CS 7775: Seminar in Computer Security: Machine Learning Security and Privacy

Fall 2023

 

Course Staff:

§  Instructor: Alina Oprea (alinao)

§  TA: John Abascal (abascal.j@northeastern.edu)

 

Class Schedule: 

§  Monday and Thursday, 11:45am-1:25pm ET

§  Location: Hastings Suite 210

 

Office Hours: 

§  Alina: Thursday, 3-4pm ET and by appointment

§  John: Monday, 2-3pm ET and by appointment

 

Class forum:  Slack 

 

Class policies:  The academic integrity policy is strictly enforced.

 

Class Description: Machine learning techniques are increasingly used to make automated decisions in applications such as health care, finance, autonomous vehicles, personalized recommendations, and cyber security. These critical applications require strong guarantees on both the integrity of the machine learning models and the privacy of the user data used to train them. Recently, foundation models such as large language models (LLMs) have been trained on massive datasets crawled from the web and are subsequently fine-tuned for new tasks, including summarization, translation, code generation, and conversational agents. This trend raises many concerns about the security of foundation models and the models derived from them, as well as the privacy of the data used to train them.

The area of adversarial machine learning studies the effects of adversarial attacks against machine learning models and aims to design robust mitigation algorithms that make ML trustworthy. In this seminar course, we will study a variety of adversarial attacks on machine learning, deep learning, and foundation models that impact the security and privacy of these systems, and we will discuss existing mitigations as well as the open challenges in making machine learning trustworthy. The objectives of the course are the following:

§  Provide an overview of machine learning models and paradigms, including logistic regression, SVMs, decision trees, ensemble learning, deep neural network architectures, federated learning, reinforcement learning, and large language models. 

§  Provide in-depth coverage of adversarial attacks on machine learning systems, including evasion attacks at inference time, poisoning attacks at training time, and privacy attacks (a brief illustrative sketch follows this list). 

§  Learn how to classify attacks according to the adversarial objective, knowledge, and capability. Discuss the taxonomy of attacks in adversarial ML based on the recent NIST report.

§  Discuss new threat models of adversarial attacks against foundation models and large language models.

§  Understand existing methods for training robust models and the challenges of achieving both robustness and accuracy. 

§  Read recent, state-of-the-art research papers from both security and machine learning conferences and discuss them in class. Students will actively participate in class discussions and lead discussions on multiple papers during the semester.

§  Provide students with the opportunity to complete several assignments on machine learning security and privacy and to work on a semester-long research project on a topic of their choice.
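
To make these attack classes concrete, the short sketch below illustrates a one-step white-box evasion attack in the spirit of the fast gradient sign method (FGSM), assuming a PyTorch classifier. The toy model, input shapes, and epsilon budget are illustrative placeholders, not course-provided code.

    import torch
    import torch.nn as nn

    def fgsm_attack(model, x, y, epsilon=0.03):
        """One signed-gradient step that perturbs x to increase the classification loss."""
        x_adv = x.clone().detach().requires_grad_(True)
        loss = nn.CrossEntropyLoss()(model(x_adv), y)
        loss.backward()
        # Move each input feature in the direction that increases the loss,
        # then clip back to the valid pixel range [0, 1].
        x_adv = (x_adv + epsilon * x_adv.grad.sign()).clamp(0, 1)
        return x_adv.detach()

    # Hypothetical toy setup, for illustration only.
    model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
    x = torch.rand(1, 1, 28, 28)    # one fake 28x28 grayscale image
    y = torch.tensor([3])           # its assumed true label
    x_adv = fgsm_attack(model, x, y)
    print((x_adv - x).abs().max())  # perturbation is bounded by epsilon

Stronger attacks covered in the readings, such as projected gradient descent and the Carlini-Wagner attack, iterate this kind of gradient step under an explicit perturbation constraint.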

 

Pre-requisites:

 

§  Probability, calculus, and linear algebra

§  Basic knowledge of machine learning 

 

Grading

The grade will be based on:

 

§  Assignments – 15%

§  Paper summaries – 10%

§  Discussion leading – 25%

§  Final project – 50%

     

Calendar (Tentative)

Week 1

Thu 09/07: Course outline (syllabus, grading, policies); Introduction to ML security and privacy [Slides]

Mon 09/11: Review of machine learning [Slides]

Week 2

Thu 09/14: Review of deep learning [Slides]

Mon 09/18: Taxonomy and classification of adversarial attacks on ML [Slides]
§  Chapters 1 and 2 of the NIST report on Adversarial ML by Alina Oprea and Apostol Vassilev
§  Optional reading: Biggio and Roli. Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning

Week 3

Thu 09/21: Evasion attacks: white-box attacks [Slides]
§  Biggio et al. Evasion Attacks Against Machine Learning at Test Time. Lead: John Abascal
§  Carlini and Wagner. Towards Evaluating the Robustness of Neural Networks. Lead: John Abascal

Mon 09/25: Poisoning attacks: availability, backdoor, and subpopulation attacks [Slides]
§  Gu et al. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. arXiv 2017. Lead: Alina Oprea
§  Jagielski et al. Subpopulation Data Poisoning Attacks. ACM CCS 2021. Lead: Alina Oprea

Week 4

Thu 09/28: Privacy risks in ML: membership inference attacks and data reconstruction [Slides 1] [Slides 2]
§  Carlini et al. Membership Inference Attacks From First Principles. IEEE S&P 2022. Lead: Alina Oprea
§  Haim et al. Reconstructing Training Data from Trained Neural Networks. NeurIPS 2022. Lead: Hassan Mahmood

Mon 10/02: Security of large language models (LLMs) [Slides]
§  Carlini et al. Extracting Training Data from Large Language Models. USENIX Security 2021. Lead: Alina Oprea
§  Zou et al. Universal and Transferable Adversarial Attacks on Aligned Language Models. 2023. Lead: Alina Oprea

Week 5

Thu 10/05: Attacks on federated learning [Slides 1] [Slides 2]
§  Bagdasaryan et al. How To Backdoor Federated Learning. AISTATS 2020. Lead: Georgios Syros
§  Boenisch et al. When the Curious Abandon Honesty: Federated Learning Is Not Private. IEEE Euro S&P 2023. Lead: Sushant Agarwal

Mon 10/09: No class (university holiday)

Week 6

Thu 10/12: Attacks on RL [Slides 1] [Slides 2]
§  Gleave et al. Adversarial Policies: Attacking Deep Reinforcement Learning. ICLR 2020. Lead: Alina Oprea
§  Wu et al. Adversarial Policy Training against Deep Reinforcement Learning. USENIX Security 2021. Lead: Ethan Rathbun

Mon 10/16: Machine unlearning and mitigation of poisoning attacks [Slides 1] [Slides 2]
§  Bourtoule et al. Machine Unlearning. IEEE S&P 2021. Lead: Peter Li
§  Shan et al. Poison Forensics: Traceback of Data Poisoning Attacks in Neural Networks. USENIX Security 2022. Lead: Evan Rose

Week 7

Thu 10/19: Project proposal

Mon 10/23: Mitigation of evasion attacks [Slides 1] [Slides 2]
§  Madry et al. Towards Deep Learning Models Resistant to Adversarial Attacks. ICLR 2018. Lead: Ethan Rathbun
§  Cohen et al. Certified Adversarial Robustness via Randomized Smoothing. ICML 2019. Lead: Sushant Agarwal

Week 8

Thu 10/26: Differentially private SGD and auditing DP-SGD [Slides]
§  Abadi et al. Deep Learning with Differential Privacy. ACM CCS 2016 (Do not submit paper summary!)
§  Jagielski et al. Auditing Differentially Private Machine Learning: How Private is Private SGD? NeurIPS 2020
Invited speaker: Matthew Jagielski

Mon 10/30: LLM training and security [Slides 1] [Slides 2]
§  Ouyang et al. Training Language Models to Follow Instructions with Human Feedback. 2022. Lead: Kashif Imteyaz (Do not submit paper summary!)
§  Greshake et al. Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. 2023. Lead: Levi Kaplan

Week 9

Thu 11/02: LLM security [Slides 1] [Slides 2]
§  Jain et al. Baseline Defenses for Adversarial Attacks Against Aligned Language Models. 2023. Lead: Kashif Imteyaz
§  Shumailov et al. The Curse of Recursion: Training on Generated Data Makes Models Forget. 2023. Lead: Georgios Syros

Mon 11/06: LLM security and privacy [Slides 1] [Slides 2]
§  Glukhov et al. LLM Censorship: A ML Challenge or a Computer Security Problem? 2023. Lead: John Abascal
§  Lukas et al. Analyzing Leakage of Personally Identifiable Information in Language Models. IEEE S&P 2023. Lead: Peter Li

Week 10

Thu 11/09: Poisoning and privacy attacks [Slides 1] [Slides 2]
§  Carlini et al. Poisoning Web-Scale Training Datasets is Practical. 2023. Lead: Alina Oprea
§  Chaudhari et al. SNAP: Efficient Extraction of Private Properties with Poisoning. IEEE S&P 2023. Lead: Harsh Chaudhari (Do not submit paper summary!)

Mon 11/13: Adversarial ML attacks and mitigations in cyber security [Slides 1] [Slides 2]
§  Severi et al. Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers. USENIX Security 2021. Invited speaker: Giorgio Severi (Do not submit paper summary!)
§  Aghakhani et al. TROJANPUZZLE: Covertly Poisoning Code-Suggestion Models. arXiv 2023. Lead: Evan Rose

Week 11

Thu 11/16: Detection and mitigation of poisoning attacks [Slides 1] [Slides 2]
§  Pan et al. ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms. USENIX Security 2023. Lead: Alina Oprea
§  Khaddaj et al. Rethinking Backdoor Attacks. 2023. Lead: Hassan Mahmood
Project milestone due on 11/16

Mon 11/20: More security and privacy attacks [Slides 1] [Slides 2]
§  Pang et al. On the Security Risks of AutoML. USENIX Security 2022. Lead: Alina Oprea
§  Brockschmidt et al. Analyzing Information Leakage of Updates to Natural Language Models. ACM CCS 2020. Lead: Levi Kaplan

Week 12

Thu 11/23: No class (university holiday: Thanksgiving)

Mon 11/27: Watermarking LLMs and fairness in supervised learning
§  Kirchenbauer et al. A Watermark for Large Language Models. arXiv 2023. Lead: Alina Oprea
§  Hardt et al. Equality of Opportunity in Supervised Learning. NeurIPS 2017. Lead: John Abascal

Week 13

Thu 11/30: Research talks. John and Alina will present recent research in ML security and privacy.

Mon 12/04: Project presentations

Week 14

Thu 12/07: Project presentations

Mon 12/11: Final project reports due

 

 

 

Review materials

§  Probability review notes from Stanford's machine learning class

§  Sam Roweis's probability review

§  Linear algebra review notes from Stanford's machine learning class 

 

 

Other resources

 

Books:

§  Trevor Hastie, Robert Tibshirani, and Jerome Friedman. The Elements of Statistical Learning. Second Edition, Springer, 2009.

§  Christopher Bishop. Pattern Recognition and Machine Learning. Springer, 2006.  

§  A. Zhang, Z. Lipton, and A. Smola. Dive into Deep Learning  

§  C. Dwork and A. Roth. The Algorithmic Foundations of Differential Privacy

§  Shai Ben-David and Shai Shalev-Shwartz. Understanding Machine Learning: From Theory to Algorithms