Student Seminar in Statistics:
Adversarial and Robust Machine Learning

Spring semester 2019

General information

Lecturer Peter Bühlmann
Assistants Marco Eigenmann, Yulia Kulagina
Lectures Mon 15-17 HG E 33.1 >>
Course catalogue data VVZ

Course content


As statistical and machine learning models are increasingly employed in many real-world applications it becomes more important to understand the vulnerabilities and robustness properties of these models. In the first part of this seminar, we will study papers relating to adversarial examples. In the second part of the course, we will review other types of distribution shifts.


After this seminar, you should know:

  • properties of adversarial examples
  • some attacks and defenses
  • some concepts from robust optimization and distributional robustness
  • other distribution shifts that can fool machine learning models in general and neural networks in particular
  • Content

    As statistical and machine learning models are increasingly employed in many real-world applications it becomes more important to understand the vulnerabilities and robustness properties of these models. In the first part of this seminar, we will study papers relating to adversarial examples, covering their properties, various attacks and defenses. In the second part of the course, we will review other types of distribution shifts, posing significant challenges for state-of-the-art machine learning models. Some parts of the seminar will be devoted to implementing these methods in python.


    We require at least one course in statistics or machine learning and basic knowledge in computer programming. Some background knowledge in deep learning is helpful but not strictly required. Topics will be assigned during the first meeting.


    The content of the seminar will be based on a mix of a textbook and papers.
    The textbook: Deep Learning by Ian Goodfellow, Yoshua Bengio and Aaron Courville , MIT Press, 2016
    The papers are listed on the Course materials and schedule page.


      Welcome to the website of the course "Student Seminar in Statistics: Adversarial and Robust Machine Learning"!
      The first class will take place on Monday, February 18th 2019.
      We are looking forward to seeing you!

    Course materials and schedule

    Week Topic Outline Slides/R-code
    Week 1 (18/02/2019) Deep Feedforward Networks
    (Textbook, Chapter 6)
    • Students: Zheng Chen Man, Tim De Ryck
    • Assistant: Marco, Yulia
    • Learning XOR
    • Gradient-Based Learning
    • Hidden Units
    • Architecture Design
    • Back-Propagation and Other Differentiation Algorithms
    Week 2 (25/02/2019) Regularization for Deep Learning
    (Textbook, Chapter 7)
    • Students: Hongkyu Kim, Janosch Ott
    • Assistants: Marco, Yulia
    • Norm Penalties as Constrained Optimization
    • Dataset Augmentation
    • Noise Robustness
    • Parameter Tying and Parameter Sharing
    • Bagging and Other Ensemble Methods
    • Adversarial Training
    • Tangent Distance, Tangent Prop, and Manifold Tangent Classifier
    Week 3 (04/03/2019) Optimization for Training Deep Models
    (Textbook, Chapter 8)
    • Students: Tobias Ruckstuhl, Fabian Patronic
    • Assistants: Marco, Yulia
    • Learning vs. Pure Optimization
    • Basic Algorithms
    • Parameter Initialization Strategies
    • Algorithms with Adaptive Learning Rates
    • Approximate Second-Order Methods
    • Optimization Strategies and Meta-Algorithms
    Week 4 (11/03/2019) Convolutional Networks
    (Textbook, Chapter 9)
    • Students: Valeria Ambrosio, Pierfrancesco Beneventano
    • Assistants: Marco, Yulia
    • Convolution and Pooling as an Infinitely Strong Prior
    • Variants of the Basic Convolution Function
    • Structured Outputs
    • Efficient Convolution Algorithms
    • Random or Unsupervised Features
    • The Neuroscientific Basis for Convolutional Networks
    Week 5 (18/03/2019) Tutorial: Adversarial Robustness - Theory and Practice
    (Chapter 1: Introduction to Adversarial Robustness & Chapter 2: Linear Models)
    • Students: Felix Schur, Vanessa Piccolo
    • Assistants: Marco, Yulia
    • Creating an Adversarial Example Using PyTorch
    • Targeted Attacks
    • Adversarial Robustness and Training
    • Binary Classification Example
    Week 6 (25/03/2019) Tutorial: Adversarial Robustness - Theory and Practice
    (Chapter 3: Adversarial Examples, Solving the Inner Maximization & Chapter 4: Adversarial Training, Solving the Outer Minimization)
    • Students: Niclas Küpper, Dominique Heyn
    • Assistants: Marco, Yulia
    • Strategies for the Inner Maximization
    • Lower Bounding the Inner Maximization
    • Certifying Robustness
    • Upper bounding the Inner Maximization (Convex Relaxations)
    • Adversarial Training with Adversarial Examples
    • Evaluating Robust Models
    Week 7 (01/04/2019) Recommended papers:
    Evasion Attacks against Machine Learning at Test Time
    Intriguing properties of neural networks
    Explaining and Harnessing Adversarial Examples
    • Students: Lilian Müller, Caroline Ronner
    • Assistants: Marco, Yulia
    • Existence of Adversarial Examples for Linear Models
    • Linear Perturbation for Non-linear Models
    • Adversarial Training of a Linear Model: Logistic Regression
    • Adversarial Training of DNNs
    • Why do Adversarial Examples Generalize?
    Week 8 (15/04/2019) Attacks
    Recommended papers:
    The Limitations of Deep Learning in Adversarial Settings
    DeepFool: a simple and accurate method to fool deep neural networks
    Towards Evaluating the Robustness of Neural Networks
    • Students: Philippe Cathrein, Robin Hodel
    • Assistants: Marco, Yulia
    • Robustness of a Classifier
    • The DeepFool Algorithm
    Week 9 (29/04/2019) Transferability
    Recommended papers:
    Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
    Delving into Transferable Adversarial Examples and Black-box Attacks
    Universal adversarial perturbations
    • Students: Yll Haziri, Raphael Oberli
    • Assistants: Marco, Yulia
    • ...
    • ...
    Week 10 (06/05/2019) Detecting Adversarial Examples
    Recommended papers:
    On Detecting Adversarial Perturbations
    Detecting Adversarial Samples from Artifacts
    Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods
    • Students: Robert Stoy, Philipp Schenkel
    • Assistants: Marco, Yulia
    • ...
    • ...
    Week 11 (13/05/2019) Physical-World Attacks
    Recommended papers:
    Adversarial Examples in the Physical World
    Synthesizing Robust Adversarial Examples
    Robust Physical-World Attacks on Deep Learning Models
    • Students: Ivo Seitz, Belinda Müller
    • Assistants: Marco, Yulia
    • ...
    • ...
    Week 12 (20/05/2019) Verification
    Recommended papers:
    Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks
    Certifying Some Distributional Robustness with Principled Adversarial Training
    • Students: Kevin Doninelli, Eduardas Lazebnyj
    • Assistants: Marco, Yulia
    • ...
    • ...
    Week 13 (27/05/2019) Defences
    Recommended papers:
    Learning Models with Uniform Performance via Distributionally Robust Optimization
    Adversarially Robust Generalization Requires More Data
    • Students: Mingqi Wu, Danish Kashaev
    • Assistants: Marco, Yulia
    • ...
    • ...


