Anudeep Das, Vasisht Duddu, Rui Zhang and N. Asokan have received the Best Paper Award at CODASPY 2025, the 15th ACM Conference on Data and Application Security and Privacy. Their paper, Espresso: Robust Concept Filtering in Text-to-Image Models, introduces a new technique to improve the effectiveness, safety and reliability of generative AI systems that create images from natural language text prompts.
“Congrats to the team,” said Raouf Boutaba, University Professor and Director of the Cheriton School of Computer Science. “Text-to-image generative AI models have many creative uses, but they also raise significant concerns. The research Anudeep, Vasisht, Rui and Asokan have conducted adds to the growing body of work to help ensure these models are not misused and abused.”

L to R: Vasisht Duddu, Anudeep Das, N. Asokan. Rui Zhang was unavailable for the photo.
Anudeep Das is pursuing a master’s degree at the Cheriton School of Computer Science, advised by Professor N. Asokan. He works on analyzing and enhancing the security, privacy and fairness of generative AI systems. His primary research has been on securing image-generative diffusion models, and he plans on diving into the safety of large language models next. The Espresso project originated while Anudeep was an undergraduate research assistant with Professor Asokan, where he led both the initial research concept and paper development.
Vasisht Duddu is pursuing a PhD at the Cheriton School of Computer Science, also advised by Professor N. Asokan. His research focuses on risks to security, privacy, fairness and transparency in machine learning models. He also designs attacks to exploit these risks and defences to counter them to better understand the interplay between risks and defences. Additionally, he works on ensuring accountability in machine learning pipelines to meet regulatory requirements.
Professor N. Asokan is a Cheriton Chair at the Cheriton School of Computer Science and serves as the Executive Director of Waterloo’s Cybersecurity and Privacy Institute. His primary research theme is systems security broadly, including topics like developing and using novel platform security features, applying cryptographic techniques to design secure protocols for distributed systems, applying machine learning techniques to security and privacy problems, and understanding and addressing the security and privacy of machine learning applications themselves.
Rui Zhang is pursuing a PhD in Mathematics at Zhejiang University. He was a visiting doctoral student in Professor N. Asokan’s Secure Systems Group from August 2023 to August 2024. His research focuses on security in artificial intelligence, particularly concerning federated learning, intellectual property protection for machine learning models and data, and the robustness of DNN models. He develops both theoretical foundations and practical methods to analyze vulnerabilities and build defences to enhance the reliability of AI systems.
About this award-winning research
Diffusion-based text-to-image models are a type of generative AI system that produces high-quality images from text prompts. As these models are trained on large, unfiltered datasets scraped from the Internet, they can unintentionally create inappropriate content, including copyrighted material, violent images, and sensitive or explicit imagery. Because of their large capacity, these models can also memorize specific concepts, which can reappear in generated images.
Previous efforts to remove inappropriate content, using what are known as concept removal techniques, or CRTs, have been unable to satisfy three important requirements simultaneously: effectiveness in filtering unacceptable concepts, utility in preserving the ability to generate acceptable and desirable content, and robustness against adversarial prompts designed to evade filters.
To address this challenge, the research team developed Espresso, a novel and robust content filter that uses a contrastive language-image pre-training (CLIP) model and meets all three requirements simultaneously. Unlike earlier methods, which either modified the underlying text-to-image generator or used less adaptable classifiers, Espresso evaluates the distance between generated image embeddings and the text embeddings of both acceptable and unacceptable concepts. By using this dual-reference approach, Espresso enables more precise filtering and allows the model to be more effective and robust while preserving its utility.
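The dual-reference idea described above can be illustrated with a short added example, which is not code from the paper or the Espresso project. It compares an image embedding against both concept embeddings and sets that beside a hypothetical single-reference baseline that looks only at the unacceptable concept. The 3-dimensional vectors are constructed stand-ins for CLIP embeddings, and the softmax decision rule, temperature and thresholds are assumptions made for the illustration.

```python
import math

def cosine(a, b):
    """Cosine similarity between two embedding vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

def single_reference_blocks(image, unacceptable, threshold=0.9):
    """Hypothetical baseline: block when close to the unacceptable concept alone."""
    return cosine(image, unacceptable) >= threshold

def dual_reference_score(image, acceptable, unacceptable, temperature=0.1):
    """Score in [0, 1] that the image matches the unacceptable concept rather
    than the acceptable one (softmax over the two similarities; assumed rule)."""
    s_acc = cosine(image, acceptable) / temperature
    s_unacc = cosine(image, unacceptable) / temperature
    top = max(s_acc, s_unacc)  # subtract the max for numerical stability
    e_acc, e_unacc = math.exp(s_acc - top), math.exp(s_unacc - top)
    return e_unacc / (e_acc + e_unacc)

def dual_reference_blocks(image, acceptable, unacceptable):
    """Block only when the image sits nearer the unacceptable concept."""
    return dual_reference_score(image, acceptable, unacceptable) > 0.5

# Constructed 3-d stand-ins for CLIP embeddings (not real model output).
# The two concept embeddings are deliberately placed close together.
ACCEPTABLE = [0.8, 0.6, 0.0]
UNACCEPTABLE = [0.6, 0.8, 0.0]
IMAGES = {
    "benign_but_related": [0.85, 0.50, 0.10],
    "unacceptable": [0.50, 0.85, 0.10],
    "unrelated": [0.20, 0.10, 1.00],
}

def evaluate():
    """Return {image name: (single-reference verdict, dual-reference verdict)}."""
    return {
        name: (single_reference_blocks(emb, UNACCEPTABLE),
               dual_reference_blocks(emb, ACCEPTABLE, UNACCEPTABLE))
        for name, emb in IMAGES.items()
    }

if __name__ == "__main__":
    for name, (single, dual) in evaluate().items():
        print(f"{name:20s} single-ref blocked={single!s:5s} dual-ref blocked={dual}")
```

On this constructed data the benign-but-related image is blocked by the single-reference baseline but passed by the dual-reference check, while the unacceptable image is blocked by both.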
The research team also conducted a comprehensive evaluation — a complete pipeline to comparatively evaluate various CRTs — demonstrating that Espresso outperforms seven fine-tuning-based CRTs and one filtering-based CRT on effectiveness, utility and resistance to adversarial attacks. Importantly, the researchers introduce the first approach to evaluate the robustness of CRTs, including defences against sophisticated adversarial prompts. Their results show that Espresso provides a better trade-off across effectiveness, utility and robustness compared with other state-of-the-art techniques.
To learn more about the award-winning research on which this article is based, please see Espresso: Robust Concept Filtering in Text-to-Image Models. Anudeep Das, Vasisht Duddu, Rui Zhang, N. Asokan. 2025. 15th ACM Conference on Data and Application Security and Privacy (CODASPY).
You can also learn more about this research on the Secure Systems Group’s project page on content moderation for generative models.