Nenghai Yu’s research while affiliated with Chinese Academy of Sciences and other places


Publications (696)


Figure captions (from the article listed below):
  • Fig. 1 Top: DNN model ownership verification facing fingerprint ambiguity attacks. Model owner Alice generates the model fingerprints X_p of the model. Bob extracts the forged fingerprints X'_p with the inversion process. Ownership is in doubt since both X_p and X'_p are detected by the verification process. Bottom: Our proposed dual-verification framework resolves the ambiguity. Additional copyright information is extracted from the feature map of X_p to provide the additional copyright claim, specifically utilizing BER as illustrated in Sect. 5.2. The term LA (Label Accuracy) denotes the accuracy of predicting the target label, whereas the term BER (Bit Error Rate) represents the error rate of the copyright information.
  • Fig. 3 Robustness against fine-tuning. The BER (upper) and the LA (lower) acquired by inputting fingerprints to the fine-tuned model are displayed. The dashed lines in the graph represent the thresholds selected by different models. The purple cross-shaped points in the chart indicate situations where the model's classification accuracy has decreased by more than 10% compared to the original performance.
  • Fig. 6 Robustness against model pruning. The BER (upper) and the LA (lower) acquired by inputting fingerprints into the pruned model are displayed. Dashed lines represent thresholds chosen by various models. Purple cross-shaped points on the chart highlight instances where the model's classification accuracy has dropped by over 10% compared to the original performance.
  • Fig. 7 Robustness against pruning on the CIFAR10 dataset. The BER (upper) and the LA (lower) acquired by inputting fingerprints to the fine-tuned model are displayed.
  • Fig. 8 Robustness against pruning on the GTSRB dataset. The BER (upper) and the LA (lower) acquired by inputting fingerprints to the fine-tuned model are displayed.


Dual-verification-based model fingerprints against ambiguity attacks
  • Article
  • Full-text available

December 2024 · 6 Reads · Cybersecurity

Boyao Zhao · Haozhe Chen · [...] · Nenghai Yu

Efforts have been made to safeguard DNNs from intellectual property infringement. Among different techniques, model fingerprinting has gained popularity due to its ability to examine potential infringement without altering the model’s parameters. However, there is a concern regarding the vulnerability of previous model fingerprints to “ambiguity attacks,” where attackers may use fabricated fingerprints to bypass ownership verification, potentially leading to disputes. To address this issue, we propose a dual-verification-based fingerprint authentication system that incorporates the verification of fingerprint genuineness. Briefly, this system involves two authentication processes: conventional fingerprint methods for authenticating model copyrights and the incorporation of copyright information into the fingerprint feature map to confirm ownership of the model fingerprint. Extensive experiments have been conducted to demonstrate the effectiveness of our approach in resisting ambiguity attacks and managing attempts to remove the fingerprint.


FaceTracer: Unveiling Source Identities from Swapped Face Images and Videos for Fraud Prevention

December 2024 · 5 Reads

Face-swapping techniques have advanced rapidly with the evolution of deep learning, leading to widespread use and growing concerns about potential misuse, especially in cases of fraud. While many efforts have focused on detecting swapped face images or videos, these methods are insufficient for tracing the malicious users behind fraudulent activities. Intrusive watermark-based approaches also fail to trace unmarked identities, limiting their practical utility. To address these challenges, we introduce FaceTracer, the first non-intrusive framework specifically designed to trace the identity of the source person from swapped face images or videos. Specifically, FaceTracer leverages a disentanglement module that effectively suppresses identity information related to the target person while isolating the identity features of the source person. This allows us to extract robust identity information that can directly link the swapped face back to the original individual, aiding in uncovering the actors behind fraudulent activities. Extensive experiments demonstrate FaceTracer's effectiveness across various face-swapping techniques, successfully identifying the source person in swapped content and enabling the tracing of malicious actors involved in fraudulent activities. Additionally, FaceTracer shows strong transferability to unseen face-swapping methods including commercial applications and robustness against transmission distortions and adaptive attacks.

