Lujo Bauer

Professor, Electrical and Computer Engineering, Carnegie Mellon University

  • Pittsburgh PA

Lujo Bauer's research examines many aspects of computer security and privacy.

Biography

Lujo Bauer is a Professor of Electrical and Computer Engineering, and of Computer Science, at Carnegie Mellon University. He received his B.S. in Computer Science from Yale University in 1997 and his Ph.D., also in Computer Science, from Princeton University in 2003. Dr. Bauer is a member of CyLab, Carnegie Mellon's computer security and privacy institute, and serves as the director of CyLab's Cyber Autonomy Research Center.

Dr. Bauer's research examines many aspects of computer security and privacy, including developing high-assurance access-control systems, building systems in which usability and security co-exist, and designing practical tools for identifying software vulnerabilities. Bauer and fellow CMU researchers Lujo Bau and Larry Pileggi are calling on the research and policy communities to develop more comprehensive and accurate grid evaluation frameworks and datasets, and to update threat models and grid resiliency requirements to match cyber attackers' realistic capabilities. His other recent work focuses on developing tools and guidance to help users stay safer online and on examining how advances in machine learning can (or might not) lead to a more secure future.

Dr. Bauer served as the program chair for the flagship computer security conferences of the IEEE (S&P 2015) and the Internet Society (NDSS 2014) and is an associate editor of ACM Transactions on Privacy and Security.

Areas of Expertise

IoT Security and Privacy
Network Security
Cybersecurity and Privacy
Internet of Things (IoT)
AI and ML for Security
System Security
Data/Network Science Systems
Cyberphysical Systems (CPS)

Media Appearances

Researchers develop adversarial training methods to improve machine learning-based malware detection software

CyLab  online

2023-09-13

"For some of the newest machine learning technologies, like generative AI, we don't fully understand how they can be attacked, so the first step is to figure out what the threat model looks like," said Lujo Bauer, professor in Carnegie Mellon’s Electrical and Computer Engineering

Q&A with Lujo Bauer on how the pandemic is affecting individuals' privacy and security

Tech Xplore  online

2020-04-17

Many Americans have been working remotely for over a month now in response to the COVID-19 pandemic, which has resulted in new paradigms in their own and their employers' cybersecurity and privacy. CyLab's Lujo Bauer, a professor in the department of Electrical and Computer Engineering and the Institute for Software Research, has been monitoring the situation.

Learning to Attack the Cyberattackers Can’t Happen Fast Enough

The New York Times  online

2018-11-14

Lujo Bauer, director of the university’s Cyber Autonomy Research Center, within CyLab, said his research showed that to avoid being hacked, a computer user’s passwords had not only to be complex, but long.

Industry Expertise

Computer/Network Security
Education/Learning

Education

Princeton University

Ph.D.

Computer Science

2003

Yale University

B.S.

Computer Science

1997

Affiliations

  • CyLab
  • Societal Computing

Articles

RS-Del: Edit distance robustness certificates for sequence classifiers via randomized deletion

Advances in Neural Information Processing Systems

2023

Randomized smoothing is a leading approach for constructing classifiers that are certifiably robust against adversarial examples. Existing work on randomized smoothing has focused on classifiers with continuous inputs, such as images, where -norm bounded adversaries are commonly studied. However, there has been limited work for classifiers with discrete or variable-size inputs, such as for source code, which require different threat models and smoothing mechanisms. In this work, we adapt randomized smoothing for discrete sequence classifiers to provide certified robustness against edit distance-bounded adversaries. Our proposed smoothing mechanism randomized deletion (RS-Del) applies random deletion edits, which are (perhaps surprisingly) sufficient to confer robustness against adversarial deletion, insertion and substitution edits.

Widespread Third-Party Tracking On Hospital Websites Poses Privacy Risks For Patients And Legal Liability For Hospitals

Health Affairs

2023

Computer code that transfers data to third parties (third-party tracking) is common across the web and is subject to few federal privacy regulations. We determined the presence of potentially privacy-compromising data transfers to third parties on a census of US nonfederal acute care hospital websites, and we used descriptive statistics and regression analyses to determine the hospital characteristics associated with a greater number of third-party data transfers. We found that third-party tracking is present on 98.6 percent of hospital websites, including transfers to large technology companies, social media companies, advertising firms, and data brokers. Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses. By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties. These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share. These practices may also lead to increased health-related advertising that targets patients, as well as to legal liability for hospitals.

Deceiving ML-Based Friend-or-Foe

Cyber Deception: Techniques, Strategies, and Human Aspects

2023

Deceiving an adversary who may, e.g., attempt to reconnoiter a system before launching an attack, typically involves changing the system's behavior such that it deceives the attacker while still permitting the system to perform its intended function. For example, if a system hosting a database is using deception to defend against attack, it may employ measures that cause the attacker to believe that the system is running a different version of a database or that it is running other services. At the same time, legitimate clients of the system should continue to be able to interact with the database.
