Publications

Research

Privacy-preserving and robust machine learning, information security and GDPR compliance, access-control policy mining, and computer-science education.

My research today centers on computer-science and machine-learning education: how to teach modern models so that students genuinely understand them, studied with the same rigor as any other experimental question. The most recent result, a classroom randomized controlled trial on bottom-up instruction, received the CER Best Paper (Global) award at SIGCSE 2026 and is paired with a hands-on tutorial you can follow yourself. This direction grew out of a decade of work below: privacy-preserving and robust machine learning with the Institute of Machine Learning, large-scale GDPR compliance analysis and access-control policy mining with the Information Security Group, and, earlier still, logic.

2026

  1. Transforming Confusion into Diffusion: Advancing Machine Learning Education via Bottom-Up Instruction

    Carlos Cotrini, Sverrir Thorgeirsson, Jesus Solano, Zhendong Su

    ACM SIGCSE Technical Symposium 2026

    • CER Best Paper (Global)
    • Conference
    • ML Education
    Abstract

    We introduce full-stack machine learning (FSML) instruction, which teaches students to build large language models and diffusion models from scratch rather than relying on high-level frameworks. In a classroom randomized controlled trial at ETH Zürich (N=208), FSML students scored about 10% higher on assessments of transformers and stable diffusion (p=0.006) and reported greater curiosity and engagement. The paper received the CER Best Paper (Global) award at SIGCSE 2026.

2025

  1. Rethinking Robustness in Machine Learning: A Posterior Agreement Approach

    João B. S. Carvalho, Víctor Jiménez Rodríguez, Alessandro Torcinovich, Antonio Emanuele Cinà, Carlos Cotrini, Lea Schönherr, Joachim M. Buhmann

    Transactions on Machine Learning Research 2025

    • Journal
    • Robust ML
    • Distribution Shift
    Abstract

    Evaluating the robustness of machine-learning models under covariate shift usually relies on task metrics such as accuracy, which lack a clear theoretical grounding. We extend Posterior Agreement theory to the covariate-shift setting and derive a principled, supervision-free robustness measure. Across adversarial-learning and domain-generalization scenarios, it discriminates robustness more reliably than accuracy-based measures.

2024

  1. S-BDT: Distributed Differentially Private Boosted Decision Trees

    Thorsten Peinemann, Moritz Kirschte, Joshua Stock, Carlos Cotrini, Esfandiar Mohammadi

    ACM Conference on Computer and Communications Security 2024

    • Conference
    • Differential Privacy
    • ML Security
    Abstract

    S-BDT is a differentially private distributed gradient-boosted decision-tree learner that improves the privacy and utility trade-off by using non-spherical multivariate Gaussian noise, with tight subsampling bounds folded into a Rényi filter for individual privacy accounting. It matches utility while saving roughly 30% to 50% in epsilon across the Abalone, Adult, and Spambase datasets, and improves further on non-IID data streams.

  2. Automated Large-Scale Analysis of Cookie Notice Compliance

    Ahmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, David A. Basin

    USENIX Security Symposium 2024

    • Conference
    • Privacy
    • Web Measurement
    Abstract

    We present the first general, automated, large-scale analysis of cookie-notice compliance. Our crawler interacts with cookie notices, reads declared processing purposes with natural-language processing, and compares them against the cookies actually set, across 97k EU-popular websites. We find that 65.4% of sites offering a rejection option likely collect user data despite explicit negative consent.

2023

  1. Invariant Anomaly Detection under Distribution Shifts: A Causal Perspective

    João B. S. Carvalho, Mengtao Zhang, Robin Geyer, Carlos Cotrini, Joachim M. Buhmann

    Neural Information Processing Systems (NeurIPS) 2023

    • Conference
    • Anomaly Detection
    • Causal Inference
    Abstract

    Anomaly detection assumes that training and test data share a distribution, which breaks under distribution shift. Using causal inference, we identify a statistical property that ensures invariant representations and derive a regularizer that promotes partial distribution invariance across environments. Across six methods and both synthetic and real tasks, it markedly improves out-of-distribution robustness under covariate and domain shift.

