Lea Schönherr

Faculty · CISPA Helmholtz Center for Information Security


I have been tenure-track faculty at CISPA Helmholtz Center for Information Security since 2022. I received my PhD in 2021 from Ruhr University Bochum, Germany, in the DFG Cluster of Excellence "Cyber Security in the Age of Large-Scale Adversaries" (CASA). My research interests lie in the area of system-level adversarial machine learning and trustworthy generative AI. After my PhD I was a visiting researcher at the University of California, Berkeley, and the University of Chicago.

In my research group Dormant Neurons we work on the security of AI systems, spanning LLMs and agentic pipelines, speech and audio models, synthetic media and deepfake detection, and the human factors involved in AI-driven threats. We also critically examine how AI security research itself is conducted. Our research covers both attacks and defenses, with the goal of building AI that is secure, safe, and fair.

Research

Building secure, safe, and fair AI that people can trust.

LLM & Agentic Systems Security

As large language models are deployed in real-world pipelines they introduce novel attack surfaces. Our work addresses these from multiple angles: designing defenses against prompt injection attacks (Prompt Obfuscation), analysing hidden intentions in LLMs (Unknown Unknowns), and studying how LLMs can both be exploited for and applied to code analysis and deobfuscation (Code Deobfuscation, CodeLMSec).

Preventing Misuse of Synthetic Media

AI-generated content, whether images or audio, is increasingly indistinguishable from authentic media, enabling misinformation, fraud, and manipulation at scale. Our research works toward preventing this misuse: developing detectors for synthetic audio (WaveFake) and GAN-generated images (frequency analysis), studying how these detectors hold up under adversarial pressure in realistic conditions (Adversarial Robustness of Image Detectors), and examining how content labeling and warnings affect human trust and detection behavior (AI Image Labeling).

Human-Centered AI System Security

Many AI security threats succeed not through technical exploits but by targeting or involving human judgment. Our research examines these human dimensions from several angles: how people detect AI-generated media across countries (Human Detection Study), how content labeling affects trust and detection behavior (Labeling AI-Generated Images), and how everyday voice interfaces can be accidentally triggered by ambient audio (Accidental Triggers).

Meta Security Science

Beyond individual attacks and defenses, some of our work questions how security research itself is conducted. One thread systematically examines nine methodological pitfalls in LLM security research, including data leakage, model ambiguity, prompt sensitivity, context truncation, and the surrogate fallacy, finding that every reviewed paper contains at least one (Chasing Shadows). Another draws on a community-scale red-teaming competition to analyze what current LLM security benchmarks can and cannot tell us (SaTML CTF).

Attacks & Defenses

Security research requires grounding in both offense and defense. On the offensive side, our work studies adversarial attacks on speech recognition via psychoacoustic hiding (Psychoacoustic Hiding) and robust over-the-air perturbations (Imperio), adversarial attacks on deepfake detectors (Adversarial Robustness), and eliciting security vulnerabilities from code language models (CodeLMSec). On the defensive side: perceptually constrained defenses for audio adversarial examples (Dompteur) and prompt obfuscation against injection attacks (Prompt Obfuscation).

Speech & Audio Security

Voice interfaces are a recurrent focus of our research. Early work established core attack methods: adversarial examples via psychoacoustic hiding (Psychoacoustic Hiding), robust over-the-air perturbations (Imperio), and clean-label poisoning of speech recognition models (VENOMAVE). On the defensive side: perceptually constrained defenses (Dompteur) and privacy-preserving wake-word designs. More recently, this work extends to audio deepfake detection (WaveFake) and evaluating the fairness, safety, and security of audio language models (Audio LM Evaluation).

