Vasilios Mavroudis

I am a Principal Research Scientist and co-lead of the AI for Cyber Defence (AICD) Research Centre at the Alan Turing Institute. My work sits at the intersection of systems security and machine learning, with a focus on scalable methods for autonomous network defence and rigorous evaluation of AI cyber capabilities.

I lead national-scale efforts in modelling and mitigating AI-driven cyber threats, including the AI Cyber Risk Benchmark and the International AI Safety Report (2024–25), where I contributed the section on offensive capabilities. My research is embedded in both academic and policy spheres, shaping AI security standards at the EU AI Office, informing UK Parliament's resilience strategy for critical infrastructure, and steering the Turing's OpenAI early access safety testing.

My academic record spans top-tier venues. Some examples of my work include NeurIPS, ACM CCS, PETS and NDSS, while my applied work has been featured at Black Hat, Defcon, and CCC. I also serve as Area Editor (AI Security) for the Journal of Cybersecurity, and on the programme committees for several conference such as ICML, NeurIPS, KDD, RAID, AutoCyber etc.

Beyond core research, I have advanced the fields of hardware trojan detection, encrypted traffic analysis, and fair exchange protocols. My work on ultrasound tracking is now considered foundational, and tools I co-developed such as the JCMathLib library that remains the only open-source cryptographic library for smartcards.

If you are a researcher or practitioner working on adversarial AI, critical infrastructure security, or scalable defences for emerging threats, feel free to reach out.

Vasilios Mavroudis

vmavroudis at turing.ac.uk
Defence and Security programme
Alan Turing Institute
96 Euston Rd
London NW1 2DB
United Kingdom

Recent News

June 2025: Our paper on Exploration in Model-Based Reinforcement Learning has been accepted at TMLR. Link to follow! May 2025: We have publicly announced how we use AI to defend critical national infrastructure. A paradigm shift in CNI threat detection and analysis. April 2025: Presented our work at the Network of Evaluators Workshop hosted at the EU AI Office.[link] March 2025: Our work on autonomous cyberdefence has been accepted at ACM Computing Surveys. February 2025: I participated in the "AI Fundamentals - AI 101" panel at the UK Cabinet Office. February 2025: Contributed to the report on "Agentic AI – Threats and Mitigations" by OWASP. link January 2025: The AI Safety Report with Yoshua Bengio is out! I contributed the cyber offence section. link January 2025: The "humanity's last exam" manuscript is out! I contributed security-related tasks. link May 2024: I gave evidence in Select Committee Science Technology Cyber resilience of critical national infrastructure in the UK parliament link

Went on five-year hiatus on updates! Here is some time travel: December 2019: Our paper on fast decentralized on-chain payments was accepted at NDSS 2020 and is a finalist for the Spark Award! August 2019: Our paper on neural net-based side-channel attacks was accepted at IACR Asiacrypt 2019! July 2019: Our paper with Refinitiv will appear at the ACM conference on Advances in Financial technologies! June 2019: I was awarded one of the three Oasis Labs' fellowships for 2019-2020! May 2019: Tradescope: Our project on market manipulation is live! Feb 2019: I will attend the 3rd AI Safety Camp to work on Intelligent Agent side-effects and ML Robustness! Feb 2019: Stream of works on "Market manipulation as a security problem" accepted on Eurosec 2019 and the 27th Workshop on Security Protocols! Jan 2019: My interview at the Heidelberg Laureate Forum is now online! [Link] Jan 2019: I am a fellow in the ConceptionX commercialization and entrepreneurship program! Jan 2019: I completed a 5-course Deep Learning Specialization on Coursera! [Link] [1, 2, 3, 4, 5] Oct 2018: Our paper ''High-Assurance Cryptographic Hardware from Untrusted Components'' is a finalist for the CSAW Europe Applied Research Award. [Link] Oct 2018: I'm quoted in ''Wired'' about our work on hardware trojans. [Link] Sep 2018: My interview on Süddeutsche Zeitung is online. [Link] Sep 2018: I am listed in the 10 out of 200 young scientists by Heidelberg Laureate Forum! [Link] Sep 2018: Our article on Javacard was published at Hackernoon! [Link] Aug 2018: Our "Cryptogame" session proposal has been accepted in Mozfest 2108. [Link] Aug 2018: Our "Cryptogame" project has been funded by the public engagement unit at UCL. [Link] July 2018: Received the Werner Romberg grant to attend the Heidelberg Laureate Forum! [Link] Jul 2018: Our write up on the JavaCard ecosystem was published by the Software Sustainability Institute and the Benthem's Gaze blog. [Link 1] [Link 2] Jun 2018: Thrilled to serve as a publications co-chair for the Privacy Enhancing Technologies symposium 2019. [Link] May 2018: Our preprint on verifiable data access is out. [Link] May 2018: Started my research visit at the systems security group in ETHz. [Link] Apr 2018: Cyber World Magazine features my article on the future of hardware-trojans and the security of chips in critical systems. [Link] Apr 2018: Presented our work on ultrasonic signals at Stanford security seminar. [Link] Apr 2018: More press coverage for our work on ultrasonic signals. [Link] Apr 2018: Presented with Giovanni Vigna (UCSB, Lastline) our work on the security of ultrasonic communications at RSA Conference. [Link] Mar 2018: Our preprint on tracking technologies found in the retail spaces is out. [Link] Feb 2018: Completed our cryptography masterclass for year-11 students. [Link]