  2. Locality-Sensitive Hashing Does Not Guarantee Privacy! Attacks on Google's FLoC and the MinHash Hierarchy System

    Florian Turati, Karel Kubicek, Carlos Cotrini, David A. Basin

    Proceedings on Privacy Enhancing Technologies (PoPETs) 2023

    • Journal
    • Privacy
    • Attacks
    Abstract

    We attack two privacy systems built on locality-sensitive hashing: Google's FLoC advertising proposal and the MinHash Hierarchy for mobile traffic. For FLoC we deanonymize users via Sybil attacks and reconstruct 10% or more of the browsing history for 30% of users using generative adversarial networks; for MinHash we confine a user's movement to about 10% of the geographic area. Our attacks refute the claimed pre-image resistance, anonymity, and differential-privacy guarantees.

  3. Domain Generalization for Diagnosis of Pulmonary Fibrosis Using Dose-Invariant Feature Selection

    João B. S. Carvalho, Carlos Cotrini, Fabian Laumer, André Euler, Katharina Martini, Thomas Frauenfelder, Joachim M. Buhmann

    IEEE International Symposium on Biomedical Imaging (ISBI) 2023

    • Conference
    • Medical Imaging
    • Domain Generalization
    Abstract

    Deep models for diagnosing pulmonary fibrosis from CT scans lose accuracy when the radiation dose differs from training. We make the learned representations invariant to dose through feature selection, without retraining the whole network. On unseen scans recorded at a different dose, this improves the F1 score by 6% to 15% over standard methods.

2022

  1. Holistic Modeling in Medical Image Segmentation Using Spatial Recurrence

    João B. S. Carvalho, João Santinha, Djordje Miladinovic, Carlos Cotrini, Joachim M. Buhmann

    Medical Imaging with Deep Learning (MIDL) 2022

    • Conference
    • Medical Imaging
    • Segmentation
    Abstract

    Medical-image segmentation needs both local detail and a holistic view that captures long-range spatial dependencies, which the state of the art does not provide. We introduce a deep architecture endowed with spatial recurrence, using gated recurrent units that traverse the feature map directionally to enlarge each layer's receptive field and model non-adjacent pixel relationships.

  2. Checking Websites' GDPR Consent Compliance for Marketing Emails

    Karel Kubicek, Jakob Merane, Carlos Cotrini, Alexander Stremitzer, Stefan Bechtold, David A. Basin

    Proceedings on Privacy Enhancing Technologies (PoPETs) 2022

    • Journal
    • Privacy
    • GDPR
    Abstract

    Marketing emails require freely given, specific, informed, and unambiguous consent under the ePrivacy Directive and the GDPR. We design a labeling of legal characteristics for websites and emails, yielding a simple decision procedure for potential violations. Evaluating 1000 websites and the 5000 resulting emails, we find potential violations on 21.9% of sites, in the registration process (17.3%) or in email communication (17.7%).

  3. Automating Cookie Consent and GDPR Violation Detection

    Dino Bollinger, Karel Kubicek, Carlos Cotrini, David A. Basin

    USENIX Security Symposium 2022

    • Distinguished Artifact Award
    • Conference
    • Privacy
    • GDPR
    Abstract

    The GDPR requires websites to inform users about data collection and request cookie consent, yet most offer no real choice or use dark patterns. Analyzing cookie banners on nearly 30k websites, we identify six novel violation types and find at least one potential violation on 94.7% of them. We release CookieBlock, a browser extension that uses machine learning to enforce GDPR cookie consent on the client.

  4. Studierende auf den Einsatz von maschinellem Lernen vorbereiten

    Raphaël Bonvin, Joachim Buhmann, Carlos Cotrini Jimenez, Marcel Egger, Alexander Geissler, Michael Krauthammer, Christian Schirlo, Christiane Spiess, Johann Steurer, Kerstin Noëlle Vokinger, Julia Vogt

    Schweizerische Ärztezeitung 2022

    • Article
    • ML Education
    • Medicine
    Abstract

    Die Digitalisierung hat die Medizin bereits verändert und wird die ärztliche Tätigkeit weiter stark beeinflussen. Die Arbeitsgruppe «Digitalisierung der Medizin» hat deshalb Lernziele erarbeitet, damit sich angehende Ärztinnen und Ärzte bereits im Studium mit den Methoden und Einsatzmöglichkeiten des maschinellen Lernens auseinandersetzen.