    1. What are the requirements for passing the student seminar?

      (1) One well-prepared presentation on an assigned topic (you will be working in teams of two on this project).
      To prepare the presentation you will have to read the proposed papers on the topic, understand the material, make a good, meaningful summary and present the topic to your fellow students.
      (2) Attendance and active participation during the seminar, including but not limited to asking relevant questions, providing clarifications, getting involved in discussions following the presentations.

    2. What is the role of the assistants in the presentation preparation?

      The preparation of the presentation implies a lot of self-study. However you will be able to meet with the assistants to discuss the content of your talk. The seminar framework allows for 2 such meetings.
      The first meeting takes place 2 weeks before your presentation and assumes that you have read the material and made an effort to understand it. During this meeting you will discuss the contents of your presentation (what to cover in more detail, on which examples to concentrate and what to leave out). You can also ask questions on the material. It might happen that not all of your questions will be anwered, as TAs are not experts in these topics. If some of your questions stay unresolved, don't be afraid to bring up these questions during your presentaion and we will try to work out the answer all together. After all, the seminar provides a platform, where we all can learn from one another by sharing knowledge and experience.
      The second meeting takes place 1 week prior to the presentation. During this meeting you can still ask whatewer is left unclear and to go over the presentation draft.

    3. What should a good presentation encompass?

      Your presentation should give a clear idea about the topic you have been assigned for. The contents and structure of the talk strongly depends on the topic.
      But here are some general tips:
      (1) Don't make your talk too technical and too theoretical. For the limited amount of time you have you will not be able to cover all details. Try to state the main ideas and intuition as clearly as possible.
      (2) Try to be creative, use visualizations and examples.
      Trying to implement ideas outlined in the papers using any programming software is highly welcome but not obligatory. It will contribute to your knowledge and understanding and will make your presentation more "alive" and add personal touch to it.
      (3) Find the things you personally find partcularly interesting and share them with your peers.

      Here is a guideline on making presentations from the previous seminar.

    4. How long should the presentation be?

      The total presentation time should not exceed 50 minutes (i.e. around 20-25 minutes per person). We advise you to split the presentation in two approximately equal parts. Make sure to practice your talk so that you don't go over your time!

    5. Should I use a template for my slides?

      You can use any template you like. We recommend using one of the ETH presentation templates. Note that LaTeX templates are also available among these templates. We encourage you to use them.