Selected Projects

stampr-ai: Blackbox Signature Tracking for AI Models

stampr-ai is a lightweight tool that fingerprints the behavior of blackbox AI models and tracks them over time. It combines automated signature extraction with change detection to verify the identity and consistency of foundation models—without needing internal access. The system offers both a Python package for local verification and a web interface that visualizes signature drift across providers (e.g., OpenAI, open-weight models). stampr_ai enables reproducible experiments, ensures auditing integrity, and flags covert updates by vendors that may affect alignment, safety, or performance.

The tool is in public alpha. Install via:

pip install stampr-ai --pre

[Website]

International AI Safety Report (2025) with Yoshua Bengio - Section 2.1.3: Cyber Offence

As the principal author of the Cyber Offence section of the 2025 International AI Safety Report (UK Government), I led the analysis and drafting of a comprehensive investigation into the offensive capabilities of general-purpose AI systems. This contribution, released during the AI Safety Summit in Paris and co-authored with Yoshua Bengio, outlines the current state of AI-accelerated cyber threats—including malware generation, automated vulnerability discovery, and collaborative agent-based exploitation chains. The report dissects the offensive attack lifecycle, mapping AI's strengths and weaknesses across reconnaissance, vulnerability exploitation, and evasive action. It evaluates both state and non-state actor use cases, quantifies dual-use risks, and identifies evidence gaps in current benchmarks such as CTFs. Key contributions include differentiating AI's effectiveness in system-level hacking versus code-level exploitation and highlighting the asymmetric challenge defenders face due to attacker control over concealment strategies. This work helps inform national and international cyber policy by clarifying the technical boundaries of present-day capabilities and projecting risk trajectories, particularly in high-stakes domains such as critical infrastructure protection.

[Report][Arxiv]

Smoke and Mirrors: Deceptive AI Environments for OT Malware Analysis

Modern industrial malware targets critical infrastructure with bespoke payloads that evade traditional defences. Smoke and Mirrors flips the script: rather than simulating specific OT hardware, we use adaptive AI responders to create dynamic, protocol-conformant environments that convincingly mimic industrial devices. These synthetic networks trap malware into revealing its full behaviour—payloads, C2 communication, and intent—without ever touching physical infrastructure. Our system uses lightweight network proxies and layered AI models to respond in real time to malware probing for undocumented or obscure protocols (e.g., Modbus, S7). By shifting the burden from human analysts to AI-enabled deception environments, we reduce the cost and expertise needed to analyse new threats and allow rapid, large-scale triage of suspected malware targeting OT systems. This work is developed by the Fata Morgana team under the Defence & National Security Grand Challenge at the Alan Turing Institute.

[Regular Technical Snapshots]

Encrypted Traffic Classification using High-dimensional Embeddings

This project studies the resilience of encrypted-communications schemes against adversaries that intent to breach the privacy of individual users. To evaluate widely-used schemes, we employ deep neural network models so as to map encrypted traffic traces into high-dimensional representations (see figure on the left). This enables us to generate a database of labeled traces that can then be used to classify unlabeled samples based on their proximity. Our results show that communication patterns suffice to reconstruct user activity with high accuracy and thus widely-deployed encrypted-communications systems offer weaker privacy guarantees than previously thought. This paper and the corresponding defence tools are currently under submission.

[Paper]

Information Leakage Classification with Deep Neural Networks

Near-field microprobes have the capability to isolate small regions of a chip surface and enable precise measurements with high spatial resolution. Being able to distinguish the activity of small regions has given rise to attacks that exploit the spatial dependencies of cryptographic algorithms in order to recover the secret key. This project introduces a set of techniques that allow security researchers to evaluate the leakage properties of any chip. We show that deep neural network models outperform previously proposed methods (e.g., difference of means, multivariate templates), especially in the context of single-shot classification and small memory regions. We validate the practicality of our proposed models by classifying the leakages from the SRAM of a modern ARM Cortex-M4 chip. Our results show that we were able to always distinguish the activity between 2 SRAM regions of 128 bytes each, while for 256 SRAM single-byte regions we achieve 32% accuracy.

