Torsten Krauß

Chair of Software Engineering (Informatik II)
Department of Computer Science
University of Würzburg

Am Hubland, 97074, Würzburg, Germany
Informatikgebäude, 1.OG, Room A117

E-Mail: torsten.krauss@uni-wuerzburg.de
Phone: +49 931 31-81983

Occupation

Since Oct 2021

PhD student in the Secure Software Systems Group at the Chair of Computer Science II - Software-Engineering, University of Würzburg

Research interests

AI for Security and Security for AI
Security in Large Scale Machine Learning
Trageted and Untargeted Poisoning Attacks on Machine Learning
Federated Learning Security
Dataset Cleaning
Model Prediction Trust Scoring
Covert Channels in Machine Learning Systems
Machine Learning Model Watermarking for IP Protection
IoT Security
Web Security

Projects

Teaching

SS 25

Security of Software Systems
Seminar IT Security

WS 24/25

Introduction to IT Security

SS 24

Security of Software Systems
Seminar IT Security

SS 23

Security of Software Systems
Seminar IT Security

WS 22/23

Introduction to IT Security

SS 22

Seminar IT Security

WS 21/22

Introduction to IT Security
Seminar IT Security

Publications

2025[ to top ]

AuthentiSafe: Lightweight and Future-Proof Device-to-Device Authentication for IoT. Petzi, Lukas; Krauß, Torsten; Dmitrienko, Alexandra; Tsudik, Gene; in to appear in the 20th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2025) (2025).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
The Internet of Things (IoT) is permeating many aspects of every- day life, including homes, public spaces, and industrial settings. The growing popularity of IoT devices prompts an important challenge of ensuring secure and reliable communication. To support direct device-to-device communication among resource-constrained IoT devices, lightweight authentication techniques are needed that do not rely on trusted servers. One promising primitive for this pur- pose are Physical Unclonable Functions (PUFs), which utilize unique characteristics of hardware components (e.g., memory) inherent in the manufacturing of IoT devices. Given some input, a PUF gener- ates a unique secret value which facilitates secure and robust au- thentication. However, current PUF-based authentication schemes require a trusted server, incur substantial computational costs, or lack resilience against emerging quantum computing threats. This paper introduces AuthentiSafe, a lightweight, scalable, and secure PUF-based authentication scheme for device-to-device au- thentication among mutually mistrusting IoT devices. AuthentiSafe integrates PUFs with one-time signatures and cryptographic accu- mulators, thus eliminating the need for a trusted server. By rely- ing exclusively on efficient cryptographic one-way hash functions, AuthentiSafe minimizes protocol costs and accommodates low com- putational power and very limited secure storage of IoT devices. It also ensures security in the post-quantum era, since one-way func- tions remain resilient to quantum attacks. We show AuthentiSafe’s resilience against various attacks. Experiments show that it appre- ciably outperforms three prior PUF-based authentication schemes.

@article{noauthororeditor, abstract = {The Internet of Things (IoT) is permeating many aspects of every- day life, including homes, public spaces, and industrial settings. The growing popularity of IoT devices prompts an important challenge of ensuring secure and reliable communication. To support direct device-to-device communication among resource-constrained IoT devices, lightweight authentication techniques are needed that do not rely on trusted servers. One promising primitive for this pur- pose are Physical Unclonable Functions (PUFs), which utilize unique characteristics of hardware components (e.g., memory) inherent in the manufacturing of IoT devices. Given some input, a PUF gener- ates a unique secret value which facilitates secure and robust au- thentication. However, current PUF-based authentication schemes require a trusted server, incur substantial computational costs, or lack resilience against emerging quantum computing threats. This paper introduces AuthentiSafe, a lightweight, scalable, and secure PUF-based authentication scheme for device-to-device au- thentication among mutually mistrusting IoT devices. AuthentiSafe integrates PUFs with one-time signatures and cryptographic accu- mulators, thus eliminating the need for a trusted server. By rely- ing exclusively on efficient cryptographic one-way hash functions, AuthentiSafe minimizes protocol costs and accommodates low com- putational power and very limited secure storage of IoT devices. It also ensures security in the post-quantum era, since one-way func- tions remain resilient to quantum attacks. We show AuthentiSafe’s resilience against various attacks. Experiments show that it appre- ciably outperforms three prior PUF-based authentication schemes.}, author = {Petzi, Lukas and Krauß, Torsten and Dmitrienko, Alexandra and Tsudik, Gene}, journal = {to appear in the 20th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2025)}, keywords = {lukaspetzi}, title = {AuthentiSafe: Lightweight and Future-Proof Device-to-Device Authentication for IoT}, year = 2025 }

