Thorsten Eisenhofer
ML & Computer Security
I'm a tenure-track faculty member at CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Before joining CISPA, I was a postdoctoral researcher in the Machine Learning and Security group at BIFOLD & TU Berlin working with Konrad Rieck. I completed my PhD at Ruhr University Bochum, advised by Thorsten Holz and as part of the Cluster of Excellence CASA. My dissertation was recognized by the faculty for outstanding achievements.
My research focuses on machine learning and computer security. I'm interested in a all kinds of attacks on learning models and defenses to improve their robustness. This often means looking beyond the model itself and examining the entire computational pipeline, including pre-processing, post-processing, and the underlying hardware and software stack. I'm also interested in how learning-based approaches, including modern LLM and agent systems, can support core security tasks such as vulnerability analysis, fuzzing, and malware classification.
Along the way, I interned with the SecLab at UC Santa Barbara, working with Giovanni Vigna and Christopher Kruegel and joining Shellphish at the DEF CON CTF finals in Las Vegas. I have also been a visiting researcher at the Cleverhans Lab at the Vector Institute in Toronto, working with Nicolas Papernot. I hold a B.Sc. in Computer Science from Paderborn University and an M.Sc. in Computer Security from Ruhr University Bochum, where I graduated top of my class.
I'm currently looking for PhD students, postdocs, and research interns in machine learning + security. If you're interested joining my group, please reach out through the CISPA Career Portal and indicate that you'd like to work with me. If you're a student seeking a summer internship, you may want to have a look at our CISPA Summer Research Internship Program.
Jonathan Evertz, Niklas Risse, Nicolai Neuer, Andreas Müller, Philipp Norman, Gaetano Sapia, Srishti Gupta, David Pape, Soumya Shaw, Devansh Srivastav, Christian Wressnegger, Erwin Quiring, Thorsten Eisenhofer, Daniel Arp, and Lea Schönherr
Chasing Shadows: Pitfalls in LLM Security Research
Network and Distributed System Security Symposium (NDSS) (to appear)
Felix Weissberg, Lukas Pirch, Erik Imgrund, Jonas Möller, Thorsten Eisenhofer, and Konrad Rieck
LLM-based Vulnerability Discovery through the Lens of Code Metrics
IEEE/ACM International Conference on Software Engineering (ICSE)
[pdf]
[code]
Erik Imgrund, Thorsten Eisenhofer, and Konrad Rieck
Adversarial Observations in Weather Forecasting
ACM Conference on Computer and Communications Security (CCS)
[pdf]
[code]
[poster]
[arxiv]
Distinguished Paper Award
Jonas Möller, Lukas Pirch, Felix Weissberg, Sebastian Baunsgaard, Thorsten Eisenhofer, and Konrad Rieck
Adversarial Inputs for Linear Algebra Backends
International Conference on Machine Learning (ICML)
[pdf]
[code]
Felix Weissberg, Jan Malte Hilgefort, Steve Grogorick, Daniel Arp, Thorsten Eisenhofer, Martin Eisemann, and Konrad Rieck
Seeing Through: Analyzing and Attacking Virtual Backgrounds in Video Calls
David Pape, Sina Mavali, Thorsten Eisenhofer, and Lea Schönherr
David Beste, Grégoire Menguy, Hossein Hajipour, Mario Fritz, Antonio Emanuele Cinà, Sébastien Bardin, Thorsten Holz, Thorsten Eisenhofer, and Lea Schönherr
Exploring the Potential of LLMs for Code Deobfuscation
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
[pdf]
[code]
Roei Schuster, Jin Peng Zhou, Thorsten Eisenhofer, Paul Grubbs, and Nicolas Papernot
Learned-Database Systems Security
Transactions on Machine Learning Research (TMLR)
