Student Seminar in Statistics:
Adversarial and Robust Machine Learning

Spring semester 2019

General information

Lecturer	Peter Bühlmann
Assistants	Marco Eigenmann, Yulia Kulagina
Lectures	Mon 15-17 HG E 33.1 >>
Course catalogue data	VVZ

Course content

Abstract

Objective

After this seminar, you should know:

properties of adversarial examples

some attacks and defenses

some concepts from robust optimization and distributional robustness

other distribution shifts that can fool machine learning models in general and neural networks in particular

Content

As statistical and machine learning models are increasingly employed in many real-world applications it becomes more important to understand the vulnerabilities and robustness properties of these models. In the first part of this seminar, we will study papers relating to adversarial examples, covering their properties, various attacks and defenses. In the second part of the course, we will review other types of distribution shifts, posing significant challenges for state-of-the-art machine learning models. Some parts of the seminar will be devoted to implementing these methods in python.

Prerequisites

We require at least one course in statistics or machine learning and basic knowledge in computer programming. Some background knowledge in deep learning is helpful but not strictly required. Topics will be assigned during the first meeting.

Literature

The content of the seminar will be based on a mix of a textbook and papers.
The textbook: Deep Learning by Ian Goodfellow, Yoshua Bengio and Aaron Courville , MIT Press, 2016
The papers are listed on the Course materials and schedule page.

Announcements

28.01.2019

Course materials and schedule

Week	Topic	Outline	Slides/R-code
Week 1 (18/02/2019)	Deep Feedforward Networks (Textbook, Chapter 6) Students: Zheng Chen Man, Tim De Ryck Assistant: Marco, Yulia	Learning XOR Gradient-Based Learning Hidden Units Architecture Design Back-Propagation and Other Differentiation Algorithms	Slides
Week 2 (25/02/2019)	Regularization for Deep Learning (Textbook, Chapter 7) Students: Hongkyu Kim, Janosch Ott Assistants: Marco, Yulia	Norm Penalties as Constrained Optimization Dataset Augmentation Noise Robustness Parameter Tying and Parameter Sharing Bagging and Other Ensemble Methods Adversarial Training Tangent Distance, Tangent Prop, and Manifold Tangent Classifier	Notes
Week 3 (04/03/2019)	Optimization for Training Deep Models (Textbook, Chapter 8) Students: Tobias Ruckstuhl, Fabian Patronic Assistants: Marco, Yulia	Learning vs. Pure Optimization Basic Algorithms Parameter Initialization Strategies Algorithms with Adaptive Learning Rates Approximate Second-Order Methods Optimization Strategies and Meta-Algorithms	Slides Code
Week 4 (11/03/2019)	Convolutional Networks (Textbook, Chapter 9) Students: Valeria Ambrosio, Pierfrancesco Beneventano Assistants: Marco, Yulia	Convolution and Pooling as an Infinitely Strong Prior Variants of the Basic Convolution Function Structured Outputs Efficient Convolution Algorithms Random or Unsupervised Features The Neuroscientific Basis for Convolutional Networks	Slides
Week 5 (18/03/2019)	Tutorial: Adversarial Robustness - Theory and Practice (Chapter 1: Introduction to Adversarial Robustness & Chapter 2: Linear Models) Students: Felix Schur, Vanessa Piccolo Assistants: Marco, Yulia	Creating an Adversarial Example Using PyTorch Targeted Attacks Adversarial Robustness and Training Binary Classification Example	Slides
Week 6 (25/03/2019)	Tutorial: Adversarial Robustness - Theory and Practice (Chapter 3: Adversarial Examples, Solving the Inner Maximization & Chapter 4: Adversarial Training, Solving the Outer Minimization) Students: Niclas Küpper, Dominique Heyn Assistants: Marco, Yulia	Strategies for the Inner Maximization Lower Bounding the Inner Maximization Certifying Robustness Upper bounding the Inner Maximization (Convex Relaxations) Adversarial Training with Adversarial Examples Evaluating Robust Models	Slides
Week 7 (01/04/2019)	Recommended papers: Evasion Attacks against Machine Learning at Test Time Intriguing properties of neural networks Explaining and Harnessing Adversarial Examples Students: Lilian Müller, Caroline Ronner Assistants: Marco, Yulia	Existence of Adversarial Examples for Linear Models Linear Perturbation for Non-linear Models Adversarial Training of a Linear Model: Logistic Regression Adversarial Training of DNNs Why do Adversarial Examples Generalize?	Slides
Week 8 (15/04/2019)	Attacks Recommended papers: The Limitations of Deep Learning in Adversarial Settings DeepFool: a simple and accurate method to fool deep neural networks Towards Evaluating the Robustness of Neural Networks Students: Philippe Cathrein, Robin Hodel Assistants: Marco, Yulia	Robustness of a Classifier The DeepFool Algorithm	Slides
Week 9 (29/04/2019)	Transferability Recommended papers: Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples Delving into Transferable Adversarial Examples and Black-box Attacks Universal adversarial perturbations Students: Yll Haziri, Raphael Oberli Assistants: Marco, Yulia	... ...	Slides
Week 10 (06/05/2019)	Detecting Adversarial Examples Recommended papers: On Detecting Adversarial Perturbations Detecting Adversarial Samples from Artifacts Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods Students: Robert Stoy, Philipp Schenkel Assistants: Marco, Yulia	... ...	Slides
Week 11 (13/05/2019)	Physical-World Attacks Recommended papers: Adversarial Examples in the Physical World Synthesizing Robust Adversarial Examples Robust Physical-World Attacks on Deep Learning Models Students: Ivo Seitz, Belinda Müller Assistants: Marco, Yulia	... ...	Slides
Week 12 (20/05/2019)	Verification Recommended papers: Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks Certifying Some Distributional Robustness with Principled Adversarial Training Students: Kevin Doninelli, Eduardas Lazebnyj Assistants: Marco, Yulia	... ...	Slides
Week 13 (27/05/2019)	Defences Recommended papers: Learning Models with Uniform Performance via Distributionally Robust Optimization Adversarially Robust Generalization Requires More Data Students: Mingqi Wu, Danish Kashaev Assistants: Marco, Yulia	... ...	Slides