SQL Injection Jailbreak: a structural disaster of large language models

November 2024 · 10 Reads

In recent years, the rapid development of large language models (LLMs) has brought new vitality to the various domains and generated substantial social and economic benefits. However, the swift advancement of LLMs has introduced new security vulnerabilities. Jailbreak, a form of attack that induces LLMs to output harmful content through carefully crafted prompts, poses a challenge to the safe and trustworthy development of LLMs. Previous jailbreak attack methods primarily exploited the internal capabilities of the model. Among them, one category leverages the model's implicit capabilities for jailbreak attacks, where the attacker is unaware of the exact reasons for the attack's success. The other category utilizes the model's explicit capabilities for jailbreak attacks, where the attacker understands the reasons for the attack's success. For example, these attacks exploit the model's abilities in coding, contextual learning, or understanding ASCII characters. However, these earlier jailbreak attacks have certain limitations, as they only exploit the inherent capabilities of the model. In this paper, we propose a novel jailbreak method, SQL Injection Jailbreak (SIJ), which utilizes the construction of input prompts by LLMs to inject jailbreak information into user prompts, enabling successful jailbreak of the LLMs. Our SIJ method achieves nearly 100% attack success rates on five well-known open-source LLMs in the context of AdvBench, while incurring lower time costs compared to previous methods. More importantly, SIJ reveals a new vulnerability in LLMs that urgently needs to be addressed. To this end, we propose a defense method called Self-Reminder-Key and demonstrate its effectiveness through experiments. Our code is available at https://github.com/weiyezhimeng/SQL-Injection-Jailbreak.



AutoPT: How Far Are We from the End2End Automated Web Penetration Testing?

November 2024 · 19 Reads

Penetration testing is essential to ensure Web security, which can detect and fix vulnerabilities in advance, and prevent data leakage and serious consequences. The powerful inference capabilities of large language models (LLMs) have made significant progress in various fields, and the development potential of LLM-based agents can revolutionize the cybersecurity penetration testing industry. In this work, we establish a comprehensive end-to-end penetration testing benchmark using a real-world penetration testing environment to explore the capabilities of LLM-based agents in this domain. Our results reveal that the agents are familiar with the framework of penetration testing tasks, but they still face limitations in generating accurate commands and executing complete processes. Accordingly, we summarize the current challenges, including the difficulty of maintaining the entire message history and the tendency for the agent to become stuck. Based on the above insights, we propose a Penetration testing State Machine (PSM) that utilizes the Finite State Machine (FSM) methodology to address these limitations. Then, we introduce AutoPT, an automated penetration testing agent based on the principle of PSM driven by LLMs, which utilizes the inherent inference ability of LLM and the constraint framework of state machines. Our evaluation results show that AutoPT outperforms the baseline framework ReAct on the GPT-4o mini model and improves the task completion rate from 22% to 41% on the benchmark target. Compared with the baseline framework and manual work, AutoPT also reduces time and economic costs further. Hence, our AutoPT has facilitated the development of automated penetration testing and significantly impacted both academia and industry.



