Instructor	Gang Wang (gangw@illinois.edu)
TA	Hadjer Benkraouda (hadjerb2@illinois.edu)
Time/Location	Tuesday/Thursday 03:30 - 04:45 PM. 1310 Digital Computer Laboratory
Office Hour	By Appointment

Class Description

Advanced topics in security and privacy problems in machine learning systems, selected from areas of current research such as: This section will primarily focus on using machine learning for system, networking, and security applications. Example topics include using ML to build novel security defenses (e.g., detecting network intrusions, cybercrime, and disinformation, and performing user authentication and vulnerability analysis), launch novel attacks (e.g., privacy attacks, password guessing, deepfake-based social engineering), and support system optimizations. We will explore new research directions and seek to understand the limitations and potential risks of ML-based approaches. Students will read, present, and discuss research papers, and work on an original research project. The goal of the project is to extend machine learning techniques to new problems and produce publishable results.

Expected Work

Reading: students will be reading and reviewing all the required papers, and participating in paper discussions during the class and over the online discussion board.

Participation: students are required to attend all the lectures. Please inform the instructor via email if you cannot make it to the class due to travel or sickness.

Team Project: 3-4 students will form a team to work on a single research project throughout the semester. The project should aim to solve a real problem in the intersection area of machine learning and security/system. Each team will write a project proposal, perform literature surveys, give a short talk in the midterm, and give a final presentation at the end of the semester. Each team is also expected to write up a final project report.

Paper Presentation: students will present papers during the class to lead the discussion.

All deadlines are 11:59 PM (CT) of the specific date (not including paper reviews).

Class Schedule

Week / Date	Papers	Deadline
Week 1: Aug 22	Class overview and background introduction.
Week 1: Aug 24	Attacking ML: evasion and poisoning Towards Evaluating the Robustness of Neural Networks SP 2017 Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning SP 2018	Claim paper slot
Week 2: Aug 29	Attacking ML: backdoor Trojaning Attack on Neural Networks NDSS 2018 Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks SP 2019
Week 2: Aug 31	Attacking ML: problem-space constraints Intriguing Properties of Adversarial ML Attacks in the Problem Space SP 2020 On the Robustness of Domain Constraints CCS 2021
Week 3: Sep 5	ML for security: e-crime Detecting Credential Spearphishing in Enterprise Settings USENIX Security 2017 Boxer: Preventing fraud by scanning credit cards USENIX Security 2020
Week 3: Sep 7	ML for security: phishing VisualPhishNet: Zero-Day Phishing Website Detection by Visual Similarity CCS 2020 Inferring Phishing Intention via Webpage Appearance and Dynamics: A Deep Vision Based Approach USENIX Security 2022
Week 4: Sep 12	ML for security: binary code analysis Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection CCS 2017 PalmTree: Learning an Assembly Language Model for Instruction Embedding CCS 2021	Project proposal
Week 4: Sep 14	ML for security: code and authorship De-anonymizing Programmers via Code Stylometry USENIX Security 2015 Large-Scale and Language-Oblivious Code Authorship Identification CCS 2018
Week 5: Sep 19	ML for security: network intrusion Outside the Closed World: On Using Machine Learning for Network Intrusion Detection SP 2010 Kitsune: An Ensemble of Autoencoders for Online Network Intrusion Detection NDSS 2018
Week 5: Sep 21	ML for security: evaluation and biases TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time USENIX Security 2019 Dos and Don'ts of Machine Learning in Computer Security USENIX Security 2022
Week 6: Sep 26	ML for security: concept drift Transcend: Detecting Concept Drift in Malware Classification Models USENIX Security 2017 Continuous Learning for Android Malware Detection USENIX Security 2023
Week 6: Sep 28	ML for attack: password guessing Fast, Lean, and Accurate: Modeling Password Guessability Using Neural Networks USENIX Security 2016 Beyond Credential Stuffing: Password Similarity Models using Neural Networks SP 2019
Week 7: Oct 3	Midterm project presentation
Week 7: Oct 5	ML explanation "Why Should I Trust You?": Explaining the Predictions of Any Classifier KDD 2016 A Unified Approach to Interpreting Model Predictions NeurIPS 2017	Midterm report due
Week 8: Oct 10	ML explanation (cont.) Grad-CAM: Visual Explanations from Deep Networks via Gradient-based Localization ICCV 2017 Towards A Rigorous Science of Interpretable Machine Learning Arxiv 2017
Week 8: Oct 12	ML explanation: limitations Interpretable Deep Learning under Fire USENIX Security 2020 Sanity Checks for Saliency Maps NeurIPS 2018
Week 9: Oct 17	Explanation vs. malware backdoor Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers USENIX Security 2021 Disguising Attacks with Explanation-Aware Backdoors SP 2023
Week 9: Oct 19	ML for security: deepfake MARLIN: Masked Autoencoder for facial video Representation LearnINg CVPR 2023 Exposing GAN-Generated Profile Photos From Compact Embeddings CVPR workshop 2023
Week 10: Oct 24	LLM absue Not what you’ve signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection Arxiv 2023 Analyzing Leakage of Personally Identifiable Information in Language Models SP 2023
Week 10: Oct 26	LLM and code Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions SP 2022 Lost at C: A User Study on the Security Implications of Large Language Model Code Assistants USENIX Security 2023
Week 11: Oct 31	Attacking ML: privacy/copyright Fawkes: Protecting Privacy against Unauthorized Deep Learning Models USENIX Security 2020 Glaze: Protecting Artists from Style Mimicry by Text-to-Image Models USENIX Security 2023
Week 11: Nov 2	Attacking ML: perceptions AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning CCS 2019 Squint Hard Enough: Attacking Perceptual Hashing with Adversarial Machine Learning USENIX Security 2023	Progress update slides
Week 12: Nov 7	ML and networks: Tor DeepCorr: Strong Flow Correlation Attacks on Tor Using Deep Learning CCS 2018 Defeating DNN-Based Traffic Analysis Systems in Real-Time With Blind Adversarial Perturbations USENIX Security 2021
Week 12: Nov 9	ML and networks: data generation Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions IMC 2020 Practical GAN-based Synthetic IP Header Trace Generation using NetShare SIGCOMM 2022
Week 13: Nov 14	ML explanation for networks XNIDS: Explaining Deep Learning-based Network Intrusion Detection Systems for Active Intrusion Responses USENIX Security 2023 AI/ML for Network Security: The Emperor has no Clothes CCS 2022
Week 13: Nov 16	Human + ML for security Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance CCS 2017 DEEPCASE: Semi-Supervised Contextual Analysis of Security Events SP 2022
Week 14: Nov 21	Fall Break
Week 14: Nov 23	Fall Break
Week 15: Nov 28	ML vs. authentication Seeing is Living? Rethinking the Security of Facial Liveness Verification in the Deepfake Era USENIX Security 2022 DepthFake: Spoofing 3D Face Authentication with a 2D Photo SP 2023
Week 15: Nov 30	ML for security: binary code (advanced) DEEPDI: Learning a Relational Graph Convolutional Network Model on Instructions for Fast and Accurate Disassembly USENIX Security 2022 XDA: Accurate, Robust Disassembly with Transfer Learning NDSS 2021
Week 16: Dec 5	Final project preparison, no class meeting
Week 16: Dec 7	reading day, no class meeting	Final report
Week 17: Dec 11-15	Final exam week: project presentation in class

