Nicolas Papernot

I am an Assistant Professor at the University of Toronto, in the Department of Electrical and Computer Engineering and the Department of Computer Science. I am also a faculty member at the Vector Institute where I hold a Canada CIFAR AI Chair, and a faculty affiliate at the Schwartz Reisman Institute. In 2022, I was named an Alfred P. Sloan Research Fellow in Computer Science.

My research interests are at the intersection of security, privacy, and machine learning. If you would like to learn more about my research, I recommend reading the blog posts I co-authored on cleverhans.io, for example about proof-of-learning, collaborative learning beyond federation, dataset inference, machine unlearning, differentially private ML, or adversarial examples.

My research has been cited in the press, including the New York Times, Popular Science, and Wired. I currently serve as an Associate Chair of the IEEE Symposium on Security and Privacy. I earned my Ph.D. in Computer Science and Engineering at the Pennsylvania State University, working with Prof. Patrick McDaniel and supported by a Google PhD Fellowship. Upon graduating, I spent a year at Google Brain where I still spend some of my time.

Email: [email protected]

Office: Pratt 484E and MaRS Suite 710

Mail/Packages: 10 King's College Road, Room SFB540, Toronto, ON M5S 3G4, Canada

CV » Blog » Twitter » Google Scholar »

I am excited to share that Patrick McDaniel and I have been working with IEEE to establish the IEEE Conference on Secure and Trustworthy Machine Learning (SaTML). The deadlines for submitting papers to this first edition of the SaTML conference are:

Abstract submission deadline: August 22, 2022 (AoE)
Paper submission deadline: September 1, 2022 (AoE)

The SaTML conference will focus on the theoretical and practical understandings of vulnerabilities inherent to ML systems, explore the robustness of ML algorithms and systems, and aid in developing a unified, coherent scientific community which aims to build trustworthy ML systems. More details can be found in the Call For Papers (CFP) on our website: satml.org

Selected publications

A complete list of publications is available in my CV.

2022

Unrolling SGD: Understanding Factors Influencing Machine Unlearning. Anvith Thudi, Gabriel Deza, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 7th IEEE European Symposium on Security and Privacy, Genoa, Italy. conference
On the Necessity of Auditable Algorithmic Definitions for Machine Unlearning. Anvith Thudi, Hengrui Jia, Ilia Shumailov, Nicolas Papernot. Proceedings of the 31st USENIX Security Symposium. conference
Increasing the Cost of Model Extraction with Calibrated Proof of Work. Adam Dziedzic, Muhammad Ahmad Kaleem, Yu Shen Lu, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference (+spotlight)
A Zest of LIME: Towards Architecture-Independent Model Distances. Hengrui Jia, Hongyu Chen, Jonas Guan, Ali Shahin Shamsabadi, Nicolas Papernot. Proceedings of the 10th International Conference on Learning Representations. conference
Hyperparameter Tuning with Renyi Differential Privacy. Nicolas Papernot, Thomas Steinke. Proceedings of the 10th International Conference on Learning Representations. conference (+outstanding paper award)
Is Fairness Only Metric Deep? Evaluating and Addressing Subgroup Gaps in Deep Metric Learning. Natalie Dullerud, Karsten Roth, Kimia Hamidieh, Nicolas Papernot, Marzyeh Ghassemi. Proceedings of the 10th International Conference on Learning Representations. conference
Bad Character Injection: Imperceptible Attacks on NLP Models. Nicholas Boucher, Ilia Shumailov, Ross Anderson, Nicolas Papernot. Proceedings of the 43rd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
Towards More Robust Keyword Spotting for Voice Assistants. Shimaa Ahmed, Ilia Shumailov, Nicolas Papernot, Kassem Fawaz. Proceedings of the 31st USENIX Security Symposium. conference