2019

  1. The Next 700 Policy Miners: A Universal Method to Build Policy Miners

    Carlos Cotrini, Luca Corinzia, Thilo Weghorn, David A. Basin

    ACM Conference on Computer and Communications Security 2019

    • Conference
    • Access Control
    • Policy Mining
    Abstract

    Designing a policy miner for each access-control language has required specialized algorithms. We present Unicorn, a universal method that streamlines building policy miners for many languages, including ABAC, RBAC, RBAC with user-attribute and spatio-temporal constraints, and an expressive fragment of XACML; for the last two, no policy miner existed before. It needs only a language specification and a fitness metric.

  2. Preventing Privilege Abuse Using Policy Analysis and Policy Mining

    Carlos Cotrini

    PhD Thesis, ETH Zürich 2019

    • PhD Thesis
    • Access Control
    Abstract

    My doctoral dissertation addresses privilege abuse, where users hold more permissions than they need and systems become vulnerable to insider exploitation. It combines policy analysis and policy mining for role-based and attribute-based access control to detect and prevent overly permissive policies. Completed at the Information Security Group of ETH Zürich under the supervision of Prof. David Basin.

2018

  1. Mining ABAC Rules from Sparse Logs

    Carlos Cotrini, Thilo Weghorn, David A. Basin

    IEEE European Symposium on Security and Privacy (EuroS&P) 2018

    • Conference
    • Access Control
    • Policy Mining
    Abstract

    Access logs are sparse, recording only a fraction of possible requests, and existing ABAC mining methods then produce overly permissive rules. We define reliability, a measure of overpermissiveness, and show why confidence and entropy fail to capture it. Building on subgroup discovery and reliability, we design Rhapsody, the first ABAC mining algorithm with correctness guarantees.

2015

  1. Analyzing First-Order Role-Based Access Control

    Carlos Cotrini, Thilo Weghorn, Manuel Clavel, David A. Basin

    IEEE Computer Security Foundations Symposium (CSF) 2015

    • Conference
    • Access Control
    • Formal Methods
    Abstract

    We propose FORBAC, a first-order-logic extension of RBAC expressive enough to formalize a wide range of access-control policies, yet simple enough that relevant analysis queries stay in NP. We answer queries efficiently by reducing them to satisfiability modulo theories and using off-the-shelf SMT solvers, illustrated by a case study of a European bank.

2014

  1. Deciding Safety and Liveness in TPTL

    Carlos Cotrini, Felix Klaedtke, Eugen Zalinescu, David A. Basin

    Information Processing Letters 2014

    • Journal
    • Temporal Logic
    • Verification
    Abstract

    We show that deciding whether a TPTL formula describes a safety property is EXPSPACE-complete, and that deciding whether it describes a liveness property is in 2-EXPSPACE. Our algorithms extend Sistla's for the corresponding LTL problems to the timed setting.

  2. Primal Infon Logic with Conjunctions as Sets

    Carlos Cotrini, Yuri Gurevich, Ori Lahav, Artem Melentyev

    IFIP International Conference on Theoretical Computer Science (TCS) 2014

    • Conference
    • Logic
    • Access Control
    Abstract

    Primal infon logic is a propositional multimodal subintuitionistic logic decidable in linear time, but the replacement of equivalents fails. We introduce a version that treats conjunctions as sets and show that its derivation problem is decidable in linear expected time and quadratic worst-case time.

2013

  1. Basic Primal Infon Logic

    Carlos Cotrini, Yuri Gurevich

    Journal of Logic and Computation 2013

    • Journal
    • Logic
    Abstract

    Primal infon logic was introduced in 2009 for policy and trust management. We standardize the syntax of basic PIL, prove a small-model theorem for its propositional fragment, give a simple proof of the locality theorem, and present a linear-time decision algorithm in a form convenient for generalizations.

  2. Transitive Primal Infon Logic

    Carlos Cotrini, Yuri Gurevich

    The Review of Symbolic Logic 2013

    • Journal
    • Logic
    Abstract

    Primal infon logic includes unary "said" connectives useful for access control, but implication is not transitive. We introduce and study equiexpressive transitive extensions of propositional primal infon logic and their quote-free fragments, with Kripke semantics, soundness and completeness, small-model results, and a quadratic-time derivation algorithm.