Grading

Class attendance and participation	5%
Paper reviews	25%
Paper presentation in class	15%
Project: proposal	10%
Project: midterm presentation	10%
Project: final presentation	15%
Project: midterm report + progress update slides	10%
Project: final report	10%

To calculate final grades, I simply sum up the points obtained by each student (the points will sum up to some number x out of 100) and then use the following scale to determine the letter grade: [0-60] F, [60-62] D-, [63-66] D, [67-69] D+, [70-72] C-, [73-76] C, [77-79] C+, [80-82] B-, [83-86] B, [87-89] B+, [90-92] A-, [93-100] A.

Paper Review

We read two papers before each class meeting. Before each class, students are expected to read both papers and submit a short review via Campuswire. The deadline for the review is 2:30 PM (CT) on the day of class.

The review should contain sufficient content (about 200-500 words; it can be longer if needed). The review can focus on the key contributions of the paper, the strengths and weaknesses, or potential issues with the experiment methodologies and results. You can also discuss the practical implications of the paper and suggest new ideas. The review should reflect your own thoughts. All the students will post the reviews under the given paper's Campuswire thread. If you are the first to review the paper, you get to summarize the paper and comment on the key contributions. Other students who come later should avoid repeating the same arguments/comments that the previous reviews have already covered. Each review needs to have some original comments that are different from others.

Policies

Late Policy: All the deadlines are hard deadlines. Any late submissions will be subject to point reduction. For paper reviews, and project-related assignments: submitting within 3 days (72 hours) after the deadline = 60% of the points. This policy does not apply to the final project report, for which a late submission is not allowed.

Academic Integrity:

Students must follow the university's guidelines on academic conduct (quick link). This course will have a zero-tolerance policy regarding plagiarism. You (or your team) should complete all the assignments and project tasks on your own. When you use the code or tools developed by other people, please acknowledge the source. If an idea or a concept used in your project has been proposed by others, please make the proper citations. All electronic work submitted for this course will be archived and subjected to automatic plagiarism detection. Whenever in doubt, please seek clarifications from the instructor. Students who violate Academic Integrity policies will be immediately reported to the department and the college.

When presenting research papers in the class, you may NOT use the authors' slides directly. Please make your own slides.

Special Accommodations: If you need special accommodations because of a disability, please contact the instructor in the first week of classes.

Diminished mental health, including significant stress, mood changes, excessive worry, substance/alcohol abuse, or problems with eating and/or sleeping can interfere with optimal academic performance, social development, and emotional wellbeing. The University of Illinois offers a variety of confidential services including individual and group counseling, crisis intervention, psychiatric services, and specialized screenings at no additional cost. If you or someone you know experiences any of the above mental health concerns, it is strongly encouraged to contact or visit any of the University’s resources provided below. Getting help is a smart and courageous thing to do -- for yourself and for those who care about you.
Counseling Center: 217-333-3704, 610 East John Street Champaign, IL 61820
McKinley Health Center:217-333-2700, 1109 South Lincoln Avenue, Urbana, Illinois 61801