[Paper]

MultiBallot: A Scheme for Privacy-preserving, Verifiable Statistics

Processing sensitive data for scientific purposes has the potential to bring substantial benefits both to individuals and society, however, it also requires strong guarantees that the data will not be used inappropriately. This project attempts to address some of the open challenges in the area: 1) effective ways to hold data processors accountable, 2) preserving the privacy of individuals and 3) protect the integrity of their data. For this purpose, we introduce MultiBallot, a privacy-preserving scheme that allows organizations to publish statistics derived from sensitive user data without breaching the privacy of the individual data subjects. Our scheme is based on ThreeBallot, a paper-voting design that allows voters to verify both the result of the elections (univariate operation) and that their individual vote was counted towards it. Our work extends this scheme and enables users to compute multivariate statistics on the published data. Moreover, MultiBallot can provide strong data integrity guarantees and public verifiability, when combined with a high-integrity data structure (e.g., a blockchain). These additional features make MultiBallot applicable in a wide range of data-processing scenarios such as healthcare statistics and communication records.

[Paper]

Leakage-Resilient Protocols for Cryptographic Operations

Cryptographic devices used in critical applications operate under the assumption that hardware components remain always compliant with their specifications. Consequently, components that contain intentional or unintentional errors (e.g., bugs, hardware trojans, backdoors) cannot reliably maintain any of their security properties. In this work, we relax this strict correctness requirement and demonstrate how trusted, high-assurance hardware can be built from untrusted and potentially malicious components. We employ more than a hundred COTS secure cryptocoprocessors, verified to FIPS140-2 Level 4 tamper-resistance standards, and use them to realize high-confidentiality random number generation, key derivation, public key decryption and signing. Our experiments show a reasonable computational overhead (less than 1% for both Decryption and Signing) and an exponential increase in backdoor-tolerance as more ICs are added.

[Paper] [Code]

Publications

Peer-reviewed & Preprints

Towards the Deployment of Realistic Autonomous Cyber Network Defence: A Systematic Review
Sanyam Vyas, Andrew Bolton, Vasilios Mavroudis, Peter Burnap, ACM Computing Surveys, 2025

International AI Safety Report
Yoshua Bengio et al., arXiv preprint arXiv:2501.17805, 2025

Humanity's Last Exam
Center for AI Safety, 2025

On Efficient Bayesian Exploration in Model-Based Reinforcement Learning
Alberto Caron, Vasilios Mavroudis, Chris Hicks, Transactions on Machine Learning Research, 2025

Deep Backdoors in Deep Reinforcement Learning Agents
Vasilios Mavroudis, Jamie Gawith, Sañyam Vyas, Chris Hicks, BlackHat US, 2024

SoK: Automated Vulnerability Detection
Shereen E., Dan Ristea, Sanyam Vyas, Sean McFadden, Martin Dwyer, Chris Hicks, Vasilios Mavroudis, 2024

AI Cyber Risk Benchmark: Automated Exploitation Capabilities
Dan Ristea, Vasilios Mavroudis, Chris Hicks, 2024

CybORG++: An Enhanced Gym for the Development of Autonomous Cyber Agents [Repository]
Harry Emerson, Lewis Bates, Chris Hicks, Vasilios Mavroudis, 2024

Online Convex Optimisation: The Optimal Switching Regret for all Segmentations Simultaneously [PDF]
Stephen Pasteris, Chris Hicks, Vasilios Mavroudis, Mark Herbster, NeurIPS, 2024 [Spotlight]

Entity-based Reinforcement Learning for Autonomous Cyber Defence
Isaac Thompson, Alberto Caron, Chris Hicks, Vasilios Mavroudis, Workshop on Autonomous Cybersecurity (AutonomousCyber), 2024

Environment Complexity and Nash Equilibria in a Sequential Social Dilemma
Mohammed Yasir, Andrew Howes, Vasilios Mavroudis, Chris Hicks, 17th European Workshop on Reinforcement Learning (EWRL), 2024

Autonomous Cyber Defence: Beyond Games?
Chris Hicks, Vasilios Mavroudis, Turing Report, 2024

International Scientific Report on the Safety of Advanced AI [PDF]
Yoshua Bengio, Davide Privitera, Tolga Besiroglu, Rishi Bommasani, Steven Casper, Yejin Choi, David Goldfarb, Homa Heidari, Laleh Khalatbari, Vasilios Mavroudis, Samuel Longpre, Interim Report, 2024

