Course Title: Robust Machine Learning
Instructor: Arjun Bhagoji
TA: Mohamad Hassan N C (mohamad.hassan@iitb.ac.in)
Time: Wednesday, Friday 9.30-11.00am
Room: LT103
Office Hours: 4.30-5.30pm on Wednesdays, CC120
Course Description
Progress in machine learning is often measured under controlled, well understood conditions. However, safety-critical workflows in realistic settings require ML systems to be reliable even when faced with new and unexpected conditions. Sufficiently adverse conditions may violate the statistical assumptions underlying common ML models, causing undesirable behavior. This undesirable behavior manifests along the following three dimensions:
- Robustness: Lack of robustness to unseen and adversarial inputs
- Privacy: Leakage of private data or model parameters, and
- Fairness: Uneven performance across subpopulations.
This course will equip students to rigorously reason, on the theoretical front, about the conditions under which unreliable behavior occurs and, on the practical side, to use these insights to build reliable ML systems. While the course will cover all three aspects, the focus will largely be on robustness, with lighter treatment of the other two.
Intended Audience: The intended audience for this class is graduate students working in machine learning and data science, who are interested in doing research in this area. However, interested undergraduates (3rd year and higher) are welcome to attend as well.
Pre-requisites: Mathematical maturity will be assumed, as will the basics of algorithms, probability, linear algebra, and optimization. An introductory course in machine learning should have been taken. For the project component, familiarity with scientific programming in Python and the use of libraries such as NumPy and PyTorch will be beneficial.
Course Schedule
Week | Date (Day) | Topic | References | Notes | Comments |
---|---|---|---|---|---|
1 | 30/07 (Wed) | Course Outline, Supervised Learning Recap | Podcast on Note-taking, Section 3 of Percy Liang’s Lecture Notes on SLT, Selected Material from Chapters 2,3,4,5,12 of Understanding Machine Learning, 3.1 from Convex Optimization: Algorithms and Complexity | Scribe Notes 1 | |
1 | 01/08 (Fri) | Supervised learning cont. +Unsupervised learning for anomaly detection | A unifying review of deep and shallow anomaly detection, Lecture Notes on Non-parametrics | Scribe Notes 2 | Start of Module 1 on Robustness |
2 | 06/08 (Wed) | Interlude: Research How-Tos | Research How-tos | | |
2 | 08/08 (Fri) | Approaches to anomaly detection | Chapter 8 of Learning with Kernels | Scribe Notes 4 | |
3 | 13/08 (Wed) | Anomaly detection wrap-up | A Unified Survey on Anomaly, Novelty, Open-Set, and Out-of-Distribution Detection: Solutions and Future Challenges | Scribe Notes 5 | |
3 | 15/08 (Fri) | Independence Day | | | |
4 | 20/08 (Wed) | Rains! | | | Project Milestone 0: Project groups due |
4 | 22/08 (Fri) | Formalizing distributionally robust optimization and robust statistics | Distributionally Robust Optimization and Robust Statistics, Chapter 2 of Computational Optimal Transport | | |
5 | 27/08 (Wed) | Ganesh Chaturthi | | | |
5 | 29/08 (Fri) | Two vignettes on distributionally robust optimization | Regularization via Mass Transportation, Variance-based Regularization with Convex Objectives | | |
6 | 03/09 (Wed) | Quiz 1 | | | |
6 | 05/09 (Fri) | Id-E-Milad | | | |
7 | 10/09 (Wed) | Poisoning attacks and defenses | Machine Learning Security against Data Poisoning: Are We There Yet?, Poisoning Attacks against Support Vector Machines, Stronger Data Poisoning Attacks Break Data Sanitization Defenses, Planting Undetectable Backdoors in Machine Learning Models | | |
7 | 12/09 (Fri) | Robust Mean Estimation | Recent Advances in Algorithmic High-Dimensional Robust Statistics | | |
8 | 17/09 (Wed) | Adversarial examples and jailbreaking | Intriguing Properties of Neural Networks, Towards Evaluating the Robustness of Neural Networks, Delving into Transferable Adversarial Examples and Black-box Attacks, Square Attack: a query-efficient black-box adversarial attack via random search, Jailbreaking LLMs and Agentic Systems | | Mid-Semester Week |
