A Blessing in Disguise: The Prospects and Perils of Adversarial Machine Learning

Workshop at ICML 2021
July 24, 2021


Adversarial machine learning is an emerging family of techniques that study the vulnerabilities of ML approaches and detect malicious behavior in adversarial settings. An adversary can deceive an ML classifier, drastically changing its output, with perturbations to the input that are imperceptible to humans. Without being alarmist, researchers in machine learning have a responsibility to anticipate such attacks and build safeguards, especially when the task is critical for information security or human lives. We need to deepen our understanding of machine learning in adversarial environments.

While the negative implications of this nascent technology have been widely discussed, researchers in machine learning have yet to explore its positive opportunities in many respects. The positive impacts of adversarial machine learning are not limited to boosting the robustness of ML models; they cut across several other domains, including privacy protection, reliability and safety testing, model understanding, and improving generalization performance on different tasks.

Since adversarial machine learning has both positive and negative applications, steering its use in the right direction requires a framework that embraces the positives. This workshop aims to bring together researchers and practitioners from a variety of communities (e.g., machine learning, computer security, data privacy, and ethics) in an effort to synthesize promising ideas and research directions, as well as to foster and strengthen cross-community collaborations on both theoretical studies and practical applications. Unlike previous workshops on adversarial machine learning, our proposed workshop seeks to explore the prospects of the field in addition to reducing the unintended risks of sophisticated ML models.

Call for Papers

We welcome submissions on all aspects of adversarial ML, including but not limited to:

  • Adversarial / poisoning attacks against ML models
  • Adversarial defenses to improve decision robustness
  • Methods of detecting / rejecting adversarial examples
  • Model verification and certified training / inference
  • Benchmarks to reliably evaluate previous defenses
  • Theoretical understanding of adversarial ML
  • Empirical studies that help to construct practically robust systems
  • Adversarial ML in the real world
  • Robust model architectures, data augmentations, and dataset biases
  • Positive applications of the techniques in adversarial ML (e.g., privacy protection, generalization improvement, interpretable ML, transfer learning, reinforcement learning, traditional CV and NLP tasks)

We only consider submissions that have not been published in any peer-reviewed venue, including the ICML 2021 conference. We welcome submissions that are currently under review at other conferences (e.g., NeurIPS 2021). The workshop is non-archival and will not have any official proceedings. Based on the PC's recommendation, each accepted paper will be allocated either a contributed talk or a poster presentation.

Submission format: Submissions should be anonymized and follow the template. Submissions should be up to 4 pages, plus unlimited space for references and appendices.

The list of accepted papers is available at https://openreview.net/group?id=ICML.cc/2021/Workshop/AML.

Paper Awards

Best Paper Award: Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them by Florian Tramer

Adversarial for Good Award: Defending against Model Stealing via Verifying Embedded External Features by Linghui Zhu, Yiming Li, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, Xiaochun Cao

Silver Best Paper Awards (Runner-up):

(These awards are kindly sponsored by RealAI)

Important Dates
    Submission deadline: (Extended to) June 17th, 2021

    Notification to authors: June 20th, 2021

    Video recordings of contributed talks deadline: June 27th, 2021

    Camera-ready deadline: July 1st, 2021
This is the final schedule of the workshop. All slots are provided in Eastern Time (ET).

Morning Session

7:45 - 8:00 Opening Remarks -- Hang Su
8:00 - 8:30 Invited Talk #1 -- Liwei Wang ("Towards Certifying $\ell_\infty$ Robustness using Neural Networks with $\ell_\infty$-dist Neurons")
8:30 - 9:00 Invited Talk #2 -- Sven Gowal ("A Perspective on Adversarial Robustness")
9:00 - 9:05 Contributed Talk #1 -- Yiming Li ("Defending against Model Stealing via Verifying External Features")
9:05 - 9:10 Contributed Talk #2 -- Evani Radiya-Dixit ("Data Poisoning Won’t Save You From Facial Recognition")
9:10 - 9:40 Invited Talk #3 -- Matthias Hein ("Adversarial Robustness: Evaluation and Approaches beyond Adversarial Training")
9:40 - 10:10 Invited Talk #4 -- Aleksander Madry ("Robustness: Data and Features")
10:10 - 10:15 Contributed Talk #3 -- Maura Pintor ("Fast Minimum-norm Adversarial Attacks through Adaptive Norm Constraints")
10:15 - 10:20 Contributed Talk #4 -- Florian Tramer ("Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them")
10:20 - 10:50 Invited Talk #5 -- Jan Hendrik Metzen ("The Adversarial Patch Threat Model")
10:50 - 11:30 Panel Discussion #1 -- Hang Su, Matthias Hein, Liwei Wang, Sven Gowal, Jan Hendrik Metzen, Henry Liu, Yisen Wang
11:30 - 12:30 Poster Session #1

Afternoon Session

12:30 - 13:00 Invited Talk #6 -- Henry Liu ("Safety Assessment of Autonomous Vehicles with a Naturalistic and Adversarial Driving Environment")
13:00 - 13:30 Invited Talk #7 -- Nicholas Carlini ("Large Underspecified Models: Less Secure, Less Private")
13:30 - 13:35 Contributed Talk #5 -- Wan-Yi Lin ("Certified robustness against adversarial patch attacks via randomized cropping")
13:35 - 13:40 Contributed Talk #6 -- Jihoon Tack ("Consistency Regularization for Adversarial Robustness")
13:40 - 14:10 Invited Talk #8 -- Andy Banburski ("Biologically-inspired Defenses against Adversarial Attacks")
14:10 - 14:40 Invited Talk #9 -- Kamalika Chaudhuri ("Adversarial Examples and OOD Generalization")
14:40 - 14:45 Contributed Talk #7 -- Rahul Rade ("Helper-based Adversarial Training: Reducing Excessive Margin to Achieve a Better Accuracy vs. Robustness Trade-off")
14:45 - 14:50 Contributed Talk #8 -- Sandeep Silwal ("Adversarial Robustness of Streaming Algorithms through Importance Sampling")
14:50 - 15:20 Invited Talk #10 -- Cihang Xie ("Adversarial Examples IMPROVE Image Recognition")
15:20 - 15:50 Invited Talk #11 -- Will Xiao ("Adversarial Images for the Primate Brain")
15:50 - 16:30 Panel Discussion #2 -- Bo Li, Nicholas Carlini, Dawn Song, Andy Banburski, Kamalika Chaudhuri, Will Xiao, Cihang Xie
16:30 - 16:35 Contributed Talk #9 -- Keji Han ("Is It Time to Redefine the Classification Task for Deep Learning Systems?")
16:35 - 17:35 Poster Session #2

Invited Speakers

Liwei Wang

Peking University

Sven Gowal


Jan Hendrik Metzen

Bosch Center for Artificial Intelligence

Will Xiao

Harvard Medical School

Cihang Xie

UC Santa Cruz

Matthias Hein

University of Tübingen

Workshop Organizers

Hang Su

Tsinghua University

Yinpeng Dong

Tsinghua University

Tianyu Pang

Tsinghua University

Shuo Feng

University of Michigan

Henry Liu

University of Michigan

Dan Hendrycks

UC Berkeley

Francesco Croce

University of Tübingen


Please contact Hang Su, Yinpeng Dong, or Tianyu Pang if you have any questions.

Sponsored by