Publications

2026

Jonathan Evertz, Niklas Risse, Nicolai Neuer, Andreas Müller, Philipp Normann, Gaetano Sapia, Srishti Gupta, David Pape, Soumya Shaw, Devansh Srivastav, Christian Wressnegger, Erwin Quiring, Thorsten Eisenhofer, Daniel Arp, Lea Schönherr
Chasing Shadows: Pitfalls in LLM Security Research
Shir Bernstein, David Beste, Daniel Ayzenshteyn, Lea Schönherr, Yisroel Mirsky
Trust Me, I Know This Function: Hijacking LLM Static Analysis using Bias
Sandra Höltervennhoff, Jonas Ricker, Maike M Raphael, Charlotte Schwedes, Rebecca Weil, Asja Fischer, Thorsten Holz, Lea Schönherr, Sascha Fahl
Security Benefits and Side Effects of Labeling AI-Generated Images
Rostislav Makarov, Lea Schönherr, Timo Gerkmann
Are Modern Speech Enhancement Systems Vulnerable to Adversarial Attacks?
ICASSP
Sina Mavali, Jonas Ricker, David Pape, Asja Fischer, Lea Schönherr
Adversarial Robustness of AI-Generated Image Detectors in the Real World
Jonathan Evertz, Merlin Chlosta, Lea Schönherr, Thorsten Eisenhofer
Whispers in the Machine: Confidentiality in LLM-integrated Systems
Ranya Aloufi, Srishti Gupta, Soumya Shaw, Battista Biggio, Lea Schönherr
Evaluation of Audio Language Models for Fairness, Safety, and Security
Samira Abedini, Sina Mavali, Lea Schönherr, Martin Pawelczyk, Rebekka Burkholz
Don't Trust Stubborn Neighbors: A Security Framework for Agentic Networks
Devansh Srivastav, David Pape, Lea Schönherr
Unknown Unknowns: Why Hidden Intentions in LLMs Evade Detection

2025

David Pape, Sina Mavali, Thorsten Eisenhofer, Lea Schönherr
Prompt Obfuscation for Large Language Models
USENIX Sec.
Srishti Gupta, Daniele Angioni, Maura Pintor, Ambra Demontis, Lea Schönherr, Fabio Roli, Battista Biggio
Buffer-free Class-Incremental Learning with Out-of-Distribution Detection
Pattern Recognit.
João Borges S. Carvalho, Víctor Jiménez Rodríguez, Alessandro Torcinovich, Antonio E Cinà, Carlos Cotrini, Lea Schönherr, Joachim M Buhmann
Rethinking Robustness in Machine Learning: A Posterior Agreement Approach
Luca Olivieri, David Beste, Luca Negrini, Lea Schönherr, Antonio Emanuele Cina, Pietro Ferrara
Code Generation of Smart Contracts with LLMs: A Case Study on Hyperledger Fabric
David Beste, Grégoire Menguy, Hossein Hajipour, Mario Fritz, Antonio Emanuele Cinà, Sébastien Bardin, Thorsten Holz, Thorsten Eisenhofer, Lea Schönherr
Exploring the Potential of LLMs for Code Deobfuscation
Antonio Emanuele Cinà, Francesco Villani, Maura Pintor, Lea Schönherr, Battista Biggio, Marcello Pelillo
σ-Zero: Gradient-based Optimization of l₀-norm Adversarial Examples

