I am an assistant professor of Computer Science at ETH Zürich. I am a member of the Information Security Institute and of ZISC, and an associated faculty of the ETHZ AI Center.
My research interests lie in Computer Security, Machine Learning and Cryptography. In my current work, I study the worst-case behavior of Deep Learning systems from an adversarial perspective, to understand and mitigate long-term threats to the safety and privacy of users.
I received my PhD from Stanford University under the supervision of Dan Boneh. Part of my graduate studies were generously supported by the Swiss National Science Foundation and the Open Philanthropy Project. After graduating, I spent one year at Google Brain.
Email:
Office: Universitätstrasse 6, CAB E79, CH-8092 Zürich
Current group
- Daniel Paleka (PhD Student, 2022)
- Edoardo Debenedetti (PhD Student, 2022)
News
- Our paper on Red-Teaming the Stable Diffusion Safety Filter won a Best Paper Award at the NeurIPS 2022 ML Safety Workshop! Congrats to Javier, Daniel, David and Lennard.
- I spent a fantastic year at Google Brain, working (remotely) on various inference attacks, adversarial examples, memorization in language models and more.
- I gave an invited talk, When not to use adversarial examples, at the AAAI 2022 workshop on Adversarial Machine Learning and Beyond.
- I defended my PhD thesis "Measuring and Enhancing the Security of Machine Learning".
- I'm exicted to have been selected as one of the two inaugural AdvML Rising Star Awards sponsored by the MIT-IBM AI Watson Lab. I gave a 30min award presentation which you can find here: Does Adversarial Machine Learning Research Matter?.
Some of my recorded talks
Does Adversarial Machine Learning Research Matter? (AdvML 2021)
Measuring and Enhancing the Security of Machine Learning (my "job talk")
Adversarial Examples (Machine Learning Street Talk)
Remote Side-Channel Attacks on Anonymous Cryptocurrencies (USENIX Security)
On Adaptive Attacks to Adversarial Examples Defenses (USENIX ScAINet)
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware (ICLR)