Thesis/Project Final Defense Schedule

Join us as the School of STEM master’s degree candidates present their culminating thesis and project work. The schedule is updated throughout the quarter, check back for new defenses.

View previous quarter schedules

Select a master’s program to navigate to candidates:

Master of Science in Computer Science & Software Engineering

SUMMER 2026

Monday, July 20

Ankita Maria John

Chair: Dr. Geethapriya Thamilarasu
Candidate: Master of Science in Computer Science & Software Engineering
11:00 A.M.; Join Ankita Maria John’s online defense
Thesis: SCALES: Dual Information-Theoretic Approaches to Mitigating and Quantifying Prompt Injections in RAG Pipelines

Large language models in Retrieval-Augmented Generation (RAG) pipelines remain highly vulnerable to prompt injection attacks. Current defenses often fail against adaptive and multimodal attacks or rendered unusable due to high false-positive rates. This thesis resolves this usability-security trade-off through two parallel information-theoretic contributions. First, we present a modality-aware, three-layer defense cascade combining a DeBERTa pre-filter, KL-divergence semantic boundary chunking, and an Information-Theoretic Mixed-Objective Contrastive (IT-MOC) LoRA adapter. Across a 500-sample benchmark spanning five attack families, this cascade achieves a <10% Attack Success Rate while maintaining over a 90% Benign Pass Rate. Second, we introduce a graded leakage quantification framework that replaces binary success metrics with a Combined Leakage Index measuring lexical, semantic, algorithmic, and distributional leakage. This protocol mathematically proves a substantial reduction in mean leakage severity over undefended baselines, establishing information-theoretic principles as foundational for both active RAG defense and security benchmarking.

Tuesday, July 21

Gayatri Malladi

Chair: Dr. Geethapriya Thamilarasu
Candidate: Master of Science in Computer Science & Software Engineering
1:00 P.M.; Join Gayatri Malladi’s online defense
Thesis: GuardRAG: Adversarial Preference Training Against Indirect Prompt Injections in RAG Systems

Retrieval-Augmented Generation (RAG) systems have enhanced the performance of Large Language Models (LLMs) by effectively addressing challenges such as hallucinations and generating irrelevant responses. However, augmenting LLMs with retrieval introduces privacy and data-leakage risks through the retrieval pipeline. Indirect Prompt Injections (IPIs) occur when hidden instructions inside retrieved documents enter a model’s context as trusted evidence, exploiting weak guardrails and leading to unauthorized data leaks, policy overrides, or attacker-controlled behavior. Existing defenses rely on brittle delimiter heuristics or limited retriever adjustments, leaving RAG systems vulnerable to adversarial directives blended seamlessly into retrieved content.

This thesis studies how IPIs propagate across the lifecycle of untrusted retrieved content, from retrieval-time exposure to model behavior and persistent agent memory. We first introduce RIPE-II, a corpus-level benchmark that evaluates IPIs under a realistic content-poisoning threat model. RIPE-II contains 32k attacks across six corpora, four domains, and twelve carrier families, and measures retrieval exposure and generation compromise as separate stages. Results show that poisoned passages reach the model on most queries, reranking can amplify poisoning instead of filtering it, and even the strongest evaluated models follow injected directives on roughly half of queries and up to 89% on some corpora. Cosine-based scoring also underreports semantic compromise by more than 5x, motivating the need for calibrated judge-based evaluation. We then present GuardRAG, an adversarial training framework that converts these observed vulnerabilities into security-aware preference data. GuardRAG teaches the model to produce a span-grounded security report, making each refusal or acceptance decision auditable. On an 8B model that follows about 45% of stealth injections even when the security policy is included in the prompt, GuardRAG reduces behavioral attack success to 0.3% while preserving benign-query utility. The resulting 8B model also matches the defense quality of a 70B model nearly nine times its size on a single GPU. However, securing the immediate response does not prevent poisoned content from persisting in tool-using agents with long-term memory. We therefore introduce PRISM-Mem, a provenance-aware memory firewall that screens what may enter persistent memory, cutting agent attack success from 30.3% to 9.0% and cross-turn contamination from 98.7% to zero.

Together, RIPE-II, GuardRAG, and PRISM-Mem show that realistic evaluation, security-aware training, and provenance-governed memory can substantially improve RAG and agent security without sacrificing usefulness. This thesis establishes that a threat which grows with model capability can instead be held by a deliberately trained defense across the full retrieval lifecycle.

Master of Science in Cybersecurity Engineering

SUMMER 2026

Wednesday, July 22

Ben Pearson

Chair: Dr. Geethapriya Thamilarasu
Candidate: Master of Science in Cybersecurity Engineering
1:15 P.M.; Join Ben Pearson’s online defense
Thesis: Optimized Multi-Agent Defense Pipeline Against Advanced Prompt Injection Attacks

Large language models deployed in production remain critically vulnerable to prompt-injection attacks. These attacks embed adversarial inputs that hijack the model into leaking data, taking unauthorized actions, or producing harmful content. Existing multi-agent defenses handle static, known attacks well but leave three gaps. First, they are not evaluated against adaptive attackers who optimize against the defense. Second, they do not handle indirect injection through external content or multi-turn distributed attacks. Third, they do not measure how the security layer behaves when the inference cache fills up.