A View on Out-of-Distribution Identification from a Statistical Testing Theory Perspective
Alberto Caron, Chris Hicks, Vasilios Mavroudis, arXiv, 2024

Fusion Encoder Networks
Stephen Pasteris, Chris Hicks, Vasilios Mavroudis, arXiv, 2024

Mitigating Deep Reinforcement Learning Backdoors in the Neural Activation Space [PDF]
Sanyam Vyas, Chris Hicks, Vasilios Mavroudis, Deep Learning Security and Privacy Workshop (DLSP), 2024

Deep Reinforcement Learning for Denial-of-Query Discovery in GraphQL
Sean McFadden, Matteo Maugeri, Chris Hicks, Vasilios Mavroudis, Federico Pierazzi, Deep Learning Security and Privacy Workshop (DLSP), 2024

Nearest Neighbour with Bandit Feedback
Stephen Pasteris, Chris Hicks, Vasilios Mavroudis, NeurIPS, 2023

Adaptive Webpage Fingerprinting from TLS Traces
Vasilios Mavroudis, Jamie Hayes, IEEE/IFIP DSN, 2023

Reward Shaping for Happier Autonomous Cyber Security Agents
Ellie Bates, Vasilios Mavroudis, Chris Hicks, ACM AISec, 2023

Canaries and Whistles: Resilient Drone Communication Networks with (or without) Deep Reinforcement Learning
Chris Hicks, Vasilios Mavroudis, Myles Foley, Tom Davies, Karen Highnam, Thomas Watson, ACM AISec, 2023

Autonomous Network Defence Using Reinforcement Learning
Myles Foley, Chris Hicks, Karen Highnam, Vasilios Mavroudis, AsiaCCS, 2022

Inroads into Autonomous Network Defence using Explained Reinforcement Learning [PDF]
Myles Foley, Minyi Wang, Chris Hicks, Vasilios Mavroudis, CAMLIS, 2022

SIMple ID: QR Codes for Authentication Using Basic Mobile Phones in Developing Countries [PDF]
Chris Hicks, Vasilios Mavroudis, Jon Crowcroft, STM, 2022

An Interface Between Legacy and Modern Mobile Devices for Digital Identity [PDF]
Vasilios Mavroudis, Chris Hicks, Jon Crowcroft, ETAA, 2021

JCMathLib: Wrapper Cryptographic Library for Transparent and Certifiable JavaCard Applets [PDF]
Vasilios Mavroudis, Petr Svenda, IEEE EuroS&PW, 2020

Snappy: Fast Blockchain Payments [PDF]
Vasilios Mavroudis, Kevin Wuest, Aditi Dhar, Kari Kostiainen, Srdjan Capkun, NDSS, 2020

Location, Location, Location: Revisiting Modeling and Exploitation for Location-Based Side Channel Leakages [PDF]
Christoforos Andrikos, Lejla Batina, Lukasz Chmielewski, Lilian Lerman, Vasilios Mavroudis, Konstantinos Papagiannopoulos, Gilles Perin, George Rassias, Andrea Sonnino, AsiaCrypt, 2019

Libra: Fair Order-Matching for Electronic Financial Exchanges [PDF]
Vasilios Mavroudis, Henry Melton, AFT, 2019

Bounded Temporal Fairness for FIFO Financial Markets [PDF]
Vasilios Mavroudis, SPW, 2019

Market Manipulation as a Security Problem: Attacks and Defenses [PDF]
Vasilios Mavroudis, EuroSec, 2019

Towards Low-level Cryptographic Primitives for JavaCards
Vasilios Mavroudis, Petr Svenda, 2018

VAMS: Verifiable Auditing of Access to Confidential Data
Alex Hicks, Vasilios Mavroudis, Mustafa Al-Bassam, Sarah Meiklejohn, Steven Murdoch, 2018

Eavesdropping Whilst You’re Shopping: Balancing Personalisation and Privacy in Connected Retail Spaces [PDF]
Vasilios Mavroudis, Michael Veale (Equal Contribution), PETRAS/IoTUK/IET Living in the IoT Conference, 2018

A Touch of Evil: High-Assurance Cryptographic Hardware from Untrusted Components [PDF, ArXiv]
Vasilios Mavroudis, Andrea Cerulli, Petr Svenda, Daniel Cvrcek, Daniel Klinec, George Danezis, ACM CCS, 2017
CSAW 2018 Applied Research Competition Finalist