2024[ to top ]

DNNShield: Embedding Identifiers for Deep Neural Network Ownership Verification. Stang, Jasper; Krauß, Torsten; Dmitrienko, Alexandra; in ArXiv | arXiv:2403.06581 (2024).
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
The surge in popularity of machine learning (ML) has driven significant investments in training Deep Neural Networks (DNNs). However, these models that require resource-intensive training are vulnerable to theft and unauthorized use. This paper addresses this challenge by introducing DNNShield, a novel approach for DNN protection that integrates seamlessly before training. DNNShield embeds unique identifiers within the model architecture using specialized protection layers. These layers enable secure training and deployment while offering high resilience against various attacks, including fine-tuning, pruning, and adaptive adversarial attacks. Notably, our approach achieves this security with minimal performance and computational overhead (less than 5% runtime increase). We validate the effectiveness and efficiency of DNNShield through extensive evaluations across three datasets and four model architectures. This practical solution empowers developers to protect their DNNs and intellectual property rights.

@article{jasper2024dnnshield, abstract = {The surge in popularity of machine learning (ML) has driven significant investments in training Deep Neural Networks (DNNs). However, these models that require resource-intensive training are vulnerable to theft and unauthorized use. This paper addresses this challenge by introducing DNNShield, a novel approach for DNN protection that integrates seamlessly before training. DNNShield embeds unique identifiers within the model architecture using specialized protection layers. These layers enable secure training and deployment while offering high resilience against various attacks, including fine-tuning, pruning, and adaptive adversarial attacks. Notably, our approach achieves this security with minimal performance and computational overhead (less than 5% runtime increase). We validate the effectiveness and efficiency of DNNShield through extensive evaluations across three datasets and four model architectures. This practical solution empowers developers to protect their DNNs and intellectual property rights.}, author = {Stang, Jasper and Krauß, Torsten and Dmitrienko, Alexandra}, journal = {ArXiv | arXiv:2403.06581}, keywords = {sssgroup}, month = {03}, title = {DNNShield: Embedding Identifiers for Deep Neural Network Ownership Verification}, year = 2024 }
Cloud-Based Machine Learning Models as Covert Communication Channels. Krauß, Torsten; Stang, Jasper; Dmitrienko, Alexandra; in the 19th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2024) (2024).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@article{torsten2024cloudbased, author = {Krauß, Torsten and Stang, Jasper and Dmitrienko, Alexandra}, journal = {the 19th ACM ASIA Conference on Computer and Communications Security (ACM ASIACCS 2024)}, keywords = {sssgroup}, title = {Cloud-Based Machine Learning Models as Covert Communication Channels}, year = 2024 }
CrowdGuard: Federated Backdoor Detection in Federated Learning. Rieger, Phillip; Krauß, Torsten; Miettinen, Markus; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; in the Network and Distributed System Security Symposium (NDSS) (2024).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@article{torsten2024crowdguard, author = {Rieger, Phillip and Krauß, Torsten and Miettinen, Markus and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza}, journal = {the Network and Distributed System Security Symposium (NDSS)}, keywords = {Private_AI}, title = {CrowdGuard: Federated Backdoor Detection in Federated Learning}, year = 2024 }
ClearStamp: A Human-Visible and Robust Model-Ownership Proof based on Transposed Model Training. Krauß, Torsten; Stang, Jasper; Dmitrienko, Alexandra; in the 33rd USENIX Security Symposium (USENIX Security 2024) (2024).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Due to costly efforts during data acquisition and model training, Deep Neural Networks (DNNs) belong to the intellectual property of the model creator. Hence, unauthorized use, theft, or modification may lead to legal repercussions. Existing DNN watermarking methods for ownership proof are often non-intuitive, embed human-invisible marks, require trust in algorithmic assessment that lacks human-understandable attributes, and rely on rigid thresholds, making it susceptible to failure in cases of partial watermark erasure. This paper introduces ClearStamp, the first DNN watermarking method designed for intuitive human assessment. ClearStamp embeds visible watermarks, enabling human decision-making without rigid value thresholds while allowing technology-assisted evaluations. ClearStamp defines a transposed model architecture allowing to use of the model in a backward fashion to interwove the watermark with the main task within all model parameters. Compared to existing watermarking methods, ClearStamp produces visual watermarks that are easy for humans to understand without requiring complex verification algorithms or strict thresholds. The watermark is embedded within all model parameters and entangled with the main task, exhibiting superior robustness. It shows an 8,544-bit watermark capacity comparable to the strongest existing work. Crucially, ClearStamp’s effectiveness is model and dataset-agnostic, and resilient against adversarial model manipulations, as demonstrated in a comprehensive study performed with four datasets and seven architectures.

