Maximilian K. Noppel

noppel@kit.edu

KIT, bldg. 50.34 room 163

Am Fasanengarten 5

76131 Karlsruhe

I am a doctoral researcher in the Intelligent System Security (IntelliSec) group of Christian Wressnegger. After my B.Sc. in Computer Science I worked for three years as a software engineer and software architect for embedded multiprocessor devices. Then I decided to head back to university. In 2020, I graduated to M.Sc. in Computer Science at the Karlsruhe Institute of Technology (KIT). My studies were concentrated on IT security, cryptography, anonymity and privacy, and algorithm engineering.

As a doctoral researcher, I focus on the vulnerabilities of eXplainable Artificial Intelligence (XAI) in adversarial environments. XAI methods augment the predictions of an ML model by an additional output, the explanations. This increase in the amount of scalar outputs potentizes the number of possible adversarial goals. An adversary may fool the prediction, the explanation, or both simultaneously. Note that with the term ‘fooling,’ I capture diverse incentives, e.g., showing a target explanation or injecting a backdoor. I research these attacks with varying threat models, explanation methods, model architectures, and application domains. My research highlights the necessity of robustness guarantees for XAI, which I hope to be able to provide at some point.

In my spare time, I founded the hackerspace vspace.one e.V. in 2016 and several other clubs, e.g., to promote local musicians. I love open-source software and open-hardware projects, including little Arduino projects, but also my homebrew relay CPU project and mechanical keyboards. In addition, I’m working on mechanical projects using CNC mills or 3D printers, and I organize events like code-golfings, lightning-talks, hackathons, hackerjeopardy-parties, or crypto-parties. I am also an active ham radio operator with the call sign DC0MX. You can find me in the university’s ham radio group DF0UK. If you are interested in sports, find me as a trainer for under-water-rugby in the SSC Karlsruhe and KIT University teams.

news [more]

Oct 15, 2024	We have just uploaded our preprint on Generalized Adversarial Code-Suggestions: Exploiting Contexts of LLM-based Code-Completion to ArXiv. In the paper, we investigate if code models can be tricked to suggest vulnerable source code, without adding vulnerable code snippets to the training data. That way, our attack by-passes static analysis and other defensive technique that should ensure a secure usage of coding assistents. In our research, we found that none of the evaluated defenses can prevent our attack effectively, except for one: Fine-Pruning works but requires a trusted clean data set which is the problem in the first place.
Sep 24, 2024	I lust presented our extended abstract A Brief Systematization of Explanation-Aware Attacks at the 47^th German Conference on Artificial Intelligence 2024 in Würzburg, Germany. In the paper, we summarized our SP24 Systematization of Knowledge paper on three pagess, including the three important dimesions: The capabilities of the adversary, the scopes of the attack, and the attack types. The paper serves an basic introduction to the problem of explanation-aware attacks.
Jun 27, 2024	Our extended abstract paper A Brief Systematization of Explanation-Aware Attacks is accepted to the 47^th German Conference on Artificial Intelligence 2024 in Würzburg, Germany. I’m looking forward to interesting discussions at the conference.

selected publications [more]

IEEE S&P
SoK: Explainable Machine Learning in Adversarial Environments

Maximilian Noppel, and Christian Wressnegger

In Proc. of the IEEE Symposium on Security and Privacy (S&P), 2024

Abs Bib PDF

Modern deep learning methods have long been considered black boxes due to the lack of insights into their decision-making process. However, recent advances in explainable machine learning have turned the tables. Post-hoc explanation methods enable precise relevance attribution of input features for otherwise opaque models such as deep neural networks. This progression has raised expectations that these techniques can uncover attacks against learning-based systems such as adversarial examples or neural backdoors. Unfortunately, current methods are not robust against manipulations themselves. In this paper, we set out to systematize attacks against post-hoc explanation methods to lay the groundwork for developing more robust explainable machine learning. If explanation methods cannot be misled by an adversary, they can serve as an effective tool against attacks, marking a turning point in adversarial machine learning. We present a hierarchy of explanation-aware robustness notions and relate existing defenses to it. In doing so, we uncover synergies, research gaps, and future directions toward more reliable explanations robust against manipulations.
@inproceedings{Noppel2024Explainable, title = {SoK: Explainable Machine Learning in Adversarial Environments}, booktitle = {Proc. of the {IEEE} Symposium on Security and Privacy ({S\&P})}, author = {Noppel, Maximilian and Wressnegger, Christian}, year = {2024}, }
IEEE S&P
Disguising Attacks with Explanation-Aware Backdoors

Maximilian Noppel, Lukas Peter, and Christian Wressnegger

In Proc. of the IEEE Symposium on Security and Privacy (S&P), 2023

Abs Bib PDF

Explainable machine learning holds great potential for analyzing and understanding learning-based systems. These methods can, however, be manipulated to present unfaithful explanations, giving rise to powerful and stealthy adversaries. In this paper, we demonstrate how to fully disguise the adversarial operation of a machine learning model. Similar to neural backdoors, we change the model’s prediction upon trigger presence but simultaneously fool an explanation method that is applied post-hoc for analysis. This enables an adversary to hide the presence of the trigger or point the explanation to entirely different portions of the input, throwing a red herring. We analyze different manifestations of these explanation-aware backdoors for gradient- and propagation-based explanation methods in the image domain, before we resume to conduct a red-herring attack against malware classification.
@inproceedings{Noppel2023Disguising, title = {Disguising Attacks with Explanation-Aware Backdoors}, booktitle = {Proc. of the {IEEE} Symposium on Security and Privacy ({S\&P})}, author = {Noppel, Maximilian and Peter, Lukas and Wressnegger, Christian}, year = {2023}, }
WPES
Plausible Deniability for Anonymous Communication

Christiane Kuhn, Maximilian Noppel, Christian Wressnegger, and Thorsten Strufe

In Proc. of Workshop on Privacy in the Electronic Society (WPES), 2021

Abs Bib PDF

The rigorous analysis of anonymous communication protocols and formal privacy goals have proven to be difficult to get right. Formal privacy notions as in the current state of the art based on indistinguishability games simplify analysis. Achieving them, however can incur prohibitively high overhead in terms of latency. Definitions based on function views, albeit less investigated, might imply less overhead but aren’t directly comparable to state of the art notions, due to differences in the model. In this paper, we bridge the worlds of indistinguishability game and function view based notions by introducing a new game: the "Exists INDistinguishability” (E·IND), a weak notion that corresponds to what is informally sometimes termed Plausible Deniability. By intuition, for every action in a system achieving plausible deniability there exists an equally plausible, alternative that results in observations that an adversary cannot tell apart. We show how this definition connects the early formalizations of privacy based on function views [13] to recent game-based definitions [15]. This enables us to link, analyze, and compare existing efforts in the field.
@inproceedings{Kuhn2021Plausible, title = {Plausible Deniability for Anonymous Communication}, booktitle = {Proc. of Workshop on Privacy in the Electronic Society ({WPES})}, author = {Kuhn, Christiane and Noppel, Maximilian and Wressnegger, Christian and Strufe, Thorsten}, year = {2021}, pages = {17--32}, }