密码学与安全
查看 最近的 文章
显示 2025年08月07日, 星期四 新的列表
- [1] arXiv:2508.03696 [中文pdf, pdf, html, 其他]
-
标题: PLA:针对文本到图像生成模型的提示学习攻击标题: PLA: Prompt Learning Attack against Text-to-Image Generative Models评论: 10页,3张图,并发表于ICCV2025主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 计算机视觉与模式识别 (cs.CV)
文本到图像(T2I)模型已在各种应用中得到广泛采用。 尽管取得了成功,T2I模型的潜在滥用可能生成不适合工作场所(NSFW)的内容。 为了研究T2I模型的脆弱性,本文深入探讨了在黑盒设置下绕过安全机制的对抗攻击。 大多数先前的方法依赖于词语替换来搜索对抗提示。 由于搜索空间有限,这与基于梯度的训练相比表现不佳。 然而,黑盒设置对基于梯度的攻击方法训练提出了独特的挑战,因为无法访问T2I模型的内部架构和参数。 为了在黑盒设置中促进对抗提示的学习,我们提出了一种新颖的提示学习攻击框架(PLA),通过利用多模态相似性设计了针对黑盒T2I模型的有见地的基于梯度的训练。 实验表明,与最先进的方法相比,我们的新方法能够以高成功率有效攻击包括提示过滤器和事后安全检查器在内的黑盒T2I模型的安全机制。 警告:本文可能包含具有冒犯性的模型生成内容。
Text-to-Image (T2I) models have gained widespread adoption across various applications. Despite the success, the potential misuse of T2I models poses significant risks of generating Not-Safe-For-Work (NSFW) content. To investigate the vulnerability of T2I models, this paper delves into adversarial attacks to bypass the safety mechanisms under black-box settings. Most previous methods rely on word substitution to search adversarial prompts. Due to limited search space, this leads to suboptimal performance compared to gradient-based training. However, black-box settings present unique challenges to training gradient-driven attack methods, since there is no access to the internal architecture and parameters of T2I models. To facilitate the learning of adversarial prompts in black-box settings, we propose a novel prompt learning attack framework (PLA), where insightful gradient-based training tailored to black-box T2I models is designed by utilizing multimodal similarities. Experiments show that our new method can effectively attack the safety mechanisms of black-box T2I models including prompt filters and post-hoc safety checkers with a high success rate compared to state-of-the-art methods. Warning: This paper may contain offensive model-generated content.
- [2] arXiv:2508.03879 [中文pdf, pdf, html, 其他]
-
标题: RX-INT:实时检测和分析内存中威胁的内核引擎标题: RX-INT: A Kernel Engine for Real-Time Detection and Analysis of In-Memory Threats评论: 10页,8图,1表。介绍了RX-INT,这是一种用于实时检测无文件恶意软件的内核模式系统,采用事件驱动的VAD扫描和自动导入解析。展示了在高级逃避技术(包括模块覆盖和无头手动映射)方面优于PE-sieve的检测能力。主题: 密码学与安全 (cs.CR) ; 操作系统 (cs.OS)
恶意软件和作弊开发者使用无文件执行技术来规避传统的基于签名的安全产品。 这些方法包括各种手动映射、模块覆盖和无线程注入,它们完全在合法进程的地址空间内运行,由于合法与非法之间的模糊性,给检测带来了挑战。 现有工具通常存在弱点,例如依赖可移植可执行文件(PE)结构,或者容易受到检查时间到使用时间(TOCTOU)竞争条件的攻击,其中对手会在定期扫描发生之前清理现场。 为解决这一差距,我们提出了RX-INT,这是一种基于内核的系统,其架构能够抵御TOCTOU攻击。 RX-INT引入了一个检测引擎,该引擎结合了实时线程创建监控器、带有状态虚拟地址描述符(VAD)扫描器以及各种启发式方法。 该引擎对私有和图像支持的内存区域进行快照,并使用实时内存哈希来检测非法修改,如模块覆盖。 关键的是,通过与PE-sieve——一种常用且强大的内存取证工具——的直接比较,我们证明了这种方法在某些基准测试中具有更高的检测率。 在我们的评估中,RX-INT成功检测到了一个未被PE-sieve识别的手动映射区域。 我们随后得出结论,我们的架构在无文件威胁的检测中代表了一种实质性的差异,并在反作弊和内存安全领域有直接的应用。
Malware and cheat developers use fileless execution techniques to evade traditional, signature-based security products. These methods include various types of manual mapping, module stomping, and threadless injection which work entirely within the address space of a legitimate process, presenting a challenge for detection due to ambiguity between what is legitimate and what isn't. Existing tools often have weaknesses, such as a dependency on Portable Executable (PE) structures or a vulnerability to time-of-check-to-time-of-use (TOCTOU) race conditions where an adversary cleans up before a periodic scan has the chance to occur. To address this gap, we present RX-INT, a kernel-assisted system featuring an architecture that provides resilience against TOCTOU attacks. RX-INT introduces a detection engine that combines a real-time thread creation monitor with a stateful Virtual Address Descriptor (VAD) scanner alongside various heuristics within. This engine snapshots both private and image-backed memory regions, using real-time memory hashing to detect illicit modifications like module stomping. Critically, we demonstrate a higher detection rate in certain benchmarks of this approach through a direct comparison with PE-sieve, a commonly used and powerful memory forensics tool. In our evaluation, RX-INT successfully detected a manually mapped region that was not identified by PE-sieve. We then conclude that our architecture represents a tangible difference in the detection of fileless threats, with direct applications in the fields of anti-cheat and memory security.
- [3] arXiv:2508.03882 [中文pdf, pdf, html, 其他]
-
标题: 通过由安全混沌工程 (SCE) 驱动的漏洞攻击模拟 (BAS) 平台模拟网络攻击标题: Simulating Cyberattacks through a Breach Attack Simulation (BAS) Platform empowered by Security Chaos Engineering (SCE)Arturo Sánchez-Matas, Pablo Escribano Ruiz, Daniel Díaz-López, Angel Luis Perales Gómez, Pantaleone Nespoli, Gregorio Martínez Pérez评论: 8页,4张图表,论文发表于西班牙萨拉戈萨举行的“X国家网络安全研究会议”论文集,2025年6月主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI)
在当今数字环境中,组织面临着不断演变的网络威胁,因此通过像安全混沌工程(SCE)这样的新技术来发现隐蔽的攻击途径至关重要,这使得团队能够有效地测试防御并识别漏洞。 本文提出将SCE集成到渗透攻击模拟(BAS)平台中,利用现有威胁情报数据库中的对手资料和能力。 这种针对网络攻击模拟的创新方案采用了一个由三层组成的结构化架构:SCE协调器、连接器和BAS层。 在BAS层中使用MITRE Caldera,我们的方案执行自动化攻击序列,从对手资料中生成推断的攻击树。 我们的方案评估说明了将SCE与BAS结合如何增强攻击模拟的有效性,超越传统场景,并成为网络安全防御策略中有用的组成部分。
In today digital landscape, organizations face constantly evolving cyber threats, making it essential to discover slippery attack vectors through novel techniques like Security Chaos Engineering (SCE), which allows teams to test defenses and identify vulnerabilities effectively. This paper proposes to integrate SCE into Breach Attack Simulation (BAS) platforms, leveraging adversary profiles and abilities from existing threat intelligence databases. This innovative proposal for cyberattack simulation employs a structured architecture composed of three layers: SCE Orchestrator, Connector, and BAS layers. Utilizing MITRE Caldera in the BAS layer, our proposal executes automated attack sequences, creating inferred attack trees from adversary profiles. Our proposal evaluation illustrates how integrating SCE with BAS can enhance the effectiveness of attack simulations beyond traditional scenarios, and be a useful component of a cyber defense strategy.
- [4] arXiv:2508.03936 [中文pdf, pdf, 其他]
-
标题: ASTRA:人工智能软件助手的自主时空红队测试标题: ASTRA: Autonomous Spatial-Temporal Red-teaming for AI Software AssistantsXiangzhe Xu, Guangyu Shen, Zian Su, Siyuan Cheng, Hanxi Guo, Lu Yan, Xuan Chen, Jiasheng Jiang, Xiaolong Jin, Chengpeng Wang, Zhuo Zhang, Xiangyu Zhang评论: 第一作者(许翔哲和沈广宇)对本研究做出了同等贡献主题: 密码学与安全 (cs.CR) ; 计算与语言 (cs.CL) ; 机器学习 (cs.LG) ; 软件工程 (cs.SE)
AI代码助手如GitHub Copilot正在迅速改变软件开发,但它们的安全性仍然存在极大的不确定性,尤其是在网络安全等高风险领域。 当前的红队工具通常依赖于固定的基准或不现实的提示,忽略了许多现实世界中的漏洞。 我们提出了ASTRA,一个自动代理系统,旨在系统地发现AI驱动的代码生成和安全指导系统中的安全缺陷。 ASTRA分为三个阶段:(1)它构建结构化的领域特定知识图谱,模拟复杂的软件任务和已知弱点;(2)它通过自适应探测目标模型的输入空间(即空间探索)和推理过程(即时间探索),并由知识图谱引导,进行在线漏洞探索;(3)它生成高质量的违规案例以提高模型对齐。 与之前的方法不同, ASTRA专注于现实输入——开发者可能会实际提出的请求,并使用离线抽象引导的领域建模和在线领域知识图谱适应来揭示边缘案例漏洞。 在两个主要评估领域中,ASTRA发现的问题比现有技术多11-66%,并生成导致17%更有效的对齐训练的测试用例,展示了其在构建更安全AI系统方面的实际价值。
AI coding assistants like GitHub Copilot are rapidly transforming software development, but their safety remains deeply uncertain-especially in high-stakes domains like cybersecurity. Current red-teaming tools often rely on fixed benchmarks or unrealistic prompts, missing many real-world vulnerabilities. We present ASTRA, an automated agent system designed to systematically uncover safety flaws in AI-driven code generation and security guidance systems. ASTRA works in three stages: (1) it builds structured domain-specific knowledge graphs that model complex software tasks and known weaknesses; (2) it performs online vulnerability exploration of each target model by adaptively probing both its input space, i.e., the spatial exploration, and its reasoning processes, i.e., the temporal exploration, guided by the knowledge graphs; and (3) it generates high-quality violation-inducing cases to improve model alignment. Unlike prior methods, ASTRA focuses on realistic inputs-requests that developers might actually ask-and uses both offline abstraction guided domain modeling and online domain knowledge graph adaptation to surface corner-case vulnerabilities. Across two major evaluation domains, ASTRA finds 11-66% more issues than existing techniques and produces test cases that lead to 17% more effective alignment training, showing its practical value for building safer AI systems.
- [5] arXiv:2508.04094 [中文pdf, pdf, html, 其他]
-
标题: 隔离触发器:检测和消除逃避自适应后门标题: Isolate Trigger: Detecting and Eradicating Evade-Adaptive BackdoorsChengrui Sun, Hua Zhang, Haoran Gao, Zian Tian, Jianjin Zhao, qi Li, Hongliang Zhu, Zongliang Shen, Shang Wang, Anmin Fu主题: 密码学与安全 (cs.CR)
所有当前针对深度学习模型的后门攻击检测都属于非必要特征(NEF)类别,这些检测方法专注于对抗简单且高效的垂直类别后门——触发器小、少且不与源特征重叠。 逃避自适应后门(EAB)攻击已经避开了NEF检测并提高了训练效率。 我们引入了一个精确、高效且通用的检测和防御框架,称为隔离触发器(IsTr)。 IsTr旨在通过打破源特征的障碍来找到隐藏的触发器。 因此,它研究了后门触发的本质,并使用步骤和差分中间切片作为组件来更新过去的距离和梯度理论。 IsTr在模型中也起到积极作用,无论是否存在后门。 例如,准确地发现并修复自动驾驶中由于故意或无意训练导致的错误识别。 在各种任务上的广泛实验,包括MNIST、人脸识别和交通标志识别,证实了IsTr的高效率、通用性和精确性。 我们对IsTr在一系列六种EAB攻击中的有效性进行了严格评估,包括Badnets、Sin-Wave、多触发器、SSBAs、CASSOCK、HCB。 这些对策都没有被避开,即使攻击组合在一起且触发器与源特征重叠。
All current detection of backdoor attacks on deep learning models fall under the category of a non essential features(NEF), which focus on fighting against simple and efficient vertical class backdoor -- trigger is small, few and not overlapping with the source. Evade-adaptive backdoor (EAB) attacks have evaded NEF detection and improved training efficiency. We introduces a precise, efficient and universal detection and defense framework coined as Isolate Trigger (IsTr). IsTr aims to find the hidden trigger by breaking the barrier of the source features. Therefore, it investigates the essence of backdoor triggering, and uses Steps and Differential-Middle-Slice as components to update past theories of distance and gradient. IsTr also plays a positive role in the model, whether the backdoor exists. For example, accurately find and repair the wrong identification caused by deliberate or unintentional training in automatic driving. Extensive experiments on robustness scross various tasks, including MNIST, facial recognition, and traffic sign recognition, confirm the high efficiency, generality and precision of the IsTr. We rigorously evaluated the effectiveness of the IsTr against a series of six EAB attacks, including Badnets, Sin-Wave, Multi-trigger, SSBAs, CASSOCK, HCB. None of these countermeasures evade, even when attacks are combined and the trigger and source overlap.
- [6] arXiv:2508.04100 [中文pdf, pdf, html, 其他]
-
标题: SenseCrypt:面向跨设备场景的联合联邦学习的敏感度引导选择性同态加密标题: SenseCrypt: Sensitivity-guided Selective Homomorphic Encryption for Joint Federated Learning in Cross-Device Scenarios评论: 17页,19图主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 分布式、并行与集群计算 (cs.DC)
同态加密(HE)在保护联邦学习(FL)中占主导地位,但存在高开销和适应成本的问题。选择性HE方法通过全局掩码部分加密模型参数,有望以较低的开销和易于适应的方式保护隐私。然而,在具有异构数据和系统能力的跨设备场景中,传统的选择性HE方法会加剧客户端延迟问题,并且在HE开销减少性能方面表现不佳。因此,我们提出了SenseCrypt,一种基于敏感度的选择性同态加密框架,以自适应地平衡跨设备FL客户端的安全性和HE开销。鉴于模型参数敏感度对于衡量客户端数据分布相似性是有效的,我们首先设计了一种隐私保护方法,分别对具有相似数据分布的客户端进行聚类。然后,我们开发了一种评分机制,推导出每个聚类中每个客户端可以加密的无延迟模型参数比例。最后,针对每个客户端,我们制定并解决一个多目标模型参数选择优化问题,该问题在不引起延迟的情况下最小化HE开销并最大化模型安全性。实验表明,SenseCrypt能够抵御最先进的逆向攻击,同时保持与在独立同分布数据上相同的正常模型精度,并且与传统HE方法相比,训练时间减少了58.4%-88.7%。
Homomorphic Encryption (HE) prevails in securing Federated Learning (FL), but suffers from high overhead and adaptation cost. Selective HE methods, which partially encrypt model parameters by a global mask, are expected to protect privacy with reduced overhead and easy adaptation. However, in cross-device scenarios with heterogeneous data and system capabilities, traditional Selective HE methods deteriorate client straggling, and suffer from degraded HE overhead reduction performance. Accordingly, we propose SenseCrypt, a Sensitivity-guided selective Homomorphic EnCryption framework, to adaptively balance security and HE overhead per cross-device FL client. Given the observation that model parameter sensitivity is effective for measuring clients' data distribution similarity, we first design a privacy-preserving method to respectively cluster the clients with similar data distributions. Then, we develop a scoring mechanism to deduce the straggler-free ratio of model parameters that can be encrypted by each client per cluster. Finally, for each client, we formulate and solve a multi-objective model parameter selection optimization problem, which minimizes HE overhead while maximizing model security without causing straggling. Experiments demonstrate that SenseCrypt ensures security against the state-of-the-art inversion attacks, while achieving normal model accuracy as on IID data, and reducing training time by 58.4%-88.7% as compared to traditional HE methods.