8 | 19/09 (Fri) | Learning with adversarial examples: Optimal robust loss | Adversarial Risk via Optimal Transport and Optimal Couplings, Lower Bounds on Cross-Entropy Loss in the Presence of Test-time Adversaries | | Mid-Semester Week (11-1 in LT205, LT206) |
9 | 24/09 (Wed) | Learning with adversarial examples: Generalization bounds | Rademacher Complexity for Adversarially Robust Generalization | | |
9 | 26/09 (Fri) | Verified robust training: Exact certification [Guest Lecture: Prof. Supratik Chakraborty (CSE, IITB)] | | | Project Milestone 1: Idea pitch to instructor |
9 | 27/09 (Sat) | Verified robust training: Convex relaxations | Provable Defenses via the Convex Outer Adversarial Polytope, Certified Defenses against Adversarial Examples | | Make-up 1, End of Module 1 on Robustness |
10 | 01/10 (Wed) | Quiz 2 | | | |
10 | 03/10 (Fri) | Privacy attacks on ML Models | Enhanced Membership Inference Attacks against Machine Learning Models, Privacy in Pharmacogenetics: An End-to-End Case Study of Personalized Warfarin Dosing, High-Fidelity Extraction of Neural Network Models | | Make-up 1, Start of Module 2 on Privacy |
11 | 08/10 (Wed) | Differential Privacy and Private training of ML models [Guest Lecture: Prof. Krishna Pillutla (DSAI, IITM)] | | | |
11 | 10/10 (Fri) | Decentralized learning [Guest Lecture: Prof. Pranay Sharma (C-MInDS, IITB)] | | | Project Milestone 2: Progress update |
11 | 11/10 (Sat) | Make-up 2 | | | |
12 | 15/10 (Wed) | Privacy-robustness tradeoffs: Attacks on decentralized learning | A Little Is Enough: Circumventing Defenses For Distributed Learning, Analyzing federated learning through an adversarial lens | | |
12 | 17/10 (Fri) | Buffer for Module 2 | The Hidden Vulnerability of Distributed Learning in Byzantium | | End of Module 2 on Privacy |
13 | 22/10 (Wed) | Bias in ML Models | Gender Shades: Intersectional Accuracy Disparities in Commercial Gender Classification, Men Also Like Shopping: Reducing Gender Bias Amplification using Corpus-level Constraints | | Start of Module 3 on Fairness and Explainability |
13 | 24/10 (Fri) | Fairness Definitions | Tutorial: 21 fairness definitions and their politics, Fairness and machine learning, Chapter 3 | | |
14 | 29/10 (Wed) | Fair training of ML models | A Reductions Approach to Fair Classification | | |
14 | 31/10 (Fri) | Interpretability techniques: classical and modern | Understanding Black-box Predictions via Influence Functions, “Why Should I Trust You?”: Explaining the Predictions of Any Classifier | | |
15 | 05/11 (Wed) | Challenges with interpretability | Interpretation of Neural Networks is Fragile, Impossibility Theorems for Feature Attribution | | End of Module 3 on Fairness and Explainability, Guru Nanak’s Birthday (Makeup TBD) |
15 | 07/11 (Fri) | Towards responsible AI models | Fawkes: Protecting Privacy against Unauthorized Deep Learning Models, Glaze: Protecting Artists from Style Mimicry by Text-to-Image Models, Algorithmic Collective Action in Machine Learning, MultiRobustBench: Benchmarking Robustness Against Multiple Attacks | | |
Resources
Practice problems
Running list of practice questions
Supplementary Books
- Understanding Machine Learning: From Theory to Algorithms
- All of Statistics
- Mathematics for Machine Learning
- Convex Optimization: Algorithms and Complexity
- Convex Optimization
Similar Courses
- Jerry Li’s course
- Jacob Steinhardt’s course
- Scribe notes
Code repositories
- DRO
- Trusted AI Toolbox
- Cleverhans
- RobustBench
- Jailbreakbench
Other references mentioned in class
- Lecture 1: Feldman 2012, Agnostic Learning of Halfspaces is Hard, Bartlett et al., Convexity, Classification, and Risk Bounds
- Lecture 2: A Tutorial on Kernel Density Estimation and Recent Advances
Grading (Tentative)
Best 2 out of 3 exams: 40%
Final project: 40% (Project presentations will be held at mutually convenient times between 10/11/2025 and 26/11/2025)
Scribing: 10% (Scribe notes are due one week after the lecture; sign up here)
Class participation: 10%
Attendance Policy
Four unexplained absences are allowed. Any absences beyond that require instructor permission.
Accommodations
Students with disabilities and health issues should approach the instructor at any point during the semester to discuss accommodations. The course aim is to learn together and legitimate bottlenecks will be resolved collaboratively.