About

David Evans is a professor at the University of Virginia Department of Computer Science. His teaching portfolio spans a wide range of computer science topics, including introductory courses such as "Introduction to Information Technology" and "Introduction to Computing: Explorations in Language, Logic, and Machines," as well as advanced subjects like "Theory of Computation," "Operating Systems," "Cryptology," and "Artificial Intelligence and Machine Learning." He has developed and taught numerous courses both at the undergraduate and graduate levels, including interdisciplinary courses co-taught with faculty from other departments such as Economics and Law. Evans has also contributed to online education through Udacity, offering popular courses like "Introduction to Computer Science" and "Applied Cryptography," which have attracted hundreds of thousands of students worldwide. His outreach efforts include cryptography lessons for high school students and specialized seminars for professionals and lifelong learners. Throughout his career, Evans has focused on integrating foundational computer science concepts with practical applications, emphasizing security, privacy, ethics, and the societal impacts of computing technologies.

Research topics

• Machine Learning
• Computer Security
• Artificial Intelligence
• Computer Science
• Physics
• Mathematics
• Psychology
• Combinatorics
• Engineering

Selected publications

• An operator algebraic approach to fusion category symmetry on the lattice

  ORCA Online Research @Cardiff (Cardiff University) · 2025-07-07

  preprintOpen access1st authorCorresponding

  We propose a framework for fusion category symmetry on the (1+1)D lattice in the infinite-volume limit by giving a formal interpretation of SymTFT decompositions. Our approach is based on axiomatizing physical boundary subalgebra of quasi-local observables, and applying ideas from algebraic quantum field theory to derive the expected categorical structures. We show that given a physical boundary subalgebra $B$ of a quasi-local algebra $A$, there is a canonical fusion category $\mathcal{C}$ that acts on $A$ by bimodules and whose fusion ring acts by locality preserving quantum channels on the quasi-local algebra such that $B$ is recovered as the fixed point operators. We show that a fusion category can be realized as symmetries on a tensor product quasi-local algebra if and only if all of its objects have integer dimensions, and that it admits an ``on-site" action on a tensor product spin chain if and only if it admits a fiber functor. We give a formal definition of a topological symmetric state, and prove two anomaly enforced gaplessness theorems, one for internal categorical symmetries and one for anomalous duality channels. Using the first, we show that for any fusion category $\mathcal{C}$ with no fiber functor there always exist gapless pure symmetric states on an anyon chain.

  PublisherOA PDFDOI

• Unsupervised Concept Vector Extraction for Bias Control in LLMs

  2025-01-01

  articleOpen accessSenior author
  PublisherOA PDFDOI

• Spectral sequence computation of higher twisted 𝐾-groups of 𝑆𝑈(𝑛)

