Topics

Week 1-2

SoK: Security and Privacy in Machine Learning. Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael P. Wellman. (pdf)



Below are the topics and some paper ideas for student presentations. These are only suggestions and do not limit the scope.



Adversarial Machine Learning and Adversarial Examples

1. Intriguing Properties of Neural Networks. Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, Rob Fergus. (pdf)

2. Explaining and Harnessing Adversarial Examples. Ian Goodfellow, Jonathon Shlens, Christian Szegedy. (pdf)

3. Practical Black-Box Attacks against Machine Learning. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z. Berkay Celik, Ananthram Swami. (pdf)

4. Privacy Risks of Securing Machine Learning Models against Adversarial Examples. Liwei Song, Reza Shokri, Prateek Mittal. (pdf)

5. Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks. Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, Ananthram Swami. (pdf)

6. Towards Evaluating the Robustness of Neural Networks. Nicholas Carlini and David Wagner. (pdf)

7. Ensemble Adversarial Training: Attacks and Defenses. Florian Tramèr, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. (pdf)



Model Inversion Attacks

1. Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning. Ahmed Salem, Apratim Bhattacharya, Michael Backes, Mario Fritz, and Yang Zhang. (pdf)

2. Deep Models Under the GAN: Information Leakage from Collaborative Deep Learning. Briland Hitaj, Giuseppe Ateniese, Fernando Perez-Cruz. (pdf)

3. The Secret Revealer: Generative Model-Inversion Attacks Against Deep Neural Networks. Yuheng Zhang, Ruoxi Jia, Hengzhi Pei, Wenxiao Wang, Bo Li, Dawn Song. (pdf)

4. Defending Model Inversion and Membership Inference Attacks via Prediction Purification. Ziqi Yang, Bin Shao, Bohan Xuan, Ee-Chien Chang, Fan Zhang. (pdf)

5. Model Inversion Attacks that Exploit Confidence Information and Basic Countermeasures. Matt Fredrikson, Somesh Jha, Thomas Ristenpart. (pdf)

6. Improving Robustness to Model Inversion Attacks via Mutual Information Regularization. Tianhao Wang, Yuheng Zhang, Ruoxi Jia. (pdf)



Membership Inference Attacks and Defenses

1. Membership Inference Attacks Against Machine Learning Models. Reza Shokri, Marco Stronati, Congzheng Song, Vitaly Shmatikov. (pdf)

2. ML-Leaks: Model and Data Independent Membership Inference Attacks and Defenses on Machine Learning Models. Ahmed Salem, Yang Zhang, Mathias Humbert, Pascal Berrang, Mario Fritz, Michael Backes. (pdf)

3. Machine Learning with Membership Privacy using Adversarial Regularization. Milad Nasr, Reza Shokri, Amir Houmansadr. (pdf)

4. Membership Inference Attacks and Defenses in Classification Models. Jiacheng Li, Ninghui Li, Bruno Ribeiro. (pdf)

5. Comprehensive Privacy Analysis of Deep Learning: Passive and Active White-Box Inference Attacks Against Centralized and Federated Learning. Milad Nasr, Reza Shokri, and Amir Houmansadr. (pdf)

6. Disparate Vulnerability: on the Unfairness of Privacy Attacks Against Machine Learning. Mohammad Yaghini, Bogdan Kulynych, Giovanni Cherubin, Carmela Troncoso. (pdf)



Evasion Attacks

1. Evasion Attacks against Machine Learning at Test Time. Battista Biggio, Igino Corona, Davide Maiorca, Blaine Nelson, Nedim Šrndić, Pavel Laskov, Giorgio Giacinto, Fabio Roli. (pdf)

2. Enhancing Robustness of Machine Learning Systems via Data Transformations. Arjun Nitin Bhagoji, Daniel Cullina, Chawin Sitawarin, Prateek Mittal. (pdf)

3. Automatically Evading Classifiers: A Case Study on PDF Malware Classifiers. Weilin Xu, Yanjun Qi, David Evans. (pdf)



Poisoning Attacks

1. Poisoning Attacks against Support Vector Machines. Battista Biggio, Blaine Nelson, Pavel Laskov. (pdf)

2. Certified Defenses for Data Poisoning Attacks. Jacob Steinhardt, Pang Wei W. Koh, and Percy S. Liang. (pdf)

3. Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning. Matthew Jagielski, Alina Oprea, Battista Biggio, Chang Liu, Cristina Nita-Rotaru, Bo Li. (pdf)

4. Local Model Poisoning Attacks to Byzantine-Robust Federated Learning. Minghong Fang, Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong. (pdf)



Model Theft

1. Stealing Machine Learning Models via Prediction APIs. Florian Tramèr, Fan Zhang, Ari Juels, Michael K. Reiter, and Thomas Ristenpart. (pdf)

2. Exploring Connections Between Active Learning and Model Extraction. Varun Chandrasekaran, Kamalika Chaudhuri, Irene Giacomelli, Somesh Jha, and Songbai Yan. (pdf)

3. High Accuracy and High Fidelity Extraction of Neural Networks. Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, and Nicolas Papernot. (pdf)



Differential Privacy

1. RAPPOR: Randomized Aggregatable Privacy-Preserving Ordinal Response. Úlfar Erlingsson, Vasyl Pihur, Aleksandra Korolova. (pdf)

2. Deep Learning with Differential Privacy. Martín Abadi, Andy Chu, Ian Goodfellow, H. Brendan McMahan, Ilya Mironov, Kunal Talwar, and Li Zhang. (pdf)

3. Towards Practical Differential Privacy for SQL Queries. Noah Johnson, Joseph P. Near, and Dawn Song. (pdf)



Model Fairness

1. Equality of Opportunity in Supervised Learning. Moritz Hardt, Eric Price, Nathan Srebro. (pdf)

2. Counterfactual Fairness. Matt J. Kusner, Joshua Loftus, Chris Russell, and Ricardo Silva. (pdf)

3. On Adversarial Bias and the Robustness of Fair Machine Learning. Hongyan Chang, Ta Duy Nguyen, Sasi Kumar Murakonda, Ehsan Kazemi, and Reza Shokri. (pdf)



Model Transparency

1. On the Privacy Risks of Model Explanations. Reza Shokri, Martin Strobel, and Yair Zick. (pdf)

2. Model Explanations with Differential Privacy. Neel Patel, Reza Shokri, and Yair Zick. (pdf)

3. Model Reconstruction from Model Explanations. Smitha Milli, Ludwig Schmidt, Anca D. Dragan, and Moritz Hardt. (pdf)