

This page lists the research topics that are currently available in the Secure Systems group or with our industry partners. Each topic can be structured either as a special assignment or as an MSc thesis, depending on the interests, background and experience of the student. If you are interested in a particular topic, send e-mail to the listed contact person (as well as to the responsible professor: N. Asokan, Tuomas Aura or Janne Lindqvist) explaining your background and interests.

All topics have one or more of the following keywords: 

PLATSEC Platform Security

NETSEC Network Security

ML & SEC Machine learning and Security/Privacy

USABLE Usable security

OTHER Other security research themes



Available research topics for students in the Secure Systems Group


Security engineering and usable security  USABLE

We are looking for students interested in security engineering, usable security and human-computer interaction. Examples of work done in the group can be found at the old website for the group https://www.lindqvistlab.org/.

Supervisor: Prof. Janne Lindqvist (Department of Computer Science, Aalto University), Director Helsinki-Aalto Center for Information Security (HAIC).

Requirements: Background and interest in systems security, security engineering, data science, machine learning, modeling, human-computer interaction or social and behavioral sciences is required.

Nice to have:

References:

For further information: Please email Janne Lindqvist


Understanding video streaming user experiences USABLE

We are looking for students interested in understanding video streaming user experiences. Examples of work done in the group can be found at the old website for the group https://www.lindqvistlab.org/.

Supervisor: Prof. Janne Lindqvist (Department of Computer Science, Aalto University), Director Helsinki-Aalto Center for Information Security (HAIC).

Requirements: Background and interest in measuring user experience, modeling, human-computer interaction, computer science or social and behavioral sciences is required.

Nice to have:

References:

For further information: Please email Janne Lindqvist


Artificial intelligence and machine learning for systems security and privacy ML & SEC

We are looking for students interested in developing novel artificial intelligence and machine learning approaches to security engineering and systems security and privacy. Examples of work done in the group can be found at the old website for the group https://www.lindqvistlab.org/. See also these specific examples: http://jannelindqvist.com/publications/IMWUT19-fails.pdf and http://jannelindqvist.com/publications/NDSS19-robustmetrics.pdf

Supervisor: Prof. Janne Lindqvist (Department of Computer Science, Aalto University), Director Helsinki-Aalto Center for Information Security (HAIC).

Requirements: Background and interest in data science, machine learning, statistics and computational approaches to computer science are required.

Nice to have:

References:

For further information: Please email Janne Lindqvist


Multitasking and productivity tools USABLE

We are looking for students interested in understanding productivity tools and multitasking. Examples of work done in the group can be found at the old website for the group https://www.lindqvistlab.org/.

Supervisor: Prof. Janne Lindqvist (Department of Computer Science, Aalto University), Director Helsinki-Aalto Center for Information Security (HAIC).

Requirements: Background and interest in measuring user experience, modeling, human-computer interaction, computer science or social and behavioral sciences is required.

Nice to have:

References:

For further information: Please email Janne Lindqvist


Mixed methods HCI and security research OTHER

We are looking for students interested in pushing the envelope in mixed methods HCI and security research. Examples of work done in the group can be found at the old website for the group https://www.lindqvistlab.org/.

Supervisor: Prof. Janne Lindqvist (Department of Computer Science, Aalto University), Director Helsinki-Aalto Center for Information Security (HAIC).

Requirements: Background and interest in either qualitative or quantitative methods, willingness to learn new methods, and a background in user experience, modeling, human-computer interaction, computer science or social and behavioral sciences is required.

Nice to have:

References:

For further information: Please email Janne Lindqvist


Latent Representations in Model Extraction Attacks ML & SEC

In recent years, the field of black-box model extraction has been growing in popularity [1-5]. During a black-box model extraction attack, the adversary sends queries to the victim model sitting behind an API and obtains its predictions. It then uses the queries together with the predictions to reconstruct the model locally. Model extraction attacks are a threat to the Model-as-a-Service business model that is becoming the ubiquitous choice for ML offerings. Unfortunately, existing defense mechanisms are not sufficient and it is likely that model extraction will always be a threat [5]. However, despite the threat, the research community does not fully understand why model extraction works and what its current shortcomings and limitations are.

In this work, we are going to explore the quality of the latent representations learned during model extraction attacks and study the relationship between the victim and stolen models. We will investigate the impact of robustness-increasing techniques (e.g. adversarial training) on the effectiveness of model extraction and, finally, formalise the field of model extraction attacks through the lens of transfer learning.

Note: 1) There's going to be a programming pre-assignment. 2) Literature review can be done as a special assignment.

Requirements

  • MSc students in security, computer science, machine learning
  • familiarity with both standard ML techniques as well as deep neural networks
  • Good math and algorithmic skills
  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have

  • industry experience in software engineering or related
  • research experience
  • familiarity with adversarial machine learning

Some references:
[1]: Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In ACM Symposium on Information, Computer and Communications Security. ACM, 506–519.

[2]: Florian Tramèr, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX Security Symposium. 601–618.

[3]: Mika Juuti, Sebastian Szyller, Samuel Marchal, and N. Asokan. 2019. PRADA: Protecting against DNN Model Stealing Attacks. In IEEE European Symposium on Security & Privacy. IEEE, 1–16.

[4]: Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Knockoff Nets: Stealing Functionality of Black-Box Models. In CVPR. 4954–4963.

[5]: Buse Atli, Sebastian Szyller, Mika Juuti, Samuel Marchal and N. Asokan 2019. Extraction of Complex DNN Models: Real Threat or Boogeyman? To appear in AAAI-20 Workshop on Engineering Dependable and Secure Machine Learning Systems

[6]: Tero Karras, Samuli Laine, Timo Aila. A Style-Based Generator Architecture for Generative Adversarial Networks, in CVPR 2019

For further information: Sebastian Szyller (sebastian.szyller@aalto.fi) and Prof. N. Asokan.


Guarantees of Differential Privacy in Overparameterised Models ML & SEC

Differential privacy allows us to use data without (statistically) revealing information about individuals. It is a parameterised approach: we control the amount of privacy we want our system to provide and obtain statistical guarantees bounded by (ε, δ). In machine learning this means either training models whose outputs cannot be linked to particular observations, modifying the learning algorithm itself (e.g. clipping and noising gradients as in [5]) or perturbing the input data. However, deep neural networks leak information about their training data (membership and property inference) because they are overparameterised and because both the input data and the model's latent representations are high-dimensional.

In this work, we are going to analyse the shortcomings of existing methods for incorporating differential privacy into machine learning models and work on creating a novel technique.
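To make the "modifying the learning algorithm" route concrete, here is an added example (not code from the original page or from any of the cited papers) of the core DP-SGD step of [5] in pure Python: per-example gradient clipping to bound the sensitivity of the summed gradient, followed by Gaussian noise calibrated with the single-release (ε, δ) bound from [1]. The per-example gradients, clipping norm and privacy parameters are constructed for illustration. Composition of the guarantee over many training steps (the moments accountant of [5]) is deliberately left out: the sigma computed here covers one step only.

```python
import math
import random


def l2_norm(vec):
    return math.sqrt(sum(c * c for c in vec))


def clip_gradient(grad, clip_norm):
    """Per-example clipping as in Abadi et al. [5]: scale the gradient down so
    its L2 norm is at most clip_norm. A single example can then move the summed
    gradient by at most clip_norm, which is the sensitivity the noise is
    calibrated to."""
    norm = l2_norm(grad)
    scale = min(1.0, clip_norm / norm) if norm > 0 else 1.0
    return [c * scale for c in grad]


def worst_case_influence(grads):
    """Largest L2 change of the summed gradient when any one example is removed,
    i.e. the L2 sensitivity of the (pre-noise) sum."""
    return max(l2_norm(g) for g in grads)


def gaussian_sigma(epsilon, delta, sensitivity):
    """Noise standard deviation that makes one Gaussian-mechanism release
    (epsilon, delta)-DP for a query of the given L2 sensitivity
    (Dwork and Roth [1], Theorem A.1). The bound is only stated for epsilon < 1,
    and it covers a single release, not a whole training run."""
    if not 0 < epsilon < 1:
        raise ValueError("this calibration is only valid for 0 < epsilon < 1")
    if not 0 < delta < 1:
        raise ValueError("delta must lie in (0, 1)")
    return math.sqrt(2 * math.log(1.25 / delta)) * sensitivity / epsilon


def dp_gradient_step(per_example_grads, clip_norm, epsilon, delta, rng):
    """One DP-SGD step: clip each example's gradient, sum, add N(0, sigma^2)
    noise to every coordinate, average over the batch. Returns the noised
    average gradient an optimiser would apply."""
    dim = len(per_example_grads[0])
    clipped = [clip_gradient(g, clip_norm) for g in per_example_grads]
    summed = [sum(g[i] for g in clipped) for i in range(dim)]
    sigma = gaussian_sigma(epsilon, delta, clip_norm)
    noised = [s + rng.gauss(0.0, sigma) for s in summed]
    return [v / len(per_example_grads) for v in noised]


# Constructed per-example gradients for one mini-batch: three typical examples
# and one outlier whose gradient is far larger (the kind of memorised record
# that membership inference picks up on). Not real training data.
SAMPLE_GRADS = [
    [0.3, -0.4],
    [-0.2, 0.1],
    [0.5, 0.2],
    [30.0, 40.0],  # outlier: L2 norm 50
]

CLIP_NORM = 1.0  # assumed clipping bound


def demo():
    """Returns (sensitivity without clipping, sensitivity with clipping, one noised step)."""
    rng = random.Random(0)  # fixed seed so the run is reproducible
    raw_influence = worst_case_influence(SAMPLE_GRADS)
    clipped_influence = worst_case_influence(
        [clip_gradient(g, CLIP_NORM) for g in SAMPLE_GRADS])
    step = dp_gradient_step(SAMPLE_GRADS, CLIP_NORM, epsilon=0.5, delta=1e-5, rng=rng)
    return raw_influence, clipped_influence, step


if __name__ == "__main__":
    raw, clipped, step = demo()
    print(f"sensitivity without clipping: {raw:.1f}, with clipping: {clipped:.1f}")
    print(f"noise sigma for (0.5, 1e-5)-DP per step: {gaussian_sigma(0.5, 1e-5, CLIP_NORM):.2f}")
    print("noised average gradient:", [round(v, 3) for v in step])
```

Without clipping the outlier alone determines the sensitivity (50), so noise large enough to hide it would destroy the signal from every other example; clipping first brings the sensitivity down to the chosen bound and makes the noise scale independent of how extreme any one record is.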

Note: 1) There's going to be a programming pre-assignment. 2) Literature review can be done as a special assignment.

Requirements

  • MSc students in security, computer science, machine learning
  • familiarity with both standard ML techniques as well as deep neural networks
  • Good math and algorithmic skills (stats and probability in particular)
  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have

  • industry experience in software engineering or related
  • research experience
  • familiarity with differential privacy and/or anonymization techniques

Some references

[1]: Cynthia Dwork, Aaron Roth. 2014. Algorithmic Foundations of Differential Privacy

[2]: Reza Shokri, Vitaly Shmatikov. 2015. Privacy Preserving Deep Learning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security Pages 1310-1321

[3]: Congzheng Song, Vitaly Shmatikov. 2019. Overlearning Reveals Sensitive Attributes

[4]: Lecuyer, M., Atlidakis, V., Geambasu, R., Hsu, D., and Jana, S. 2019. Certified Robustness to Adversarial Examples with Differential Privacy. In IEEE Symposium on Security and Privacy (SP) 2019

[5]: M. Abadi, A. Chu, I. Goodfellow, H. Brendan McMahan, I. Mironov, K. Talwar, and L. Zhang. 2016. Deep Learning with Differential Privacy. ArXiv e-prints.

For further information: Sebastian Szyller (sebastian.szyller@aalto.fi) and Prof. N. Asokan.


Ineffectiveness of Non-label-flipping Defenses and Watermarking Schemes Against Model Extraction Attacks ML & SEC

In recent years, the field of black-box model extraction has been growing in popularity [1-5]. During a black-box model extraction attack, the adversary sends queries to the victim model sitting behind an API and obtains its predictions. It then uses the queries together with the predictions to reconstruct the model locally. Model extraction attacks are a threat to the Model-as-a-Service business model that is becoming the ubiquitous choice for ML offerings.
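The attack loop described in this topic and in "Latent Representations in Model Extraction Attacks" above, as an added example that is not part of the original page or of any cited paper: a toy victim (a logistic regression behind a prediction API) is queried with synthetic inputs, a surrogate is fitted to the answers, and agreement with the victim is measured on fresh inputs. The "non-label-flipping" defence is constructed for this example: it perturbs the returned probabilities while keeping the top-1 label fixed, which shows why an attacker that trains on labels alone is unaffected by it. The victim weights, query range, noise level and training hyperparameters are assumptions.

```python
import math
import random

# The victim: a logistic-regression classifier on 2-D inputs, deployed behind
# a prediction API. Its weights are the secret; the attacker only sees answers.
VICTIM_W = (2.0, -1.5)  # assumed secret weights
VICTIM_B = 0.3


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def victim_api(x):
    """Undefended Model-as-a-Service endpoint: returns P(class 1) for one input."""
    return sigmoid(VICTIM_W[0] * x[0] + VICTIM_W[1] * x[1] + VICTIM_B)


def defended_api(x, rng, noise=0.2):
    """Constructed 'non-label-flipping' defence: perturbs the returned probability
    but clamps it so the top-1 label never changes. Anything the attacker can do
    with labels alone is therefore unaffected."""
    p = victim_api(x)
    noisy = p + rng.uniform(-noise, noise)
    if p >= 0.5:
        return min(max(noisy, 0.5), 1.0)
    return min(max(noisy, 0.0), 0.5 - 1e-9)


def query_victim(api, n_queries, rng):
    """Step 1: the adversary samples synthetic inputs, sends them to the API and
    records the answers (the transfer set)."""
    inputs = [(rng.uniform(-3, 3), rng.uniform(-3, 3)) for _ in range(n_queries)]
    return [(x, api(x)) for x in inputs]


def train_surrogate(transfer_set, labels_only, epochs=150, lr=0.1):
    """Step 2: fit a local logistic regression to the stolen (input, answer) pairs.
    labels_only=True trains on argmax labels, False on the soft probabilities."""
    w = [0.0, 0.0]
    b = 0.0
    for _ in range(epochs):
        for x, answer in transfer_set:
            target = (1.0 if answer >= 0.5 else 0.0) if labels_only else answer
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - target
            w[0] -= lr * err * x[0]
            w[1] -= lr * err * x[1]
            b -= lr * err
    return w, b


def agreement(surrogate, n_points, rng):
    """Step 3: fraction of fresh inputs on which the stolen model's label matches
    the victim's, the usual success metric for extraction."""
    w, b = surrogate
    hits = 0
    for _ in range(n_points):
        x = (rng.uniform(-3, 3), rng.uniform(-3, 3))
        victim_label = victim_api(x) >= 0.5
        stolen_label = sigmoid(w[0] * x[0] + w[1] * x[1] + b) >= 0.5
        hits += victim_label == stolen_label
    return hits / n_points


def defence_preserves_label(n_points=500, seed=2):
    """Sanity check on the constructed defence: the reported probability is never
    on the other side of 0.5 from the victim's own answer."""
    rng = random.Random(seed)
    for _ in range(n_points):
        x = (rng.uniform(-3, 3), rng.uniform(-3, 3))
        if (victim_api(x) >= 0.5) != (defended_api(x, rng) >= 0.5):
            return False
    return True


def run_extraction(defended, labels_only, n_queries=1000, seed=0):
    """End-to-end attack against the undefended or the defended endpoint."""
    rng = random.Random(seed)  # fixed seed: same query points in every run
    api = (lambda x: defended_api(x, rng)) if defended else victim_api
    transfer_set = query_victim(api, n_queries, rng)
    surrogate = train_surrogate(transfer_set, labels_only)
    return agreement(surrogate, 2000, random.Random(seed + 1))


if __name__ == "__main__":
    for defended in (False, True):
        for labels_only in (True, False):
            acc = run_extraction(defended, labels_only)
            print(f"defended={defended!s:5} labels_only={labels_only!s:5} agreement={acc:.3f}")
```

Because the defence never crosses the 0.5 boundary, the label-only attacker sees exactly the same transfer set with and without it, and the two agreement figures are identical; a defence that only distorts probabilities changes nothing for an adversary who discards them.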


Note: 1) There's going to be a programming pre-assignment. 2) Literature review can be done as a special assignment.

Requirements

  • MSc students in security, computer science, machine learning
  • familiarity with both standard ML techniques as well as deep neural networks
  • Good math and algorithmic skills
  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have

  • industry experience in software engineering or related
  • research experience
  • familiarity with adversarial machine learning

Some references:
[1]: Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z Berkay Celik, and Ananthram Swami. 2017. Practical black-box attacks against machine learning. In ACM Symposium on Information, Computer and Communications Security. ACM, 506–519.

[2]: Florian Tramèr, Fan Zhang, Ari Juels, Michael K Reiter, and Thomas Ristenpart. 2016. Stealing machine learning models via prediction APIs. In 25th USENIX Security Symposium. 601–618.

[3]: Mika Juuti, Sebastian Szyller, Samuel Marchal, and N. Asokan. 2019. PRADA: Protecting against DNN Model Stealing Attacks. In IEEE European Symposium on Security & Privacy. IEEE, 1–16.

[4]: Tribhuvanesh Orekondy, Bernt Schiele, and Mario Fritz. 2019. Knockoff Nets: Stealing Functionality of Black-Box Models. In CVPR. 4954–4963.

[5]: Buse Atli, Sebastian Szyller, Mika Juuti, Samuel Marchal and N. Asokan 2019. Extraction of Complex DNN Models: Real Threat or Boogeyman? To appear in AAAI-20 Workshop on Engineering Dependable and Secure Machine Learning Systems

For further information: Sebastian Szyller (sebastian.szyller@aalto.fi) and Prof. N. Asokan.


Locality-Sensitive Neural Network Based Perceptual Hashing ML & SEC

Note: Special Assignment Only

Locality-sensitive hashing (LSH) is an embedding function that, for two similar inputs A and B, produces hashes h(A) and h(B) that are also similar. This is different from hashing in the cryptographic sense, where the distribution of digests should reveal nothing about the inputs and even a one-bit change in the input yields an unrelated digest. LSH is extremely useful for efficient search and storage. However, in many domains the similarity of two inputs may be straightforward for a human to judge but not for a hash function that is unaware of context, meaning or representation. Hence, we need solutions that can accommodate these deficiencies.

In these projects, we are going to investigate and design novel locally sensitive hash functions based on neural networks. Our focus is on two domains:

1) Perceptual hashing of images: an image that has been subjected to a change of contrast, shifting, rotation or inversion should produce a hash similar to that of the original.

2) Contextual hashing of text: sentences that have roughly the same meaning and similar grammatical structure should have similar hashes, e.g. "I think it was a great movie" vs "In my opinion, this was a nice film".
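As an added example (not the group's code and not taken from any cited paper), here is the block-mean perceptual hash of [4] in pure Python, run against a constructed 32x32 greyscale image, with a SHA-256 digest of the same pixels for contrast. It checks two things a practitioner wants to know before building on such a hash: a linear contrast/brightness change leaves all 64 bits unchanged (Hamming distance 0, where SHA-256 changes completely), but inverting the image flips every bit, so the plain block-mean hash fails on one of the transformations listed under 1) above; that is part of the gap a learned hash would have to close. The image, block size and transform parameters are assumptions.

```python
import hashlib

BLOCK = 4  # pixels per block side; a 32x32 image gives an 8x8 grid = 64 bits


def make_sample_image(size=32):
    """Constructed 32x32 greyscale image (list of rows, values 0-255). Every 4x4
    block has a distinct mean, so the median threshold below never ties."""
    return [[30 + 2 * ((y // BLOCK) * (size // BLOCK) + x // BLOCK) + 3 * ((x + y) % 4)
             for x in range(size)] for y in range(size)]


def adjust_contrast(img, gain, bias):
    """Linear contrast/brightness change v -> gain*v + bias. For the sample image
    and the parameters used here every value stays inside 0-255, so no clipping."""
    return [[gain * v + bias for v in row] for row in img]


def invert(img):
    return [[255 - v for v in row] for row in img]


def block_means(img):
    size = len(img)
    means = []
    for by in range(0, size, BLOCK):
        for bx in range(0, size, BLOCK):
            total = sum(img[y][x] for y in range(by, by + BLOCK) for x in range(bx, bx + BLOCK))
            means.append(total / (BLOCK * BLOCK))
    return means


def block_mean_hash(img):
    """Block-mean perceptual hash in the spirit of Yang et al. [4]: one bit per
    block, set when the block mean is above the median of all block means.
    Any monotone pixel transform (contrast, brightness) leaves the bits unchanged."""
    means = block_means(img)
    ordered = sorted(means)
    median = (ordered[len(ordered) // 2 - 1] + ordered[len(ordered) // 2]) / 2
    return [1 if m > median else 0 for m in means]


def hamming(h1, h2):
    return sum(a != b for a, b in zip(h1, h2))


def to_hex(bits):
    return "".join(f"{int(''.join(map(str, bits[i:i + 4])), 2):x}" for i in range(0, len(bits), 4))


def sha256_of_pixels(img):
    """Cryptographic hash of the raw pixel bytes, for comparison: any change to
    any pixel gives an unrelated digest."""
    data = bytes(int(round(v)) for row in img for v in row)
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    img = make_sample_image()
    contrast = adjust_contrast(img, 1.2, 10)
    h = block_mean_hash(img)
    print("original  ", to_hex(h))
    print("contrast  ", to_hex(block_mean_hash(contrast)), "hamming", hamming(h, block_mean_hash(contrast)))
    print("inverted  ", to_hex(block_mean_hash(invert(img))), "hamming", hamming(h, block_mean_hash(invert(img))))
    print("sha256 differs after contrast change:", sha256_of_pixels(img) != sha256_of_pixels(contrast))
```

The median threshold is what buys the contrast invariance: ordering of block means is preserved by any monotone pixel transform. The same property is why inversion is a worst case, since it reverses the ordering and produces the exact bitwise complement.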

Requirements

  • MSc students in security, computer science, machine learning
  • familiarity with both standard ML techniques as well as deep neural networks (NLP and image classification)
  • Good math and algorithmic skills (hashing in particular)
  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have

  • industry experience in software engineering or related
  • research experience
  • familiarity with adversarial machine learning

Some references:
[1]: Markus Kettunen, Erik Härkönen, Jaakko Lehtinen. E-LPIPS: Robust Perceptual Image Similarity via Random Transformation Ensembles

[2]: Lucas Bourtoule, Varun Chandrasekaran, Christopher Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, Nicolas Papernot. Machine Unlearning

[3]: A Visual Survey of Data Augmentation in NLP

[4]: Bian Yang, Fan Gu, Xiamu Niu. Block Mean Value Based Image Perceptual Hashing in IIH-MSP 06: Proceedings of the 2006 International Conference on Intelligent Information Hiding and Multimedia

[5]: Locality-Sensitive Hashing

For further information: Sebastian Szyller (sebastian.szyller@aalto.fi) and Prof. N. Asokan.


Black-box Adversarial Attacks on Neural Policies  ML & SEC

It is well known that machine learning models are vulnerable to inputs constructed by adversaries to force misclassification. Adversarial examples have been extensively studied in image classification models using deep neural networks (DNNs). Recent work [1] shows that reinforcement learning agents trained with deep reinforcement learning (DRL) algorithms are also susceptible to adversarial examples, since DRL uses neural networks to represent the policy used in decision making [2]. Existing adversarial attacks [3-6] try to corrupt the agent's observation by perturbing the sensor readings, so that the observation differs from the true state of the environment the agent interacts with.

This work will focus on black-box adversarial attacks, where the attacker has no knowledge of the agent's internals and can only observe how the agent interacts with the environment. We will analyze how to use and combine imitation learning, apprenticeship learning via inverse reinforcement learning [7] and the transferability property of adversarial examples to generate black-box adversarial attacks against DRL agents.

Note: There's going to be a programming pre-assignment.

Required skills:

  • MSc students in security, computer science, machine learning, robotics or automated systems

  • Basic understanding of both standard ML techniques as well as deep neural networks (you should at least have taken the course Machine learning: basic principles from the SCI department or a similar course)

  • Good knowledge of mathematical methods and algorithmic skills

  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have:

  • Familiarity with one of the topics: adversarial machine learning, reinforcement learning, statistics, control theory, artificial intelligence

  • Familiarity with deep learning frameworks (PyTorch, Tensorflow, Keras etc.)

  • Sufficient skills to work and interact in English

  • An interest in arcade games

References:

[1] Huang, Sandy, et al. 2017. "Adversarial attacks on neural network policies."

[2] Mnih, Volodymyr, et al.  "Human-level control through deep reinforcement learning." Nature 518.7540 (2015): 529.

[3] Lin, Yen-Chen, et al. IJCAI-2017. "Tactics of adversarial attack on deep reinforcement learning agents."

[4] Kos, Jernej, and Dawn Song. 2017.  "Delving into adversarial attacks on deep policies." 

[5] Xiao, Chaowei, et al. 2019. "Characterizing Attacks on Deep Reinforcement Learning." 

[6] Hussenot, Léonard et al. 2019.  "CopyCAT: Taking Control of Neural Policies with Constant Attacks." arXiv:1905.12282 

[7] B. Piot, et al. 2017. "Bridging the Gap Between Imitation Learning and Inverse Reinforcement Learning." IEEE Transactions on Neural Networks and Learning Systems.

For further information: Please contact Buse G. A. Tekgul  (buse.atli@aalto.fi), and prof. N. Asokan.


Federated Learning: Adaptive Attacks and Defenses in Model Watermarking ML & SEC

Watermarking deep neural networks has become a well-known approach to proving ownership of machine learning models in case they are stolen [1,2,3]. Watermarking methods should be robust against post-processing methods that aim to remove the watermark from the model; an adversary who has stolen the model can apply such post-processing after the model is deployed as a service.

Unlike traditional machine learning approaches, federated learning trains machine learning models on edge devices (referred to as clients or data owners) and then combines the results of all local models into a single global model stored on a server [4]. Watermarking solutions can be integrated into federated learning when the server is the model owner and the clients are data owners [5]. However, unlike with post-processing methods, adversaries acting as malicious clients can directly manipulate the model during the training phase to remove the effect of the watermark from the global model. In this work, we are going to design an adaptive attacker that tries to remove the watermark during the training phase of federated learning and propose new defense strategies against this type of attacker.

Note: There's going to be a programming pre-assignment.

Required skills:

  • MSc students in security, computer science, machine learning, robotics or automated systems

  • Basic understanding of both standard ML techniques as well as deep neural networks (you should at least have taken the course Machine learning: basic principles from the SCI department or a similar course)

  • Good knowledge of mathematical methods and algorithmic skills

  • Strong programming skills in Python/Java/Scala/C/C++/Javascript (Python preferred as de facto language)

Nice to have:

  • Familiarity with adversarial machine learning, federated learning

  • Familiarity with deep learning frameworks (PyTorch, Tensorflow, Keras etc.)

  • Sufficient skills to work and interact in English

References: 

[1] Adi, Yossi, et al. 2018. "Turning your weakness into a strength: Watermarking deep neural networks by backdooring." 27th USENIX Security Symposium.

[2] Zhang, Jialong, et al. 2018. "Protecting intellectual property of deep neural networks with watermarking." Proceedings of the 2018 on Asia Conference on Computer and Communications Security.

[3] Darvish Rouhani et al. 2019. "DeepSigns: an end-to-end watermarking framework for ownership protection of deep neural networks." Proceedings of the Twenty-Fourth International Conference on Architectural Support for Programming Languages and Operating Systems.

[4] McMahan, Brendan, et al. "Communication-efficient learning of deep networks from decentralized data." Artificial Intelligence and Statistics. PMLR, 2017.

[5] Atli, Buse Gul, et al. 2020. "WAFFLE: Watermarking in Federated Learning." arXiv preprint arXiv:2008.07298

For further information: Please contact Buse G. A. Tekgul  (buse.atli@aalto.fi), and prof. N. Asokan.






Research Topics with our Industry Partners





Reserved Research Topics