2024

Edoardo Debenedetti, Javier Rando, Daniel Paleka, et al., Lea Schönherr
Dataset and Lessons Learned from the 2024 SaTML LLM Capture-the-Flag Competition
NeurIPS
Sahar Abdelnabi, Amr Gomaa, Sarath Sivaprasad, Lea Schönherr, Mario Fritz
Cooperation, Competition, and Maliciousness: LLM-Stakeholders Interactive Negotiation
NeurIPS
Bhupendra Acharya, Dario Lazzaro, Efrén López-Morales, Adam Oest, Muhammad Saad, Antonio Emanuele Cinà, Lea Schönherr, Thorsten Holz
The Imitation Game: Exploring Brand Impersonation Attacks on Social Media Platforms
USENIX Sec.
Joel Frank, Franziska Herbert, Jonas Ricker, Lea Schönherr, Thorsten Eisenhofer, Asja Fischer, Markus Dürmuth, Thorsten Holz
A Representative Study on Human Detection of Artificially Generated Media Across Countries
IEEE S&P
Bhupendra Acharya, Muhammad Saad, Antonio Emanuele Cinà, Lea Schönherr, Hoang Dai Nguyen, Adam Oest, Phani Vadrevu, Thorsten Holz
Conning the Crypto Conman: End-to-End Analysis of Cryptocurrency-based Technical Support Scams
IEEE S&P
Hossein Hajipour, Keno Hassler, Thorsten Holz, Lea Schönherr, Mario Fritz
CodeLMSec Benchmark: Systematically Evaluating and Finding Security Vulnerabilities in Black-Box Code Language Models
IEEE SaTML
Gianluca De Stefano, Lea Schönherr, Giancarlo Pellegrino
RAG and Roll: An End-to-End Evaluation of Indirect Prompt Manipulations in LLM-based Application Frameworks
Hossein Hajipour, Lea Schönherr, Thorsten Holz, Mario Fritz
HexaCoder: Secure Code Generation via Oracle-Guided Synthetic Training Data

2023

David Pape, Sina Däubener, Thorsten Eisenhofer, Antonio Emanuele Cinà, Lea Schönherr
On the Limitations of Model Stealing with Uncertainty Quantification Models
Nico Schiller, Merlin Chlosta, Moritz Schloegel, Nils Bars, Thorsten Eisenhofer, Tobias Scharnowski, Felix Domke, Lea Schönherr, Thorsten Holz
Drone Security and the Mysterious Case of DJI's DroneID
Hojjat Aghakhani, Thorsten Eisenhofer, Lea Schönherr, Dorothea Kolossa, Thorsten Holz, Christopher Kruegel, Giovanni Vigna
VENOMAVE: Clean-Label Poisoning Against Speech Recognition
IEEE SaTML

2022

Timm Koppelmann, Luca Becker, Alexandru Nelus, Rene Glitza, Lea Schönherr, Rainer Martin
Clustering-based Wake Word Detection in Privacy-aware Acoustic Sensor Networks
INTERSPEECH
Lea Schönherr, Maximilian Golla, Thorsten Eisenhofer, Jan Wiele, Dorothea Kolossa, Thorsten Holz
Exploring Accidental Triggers of Smart Speakers
Comp. Speech Lang.

2021

Joel Frank, Lea Schönherr
WaveFake: A Data Set to Facilitate Audio DeepFake Detection
Thorsten Eisenhofer, Lea Schönherr, Joel Frank, Lars Speckemeier, Dorothea Kolossa, Thorsten Holz
Dompteur: Taming Audio Adversarial Examples
Timm Koppelmann, Alexandru Nelus, Lea Schönherr, Dorothea Kolossa, Rainer Martin
Privacy-Preserving Feature Extraction for Cloud-Based Wake Word Verification
INTERSPEECH

2020

Joel Frank, Thorsten Eisenhofer, Lea Schönherr, Asja Fischer, Dorothea Kolossa, Thorsten Holz
Leveraging Frequency Analysis for Deep Fake Image Recognition
Lea Schönherr, Thorsten Eisenhofer, Steffen Zeiler, Thorsten Holz, Dorothea Kolossa
Imperio: Robust Over-the-Air Adversarial Examples for Automatic Speech Recognition Systems
Sina Däubener, Lea Schönherr, Asja Fischer, Dorothea Kolossa
Detecting Adversarial Examples for Speech Recognition via Uncertainty Quantification
INTERSPEECH

2019

Lea Schönherr, Katharina Kohls, Steffen Zeiler, Thorsten Holz, Dorothea Kolossa
Adversarial Attacks Against Automatic Speech Recognition Systems via Psychoacoustic Hiding