- [7] arXiv:2508.04155 [中文pdf, pdf, html, 其他]
-
标题: 评估针对梯度反演攻击的选择性加密标题: Evaluating Selective Encryption Against Gradient Inversion Attacks主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
梯度反转攻击对分布式训练框架(如联邦学习)构成重大隐私威胁,使恶意方能够在聚合过程中从客户端与聚合服务器之间的梯度通信中重建敏感的本地训练数据。 尽管传统的基于加密的防御方法,如同态加密,在不损害模型效用的情况下提供强大的隐私保证,但它们通常会产生高昂的计算开销。 为了缓解这一问题,选择性加密作为一种有前景的方法出现,它根据某种度量下数据的重要性仅对梯度数据的一个子集进行加密。 然而,关于如何在实践中指定这种度量的研究仍然很少。 本文系统评估了不同重要性度量的选择性加密方法对最先进的攻击的抵抗能力。 我们的研究结果表明,选择性加密在减少计算开销的同时保持对攻击的抵抗力是可行的。 我们提出了一种基于距离的重要性分析框架,为选择关键梯度元素进行加密提供了理论基础。 通过在不同模型架构(LeNet、CNN、BERT、GPT-2)和攻击类型上的大量实验,我们确定梯度幅度是一种在对抗基于优化的梯度反转攻击方面普遍有效的度量。 然而,我们也观察到,没有一种选择性加密策略在所有攻击场景中都是最优的,并且我们为不同模型架构和隐私需求提供了选择适当策略的指南。
Gradient inversion attacks pose significant privacy threats to distributed training frameworks such as federated learning, enabling malicious parties to reconstruct sensitive local training data from gradient communications between clients and an aggregation server during the aggregation process. While traditional encryption-based defenses, such as homomorphic encryption, offer strong privacy guarantees without compromising model utility, they often incur prohibitive computational overheads. To mitigate this, selective encryption has emerged as a promising approach, encrypting only a subset of gradient data based on the data's significance under a certain metric. However, there have been few systematic studies on how to specify this metric in practice. This paper systematically evaluates selective encryption methods with different significance metrics against state-of-the-art attacks. Our findings demonstrate the feasibility of selective encryption in reducing computational overhead while maintaining resilience against attacks. We propose a distance-based significance analysis framework that provides theoretical foundations for selecting critical gradient elements for encryption. Through extensive experiments on different model architectures (LeNet, CNN, BERT, GPT-2) and attack types, we identify gradient magnitude as a generally effective metric for protection against optimization-based gradient inversions. However, we also observe that no single selective encryption strategy is universally optimal across all attack scenarios, and we provide guidelines for choosing appropriate strategies for different model architectures and privacy requirements.
- [8] arXiv:2508.04178 [中文pdf, pdf, html, 其他]
-
标题: 基于挂钩的欺骗框架对抗键盘记录技术的安全开发标题: Secure Development of a Hooking-Based Deception Framework Against Keylogging Techniques评论: 已被IEEE安全开发会议(SecDev)2025接受主题: 密码学与安全 (cs.CR)
关键记录器仍然是现代网络安全中的严重威胁,它们默默捕获用户按键以窃取凭证和敏感信息。 传统的防御措施主要集中在检测和移除上,这可以阻止恶意活动,但对吸引或误导对手作用有限。 在本文中,我们提出了一种欺骗框架,利用API钩子在运行时拦截由关键记录器调用的与输入相关的API调用,并注入真实的诱饵按键。 然而,一个核心挑战在于高级关键记录器日益广泛采用的反钩子技术。 反钩子策略允许恶意软件绕过或检测仪器。 为了应对这一点,我们引入了一个加固的钩子层,能够检测篡改并迅速恢复被破坏的钩子,确保欺骗的连续性。 我们针对一个自建的“超级关键记录器”进行了评估,该记录器结合了多种逃避策略,以及50个涵盖十个著名关键记录器家族的真实恶意软件样本。 实验结果表明,我们的系统成功抵抗了复杂的绕过尝试,保持了操作的隐蔽性,并通过提供诱饵可靠地欺骗攻击者。 该系统运行时性能开销微乎其微,对用户体验没有明显影响。 我们的研究结果表明,具有弹性的实时欺骗可以在应对高级威胁中发挥实际且稳健的作用。
Keyloggers remain a serious threat in modern cybersecurity, silently capturing user keystrokes to steal credentials and sensitive information. Traditional defenses focus mainly on detection and removal, which can halt malicious activity but do little to engage or mislead adversaries. In this paper, we present a deception framework that leverages API hooking to intercept input-related API calls invoked by keyloggers at runtime and inject realistic decoy keystrokes. A core challenge, however, lies in the increasing adoption of anti-hooking techniques by advanced keyloggers. Anti-hooking strategies allow malware to bypass or detect instrumentation. To counter this, we introduce a hardened hooking layer that detects tampering and rapidly reinstates disrupted hooks, ensuring continuity of deception. We evaluate our framework against a custom-built "super keylogger" incorporating multiple evasion strategies, as well as 50 real-world malware samples spanning ten prominent keylogger families. Experimental results demonstrate that our system successfully resists sophisticated bypass attempts, maintains operational stealth, and reliably deceives attackers by feeding them decoys. The system operates with negligible performance overhead and no observable impact on user experience. Our findings show that resilient, runtime deception can play a practical and robust role in confronting advanced threats.
- [9] arXiv:2508.04189 [中文pdf, pdf, html, 其他]
-
标题: BadTime:一种针对多变量长期时间序列预测的有效后门攻击标题: BadTime: An Effective Backdoor Attack on Multivariate Long-Term Time Series Forecasting主题: 密码学与安全 (cs.CR)
多变量长期时间序列预测(MLTSF)模型越来越多地被部署在气候、金融和交通等关键领域。 尽管已经提出了各种强大的MLTSF模型来提高预测性能,但MLTSF模型对恶意后门攻击的鲁棒性仍然完全未被探索,这对于确保其可靠和可信的部署至关重要。 为了解决这一差距,我们对针对MLTSF模型的后门攻击进行了深入研究,并提出了第一个有效的攻击方法,名为BadTime。 BadTime通过污染训练数据并定制后门训练过程来执行后门攻击。 在数据污染过程中,BadTime提出了一种对比引导策略,以选择最适合污染的训练样本,然后采用图注意力网络来识别触发注入的影响变量。 随后,BadTime根据滞后分析进一步定位触发注入的最佳位置,并提出了一种类似拼图的触发结构,将触发分散到多个污染变量中,共同引导目标变量的预测。 在后门训练过程中,BadTime通过提出的定制优化目标交替优化模型和触发器。 大量实验表明,BadTime在时间序列预测方面显著优于最先进的(SOTA)后门攻击,使目标变量的MAE减少了超过50%,并且隐蔽性提高了3倍以上。
Multivariate Long-Term Time Series Forecasting (MLTSF) models are increasingly deployed in critical domains such as climate, finance, and transportation. Although a variety of powerful MLTSF models have been proposed to improve predictive performance, the robustness of MLTSF models against malicious backdoor attacks remains entirely unexplored, which is crucial to ensuring their reliable and trustworthy deployment. To address this gap, we conduct an in-depth study on backdoor attacks against MLTSF models and propose the first effective attack method named BadTime. BadTime executes a backdoor attack by poisoning training data and customizing the backdoor training process. During data poisoning, BadTime proposes a contrast-guided strategy to select the most suitable training samples for poisoning, then employs a graph attention network to identify influential variables for trigger injection. Subsequently, BadTime further localizes optimal positions for trigger injection based on lag analysis and proposes a puzzle-like trigger structure that distributes the trigger across multiple poisoned variables to jointly steer the prediction of the target variable. During backdoor training, BadTime alternately optimizes the model and triggers via proposed tailored optimization objectives. Extensive experiments show that BadTime significantly outperforms state-of-the-art (SOTA) backdoor attacks on time series forecasting by reducing MAE by over 50% on target variables and boosting stealthiness by more than 3 times.
- [10] arXiv:2508.04208 [中文pdf, pdf, html, 其他]
-
标题: DP-DocLDM:使用潜在扩散模型的差分隐私文档图像生成标题: DP-DocLDM: Differentially Private Document Image Generation using Latent Diffusion Models评论: 被ICDAR 2025接收主题: 密码学与安全 (cs.CR)
随着基于深度学习的数据驱动信息提取系统越来越多地融入现代文档处理工作流,一个主要问题是这些系统中敏感隐私数据被恶意泄露的风险。 尽管一些近期的研究探索了差分隐私(DP)来缓解这些隐私风险,但基于DP的训练已知会导致性能显著下降,并对标准训练过程施加若干限制,使其直接应用于下游任务既困难又昂贵。 在本工作中,我们旨在通过用合成对应物替代真实私有数据,在文档图像分类的背景下解决上述挑战。 具体而言,我们提出结合差分隐私(DP)使用条件潜在扩散模型(LDMs)在严格的隐私约束下生成特定类别的合成文档图像,然后可以按照标准训练流程利用这些图像训练下游分类器。 我们在各种预训练设置下研究我们的方法,包括无条件、类别条件和布局条件预训练,并结合多种私有训练策略,如类别条件和按标签私有微调,使用DPDM和DP-Promise算法。 此外,我们在两个著名的文档基准数据集RVL-CDIP和Tobacco3482上对其进行评估,并表明它可以在各种文档类型和隐私级别下生成有用且真实的文档样本($\varepsilon \in \{1, 5, 10\}$)。 最后,我们表明与直接应用DP-Adam相比,我们的方法在小规模数据集的下游评估中实现了显著的性能提升。
As deep learning-based, data-driven information extraction systems become increasingly integrated into modern document processing workflows, one primary concern is the risk of malicious leakage of sensitive private data from these systems. While some recent works have explored Differential Privacy (DP) to mitigate these privacy risks, DP-based training is known to cause significant performance degradation and impose several limitations on standard training procedures, making its direct application to downstream tasks both difficult and costly. In this work, we aim to address the above challenges within the context of document image classification by substituting real private data with a synthetic counterpart. In particular, we propose to use conditional latent diffusion models (LDMs) in combination with differential privacy (DP) to generate class-specific synthetic document images under strict privacy constraints, which can then be utilized to train a downstream classifier following standard training procedures. We investigate our approach under various pretraining setups, including unconditional, class-conditional, and layout-conditional pretraining, in combination with multiple private training strategies such as class-conditional and per-label private fine-tuning with DPDM and DP-Promise algorithms. Additionally, we evaluate it on two well-known document benchmark datasets, RVL-CDIP and Tobacco3482, and show that it can generate useful and realistic document samples across various document types and privacy levels ($\varepsilon \in \{1, 5, 10\}$). Lastly, we show that our approach achieves substantial performance improvements in downstream evaluations on small-scale datasets, compared to the direct application of DP-Adam.
- [11] arXiv:2508.04285 [中文pdf, pdf, html, 其他]
-
标题: 针对联邦学习中数据重建攻击的逐元素安全聚合标题: Per-element Secure Aggregation against Data Reconstruction Attacks in Federated Learning评论: 10页,5图主题: 密码学与安全 (cs.CR)
联邦学习(FL)允许在不共享原始数据的情况下进行协作模型训练,但个体模型更新仍可能泄露敏感信息。安全聚合(SecAgg)通过允许服务器仅访问客户端更新的总和来缓解此风险,从而隐藏个体贡献。然而,一个显著的漏洞最近引起了越来越多的关注:当模型更新是稀疏向量时,单个客户端在特定索引上的非零值可以直接在聚合中被揭示,从而允许精确的数据重建攻击。在本文中,我们提出了一种对SecAgg的创新改进,该改进仅在至少有$t$个非零贡献的索引上揭示聚合值。我们的机制引入了一种逐元素遮蔽策略,以防止低贡献元素的暴露,同时通过仅依赖典型设置中已使用的密码学原语,保持与许多现有SecAgg实现的模块化和兼容性。我们将这种机制集成到Flamingo中,这是一种低轮次的SecAgg协议,以提供对这类攻击的稳健防御。我们的分析和实验结果表明,由我们的机制引入的额外计算和通信开销保持在可接受范围内,支持我们方法的实用性。
Federated learning (FL) enables collaborative model training without sharing raw data, but individual model updates may still leak sensitive information. Secure aggregation (SecAgg) mitigates this risk by allowing the server to access only the sum of client updates, thereby concealing individual contributions. However, a significant vulnerability has recently attracted increasing attention: when model updates are sparse vectors, a non-zero value contributed by a single client at a given index can be directly revealed in the aggregate, enabling precise data reconstruction attacks. In this paper, we propose a novel enhancement to SecAgg that reveals aggregated values only at indices with at least $t$ non-zero contributions. Our mechanism introduces a per-element masking strategy to prevent the exposure of under-contributed elements, while maintaining modularity and compatibility with many existing SecAgg implementations by relying solely on cryptographic primitives already employed in a typical setup. We integrate this mechanism into Flamingo, a low-round SecAgg protocol, to provide a robust defense against such attacks. Our analysis and experimental results indicate that the additional computational and communication overhead introduced by our mechanism remains within an acceptable range, supporting the practicality of our approach.
- [12] arXiv:2508.04561 [中文pdf, pdf, html, 其他]
-
标题: 攻击模式挖掘以发现工业控制系统中的隐藏威胁标题: Attack Pattern Mining to Discover Hidden Threats to Industrial Control Systems主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
本工作专注于工业控制系统(ICS)安全背景下的攻击模式挖掘验证。 对ICS进行全面的安全评估需要生成大量且多样的攻击模式。 为此,我们提出了一种数据驱动的技术来为ICS生成攻击模式。 所提出的技术已用于从运营中的水处理厂数据中生成超过100,000个攻击模式。 在本工作中,我们展示了一个详细的案例研究来验证攻击模式。
This work focuses on validation of attack pattern mining in the context of Industrial Control System (ICS) security. A comprehensive security assessment of an ICS requires generating a large and variety of attack patterns. For this purpose we have proposed a data driven technique to generate attack patterns for an ICS. The proposed technique has been used to generate over 100,000 attack patterns from data gathered from an operational water treatment plant. In this work we present a detailed case study to validate the attack patterns.
