Creating reliable, secure, robust, and fair machine learning models is a core challenge in artificial intelligence and one of fundamental importance. The goal of the course is to teach both the mathematical foundations of this new and emerging area as well as to introduce students to the latest and most exciting research in the space. To facilitate deeper understanding, the course includes a group project where students build a system based on the learned material.

The course is split into 4 parts:

Robustness of Machine Learning

  • Adversarial attacks and defenses on deep learning models.
  • Automated certification of deep learning models (major trends: convex relaxations, branch-and-bound, randomized smoothing).
  • Certified training of deep neural networks (combining symbolic and continuous methods).

Privacy of Machine Learning

  • Threat models (e.g., stealing data, poisoning, membership inference, etc.).
  • Attacking federated machine learning (across vision, natural language and tabular data).
  • Differential privacy for defending machine learning.
  • AI Regulations and checking model compliance.

Fairness of Machine Learning

  • Introduction to fairness (motivation, definitions).
  • Enforcing individual fairness (for both vision and tabular data).
  • Enforcing group fairness (e.g., demographic parity, equalized odds).

Robustness, Privacy and Fairness of Foundation Models

  • We discuss all previous topics, as well as programmability, in the context of latest foundation models (e.g., LLMs).


Use your NETHZ account to access the files.

Date Content Slides Exercises Solutions
Sep 20 Course Introduction PDF PDF
Sep 27 Adversarial Attacks and Defenses PDF PDF PDF PDF PDF
Oct 04 Neural Network Certification: Box Relaxation, MILP PDF PDF PDF PDF PDF PDF
Oct 11 DeepPoly, Branch and Bound PDF PDF PDF PDF
Oct 18 Certified Defenses, Connecting Cert. and Adv. Training PDF PDF PDF PDF PDF* PDF*
Oct 25 Project Introduction, Guest Lecture PDF (Project Q&A)
Nov 1 Randomized Smoothing for Robustness PDF PDF PDF
Nov 8 Introduction to Privacy, Federated Learning Attacks PDF PDF PDF PDF PDF
Nov 15 Differential Privacy PDF PDF PDF
Nov 22 AI Regulations and Synthetic Data PDF PDF PDF PDF
Nov 29 Incorporating Logic into Deep Learning PDF PDF PDF
Dec 6 Introduction to Fairness, Individual Fairness PDF PDF PDF PDF
Dec 13 Group Fairness PDF PDF * PDF PDF * PDF
Dec 20 LLM Research: Overview, Safety, Privacy PDF
* has been updated after initial publication.


All lecture recordings from this year will be available on the ETH video portal, in the same way as the recordings from 2022. Another useful resource is our Youtube playlist of lecture recordings from 2020. However, note that several new topics have been introduced to the course since then.

Course project

The project description is on these slides. The project release (template code, networks, test cases) is available here.

Previous Exams

Previous exams (formerly, this course was named "Reliable and Interpretable Artificial Intelligence") are available in the exam collection of the student association (VIS).

Course Organization


  • The lecture will take place physically in room HG G3, but will be recorded.
  • For additional questions, we have prepared a Moodle forum.


  • Every week, we will publish an exercise sheet and its solutions on this page, by Thursday evening.
  • The exercise session will consist of a discussion of selected exercises (potentially not all exercises). On demand, the teaching assistant can also discuss questions on specific exercises brought up by students.
  • Some exercise sessions will also discuss prerequisites for the course. The material covered in these sessions will be available online. This will definitively be the case in the first exercise on Sep 25/27. For other exercise sessions, we will announce by mail if they discuss prerequisites.
  • Attending the exercise sessions is optional. We will not cover additional material in the exercise sessions, except for prerequisites (see above). Therefore, we will also not record the exercise sessions.
  • We strongly recommend to solve the exercises before next week's exercise session, and before looking at the solutions. The style of the exam will be similar to the exercises, so first-hand experience solving exercises is critical.
  • For additional questions, we have prepared a Moodle forum.
  • In case there is not enough material to cover the full exercise session, we will stop it early.
  • There is no need to attend both exercise sessions, as their contents will be equivalent.


All communication (like special announcements) will be sent out by e-mail.


For students who would like to brush up on the basics of machine learning used in this course, we recommend