Figure captions (from the article listed below):
  • The architecture of TamGen. a The pre-training phase of the compound decoder, a GPT-like chemical language model. The model adopts the standard GPT architecture, which autoregressively generates the SMILES tokens, 1D molecular string representations of compounds, from the input. 10 million compounds randomly selected from PubChem were used for pre-training. b, c The overall framework of TamGen during the fine-tuning and inference stages. b A Transformer-based protein encoder and a VAE-based contextual encoder to facilitate target-aware drug generation and seeding molecule-based compound refinement. See Methods and Fig. S1 for details. c The outputs from the protein encoder and the contextual encoder are integrated and forwarded to the compound decoder via a cross-attention module. 1D molecular string representations of the compounds in SMILES are then generated by our model.
  • TamGen achieves state-of-the-art performance on compound generation. a Overview of generative drug design methods ranked by overall scores for the CrossDocked2020 task. Left: Metrics include docking score (lower scores indicate better binding affinity), quantitative estimation of drug-likeness (QED), Lipinski's Rule of Five, synthetic accessibility score (SAS), LogP, and molecular diversity (Div). Sizes of dots: scores (mean). Darkness of dots: rankings. Scores were normalized to 0%-100% for each metric. Absolute values were used for docking score normalization. The original data used for plotting can be found in Table S1 and Fig. S2. Right: The overall score for each method was calculated with mean reciprocal rank (see Methods for details). b Average docking scores against SAS for TamGen and alternate methods. TamGen achieves more favorable docking scores for compounds with higher SAS and lower docking scores (bottom-right corner). c Barplot of the number of fused rings (see Methods for details) in FDA-approved drugs and top-ranked compounds generated by selected methods. For each method, statistics of 1,000 compounds (100 targets × 10 compounds with the highest docking scores against each corresponding target) were plotted. The dashed line represents the average number of fused rings in FDA-approved drugs. Data are presented as mean values ± 95% confidence interval. d Example compounds generated by selected methods, and their binding poses to one target protein (shown as ribbons, with key residues shown as sticks). Source data are provided as a Source Data file and can also be accessed in the Zenodo repository of TamGen [71].
  • Illustration of the Design-Refine-Test pipeline for Tuberculosis drug generation. a The Design stage. b The Refine stage. c The Test stage.
  • Visualization and experimental validation on designed compounds. a UMAP visualization of library compounds and key compounds identified from the Design-Refine-Test pipeline with TamGen. Gray (background): compounds sampled from the library. Green (background): sampled compounds generated at Stage 1. Red (background): sampled compounds generated at Stage 2. Circle, triangle, and diamond markers: compounds subjected to IC50 determinations, with different shapes indicating different compound sources. These compounds were further stratified into 3 clusters (series I: yellow, series II: blue, and others: black) based on their molecular scaffold groups. b Dose-response assays for eight compounds with DMSO as a control. See Methods for details of curve fitting and IC50 determination. Source data are provided as a Source Data file.
  • Proposed binding modes of Syn-A003-01, Analog-005, and Bortezomib against ClpP. ClpP complex 5DZK is presented as a grey cartoon. Syn-A003-01, Analog-005, and the reference compound Bortezomib are shown in green, cyan, and magenta sticks, respectively. The yellow dashed lines indicate hydrogen bonds. The red dashed lines with numbers denote distances between atoms. Source data of the docking poses are in the Zenodo repository of TamGen [71].
TamGen: drug design with target-aware molecule generation through a chemical language model

October 2024 · 64 Reads · 2 Citations

Generative drug design facilitates the creation of compounds effective against pathogenic target proteins. This opens up the potential to discover novel compounds within the vast chemical space and fosters the development of innovative therapeutic strategies. However, the practicality of generated molecules is often limited, as many designs focus on a narrow set of drug-related properties, failing to improve the success rate of the subsequent drug discovery process. To overcome these challenges, we develop TamGen, a method that employs a GPT-like chemical language model and enables target-aware molecule generation and compound refinement. We demonstrate that the compounds generated by TamGen have improved molecular quality and viability. Additionally, we have integrated TamGen into a drug discovery pipeline and identified 14 compounds showing compelling inhibitory activity against the Tuberculosis ClpP protease, with the most effective compound exhibiting a half maximal inhibitory concentration (IC50) of 1.9 μM. Our findings underscore the practical potential and real-world applicability of generative drug design approaches, paving the way for future advancements in the field.



Citations (36)


... The U.S. Federal Trade Commission Act also prohibits deceptive or manipulative acts or practices in commerce, including those on digital platforms [1]. However, existing LLM security research mainly focuses on the social biases related to gender and race in LLM question-answering and code generation [15,41,52,71]. To the best of our knowledge, there is no prior work to explore the provider bias in LLM for code generation and its risks. ...

Citing paper: Unveiling Provider Bias in Large Language Models for Code Generation

GenderCARE: A Comprehensive Framework for Assessing and Reducing Gender Bias in Large Language Models
  • Citing Conference Paper
  • December 2024

... Mamba has also shown promise in low-level tasks [36]-[38], and efforts have been made to enhance its proficiency in interpreting both image and linguistic sequences [39]-[42]. Furthermore, the model has been adapted for video processing challenges [43]-[45], time series forecasting [46] and infrared small target detection [47], with additional efforts focusing on refining the VMamba architecture to improve scanning sequences and computational efficiency [48]-[51]. ...