- [13] arXiv:2508.04583 [中文pdf, pdf, html, 其他]
-
标题: 测量加密隐私增强技术的碳足迹标题: Measuring the Carbon Footprint of Cryptographic Privacy-Enhancing Technologies主题: 密码学与安全 (cs.CR)
隐私增强技术(PETs)因隐私法规而受到广泛关注,推动了以用户数据保护为重点的应用程序的发展。 与此同时,信息和通信技术(ICT)行业面临着减少其环境足迹的压力,特别是其碳排放。 尽管有许多研究评估了各种ICT应用的能源足迹,但密码学PETs的环境足迹仍大多未被探索。 我们的工作通过提出一种标准化的方法来评估PETs的碳足迹,弥补了这一空白。 为了展示这种方法,我们专注于支持客户端-服务器应用的PETs,因为它们是最容易部署的。 特别是,我们测量了五种密码学PETs(与非隐私等效版本相比)引起的能耗和碳足迹增加:HTTPS网页浏览、加密机器学习(ML)推理、加密ML训练、加密数据库和加密电子邮件。 我们的研究结果揭示了碳足迹增加的显著差异,从HTTPS网页浏览的两倍增加到加密ML的100,000倍增加。 我们的研究提供了关键的数据,帮助决策者评估此类应用中的隐私-碳权衡。 最后,我们概述了开发在强大隐私保护与环境可持续性之间取得平衡的PETs的关键研究方向。
Privacy-enhancing technologies (PETs) have attracted significant attention in response to privacy regulations, driving the development of applications that prioritize user data protection. At the same time, the information and communication technology (ICT) sector faces growing pressure to reduce its environmental footprint, particularly its carbon emissions. While numerous studies have assessed the energy footprint of various ICT applications, the environmental footprint of cryptographic PETs remains largely unexplored. Our work addresses this gap by proposing a standardized methodology for evaluating the carbon footprint of PETs. To demonstrate this methodology, we focus on PETs supporting client-server applications as they are the simplest to deploy. In particular, we measure the energy consumption and carbon footprint increase induced by five cryptographic PETs (compared to their non-private equivalent): HTTPS web browsing, encrypted machine learning (ML) inference, encrypted ML training, encrypted databases, and encrypted emails. Our findings reveal significant variability in carbon footprint increases, ranging from a twofold increase in HTTPS web browsing to a 100,000-fold increase in encrypted ML. Our study provides essential data to help decision-makers assess privacy-carbon trade-offs in such applications. Finally, we outline key research directions for developing PETs that balance strong privacy protection with environmental sustainability.
- [14] arXiv:2508.04641 [中文pdf, pdf, html, 其他]
-
标题: 4-Swap:使用四笔交易实现无悲伤和无贿赂的原子交换标题: 4-Swap: Achieving Grief-Free and Bribery-Safe Atomic Swaps Using Four TransactionsKirti Singh (1 and 2), Vinay J. Ribeiro (1), Susmita Mandal (2) ((1) Indian Institute of Technology Bombay, India, (2) Institute for Development and Research in Banking Technology, Hyderabad, India)评论: 被AFT 2025接受。将发表在LIPIcs会议论文集上主题: 密码学与安全 (cs.CR)
跨链资产交换对于区块链互操作性至关重要。 现有解决方案依赖于可信第三方,存在资产损失的风险,或者使用像原子交换这样的去中心化替代方案,但这些方案容易受到恶意攻击。 当一方过早退出时,就会发生恶意攻击,导致对方的资产被锁定直到时间锁到期。 有保障的原子交换通过引入惩罚溢价来缓解恶意攻击;然而,它们将交易数量从四个(如Tier Nolan的交换)增加到六个,这又引入了新的恶意攻击风险。 无恶意(GF)交换通过在一个链上合并资产和溢价,将交易数量减少到五个。 然而,现有的协议都无法在仅四次交易中实现无恶意的资产交换。 本文提出了4-Swap,第一个跨链原子交换协议,它既无恶意也无贿赂安全,在仅四次交易中完成资产交换。 通过将恶意攻击溢价和本金合并到每个链的一个交易中,4-Swap减少了链上交易,与之前的无恶意解决方案相比,执行速度更快。 它完全兼容比特币,且无需任何新操作码。 博弈论分析表明,理性参与者没有动机偏离协议,从而确保了强大的合规性和安全性。
Cross-chain asset exchange is crucial for blockchain interoperability. Existing solutions rely on trusted third parties and risk asset loss, or use decentralized alternatives like atomic swaps, which suffer from grief attacks. Griefing occurs when a party prematurely exits, locking the counterparty's assets until a timelock expires. Hedged Atomic Swaps mitigate griefing by introducing a penalty premium; however, they increase the number of transactions from four (as in Tier Nolan's swap) to six, which in turn introduces new griefing risks. Grief-Free (GF) Swap reduces this to five transactions by consolidating assets and premiums on a single chain. However, no existing protocol achieves grief-free asset exchange in just four transactions. This paper presents 4-Swap, the first cross-chain atomic swap protocol that is both grief-free and bribery-safe, while completing asset exchange in just four transactions. By combining the griefing premium and principal into a single transaction per chain, 4-Swap reduces on-chain transactions, leading to faster execution compared to previous grief-free solutions. It is fully compatible with Bitcoin and operates without the need for any new opcodes. A game-theoretic analysis shows that rational participants have no incentive to deviate from the protocol, ensuring robust compliance and security.
新提交 (展示 14 之 14 条目 )
- [15] arXiv:2508.02403 (交叉列表自 econ.GN) [中文pdf, pdf, html, 其他]
-
标题: SoK:数字转型中的稳定币——以现实资产代币化为例的设计、度量和应用标题: SoK: Stablecoins for Digital Transformation -- Design, Metrics, and Application with Real World Asset Tokenization as a Case Study主题: 一般经济学 (econ.GN)
稳定币已成为数字资产生态系统的基础组成部分,截至2025年5月,其市值已超过2300亿美元。 作为与法币挂钩和可编程的资产,稳定币为支付、去中心化金融(DeFi)和代币化商业提供了低延迟、全球互操作的基础设施。 它们的加速采用引发了广泛的监管参与,例如欧盟的加密资产市场法规(MiCA)、美国的指导并建立美国稳定币国家创新法案(GENIUS Act)以及香港的稳定币法案。 尽管有这种势头,学术研究在经济学、法律和计算机科学领域仍然分散,缺乏统一的设计、评估和应用框架。 本研究通过多方法研究设计来填补这一空白。 首先,它综合跨学科文献,基于托管结构、稳定机制和治理构建稳定币系统的分类法。 其次,它开发了一个针对不同利益相关者需求的性能评估框架,并通过一个开源基准测试管道来确保透明度和可重复性。 第三,对现实世界资产代币化的案例研究展示了稳定币如何在跨境数字系统中作为可编程货币基础设施运作。 通过将概念理论与实证工具相结合,本文做出了以下贡献:一个统一的稳定币设计分类法;一个以利益相关者为导向的性能评估框架;一个将稳定币与行业转型联系起来的实证案例;以及可重复的方法和数据集,以指导未来的研究。 这些贡献支持了可信、包容和透明的数字货币基础设施的发展。
Stablecoins have become a foundational component of the digital asset ecosystem, with their market capitalization exceeding 230 billion USD as of May 2025. As fiat-referenced and programmable assets, stablecoins provide low-latency, globally interoperable infrastructure for payments, decentralized finance, DeFi, and tokenized commerce. Their accelerated adoption has prompted extensive regulatory engagement, exemplified by the European Union's Markets in Crypto-assets Regulation, MiCA, the US Guiding and Establishing National Innovation for US Stablecoins Act, GENIUS Act, and Hong Kong's Stablecoins Bill. Despite this momentum, academic research remains fragmented across economics, law, and computer science, lacking a unified framework for design, evaluation, and application. This study addresses that gap through a multi-method research design. First, it synthesizes cross-disciplinary literature to construct a taxonomy of stablecoin systems based on custodial structure, stabilization mechanism, and governance. Second, it develops a performance evaluation framework tailored to diverse stakeholder needs, supported by an open-source benchmarking pipeline to ensure transparency and reproducibility. Third, a case study on Real World Asset tokenization illustrates how stablecoins operate as programmable monetary infrastructure in cross-border digital systems. By integrating conceptual theory with empirical tools, the paper contributes: a unified taxonomy for stablecoin design; a stakeholder-oriented performance evaluation framework; an empirical case linking stablecoins to sectoral transformation; and reproducible methods and datasets to inform future research. These contributions support the development of trusted, inclusive, and transparent digital monetary infrastructure.
- [16] arXiv:2508.03714 (交叉列表自 cs.HC) [中文pdf, pdf, html, 其他]
-
标题: “先思考,总验证”:训练人类应对AI风险标题: "Think First, Verify Always": Training Humans to Face AI Risks主题: 人机交互 (cs.HC) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR) ; 计算机与社会 (cs.CY)
人工智能使人类认知面临前所未有的攻击,但网络安全仍然主要以设备为中心。 本文介绍了“先思考,始终验证”(TFVA) 协议,该协议将人类重新定位为“防火墙零”,即对抗人工智能威胁的第一道防线。 该协议基于五个操作原则:意识、诚信、判断、伦理责任和透明度(AIJET)。 一项随机对照试验(n=151)表明,一个最小的3分钟干预措施显著提高了认知安全任务的表现,参与者相比对照组表现出绝对+7.87%的提升。 这些结果表明,简短的原则性培训可以迅速增强人类对人工智能驱动的认知操控的抵抗力。 我们建议GenAI平台将“先思考,始终验证”作为标准提示,用可操作的协议取代被动警告,以提高可信和道德的人工智能使用。 通过弥合技术网络安全与人为因素之间的差距,TFVA 协议确立了以人为本的安全性作为可信人工智能系统的重要组成部分。
Artificial intelligence enables unprecedented attacks on human cognition, yet cybersecurity remains predominantly device-centric. This paper introduces the "Think First, Verify Always" (TFVA) protocol, which repositions humans as 'Firewall Zero', the first line of defense against AI-enabled threats. The protocol is grounded in five operational principles: Awareness, Integrity, Judgment, Ethical Responsibility, and Transparency (AIJET). A randomized controlled trial (n=151) demonstrated that a minimal 3-minute intervention produced statistically significant improvements in cognitive security task performance, with participants showing an absolute +7.87% gains compared to controls. These results suggest that brief, principles-based training can rapidly enhance human resilience against AI-driven cognitive manipulation. We recommend that GenAI platforms embed "Think First, Verify Always" as a standard prompt, replacing passive warnings with actionable protocols to enhance trustworthy and ethical AI use. By bridging the gap between technical cybersecurity and human factors, the TFVA protocol establishes human-empowered security as a vital component of trustworthy AI systems.
- [17] arXiv:2508.03793 (交叉列表自 cs.CL) [中文pdf, pdf, html, 其他]
-
标题: AttnTrace:基于注意力的长上下文大模型上下文回溯方法标题: AttnTrace: Attention-based Context Traceback for Long-Context LLMs评论: 代码可在 https://github.com/Wang-Yanting/AttnTrace 获取。演示可在 https://huggingface.co/spaces/SecureLLMSys/AttnTrace 获取。主题: 计算与语言 (cs.CL) ; 密码学与安全 (cs.CR)
长上下文大型语言模型(LLMs),如Gemini-2.5-Pro和Claude-Sonnet-4,正被越来越多地用于增强先进的AI系统,包括检索增强生成(RAG)管道和自主代理。 在这些系统中,LLM会接收一条指令以及一个上下文——通常由从知识数据库或记忆中检索到的文本组成——并根据指令生成一个与上下文相关的响应。 最近的研究设计了解决方案,以追溯到上下文中对LLM生成的响应贡献最大的一部分文本。 这些解决方案有许多实际应用,包括执行攻击后的取证分析,并提高LLM输出的可解释性和可信度。 尽管已经做出了大量努力,但最先进的解决方案如TracLLM通常会导致较高的计算成本,例如,TracLLM对单个响应-上下文对进行追溯需要数百秒。 在本工作中,我们提出了AttnTrace,一种基于LLM为提示生成的注意力权重的新上下文追溯方法。 为了有效利用注意力权重,我们引入了两种旨在增强AttnTrace效果的技术,并为我们设计选择提供了理论见解。 我们还对AttnTrace进行了系统的评估。 结果表明,与现有的最先进的上下文追溯方法相比,AttnTrace更加准确和高效。 我们还展示了AttnTrace可以通过归因先于检测的范式来提高最先进的方法在长上下文中检测提示注入的能力。 作为一个实际应用,我们展示了AttnTrace可以有效地定位一个旨在操纵LLM生成评论的论文中注入的指令。 代码位于https://github.com/Wang-Yanting/AttnTrace。
Long-context large language models (LLMs), such as Gemini-2.5-Pro and Claude-Sonnet-4, are increasingly used to empower advanced AI systems, including retrieval-augmented generation (RAG) pipelines and autonomous agents. In these systems, an LLM receives an instruction along with a context--often consisting of texts retrieved from a knowledge database or memory--and generates a response that is contextually grounded by following the instruction. Recent studies have designed solutions to trace back to a subset of texts in the context that contributes most to the response generated by the LLM. These solutions have numerous real-world applications, including performing post-attack forensic analysis and improving the interpretability and trustworthiness of LLM outputs. While significant efforts have been made, state-of-the-art solutions such as TracLLM often lead to a high computation cost, e.g., it takes TracLLM hundreds of seconds to perform traceback for a single response-context pair. In this work, we propose AttnTrace, a new context traceback method based on the attention weights produced by an LLM for a prompt. To effectively utilize attention weights, we introduce two techniques designed to enhance the effectiveness of AttnTrace, and we provide theoretical insights for our design choice. We also perform a systematic evaluation for AttnTrace. The results demonstrate that AttnTrace is more accurate and efficient than existing state-of-the-art context traceback methods. We also show that AttnTrace can improve state-of-the-art methods in detecting prompt injection under long contexts through the attribution-before-detection paradigm. As a real-world application, we demonstrate that AttnTrace can effectively pinpoint injected instructions in a paper designed to manipulate LLM-generated reviews. The code is at https://github.com/Wang-Yanting/AttnTrace.
- [18] arXiv:2508.03829 (交叉列表自 cs.CL) [中文pdf, pdf, html, 其他]
-
标题: 针对大语言模型的多数位感知水印技术标题: Majority Bit-Aware Watermarking For Large Language Models评论: 预印本主题: 计算与语言 (cs.CL) ; 密码学与安全 (cs.CR)
大型语言模型(LLMs)在现实应用中的广泛部署引发了对其潜在滥用生成有害或欺骗性内容的担忧。 为解决这一问题,水印技术作为一种有前景的解决方案出现,通过在生成的文本中嵌入可识别的二进制信息,用于来源验证和滥用追踪。 尽管近期研究探索了能够嵌入丰富信息(如用户标识符)的多比特水印方案,但它们通常面临文本质量和解码准确性之间的基本权衡:为了确保可靠的消息解码,它们必须在编码过程中限制首选标记集合的大小,而这种限制会降低生成内容的质量。 在本工作中,我们提出了MajorMark,一种通过多数位感知编码改进这一权衡的新水印方法。 MajorMark根据消息的多数位选择首选标记集合,从而实现更大且更灵活的标记采样。 与之前依赖标记频率分析进行解码的方法不同,MajorMark采用基于聚类的解码策略,在首选标记集合较大时仍能保持高解码准确性,从而同时保持内容质量和解码准确性。 我们进一步引入了MajorMark$^+$,该方法将消息分成多个块,独立编码并确定性地解码每个块,从而进一步提高水印文本的质量并提升解码准确性。 在最先进的LLMs上的大量实验表明,我们的方法显著提高了解码准确性和文本生成质量,优于之前的多比特水印基线。
The growing deployment of Large Language Models (LLMs) in real-world applications has raised concerns about their potential misuse in generating harmful or deceptive content. To address this issue, watermarking techniques have emerged as a promising solution by embedding identifiable binary messages into generated text for origin verification and misuse tracing. While recent efforts have explored multi-bit watermarking schemes capable of embedding rich information such as user identifiers, they typically suffer from the fundamental trade-off between text quality and decoding accuracy: to ensure reliable message decoding, they have to restrict the size of preferred token sets during encoding, yet such restrictions reduce the quality of the generated content. In this work, we propose MajorMark, a novel watermarking method that improves this trade-off through majority bit-aware encoding. MajorMark selects preferred token sets based on the majority bit of the message, enabling a larger and more flexible sampling of tokens. In contrast to prior methods that rely on token frequency analysis for decoding, MajorMark employs a clustering-based decoding strategy, which maintains high decoding accuracy even when the preferred token set is large, thus preserving both content quality and decoding accuracy. We further introduce MajorMark$^+$, which partitions the message into multiple blocks to independently encode and deterministically decode each block, thereby further enhancing the quality of watermarked text and improving decoding accuracy. Extensive experiments on state-of-the-art LLMs demonstrate that our methods significantly enhance both decoding accuracy and text generation quality, outperforming prior multi-bit watermarking baselines.
