Machine Learning for Systems and Network Security

A.Y. 2026/2027
6
Max ECTS
42
Overall hours
SSD
INFO-01/A
Language
Italian
Learning objectives
The course aims to provide students with in-depth skills in applying machine learning within the context of cybersecurity, exploring its applications, benefits, limitations, and future prospects. In particular, the curriculum seeks to convey the theoretical and practical principles of malware analysis and to highlight the challenges related to dataset size and diversity, model generalization, and the phenomenon of concept drift. Students will also delve into attack and defense techniques in the realm of adversarial machine learning by studying real-world scenarios.
Expected learning outcomes
By the end of the course, students will be able to design and implement machine learning pipelines for malware analysis and classification—managing imbalanced datasets, performing static and dynamic analysis, and addressing concept drift—critically evaluate the limitations and potentials of security models (overfitting, bias, generalization), develop and apply countermeasures against adversarial attacks (white-box and black-box) through retraining, ensembling, and model hardening strategies, integrate advanced authentication techniques, and leverage Large Language Models for reverse engineering and defensive code generation.
Single course

This course cannot be attended as a single course. Please check our list of single courses to find the ones available for enrolment.

Course syllabus and organization

Single session

Responsible
Lesson period
Third four month period
Course syllabus
- Introduction to Machine Learning for Cybersecurity.
- Android malware feature extraction and representation (DREBIN).
- Malware classification using Support Vector Machines (SVM).
- Explainable AI and interpretation of machine learning decisions.
- Adversarial Machine Learning and attacks against classifiers.
- Evaluation metrics: Confusion Matrix, ROC Curve, and Precision-Recall Curve.
- Experimental biases and best practices in malware detector evaluation.
- Concept Drift and time-aware evaluation with TESSERACT.
- Training set tuning and decision threshold selection.
- Continuous Learning for Android malware detection.
- Active Learning for informative sample selection.
- Contrastive Learning and embedding-based malware representation.
- Hierarchical Contrastive Learning and Pseudo Loss for model retraining.
- Critical analysis of state-of-the-art Android malware detection approaches.
- Hands-on Python laboratories and implementation of machine learning techniques for malware analysis.
Prerequisites for admission
- Basic knowledge of machine learning, including the main supervised and unsupervised algorithms, as well as concepts such as overfitting, underfitting, and model validation.

- Fundamental programming skills, preferably in Python.

- Introductory knowledge of cybersecurity, including malware, networks, vulnerabilities, and attack/defense models.

- Familiarity with basic statistical concepts (distributions, probability, mean, variance) useful for model evaluation.
Teaching methods
The course includes a combination of:

- Lectures for the introduction and in-depth exploration of theoretical concepts related to machine learning and cybersecurity.

- Practical demonstrations, aimed at applying the techniques learned to real or simulated datasets.

- Case study analysis, with examples drawn from real-world attack and defense scenarios in the context of adversarial machine learning.

The teaching approach promotes active learning, problem solving, and the ability to work in interdisciplinary contexts.
Teaching Resources
- "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket", NDSS, 2014.
- "Do's and Don'ts of Machine Learning in Computer Security", ACM CCS, 2019.
- "TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time", USENIX Security, 2019.
- "Continuous Learning for Android Malware Detection", USENIX Security, 2023.
- "TRANSCEND: Detecting Concept Drift in Malware Detection Using Conformal Prediction", USENIX Security, 2021.
Selected scientific papers and lecture notes provided during the course.
Python notebooks and laboratory material developed by the instructor.
Scikit-learn and PyTorch official documentation (laboratory activities).
Assessment methods and Criteria
Written exam or final oral examination, aimed at evaluating the understanding of theoretical concepts covered in the course, including machine learning techniques, data-related challenges, and aspects of adversarial machine learning.

The final grade will take into account the following criteria:

- Mastery of theoretical content

- Ability to apply knowledge to real-world scenarios

- Clarity of communication and autonomy during discussion
INFO-01/A - Informatics - University credits: 6
Lessons: 42 hours
Professor: Lanzi Andrea
Shifts:
Turno
Professor: Lanzi Andrea
Professor(s)