[pdf]
[arxiv]
Joel Frank, Franziska Herbert, Jonas Ricker, Lea Schönherr, Thorsten Eisenhofer, Asja Fischer, Markus Dürmuth, and Thorsten Holz
A Representative Study on Human Detection of Artificially Generated Media Across Countries
IEEE Symposium on Security and Privacy (S&P)
[pdf]
[preregistration]
[code]
[arxiv]
Jonathan Evertz, Merlin Chlosta, Lea Schönherr, and Thorsten Eisenhofer
Whispers in the Machine: Confidentiality in LLM-integrated Systems
Felix Weissberg, Jonas Möller, Tom Ganz, Erik Imgrund, Lukas Pirch, Lukas Seidel, Moritz Schloegel, Thorsten Eisenhofer, and Konrad Rieck
SoK: Where to Fuzz? Assessing Target Selection Methods in Directed Fuzzing
ACM Asia Conference on Computer and Communications Security (ASIACCS)
[pdf]
[code]
[arxiv]
Jonas Möller, Felix Weissberg, Lukas Pirch, Thorsten Eisenhofer, and Konrad Rieck
Cross-Language Differential Testing of JSON Parsers
ACM Asia Conference on Computer and Communications Security (ASIACCS)
[pdf]
[code]
Thorsten Eisenhofer
Security of Machine Learning Systems
Dissertation
[pdf]
[slides]
Faculty Award for Outstanding Achievement
Thorsten Eisenhofer, Erwin Quiring, Jonas Möller, Doreen Riepel, Thorsten Holz, and Konrad Rieck
No more Reviewer #2: Subverting Automatic Paper-Reviewer Assignment using Adversarial Learning
USENIX Security Symposium
[pdf]
[slides]
[examples]
[code]
[arxiv]
Hojjat Aghakhani, Lea Schönherr, Thorsten Eisenhofer, Dorothea Kolossa, Thorsten Holz, Christopher Kruegel, and Giovanni Vigna
VenoMave: Targeted Poisoning Against Speech Recognition
IEEE Conference on Secure and Trustworthy Machine Learning (SaTML)
[pdf]
[code]
[arxiv]
Nico Schiller, Merlin Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, and Thorsten Holz
Drone Security and the Mysterious Case of DJI's DroneID
Network and Distributed System Security Symposium (NDSS)
[pdf]
[code]
David Pape, Sina Däubener, Thorsten Eisenhofer, Antonio Emanuele Cinà, and Lea Schönherr
On the Limitations of Model Stealing with Uncertainty Quantification Models
European Symposium on Artificial Neural Networks, Computational Intelligence and Machine Learning (ESANN)
[pdf]
[arxiv]
Michel Abdalla, Thorsten Eisenhofer, Eike Kiltz, Sabrina Kunzweiler, and Doreen Riepel
Password-Authenticated Key Exchange from Group Actions
Annual International Cryptology Conference (CRYPTO)
[pdf]
Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, and Thorsten Holz
Joel Frank, Thorsten Eisenhofer, Lea Schönherr, Asja Fischer, Dorothea Kolossa, and Thorsten Holz
Leveraging Frequency Analysis for Deep Fake Image Recognition
International Conference on Machine Learning (ICML)
[pdf]
[slides]
[code]
[arxiv]
Lea Schönherr, Thorsten Eisenhofer, Steffen Zeiler, Thorsten Holz, and Dorothea Kolossa
Imperio: Robust Over-the-Air Adversarial Examples for Automatic Speech Recognition Systems
Annual Computer Security Applications Conference (ACSAC)
[pdf]
[talk]
[examples]
[arxiv]
Verifiable and Provably Secure Machine Unlearning, Conference talk, SaTML, 2025
Security of Machine Learning Systems, Spring school “SAIL”, Bielefeld University, 2025
Security of Machine Learning Systems, Keynote, Winter school “WinterHack”, Ruhr University Bochum, 2024
Maschinelles Lernen in der IT-Sicherheit, Lecture series “KI und Informationssicherheit”, Heidelberg University, 2024
International Research Environments, Panel discussion, Ruhr University Bochum, 2024
Machine Learning and Security, Lecture series “Machine Learning in Science & Industry”, TU Berlin, 2024
Subverting Automatic Paper-Reviewer Assignment, Conference talk, USENIX Security, 2023