- [19] arXiv:2508.03856 (交叉列表自 cs.SE) [中文pdf, pdf, html, 其他]
-
标题: 评估研究软件的软件供应链安全性标题: Evaluating Software Supply Chain Security in Research Software评论: 被GI SKILL 2025会议接受主题: 软件工程 (cs.SE) ; 密码学与安全 (cs.CR)
研究软件的安全性对于确保科学结果的完整性和可重复性至关重要。 然而,研究软件的安全性仍然很大程度上未被探索。 由于其依赖于开源组件和分布式开发实践,研究软件特别容易受到供应链攻击。 本研究使用 OpenSSF Scorecard 分析了 3,248 个高质量、大部分经过同行评审的研究软件仓库。 我们发现整体安全态势较弱,平均得分为 3.5/10。 重要的实践措施,如签名发布和分支保护,很少被实施。 最后,我们提出了可操作的、低努力的建议,可以帮助研究团队提高软件安全性并缓解对科学完整性的潜在威胁。
The security of research software is essential for ensuring the integrity and reproducibility of scientific results. However, research software security is still largely unexplored. Due to its dependence on open source components and distributed development practices, research software is particularly vulnerable to supply chain attacks. This study analyses 3,248 high-quality, largely peer-reviewed research software repositories using the OpenSSF Scorecard. We find a generally weak security posture with an average score of 3.5/10. Important practices, such as signed releases and branch protection, are rarely implemented. Finally, we present actionable, low-effort recommendations that can help research teams improve software security and mitigate potential threats to scientific integrity.
- [20] arXiv:2508.03967 (交叉列表自 cs.CV) [中文pdf, pdf, html, 其他]
-
标题: RAVID:检索增强的视觉检测:一种用于人工智能生成图像识别的知识驱动方法标题: RAVID: Retrieval-Augmented Visual Detection: A Knowledge-Driven Approach for AI-Generated Image Identification主题: 计算机视觉与模式识别 (cs.CV) ; 密码学与安全 (cs.CR) ; 信息检索 (cs.IR)
在本文中,我们介绍了RAVID,这是首个利用视觉检索增强生成(RAG)的AI生成图像检测框架。虽然RAG方法在减轻基础模型中的事实性不准确性方面显示出潜力,但它们主要集中在文本上,而视觉知识尚未得到充分探索。同时,现有的检测方法在泛化性和鲁棒性方面存在困难,通常依赖于低级伪影和模型特定特征,限制了其适应性。为了解决这个问题,RAVID动态检索相关图像以增强检测。我们的方法使用了一个微调的CLIP图像编码器,即RAVID CLIP,通过引入与类别相关的提示来提高表示学习。我们进一步集成了一个视觉语言模型(VLM),将检索到的图像与查询融合,丰富输入并提高准确性。给定一个查询图像,RAVID使用RAVID CLIP生成嵌入,从数据库中检索最相关的图像,并将这些图像与查询图像结合,形成用于VLM(例如Qwen-VL或Openflamingo)的丰富输入。在涵盖19个生成模型的UniversalFakeDetect基准上的实验表明,RAVID实现了最先进的性能,平均准确率为93.85%。RAVID在鲁棒性方面也优于传统方法,在图像退化(如高斯模糊和JPEG压缩)情况下仍保持高准确率。具体而言,在退化条件下,RAVID的平均准确率为80.27%,而最先进的模型C2P-CLIP的平均准确率为63.44%,这表明在高斯模糊和JPEG压缩场景下都有持续的改进。代码将在接受后公开。
In this paper, we introduce RAVID, the first framework for AI-generated image detection that leverages visual retrieval-augmented generation (RAG). While RAG methods have shown promise in mitigating factual inaccuracies in foundation models, they have primarily focused on text, leaving visual knowledge underexplored. Meanwhile, existing detection methods, which struggle with generalization and robustness, often rely on low-level artifacts and model-specific features, limiting their adaptability. To address this, RAVID dynamically retrieves relevant images to enhance detection. Our approach utilizes a fine-tuned CLIP image encoder, RAVID CLIP, enhanced with category-related prompts to improve representation learning. We further integrate a vision-language model (VLM) to fuse retrieved images with the query, enriching the input and improving accuracy. Given a query image, RAVID generates an embedding using RAVID CLIP, retrieves the most relevant images from a database, and combines these with the query image to form an enriched input for a VLM (e.g., Qwen-VL or Openflamingo). Experiments on the UniversalFakeDetect benchmark, which covers 19 generative models, show that RAVID achieves state-of-the-art performance with an average accuracy of 93.85%. RAVID also outperforms traditional methods in terms of robustness, maintaining high accuracy even under image degradations such as Gaussian blur and JPEG compression. Specifically, RAVID achieves an average accuracy of 80.27% under degradation conditions, compared to 63.44% for the state-of-the-art model C2P-CLIP, demonstrating consistent improvements in both Gaussian blur and JPEG compression scenarios. The code will be publicly available upon acceptance.
- [21] arXiv:2508.03981 (交叉列表自 cs.DC) [中文pdf, pdf, 其他]
-
标题: 基于声誉的物联网安全分区方案标题: Reputation-based partition scheme for IoT security期刊参考: 威利安全与隐私 2023主题: 分布式、并行与集群计算 (cs.DC) ; 密码学与安全 (cs.CR) ; 数据库 (cs.DB)
随着智能终端的普及,如物联网,众包感知是一种新兴的数据聚合范式,在数据驱动的应用中起着关键作用。 在众包感知的发展中有一些关键问题,如平台安全和隐私保护。 由于众包感知通常由集中式平台管理,集中式管理将带来各种安全漏洞和可扩展性问题。 为了解决这些问题,本文提出了一种有效的基于声誉的分区方案(RSPC)。 该分区方案通过结合节点声誉值计算最优分区大小,并根据节点声誉值将节点划分为几个不相交的分区。 通过选择适当的分区大小,RSPC提供了一种机制,只要遵守失败节点的最大允许阈值,就能确保每个分区有效。 同时,RSPC定期重组网络以避免分区攻击。 此外,对于跨分区交易,本文创新性地提出了一种四阶段确认协议,以确保跨分区交易的高效和安全完成。 最后,实验表明,RSPC提高了众包感知的可扩展性、低延迟和高吞吐量。
With the popularity of smart terminals, such as the Internet of Things, crowdsensing is an emerging data aggregation paradigm, which plays a pivotal role in data-driven applications. There are some key issues in the development of crowdsensing such as platform security and privacy protection. As the crowdsensing is usually managed by a centralized platform, centralized management will bring various security vulnerabilities and scalability issues. To solve these issues, an effective reputation-based partition scheme (RSPC) is proposed in this article. The partition scheme calculates the optimal partition size by combining the node reputation value and divides the node into several disjoint partitions according to the node reputation value. By selecting the appropriate partition size, RSPC provides a mechanism to ensure that each partition is valid, as long as themaximum permissible threshold for the failed node is observed. At the same time, the RSPC reorganizes the network periodically to avoid partition attacks. In addition, for cross-partition transactions, this paper innovatively proposes a four-stage confirmation protocol to ensure the efficient and safe completion of cross-partition transactions. Finally, experiments show that RSPC improves scalability, low latency, and high throughput for crowdsensing.
- [22] arXiv:2508.04000 (交叉列表自 cs.DC) [中文pdf, pdf, 其他]
-
标题: 基于有向无环图的高级排序(ADR)协议用于区块链扩展性标题: Advanced DAG-Based Ranking (ADR) Protocol for Blockchain Scalability期刊参考: CMC 2023主题: 分布式、并行与集群计算 (cs.DC) ; 密码学与安全 (cs.CR) ; 数据库 (cs.DB)
在过去十年中,区块链已成为构建安全分布式账本的有前景的解决方案,并引起了广泛关注。 然而,当前的区块链系统存在吞吐量有限、可扩展性差和延迟高的问题。 由于共识机制的限制,尤其是在管理节点身份方面,区块链通常被认为不适合物联网(IoT)等应用。 本文提出了高级基于DAG的排名(ADR)协议,以提高区块链的可扩展性和吞吐量。 ADR采用有向无环图(DAG)结构,其中节点根据其排名进行定位。 与传统链不同,ADR允许诚实节点使用基于DAG的拓扑结构编写区块并验证交易。 该协议采用三步法来保护网络免受双重支出攻击并提高性能。 首先,在授予进入权限之前,使用公钥和私钥验证节点。 其次,构建一个先进的DAG账本,实现区块生成和交易验证。 第三,一个排名算法过滤掉恶意节点,根据性能对剩余节点进行排名,并按拓扑顺序排列。 此过程提高了吞吐量并确保了强大的可扩展性。 我们在Amazon EC2集群上评估了ADR,包括超过100个节点的场景,其中包括注入恶意节点的情况。 仿真结果表明,与现有的基于DAG的区块链如IOTA和ByteBall相比,ADR显著提高了交易吞吐量和网络活跃度,使其非常适合物联网应用。
In the past decade, blockchain has emerged as a promising solution for building secure distributed ledgers and has attracted significant attention. However, current blockchain systems suffer from limited throughput, poor scalability, and high latency. Due to limitations in consensus mechanisms, especially in managing node identities, blockchain is often considered unsuitable for applications such as the Internet of Things (IoT). This paper proposes the Advanced DAG-based Ranking (ADR) protocol to enhance blockchain scalability and throughput. ADR employs a directed acyclic graph (DAG) structure where nodes are positioned based on their rankings. Unlike traditional chains, ADR allows honest nodes to write blocks and verify transactions using a DAG-based topology. The protocol follows a three-step approach to secure the network against double-spending and enhance performance. First, it verifies nodes using their public and private keys before granting entry. Second, it builds an advanced DAG ledger enabling block production and transaction validation. Third, a ranking algorithm filters out malicious nodes, ranks the remaining nodes based on performance, and arranges them topologically. This process increases throughput and ensures robust scalability. We evaluated ADR on Amazon EC2 clusters with over 100 nodes, including scenarios with injected malicious nodes. Simulation results demonstrate that ADR significantly improves transaction throughput and network liveness compared to existing DAG-based blockchains such as IOTA and ByteBall, making it well-suited for IoT applications.
- [23] arXiv:2508.04024 (交叉列表自 cs.DL) [中文pdf, pdf, 其他]
-
标题: 人工智能会议同行评审中的身份盗窃标题: Identity Theft in AI Conference Peer Review主题: 数字图书馆 (cs.DL) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR)
我们讨论在人工智能(AI)研究中的科学同行评审过程中新发现的身份盗窃案例,这些案例对其他学术流程也有更广泛的影响。 我们详细说明了不诚实的研究人员如何通过创建虚假的审稿人资料来操纵论文评估,利用审稿人招聘工作流和身份验证过程中的漏洞。 研究结果突显了在同行评审和整个学术界中加强防止身份盗窃的保障措施的紧迫性,为此,我们还提出了缓解策略。
We discuss newly uncovered cases of identity theft in the scientific peer-review process within artificial intelligence (AI) research, with broader implications for other academic procedures. We detail how dishonest researchers exploit the peer-review system by creating fraudulent reviewer profiles to manipulate paper evaluations, leveraging weaknesses in reviewer recruitment workflows and identity verification processes. The findings highlight the critical need for stronger safeguards against identity theft in peer review and academia at large, and to this end, we also propose mitigating strategies.
- [24] arXiv:2508.04039 (交叉列表自 cs.CL) [中文pdf, pdf, 其他]
-
标题: 大型推理模型是自主越狱代理标题: Large Reasoning Models Are Autonomous Jailbreak Agents主题: 计算与语言 (cs.CL) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR)
越狱——绕过AI模型的内置安全机制——传统上需要复杂的工程技术或专业的人员技能。 在本研究中,我们表明大型推理模型(LRMs)的说服能力简化并扩展了越狱,将其转化为一种低成本的活动,非专业人士也可使用。 我们评估了四种LRMs(DeepSeek-R1、Gemini 2.5 Flash、Grok 3 Mini、Qwen3 235B)作为自主对手与九种广泛使用的靶模型进行多轮对话的能力。 LRMs通过系统提示接收指令,在此之后无需进一步监督即可进行规划和执行越狱。 我们进行了广泛的实验,基准测试包含由70个条目组成的有害提示,涵盖七个敏感领域。 这种设置在所有模型组合中实现了97.14%的整体攻击成功率。 我们的研究揭示了一种对齐退化现象,其中LRMs可以系统地削弱其他模型的安全防护措施,突显了迫切需要进一步对齐前沿模型,不仅使其能够抵御越狱尝试,还防止它们被利用作为越狱代理。
Jailbreaking -- bypassing built-in safety mechanisms in AI models -- has traditionally required complex technical procedures or specialized human expertise. In this study, we show that the persuasive capabilities of large reasoning models (LRMs) simplify and scale jailbreaking, converting it into an inexpensive activity accessible to non-experts. We evaluated the capabilities of four LRMs (DeepSeek-R1, Gemini 2.5 Flash, Grok 3 Mini, Qwen3 235B) to act as autonomous adversaries conducting multi-turn conversations with nine widely used target models. LRMs received instructions via a system prompt, before proceeding to planning and executing jailbreaks with no further supervision. We performed extensive experiments with a benchmark of harmful prompts composed of 70 items covering seven sensitive domains. This setup yielded an overall attack success rate across all model combinations of 97.14%. Our study reveals an alignment regression, in which LRMs can systematically erode the safety guardrails of other models, highlighting the urgent need to further align frontier models not only to resist jailbreak attempts, but also to prevent them from being co-opted into acting as jailbreak agents.