  Communications of the American Mathematical Society · 2025-12-12

  articleOpen access1st authorCorresponding

  Motivated by the Freed-Hopkins-Teleman theorem we study graded equivariant higher twists of <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper K"> <mml:semantics> <mml:mi>K</mml:mi> <mml:annotation encoding="application/x-tex">K</mml:annotation> </mml:semantics> </mml:math> </inline-formula> -theory for the groups <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper G equals upper S upper U left-parenthesis n right-parenthesis"> <mml:semantics> <mml:mrow> <mml:mi>G</mml:mi> <mml:mo>=</mml:mo> <mml:mi>S</mml:mi> <mml:mi>U</mml:mi> <mml:mo stretchy="false">(</mml:mo> <mml:mi>n</mml:mi> <mml:mo stretchy="false">)</mml:mo> </mml:mrow> <mml:annotation encoding="application/x-tex">G = SU(n)</mml:annotation> </mml:semantics> </mml:math> </inline-formula> induced by exponential functors. We compute the rationalisation of these groups for all <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="n"> <mml:semantics> <mml:mi>n</mml:mi> <mml:annotation encoding="application/x-tex">n</mml:annotation> </mml:semantics> </mml:math> </inline-formula> and all non-trivial functors. Classical twists use the determinant functor and yield equivariant bundles of compact operators that are classified by Dixmier-Douady theory. Their equivariant <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper K"> <mml:semantics> <mml:mi>K</mml:mi> <mml:annotation encoding="application/x-tex">K</mml:annotation> </mml:semantics> </mml:math> </inline-formula> -theory reproduces the Verlinde ring of conformal field theory. Higher twists give equivariant bundles of stable uniformly hyperfinite algebras, which can be classified using stable homotopy theory. Rationally, only the <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper K"> <mml:semantics> <mml:mi>K</mml:mi> <mml:annotation encoding="application/x-tex">K</mml:annotation> </mml:semantics> </mml:math> </inline-formula> -theory in degree <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="dimension left-parenthesis upper G right-parenthesis"> <mml:semantics> <mml:mrow> <mml:mi>dim</mml:mi> <mml:mo> ⁡ </mml:mo> <mml:mo stretchy="false">(</mml:mo> <mml:mi>G</mml:mi> <mml:mo stretchy="false">)</mml:mo> </mml:mrow> <mml:annotation encoding="application/x-tex">\dim (G)</mml:annotation> </mml:semantics> </mml:math> </inline-formula> is again non-trivial. The non-vanishing group is a quotient of a localisation of the representation ring <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper R left-parenthesis upper G right-parenthesis circled-times double-struck upper Q"> <mml:semantics> <mml:mrow> <mml:mi>R</mml:mi> <mml:mo stretchy="false">(</mml:mo> <mml:mi>G</mml:mi> <mml:mo stretchy="false">)</mml:mo> <mml:mo> ⊗ </mml:mo> <mml:mrow class="MJX-TeXAtom-ORD"> <mml:mi mathvariant="double-struck">Q</mml:mi> </mml:mrow> </mml:mrow> <mml:annotation encoding="application/x-tex">R(G) \otimes \mathbb {Q}</mml:annotation> </mml:semantics> </mml:math> </inline-formula> by a higher fusion ideal <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper J Subscript upper F comma double-struck upper Q"> <mml:semantics> <mml:msub> <mml:mi>J</mml:mi> <mml:mrow class="MJX-TeXAtom-ORD"> <mml:mi>F</mml:mi> <mml:mo>,</mml:mo> <mml:mrow class="MJX-TeXAtom-ORD"> <mml:mi mathvariant="double-struck">Q</mml:mi> </mml:mrow> </mml:mrow> </mml:msub> <mml:annotation encoding="application/x-tex">J_{F,\mathbb {Q}}</mml:annotation> </mml:semantics> </mml:math> </inline-formula> . We give generators for this ideal and prove that these can be obtained as derivatives of a potential. For the exterior algebra functor, which is exponential, we show that the determinant bundle over <inline-formula content-type="math/mathml"> <mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" alttext="upper L upper S upper U left-parenthesis n right-parenthesis"> <mml:semantics> <mml:mrow> <mml:mi>L</mml:mi> <mml:mi>S</mml:mi> <mml:mi>U</mml:mi> <mml:mo stretchy="false">(</mml:mo> <mml:mi>n</mml:mi> <mml:mo stretchy="false">)</mml:mo> </mml:mrow> <mml:annotation encoding="application/x-tex">LSU(n)</mml:annotation> </mml:semantics> </mml:math> </inline-formula> has a non-commutative counterpart where the fibre is the unitary group of the UHF algebra.

  PublisherOA PDFDOI

• Unsupervised Concept Vector Extraction for Bias Control in LLMs

  ArXiv.org · 2025-02-27

  preprintOpen accessSenior author

  Large language models (LLMs) are known to perpetuate stereotypes and exhibit biases. Various strategies have been proposed to mitigate these biases, but most work studies biases as a black-box problem without considering how concepts are represented within the model. We adapt techniques from representation engineering to study how the concept of "gender" is represented within LLMs. We introduce a new method that extracts concept representations via probability weighting without labeled data and efficiently selects a steering vector for measuring and manipulating the model's representation. We develop a projection-based method that enables precise steering of model predictions and demonstrate its effectiveness in mitigating gender bias in LLMs and show that it also generalizes to racial bias. Our code is available at: https://github.com/hannahxchen/gender-bias-steering

