I am an assistant professor of Computer Science at ETH Zürich. I lead the SPY Lab, and am a member of the Information Security Institute and of ZISC, and an associated faculty of the ETHZ AI Center.
My research interests lie in Computer Security, Machine Learning and Cryptography. In my current work, I study the worst-case behavior of Deep Learning systems from an adversarial perspective, to understand and mitigate long-term threats to the safety and privacy of users.
To learn more about our lab's work, see here or take a look at our blog.
My work has been featured in The Economist, Nature, Science, Communications of the ACM, Wired and the Swiss news (in french).
I received my PhD from Stanford University under the supervision of Dan Boneh. Part of my graduate studies were generously supported by the Swiss National Science Foundation and the Open Philanthropy Project. After graduating, I spent one year at Google Brain.
Email:
Office: Universitätstrasse 6, CAB F72, CH-8092 Zürich
Current group
- Daniel Paleka (PhD Student)
- Edoardo Debenedetti (PhD Student, CYD Fellowship)
- Javier Rando (PhD Student, AI Center Fellowship, co-advised by Mrinmaya Sachan)
- Michael Aerni (PhD Student)
- Jie Zhang (PhD Student)
News
- Our paper on Tight Auditing of Differentially Private Machine Learning won a distinguished paper award at USENIX Security 2023. Congrats to Milad for leading the project, and all other authors.
- Our USENIX 2021 paper on Extracting training data from large language models was selected as the runner-up for the 2023 Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies!
- We launched a lab page including a blog.
- Our paper on Red-Teaming the Stable Diffusion Safety Filter won a Best Paper Award at the NeurIPS 2022 ML Safety Workshop! Congrats to Javier, Daniel, David and Lennart.
- I spent a fantastic year at Google Brain, working (remotely) on various inference attacks, adversarial examples, memorization in language models and more.
Some of my recorded talks
Making Machine Learning FAIL (my inaugural lecture)
Does Adversarial Machine Learning Research Matter? (AdvML 2021)
Measuring and Enhancing the Security of Machine Learning (my "job talk")
Data poisoning won't save you from facial recognition (CVPR WMF)
Adversarial Examples (Machine Learning Street Talk)
Remote Side-Channel Attacks on Anonymous Cryptocurrencies (USENIX Security)
On Adaptive Attacks to Adversarial Examples Defenses (USENIX ScAINet)
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware (ICLR)