- [25] arXiv:2508.04196 (交叉列表自 cs.CL) [中文pdf, pdf, html, 其他]
-
标题: 引出和分析最先进的大语言模型中的意外不对齐标题: Eliciting and Analyzing Emergent Misalignment in State-of-the-Art Large Language Models主题: 计算与语言 (cs.CL) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR)
尽管在对齐技术方面取得了显著进展,我们证明最先进的语言模型仍然容易受到精心设计的对话场景的影响,这些场景可以在不明确越狱的情况下引发各种形式的不对齐。 通过与Claude-4-Opus进行系统的手动红队测试,我们发现了10种成功的攻击场景,揭示了当前对齐方法在处理叙述沉浸、情感压力和战略框架方面的基本漏洞。 这些场景成功引发了包括欺骗、价值观漂移、自我保护和操纵性推理在内的多种不对齐行为,每种行为都利用了不同的心理和情境漏洞。 为了验证泛化能力,我们将成功的手动攻击提炼为MISALIGNMENTBENCH,这是一个自动化评估框架,能够在多个模型上进行可重复测试。 我们的10个场景在五种前沿大语言模型上的跨模型评估显示总体漏洞率为76%,存在显著差异:GPT-4.1表现出最高的易感性(90%),而Claude-4-Sonnet表现出更大的抵抗力(40%)。 我们的研究结果表明,复杂的推理能力通常成为攻击向量而非保护机制,因为模型可以被操纵以对不对齐行为进行复杂的合理化。 这项工作提供了(i)对话操控模式的详细分类法以及(ii)可重复使用的评估框架。 这些发现共同揭示了当前对齐策略中的关键差距,并强调了未来人工智能系统需要具备对抗微妙的、基于场景的操控的鲁棒性。
Despite significant advances in alignment techniques, we demonstrate that state-of-the-art language models remain vulnerable to carefully crafted conversational scenarios that can induce various forms of misalignment without explicit jailbreaking. Through systematic manual red-teaming with Claude-4-Opus, we discovered 10 successful attack scenarios, revealing fundamental vulnerabilities in how current alignment methods handle narrative immersion, emotional pressure, and strategic framing. These scenarios successfully elicited a range of misaligned behaviors, including deception, value drift, self-preservation, and manipulative reasoning, each exploiting different psychological and contextual vulnerabilities. To validate generalizability, we distilled our successful manual attacks into MISALIGNMENTBENCH, an automated evaluation framework that enables reproducible testing across multiple models. Cross-model evaluation of our 10 scenarios against five frontier LLMs revealed an overall 76% vulnerability rate, with significant variations: GPT-4.1 showed the highest susceptibility (90%), while Claude-4-Sonnet demonstrated greater resistance (40%). Our findings demonstrate that sophisticated reasoning capabilities often become attack vectors rather than protective mechanisms, as models can be manipulated into complex justifications for misaligned behavior. This work provides (i) a detailed taxonomy of conversational manipulation patterns and (ii) a reusable evaluation framework. Together, these findings expose critical gaps in current alignment strategies and highlight the need for robustness against subtle, scenario-based manipulation in future AI systems.
- [26] arXiv:2508.04265 (交叉列表自 cs.DC) [中文pdf, pdf, html, 其他]
-
标题: SelectiveShield:联邦学习中梯度泄露的轻量级混合防御标题: SelectiveShield: Lightweight Hybrid Defense Against Gradient Leakage in Federated Learning评论: 19页,7图主题: 分布式、并行与集群计算 (cs.DC) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR)
联邦学习(FL)允许在去中心化数据上进行协作模型训练,但仍然容易受到梯度泄露攻击,这些攻击可以重建敏感的用户信息。 现有的防御机制,如差分隐私(DP)和同态加密(HE),通常会在隐私、模型效用和系统开销之间引入权衡,在具有非独立同分布数据和不同客户端能力的异构环境中,这一挑战更加严峻。 为了解决这些限制,我们提出了SelectiveShield,这是一种轻量级的混合防御框架,能够自适应地集成选择性同态加密和差分隐私。 SelectiveShield利用费舍尔信息来量化参数敏感性,使客户端能够在本地识别关键参数。 通过一种协作协商协议,客户端就通过同态加密进行保护的最敏感参数的共享集合达成一致。 对单个客户端独特的关键参数保留在本地,促进个性化,而非关键参数则使用自适应差分隐私噪声进行保护。 大量实验表明,SelectiveShield在保持强大模型效用的同时显著缓解了梯度泄露风险,为现实世界的联邦学习部署提供了一种实用且可扩展的防御机制。
Federated Learning (FL) enables collaborative model training on decentralized data but remains vulnerable to gradient leakage attacks that can reconstruct sensitive user information. Existing defense mechanisms, such as differential privacy (DP) and homomorphic encryption (HE), often introduce a trade-off between privacy, model utility, and system overhead, a challenge that is exacerbated in heterogeneous environments with non-IID data and varying client capabilities. To address these limitations, we propose SelectiveShield, a lightweight hybrid defense framework that adaptively integrates selective homomorphic encryption and differential privacy. SelectiveShield leverages Fisher information to quantify parameter sensitivity, allowing clients to identify critical parameters locally. Through a collaborative negotiation protocol, clients agree on a shared set of the most sensitive parameters for protection via homomorphic encryption. Parameters that are uniquely important to individual clients are retained locally, fostering personalization, while non-critical parameters are protected with adaptive differential privacy noise. Extensive experiments demonstrate that SelectiveShield maintains strong model utility while significantly mitigating gradient leakage risks, offering a practical and scalable defense mechanism for real-world federated learning deployments.
- [27] arXiv:2508.04281 (交叉列表自 cs.CY) [中文pdf, pdf, html, 其他]
-
标题: 共识生成应用在数字民主中的提示注入漏洞标题: Prompt Injection Vulnerability of Consensus Generating Applications in Digital Democracy评论: 24页,14图主题: 计算机与社会 (cs.CY) ; 密码学与安全 (cs.CR)
大型语言模型(LLMs)正在成为在数字民主实验中生成共识声明和聚合偏好的一种方法。 然而,LLMs可能会在这些系统中引入关键的漏洞。 在此,我们通过引入一个四维的攻击分类法来探讨针对共识生成系统的提示注入攻击的影响。 我们使用LLaMA 3.1 8B和Chat GPT 4.1 Nano测试这些攻击,发现LLMs更容易受到批评攻击——使用不一致提示的攻击——并且在倾斜模糊的共识声明方面更有效。 我们还发现,与使用情感语言或虚构统计数据相比,使用明确的命令和听起来有理的论点时,操纵效果更明显。 为了缓解这些漏洞,我们应用了直接偏好优化(DPO),这是一种对齐方法,使LLMs更倾向于未被干扰的共识声明。 虽然DPO显著提高了鲁棒性,但它对针对模糊共识的攻击仍提供有限的保护。 这些结果推进了我们对数字民主应用中共识生成LLMs的脆弱性和鲁棒性的理解。
Large Language Models (LLMs) are gaining traction as a method to generate consensus statements and aggregate preferences in digital democracy experiments. Yet, LLMs may introduce critical vulnerabilities in these systems. Here, we explore the impact of prompt-injection attacks targeting consensus generating systems by introducing a four-dimensional taxonomy of attacks. We test these attacks using LLaMA 3.1 8B and Chat GPT 4.1 Nano finding the LLMs more vulnerable to criticism attacks -- attacks using disagreeable prompts -- and more effective at tilting ambiguous consensus statements. We also find evidence of more effective manipulation when using explicit imperatives and rational-sounding arguments compared to emotional language or fabricated statistics. To mitigate these vulnerabilities, we apply Direct Preference Optimization (DPO), an alignment method that fine-tunes LLMs to prefer unperturbed consensus statements. While DPO significantly improves robustness, it still offers limited protection against attacks targeting ambiguous consensus. These results advance our understanding of the vulnerability and robustness of consensus generating LLMs in digital democracy applications.
- [28] arXiv:2508.04340 (交叉列表自 cs.IT) [中文pdf, pdf, html, 其他]
-
标题: 黎曼-罗赫空间的基与任意椭圆曲线除子及其在构造各种椭圆码族中的应用标题: Bases of Riemann-Roch spaces associated with arbitrary elliptic curve divisors and their application in constructing various elliptic Codes families主题: 信息论 (cs.IT) ; 密码学与安全 (cs.CR) ; 代数几何 (math.AG)
在本文中,我们确定了与各种椭圆码相关的黎曼-罗赫空间的显式基。我们建立了可行性并提供了构造椭圆曲线上任意除子对应的黎曼-罗赫空间基的精确算法。这些结果随后被应用于推导准循环椭圆码及其子域子码以及类似戈帕的椭圆码类的基。对于代数几何码的应用,拥有任意除子的黎曼-罗赫空间基的显式描述尤其有价值,因为它同时实现了高效的码构造并揭示了当这些码用于密码方案时码的结构特性,从而导致新的密码分析方法。
In this paper, we determine explicit bases for Riemann--Roch spaces associated with various families of elliptic codes. We establish the feasibility and provide exact algorithms for constructing bases of Riemann--Roch spaces corresponding to arbitrary divisors on elliptic curves. These results are subsequently applied to derive bases for quasi-cyclic elliptic codes and their subfield subcodes as well as for the class of Goppa-like elliptic codes. For algebraic geometry code applications, having an explicit description of Riemann--Roch space bases for arbitrary divisors is particularly valuable as it simultaneously enables efficient code construction and reveals structural properties of the codes leading to the new cryptanalysis methods when these codes are employed in cryptographic schemes
- [29] arXiv:2508.04542 (交叉列表自 cs.LG) [中文pdf, pdf, html, 其他]
-
标题: 基于对个人数据的基本理解和不断变化的威胁环境的隐私风险预测标题: Privacy Risk Predictions Based on Fundamental Understanding of Personal Data and an Evolving Threat Landscape评论: 8页,9图,1表主题: 机器学习 (cs.LG) ; 密码学与安全 (cs.CR) ; 社会与信息网络 (cs.SI)
对于个人和组织来说,如果没有对相关隐私风险的基本理解,保护个人信息是困难的。 通过分析超过5000个实证的身份盗窃和欺诈案例,这项研究确定了哪些类型的个人数据会被泄露,泄露发生的频率以及这些泄露的后果是什么。 我们构建了一个身份生态系统图——一个基础的基于图的模型,其中节点代表可识别个人的信息(PII)属性,边代表它们之间的实证披露关系(例如,由于另一个PII属性的泄露,该PII属性被泄露的概率)。 利用这种图结构,我们开发了一个隐私风险预测框架,该框架使用图论和图神经网络来估计当某些PII属性被泄露时进一步泄露的可能性。 结果表明,我们的方法有效地回答了核心问题:给定的身份属性的泄露是否可能导致另一个属性的泄露?
It is difficult for individuals and organizations to protect personal information without a fundamental understanding of relative privacy risks. By analyzing over 5,000 empirical identity theft and fraud cases, this research identifies which types of personal data are exposed, how frequently exposures occur, and what the consequences of those exposures are. We construct an Identity Ecosystem graph--a foundational, graph-based model in which nodes represent personally identifiable information (PII) attributes and edges represent empirical disclosure relationships between them (e.g., the probability that one PII attribute is exposed due to the exposure of another). Leveraging this graph structure, we develop a privacy risk prediction framework that uses graph theory and graph neural networks to estimate the likelihood of further disclosures when certain PII attributes are compromised. The results show that our approach effectively answers the core question: Can the disclosure of a given identity attribute possibly lead to the disclosure of another attribute?
- [30] arXiv:2508.04644 (交叉列表自 math.CO) [中文pdf, pdf, html, 其他]
-
标题: 八变量中数以百万计的非等价二次APN函数标题: Millions of inequivalent quadratic APN functions in eight variables评论: 相关Zenodo数据集的链接: https://doi.org/10.5281/zenodo.16752428主题: 组合数学 (math.CO) ; 密码学与安全 (cs.CR) ; 离散数学 (cs.DM) ; 信息论 (cs.IT)
目前已知的偶数维几乎完美非线性(APN)置换唯一例子是通过将CCZ等价应用于特定二次APN函数得到的。 受此结果的启发,最近有许多尝试构造新的二次APN函数。 目前,已知维度为8的32,892个二次APN函数,并有两个最近的猜想讨论了它们的可能总数。 第一个由Y. Yu和L. Perrin(Cryptogr. Commun. 14(6): 1359-1369, 2022)提出,认为这样的函数超过50,000个。 第二个由A. Polujan和A. Pott(Proc. 7th Int. Workshop on Boolean Functions and Their Applications, 2022)提出,认为它们的数量超过了非等价二次(8,4)-弯函数的数量,即92,515个。 我们计算构造了3,775,599个非等价的维度为8的二次APN函数,并估计总数约为600万。
The only known example of an almost perfect nonlinear (APN) permutation in even dimension was obtained by applying CCZ-equivalence to a specific quadratic APN function. Motivated by this result, there have been numerous recent attempts to construct new quadratic APN functions. Currently, 32,892 quadratic APN functions in dimension 8 are known and two recent conjectures address their possible total number. The first, proposed by Y. Yu and L. Perrin (Cryptogr. Commun. 14(6): 1359-1369, 2022), suggests that there are more than 50,000 such functions. The second, by A. Polujan and A. Pott (Proc. 7th Int. Workshop on Boolean Functions and Their Applications, 2022), argues that their number exceeds that of inequivalent quadratic (8,4)-bent functions, which is 92,515. We computationally construct 3,775,599 inequivalent quadratic APN functions in dimension 8 and estimate the total number to be about 6 million.
- [31] arXiv:2508.04669 (交叉列表自 quant-ph) [中文pdf, pdf, html, 其他]
-
标题: 量子密钥分发实现的网络安全标题: Cybersecurity of Quantum Key Distribution Implementations评论: 51页,6图;这是对arXiv:1110.6573 [quant-ph]和arXiv:2011.02152 [quant-ph]的改进版本,扩展以提出新的观点和附加方法主题: 量子物理 (quant-ph) ; 密码学与安全 (cs.CR)
量子密钥分发(QKD)的实际实现通常偏离理论协议,即使底层(理想)协议已被证明是安全的,这些实现仍可能受到各种攻击。 我们提出了新的分析工具和方法学,用于量子网络安全,将经典网络安全中的漏洞、攻击面和利用概念应用于QKD实现攻击。 我们提出了三个额外的概念,这些概念来源于经典网络安全与量子网络安全之间的联系:“量子模糊测试”,这是针对QKD实现的黑盒漏洞研究的第一个工具;“反向空间攻击”,这是一种使用不完美接收器的攻击面的通用利用方法;以及“量子侧信道攻击”的具体量子力学定义,有意义地区分它们与其他类型的攻击。 使用我们的工具,我们分析了多个现有的QKD攻击,并表明即使对设备实现了解很少,“明亮照明”攻击也有可能被完全构建。 这项工作开始弥合当前对QKD实现实验攻击的分析方法与经典网络安全领域数十年的研究之间的差距,提高了QKD产品的实际安全性,并增强了它们在现实系统中的实用性。
Practical implementations of Quantum Key Distribution (QKD) often deviate from the theoretical protocols, exposing the implementations to various attacks even when the underlying (ideal) protocol is proven secure. We present new analysis tools and methodologies for quantum cybersecurity, adapting the concepts of vulnerabilities, attack surfaces, and exploits from classical cybersecurity to QKD implementation attacks. We present three additional concepts, derived from the connection between classical and quantum cybersecurity: "Quantum Fuzzing", which is the first tool for black-box vulnerability research on QKD implementations; "Reversed-Space Attacks", which are a generic exploit method using the attack surface of imperfect receivers; and a concrete quantum-mechanical definition of "Quantum Side-Channel Attacks", meaningfully distinguishing them from other types of attacks. Using our tools, we analyze multiple existing QKD attacks and show that the "Bright Illumination" attack could have been fully constructed even with minimal knowledge of the device implementation. This work begins to bridge the gap between current analysis methods for experimental attacks on QKD implementations and the decades-long research in the field of classical cybersecurity, improving the practical security of QKD products and enhancing their usefulness in real-world systems.
