Nicolas Papernot
I am an Assistant Professor in the Department of Electrical and Computer Engineering and the Department of Computer Science at the University of Toronto. I am also a faculty member at the Vector Institute where I hold a Canada CIFAR AI Chair, and a faculty affiliate at the Schwartz Reisman Institute.
My research interests are at the intersection of security, privacy, and machine learning. If you would like to learn more about my research, I recommend reading the blog posts I co-authored on cleverhans.io, for example about machine unlearning, differentially private ML, or adversarial examples.
I earned my Ph.D. in Computer Science and Engineering at the Pennsylvania State University, working with Prof. Patrick McDaniel and supported by a Google PhD Fellowship. Upon graduating, I spent a year at Google Brain in Úlfar Erlingsson's group.
Email: [email protected]
Office: Pratt 484E
Mail/Packages: 10 King's College Road, Room SFB540, Toronto, ON M5S 3G4, Canada
Selected publications
A complete list of publications is available in my CV.
- Markpainting: Adversarial Machine Learning meets Inpainting. David Khachaturov, Ilia Shumailov, Yiren Zhao, Nicolas Papernot, Ross Anderson. Proceedings of the 38th International Conference on Machine Learning. conference
- Label-Only Membership Inference Attacks. Christopher A. Choquette Choo, Florian Tramer, Nicholas Carlini, Nicolas Papernot. Proceedings of the 38th International Conference on Machine Learning. conference
- Manipulating SGD with Data Ordering Attacks. Ilia Shumailov, Zakhar Shumaylov, Dmitry Kazhdan, Yiren Zhao, Nicolas Papernot, Murat A. Erdogdu, Ross Anderson. preprint
- Data-Free Model Extraction. Jean-Baptiste Truong, Pratyush Maini, Robert Walls, Nicolas Papernot. Proceedings of the 2021 IEEE/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN. conference
- Proof-of-Learning: Definitions and Practice. Hengrui Jia, Mohammad Yaghini, Christopher A. Choquette-Choo, Natalie Dullerud, Anvith Thudi, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
- Entangled Watermarks as a Defense against Model Extraction. Hengrui Jia, Christopher A. Choquette-Choo, Varun Chandrasekaran, Nicolas Papernot. Proceedings of the 30th USENIX Security Symposium. conference
- Sponge Examples: Energy-Latency Attacks on Neural Networks. Ilia Shumailov, Yiren Zhao, Daniel Bates, Nicolas Papernot, Robert Mullins, Ross Anderson. Proceedings of the 6th IEEE European Symposium on Security and Privacy, Vienna, Austria. conference
- CaPC Learning: Confidential and Private Collaborative Learning. Christopher A. Choquette-Choo, Natalie Dullerud, Adam Dziedzic, Yunxiang Zhang, Somesh Jha, Nicolas Papernot, Xiao Wang. Proceedings of the 9th International Conference on Learning Representations. conference
- Dataset Inference: Ownership Resolution in Machine Learning. Pratyush Maini, Mohammad Yaghini, Nicolas Papernot. Proceedings of the 9th International Conference on Learning Representations. conference (+spotlight)
- Chasing Your Long Tails: Differentially Private Prediction in Health Care Settings. Vinith Suriyakumar, Nicolas Papernot, Anna Goldenberg, Marzyeh Ghassemi. Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency. conference
- Adversary Instantiation: Lower bounds for differentially private machine learning. Milad Nasr, Shuang Song, Abhradeep Guha Thakurta, Nicolas Papernot, Nicholas Carlini. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
- Tempered Sigmoids for Deep Learning with Differential Privacy. Nicolas Papernot, Abhradeep Thakurta, Shuang Song, Steve Chien, Ulfar Erlingsson. Proceedings of the 35th AAAI Conference on Artificial Intelligence. conference
- Neighbors From Hell: Voltage Attacks Against Deep Learning Accelerators on Multi-Tenant FPGAs. Andrew Boutros, Mathew Hall, Nicolas Papernot, Vaughn Betz. Proceedings of the 2020 International Conference on Field-Programmable Technology. conference
- Machine Unlearning. Lucas Bourtoule, Varun Chandrasekaran, Christopher Choquette-Choo, Hengrui Jia, Adelin Travers, Baiwu Zhang, David Lie, Nicolas Papernot. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
- SoK: The Faults in our ASRs: An Overview of Attacks against Automatic Speech Recognition and Speaker Identification Systems. Hadi Abdullah, Kevin Warren, Vincent Bindschaedler, Nicolas Papernot, Patrick Traynor. Proceedings of the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA. conference