Talks

2026
UCT-CISPA Summer School 2026
"Can We Trust Generative AI? Understanding and Mitigating Security Threats in Today's Machine Learning Systems"
UCT-CISPA Summer School — Cape Town, South Africa
Generative AI is becoming more integrated into our daily lives, raising questions about potential threats. This talk examines security challenges including deception of humans with generated media, exploits of LLMs to bypass content filters or leak sensitive information, and methods to protect intellectual property through prompt obfuscation.
2025
Summer School Vienna 2025
"Can We Trust Generative AI? Understanding and Mitigating Security Threats in Today's Machine Learning Systems"
Summer School on AI and Cybersecurity — Vienna, Austria
An invited lecture surveying the security landscape of modern generative AI—from adversarial manipulation of speech and image models to misuse of LLMs for bypassing content filters or leaking private information. Covers both the threat surface and emerging defenses including prompt obfuscation and synthetic media detection.
2025
SERICS Summer School Cagliari 2025
"Can We Trust Generative AI? Understanding and Mitigating Security Threats in Today's Machine Learning Systems"
SERICS Summer School — Cagliari, Italy
An invited lecture surveying the security landscape of modern generative AI—from adversarial manipulation of speech and image models to misuse of LLMs for bypassing content filters or leaking private information. Covers both the threat surface and emerging defenses including prompt obfuscation and synthetic media detection.
2024
AISec @ ACM CCS 2024
"Challenges and Threats in Generative AI: Misuse and Exploits" Keynote
AISec @ ACM CCS 2024
Keynote surveying the expanding threat landscape of generative AI—from adversarial examples and synthetic media to modern misuse of LLMs through prompt injection, jailbreaks, and confidentiality attacks. Discusses how generative models can be exploited to bypass safety mechanisms and what principled defenses look like.
2024
HIDA Lecture Series 2024
"Challenges and Threats in Generative AI: Misuse and Exploits"
HIDA Lecture Series on AI and LLMs
An invited lecture in the HIDA series covering the dual challenge of generative AI security: how these models can be exploited through prompt injection and confidentiality attacks, and how they can be misused to generate synthetic media for deception. Draws on work spanning LLMs, code models, and multimodal systems.
2024
SaTML 2024
"CodeLMSec: Systematically Evaluating and Finding Security Vulnerabilities in Black-Box Code Language Models"
IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) 2024
Code language models can silently generate vulnerable code. This talk presents CodeLMSec, a benchmark for systematically evaluating security vulnerabilities in black-box code LMs by using the first lines of vulnerable code examples as prompts to elicit completions.
2023
AdvML-Frontiers @ ICML 2023
"Brave New World: Challenges and Threats in Multimodal AI Agent Integrations" Keynote
AdvML-Frontiers @ ICML 2023
Keynote exploring the new security challenges that arise when AI systems can perceive and act across multiple modalities. As language, vision, and audio models are integrated into autonomous agents, the attack surface expands dramatically—this talk maps these emerging threats and the open research questions they raise.
2021
ISCA SIGML 2021
"Adversarially Robust Speech Recognition"
ISCA SIGML Seminar Series
An invited talk in the ISCA SIGML seminar series covering the state of adversarial robustness in speech recognition. Topics span psychoacoustic attacks, physical over-the-air perturbations, and poisoning of audio models, alongside defenses including perceptually-constrained adversarial training and uncertainty quantification for attack detection.
2020
rC3 2020
"Alexa, who else is listening?"
rC3 (Remote Chaos Experience)
A talk at the Remote Chaos Experience exploring the privacy risks of always-on smart speakers. Examines how devices like Amazon Alexa can be triggered accidentally by ambient sounds, TV speech, or phonetically similar words—and what this means for the privacy of everyday conversations in the home.
2020
ACSAC 2020
"Imperio: Robust Over-the-Air Adversarial Examples for Automatic Speech Recognition Systems"
ACSAC 2020
Presents Imperio, a method for crafting adversarial audio examples that remain effective when played over the air in real physical environments. Unlike prior work that assumes white-box access, Imperio accounts for acoustic room transfer functions to achieve robust ASR manipulation at a distance.
2019
NDSS 2019
"Adversarial Attacks Against ASR Systems via Psychoacoustic Hiding"
NDSS 2019
Demonstrates that adversarial audio attacks on speech recognition can be made imperceptible to humans using psychoacoustic masking—hiding malicious commands below the threshold of human hearing while still fooling ASR systems. One of the first works to bring psychoacoustic principles into the adversarial ML setting.

