I am a Ph.D. candidate in Computer Science at the University of Waterloo, advised by Prof. Urs Hengartner. I conduct my research at the Cryptography, Security, and Privacy (CrySP) Lab, focusing on ML security and robustness. Before that, I earned my B.Sc. in Computer Engineering (Summa Cum Laude) from the Technion – Israel Institute of Technology, where I specialized in computer security and machine learning.

My research focuses on uncovering and mitigating vulnerabilities in machine learning systems, with a particular emphasis on adversarial attacks, secure authentication, and watermarking techniques. My recent work explores critical areas of AI security, including bypassing defensive watermarking (UnMarker), breaking diffusion-based purification methods (DiffBreak), and attacking security-critical voice authentication systems. Through this research, I aim to bridge the gap between theory and application in adversarial machine learning, developing robust, interpretable, and attack-resistant AI systems that can be safely deployed in real-world applications. I am currently working on enhancing the robustness of diffusion-based purification against adversarial examples via backdoors.

Beyond academia, I have worked at IBM Research and Pindrop Security, where I applied my expertise to cloud security, biometric authentication, and adversarial ML. I am always open to collaborations and discussions on AI security, so feel free to reach out via email!

CV, Google Scholar, LinkedIn

Publications

DiffBreak: Breaking Diffusion-Based Purification with Adaptive Attacks.

  • In Submission.
  • Andre Kassis, Urs Hengartner, Yaoliang Yu
  • Sole Student Author – Fully Led Research & Writing. Paper, Code
  • DiffBreak challenges diffusion-based purification (DBP), a widely regarded defense against adversarial attacks. Contrary to common belief, DiffBreak theoretically proves that gradient-based adaptive attacks on DBP do not merely aim to generate perturbations that survive purification—they actively repurpose it as an adversarial generator. Rather than neutralizing adversarial optimization, DBP shifts it from the classifier to the score model, leaving it highly vulnerable and invalidating its formal guarantees. This discovery prompts a reassessment of DBP’s robustness, showing its security stems from attack backpropagation flaws rather than actual resilience. DiffBreak introduces a reliable gradient library that reveals how adaptive attacks drastically degrade DBP’s effectiveness. It also proposes an adversarial optimization method that reduces DBP’s robustness to nearly 0%, even under the strictest threat models.

 

UnMarker: A Universal Attack on Defensive Image Watermarking.

  • 46th IEEE Symposium on Security and Privacy, 2025.
  • Andre Kassis and Urs Hengartner
  • Sole Student Author – Fully Led Research & Writing. Paper, Code
  • UnMarker is a universal attack that effectively bypasses defensive image watermarking techniques, exposing their fundamental weaknesses. In this work, we demonstrate how adaptive spectral adversarial perturbations can remove or distort embedded watermarks without compromising image quality, rendering watermarking-based security measures ineffective. UnMarker systematically evaluates a wide range of watermarking schemes, including traditional and deep learning-based approaches, revealing their susceptibility to carefully crafted attacks and driving their robustness below 50%.

 

Breaking Security-Critical Voice Authentication.

  • 44th IEEE Symposium on Security and Privacy, 2023.
  • Andre Kassis and Urs Hengartner
  • Sole Student Author – Fully Led Research & Writing. Paper, Code
  • Media Coverage: ACM TechNews, The Register, PCMag, RISK Digest, The Record
  • This paper presents the first practical attack on voice authentication (VA) used in security-critical applications like banking and secure access control. We demonstrate that attackers can generate and adversarially optimize fake audio samples to universally bypass VA systems. Our results show that attackers achieve up to 99% success in just six attempts, exposing severe vulnerabilities in real-world biometric authentication and challenging its reliability.

 

Practical attacks on voice spoofing countermeasures.

 

Estimating client QoE from measured network QoS.

  • Proceedings of the 12th ACM International Conference on Systems and Storage, 2019.
  • Kenneth Nagin, Andre Kassis, Dean Lorenz, Katherine Barabash, Eran Raichstein
  • Paper

 

Deep ahead-of-threat virtual patching.

  • Information and Operational Technology Security Systems: First International Workshop, IOSec 2018, CIPSEC Project.
  • Fady Copty, Andre Kassis, Sharon Keidar-Barner and Dov Murik
  • Paper