2021

When the Curious Abandon Honesty: Federated Learning Is Not Private. Franziska Boenisch, Adam Dziedzic, Roei Schuster, Ali Shahin Shamsabadi, Ilia Shumailov, Nicolas Papernot. preprint
SoK: Machine Learning Governance. Varun Chandrasekaran, Hengrui Jia, Anvith Thudi, Adelin Travers, Mohammad Yaghini, Nicolas Papernot. preprint
Manipulating SGD with Data Ordering Attacks. Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, Ross Anderson. Proceedings of the 35th Conference on Neural Information Processing Systems. conference
Data-Free Model Extraction. Jean-Baptiste Truong, Pratyush Maini, Robert Walls, Nicolas Papernot. Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN. conference
Proof-of-Learning: Definitions and Practice. Hengrui Jia, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Anvith Thudi, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
Entangled Watermarks as a Defense against Model Extraction. Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 30th USENIX Security Symposium. conference
Sponge Examples: Energy-Latency Attacks on Neural Networks. Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, Ross Anderson. Proceedings of the 6th IEEE European Symposium on Security and Privacy, Vienna, Austria. conference
CaPC Learning: Confidential and Private Collaborative Learning. Christopher A. Choquette-Choo, Natalie Dullerud, Adam Dziedzic, Yunxiang Zhang, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings of the 9th International Conference on Learning Representations. conference
Dataset Inference: Ownership Resolution in Machine Learning. Pratyush Maini, Mohammad Yaghini, Nicolas Papernot. Proceedings of the 9th International Conference on Learning Representations. conference (+spotlight)
Chasing Your Long Tails: Differentially Private Prediction in Health Care Settings. Vinith Suriyakumar, Nicolas Papernot, Anna Goldenberg, Marzyeh Ghassemi. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency. conference
Machine Unlearning. Lucas Bourtoule, Varun Chandrasekaran, Christopher A. Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference

2020 & earlier

Thieves of Sesame Street: Model Extraction on BERT-based APIs. Kalpesh Krishna, Gaurav Singh Tomar, Ankur P. Parikh, Nicolas Papernot, Mohit Iyyer. Proceedings of the 8th International Conference on Learning Representations, Addis Ababa, Ethiopia. conference
Analyzing and Improving Representations with the Soft Nearest Neighbor Loss. Nicholas Frosst, Nicolas Papernot, Geoffrey Hinton. Proceedings of the 36th International Conference on Machine Learning, Long Beach, CA. conference
Deep k-Nearest Neighbors: Towards Confident, Interpretable and Robust Deep Learning. Nicolas Papernot and Patrick McDaniel. technical report
Scalable Private Learning with PATE. Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, Ulfar Erlingsson. Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada. conference
Towards the Science of Security and Privacy in Machine Learning. Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. Proceedings of the 3rd IEEE European Symposium on Security and Privacy, London, UK. conference
Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data. Nicolas Papernot, Martin Abadi, Ulfar Erlingsson, Ian Goodfellow, and Kunal Talwar. Proceedings of the 5th International Conference on Learning Representations, Toulon, France. conference (+best paper)
Practical Black-Box Attacks against Machine Learning. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z.Berkay Celik, and Ananthram Swami. Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Abu Dhabi, UAE. conference
Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. technical report
The Limitations of Deep Learning in Adversarial Settings. Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. Proceedings of the 1st IEEE European Symposium on Security and Privacy, Saarbrucken, Germany. conference

Research group

Current students and postdocs

Mark Thomas: Research Intern (Summer 2022)
Avital Shafran: Research Intern (Summer 2022)
Thorsten Eisenhofer: Research Intern (Summer 2022)
Yannis Cattan: Research Intern (Summer 2022)
Roei Schuster: Postdoctoral Fellow (started Fall 2021)
Ilia Shumailov: Postdoctoral Fellow (started Fall 2021, co-advised with Kassem Fawaz)
Aditi Misra: Engineering Science student (started Fall 2021)
Hongyu (Charlie) Chen: Engineering Science student (Fall 2021 - Summer 2022)
Sierra Wyllie: Engineering Science student (started Summer 2021)
Muhammad Ahmad Kaleem: Engineering Science student (started Summer 2021)
Armin Ale: Engineering Science student (Summer 2021 - Fall 2022)
Emmy Fang: MS student (started Fall 2021, co-advised with Bo Wang) DeepMind Scholar
Anvith Thudi: Mathematics Specialist Undergraduate student (started Fall 2020)
Adam Dziedzic: Postdoctoral Fellow (started Fall 2020)
Mohammad Yaghini: PhD student (started Fall 2020) Meta PhD Fellow
Natalie Dullerud: MS student (started Fall 2020)
Stephan Rabanser: PhD student (started Fall 2020)
Jonas Guan: PhD student (started Fall 2020)
Jiaqi Wang: MASc student (started Fall 2020, co-advised with David Lie)
Nick Jia: PhD student (started Fall 2020)
Mingyue Yang: PhD student (started Winter 2020, co-advised with David Lie)