MiM-ISTD: Mamba-in-Mamba for Efficient Infrared Small Target Detection
  • Citing Article
  • January 2024

IEEE Transactions on Geoscience and Remote Sensing

... Artificial intelligence (AI) has emerged as a transformative technology for drug discovery, to help find the 'needle in the haystack'. By supporting virtual screening [4]-[6] and de novo molecule design [7]-[12], AI can narrow down the chemical universe, and it is nowadays widely adopted in academia and industry [13]-[17]. Generative deep learning has garnered particular attention for drug discovery. ...

TamGen: drug design with target-aware molecule generation through a chemical language model

... In complex surgical scenes, multiple EmAI subsystems may collaborate to integrate multi-source perception and support robotic surgery, requiring a robust control system to direct and coordinate their respective perception-cognition-communication-action loops [471]. Beyond visual perception, other modalities including kinematic data [472], audio data [473], language instructions [102], and tactile perception [474] are integrated to form a holistic view of real-world surgical environments. ...

Bootstrapping Audio-Visual Video Segmentation by Strengthening Audio Cues
  • Citing Article
  • January 2024

IEEE Transactions on Circuits and Systems for Video Technology

... If we can embed some form of secret watermark into the image generation process, we could later recover it to determine whether the image was generated by a specific model or even trace its creator. Gaussian Shading [7] is one such technique that embeds a watermark into the noise itself, which is used to generate the image at runtime. The same model can then be used to recover the noise and, ultimately, the watermark for detection and traceability. ...

Gaussian Shading: Provable Performance-Lossless Image Watermarking for Diffusion Models
  • Citing Conference Paper
  • June 2024

... We compared MIAVLM (ours) with BLIP3 [34], four versions of OpenFlamingo [35], OPERA [36], Idefics2 [37] and LLaVA-UHD [2] on the HoOA benchmark. Among these LVLMs, both LLaVA-UHD and OPERA claim to have made improvements specifically targeting the hallucination problem based on LLaVA-1.5 [13]. ...

OPERA: Alleviating Hallucination in Multi-Modal Large Language Models via Over-Trust Penalty and Retrospection-Allocation
  • Citing Conference Paper
  • June 2024

... Prior to our work, many efforts have been made to turn an autoregressive architecture into a generalist model that can handle various visual tasks [2,17,20,22,25,38,56,61,74,82], such as visual question answering, image completion, and semantic segmentation. However, in-context learning for few-shot image manipulation with autoregressive models is still an understudied problem. ...

Towards More Unified In-Context Visual Understanding
  • Citing Conference Paper
  • June 2024

... Despite the convenience brought by LLMs for improved NLG, they can also cause various problems with a negative impact on society, which has motivated the need for investigating methods for LLM-generated text detection. Next, we discuss three key problems arising from the use of LLMs, especially when the generated text is not flagged or labelled as being LLM-generated: intentional malicious usage, ethical concerns and information inaccuracy [41]. ...

Silent Guardian: Protecting Text From Malicious Exploitation by Large Language Models
  • Citing Article
  • January 2024

IEEE Transactions on Information Forensics and Security

... Lu et al. [45] designed a spatio-temporal model that uses a long-range attention mechanism to capture spatial defects within frames and temporal defects between frames separately, thereby guiding the backbone network to emphasize local regions. Building on the binary-classification detection research above, some researchers [46,47] have attempted to localize forged regions, and have further detected and localized forgeries in multimodal information. To model more discriminative spatio-temporal inconsistency features, this paper constructs a video flow-spectrum feature space based on flow-spectrum theory, maps the original video stream into the video flow-spectrum feature space, and proposes a highly separable and observable feature representation, thereby achieving efficient detection of deepfake videos. ...

Exploiting Modality-Specific Features for Multi-Modal Manipulation Detection and Grounding
  • Citing Conference Paper
  • April 2024

... Quantitative Comparison. We compare the quantitative results of our proposed method with seven other state-of-the-art methods [5], [8], [9], [50]-[53] for blind image inpainting on three benchmark datasets in Table 1. Our InViT model significantly outperforms the competing methods in terms of four objective evaluation metrics, and the results prove that our GAN inversion-based Transformer framework leads to excellent performance for blind image inpainting. ...

Transformer Based Pluralistic Image Completion With Reduced Information Loss
  • Citing Article
  • April 2024

IEEE Transactions on Pattern Analysis and Machine Intelligence