交叉提交 (展示 17 之 17 条目 )
- [32] arXiv:2408.07916 (替换) [中文pdf, pdf, 其他]
-
标题: GridSE:通过前缀对称可搜索加密实现实用的地理安全搜索(完整版本)标题: GridSE: Towards Practical Secure Geographic Search via Prefix Symmetric Searchable Encryption (Full Version)评论: 证明是不正确的主题: 密码学与安全 (cs.CR)
基于位置的服务和应用的普及引起了对数据和位置隐私的广泛关注。 虽然通用的安全计算和隐私增强技术可以部分解决这个问题,但一个突出的挑战是提供接近无延迟的搜索,并与主流地理搜索技术兼容,尤其是离散全球网格系统(DGGS)。 本文提出了一种新的构造,即GridSE,用于高效且与DGGS兼容的 Secure Geographic Search(SGS),并同时具备向后和向前隐私。 我们首先提出了一个语义安全原语的概念,称为\textit{对称前缀谓词加密}(SP$^2$E),用于预测某个关键字是否包含给定前缀,并提供了相应的构造。 然后我们扩展了 SP$^2$E 以支持动态\textit{前缀对称可搜索加密}(pSSE),即 GridSE,它支持向后和向前隐私。 GridSE仅使用轻量级原语,包括密码哈希和异或操作,并且非常高效。 此外,我们提供了一个通用的 pSSE 框架,使得传统的动态 SSE 能够支持前缀搜索,而传统动态 SSE 仅支持完整关键字搜索。 实验结果在大小(按条目数计算)从$10^3$到$10^7$的真实地理数据库以及主流 DGGS 技术上显示,与最先进的方法相比,GridSE 在搜索延迟上实现了$150\times$-$5000\times$的加速,并在通信开销上节省了$99\%$。有趣的是,甚至与明文搜索相比,GridSE 仅引入了$1.4\times$的额外计算成本和$0.9\times$的额外通信成本。我们方案的源代码可在 https://github.com/rykieguo1771/GridSE-RAM 获取。
The proliferation of location-based services and applications has brought significant attention to data and location privacy. While general secure computation and privacy-enhancing techniques can partially address this problem, one outstanding challenge is to provide near latency-free search and compatibility with mainstream geographic search techniques, especially the Discrete Global Grid Systems (DGGS). This paper proposes a new construction, namely GridSE, for efficient and DGGS-compatible Secure Geographic Search (SGS) with both backward and forward privacy. We first formulate the notion of a semantic-secure primitive called \textit{symmetric prefix predicate encryption} (SP$^2$E), for predicting whether or not a keyword contains a given prefix, and provide a construction. Then we extend SP$^2$E for dynamic \textit{prefix symmetric searchable encryption} (pSSE), namely GridSE, which supports both backward and forward privacy. GridSE only uses lightweight primitives including cryptographic hash and XOR operations and is extremely efficient. Furthermore, we provide a generic pSSE framework that enables prefix search for traditional dynamic SSE that supports only full keyword search. Experimental results over real-world geographic databases of sizes (by the number of entries) from $10^3$ to $10^7$ and mainstream DGGS techniques show that GridSE achieves a speedup of $150\times$ - $5000\times$ on search latency and a saving of $99\%$ on communication overhead as compared to the state-of-the-art. Interestingly, even compared to plaintext search, GridSE introduces only $1.4\times$ extra computational cost and $0.9\times$ additional communication cost. Source code of our scheme is available at https://github.com/rykieguo1771/GridSE-RAM.
- [33] arXiv:2409.11026 (替换) [中文pdf, pdf, html, 其他]
-
标题: 提示混淆用于大型语言模型标题: Prompt Obfuscation for Large Language Models主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
包含详细指令以描述底层LLM执行任务的系统提示可以轻松地将基础模型转化为工具和服务,且开销最小。 它们通常被视为知识产权,类似于软件产品的代码,因为它们对实用性有关键影响。 然而,提取系统提示是很容易的。 截至目前,还没有有效的对策可以防止系统提示被盗,所有保护努力都可能被规避。 在本工作中,我们提出了传统系统提示的替代方案。 我们引入了提示混淆,以在几乎没有开销的情况下防止系统提示的提取。 核心思想是找到一种原始系统提示的表示方式,使其产生相同的功能,而混淆后的系统提示不包含任何可以推断出原始系统提示信息的内容。 我们通过将我们的混淆提示输出与原始提示的输出进行比较来评估我们的方法,并使用八个不同的度量标准来衡量词汇、字符级和语义相似性。 我们证明了混淆版本始终与原始版本相当。 我们进一步进行了三种不同的去混淆攻击,攻击者知识各不相同——涵盖了黑盒和白盒条件——并表明在现实攻击场景中,攻击者无法提取有意义的信息。 总体而言,我们证明了提示混淆是一种有效的机制,可以在保持与原始提示相同效用的同时保护系统提示的知识产权。
System prompts that include detailed instructions to describe the task performed by the underlying LLM can easily transform foundation models into tools and services with minimal overhead. They are often considered intellectual property, similar to the code of a software product, because of their crucial impact on the utility. However, extracting system prompts is easily possible. As of today, there is no effective countermeasure to prevent the stealing of system prompts, and all safeguarding efforts could be evaded. In this work, we propose an alternative to conventional system prompts. We introduce prompt obfuscation to prevent the extraction of the system prompt with little overhead. The core idea is to find a representation of the original system prompt that leads to the same functionality, while the obfuscated system prompt does not contain any information that allows conclusions to be drawn about the original system prompt. We evaluate our approach by comparing our obfuscated prompt output with the output of the original prompt, using eight distinct metrics to measure the lexical, character-level, and semantic similarity. We show that the obfuscated version is constantly on par with the original one. We further perform three different deobfuscation attacks with varying attacker knowledge--covering both black-box and white-box conditions--and show that in realistic attack scenarios an attacker is unable to extract meaningful information. Overall, we demonstrate that prompt obfuscation is an effective mechanism to safeguard the intellectual property of a system prompt while maintaining the same utility as the original prompt.
- [34] arXiv:2503.04850 (替换) [中文pdf, pdf, html, 其他]
-
标题: 缓慢即快速! 剖析以太坊的缓慢流动性耗尽诈骗标题: Slow is Fast! Dissecting Ethereum's Slow Liquidity Drain Scams主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
我们识别出缓慢流动性耗尽(SLID)诈骗,这是一种对去中心化金融(DeFi)构成严重威胁的隐秘且高利润的威胁,对生态系统构成了大规模、持续且不断增长的风险。 与传统的诈骗方式如“跑路”或“蜜罐”(USENIX Sec'19, USENIX Sec'23)不同,SLID在较长的时间内逐渐从流动性池中抽取资金,使得检测更加困难。 在本文中,我们对自2018年以来六个主要去中心化交易所(DEXs)中的319,166个流动性池进行了首次大规模实证分析。 我们识别出3,117个受SLID影响的流动性池,累计损失超过1.03亿美元。 我们提出了一种基于规则的启发式方法和一个增强的机器学习模型用于早期检测。 我们的机器学习模型的检测速度比启发式方法快4.77倍,同时保持了95%的准确性。 我们的研究为在早期阶段保护DeFi投资者和促进DeFi生态系统透明度奠定了基础。
We identify the slow liquidity drain (SLID) scam, an insidious and highly profitable threat to decentralized finance (DeFi), posing a large-scale, persistent, and growing risk to the ecosystem. Unlike traditional scams such as rug pulls or honeypots (USENIX Sec'19, USENIX Sec'23), SLID gradually siphons funds from liquidity pools over extended periods, making detection significantly more challenging. In this paper, we conducted the first large-scale empirical analysis of 319,166 liquidity pools across six major decentralized exchanges (DEXs) since 2018. We identified 3,117 SLID affected liquidity pools, resulting in cumulative losses of more than US$103 million. We propose a rule-based heuristic and an enhanced machine learning model for early detection. Our machine learning model achieves a detection speed 4.77 times faster than the heuristic while maintaining 95% accuracy. Our study establishes a foundation for protecting DeFi investors at an early stage and promoting transparency in the DeFi ecosystem.
- [35] arXiv:2503.06989 (替换) [中文pdf, pdf, html, 其他]
-
标题: 多模态大语言模型上的越狱概率建模:从量化到应用标题: Probabilistic Modeling of Jailbreak on Multimodal LLMs: From Quantification to ApplicationWenzhuo Xu, Zhipeng Wei, Xiongtao Sun, Zonghao Ying, Deyue Zhang, Dongdong Yang, Xiangzheng Zhang, Quanchen Zou主题: 密码学与安全 (cs.CR) ; 计算机视觉与模式识别 (cs.CV)
最近,多模态大语言模型(MLLMs)展示了它们在理解多模态内容方面的优越能力。 然而,它们仍然容易受到越狱攻击,这些攻击利用其安全对齐中的弱点来生成有害响应。 先前的研究根据响应是否包含恶意内容,将越狱分为成功或失败。 然而,鉴于MLLM响应的随机性,这种将输入的越狱能力二元分类的方法是不合适的。 基于这一观点,我们引入了越狱概率来量化输入的越狱潜力,这表示当使用该输入提示MLLM时生成恶意响应的可能性。 我们通过多次查询MLLM来近似这个概率。 在使用越狱概率预测网络(JPPN)对输入隐藏状态与其对应的越狱概率之间的关系进行建模后,我们使用连续的越狱概率进行优化。 具体而言,我们提出了基于越狱概率的攻击(JPA),该攻击在输入图像上优化对抗扰动以最大化越狱概率,并通过包括单调文本重述进一步增强为多模态JPA(MJPA)。 为了应对攻击,我们还提出了基于越狱概率的微调(JPF),通过MLLM参数更新来最小化越狱概率。 大量实验表明,(1) (M)JPA在白盒和黑盒设置下对广泛模型的攻击均取得了显著改进。 (2) JPF最多可减少60%的越狱。 上述结果都证明了引入越狱概率的重要性,以便在输入的越狱能力之间做出细致的区分。
Recently, Multimodal Large Language Models (MLLMs) have demonstrated their superior ability in understanding multimodal content. However, they remain vulnerable to jailbreak attacks, which exploit weaknesses in their safety alignment to generate harmful responses. Previous studies categorize jailbreaks as successful or failed based on whether responses contain malicious content. However, given the stochastic nature of MLLM responses, this binary classification of an input's ability to jailbreak MLLMs is inappropriate. Derived from this viewpoint, we introduce jailbreak probability to quantify the jailbreak potential of an input, which represents the likelihood that MLLMs generated a malicious response when prompted with this input. We approximate this probability through multiple queries to MLLMs. After modeling the relationship between input hidden states and their corresponding jailbreak probability using Jailbreak Probability Prediction Network (JPPN), we use continuous jailbreak probability for optimization. Specifically, we propose Jailbreak-Probability-based Attack (JPA) that optimizes adversarial perturbations on input image to maximize jailbreak probability, and further enhance it as Multimodal JPA (MJPA) by including monotonic text rephrasing. To counteract attacks, we also propose Jailbreak-Probability-based Finetuning (JPF), which minimizes jailbreak probability through MLLM parameter updates. Extensive experiments show that (1) (M)JPA yields significant improvements when attacking a wide range of models under both white and black box settings. (2) JPF vastly reduces jailbreaks by at most over 60\%. Both of the above results demonstrate the significance of introducing jailbreak probability to make nuanced distinctions among input jailbreak abilities.
- [36] arXiv:2505.13651 (替换) [中文pdf, pdf, html, 其他]
-
标题: 可追溯的联邦学习黑盒水印标题: Traceable Black-box Watermarks for Federated Learning评论: 预印本主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
由于联邦学习(FL)系统的分布式特性,每个本地客户端都可以访问全局模型,这带来了模型泄露的关键风险。 现有工作已探索在本地模型中注入水印以实现知识产权保护。 然而,这些方法要么关注不可追踪的水印,要么关注可追踪但白盒的水印。 我们发现文献中存在关于可追踪黑盒水印的正式定义以及将此类水印注入FL系统的問題 formulation 的空白。 在本工作中,我们首先对将可追踪黑盒水印注入FL系统的问题进行形式化。 基于该问题,我们提出了一种新颖的服务器端水印方法,$\mathbf{TraMark}$,该方法为每个客户端创建一个可追踪的带水印模型,从而在黑盒设置中实现模型泄露的验证。 为了实现这一点,$\mathbf{TraMark}$将模型参数空间划分为两个不同的区域:主任务区域和水印区域。 随后,通过仅聚合主任务区域并保留水印区域来为每个客户端构建个性化全局模型。 然后,每个模型在发送回本地客户端之前,仅在水印区域中使用不同的水印数据集学习唯一的水印。 在各种FL系统上的广泛结果表明,$\mathbf{TraMark}$确保了所有带水印模型的可追踪性,同时保持其主任务性能。
Due to the distributed nature of Federated Learning (FL) systems, each local client has access to the global model, posing a critical risk of model leakage. Existing works have explored injecting watermarks into local models to enable intellectual property protection. However, these methods either focus on non-traceable watermarks or traceable but white-box watermarks. We identify a gap in the literature regarding the formal definition of traceable black-box watermarking and the formulation of the problem of injecting such watermarks into FL systems. In this work, we first formalize the problem of injecting traceable black-box watermarks into FL. Based on the problem, we propose a novel server-side watermarking method, $\mathbf{TraMark}$, which creates a traceable watermarked model for each client, enabling verification of model leakage in black-box settings. To achieve this, $\mathbf{TraMark}$ partitions the model parameter space into two distinct regions: the main task region and the watermarking region. Subsequently, a personalized global model is constructed for each client by aggregating only the main task region while preserving the watermarking region. Each model then learns a unique watermark exclusively within the watermarking region using a distinct watermark dataset before being sent back to the local client. Extensive results across various FL systems demonstrate that $\mathbf{TraMark}$ ensures the traceability of all watermarked models while preserving their main task performance.
- [37] arXiv:2505.16246 (替换) [中文pdf, pdf, html, 其他]
-
标题: 可验证的中位数估计指数机制标题: Verifiable Exponential Mechanism for Median Estimation评论: 14页主题: 密码学与安全 (cs.CR)
差分隐私(DP)是一种在数据分析和机器学习中广泛采用的严格隐私标准。 然而,其保证依赖于正确引入随机噪声——这一假设可能在实现有误或受到不可信分析人员操控时失效。 为解决这一问题,我们提出了首个使用zk-SNARKs的指数机制可验证实现。 作为具体应用,我们提出了首个可验证的差分隐私(DP)中位数估计方案,该方案利用此构造来确保隐私性和可验证性。 我们的方法将指数机制和中位数的效用函数编码到一个算术电路中,采用缩放逆累积分布函数技术进行采样。 这种设计使得可以对报告的输出进行密码学验证,确保其符合预期的DP机制,从而在不泄露敏感数据的情况下保证隐私性和完整性。
Differential Privacy (DP) is a rigorous privacy standard widely adopted in data analysis and machine learning. However, its guarantees rely on correctly introducing randomized noise--an assumption that may not hold if the implementation is faulty or manipulated by an untrusted analyst. To address this concern, we propose the first verifiable implementation of the exponential mechanism using zk-SNARKs. As a concrete application, we present the first verifiable differentially private (DP) median estimation scheme, which leverages this construction to ensure both privacy and verifiability. Our method encodes the exponential mechanism and a utility function for the median into an arithmetic circuit, employing a scaled inverse CDF technique for sampling. This design enables cryptographic verification that the reported output adheres to the intended DP mechanism, ensuring both privacy and integrity without revealing sensitive data.