  PublisherOA PDFDOI

• Do Membership Inference Attacks Work on Large Language Models?

  arXiv (Cornell University) · 2024-02-12 · 10 citations

  preprintOpen access

  Membership inference attacks (MIAs) attempt to predict whether a particular datapoint is a member of a target model's training data. Despite extensive research on traditional machine learning models, there has been limited work studying MIA on the pre-training data of large language models (LLMs). We perform a large-scale evaluation of MIAs over a suite of language models (LMs) trained on the Pile, ranging from 160M to 12B parameters. We find that MIAs barely outperform random guessing for most settings across varying LLM sizes and domains. Our further analyses reveal that this poor performance can be attributed to (1) the combination of a large dataset and few training iterations, and (2) an inherently fuzzy boundary between members and non-members. We identify specific settings where LLMs have been shown to be vulnerable to membership inference and show that the apparent success in such settings can be attributed to a distribution shift, such as when members and non-members are drawn from the seemingly identical domain but with different temporal ranges. We release our code and data as a unified benchmark package that includes all existing MIAs, supporting future work.

  PublisherOA PDFDOI

• Do Parameters Reveal More than Loss for Membership Inference?

  arXiv (Cornell University) · 2024-06-17

  preprintOpen accessSenior author

  Membership inference attacks are used as a key tool for disclosure auditing. They aim to infer whether an individual record was used to train a model. While such evaluations are useful to demonstrate risk, they are computationally expensive and often make strong assumptions about potential adversaries' access to models and training environments, and thus do not provide tight bounds on leakage from potential attacks. We show how prior claims around black-box access being sufficient for optimal membership inference do not hold for stochastic gradient descent, and that optimal membership inference indeed requires white-box access. Our theoretical results lead to a new white-box inference attack, IHA (Inverse Hessian Attack), that explicitly uses model parameters by taking advantage of computing inverse-Hessian vector products. Our results show that both auditors and adversaries may be able to benefit from access to model parameters, and we advocate for further research into white-box methods for membership inference.

  PublisherOA PDFDOI

• Carbon farming diffusion in Australia

  Global Environmental Change · 2024-09-12 · 5 citations

  articleOpen access1st authorCorresponding

  • Proximity to carbon projects strongly influences landholders’ adoption. • HIR project adoption is concentrated, raising risks for carbon supply efficiency. • HIR diffusion is weakly linked to regions’ economic feasibility. • Designing schemes to reduce spatial dependencies can boost adoption effectiveness. Carbon farming is a set of land management practices that abate carbon emissions through carbon sequestration and emissions avoidance. The Australian Carbon Credit Unit scheme enables landholders to receive carbon credits for implementing carbon farming projects that use approved methods to reduce emissions relative to baseline practice. The most widely adopted methodology under this scheme is human induced regeneration, whereby a landholder implements land management changes to enable a forest to regrow. Here, we model the spatial diffusion of human induced regeneration projects in Australia between 2014 and 2022 using spatiotemporal data on project registrations and spatial data on the methodology’s economic feasibility. We find that spatial proximity to existing projects is a strong predictor of landholder adoption, conditional on the methodology’s average economic feasibility in the region. We also find that a region’s average economic feasibility is a relatively weak predictor of adoption, after accounting for landholder proximity to existing projects. The spatial dependency of the diffusion process has led to high levels of spatial concentration in Australia’s carbon supply, raising concerns regarding land use efficiency and carbon supply risk. We explore how to design carbon farming schemes to support wider uptake and produce better outcomes.

