Keynote I


When Models Learn Too Much

David Evans, The University of Virginia


Statistical machine learning uses training data to produce models that capture patterns in that data. When models are trained on private data, such as medical records or personal emails, there is a risk that those models not only learn the hoped-for patterns, but will also learn and expose sensitive information about their training data. Several different types of inference attacks on machine learning models have been found, and methods have been proposed to mitigate the risks of exposing sensitive aspects of training data. Differential privacy provides formal guarantees bounding certain types of inference risk, but, at least with state-of-the-art methods, providing substantive differential privacy guarantees requires adding so much noise to the training process for complex models that the resulting models are useless. Experimental evidence, however, suggests that inference attacks have limited power, and in many cases a very small amount of privacy noise seems to be enough to defuse inference attacks. In this talk, I will give an overview of a variety of different inference risks for machine learning models, talk about strategies for evaluating model inference risks, and report on some experiments by our research group to better understand the power of inference attacks in more realistic settings, and explore some broader the connections between privacy, fairness, and adversarial robustness.

Short Bio

David Evans is a Professor of Computer Science at the University of Virginia where he leads a research group focusing on security and privacy ( He won the Outstanding Faculty Award from the State Council of Higher Education for Virginia, and was Program Co-Chair for the 24th ACM Conference on Computer and Communications Security (CCS 2017) and the 30th (2009) and 31st (2010) IEEE Symposia on Security and Privacy, where he initiated the Systematization of Knowledge (SoK) papers. He is the author of an open computer science textbook ( and a children's book on combinatorics and computability (, and co-author of a book on secure multi-party computation ( He has SB, SM and PhD degrees from MIT and has been a faculty member at the University of Virginia since 1999.

Keynote II


Measurable and Deployable Security: Gaps, Successes, and Opportunities

Danfeng (Daphne) Yao, Virginia Tech


Security measurement helps identify deployment gaps and present extremely valuable research opportunities. However, such research is often deemed as not novelty by academia. I will first share my research journey designing and producing a high-precision tool CryptoGuard for scanning cryptographic vulnerabilities in large Java projects. That work led us to publish two benchmarks used for systematically assessing state-of-the-art academic and commercial solutions, as well as help Oracle Labs integrate our detection in their routine scanning. Other specific measurement and deployment cases to discuss include the Payment Card Industry Data Security Standard, which was involved in high-profile data breach incidents, and fine-grained Address Space Layout Randomization. The talk will also point out the need for measurement in AI development in the context of code repair. Broadening research styles by accepting and encouraging deployment-related work will facilitate our field to progress towards maturity.

Short Bio

Dr. Danfeng (Daphne) Yao is a Professor of Computer Science at Virginia Tech. She is an Elizabeth and James E. Turner Jr. ’56 Faculty Fellow and CACI Faculty Fellow. Her research interests are on building deployable and proactive cyber defenses, focusing on detection accuracy and scalability. She creates new models, algorithms, techniques, and deployment-quality tools for securing large-scale software and systems. Her tool CryptoGuard helps large software companies and Apache projects harden their cryptographic code. She systematized program anomaly detection in the book Anomaly Detection as a Service. Her patents on anomaly detection are extremely influential in the industry, having been cited by over 200 other patents from major cybersecurity firms and technology companies, including FireEye, Symantec, Qualcomm, Cisco, IBM, SAP, Boeing, and Palo Alto Networks. Her IEEE TIFS papers on enterprise data loss prevention were viewed 30,000 times. Dr. Yao was a recipient of the NSF CAREER Award and ARO Young Investigator Award. Dr. Yao is the ACM SIGSAC Treasurer/Secretary and is a member of the ACM SIGSAC executive committee since 2017. She spearheads multiple inclusive excellence initiatives, including the NSF-sponsored Individualized Cybersecurity Research Mentoring (iMentor) Workshop and the Women in Cybersecurity Research (CyberW) Workshop. Daphne received her Ph.D. degree from Brown University, M.S. degrees from Princeton University and Indiana University, Bloomington, B.S. degree from Peking University in China.