- Fundamental Tradeoffs between Invariance and Sensitivity to Adversarial Perturbations. Florian Tramer, Jens Behrmann, Nicholas Carlini, Nicolas Papernot, Jorn-Henrik Jacobsen. Proceedings of the 37th International Conference on Machine Learning, Vienna, Austria. conference
- Thieves of Sesame Street: Model Extraction on BERT-based APIs. Kalpesh Krishna, Gaurav Singh Tomar, Ankur P. Parikh, Nicolas Papernot, Mohit Iyyer. Proceedings of the 8th International Conference on Learning Representations, Addis Ababa, Ethiopia. conference
- High Accuracy and High Fidelity Extraction of Neural Networks. Matthew Jagielski, Nicholas Carlini, David Berthelot, Alex Kurakin, Nicolas Papernot. Proceedings of the 29th USENIX Security Symposium. Boston, MA. conference
- How Relevant Is the Turing Test in the Age of Sophisbots?. Dan Boneh, Andrew J. Grotto, Patrick McDaniel, Nicolas Papernot. IEEE Security and Privacy Magazine. invited
- MixMatch: A Holistic Approach to Semi-Supervised Learning. David Berthelot, Nicholas Carlini, Ian Goodfellow, Nicolas Papernot, Avital Oliver, Colin Raffel. Proceedings of the 33rd Conference on Neural Information Processing Systems, Vancouver, Canada. conference
- Analyzing and Improving Representations with the Soft Nearest Neighbor Loss. Nicholas Frosst, Nicolas Papernot, Geoffrey Hinton. Proceedings of the 36th International Conference on Machine Learning, Long Beach, CA. conference
- Deep k-Nearest Neighbors: Towards Confident, Interpretable and Robust Deep Learning. Nicolas Papernot and Patrick McDaniel. technical report
- Scalable Private Learning with PATE. Nicolas Papernot, Shuang Song, Ilya Mironov, Ananth Raghunathan, Kunal Talwar, Ulfar Erlingsson. Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada. conference
- Ensemble Adversarial Training: Attacks and Defenses. Florian Tramer, Alexey Kurakin, Nicolas Papernot, Ian Goodfellow, Dan Boneh, Patrick McDaniel. Proceedings of the 6th International Conference on Learning Representations, Vancouver, Canada. conference
- Towards the Science of Security and Privacy in Machine Learning. Nicolas Papernot, Patrick McDaniel, Arunesh Sinha, and Michael Wellman. Proceedings of the 3rd IEEE European Symposium on Security and Privacy, London, UK. conference
- Semi-supervised Knowledge Transfer for Deep Learning from Private Training Data. Nicolas Papernot, Martin Abadi, Ulfar Erlingsson, Ian Goodfellow, and Kunal Talwar. Proceedings of the 5th International Conference on Learning Representations, Toulon, France. conference (+best paper)
- Practical Black-Box Attacks against Machine Learning. Nicolas Papernot, Patrick McDaniel, Ian Goodfellow, Somesh Jha, Z.Berkay Celik, and Ananthram Swami. Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security, Abu Dhabi, UAE. conference
- Transferability in Machine Learning: from Phenomena to Black-Box Attacks using Adversarial Samples. Nicolas Papernot, Patrick McDaniel, and Ian Goodfellow. technical report
- Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks. Nicolas Papernot, Patrick McDaniel, Xi Wu, Somesh Jha, and Ananthram Swami. Proceedings of the 37th IEEE Symposium on Security and Privacy, San Jose, CA. conference
- The Limitations of Deep Learning in Adversarial Settings. Nicolas Papernot, Patrick McDaniel, Somesh Jha, Matt Fredrikson, Z. Berkay Celik, and Ananthram Swami. Proceedings of the 1st IEEE European Symposium on Security and Privacy, Saarbrucken, Germany. conference
Research group
Current students and postdocs
- Hongyu (Charlie) Chen: Engineering Science student (Fall 2021 - Summer 2022)
- Sierra Wyllie: Research Intern (Summer 2021)
- Muhammad Ahmad Kaleem: Research Intern (Summer 2021)
- Aisha Alaagib: Research Intern (Summer 2021)
- Armin Ale: Research Intern (Summer 2021)
- Emmy Fang: MS student (started Fall 2021)
- Ali Shahin Shamsabadi: Postdoctoral Fellow (started Winter 2021)
- Anvith Thudi: Mathematics Specialist Undergraduate student (started Fall 2020)
- Adam Dziedzic: Postdoctoral Fellow (started Fall 2020)
- Mohammad Yaghini: PhD student (started Fall 2020)
- Natalie Dullerud: MS student (started Fall 2020)
- Stephan Rabanser: PhD student (started Fall 2020)
- Jonas Guan: PhD student (started Fall 2020)
- Jiaqi Wang: MASc student (started Fall 2020, co-advised with David Lie)
- Nick Jia: MASc student (started Fall 2020)
- Mingyue Yang: PhD student (started Winter 2020, co-advised with David Lie)
- Vinith Suriyakumar: MS student (started Fall 2019, co-advised with M. Ghassemi and A. Goldenberg)
- Lucas Bourtoule: MASc student (started Fall 2019)
- Adelin Travers: PhD student (started Fall 2019, co-advised with David Lie)
Past students and postdocs
