Publications
Research
Privacy-preserving and robust machine learning, information security and GDPR compliance, access-control policy mining, and computer-science education.
My research today centers on computer-science and machine-learning education: how to teach modern models so that students genuinely understand them, studied with the same rigor as any other experimental question. The most recent result, a classroom randomized controlled trial on bottom-up instruction, received the CER Best Paper (Global) award at SIGCSE 2026 and is paired with a hands-on tutorial you can follow yourself. This direction grew out of a decade of work below: privacy-preserving and robust machine learning with the Institute of Machine Learning, large-scale GDPR compliance analysis and access-control policy mining with the Information Security Group, and, earlier still, logic.
2026
-
Transforming Confusion into Diffusion: Advancing Machine Learning Education via Bottom-Up Instruction
ACM SIGCSE Technical Symposium 2026
Paper · Program · Hands-on tutorial
Abstract
We introduce full-stack machine learning (FSML) instruction, which teaches students to build large language models and diffusion models from scratch rather than relying on high-level frameworks. In a classroom randomized controlled trial at ETH Zürich (N=208), FSML students scored about 10% higher on assessments of transformers and stable diffusion (p=0.006) and reported greater curiosity and engagement. The paper received the CER Best Paper (Global) award at SIGCSE 2026.
2025
-
Rethinking Robustness in Machine Learning: A Posterior Agreement Approach
Transactions on Machine Learning Research 2025
Abstract
Evaluating the robustness of machine-learning models under covariate shift usually relies on task metrics such as accuracy, which lack a clear theoretical grounding. We extend Posterior Agreement theory to the covariate-shift setting and derive a principled, supervision-free robustness measure. Across adversarial-learning and domain-generalization scenarios, it discriminates robustness more reliably than accuracy-based measures.
2024
-
S-BDT: Distributed Differentially Private Boosted Decision Trees
ACM Conference on Computer and Communications Security 2024
Abstract
S-BDT is a differentially private distributed gradient-boosted decision-tree learner that improves the privacy and utility trade-off by using non-spherical multivariate Gaussian noise, with tight subsampling bounds folded into a Rényi filter for individual privacy accounting. It matches utility while saving roughly 30% to 50% in epsilon across the Abalone, Adult, and Spambase datasets, and improves further on non-IID data streams.
-
Automated Large-Scale Analysis of Cookie Notice Compliance
USENIX Security Symposium 2024
Abstract
We present the first general, automated, large-scale analysis of cookie-notice compliance. Our crawler interacts with cookie notices, reads declared processing purposes with natural-language processing, and compares them against the cookies actually set, across 97k EU-popular websites. We find that 65.4% of sites offering a rejection option likely collect user data despite explicit negative consent.
2023
-
Invariant Anomaly Detection under Distribution Shifts: A Causal Perspective
Neural Information Processing Systems (NeurIPS) 2023
Abstract
Anomaly detection assumes that training and test data share a distribution, which breaks under distribution shift. Using causal inference, we identify a statistical property that ensures invariant representations and derive a regularizer that promotes partial distribution invariance across environments. Across six methods and both synthetic and real tasks, it markedly improves out-of-distribution robustness under covariate and domain shift.
-
Locality-Sensitive Hashing Does Not Guarantee Privacy! Attacks on Google's FLoC and the MinHash Hierarchy System
Proceedings on Privacy Enhancing Technologies (PoPETs) 2023
Abstract
We attack two privacy systems built on locality-sensitive hashing: Google's FLoC advertising proposal and the MinHash Hierarchy for mobile traffic. For FLoC we deanonymize users via Sybil attacks and reconstruct 10% or more of the browsing history for 30% of users using generative adversarial networks; for MinHash we confine a user's movement to about 10% of the geographic area. Our attacks refute the claimed pre-image resistance, anonymity, and differential-privacy guarantees.
-
Domain Generalization for Diagnosis of Pulmonary Fibrosis Using Dose-Invariant Feature Selection
IEEE International Symposium on Biomedical Imaging (ISBI) 2023
Abstract
Deep models for diagnosing pulmonary fibrosis from CT scans lose accuracy when the radiation dose differs from training. We make the learned representations invariant to dose through feature selection, without retraining the whole network. On unseen scans recorded at a different dose, this improves the F1 score by 6% to 15% over standard methods.
2022
-
Holistic Modeling in Medical Image Segmentation Using Spatial Recurrence
Medical Imaging with Deep Learning (MIDL) 2022
Abstract
Medical-image segmentation needs both local detail and a holistic view that captures long-range spatial dependencies, which the state of the art does not provide. We introduce a deep architecture endowed with spatial recurrence, using gated recurrent units that traverse the feature map directionally to enlarge each layer's receptive field and model non-adjacent pixel relationships.