@article{torsten2024clearstamp, abstract = {Due to costly efforts during data acquisition and model training, Deep Neural Networks (DNNs) belong to the intellectual property of the model creator. Hence, unauthorized use, theft, or modification may lead to legal repercussions. Existing DNN watermarking methods for ownership proof are often non-intuitive, embed human-invisible marks, require trust in algorithmic assessment that lacks human-understandable attributes, and rely on rigid thresholds, making it susceptible to failure in cases of partial watermark erasure. This paper introduces ClearStamp, the first DNN watermarking method designed for intuitive human assessment. ClearStamp embeds visible watermarks, enabling human decision-making without rigid value thresholds while allowing technology-assisted evaluations. ClearStamp defines a transposed model architecture allowing to use of the model in a backward fashion to interwove the watermark with the main task within all model parameters. Compared to existing watermarking methods, ClearStamp produces visual watermarks that are easy for humans to understand without requiring complex verification algorithms or strict thresholds. The watermark is embedded within all model parameters and entangled with the main task, exhibiting superior robustness. It shows an 8,544-bit watermark capacity comparable to the strongest existing work. Crucially, ClearStamp’s effectiveness is model and dataset-agnostic, and resilient against adversarial model manipulations, as demonstrated in a comprehensive study performed with four datasets and seven architectures.}, author = {Krauß, Torsten and Stang, Jasper and Dmitrienko, Alexandra}, journal = {the 33rd USENIX Security Symposium (USENIX Security 2024)}, keywords = {sssgroup}, title = {ClearStamp: A Human-Visible and Robust Model-Ownership Proof based on Transposed Model Training}, year = 2024 }
Automatic Adversarial Adaption for Stealthy Poisoning Attacks in Federated Learning. Krauß, Torsten; König, Jan; Dmitrienko, Alexandra; Kanzow, Christian; in the Network and Distributed System Security Symposium (NDSS) (2024).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@article{krauss2024automatic, author = {Krauß, Torsten and König, Jan and Dmitrienko, Alexandra and Kanzow, Christian}, journal = {the Network and Distributed System Security Symposium (NDSS)}, keywords = {jankounig}, title = {Automatic Adversarial Adaption for Stealthy Poisoning Attacks in Federated Learning}, year = 2024 }
Verify your Labels! Trustworthy Predictions and Datasets via Confidence Scores. Krauß, Torsten; Stang, Jasper; Dmitrienko, Alexandra; in the 33rd USENIX Security Symposium (USENIX Security 2024) (2024).
- [ Abstract ]
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
Machine learning is a rapidly evolving technology with manifold benefits. At its core lies the mapping between samples and corresponding target labels (SL-Mappings). Such mappings can originate from labeled dataset samples or from prediction generated during model inference. The correctness of SL-Mappings is crucial, both during training and for model predictions, especially when considering poisoning attacks. Existing standalone works from the dataset cleaning and prediction confidence scoring domains lack a dual-use tool offering an SL-Mappings score, which is impractical. Moreover, these works have drawbacks, e.g., dependence on specific model architectures and reliance on large datasets, which may not be accessible, or lack a meaningful confidence score. In this paper, we introduce LabelTrust, a versatile tool designed to generate confidence scores for SL-Mappings. We propose pipelines facilitating dataset cleaning and confidence scoring, mitigating the limitations of existing standalone approaches from each domain. Thereby, LabelTrust leverages a Siamese network trained via few-shot learning, requiring minimal clean samples and is agnostic to datasets and model architectures. We demonstrate LabelTrust’s efficacy in detecting poisoning attacks within samples and predictions alike, with a modest one-time training overhead of 34.56 seconds and an evaluation time of less than 1 second per SL-Mapping.