- Steven Xia: Undergraduate student (Fall 2020 - Summer 2021, co-advised with Shurui Zhou) currently PhD student at UIUC
- Jin Zhou: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at Cornell
- Lucy Lu: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at Stanford
- Marko Huang: Engineering Science student (Fall 2020 - Summer 2021) currently MS student at University of Toronto
- Gabriel Deza: Engineering Science student (Fall 2020 - Summer 2021) currently PhD student at UC Berkeley
- Tejumade Afonja: Research Intern (Summer 2020) currently MS student at Saarland University
- Ilia Shumailov: Visiting PhD student (Summer 2020) currently PhD student at University of Cambridge
- Milad Nasr: Google Brain Intern (Summer 2020, co-hosted with Nicholas Carlini) currently PhD student at UMass
- Lorna Licollari: Research Intern (Summer 2020) currently Engineering Science student at University of Toronto
- Pratyush Maini: Research Intern (Summer 2020) currently PhD student at CMU
- Yunxiang Zhang: Research Intern (Spring 2020) currently PhD student at Chinese University of Hong Kong
- Saina Asani: Research Assistant (Winter 2020 - Summer 2020) currently AI Researcher at Huawei
- Laura Zhukas: Undergraduate Student Researcher (Fall 2019) currently BASc student at the University of Waterloo
- Christopher Choquette-Choo: Engineering Science student (Fall 2019 - Summer 2020) currently Google AI Resident
- Baiwu Zhang: MEng student (Fall 2019 - Summer 2020) currently Applied AI Researcher at BMO
- Varun Chandrasekaran: Visiting PhD student (Fall 2019) currently PhD student at University of Wisconsin
- Hadi Abdullah: Google Intern (Summer 2019, co-hosted with Damien Octeau) currently PhD student at University of Florida
- Matthew Jagielski: Google Brain intern (Summer 2019) currently PhD student at Northeastern University
Information for prospective graduate students and postdocs
- If you are interested in joining my research group as a graduate student, apply to the CS or ECE (select "software systems" field) program. Unfortunately, I cannot respond to all prospective graduate students, so the best time is to contact me after you submitted your application.
- If you are interested in joining my research group as a postdoc, please send me an email directly with your CV and research statement.
Research Talks
Upcoming
Here is a list of talks I will be giving. Feel free to reach out if you will be attending one of these events and would like to meet.
- 10/2021 - ESORICS 2021 keynote
- 8/2021 - CRYPTO Workshop on Privacy-Preserving ML
- 5/2021 - ICLR 2021 Workshop on Robust and Reliable ML panel
Past Recorded Talks
These video resources are a good overview of my research interests.
Tempered Sigmoids for DP-SGD
Trustworthy ML
Deepfakes
Lecture on ML security and privacy
Privacy-preserving ML
Adversarial examples
Blog Posts
Here is a list of blog posts discussing some of the research questions I'm interested in:
- Why we should regulate information about persons, not personal information
- To guarantee privacy, focus on the algorithms, not the data
- Teaching Machines to Unlearn
- In Model Extraction, Don’t Just Ask How?: Ask Why?
- How to steal modern NLP systems with gibberish?
- The academic job search for computer scientists in 10 questions
- How to know when machine learning does not know
- Machine Learning with Differential Privacy in TensorFlow
- Privacy and machine learning: two unexpected allies?
- The challenge of verification and testing of machine learning
- Is attacking machine learning easier than defending it?
- Breaking things is easy
Reza Shokri and I put together a list of publications on trustworthy ML here. We selected different sub-topics and key related research papers (as starting points) to help a student learn about this research area. There are so many good papers which are being published in this domain, so this list is by no means comprehensive. Papers are selected with the intention of maximizing coverage of the techniques introduced in the literature in as few papers as possible.
Teaching
- [Fall 2021] ECE1784H: Trustworthy Machine Learning (see Quercus for course details)
- [Fall 2021] ECE421H: Introduction to Machine Learning (see Quercus for course details)
- [Fall 2020] ECE421H: Introduction to Machine Learning (see Quercus for course details)
- [Fall 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
- [Winter 2020] ECE1513H: Introduction to Machine Learning (see Quercus for course details)
- [Fall 2019] ECE1784H: Trustworthy Machine Learning