Security of Machine Learning Systems, Defense, Ruhr University Bochum, 2023
Communicating Research, Panel discussion, Ruhr University Bochum, 2023
Adversarially Robust Speech Recognition, Spotlight presentation, CASA Retreat, 2021
Taming Audio Adversarial Examples, Conference talk, USENIX Security, 2021
Program Committees
ACM Conference on Computer and Communications Security (CCS), 2026
Workshop on Artificial Intelligence and Security (AISec), 2025
ACM Conference on Computer and Communications Security (CCS), 2024
Workshop on Artificial Intelligence and Security (AISec), 2024
European Symposium on Artificial Neural Networks ... (ESANN), 2023
Instructor
Security and Privacy of AI, TU Berlin
Master・Seminar・Summer 2025
Reproducing AI Attacks and Defenses, TU Berlin
Master・Hands-on class・Winter 2024/25
Privacy and Security in Learning, TU Berlin
Master・Seminar・Summer 2024
Security Playground for Generative Agents, TU Berlin
Master・Hands-on class・Summer 2024
ML & Computer Security, Ruhr University Bochum
Master・Hands-on class・Winter 2021/22
ML & Computer Security, Ruhr University Bochum
Master・Hands-on class・Summer 2021
ML & Computer Security, Ruhr University Bochum
Master・Hands-on class・Winter 2020/21
Teaching Assistant
Machine Learning for Computer Security, TU Berlin
Master・Lecture・Summer 2025
Adversarial Machine Learning, TU Berlin
Master・Lecture・Winter 2024/25
Machine Learning for Computer Security, TU Berlin
Master・Lecture・Summer 2024
System Security, Saarland University
Bachelor・Lecture・Summer 2021
System Security, Ruhr University Bochum
Bachelor・Lecture・Summer 2020
Operating System Security, Ruhr University Bochum
Master・Lecture・Winter 2019/20
System Security, Ruhr University Bochum
Bachelor・Lecture・Summer 2019
Artificially Generated Media
CISPA: «New results in AI research: Humans barely able to recognize AI-generated media» (EN)
heise online: «KI: Großer Teil kann KI-Inhalte nicht erkennen und weiß nicht, was KI ist» (DE)
Ruhr University Bochum: «New Findings from AI Research: Humans Can Hardly Recognize...» (EN)
Valve World Expo: «People can no longer recognize AI-generated media» (EN)
radioeins: «Warum Menschen KI-erstellte Inhalte häufig nicht mehr erkennen» (DE)
Drone Security
Ruhr University Bochum: «Security vulnerabilities detected in drones made by DJI» (EN)
WIRED: «This Hacker Tool Can Pinpoint a DJI Drone Operator's Exact Location» (EN)
EurekAlert!: «Security vulnerabilities detected in drones made by DJI» (EN)
Golem.de: «DJI-Drohnen verraten Standort des Piloten» (DE)
Caschys Blog: «NDSS: DroneID von DJI kann leicht durch Angreifer gekapert werden» (DE)
hackster.io: «Researchers Release a Tool for Geolocating Commercial Drones and Their...» (EN)
sUAS News: «DIY DJI Aeroscope to find drone operator locations» (EN)
News8Plus: «Security vulnerabilities detected in drones made by DJI» (EN)
大疆.COM: «德国研究人员发现大疆四款无人机存安全漏洞» (CN)
Born's Tech and Windows World: «Security: DJI drones and it's AeroScope vulnerabilities» (EN)
System Weakness: «Annoying Drone Near You? Fuzz It, Find the Operator. A Hack» (EN)
HACKREAD: «Serious DJI Drones Flaws Could Crash Drones Mid-flight» (EN)
C-UAS Hub: «Security Vulnerabilities Found in DJI Drones» (EN)
Bitdefender: «Security Researchers Find Vulnerabilities that Could Crash DJI Drones and...» (EN)
HOMBURG1: «Sicherheitslücken in Drohnen des Herstellers DJI entdeckt» (DE)
infodron.es: «Alemania descubre vulnerabilidades de seguridad en los drones de DJI» (ES)
Forexdigital.net: «Vulnerabilidades de seguranca detectadas em drones fabricados pela dji» (PT)