Past students and postdocs

Franziska Boenisch: Research Intern (Summer 2021 - Spring 2022) currently Research Associate at Fraunhofer AISEC
Aisha Alaagib: Research Intern (Summer 2021) currently PhD student at MILA
Ali Shahin Shamsabadi: Research Intern (Winter 2021 - Fall 2021) currently Research Associate at the Turing Institute
Steven Xia: Undergraduate student (Fall 2020 - Summer 2021, co-advised with Shurui Zhou) currently PhD student at UIUC
Jin Zhou: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at Cornell
Lucy Lu: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at Stanford
Marko Huang: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at University of Toronto
Gabriel Deza: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at UC Berkeley
Tejumade Afonja: Research Intern (Summer 2020) currently MS student at Saarland University
Milad Nasr: Google Brain Intern (Summer 2020, co-hosted with Nicholas Carlini) currently PhD student at UMass
Lorna Licollari: Research Intern (Summer 2020) currently Engineering Science student at University of Toronto
Pratyush Maini: Research Intern (Summer 2020) currently PhD student at CMU
Yunxiang Zhang: Research Intern (Spring 2020) currently PhD student at Chinese University of Hong Kong
Saina Asani: Research Assistant (Winter 2020 - Summer 2020) currently AI Researcher at Huawei
Laura Zhukas: Undergraduate Student Researcher (Fall 2019) currently BASc student at the University of Waterloo
Christopher Choquette-Choo: Engineering Science student (Fall 2019 - Summer 2020) currently Google AI Resident
Baiwu Zhang: MEng student (Fall 2019 - Summer 2020) currently ML Engineer at Twitter
Varun Chandrasekaran: Visiting PhD student (Fall 2019) currently PhD student at University of Wisconsin
Vinith Suriyakumar: MS student (Fall 2019 - Summer 2021, co-advised with M. Ghassemi and A. Goldenberg) currently PhD student at MIT
Lucas Bourtoule: MASc student (started Fall 2019) currently Data Scientist at Total Energies
Adelin Travers: PhD student (Fall 2019 - Summer 2021, co-advised with David Lie) currently Senior Pentester at Verizon
Hadi Abdullah: Google Intern (Summer 2019, co-hosted with Damien Octeau) currently PhD student at University of Florida
Matthew Jagielski: Google Brain intern (Summer 2019) currently PhD student at Northeastern University

Information for prospective graduate students and postdocs

If you are interested in joining my research group as a graduate student, apply to the CS or ECE (select "software systems" field) program. Unfortunately, I cannot respond to all prospective graduate students, so the best time is to contact me after you submitted your application.
If you are interested in joining my research group as a postdoc, please send me an email directly with your CV and research statement.

Research Talks

Upcoming

Here is a list of talks I will be giving. Feel free to reach out if you will be attending one of these events and would like to meet.

6/2022 - 35th Canadian Conference on AI keynote

Past Recorded Talks

These video resources are a good overview of my research interests.

Tempered Sigmoids for DP-SGD

Trustworthy ML

Deepfakes

Lecture on ML security and privacy

Privacy-preserving ML

Adversarial examples

Blog Posts

Here is a list of blog posts discussing some of the research questions I'm interested in:

Teaching

[Fall 2021] ECE1784H/CSC2559H: Trustworthy Machine Learning
[Fall 2021] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2020] ECE421H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
[Winter 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
[Fall 2019] ECE1784H: Trustworthy Machine Learning