I had a chance to talk (over Zoom) about visual cryptography to students in an English class in a French high school in Spain!

Our research seeks to empower individuals and organizations to control how their data is used. We use techniques from cryptography, programming languages, machine learning, operating systems, and other areas to both understand and improve the privacy and security of computing as practiced today, and as envisioned in the future. A major current focus is on adversarial machine learning.
Inference Privacy
Security ML
Auditing ML Systems
Anshuman Suri and Pratyush Maini wrote a blog about the EMNLP 2024 best paper award winner: Reassessing EMNLP 2024’s Best Paper: Does Divergence-Based Calibration for Membership Inference Attacks Hold Up?.
As we explored in Do Membership Inference Attacks Work on Large Language Models?, to test a membership inference attack it is essential to have a candidate set where the members and non-members are from the same distribution. If the distributions are different, the ability of an attack to distinguish members and non-members is indicative of distribution inference, not necessarily membership inference.
The post describes experiments showing that the PatentMIA used in the EMNLP paper provides a false measure of membership inference.
UVA News has an article on our LLM membership inference work: Common Way To Test for Leaks in Large Language Models May Be Flawed: UVA Researchers Collaborated To Study the Effectiveness of Membership Inference Attacks, Eric Williamson, 13 November 2024.
Meet Assistant Professor Fnu Suya. His research interests include the application of machine learning techniques to security-critical applications and the vulnerabilities of machine learning models in the presence of adversaries, generally known as trustworthy machine learning.
— EECS (@EECS_UTK) October 7, 2024
I’m quoted in this story by Rob Lemos about poisoning code models (the CodeBreaker paper in USENIX Security 2024 by Shenao Yan, Shen Wang, Yue Duan, Hanbin Hong, Kiho Lee, Doowon Kim, and Yuan Hong), which considers a similar threat to our TrojanPuzzle work:
Researchers Highlight How Poisoned LLMs Can Suggest Vulnerable Code
Dark Reading, 20 August 2024
CodeBreaker uses code transformations to create vulnerable code that continues to function as expected, but that will not be detected by major static analysis security testing. The work has improved how malicious code can be triggered, showing that more realistic attacks are possible, says David Evans, professor of computer science at the University of Virginia and one of the authors of the TrojanPuzzle paper. ... Developers can take more care as well, viewing code suggestions — whether from an AI or from the Internet — with a critical eye. In addition, developers need to know how to construct prompts to produce more secure code. Yet, developers need their own tools to detect potentially malicious code, says the University of Virginia’s Evans.
“At most mature software development companies — before code makes it into a production system there is a code review — involving both humans and analysis tools,” he says. “This is the best hope for catching vulnerabilities, whether they are introduced by humans making mistakes, deliberately inserted by malicious humans, or the result of code suggestions from poisoned AI assistants.”