Student Seminar in Statistics:
Adversarial and Robust Machine Learning
Spring semester 2019
General information
Lecturer: Peter Bühlmann
Assistants: Marco Eigenmann, Yulia Kulagina
Lectures: Mon 15-17, HG E 33.1
Course catalogue data: VVZ
Course content
Abstract: As statistical and machine learning models are increasingly employed in many real-world applications, it becomes more important to understand the vulnerabilities and robustness properties of these models. In the first part of this seminar, we will study papers relating to adversarial examples. In the second part of the course, we will review other types of distribution shifts.
Objective: After this seminar, you should know:
As statistical and machine learning models are increasingly employed in many real-world applications, it becomes more important to understand the vulnerabilities and robustness properties of these models. In the first part of this seminar, we will study papers relating to adversarial examples, covering their properties, various attacks and defenses. In the second part of the course, we will review other types of distribution shifts, which pose significant challenges for state-of-the-art machine learning models. Some parts of the seminar will be devoted to implementing these methods in Python.
Prerequisites: We require at least one course in statistics or machine learning and basic knowledge of computer programming. Some background knowledge in deep learning is helpful but not strictly required. Topics will be assigned during the first meeting.
Literature
The content of the seminar will be based on a mix of a textbook and papers.
The textbook:
Deep Learning by Ian Goodfellow, Yoshua Bengio and Aaron Courville, MIT Press, 2016
The papers are listed on the Course materials and schedule page.
Announcements
28.01.2019
Welcome to the website of the course "Student Seminar in Statistics: Adversarial and Robust Machine Learning"!
The first class will take place on Monday, February 18th 2019.
We are looking forward to seeing you!
Course materials and schedule
Week, date and topic (slides and R code were linked from the original table):

Week 1 (18/02/2019): Deep Feedforward Networks (Textbook, Chapter 6)
Week 2 (25/02/2019): Regularization for Deep Learning (Textbook, Chapter 7)
Week 3 (04/03/2019): Optimization for Training Deep Models (Textbook, Chapter 8)
Week 4 (11/03/2019): Convolutional Networks (Textbook, Chapter 9)
Week 5 (18/03/2019): Tutorial "Adversarial Robustness - Theory and Practice", Chapter 1: Introduction to Adversarial Robustness, and Chapter 2: Linear Models
Week 6 (25/03/2019): Tutorial "Adversarial Robustness - Theory and Practice", Chapter 3: Adversarial Examples, Solving the Inner Maximization, and Chapter 4: Adversarial Training, Solving the Outer Minimization
Week 7 (01/04/2019): Recommended papers:
  - Evasion Attacks against Machine Learning at Test Time
  - Intriguing properties of neural networks
  - Explaining and Harnessing Adversarial Examples
Week 8 (15/04/2019): Attacks. Recommended papers:
  - The Limitations of Deep Learning in Adversarial Settings
  - DeepFool: a simple and accurate method to fool deep neural networks
  - Towards Evaluating the Robustness of Neural Networks
Week 9 (29/04/2019): Transferability. Recommended papers:
  - Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples
  - Delving into Transferable Adversarial Examples and Black-box Attacks
  - Universal adversarial perturbations
Week 10 (06/05/2019): Detecting Adversarial Examples. Recommended papers:
  - On Detecting Adversarial Perturbations
  - Detecting Adversarial Samples from Artifacts
  - Adversarial Examples Are Not Easily Detected: Bypassing Ten Detection Methods
Week 11 (13/05/2019): Physical-World Attacks. Recommended papers:
  - Adversarial Examples in the Physical World
  - Synthesizing Robust Adversarial Examples
  - Robust Physical-World Attacks on Deep Learning Models
Week 12 (20/05/2019): Verification. Recommended papers:
  - Reluplex: An Efficient SMT Solver for Verifying Deep Neural Networks
  - Certifying Some Distributional Robustness with Principled Adversarial Training
Week 13 (27/05/2019): Defences. Recommended papers:
  - Learning Models with Uniform Performance via Distributionally Robust Optimization
  - Adversarially Robust Generalization Requires More Data

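Weeks 5 and 6 cover the two halves of the robust optimization problem that the tutorial is built around: the inner maximization (find the worst-case input inside the attacker's budget) and the outer minimization (train against it). For the linear models of Chapter 2 both halves can be written out exactly, which makes a good first implementation exercise. The program below is an added illustration, not code from the seminar page or from the tutorial; it uses only the Python standard library. The data, the feature layout (one strongly informative feature plus twenty weak ones whose signal lies below the attack budget), the budget EPS = 0.35 and the training schedule are all assumptions chosen for the demo, not anything the page specifies.

```python
"""Adversarial examples and adversarial training for a linear classifier.

Added example, not code from the seminar page or the tutorial it cites.
For a linear model f(x) = w.x + b with logistic loss and an l_inf budget eps,
the inner maximization  max_{||d||_inf <= eps} loss(y * f(x + d))  has the
closed form d* = -eps * y * sign(w), so the robust loss is
loss(y * f(x) - eps * ||w||_1).  Adversarial training is gradient descent on
that robust loss, i.e. every step trains on the worst-case inputs.
Pure Python (no numpy) so it runs anywhere; all data is constructed.
"""
import math
import random

EPS = 0.35            # attacker's l_inf budget (assumed for this demo)
N_TRAIN, N_TEST = 200, 400
N_WEAK = 20           # weakly informative features, each below EPS in magnitude

def make_data(n, seed):
    """Constructed Gaussian data.  Feature 0 is strongly informative
    (mean y*1.0, sd 0.5); the N_WEAK other features are weakly informative
    (mean y*0.2, sd 0.2) and, since 0.2 < EPS, an adversary can flip them."""
    rng = random.Random(seed)
    xs, ys = [], []
    for _ in range(n):
        y = 1 if rng.random() < 0.5 else -1
        x = [y * 1.0 + rng.gauss(0.0, 0.5)]
        x += [y * 0.2 + rng.gauss(0.0, 0.2) for _ in range(N_WEAK)]
        xs.append(x)
        ys.append(y)
    return xs, ys

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def sign(t):
    return (t > 0) - (t < 0)

def logistic_loss(margin):
    """log(1 + exp(-margin)), written to avoid overflow."""
    return math.log1p(math.exp(-abs(margin))) + max(-margin, 0.0)

def worst_case_perturbation(w, y, eps=EPS):
    """Inner maximization, solved exactly for a linear model: move every
    coordinate by eps in the direction that lowers the margin y*(w.x+b)."""
    return [-eps * y * sign(wj) for wj in w]

def perturb(x, delta):
    return [xi + di for xi, di in zip(x, delta)]

def robust_loss(w, b, x, y, eps=EPS):
    """Closed-form value of the inner maximization."""
    return logistic_loss(y * (dot(w, x) + b) - eps * sum(abs(wj) for wj in w))

def train(xs, ys, adversarial, steps=200, lr=0.1, eps=EPS):
    """Full-batch gradient descent (the outer minimization).  With
    adversarial=True each step first solves the inner max for every sample
    and then differentiates the loss at those worst-case inputs; by Danskin's
    theorem this is a (sub)gradient of the robust loss."""
    d, n = len(xs[0]), len(xs)
    w, b = [0.0] * d, 0.0
    for _ in range(steps):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            if adversarial:
                x = perturb(x, worst_case_perturbation(w, y, eps))
            m = y * (dot(w, x) + b)
            g = -1.0 / (1.0 + math.exp(min(m, 500.0)))   # d loss / d margin
            for j in range(d):
                gw[j] += g * y * x[j]
            gb += g * y
        w = [wj - lr * gj / n for wj, gj in zip(w, gw)]
        b -= lr * gb / n
    return w, b

def accuracy(w, b, xs, ys, eps=0.0):
    """Clean accuracy, or (eps > 0) accuracy after the worst-case attack."""
    correct = 0
    for x, y in zip(xs, ys):
        if eps > 0:
            x = perturb(x, worst_case_perturbation(w, y, eps))
        correct += y * (dot(w, x) + b) > 0
    return correct / len(xs)

def weak_weight_share(w):
    """Fraction of ||w||_1 carried by the weak features."""
    total = sum(abs(wj) for wj in w)
    return sum(abs(wj) for wj in w[1:]) / total if total else 0.0

def inner_max_is_exact(w, b, x, y, trials=100, seed=1, eps=EPS):
    """Check the closed form: loss at x + d* equals robust_loss, and no random
    point of the l_inf ball has a larger loss."""
    rng = random.Random(seed)
    worst = logistic_loss(y * (dot(w, perturb(x, worst_case_perturbation(w, y, eps))) + b))
    if abs(worst - robust_loss(w, b, x, y, eps)) > 1e-9:
        return False
    for _ in range(trials):
        probe = [xi + rng.uniform(-eps, eps) for xi in x]
        if logistic_loss(y * (dot(w, probe) + b)) > worst + 1e-9:
            return False
    return True

def run_demo(seed=0):
    xtr, ytr = make_data(N_TRAIN, seed)
    xte, yte = make_data(N_TEST, seed + 1)
    w_std, b_std = train(xtr, ytr, adversarial=False)
    w_rob, b_rob = train(xtr, ytr, adversarial=True)
    return {
        "standard_clean": accuracy(w_std, b_std, xte, yte),
        "standard_adv": accuracy(w_std, b_std, xte, yte, eps=EPS),
        "robust_clean": accuracy(w_rob, b_rob, xte, yte),
        "robust_adv": accuracy(w_rob, b_rob, xte, yte, eps=EPS),
        "weak_share_standard": weak_weight_share(w_std),
        "weak_share_robust": weak_weight_share(w_rob),
        "inner_max_exact": inner_max_is_exact(w_std, b_std, xtr[0], ytr[0]),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k:20s} {v}")
```

Running the module prints clean and attacked test accuracy for both models plus the share of each weight vector that sits on the weak features. The comparison to look at is standard_adv against robust_adv: the standard model spreads its weight over the twenty weak features, each of which the adversary can flip within the budget, so the attack removes most of its margin, while adversarial training drives those weights towards zero and keeps the feature whose signal exceeds the budget. Because the inner maximum is exact here, the attack is not a heuristic such as a few gradient steps; for the nonlinear networks of Chapter 3 that closed form disappears and the inner maximization has to be approximated (e.g. by projected gradient ascent), which is where the evaluation pitfalls discussed in weeks 8 and 10 come from.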
FAQ
What are the requirements for passing the student seminar?
(1) One well-prepared presentation on an assigned topic (you will be working in teams of two on this project).
To prepare the presentation you will have to read the proposed papers on the topic, understand the material, make a good, meaningful summary and present the topic to your fellow students.
(2) Attendance and active participation during the seminar, including but not limited to asking relevant questions, providing clarifications, and getting involved in the discussions following the presentations.
What is the role of the assistants in the presentation preparation?
The preparation of the presentation involves a lot of self-study. However, you will be able to meet with the assistants to discuss the content of your talk. The seminar framework allows for 2 such meetings.
The first meeting takes place 2 weeks before your presentation and assumes that you have read the material and made an effort to understand it. During this meeting you will discuss the contents of your presentation (what to cover in more detail, which examples to concentrate on and what to leave out). You can also ask questions on the material. It might happen that not all of your questions will be answered, as the TAs are not experts in these topics. If some of your questions stay unresolved, don't be afraid to bring them up during your presentation and we will try to work out the answer all together. After all, the seminar provides a platform where we can all learn from one another by sharing knowledge and experience.
The second meeting takes place 1 week prior to the presentation. During this meeting you can still ask whatever is left unclear and go over the presentation draft.
What should a good presentation encompass?
Your presentation should give a clear idea of the topic you have been assigned. The contents and structure of the talk strongly depend on the topic.
But here are some general tips:
(1) Don't make your talk too technical or too theoretical. In the limited time you have you will not be able to cover all details. Try to state the main ideas and intuition as clearly as possible.
(2) Try to be creative; use visualizations and examples.
Trying to implement the ideas outlined in the papers using any programming software is highly welcome but not obligatory. It will contribute to your knowledge and understanding, make your presentation more "alive" and add a personal touch to it.
(3) Find the things you personally find particularly interesting and share them with your peers.
Here is a guideline on making presentations from the previous seminar.
How long should the presentation be?
The total presentation time should not exceed 50 minutes (i.e. around 20-25 minutes per person). We advise you to split the presentation into two approximately equal parts. Make sure to practice your talk so that you don't go over your time!
Should I use a template for my slides?
You can use any template you like. We recommend using one of the ETH presentation templates. Note that LaTeX templates are also available among these templates. We encourage you to use them.