• Negative Progress in Machine Learning Security

    ICCV Workshop on Safe and Trustworthy Multimodal AI Systems, Virtual — 19 October 2025 Slides Slides

  • Cybersecurity in the Age of LLMs

    IRISA 50th anniversary celebration, Rennes, France — 8 September 2025 Slides Slides

  • Can we hope to build a secure computer-use agent?

    CVPR Workshop on Adversarial Machine Learning on Computer Vision, Virtual — 12 June 2025 Slides Slides

  • Stealing a generative AI's secrets (responsibly)

    Foundations of Responsible Computing (FORC) – Keynote, Boston, USA — 13 June 2024 Slides Slides

    CIFAR Learning in Machines & Brains meeting, Zurich, Switzerland — 6 May 2024

    Huawei STW, Virtual — 25 April 2024

    NYU, New York, USA — 12 April 2024

  • Un-aligning Large Language Models

    EPFL Applied Machine Learning Days, Lausanne, Switzerland — 26 March 2024 Slides Slides

  • Universal jailbreak backdoors from poisoned human feedback

    NeurIPS Workshop on Backdoors in Deep Learning, Virtual — 15 December 2023 Slides Slides

  • Privacy Side-channels in Machine Learning Systems

    NeurIPS Workshop on Privacy Preserving Federated Learning Document VQA, Virtual — 15 December 2023 Slides Slides

  • Attacking Machine Learning Systems

    ICCV Workshop on Adversarial Robustness In the Real World, Virtual — 3 October 2023 Slides Slides

  • Is anything really OOD anymore?

    ICCV Workshop on Out Of Distribution Generalization in Computer Vision, Virtual — 3 October 2023 Slides Slides

  • Poisoning Web-Scale Training Datasets is Practical

    MLSys Workshop on Decentralized and Collaborative Learning, Virtual — 8 June 2023 Slides Slides

    ZISC Seminar, Zurich, Switzerland — 23 March 2023

    Université du Luxembourg, Luxembourg — 21 June 2023

  • Making machine learning fail

    ETH Zurich inaugural lecture, Zurich, Switzerland — 21 February 2023 Slides Slides Video

  • Generative models have the memory of an elephant

    Sony, Zurich, Switzerland — 7 November 2023 Slides Slides

    Facebook, Virtual — 22 March 2023

    Microsoft, Virtual — 28 February 2023

    University of St. Gallen, Switzerland — 23 February 2023

    AAAI Workshop on Practical Deep Learning in the Wild, Virtual — 14 February 2023

  • Measuring privacy leakage in neural networks

    ZISC Seminar, Zurich, Switzerland — 17 November 2022 Slides Slides

  • Machine Learning to the Rescue: Risks and Opportunities

    Cyber-Defence Campus Conference, Bern, Switzerland — 26 October 2022 Slides Slides

  • A Tour of Adversarial Machine Learning

    ETHZ Open Port, Zurich, Switzerland — 12 October 2022 Slides Slides

  • Detecting Adversarial Examples Is (Nearly) As Hard As Classifying Them

    ICML, Virtual — 19 July 2022 Slides Slides

  • Why you should treat your ML defense like a theorem

    Machine Learning Security Seminar Series, Virtual — 7 July 2022 Slides Slides Video

  • From average-case to worst-case privacy leakage in neural networks

    Privacy and Security in ML Seminars, Virtual — 20 April 2022 Slides Slides Video

  • When not to use adversarial examples

    AAAI 2022 Workshop on Adversarial Machine Learning and Beyond, Virtual — 28 February 2022 Slides Slides

  • Breaking and safeguarding privacy in machine learning

    CS356 Topics in Computer and Network Security (guest lecture), Virtual — 16 February 2022 Slides Slides

    Boston University security seminar, Virtual — 9 February 2022

  • Security and privacy in machine learning

    ETH Information Security Lab (guest lecture), Virtual — 20 December 2021 Slides Slides

  • Does Adversarial Machine Learning Research Matter?

    KDD 2021 Workshop on Adversarial Machine Learning, Virtual — 15 August 2021 Slides Slides Video

  • Data Poisoning Won't Save You From Facial Recognition

    CVPR 2021 workshop on media forensics — 19 June 2021 Slides Slides Video

  • What is (and isn't) Private Learning?

    Boston-area DP seminar, Virtual — 16 April 2021 Slides Slides

    ITASEC workshop on AI for security and security of AI, Virtual — 7 April 2021

  • Measuring and Enhancing the Security of Machine Learning

    Stanford (PhD dissertation defense), Virtual — 20 April 2020 Slides Slides

    University of Toronto, Virtual — 18 March 2021 Slides Slides

    University of Waterloo, Virtual — 16 March 2021

    Facebook Research, Virtual — 15 March 2021

    Aarhus University, Virtual — 11 March 2021

    Google Brain, Virtual — 10 March 2021

    ETH Zürich, Virtual — 9 March 2021

    CISPA, Virtual — 3 March 2021

    Max Plank Institute, Virtual — 24 February 2021

    Microsoft Research, Virtual — 18 February 2021

    Ruhr University Bochum, Virtual — 8 February 2021

    EPFL, Virtual — 1 February 2021

  • Differentially Private Learning Needs Better Features

    Google Algorithms seminar, Virtual — 8 April 2021 Slides Slides

    Apple, Virtual — 15 January 2021

    Stanford Security Lunch, Virtual — 13 January 2021

  • Don't use Computer Vision for Web Security

    CS356 Topics in Computer and Network Security (guest lecture), Virtual — 26 October 2020