On the Privacy and Security of the Ultrasound Tracking Ecosystem [PDF]
Vasilios Mavroudis, Shuai Hao, Yanick Fratantonio, Fabio Maggi, Christopher Kruegel, Giovanni Vigna, PoPETs, 2017

Visual Analytics for Enhancing Supervised Attack Attribution in Mobile Networks [PDF]
Sotiris Papadopoulos, Vasilios Mavroudis, Alexandra Drosou, Dimitrios Tzovaras, ISCIS, 2014

Technical Reports

LangChain v0.3
Vasilios Mavroudis, Preprints, https://doi.org/10.20944/preprints202411.0566.v1, November 2024

The Ultrasound Tracking Ecosystem.
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Giovanni Vigna, and Christopher Kruegel. November 2016

Correlation Analysis and Abnormal Event Detection Module.
EU FP7 Project: Enhanced Network Security for Seamless Provisioning in the Smart Mobile Ecosystem

Anomaly detection based on real-time exploitation of billing systems.
EU FP7 Project: Enhanced Network Security for Seamless Provisioning in the Smart Mobile Ecosystem

Anomaly detection within femtocell architectures.
EU FP7 Project: Enhanced Network Security for Seamless Provisioning in the Smart Mobile Ecosystem

Network information sources.
EU FP7 Project: Enhanced Network Security for Seamless Provisioning in the Smart Mobile Ecosystem

Theses

Crux: Privacy-preserving Statistics for Tor [PDF], Information Security Group, University College London, UK, 2015.
Supervisor: George Danezis

Cassiopeia: Real-time mobile security monitoring system, Dept. of Applied Informatics, University of Macedonia, Greece, 2012.
Supervisor: Ioannis Mavridis

Talks

This has not been updated in a while but I'm slowly adding some later ones :) Trustworthy Digital Identity, Carnegie Mellon University, November 24, 2021. [Link] Libra: Fair Order-Matching for Electronic Financial Exchanges., Juels Group Research Meeting, Online/Cornell University, New York, US, 29 October 2019. [Link] Cryptographic Hardware from Untrusted Components, RISE Annual Conference, London, UK, 14 November 2018. [Link] A touch of Evil: Cryptographic Hardware from Untrusted Components (poster), CSAW 2018, Valence, France, 9 November 2018. Cryptogame: Pirates & Guardians of the Galaxy, London, UK, 27 October 2018. [Link] High-Assurance Cryptographic Hardware from Untrusted Components. Stanford Security Seminar, Palo Alto, US, 19 April 2018. [Link] The Good, the Bad and the Ugly of the Ultrasonic Communications Ecosystem. RSA Conference 2018, San Fransisco US, 17 April 2018. [Link] A witch-hunt for trojans in our chips. London Enterprise Tech Meetup, London, UK, 12 February 2018. [Link] Cryptographic Hardware from Untrusted Components. Cryptacus Workshop, Nijmegen, Netherlands, 16-18 November 2017. [Link] Cryptographic Hardware from Untrusted Components. IMDEA Software Inst., Madrid, Spain, 28 Sept 2017. [Link] Towards Trojan-tolerant Cryptographic Hardware. ZISC Seminar ETH, Zurich, Switzerland, 20 Sept 2017. [Link] OpenCrypto: Unchaining the JavaCard Ecosystem. Blackhat US, Las Vegas, US, 22-27 July 2017. [Link] Trojan-tolerant Hardware & Supply Chain Security in Practice. Defcon 25, Las Vegas, US, 27-30 July 2017. [Link] On the Privacy & Security of the Ultrasound Tracking Ecosystem. Computer Laboratory Security Seminar, Cambridge, UK, 21 February 2017. [Link] Talking Behind Your Back: On the Privacy & Security of the Ultrasound Tracking Ecosystem. Mozilla International Privacy Day, London, UK, 28 Jan 2017. [Link] Talking Behind Your Back: On the Privacy & Security of the Ultrasound Ecosystem. Information Security Seminar, UCL, London, UK, 19 January 2017. [Link] Talking Behind Your Back: Tough Love for the Ugly Ultrasound Tracking Ecosystem. Chaos Communication Congress, Hamburg, Germany, 27-30 Dec. 2016. [Link] Cross-device Tracking Canaries. Data Transparency Lab Conference 2016, New York, US, 17-19 Nov 2017. [Link] Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-device Tracking. Blackhat Europe, London, UK, 3–4 November 2016. [Link][Slides]

Vasilios Mavroudis

Recent News

Selected Projects

Publications

Peer-reviewed & Preprints

Technical Reports

Theses

Media

Talks

Academic Service & Teaching