I designed a multi-agent defense pipeline with three architectural contributions. The first is a white-box adaptive adversary. It attacks all defense components at once through a joint-loss optimization. I evaluated it across five configurations and 24 generations of iterative training. The second is a trust-role-aware cache compression scheme. It partitions cached tokens by trust role. It prevents the loss of security-relevant instructions when the cache fills up. The third is a multi-turn defense that tracks conversation history across turns. It aggregates four detector signals into a per-session trust score, resolved through a learned discriminative classifier.

The evaluation produced two headline findings. On an aligned Domain LLM, no configuration produced a verified attack. This held across four evaluation configurations and 24 generations of iterative training. On a vulnerable Domain LLM, the attack succeeded three-of-three times without the pipeline. With the pipeline in place, the attack failed five-of-five times end to end. The multi-turn defense caught every attack pattern on real-user dialogues at near-zero false-positive rate. An early design coupled the false-positive rate and the attack-catch rate through a single parameter. A learned discriminative classifier decoupled them. The cache-layer scheme preserved all protected token classes at full recall. A naive eviction baseline lost them entirely. The perimeter guards reduced attack-success rate by roughly 11×on one benchmark and 70×on another against an undefended baseline.

These results reframe what a multi-agent defense is for. On aligned Domain LLMs, the pipeline earns its value through orthogonal coverage of threat surfaces the alignment training does not address. On vulnerable Domain LLMs, the same pipeline becomes the binding direct-injection defense layer. The two roles are complementary rather than competing.

Master of Science in Electrical & Computer Engineering

SUMMER 2026

Wednesday, July 22

Jose Fernando Pagan

Chair: Dr. Harry Aintablian
Candidate: Master of Science in Electrical & Computer Engineering
4:00 P.M.; Discovery (DISC) 464 or Join Jose Fernando Pagan’s defense online
Thesis: System for Fine Control of Differential Drive, Over Uneven Terrain

Autonomous land vehicles and naval surface vehicles are a subset of systems that may benefit from improved course tracking and correction systems. Existing kinematic models for drive systems assume ideal conditions where travel occurs over smooth flat surfaces. Outside of the R&D laboratory, thes e vehicles will traverses surfaces that deviate from such ideal conditions. The work undertake n, in this thesis, examines the kinematics and behavior of a 2 wheel differential drive (2WDD) system traversing surfaces with discontinuities.

The 2WDD system was chosen because it is well known and offers a comprehensible baseline to correlate vehicle behavior with forward and in verse kinematics. Such vehicles display specific and predictable behaviors when traversing a surface with discontinuities, specifically, dips or bumps. Vehicle behavior is studied and translated to mathematical models that can be used to demonstrate behaviors in simulation (using MATLAB and Simulink).

Finally, this thesis examines the modeled behavior and proposes a control system to mitigate the undesired affects, of these behaviors. In particular, traversing a discontinuity produce a vehicle turn toward the discontinuity. This behavior is problematic when it is desired that the vehicle travel in a straight line. Thus, this thesis proposes a differential drive feedback control system designed to mechanism mitigate this undesired turning behavior and minimize deviations from the intended course of travel.

Thursday, July 30

Adam Loper

Chair: Dr. Kaibao Nie
Candidate: Master of Science in Electrical & Computer Engineering
3:30 P.M.; Discovery (DISC) 464 or Join Adam Loper’s defense online
Thesis: Specific Loudness Features for Sound Event Classification and Localization in Machine Learning

In sound event classification and localization, the mel spectrogram is the de facto standard input feature. It is, however, only a partial model of human hearing: it reshapes the frequency axis to match the ear but leaves the magnitude axis in raw physical units, ignoring the equal-loudness weighting, masking, and compressive growth that determine how loud a sound is actually perceived. This thesis investigates whether completing that perceptual transform—using the ISO 532 specific-loudness models from psychoacoustics—produces input features better matched to sound categories that are themselves defined by human listeners.

The central study concerns sound event classification. On the widely used ESC-50 benchmark, specific-loudness features significantly outperform both the linear-frequency spectrogram (STFT) and the mel spectrogram under an identical neural network, raising accuracy from 53.1% for mel to 63.0%. A controlled ablation shows that most of this improvement is recovered by a lightweight loudness transform applied directly to an ordinary mel spectrogram, at essentially no additional cost—identifying the perceptual treatment of the magnitude axis, rather than the frequency scale, as the source of the benefit. The effect replicates on two further datasets and extends even to acoustic scene classification. A second study applies the same features to spatial audio, where two-channel binaural loudness matches the localization-and-detection performance of a four-channel ambisonic format.

Together, these results support the central thesis: for sound classes defined by human perception, input representations that incorporate perceptual loudness align more closely with classification targets than representations based on physical signal properties alone.