Press

SR · Deepfake pornography: children and teenagers most affected · Apr 2026
NDR 11km · The scamming mafia: AI and modern slavery · Jun 2025
Handelsblatt · Like the grandparent scam, but with AI: deepfake fraudsters blackmail companies with a fake boss's voice · Mar 2022
NZZ / SRF · Our data on the net: the end of privacy · Jan 2022
Tech Conversationalist · Are you accidentally 'waking up' your smart devices? · Jun 2021
ZDF logo! · Can Greta recognize deepfakes? · Sep 2020
Spektrum.de · Mathematical analysis is meant to expose all deepfakes · Jul 2020
VDI Nachrichten · Frequency analysis exposes fake images · Jul 2020
SciTech Daily · Which Face is Real? Using Frequency Analysis to Identify "Deep-Fake" Images · Jul 2020
Electronics Weekly · Frequency analysis can help reveal deep fake images · Jul 2020
ZDF logo! · Does Siri have bad ears? · Jul 2020
detektor.fm · Alexa, are you spying on me? · Jul 2020
Mitteldeutscher Rundfunk · When do voice assistants listen in? · Jul 2020
voicebot.ai · More than 1,000 Phrases Will Accidentally Awaken Alexa, Siri, and Google Assistant · Jul 2020
Hessischer Rundfunk · Always all ears: the eavesdropping attack of voice assistants · Jul 2020
Max Planck Society · Uninvited listeners in your speakers · Jul 2020
STRG_F (NDR) · Smart speakers: when Alexa, Siri & Co. secretly listen in · Jun 2020
Tagesthemen · Voice assistants are listening in · Jun 2020
tagesschau.de · The eavesdropping speakers · Jun 2020
Süddeutsche Zeitung · When Alexa eavesdrops by accident · Jun 2020
Norddeutscher Rundfunk · When the smart speaker talks to the Tatort detective · Jun 2020
Fast Company · Tired of saying 'Hey Google' and 'Alexa'? Change it up with these unintentional wake words · Jul 2020
Fast Company · Alexa can be hacked — by chirping birds · Sep 2018
Deutschlandfunk · Security gaps in voice assistant systems: Alexa hears differently than a human · Oct 2018
Digital Trends · Research finds the sound of chirping birds can be used to hack Alexa · Oct 2018
E&T Engineering and Technology · Smart speaker hack could trigger secret messages hidden in audio files · Sep 2018
phys.org · Secret messages for Alexa and Co · Sep 2018
Focus online · Secret messages for Alexa and Co. · Sep 2018
Trends der Zukunft · Inaudible to humans: researchers hide secret commands in Alexa and Co. · Sep 2018
social ON · IT security: secret messages for Alexa and Co. · Sep 2018
Handelsblatt · Manipulating voice assistants: secret messages for Alexa and Siri · Sep 2018

Teaching

Summer 2026
Trustworthy Machine Learning
Master Lecture · University of Hamburg
Summer 2025
Trustworthy Machine Learning
Master Lecture · University of Hamburg
Winter 2025
Trustworthy Agentic Systems
Master Seminar · Saarland University
Summer 2024
Trustworthy Generative Machine Learning
Bachelor Seminar · Saarland University
Winter 2023
Machine Learning Security Reproducibility
Master Seminar · Saarland University
2022 – 2023
Machine Learning and Security
Master Seminar · Saarland University