FAQ

What are the requirements for passing the student seminar?
(1) One well-prepared presentation on an assigned topic (you will be working in teams of two on this project).
To prepare the presentation you will have to read the proposed papers on the topic, understand the material, make a good, meaningful summary and present the topic to your fellow students.
(2) Attendance and active participation during the seminar, including but not limited to asking relevant questions, providing clarifications, getting involved in discussions following the presentations.
What is the role of the assistants in the presentation preparation?
The preparation of the presentation implies a lot of self-study. However you will be able to meet with the assistants to discuss the content of your talk. The seminar framework allows for 2 such meetings.
The first meeting takes place 2 weeks before your presentation and assumes that you have read the material and made an effort to understand it. During this meeting you will discuss the contents of your presentation (what to cover in more detail, on which examples to concentrate and what to leave out). You can also ask questions on the material. It might happen that not all of your questions will be anwered, as TAs are not experts in these topics. If some of your questions stay unresolved, don't be afraid to bring up these questions during your presentaion and we will try to work out the answer all together. After all, the seminar provides a platform, where we all can learn from one another by sharing knowledge and experience.
The second meeting takes place 1 week prior to the presentation. During this meeting you can still ask whatewer is left unclear and to go over the presentation draft.
What should a good presentation encompass?
Your presentation should give a clear idea about the topic you have been assigned for. The contents and structure of the talk strongly depends on the topic.
But here are some general tips:
(1) Don't make your talk too technical and too theoretical. For the limited amount of time you have you will not be able to cover all details. Try to state the main ideas and intuition as clearly as possible.
(2) Try to be creative, use visualizations and examples.
Trying to implement ideas outlined in the papers using any programming software is highly welcome but not obligatory. It will contribute to your knowledge and understanding and will make your presentation more "alive" and add personal touch to it.
(3) Find the things you personally find partcularly interesting and share them with your peers.

Here is a guideline on making presentations from the previous seminar.
How long should the presentation be?
The total presentation time should not exceed 50 minutes (i.e. around 20-25 minutes per person). We advise you to split the presentation in two approximately equal parts. Make sure to practice your talk so that you don't go over your time!
Should I use a template for my slides?
You can use any template you like. We recommend using one of the ETH presentation templates. Note that LaTeX templates are also available among these templates. We encourage you to use them.