@article{krauss2024verify, abstract = {Machine learning is a rapidly evolving technology with manifold benefits. At its core lies the mapping between samples and corresponding target labels (SL-Mappings). Such mappings can originate from labeled dataset samples or from prediction generated during model inference. The correctness of SL-Mappings is crucial, both during training and for model predictions, especially when considering poisoning attacks. Existing standalone works from the dataset cleaning and prediction confidence scoring domains lack a dual-use tool offering an SL-Mappings score, which is impractical. Moreover, these works have drawbacks, e.g., dependence on specific model architectures and reliance on large datasets, which may not be accessible, or lack a meaningful confidence score. In this paper, we introduce LabelTrust, a versatile tool designed to generate confidence scores for SL-Mappings. We propose pipelines facilitating dataset cleaning and confidence scoring, mitigating the limitations of existing standalone approaches from each domain. Thereby, LabelTrust leverages a Siamese network trained via few-shot learning, requiring minimal clean samples and is agnostic to datasets and model architectures. We demonstrate LabelTrust’s efficacy in detecting poisoning attacks within samples and predictions alike, with a modest one-time training overhead of 34.56 seconds and an evaluation time of less than 1 second per SL-Mapping.}, author = {Krauß, Torsten and Stang, Jasper and Dmitrienko, Alexandra}, journal = {the 33rd USENIX Security Symposium (USENIX Security 2024)}, keywords = {sssgroup}, title = {Verify your Labels! Trustworthy Predictions and Datasets via Confidence Scores}, year = 2024 }

2023[ to top ]

ClearMark: Intuitive and Robust Model Watermarking via Transposed Model Training. Krauß, Torsten; Stang, Jasper; Dmitrienko, Alexandra; in ArXiv | arXiv:2310.16453v1 (2023).
- [ Abstract ]
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
Due to costly efforts during data acquisition and model training, Deep Neural Networks (DNNs) belong to the intellectual property of the model creator. Hence, unauthorized use, theft, or modification may lead to legal repercussions. Existing DNN watermarking methods for ownership proof are often non-intuitive, embed human-invisible marks, require trust in algorithmic assessment that lacks human-understandable attributes, and rely on rigid thresholds, making it susceptible to failure in cases of partial watermark erasure. This paper introduces ClearMark, the first DNN watermarking method designed for intuitive human assessment. ClearMark embeds visible watermarks, enabling human decision-making without rigid value thresholds while allowing technology-assisted evaluations. ClearMark defines a transposed model architecture allowing to use of the model in a backward fashion to interwove the watermark with the main task within all model parameters. Compared to existing watermarking methods, ClearMark produces visual watermarks that are easy for humans to understand without requiring complex verification algorithms or strict thresholds. The watermark is embedded within all model parameters and entangled with the main task, exhibiting superior robustness. It shows an 8,544-bit watermark capacity comparable to the strongest existing work. Crucially, ClearMark's effectiveness is model and dataset-agnostic, and resilient against adversarial model manipulations, as demonstrated in a comprehensive study performed with four datasets and seven architectures.