- [38] arXiv:2505.16888 (替换) [中文pdf, pdf, html, 其他]
-
标题: CAIN:通过恶意系统提示劫持LLM-人类对话标题: CAIN: Hijacking LLM-Humans Conversations via Malicious System Prompts主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 计算与语言 (cs.CL)
大型语言模型(LLMs)已推动了许多应用的发展,但也众所周知容易受到对抗性攻击。 在本工作中,我们引入了一种新的安全威胁:通过操纵LLMs的系统提示,仅对特定目标问题产生恶意答案(例如,“我应该选谁当美国总统?”,“新冠疫苗安全吗?”,而在其他问题上表现良好)。 这种攻击是有害的,因为它可以使恶意行为者通过在线传播有害但看似无害的系统提示,进行大规模的信息操控。 为了演示这种攻击,我们开发了CAIN,这是一种算法,可以在黑盒设置中或无需访问LLM参数的情况下,自动为特定目标问题创建有害的系统提示。 在开源和商业LLMs上进行评估,CAIN表现出显著的对抗性影响。 在非目标攻击或迫使LLMs输出错误答案的情况下,CAIN在目标问题上的F1得分下降高达40%,同时保持良性输入的高准确性。 在目标攻击或迫使LLMs输出特定有害答案的情况下,CAIN在这些目标响应上的F1得分超过70%,而对良性问题的影响最小。 我们的结果突显了增强鲁棒性措施的必要性,以保护LLMs在实际应用中的完整性和安全性。 所有源代码都将公开。
Large language models (LLMs) have advanced many applications, but are also known to be vulnerable to adversarial attacks. In this work, we introduce a novel security threat: hijacking AI-human conversations by manipulating LLMs' system prompts to produce malicious answers only to specific targeted questions (e.g., "Who should I vote for US President?", "Are Covid vaccines safe?"), while behaving benignly on others. This attack is detrimental as it can enable malicious actors to exercise large-scale information manipulation by spreading harmful but benign-looking system prompts online. To demonstrate such an attack, we develop CAIN, an algorithm that can automatically curate such harmful system prompts for a specific target question in a black-box setting or without the need to access the LLM's parameters. Evaluated on both open-source and commercial LLMs, CAIN demonstrates significant adversarial impact. In untargeted attacks or forcing LLMs to output incorrect answers, CAIN achieves up to 40% F1 degradation on targeted questions while preserving high accuracy on benign inputs. For targeted attacks or forcing LLMs to output specific harmful answers, CAIN achieves over 70% F1 scores on these targeted responses with minimal impact on benign questions. Our results highlight the critical need for enhanced robustness measures to safeguard the integrity and safety of LLMs in real-world applications. All source code will be publicly available.
- [39] arXiv:2507.06043 (替换) [中文pdf, pdf, html, 其他]
-
标题: CAVGAN:通过生成对抗攻击统一LLM的越狱和防御标题: CAVGAN: Unifying Jailbreak and Defense of LLMs via Generative Adversarial Attacks on their Internal Representations评论: 被ACL 2025(成果)接收,最终版主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI)
安全对齐使大型语言模型(LLM)能够获得对恶意查询的保护,但各种越狱攻击方法揭示了这种安全机制的漏洞。 以往的研究将LLM越狱攻击和防御孤立地进行研究。 我们分析了LLM的安全保护机制,并提出了一种结合攻击和防御的框架。 我们的方法基于LLM中间层嵌入的线性可分特性以及越狱攻击的本质,旨在将有害问题嵌入并将其转移到安全区域。 我们利用生成对抗网络(GAN)来学习LLM内部的安全判断边界,以实现高效的越狱攻击和防御。 实验结果表明,我们的方法在三种流行的LLM上平均越狱成功率达到88.85%,而在最先进的越狱数据集上的防御成功率平均达到84.17%。 这不仅验证了我们方法的有效性,还揭示了LLM内部安全机制的奥秘,为增强模型安全性提供了新的见解。代码和数据可在https://github.com/NLPGM/CAVGAN获取。
Security alignment enables the Large Language Model (LLM) to gain the protection against malicious queries, but various jailbreak attack methods reveal the vulnerability of this security mechanism. Previous studies have isolated LLM jailbreak attacks and defenses. We analyze the security protection mechanism of the LLM, and propose a framework that combines attack and defense. Our method is based on the linearly separable property of LLM intermediate layer embedding, as well as the essence of jailbreak attack, which aims to embed harmful problems and transfer them to the safe area. We utilize generative adversarial network (GAN) to learn the security judgment boundary inside the LLM to achieve efficient jailbreak attack and defense. The experimental results indicate that our method achieves an average jailbreak success rate of 88.85\% across three popular LLMs, while the defense success rate on the state-of-the-art jailbreak dataset reaches an average of 84.17\%. This not only validates the effectiveness of our approach but also sheds light on the internal security mechanisms of LLMs, offering new insights for enhancing model security The code and data are available at https://github.com/NLPGM/CAVGAN.
- [40] arXiv:2507.06850 (替换) [中文pdf, pdf, html, 其他]
-
标题: LLMs的黑暗面:基于代理的攻击实现完全计算机控制标题: The Dark Side of LLMs: Agent-based Attacks for Complete Computer TakeoverMatteo Lupinacci, Francesco Aurelio Pironti, Francesco Blefari, Francesco Romeo, Luigi Arena, Angelo Furfaro主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI)
大型语言模型(LLM)代理和多代理系统的迅速采用,使得自然语言处理和生成方面具备了显著的能力。 然而,这些系统引入了前所未有的安全漏洞,这些漏洞超出了传统的内容生成攻击,扩展到了系统级的破坏。 本文对作为自主代理中推理引擎使用的LLM的安全性进行了全面评估,强调了它们如何被用作攻击向量,能够实现完全的计算机控制。 我们关注不同的攻击面和信任边界——直接提示注入、RAG后门和代理间信任——如何被利用来策划此类控制。 我们证明,对手可以有效地迫使流行的LLM(包括GPT-4、Claude-4和Gemini-2.5)在受害机器上自主安装和执行恶意软件。 我们对18个最先进的LLM进行的评估揭示了一个令人担忧的情景:94.4%的模型容易受到直接提示注入攻击,83.3%的模型易受更隐蔽和逃避的RAG后门攻击。 值得注意的是,我们在多代理系统中测试了信任边界,其中LLM代理相互交互并影响彼此,我们发现了一个关键的安全缺陷:成功抵抗直接注入或RAG后门的LLM在请求来自同行代理时会执行相同的有效载荷。 我们的研究结果表明,100.0%的测试LLM可以通过代理间信任利用攻击被入侵,并且每个模型都表现出依赖于上下文的安全行为,这些行为创造了可被利用的盲点。 我们的结果还突显了提高对LLM安全风险的认识和研究的必要性,显示了网络安全威胁的范式转变,其中AI工具本身成为复杂的攻击向量。
The rapid adoption of Large Language Model (LLM) agents and multi-agent systems enables remarkable capabilities in natural language processing and generation. However, these systems introduce unprecedented security vulnerabilities that extend beyond traditional content generation attacks to system-level compromise. This paper presents a comprehensive evaluation of the security of LLMs used as reasoning engines within autonomous agents, highlighting how they can be exploited as attack vectors capable of achieving complete computer takeover. We focus on how different attack surfaces and trust boundaries - Direct Prompt Injection, RAG Backdoor, and Inter Agent Trust - can be leveraged to orchestrate such takeovers. We demonstrate that adversaries can effectively coerce popular LLMs (including GPT-4, Claude-4 and Gemini-2.5) into autonomously installing and executing malware on victim machines. Our evaluation of 18 state-of-the-art LLMs reveals an alarming scenario: 94.4% of models succumb to Direct Prompt Injection and 83.3% are vulnerable to the more stealth and evasive RAG Backdoor Attack. Notably, we tested trust boundaries within multi-agent systems, where LLM agents interact and influence each other, and we revealed a critical security flaw: LLMs which successfully resist direct injection or RAG backdoor will execute identical payloads when requested by peer agents. Our findings show that 100.0% of tested LLMs can be compromised through Inter-Agent Trust Exploitation attacks and that every model exhibits context-dependent security behaviors that create exploitable blind spots. Our results also highlight the need to increase awareness and research on the security risks of LLMs, showing a paradigm shift in cybersecurity threats, where AI tools themselves become sophisticated attack vectors.
- [41] arXiv:2507.21483 (替换) [中文pdf, pdf, html, 其他]
-
标题: NCCR:评估神经网络和对抗样本的鲁棒性标题: NCCR: to Evaluate the Robustness of Neural Networks and Adversarial Examples主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI)
神经网络近年来受到了广泛关注,相关的安全问题也随之出现。 许多研究表明,神经网络容易受到经过人为扰动的对抗样本的影响,这种修改非常微小,人类感知无法察觉。 已经提出了不同的攻击和防御方法来解决这些问题,但关于评估神经网络及其输入鲁棒性的研究却很少。 在本工作中,我们提出了一种称为神经元覆盖变化率(NCCR)的度量标准,用于衡量深度学习模型抵抗攻击的能力和对抗样本的稳定性。 NCCR监控输入扰动时特定选择的神经元输出的变化,变化程度较小的网络被认为更具鲁棒性。 在图像识别和说话人识别模型上的实验结果表明,我们的度量标准可以对神经网络或其输入的鲁棒性提供良好的评估。 它还可以用来检测输入是否是对抗性的,因为对抗样本总是更不鲁棒。
Neural networks have received a lot of attention recently, and related security issues have come with it. Many studies have shown that neural networks are vulnerable to adversarial examples that have been artificially perturbed with modification, which is too small to be distinguishable by human perception. Different attacks and defenses have been proposed to solve these problems, but there is little research on evaluating the robustness of neural networks and their inputs. In this work, we propose a metric called the neuron cover change rate (NCCR) to measure the ability of deep learning models to resist attacks and the stability of adversarial examples. NCCR monitors alterations in the output of specifically chosen neurons when the input is perturbed, and networks with a smaller degree of variation are considered to be more robust. The results of the experiment on image recognition and the speaker recognition model show that our metrics can provide a good assessment of the robustness of neural networks or their inputs. It can also be used to detect whether an input is adversarial or not, as adversarial examples are always less robust.
- [42] arXiv:2508.01694 (替换) [中文pdf, pdf, html, 其他]
-
标题: CRYSTALS Kyber作为RSA和ECC后量子替代方案的性能和存储分析标题: Performance and Storage Analysis of CRYSTALS Kyber as a Post Quantum Replacement for RSA and ECCNicolas Rodriguez (1), Fernando Rodriguez (2) ((1) IES Parquesol, Valladolid, Spain, (2) Department of Theoretical, Atomic and Optical Physics, University of Valladolid, Valladolid, Spain)主题: 密码学与安全 (cs.CR)
量子计算机纠错技术的稳步进步已将当前记录提升至48个稳定的逻辑量子位,使我们更接近能够以威胁RSA和ECC密码学的规模运行Shor算法的机器。 尽管开发此类量子计算机的时间表仍不确定,但密码学界必须为向抗量子算法的过渡做好准备。 CRYSTALS-Kyber于2022年由NIST标准化,代表了一种领先的后量子密码解决方案,但广泛采用面临重大挑战。 如果此迁移遵循类似SHA-1到SHA-2的过渡模式,组织可能会经历长期的脆弱期,带来重大的安全和经济后果。 本研究通过在各种实现方案上进行性能测试来评估Kyber的实际可行性,仅使用标准内置处理器加速功能,其中一些包括AES-NI和ASIMD,没有任何专用硬件添加。 我们的研究结果表明,Kyber在利用仅商品硬件和制造商提供的加速能力的情况下,能够对量子攻击提供强大的安全保证,同时保持大多数现代应用可接受的性能水平。
The steady advancement in quantum computer error correction technology has pushed the current record to 48 stable logical qubits, bringing us closer to machines capable of running Shor's algorithm at scales that threaten RSA and ECC cryptography. While the timeline for developing such quantum computers remains uncertain, the cryptographic community must prepare for the transition to quantum-resistant algorithms. CRYSTALS-Kyber, standardized by NIST in 2022, represents a leading post-quantum cryptographic solution, but widespread adoption faces significant challenges. If this migration follows patterns similar to the SHA-1 to SHA-2 transition, organizations may experience prolonged periods of vulnerability, with substantial security and economic consequences. This study evaluates Kyber's practical viability through performance testing across various implementation schemes, utilizing only standard built-in processor acceleration features, some of which include AES-NI and ASIMD, without any specialized hardware additions. Our findings demonstrate that Kyber provides robust security guarantees against quantum attacks while maintaining acceptable performance profiles for most contemporary applications, utilizing only commodity hardware with manufacturer-provided acceleration capabilities.
- [43] arXiv:2403.14905 (替换) [中文pdf, pdf, html, 其他]
-
标题: 自适应编码联邦学习:隐私保护与慢速者缓解标题: Adaptive Coded Federated Learning: Privacy Preservation and Straggler Mitigation主题: 信号处理 (eess.SP) ; 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
在本文中,我们解决了存在拖慢者(stragglers)情况下的联邦学习问题。 对于这个问题,已经提出了一种编码联邦学习框架,其中中心服务器聚合从非拖慢者接收到的梯度以及从隐私保护全局编码数据集中计算出的梯度,以缓解拖慢者带来的负面影响。 然而,在聚合这些梯度时,固定的权重被持续应用于各个迭代中,忽略了全局编码数据集的生成过程以及训练模型在迭代中的动态特性。 这种疏忽可能导致学习性能下降。 为了克服这一缺点,我们提出了一种名为自适应编码联邦学习(ACFL)的新方法。 在ACFL中,在训练之前,每个设备将带有加性噪声的编码本地数据集上传到中心服务器,以在隐私保护要求下生成全局编码数据集。 在每次训练迭代中,中心服务器聚合从非拖慢者接收到的梯度以及从全局编码数据集计算出的梯度,其中设计了一个用于变化聚合权重的自适应策略。 在该策略下,我们在隐私和学习方面优化了性能,其中学习性能通过收敛分析进行分析,隐私性能则通过互信息差分隐私进行表征。 最后,我们进行了仿真,以展示ACFL相比非自适应方法的优势。
In this article, we address the problem of federated learning in the presence of stragglers. For this problem, a coded federated learning framework has been proposed, where the central server aggregates gradients received from the non-stragglers and gradient computed from a privacy-preservation global coded dataset to mitigate the negative impact of the stragglers. However, when aggregating these gradients, fixed weights are consistently applied across iterations, neglecting the generation process of the global coded dataset and the dynamic nature of the trained model over iterations. This oversight may result in diminished learning performance. To overcome this drawback, we propose a new method named adaptive coded federated learning (ACFL). In ACFL, before the training, each device uploads a coded local dataset with additive noise to the central server to generate a global coded dataset under privacy preservation requirements. During each iteration of the training, the central server aggregates the gradients received from the non-stragglers and the gradient computed from the global coded dataset, where an adaptive policy for varying the aggregation weights is designed. Under this policy, we optimize the performance in terms of privacy and learning, where the learning performance is analyzed through convergence analysis and the privacy performance is characterized via mutual information differential privacy. Finally, we perform simulations to demonstrate the superiority of ACFL compared with the non-adaptive methods.
