Machine Learning: Attacks and Defenses


Semester: Winter 2018/2019
Course type: Block Seminar
Lecturer: Prof. Dr. Konrad Rieck
Audience: Informatik Master
Credits: 5 ECTS
Hours: 2
Language: English or German
Capacity: max. 6 Students
Room: BRICS 107/108


 Date              Step
 16.10.2018 16:00  Kickoff meeting, assignment of topics in SN22.2
 November          Arrange appointment with assistant
 10.12.2018        Submit final paper proposal
 21.12.2018        Submit review of two fellow students
 10.01.2019        Submit camera-ready version of your paper
 24.01-25.01       Presentation in BRICS 107/108


This seminar deals with the exciting topic of machine learning and artificial intelligence. Machine learning is increasingly used in security-critical applications, such as autonomous driving, face recognition and malware detection. Most learning methods, however, have not been designed with security in mind and are thus vulnerable to different types of attacks.

An attacker, for instance, can mislead a spam classifier by using synonyms or slightly modified words when writing spam emails. Similarly, an attacker may attach stickers to stop signs such that autonomous cars misread the signs and do not stop.

In this seminar, we study the field of adversarial machine learning: we discuss attacks against learning methods, analyze corresponding defenses and investigate their impact on real-world systems.


This seminar is organized together with two other seminars that also deal with machine learning:

Through this collaboration, you will not only learn more about machine learning attacks and defenses, but also get an impression of the wide range of machine learning applications, problems and techniques.


The seminar is organized like a real academic conference. You need to prepare a written paper (German or English) about the selected topic (8-10 pages in ACM Double Column Style).

After submitting your paper to our conference system, you will write two short reviews of papers submitted by students from the other institutes. In this way, you give them feedback on how to improve their paper. You will then have time to improve your own final paper using the reviews you receive from the others.

Last but not least, we will hold a small conference with all participants from each of the three seminars. You will give a 20-25 minute talk about your paper, and we will provide drinks and pizza to enjoy during the talks at our small conference.

Seminar Topics

Possible topics are:

  • Deep Learning Trojans and Poisoning
  • Generative Adversarial Networks (GANs)
  • Attacks Against State-of-the-art Face Recognition Systems
  • Perturbation Attacks on Speech Recognition Systems
  • Evasion of Android Malware-Classifiers
  • Membership Inference: Machine Learning Against Machine Learning

  last changed 07.11.2018