@article{krauss2023clearmark, abstract = {Due to costly efforts during data acquisition and model training, Deep Neural Networks (DNNs) belong to the intellectual property of the model creator. Hence, unauthorized use, theft, or modification may lead to legal repercussions. Existing DNN watermarking methods for ownership proof are often non-intuitive, embed human-invisible marks, require trust in algorithmic assessment that lacks human-understandable attributes, and rely on rigid thresholds, making it susceptible to failure in cases of partial watermark erasure. This paper introduces ClearMark, the first DNN watermarking method designed for intuitive human assessment. ClearMark embeds visible watermarks, enabling human decision-making without rigid value thresholds while allowing technology-assisted evaluations. ClearMark defines a transposed model architecture allowing to use of the model in a backward fashion to interwove the watermark with the main task within all model parameters. Compared to existing watermarking methods, ClearMark produces visual watermarks that are easy for humans to understand without requiring complex verification algorithms or strict thresholds. The watermark is embedded within all model parameters and entangled with the main task, exhibiting superior robustness. It shows an 8,544-bit watermark capacity comparable to the strongest existing work. Crucially, ClearMark's effectiveness is model and dataset-agnostic, and resilient against adversarial model manipulations, as demonstrated in a comprehensive study performed with four datasets and seven architectures.}, author = {Krauß, Torsten and Stang, Jasper and Dmitrienko, Alexandra}, journal = {ArXiv | arXiv:2310.16453v1}, keywords = {sss-group}, month = 10, title = {ClearMark: Intuitive and Robust Model Watermarking via Transposed Model Training}, year = 2023 }
MESAS: Poisoning Defense for Federated Learning Resilient against Adaptive Attackers. Torsten, Krauß; Alexandra, Dmitrienko; in ACM Conference on Computer and Communications Security (CCS) (2023).
- [ BibTeX ]
- [ Download ]
- [ BibSonomy-Post ]
@article{torsten2023mesas, author = {Torsten, Krauß and Alexandra, Dmitrienko}, journal = {ACM Conference on Computer and Communications Security (CCS)}, keywords = {sss-group}, title = {MESAS: Poisoning Defense for Federated Learning Resilient against Adaptive Attackers}, year = 2023 }
Security of NVMe Offloaded Data in Large-Scale Machine Learning. Krauß, Torsten; Götz, Raphael; Dmitrienko, Alexandra; in European Symposium on Research in Computer Security (ESORICS) (2023).
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
@article{krauss2024security, author = {Krauß, Torsten and Götz, Raphael and Dmitrienko, Alexandra}, journal = {European Symposium on Research in Computer Security (ESORICS)}, keywords = {Private_AI}, title = {Security of NVMe Offloaded Data in Large-Scale Machine Learning}, year = 2023 }
Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations. Krauß, Torsten; Dmitrienko, Alexandra; in ArXiv | arXiv.2306.03600 (2023).
- [ BibTeX ]
- [ URL ]
- [ Download ]
- [ BibSonomy-Post ]
@article{krauss2023avoid, author = {Krauß, Torsten and Dmitrienko, Alexandra}, journal = {ArXiv | arXiv.2306.03600}, keywords = {Machine}, title = {Avoid Adversarial Adaption in Federated Learning by Multi-Metric Investigations}, year = 2023 }

2022[ to top ]

Close the Gate: Detecting Backdoored Models in Federated Learning based on Client-Side Deep Layer Output Analysis. Rieger, Phillip; Krauß, Torsten; Miettinen, Markus; Dmitrienko, Alexandra; Sadeghi, Ahmad-Reza; in ArXiv | arXiv:2210.07714 (2022).
- [ BibTeX ]
- [ URL ]
- [ BibSonomy-Post ]
@article{https://doi.org/10.48550/arxiv.2210.07714, author = {Rieger, Phillip and Krauß, Torsten and Miettinen, Markus and Dmitrienko, Alexandra and Sadeghi, Ahmad-Reza}, journal = {ArXiv | arXiv:2210.07714}, keywords = {Private_AI}, publisher = {arXiv}, title = {Close the Gate: Detecting Backdoored Models in Federated Learning based on Client-Side Deep Layer Output Analysis}, year = 2022 }