Course Title: Robust Machine Learning
Instructor: Arjun Bhagoji
TA: Mohamad Hassan N C (mohamad.hassan@iitb.ac.in)
Time: Wednesday, Friday 9.30-11.00am
Room: LT103
Office Hours: 4-5pm on Wednesdays, CC120
Course Description
Progress in machine learning is often measured under controlled, well understood conditions. However, safety-critical workflows in realistic settings require ML systems to be reliable even when faced with new and unexpected conditions. Sufficiently adverse conditions may violate the statistical assumptions underlying common ML models, causing undesirable behavior. This undesirable behavior manifests along the following three dimensions:
- Robustness: Lack of robustness to unseen and adversarial inputs
- Privacy: Leakage of private data or model parameters, and
- Fairness: Uneven performance across subpopulations.
This course will equip students to, on the theoretical front, rigorously reason about conditions under which unreliable behavior occurs, and on the practical side, use these insights to build reliable ML systems. While the course will cover all three aspects, the focus will largely be on robustness, with lighter treatment of the other two aspects.
Intended Audience: The intended audience for this class is graduate students working in machine learning and data science, who are interested in doing research in this area. However, interested undergraduates (3rd year and higher) are welcome to attend as well.
Pre-requisites: Mathematical maturity will be assumed, as will the basics of algorithms, probability, linear algebra, and optimization. An introductory course in machine learning should have been taken. For the project component, familiarity with scientific programming in Python and the use of libraries such as NumPy and PyTorch will be beneficial.
Course Schedule
Week | Date (Day) | Topic | References | Notes | Comments |
---|---|---|---|---|---|
1 | 30/07 (Wed) | Course Outline, Supervised Learning Recap | Podcast on Note-taking, Section 3 of Percy Liang’s Lecture Notes on SLT, Selected Material from Chapters 2, 3, 4, 5, 12 of Understanding Machine Learning, 3.1 from Convex Optimization: Algorithms and Complexity | | |
1 | 01/08 (Fri) | Unsupervised learning for anomaly detection | A unifying review of deep and shallow anomaly detection, Chapter 8 of Learning with Kernels | | Start of Module 1 on Robustness |
2 | 06/08 (Wed) | Modern approaches to out-of-distribution detection | A Unified Survey on Anomaly, Novelty, Open-Set, and Out-of-Distribution Detection: Solutions and Future Challenges | | |
2 | 08/08 (Fri) | Formalizing distributionally robust optimization and robust statistics | Distributionally Robust Optimization and Robust Statistics | | |
3 | 13/08 (Wed) | Robust mean estimation | Recent Advances in Algorithmic High-Dimensional Robust Statistics | | Project Milestone 0: Project groups due |
3 | 15/08 (Fri) | Independence Day | | | |
4 | 20/08 (Wed) | Learning with label noise | Learning with Noisy Labels | | |
4 | 22/08 (Fri) | Poisoning attacks | Machine Learning Security against Data Poisoning: Are We There Yet?, Poisoning Attacks against Support Vector Machines | | |
5 | 27/08 (Wed) | Defenses against poisoning attacks | Stronger Data Poisoning Attacks Break Data Sanitization Defenses, Planting Undetectable Backdoors in Machine Learning Models | | Ganesh Chaturthi (Makeup TBD) |
5 | 29/08 (Fri) | Adversarial examples | Intriguing Properties of Neural Networks, Towards Evaluating the Robustness of Neural Networks, Delving into Transferable Adversarial Examples and Black-box Attacks, Square Attack: a query-efficient black-box adversarial attack via random search | | |
6 | 03/09 (Wed) | Jailbreaking or adversarial examples by any other name | Jailbreaking LLMs and Agentic Systems | | Quiz (Tentative) |
6 | 05/09 (Fri) | (Empirical) Defenses against adversarial examples | Towards Deep Learning Models Resistant to Adversarial Attacks, Theoretically Principled Trade-off between Robustness and Accuracy | | id-E-Milad (Makeup TBD) |