-
Checking Websites' GDPR Consent Compliance for Marketing Emails
Proceedings on Privacy Enhancing Technologies (PoPETs) 2022
Abstract
Marketing emails require freely given, specific, informed, and unambiguous consent under the ePrivacy Directive and the GDPR. We design a labeling of legal characteristics for websites and emails, yielding a simple decision procedure for potential violations. Evaluating 1000 websites and the 5000 resulting emails, we find potential violations on 21.9% of sites, in the registration process (17.3%) or in email communication (17.7%).
-
Automating Cookie Consent and GDPR Violation Detection
USENIX Security Symposium 2022
Abstract
The GDPR requires websites to inform users about data collection and request cookie consent, yet most offer no real choice or use dark patterns. Analyzing cookie banners on nearly 30k websites, we identify six novel violation types and find at least one potential violation on 94.7% of them. We release CookieBlock, a browser extension that uses machine learning to enforce GDPR cookie consent on the client.
-
Studierende auf den Einsatz von maschinellem Lernen vorbereiten
Schweizerische Ärztezeitung 2022
Abstract
Die Digitalisierung hat die Medizin bereits verändert und wird die ärztliche Tätigkeit weiter stark beeinflussen. Die Arbeitsgruppe «Digitalisierung der Medizin» hat deshalb Lernziele erarbeitet, damit sich angehende Ärztinnen und Ärzte bereits im Studium mit den Methoden und Einsatzmöglichkeiten des maschinellen Lernens auseinandersetzen.
2019
-
The Next 700 Policy Miners: A Universal Method to Build Policy Miners
ACM Conference on Computer and Communications Security 2019
Abstract
Designing a policy miner for each access-control language has required specialized algorithms. We present Unicorn, a universal method that streamlines building policy miners for many languages, including ABAC, RBAC, RBAC with user-attribute and spatio-temporal constraints, and an expressive fragment of XACML; for the last two, no policy miner existed before. It needs only a language specification and a fitness metric.
-
Preventing Privilege Abuse Using Policy Analysis and Policy Mining
PhD Thesis, ETH Zürich 2019
Abstract
My doctoral dissertation addresses privilege abuse, where users hold more permissions than they need and systems become vulnerable to insider exploitation. It combines policy analysis and policy mining for role-based and attribute-based access control to detect and prevent overly permissive policies. Completed at the Information Security Group of ETH Zürich under the supervision of Prof. David Basin.
2018
-
Mining ABAC Rules from Sparse Logs
IEEE European Symposium on Security and Privacy (EuroS&P) 2018
Abstract
Access logs are sparse, recording only a fraction of possible requests, and existing ABAC mining methods then produce overly permissive rules. We define reliability, a measure of overpermissiveness, and show why confidence and entropy fail to capture it. Building on subgroup discovery and reliability, we design Rhapsody, the first ABAC mining algorithm with correctness guarantees.
2015
-
Analyzing First-Order Role-Based Access Control
IEEE Computer Security Foundations Symposium (CSF) 2015
Abstract
We propose FORBAC, a first-order-logic extension of RBAC expressive enough to formalize a wide range of access-control policies, yet simple enough that relevant analysis queries stay in NP. We answer queries efficiently by reducing them to satisfiability modulo theories and using off-the-shelf SMT solvers, illustrated by a case study of a European bank.
2014
-
Deciding Safety and Liveness in TPTL
Information Processing Letters 2014
Abstract
We show that deciding whether a TPTL formula describes a safety property is EXPSPACE-complete, and that deciding whether it describes a liveness property is in 2-EXPSPACE. Our algorithms extend Sistla's for the corresponding LTL problems to the timed setting.
-
Primal Infon Logic with Conjunctions as Sets
IFIP International Conference on Theoretical Computer Science (TCS) 2014
Abstract
Primal infon logic is a propositional multimodal subintuitionistic logic decidable in linear time, but the replacement of equivalents fails. We introduce a version that treats conjunctions as sets and show that its derivation problem is decidable in linear expected time and quadratic worst-case time.
2013
-
Basic Primal Infon Logic
Journal of Logic and Computation 2013
Abstract
Primal infon logic was introduced in 2009 for policy and trust management. We standardize the syntax of basic PIL, prove a small-model theorem for its propositional fragment, give a simple proof of the locality theorem, and present a linear-time decision algorithm in a form convenient for generalizations.
-
Transitive Primal Infon Logic
The Review of Symbolic Logic 2013
Abstract
Primal infon logic includes unary "said" connectives useful for access control, but implication is not transitive. We introduce and study equiexpressive transitive extensions of propositional primal infon logic and their quote-free fragments, with Kripke semantics, soundness and completeness, small-model results, and a quadratic-time derivation algorithm.