Security & Privacy of AI: Challenges & Solutions for Machine-Learning Applications

8-17 September 2021, Leuven & online
KU Leuven, Strategic Research Programme ‘Cybersecurity Research’

Modules of the course

1 : Introduction

This module is an overall course introduction, sketching all the facets and aspects of securing a system or service in general, and of a data driven application based on ML in particular. Each of the major course modules will be briefly introduced and motivated.

2 : Security and Privacy (S&P) Engineering

Module 2A

Covering S&P requirements amounts to running a significant security project, and running it efficiently. There is no such thing as the ultimate approach, but rather a range of measures and activities that can be applied to strengthen the S&P posture. These can be applied at the level of requirements and specification, at the level of coding, in security testing, etc. This module covers the overall landscape and zooms into some of the most promising techniques.

Relevant themes of this session include:

  • Threat modeling and risk assessment
  • Architectures and blueprints
  • Regulations and compliance

Module 2B

Security and privacy requirements are typically not only of a technical nature, they also and largely emerge from the demand to be compliant with policies and regulations. In the second module of Security & Privacy Engineering, we zoom into the most relevant regulations and discuss how we can work towards compliance. In addition, we discuss how this concern can be addressed as an integrated part of the overall development and engineering process.

3 : Cryptography: basic and advanced techniques

Many protection techniques and technologies are at hand. It goes without saying that cryptography is an essential building block at the heart of data protection, and thus essential for the delivery of S&P requirements. The machine learning pipeline needs protection of training data, production data and models. This challenging environment demands fairly advanced techniques.

Module 3A

In the module Cryptography I, we revisit the basics of cryptography to make sure that all attendees can refresh their existing knowledge of the subject matter.

Module 3B

In the module Advanced Cryptography and Data Protection, we elaborate on the most recent advances and techniques that can contribute to securing advanced data sharing in distributed AI. Relevant themes of this session include:

  • Data storage in the new century
  • Data processing: an overview of cryptographic protection
    • MPC intro and applications
    • FHE state-of-the-art and implications
  • Protection of data in motion

4 : Security and privacy posture of a Machine Learning architecture

In this module, we revisit the architecture and operational environment of a machine learning application and analyze the value of the contributions of known security techniques. Relevant themes of this session include:

  • Attack surface: data, model, process and data flow
  • Threat modeling for AI and known challenges
  • Adversaries and their capabilities
  • Architectural and algorithmic defenses
  • Security and privacy challenges in Federated Machine Learning

5 : Adversarial Machine Learning

In this module, we zoom into the specific challenge of achieving robustness and reliability when facing adversaries that attempt to fool the ML application by feeding perturbed data into, e.g., a classifier. This type of attack is typical of an ML environment and deserves significant attention. Relevant themes of this session include:

  • Vulnerabilities in ML systems; overview of ML specific attacks
  • Protection against adversarial examples
  • Evaluation and robustness of solutions
  • Privacy aspects

6 : Case studies

In this module, we discuss and analyze some case studies and apply the know-how of this course to a specific application, for example in the context of authentication systems. Relevant themes of this session include:

  • Face recognition revisited
  • Biometrics and challenges
  • Anomaly detection

7 : Workshop

In this module, we organize – if so desired – interactive workshops with smaller groups of attendees who share an interest in a common application domain. The goal is to validate which elements of the course can be applied to an application domain or case that is well understood by a team of course attendees. The practical approach and organization of this last module will depend on the engagement and input provided by the participants.

* Course topics may vary slightly from the above agenda.


  • Coordinators: Davy Preuveneers (DistriNet), Wouter Joosen (DistriNet) and Bart Preneel (COSIC).
  • Lecturers: Wouter Joosen, Davy Preuveneers, Bart Preneel, Nigel Smart, Dimitri Van Landuyt, Pierre Dewitte, Tim Van hamme, from the KU Leuven research groups DistriNet, COSIC, and CiTiP.


  • 8-17 September 2021
  • KU Leuven, Celestijnenlaan 200K, Heverlee, Aula 200K 00.06
    Most courses can also be followed online.
  • Language: English
  • Target audience: Researchers of the AI and Cybersecurity programme who study, design and develop applications of machine learning in digital services.


  • Price: free

Ready to get started?

Find all the necessary information & register at the dedicated page at KU Leuven