7 | 10/09 (Wed) | Learning with adversarial examples: Optimal robust loss | Adversarial Risk via Optimal Transport and Optimal Couplings, Lower Bounds on Cross-Entropy Loss in the Presence of Test-time Adversaries | | |
7 | 12/09 (Fri) | Learning with adversarial examples: Generalization bounds | Rademacher Complexity for Adversarially Robust Generalization | | Project Milestone 1: Idea pitch to instructor |
8 | 17/09 (Wed) | Mid-Semester Week | | | |
8 | 19/09 (Fri) | Mid-Semester Week | | | |
9 | 24/09 (Wed) | Verified robust training: Exact certification [Guest Lecture: Prof. Supratik Chakraborty (CSE, IITB)] | | | |
9 | 26/09 (Fri) | Verified robust training: Convex relaxations | Provable Defenses via the Convex Outer Adversarial Polytope, Certified Defenses against Adversarial Examples | | End of Module 1 on Robustness |
10 | 01/10 (Wed) | Buffer for Module 1 | | | |
10 | 03/10 (Fri) | Privacy attacks on ML Models | Enhanced Membership Inference Attacks against Machine Learning Models, Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing, High-Fidelity Extraction of Neural Network Models | | Start of Module 2 on Privacy |
11 | 08/10 (Wed) | Differential Privacy and Private training of ML models [Guest Lecture: Prof. Krishna Pillutla (DSAI, IITM)] | | | |
11 | 10/10 (Fri) | Decentralized learning [Guest Lecture: Prof. Pranay Sharma (C-MInDS, IITB)] | | | Project Milestone 2: Progress update |
12 | 15/10 (Wed) | Privacy-robustness tradeoffs: Attacks on decentralized learning | A Little Is Enough: Circumventing Defenses For Distributed Learning, Analyzing federated learning through an adversarial lens | | |
12 | 17/10 (Fri) | Buffer for Module 2 | The Hidden Vulnerability of Distributed Learning in Byzantium | | End of Module 2 on Privacy |
13 | 22/10 (Wed) | Bias in ML Models | Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification, Men Also Like Shopping: Reducing Gender Bias Amplification using Corpus-level Constraints | | Start of Module 3 on Fairness and Explainability |
13 | 24/10 (Fri) | Fairness Definitions | Tutorial: 21 fairness definitions and their politics, Fairness and machine learning, Chapter 3 | | |
14 | 29/10 (Wed) | Fair training of ML models | A Reductions Approach to Fair Classification | | |
14 | 31/10 (Fri) | Interpretability techniques: classical and modern | Understanding Black-box Predictions via Influence Functions, “Why Should I Trust You?”: Explaining the Predictions of Any Classifier | | |
15 | 05/11 (Wed) | Challenges with interpretability | Interpretation of Neural Networks is Fragile, Impossibility Theorems for Feature Attribution | | End of Module 3 on Fairness and Explainability, Guru Nanak’s Birthday (Makeup TBD) |
15 | 07/11 (Fri) | Towards responsible AI models | Fawkes: Protecting Privacy against Unauthorized Deep Learning Models, Glaze: Protecting Artists from Style Mimicry by Text-to-Image Models, Algorithmic Collective Action in Machine Learning, MultiRobustBench: Benchmarking Robustness Against Multiple Attacks | | |
Resources
Supplementary Books
- Understanding Machine Learning: From Theory to Algorithms
- All of Statistics
- Mathematics for Machine Learning
- Convex Optimization: Algorithms and Complexity
- Convex Optimization
Similar Courses
- Jerry Li’s course
- Jacob Steinhardt’s course
- Scribe notes
Other references mentioned in class
- Lecture 1: Feldman 2012, Agnostic Learning of Halfspaces is Hard; Bartlett et al., Convexity, Classification, and Risk Bounds
Grading (Tentative)
Best 2 out of 3 exams: 40%
Final project: 40% (Project presentations will be held at mutually convenient times between 10/11/2025 and 26/11/2025)
Scribing: 10% (Scribes are due one week after the lecture; sign up here)
Class participation: 10%
Attendance Policy
4 unexplained absences are allowed. Any absences beyond that require instructor permission.
Accommodations
Students with disabilities and health issues should approach the instructor at any point during the semester to discuss accommodations. The course aim is to learn together and legitimate bottlenecks will be resolved collaboratively.