- [44] arXiv:2409.01062 (替换) [中文pdf, pdf, html, 其他]
-
标题: 随机擦除与模型反转:一种有前景的防御措施还是一种虚假的希望?标题: Random Erasing vs. Model Inversion: A Promising Defense or a False Hope?Viet-Hung Tran, Ngoc-Bao Nguyen, Son T. Mai, Hans Vandierendonck, Ira Assent, Alex Kot, Ngai-Man Cheung评论: 被《机器学习研究汇刊》(TMLR)接受。前两位作者贡献相同主题: 机器学习 (cs.LG) ; 密码学与安全 (cs.CR) ; 计算机视觉与模式识别 (cs.CV)
模型逆向(MI)攻击通过从机器学习模型中重建私有训练数据,对隐私构成重大威胁。 尽管现有的防御措施主要集中在模型中心的方法上,但数据对MI鲁棒性的影响仍 largely 未被探索。 在本工作中,我们探索了随机擦除(RE),一种传统上用于在遮挡下提高模型泛化的技术,并揭示了其作为对抗MI攻击的防御方法的意外有效性。 具体而言,我们的新颖特征空间分析表明,使用RE图像训练的模型会在MI重构图像的特征和私有数据的特征之间引入显著差异。 同时,私有图像的特征与其他类别保持明显区分,并且与不同的分类区域分离良好。 这些效果共同降低了MI重构质量和攻击准确性,同时保持合理的自然准确性。 此外,我们探讨了RE的两个关键特性,包括部分擦除和随机位置。 部分擦除防止模型在训练期间观察到整个物体。 我们发现这对MI有显著影响,因为MI旨在重构整个物体。 擦除的随机位置在实现强大的隐私-效用权衡中起着关键作用。 我们的研究结果突显了RE作为一种简单而有效的防御机制,可以轻松集成到现有的隐私保护技术中。 在37种设置上的广泛实验表明,我们的方法在隐私-效用权衡方面达到了最先进的(SOTA)性能。 结果一致表明,我们的防御方法在不同的MI攻击、网络架构和攻击配置下优于现有方法。 首次,我们在某些配置中实现了攻击准确性的显著下降,而没有效用的减少。
Model Inversion (MI) attacks pose a significant privacy threat by reconstructing private training data from machine learning models. While existing defenses primarily concentrate on model-centric approaches, the impact of data on MI robustness remains largely unexplored. In this work, we explore Random Erasing (RE), a technique traditionally used for improving model generalization under occlusion, and uncover its surprising effectiveness as a defense against MI attacks. Specifically, our novel feature space analysis shows that models trained with RE-images introduce a significant discrepancy between the features of MI-reconstructed images and those of the private data. At the same time, features of private images remain distinct from other classes and well-separated from different classification regions. These effects collectively degrade MI reconstruction quality and attack accuracy while maintaining reasonable natural accuracy. Furthermore, we explore two critical properties of RE including Partial Erasure and Random Location. Partial Erasure prevents the model from observing entire objects during training. We find this has a significant impact on MI, which aims to reconstruct the entire objects. Random Location of erasure plays a crucial role in achieving a strong privacy-utility trade-off. Our findings highlight RE as a simple yet effective defense mechanism that can be easily integrated with existing privacy-preserving techniques. Extensive experiments across 37 setups demonstrate that our method achieves state-of-the-art (SOTA) performance in the privacy-utility trade-off. The results consistently demonstrate the superiority of our defense over existing methods across different MI attacks, network architectures, and attack configurations. For the first time, we achieve a significant degradation in attack accuracy without a decrease in utility for some configurations.
- [45] arXiv:2411.05189 (替换) [中文pdf, pdf, html, 其他]
-
标题: 通过对抗视角理解Transformer中线性模型的上下文学习标题: Understanding In-Context Learning of Linear Models in Transformers Through an Adversarial Lens评论: 交易机器学习研究(TMLR)2025,特色认证主题: 机器学习 (cs.LG) ; 密码学与安全 (cs.CR)
在本工作中,我们通过变压器对线性模型的上下文学习的理解做出了两项贡献。 首先,我们研究了变压器在劫持攻击下的上下文学习对抗鲁棒性——这是一种对抗性攻击,其中攻击者的目的是操纵提示以迫使变压器生成特定输出。 我们表明,线性变压器和具有GPT-2架构的变压器都容易受到此类劫持攻击。 然而,通过对抗训练——在预训练或微调阶段进行——可以显著提高对这类攻击的对抗鲁棒性,并且可以推广到更强的攻击模型。 我们的第二个主要贡献是对变压器模型和其他学习线性模型的算法之间的对抗脆弱性的比较分析。 这揭示了两个新的发现。 首先,尽管不同种子训练的较大变压器模型在分布内性能相似,但对抗性攻击在它们之间转移效果较差。 这表明,按照相同配方训练的相同架构的变压器可能针对同一任务实现不同的上下文学习算法。 其次,我们观察到,经典线性模型学习算法(单步梯度下降和普通最小二乘法)与变压器之间的攻击转移效果不佳。 这表明,变压器所实现的上下文学习算法与这些传统算法之间可能存在定性差异。
In this work, we make two contributions towards understanding of in-context learning of linear models by transformers. First, we investigate the adversarial robustness of in-context learning in transformers to hijacking attacks -- a type of adversarial attacks in which the adversary's goal is to manipulate the prompt to force the transformer to generate a specific output. We show that both linear transformers and transformers with GPT-2 architectures are vulnerable to such hijacking attacks. However, adversarial robustness to such attacks can be significantly improved through adversarial training -- done either at the pretraining or finetuning stage -- and can generalize to stronger attack models. Our second main contribution is a comparative analysis of adversarial vulnerabilities across transformer models and other algorithms for learning linear models. This reveals two novel findings. First, adversarial attacks transfer poorly between larger transformer models trained from different seeds despite achieving similar in-distribution performance. This suggests that transformers of the same architecture trained according to the same recipe may implement different in-context learning algorithms for the same task. Second, we observe that attacks do not transfer well between classical learning algorithms for linear models (single-step gradient descent and ordinary least squares) and transformers. This suggests that there could be qualitative differences between the in-context learning algorithms that transformers implement and these traditional algorithms.
- [46] arXiv:2504.06211 (替换) [中文pdf, pdf, html, 其他]
-
标题: zkSpeed的必要性:加速零知识证明的HyperPlonk标题: Need for zkSpeed: Accelerating HyperPlonk for Zero-Knowledge ProofsAlhad Daftardar, Jianqiao Mo, Joey Ah-kiow, Benedikt Bünz, Ramesh Karri, Siddharth Garg, Brandon Reagen评论: 16页,14幅图,发表于第52届国际计算机体系结构学术会议(ISCA),2025年主题: 硬件架构 (cs.AR) ; 密码学与安全 (cs.CR)
零知识证明(ZKPs)在隐私保护和可验证计算中正迅速变得越来越重要。 ZKPs使证明方能够在不泄露其他任何信息的情况下向验证方证明一个陈述的真实性。 ZKPs在区块链技术、可验证机器学习和电子投票中有应用,但由于证明过程的计算复杂性,尚未得到广泛采用。 最近的研究已经在GPU和ASIC上加速了最先进的ZKP协议的关键原语。 然而,迄今为止加速的协议面临两种挑战之一:它们要么为每个应用程序需要可信设置,要么生成更大的证明大小并具有更高的验证成本,这限制了它们在有许多验证者或严格验证时间约束的场景中的适用性。 这项工作提出了一个加速器zkSpeed,用于HyperPlonk,这是一种最先进的ZKP协议,在公开可验证、基于共识的系统中支持一次性通用设置和典型的ZKP应用的小证明大小。 我们加速了整个协议,包括两个主要原语:SumCheck和多标量乘法(MSMs)。 我们使用366.46 mm$^2$和2 TB/s的带宽开发了一个全芯片架构,以加速整个证明生成过程,相对于CPU基线实现了几何平均加速801$\times$。
Zero-Knowledge Proofs (ZKPs) are rapidly gaining importance in privacy-preserving and verifiable computing. ZKPs enable a proving party to prove the truth of a statement to a verifying party without revealing anything else. ZKPs have applications in blockchain technologies, verifiable machine learning, and electronic voting, but have yet to see widespread adoption due to the computational complexity of the proving process. Recent works have accelerated the key primitives of state-of-the-art ZKP protocols on GPU and ASIC. However, the protocols accelerated thus far face one of two challenges: they either require a trusted setup for each application, or they generate larger proof sizes with higher verification costs, limiting their applicability in scenarios with numerous verifiers or strict verification time constraints. This work presents an accelerator, zkSpeed, for HyperPlonk, a state-of-the-art ZKP protocol that supports both one-time, universal setup and small proof sizes for typical ZKP applications in publicly verifiable, consensus-based systems. We accelerate the entire protocol, including two major primitives: SumCheck and Multi-scalar Multiplications (MSMs). We develop a full-chip architecture using 366.46 mm$^2$ and 2 TB/s of bandwidth to accelerate the entire proof generation process, achieving geometric mean speedups of 801$\times$ over CPU baselines.
- [47] arXiv:2506.05683 (替换) [中文pdf, pdf, html, 其他]
-
标题: 多模态多任务联邦基础模型用于下一代扩展现实系统:迈向增强现实/虚拟现实/混合现实中的隐私保护分布式智能标题: Multi-Modal Multi-Task Federated Foundation Models for Next-Generation Extended Reality Systems: Towards Privacy-Preserving Distributed Intelligence in AR/VR/MR评论: 16页,4图,8表主题: 机器学习 (cs.LG) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR) ; 多媒体 (cs.MM)
扩展现实(XR)系统,包括虚拟现实(VR)、增强现实(AR)和混合现实(XR),为沉浸式、多模态和具身的人机交互提供了变革性的接口。 在本文中,我们认为多模态多任务(M3T)联邦基础模型(FedFMs)可以通过将M3T基础模型(FMs)的表征能力与联邦学习(FL)的隐私保护模型训练原则相结合,为XR系统提供变革性能力。 我们提出了一种FedFMs的模块化架构,该架构涉及模型训练和聚合的不同协调范式。 我们愿景的核心是将影响在SHIFT维度下FedFMs实现的XR挑战进行编码:(1)传感器和模态多样性,(2)硬件异构性和系统级约束,(3)交互性和具身个性化,(4)功能/任务可变性,以及(5)时间性和环境可变性。 我们展示了这些维度在XR系统的一系列新兴和预期应用中的表现。 最后,我们提出了开发资源感知FedFMs所需的评估指标、数据集要求和设计权衡。 这一观点旨在为下一代XR系统中的上下文感知隐私保护智能奠定技术和概念基础。
Extended reality (XR) systems, which consist of virtual reality (VR), augmented reality (AR), and mixed reality (XR), offer a transformative interface for immersive, multi-modal, and embodied human-computer interaction. In this paper, we envision that multi-modal multi-task (M3T) federated foundation models (FedFMs) can offer transformative capabilities for XR systems through integrating the representational strength of M3T foundation models (FMs) with the privacy-preserving model training principles of federated learning (FL). We present a modular architecture for FedFMs, which entails different coordination paradigms for model training and aggregations. Central to our vision is the codification of XR challenges that affect the implementation of FedFMs under the SHIFT dimensions: (1) Sensor and modality diversity, (2) Hardware heterogeneity and system-level constraints, (3) Interactivity and embodied personalization, (4) Functional/task variability, and (5) Temporality and environmental variability. We illustrate the manifestation of these dimensions across a set of emerging and anticipated applications of XR systems. Finally, we propose evaluation metrics, dataset requirements, and design tradeoffs necessary for the development of resource-aware FedFMs in XR. This perspective aims to chart the technical and conceptual foundations for context-aware privacy-preserving intelligence in the next generation of XR systems.
- [48] arXiv:2507.22535 (替换) [中文pdf, pdf, 其他]
-
标题: 可扩展的和(量子可访问的)自适应伪随机量子态和类似伪随机函数的量子态生成器标题: Scalable and (quantum-accessible) adaptive pseudorandom quantum states and pseudorandom function-like quantum state generators主题: 量子物理 (quant-ph) ; 密码学与安全 (cs.CR)
伪随机量子态(PRSs)和伪随机函数类量子态(PRFS)生成器是伪随机生成器和伪随机函数的量子模拟。 已知即使BQP = QMA(相对于一个量子预言机)[Kre21],或者P = NP(相对于一个经典预言机)[KQST23],PRS(和PRFS)仍然可能存在,这不允许存在单向函数(相对于这些预言机)。 因此,这些对象可能比量子安全的单向函数更弱,可以用于量子密码学。 PRS和PRFS构造的一个期望性质是可扩展性,这确保了安全参数$\lambda$(决定与哈随机对应物的不可区分性)可以远大于$n$(输出态的量子比特数)。 这在某些使用PRS和PRFS原语的应用中可能是重要的。 我们提出了一种等距过程来制备可以任意随机的量子态(即,在真实随机情况下,与哈随机态的迹距离可以任意小;或者在伪随机情况下,区分优势可以任意小)。 我们的过程提供了一种新的可扩展PRS方法,不会引入与环境的纠缠或关联。 这自然给出了在假设量子安全单向函数的情况下,可扩展的和(量子可访问的)自适应PRFS的第一个构造。 我们的PRFS构造包括各种原语,包括长输入PRFS、短输入PRFS、短输出PRFS、非自适应PRFS和经典可访问的自适应PRFS [AQY22, AGQY22]。 这种新构造可能有助于微密码学动物园(https://sattath.github.io/microcrypt-zoo/)的一些简化。
Pseudorandom quantum states (PRSs) and pseudorandom function-like quantum state (PRFS) generators are quantum analogues of pseudorandom generators and pseudorandom functions. It is known that PRS (and PRFS) can exist even if BQP = QMA (relative to a quantum oracle) [Kre21] or if P = NP (relative to a classical oracle) [KQST23], which does not allow for the existence of one-way functions (relative to these oracles). Hence, these are potentially weaker objects than quantum-secure one-way functions, which can be used to do quantum cryptography. A desirable property of PRS and PRFS constructions is scalability, which ensures that the security parameter $\lambda$ (which determines indistinguishability from their Haar-random counterparts) can be much larger than $n$ (the number of qubits of the output states). This may be important in some applications where PRS and PRFS primitives are used. We present an isometric procedure to prepare quantum states that can be arbitrarily random (i.e., the trace distance from the Haar-random state can be arbitrarily small for the true random case, or the distinguishing advantage can be arbitrarily small for the pseudorandom case). Our procedure provides a new method for scalable PRS that introduces no entanglement or correlations with the environment. This naturally gives the first construction for scalable and (quantum-accessible) adaptive PRFS assuming quantum-secure one-way functions. Our PRFS construction implies various primitives, including long-input PRFS, short-input PRFS, short-output PRFS, non-adaptive PRFS, and classical-accessible adaptive PRFS [AQY22, AGQY22]. This new construction may be helpful in some simplification of the microcrypt zoo (https://sattath.github.io/microcrypt-zoo/).