  PublisherDOI

• SoK: Pitfalls in Evaluating Black-Box Attacks

  2024-04-09 · 2 citations

  articleSenior author

  Numerous works study black-box attacks on image classifiers, where adversaries generate adversarial examples against unknown target models without having access to their internal information. However, these works make different assumptions about the adversary’s knowledge, and current literature lacks cohesive organization centered around the threat model. To systematize knowledge in this area, we propose a taxonomy over the threat space spanning the axes of feedback granularity, the access of interactive queries, and the quality and quantity of the auxiliary data available to the attacker. Our new taxonomy provides three key insights. 1) Despite extensive literature, numerous under-explored threat spaces exist, which cannot be trivially solved by adapting techniques from well-explored settings. We demonstrate this by establishing a new state-of-the-art in the less-studied setting of access to top-k confidence scores by adapting techniques from well-explored settings of accessing the complete confidence vector but show how it still falls short of the more restrictive setting that only obtains the prediction label, highlighting the need for more research. 2) Identifying the threat models for different attacks uncovers stronger baselines that challenge prior state-of-the-art claims. We demonstrate this by enhancing an initially weaker baseline (under interactive query access) via surrogate models, effectively overturning claims in the respective paper. 3) Our taxonomy reveals interactions between attacker knowledge that connect well to related areas, such as model inversion and extraction attacks. We discuss how advances in other areas can enable stronger black-box attacks. Finally, we emphasize the need for a more realistic assessment of attack success by factoring in local attack runtime. This approach reveals the potential for certain attacks to achieve notably higher success rates. We also highlight the need to evaluate attacks in diverse and harder settings and underscore the need for better selection criteria when picking the best candidate adversarial examples.

  PublisherDOI

• Quantum symmetries of noncommutative tori

  ORCA Online Research @Cardiff (Cardiff University) · 2024-04-22

  preprintOpen access1st authorCorresponding

  We consider the problem of building non-invertible quantum symmetries (as characterized by actions of unitary fusion categories) on noncommutative tori. We introduce a general method to construct actions of fusion categories on inductive limit C*-algberas using finite dimenionsal data, and then apply it to obtain AT-actions of arbitrary Haagerup-Izumi categories on noncommutative 2-tori, of the even part of the $E_{8}$ subfactor on a noncommutative 3-torus, and of $\text{PSU}(2)_{15}$ on a noncommutative 4-torus.

  OA PDFDOI

• Addressing Both Statistical and Causal Gender Fairness in NLP Models

  2024-01-01 · 1 citations

  articleOpen accessSenior author

  Statistical fairness stipulates equivalent outcomes for every protected group, whereas causal fairness prescribes that a model makes the same prediction for an individual regardless of their protected characteristics.Counterfactual data augmentation (CDA) is effective for reducing bias in NLP models, yet models trained with CDA are often evaluated only on metrics that are closely tied to the causal fairness notion; similarly, sampling-based methods designed to promote statistical fairness are rarely evaluated for causal fairness.In this work, we evaluate both statistical and causal debiasing methods for gender bias in NLP models, and find that while such methods are effective at reducing bias as measured by the targeted metric, they do not necessarily improve results on other bias metrics.We demonstrate that combinations of statistical and causal debiasing techniques are able to reduce bias measured through both types of metrics. 1 -0.1 0 0.1 0.2 Normal Acc= 95.49%

  PublisherOA PDFDOI

Recent grants

• TWC: Small: Automated Security Testing for Applications Integrating Third-Party Services

  NSF · $500k · 2014–2019

• Automatic Inference and Effective Application of Temporal Specifications

  NSF · $330k · 2006–2010

• CT-ER: Automatic Identification and Protection of Security Critical Data

  NSF · $200k · 2006–2009

• SaTC: CORE: Frontier: Collaborative: End-to-End Trustworthiness of Machine-Learning Systems

  NSF · $958k · 2018–2024

• SaTC: CORE: Small: Multi-Party High-dimensional Machine Learning with Privacy

  NSF · $499k · 2017–2021

Frequent coauthors

• Yasuyuki Kawahigashi

  28 shared

• Mathew Pugh

  22 shared

• Ola Bratteli

  17 shared

• Akitaka Kishimoto

  13 shared

• Anshuman Suri

  University of Virginia

  10 shared

• George A. Elliott

  University of Toronto

  10 shared

• David Eyers

  10 shared

• Jean Bacon

  Grinnell College

  10 shared

Labs

• Security Research GroupPI

Awards & honors

• ACM Conference on Computer and Communications Security PC Co…
• Distinguished Research Award 2014
• IEEE Technical Committee on Security and Privacy Award for O…
• State Council of Higher Education for Virginia Outstanding F…
• Defense Science Study Group Fellow 2008–9