Tom's Guide: «DJI drones have serious security flaws that can crash them and track your...» (EN)
DroneDJ: «DJI says it fixed drone firmware security flaws before publication of research...» (EN)
drones-magazin.de: «Deutsche Forscher entdecken Sicherheitslücken bei DJI-Drohnen» (DE)
FPV.bg: «Vulnerability in DJI drones reveals pilot information, German study reports» (EN)
DroneXL: «DJI drones have serious security flaws that can crash them and track your location» (EN)
DroneWatch: «DJI stilletjes gestopt met productie van dronedetectiesysteem AeroScope» (NL)
SPIEGEL: «Warum Ukrainer deutsche Drohnen-Hacker um Rat bitten» (DE)
INDIA TODAY: « How civilian drones are being used in Russia-Ukraine war» (EN)
derSTANDARD: «Russische Angriffe auf ukrainische Drohnenpiloten: DJI gesteht unsichere...» (DE)
Accidental Trigger
Ruhr University Bochum: «When Speech Assistants Listen Even Though They Shouldn't» (EN)
NDR: «Wenn der smarte Lautsprecher mit dem Tatort-Kommissar spricht» (DE)
Süddeutsche Zeitung: «Wenn Alexa aus Versehen lauscht» (DE)
STRG_F: «Sex, Streit, Arztgespräche: wie oft Smart Speaker heimlich mithören» (DE)
tagesschau.de: «Die lauschenden Lautsprecher» (DE)
Tagesthemen: «Sprachassistenten hören mit» (DE)
Ars Technica: «Uncovered: 1,000 phrases that incorrectly trigger Alexa, Siri, and Google...» (EN)
ZDF logo!: «Hat Siri schlechte Ohren?» (DE)
detektor.fm: «Alexa, spionierst du mich aus?» (DE)
Fast Company: «Tired of Saying 'Hey Google' and 'Alexa'? Change it Up with These...» (EN)
Mitteldeutsche Rundfunk: «Wann hören Sprachassistenten mit?» (DE)
The Times: «Not in Front of the Speaker! Words that Wake Up Alexa» (EN)
Voicebot.ai: «More Than 1,000 Phrases Will Accidentally Awaken Alexa, Siri, and Google...» (EN)
Hessischer Rundfunk: «Immer ganz Ohr – Lauschangriff der Sprachassistenten» (DE)
Max Planck Society: «Uninvited Listeners in Your Speakers» (EN)
Remote Chaos Experience: «Alexa, Who Else Is Listening?» (EN)
Tech Conversationalist: «Are You Accidentally 'Waking Up' Your Smart Devices?» (EN)
hackster.io: «Incorrect Alexa, Siri, Google Assistant, and Cortana Trigger Words Are...» (EN)
Sputnik International: «Alarming: Research Identifies Over 1,000 Phrases That Trick,...» (EN)
Mimikama: «Wenn Sprachassistenten zuhören, obwohl sie gar nicht sollen!» (DE)
Deep Fake Detection
Ruhr University Bochum: «Fake-Bilder anhand von Frequenzanalysen erkennen» (DE)
Homeland Security News Wire: «Using Frequency Analysis to Recognize Fake Images» (EN)
ElectronicsWeekly.com: «Frequency Analysis can Help Reveal Deep Fake Images» (EN)
Lab Manager: «Recognizing Fake Images Using Frequency Analysis» (EN)
SciTechDaily: «Which Face is Real? Using Frequency Analysis to Identify “Deep-Fake” Images» (EN)
Spektrum.de: «Mathematische Analyse soll alle Deep Fakes enttarnen» (DE)
VDI nachrichten: «Frequenzanalyse enttarnt Fake-Bilder» (DE)
INGENIEUR.de: «Social Media: Mit Frequenzanalysen Deep Fakes auf der Spur» (DE)
INDUSTRY OF THINGS: «Fake-Bilder anhand von Frequenzanalysen erkennen» (DE)
ZDF logo!: «Erkennt Greta Deep Fakes?» (DE)
Adversarially Robust Speech Recognition
RUBIN: «Wie Sprachassistenten unhörbare Befehle befolgen» (DE)
elektroniknet.de: «Angriffe auf Spracherkennungssoftware Kaldi» (DE)
Tech Xplore: «How Voice Assistants follow Inaudible Commands» (EN)
INGENIEUR.de: «Alexa, Siri und Co. – sicherer dank Training» (DE)
sg.hu: «Kivédhető a virtuális asszisztensek manipulálása» (HU)
Ruhr Unversity Bochum: «Die Forschungsreise „Möglichmacher“ legt Halt in Bochum ein» (DE)
WAZ: «IT-Sicherheit heißt: Immer einen Schritt voraus zu sein» (DE)