    CV-COPS (ECCV Workshop), Virtual — 28 August 2020 Slides Slides Video

  • On Adaptive Attacks to Adversarial Example Defenses

    USENIX ScAINet, Virtual — 10 August 2020 Slides Slides Video

    Stanford Security Lunch, Virtual — 6 May 2020

  • Remote Side-Channel Attacks on Anonymous Transactions

    USENIX Security, Virtual — 14 August 2020 Slides Slides Video

    Stanford Blockchain Conference, Stanford, CA — 19 February 2020

    Stanford Security Lunch, Stanford, CA — 4 December 2019

  • Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations

    ICML, Virtual — 15 July 2020 Slides Slides Video

  • Limitations of Threat Modeling in Adversarial Machine Learning

    EPFL, Lausanne, Switzerland — 19 December 2019 Slides Slides

  • Developments in Adversarial Machine Learning

    ETH ZISC Seminar, Zürich, Switzerland — 19 September 2019 Slides Slides

  • Adversarial Training and Robustness for Multiple Perturbations

    NeurIPS Spotlight, Vancouver, Canada — 12 December 2019 Slides Slides Video

    Stanford Security Lunch, Stanford, CA — 22 May 2019 Slides Slides

  • AdVersarial: Defeating Perceptual Ad-Blocking with Adversarial Examples

    CCS, London, UK — 14 November 2019 Slides Slides

    Hughes network systems, Germantown, MD — 8 October 2019

    ETHZ, Zürich, Switzerland — 10 September 2019

    Stanford Computer Forum Annual Meeting, Stanford, CA — 8 April 2019 Video

    Palo Alto Networks, Palo Alto, CA — 22 February 2019

    Ad-Blocking Developer Summit, San Francsisco, CA — 14 November 2018

  • A Tour of Machine Learning Security

    Intel, Santa Clara, CA — 30 August 2018 Slides Slides

    CISPA, Saarland, Germany — 6 August 2018

  • Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware

    ICLR, New Orleans, LO — 7 May 2019 Slides Slides Video

    Intel, Santa Clara, CA — 30 August 2018

    Stanford Security Lunch, Stanford, CA — 13 June 2018

  • What's next for Adversarial ML? And why Adblockers should care

    EPFL, Lausanne, Switzerland — 9 July 2018 Slides Slides

  • Security for Smart Contracts

    CS359B Designing Decentralized Applications on Blockchain (guest lecture), Stanford, CA — 23 May 2018 Slides Slides

  • Integrity and Confidentiality for Machine Learning

    CS521 Seminar on AI Safety (guest lecture), Stanford, CA — 19 April 2018 Slides Slides

  • GasToken: A Journey Through Blockchain Resource Arbitrage

    Crypto Economics Security Conference (CESC), San Francisco, CA — 11 October 2018 Slides Slides

    MIT Bitcoin Expo, Boston, MA — 18 March 2018

  • Enter the Hydra: Towards Principled Bug Bounties and Exploit-Resistant Smart Contracts

    BPASE, Stanford, CA — 24 January 2018 Slides Slides

    Stanford Security Lunch, Stanford, CA — 4 October 2017

  • Ensemble Adversarial Training

    Stanford Innovative Technology Leader program, Stanford, CA — 22 January 2018 Slides Slides

    Facebook, Menlo Park, CA — 15 December 2017

    Cybersecurity with the Best — 15 October 2017

    IBM Research, Yorktown Heights, NY — 7 August 2017

    Berkeley Security Seminar, Berkeley, CA — 12 June 2017

    Stanford Security Lunch, Stanford, CA — 17 May 2017

  • Formal Abstractions for Attested Execution Secure Processors

    EUROCRYPT, Paris, France — 1 May 2017 Slides Slides

  • Sealed-Glass Proofs

    EuroS&P, Paris, France — 26 April 2017 Slides Slides

    Stanford Security Lunch, Stanford, CA — 8 February 2017

  • FairTest: Discovering Unwarranted Associations in Data-Driven Applications

    EuroS&P, Paris, France — 28 April 2017 Slides Slides

    MLCONF, Seattle, WA — 20 May 2016

  • Stealing Machine Learning Models via Prediction APIs

    Usenix Security, Austin, TX — 11 August 2016 Slides Slides Video

  • Differential Privacy with Bounded Priors

    CCS, Denver, CO — 15 October 2015 Slides Slides

  • Better Algorithms for LWE and LWR

    EUROCRYPT, Sofia, Bulgaria — 27 April 2015 Slides Slides