Security of Machine Learning


SemesterSummer 2024
Course typeLecture
LecturerJun.-Prof. Dr. Wressnegger
AudienceInformatik Master & Bachelor
Credits3 ECTS
Room-101 (50.34)
RegistrationTBA (registration is only necessary for the final exam)


In the winter semester 2024/25 we are going to offer a new module on "Artificial Intelligence & Security" (AISEC) with 5 TCS that merges the contents of this lecture with the one on "Machine Learning for Computer Security" (MLSEC). The new lecture thus will cover large parts of this lecture and, hence, they are mutually exclusive in our study plan.

TL;DR If you took MLSEC already go for this course (SECML), if you did not take MLSEC so far, you are better off in the AISEC course next semester.


This lecture explicitly focuses on the security of machine learning algorithms. In learning-based systems, often only average-case performances are considered to show the effectiveness of AI methods. Worse-case scenarios triggered by viciously crafted inputs, however, can be exploited by an adversary to cause devastating damage in the application area. It thus is of utmost importance to investigate, research, and know about the security properties of machine learning methods.

The module introduces students to theoretic and practical aspects of security of machine learning algorithms and methods. In the first part, we cover offensive aspects of the topic. We will learn about different attack types such as adversarial examples (both white-box and black-box) or data poisoning and explicitly address problem-space constraints. In the second part, we explicitly focus on defensive mechanisms, such as adversarial training and network pruning. Finally, we will also cover methods for explaining learning-based algorithms to assist analysis and securing of machine learning methods.

Mode of Operation

This year we are going to do a combination of remote units with on-site Q&A sessions and on-site exercises. The lecture contents are distributed via video recordings, in a way that you can learn at your own speed. Additionally, we are meeting up for discussions and Q&A at university. For more technical (hands-on) experience we also over three exercise slots. This way, we hopefully get the best from both worlds.


Mon, 15. AprilIntroductionOn-site
Bonus: Primer on Neural Networks, ,
Mon, 22. AprilAdversarial Examples, ,
Mon, 29. AprilAdversarial Training, ,
Mon, 06. MayExercisesOn-site
Mon, 13. MayBackdooring Attacks, ,
Mon, 20. MayNo lecture (Pentecost)
Mon, 27. MayGuest Lecture (TBA)On-site
Mon, 03. JuneModel StealingRemote lecture + Q&A on-site
Mon, 10. JuneMembership InferenceRemote lecture + Q&A on-site
Mon, 17. JuneExercisesOn-site
Mon, 24. JuneFoundations of XAIRemote lecture + Q&A on-site
Mon, 01. JulyConcept-based ExplanationsRemote lecture + Q&A on-site
Mon, 08. JulyAttacks against ExplanationsRemote lecture + Q&A on-site
Mon, 15. JulyExercisesOn-site
Mon, 22. JulySummary and OutlookOn-site
Mon, 5. August (10:30-12:30)Written Exam

Matrix Chat

News about the lecture, potential updates to the schedule, and additional material are distributed using the course's matrix room. Moreover, matrix enables students to discuss topics and solution approaches.

You find the link to the matrix room on ILIAS.