Privacy and security in machine learning: attacks and defenses - Josep Domingo Ferrer
In this talk, I will review privacy and security attacks against conventional machine learning, and I will discuss defenses and the conflict between defending privacy and security in decentralized ML. The usefulness of differential privacy as a privacy defense will be examined. I will also touch on some myths regarding privacy attacks against conventional ML. Some hints on how all this can apply to generative ML will be given as well.
AI-based network anomaly detection - Cédric Lefebvre
I present a brief state of the art of techniques to detect anomalies in network traffic thanks to AI. Then I show that the datasets used for academic works are very bad and all state of the art techniques don't work in the real world. Let's discuss how to solve that and share some ideas based on concrete cases. I present our work at Custocy (a French Network Detection and Response solution) to conclude.
Fully homomorphic encryption is an advanced encryption technique that makes it possible to perform operations on encrypted data without having to decrypt it. Data confidentiality is therefore preserved even when the data is processed in encrypted form by a third party, such as an online service provider.
This course will give an introduction to homomorphic encryption techniques and illustrate their applications in artificial intelligence. We will see how these methods make it possible to carry out statistical processing or medical analyses on sensitive data while preserving its confidentiality.
Adversarial examples: 10 years of worst case - Gilles Tredan and Philippe Leleux
8.45-9.45: Adversarial examples: 10 years of worst case
15' break
10.00-11.30: Hands on
15' break
11.45-12.15: Closing remarks (TBPD)
--------------------------------------------------
Adversarial examples: 10 years of worst case
Abstract:
In machine learning, adversarial examples are inputs designed by an adversary to fool a target classifier. More precisely, these examples are crafted by adding imperceptible noise to originally well-classified inputs in order to change the resulting classification. Introduced a decade ago (circa 2014), they generated a wide spectrum of research that ranges from very practical questions (can I fool an autonomous vehicle?) to more fundamental ones (are there classifiers that resist adversarial inputs, and at what cost?). This talk is a humble introduction to these various topics by a non-expert.
--------------------------------------------------
Hands on:
Ever wondered how a few pixels can fool a deep neural network? In this hands-on session, you’ll craft adversarial attacks like FGSM and PGD on image models, visualize how tiny perturbations can cause big misclassifications, and measure the fallout on model performance. Then, we’ll see if countermeasures are possible—with adversarial training and a look at its cost in robustness vs. accuracy. Come learn how to outsmart (or secure) the machine.
----------------------------------------------------
Closing remarks (to be precisely determined)
Abstract:
This session will close the morning session on adversarial examples. We will discuss some limitations of adversarial defenses and practical applications of adversarial examples for model watermarking. Finally, we'll quickly discuss the transposition of adversarial examples from classifiers to the large language models realm.
This introductory lecture aims at presenting the background necessary to understand side-channel attacks. We will present the different building blocks of a physical system and explain how an adversary may leverage its physical properties in order to recover sensitive information processed by the system under attack. We will then explain the stakes for an adversary, and the different steps to implement in order to successfully extract secret data. A practical demonstration will be shown to illustrate the key aspects mentioned during this lecture.
Adversarial attacks aim to deceive ML systems by leading them to make wrong decisions, for instance by learning the necessary information about a classifier, by directly modifying the model, or by causing inputs to be misclassified. Adversarial ML [1,2] studies these attacks and the defenses created against them. Introducing adversarial examples into ML systems is a specific type of sophisticated and powerful attack, where additional and sometimes specially crafted or modified inputs are provided to the system with the intent of being misclassified by the model as legitimate, as in the case of misclassification attacks [2] and the adversarial classifier reverse engineering learning problem [3]. Another class of adversarial attacks is constructed to infer membership [4,5], where the adversary's goal is to decide whether a given data sample was included in the training dataset of the targeted ML model.
A common solution that may be tailored to counter each of these different types of adversarial attacks is offered by differential privacy (DP) [6], which is a stochastic measure of privacy and is now used in conjunction with ML algorithms to guarantee the privacy of individual users while handling large datasets. DP has furthermore been used to develop practical methods for protecting private user data at the moment users provide information to the ML system. In this case, the use of a differentially private measure aims to maintain the accuracy of the ML model without incurring a cost to the privacy of individual participants. A mechanism is said to be differentially private if the level of privacy of its users and the output of the mechanism remain unaltered, even when any of the participants decides to submit or remove their personal information from the statistical dataset.
This tutorial delivers an extensive summary on the theory of DP along with its properties as well as some examples of its use in practice to shield a chosen set of ML algorithms from a number of different adversarial attacks.
[1] A.D. Joseph, B. Nelson, B.I.P. Rubinstein, and J.D. Tygar, "Adversarial Machine Learning", Cambridge University Press, 2018.
[2] J. Giraldo, A.A. Cardenas, M. Kantarcıoğlu and J. Katz, "Adversarial Classification under Differential Privacy", Network and Distributed Systems Security Symposium (NDSS 2020), Feb. 2020.
[3] D. Lowd and C. Meek, "Adversarial Learning", in Proceedings of the Eleventh ACM SIGKDD International Conference on Knowledge Discovery in Data Mining (KDD '05), 2005.
[4] N. Carlini, S. Chien, M. Nasr, S. Song, A. Terzis and F. Tramèr, "Membership Inference Attacks from First Principles", IEEE Symposium on Security and Privacy (SP), 2022.
[5] R. Shokri, M. Stronati, C. Song and V. Shmatikov, "Membership Inference Attacks against Machine Learning Models", IEEE Symposium on Security and Privacy (SP), 2017.
[6] C. Dwork, "Differential Privacy", Automata, Languages and Programming, pp. 1-12, 2006.
During this presentation Sonia and Cesar will give a generic introduction to differential privacy and its applicability to various applications. A second part of the presentation will focus on enforcing differential privacy for decentralised private computations in untrusted environments. Indeed, ensuring accurate and private computation in decentralized settings is challenging when no central party is trusted, communication must remain efficient, and adversaries may collude or deviate from the protocol. Existing approaches often suffer from high communication overhead or degrade in accuracy when participants drop out or behave maliciously.
This talk addresses these challenges by presenting decentralized mechanisms that achieve differential privacy with near-centralized accuracy, low communication cost, and strong robustness to dropouts and adversarial behavior.
Natural Language Processing and Semantics for Cybersecurity: challenges and approaches to deal with social network data - Nathalie Aussenac-Gilles
In this talk, I will first review some of the challenges raised by cybersecurity that require natural language processing or document processing. In the second part of the talk, I will go into more detail about the case of data and text coming from social networks. I will present state of the art techniques that deal with some of the main tasks related to this kind of data: authorship identification, fake news recognition, personal network identification, etc. I will also mention the difficulty of dealing with such data in keeping with ethics and current regulations about personal data and AI.
In this presentation, we will take a step aside to focus on the Social Science and Humanities aspect of the analysis of online malicious behavior. First, we will look at the problem of hate speech on social networks, focusing on two forms of its expression. Firstly, the use of automatic generation tools (AI tools), which make it increasingly easy to create content to reach and destabilize a large audience. Secondly, the challenges and difficulties of moderating such speech on social media, especially with regard to the increasingly sophisticated concealment strategies, which are embedded in the cultural codes of these social media. We will finally ask whether it is possible to create effective automatic moderation tools, given our observations.