How To Save Fees in Bitcoin Smart Contracts: a Simple Optimistic Off-chain Protocol
We consider the execution of smart contracts on Bitcoin. There, every contract step corresponds to appending to the blockchain a new transaction that spends the output representing the old contract state and creates a new one for the updated state. This standard procedure requires the contract participants to pay transaction fees for every execution step. In this paper, we introduce a protocol that moves most of the execution of a Bitcoin contract off-chain. When all participants follow this protocol, they drastically reduce the transaction fees they pay. By contrast, whenever adversaries try to disrupt the off-chain execution, any honest participant can still enforce the correct contract behaviour by continuing its execution on-chain.
Updated: 2025-06-03 22:13:30
Categories: cs.CR
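A rough sketch of the fee trade-off described in the abstract above; the assumption that the cooperative case needs only a funding and a settlement transaction, as well as the step count and per-transaction fee, are illustrative and not taken from the paper:

```python
# Back-of-the-envelope fee comparison between running every contract step
# on-chain and an optimistic off-chain execution that only touches the chain
# to fund the contract and to settle it (or to continue a disputed step).

def onchain_fees(steps: int, fee_per_tx: float) -> float:
    """Fee paid when every contract step is a separate on-chain transaction."""
    return steps * fee_per_tx

def optimistic_fees(fee_per_tx: float, disputed_steps: int = 0) -> float:
    """Fee paid with off-chain execution: fund + settle, plus any disputed
    steps that must be continued on-chain."""
    return (2 + disputed_steps) * fee_per_tx

if __name__ == "__main__":
    steps, fee = 50, 0.00002  # hypothetical contract length and per-tx fee in BTC
    print(f"all on-chain : {onchain_fees(steps, fee):.5f} BTC")
    print(f"optimistic   : {optimistic_fees(fee):.5f} BTC")
    print(f"with dispute : {optimistic_fees(fee, disputed_steps=steps):.5f} BTC")
```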
Secure and Private Federated Learning: Achieving Adversarial Resilience through Robust Aggregation
Federated Learning (FL) enables collaborative machine learning across decentralized data sources without sharing raw data. It offers a promising approach to privacy-preserving AI. However, FL remains vulnerable to adversarial threats from malicious participants, referred to as Byzantine clients, who can send misleading updates to corrupt the global model. Traditional aggregation methods, such as simple averaging, are not robust to such attacks. More resilient approaches, like the Krum algorithm, require prior knowledge of the number of malicious clients, which is often unavailable in real-world scenarios. To address these limitations, we propose Average-rKrum (ArKrum), a novel aggregation strategy designed to enhance both the resilience and privacy guarantees of FL systems. Building on our previous work (rKrum), ArKrum introduces two key innovations. First, it includes a median-based filtering mechanism that removes extreme outliers before estimating the number of adversarial clients. Second, it applies a multi-update averaging scheme to improve stability and performance, particularly when client data distributions are not identical. We evaluate ArKrum on benchmark image and text datasets under three widely studied Byzantine attack types. Results show that ArKrum consistently achieves high accuracy and stability. It performs as well as or better than other robust aggregation methods. These findings demonstrate that ArKrum is an effective and practical solution for secure FL systems in adversarial environments.
Updated: 2025-06-03 21:06:36
Categories: cs.LG,cs.CR
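A minimal sketch of the Krum-style scoring and multi-update averaging that ArKrum builds on; the median-based pre-filtering and the estimation of the number of adversaries described in the abstract are omitted, and the toy updates below are hypothetical:

```python
import numpy as np

def krum_scores(updates: np.ndarray, n_byzantine: int) -> np.ndarray:
    """Krum-style score: for each update, the sum of squared distances to its
    closest n - f - 2 neighbours (smaller means more central)."""
    n = len(updates)
    closest = n - n_byzantine - 2
    dists = np.linalg.norm(updates[:, None, :] - updates[None, :, :], axis=-1) ** 2
    scores = []
    for i in range(n):
        others = np.delete(dists[i], i)          # drop the distance to itself
        scores.append(np.sort(others)[:closest].sum())
    return np.array(scores)

def multi_krum_average(updates: np.ndarray, n_byzantine: int, m: int) -> np.ndarray:
    """Average the m best-scoring updates instead of keeping a single one."""
    best = np.argsort(krum_scores(updates, n_byzantine))[:m]
    return updates[best].mean(axis=0)

# toy usage: 8 honest updates near zero, 2 malicious outliers far away
rng = np.random.default_rng(0)
updates = np.vstack([rng.normal(0, 0.1, (8, 5)), rng.normal(10, 0.1, (2, 5))])
print(multi_krum_average(updates, n_byzantine=2, m=4))   # stays close to zero
```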
Mind the Gap: A Practical Attack on GGUF Quantization
With the increasing size of frontier LLMs, post-training quantization has become the standard for memory-efficient deployment. Recent work has shown that basic rounding-based quantization schemes pose security risks, as they can be exploited to inject malicious behaviors into quantized models that remain hidden in full precision. However, existing attacks cannot be applied to more complex quantization methods, such as the GGUF family used in the popular ollama and llama.cpp frameworks. In this work, we address this gap by introducing the first attack on GGUF. Our key insight is that the quantization error -- the difference between the full-precision weights and their (de-)quantized version -- provides sufficient flexibility to construct malicious quantized models that appear benign in full precision. Leveraging this, we develop an attack that trains the target malicious LLM while constraining its weights based on quantization errors. We demonstrate the effectiveness of our attack on three popular LLMs across nine GGUF quantization data types on three diverse attack scenarios: insecure code generation ($\Delta$=$88.7\%$), targeted content injection ($\Delta$=$85.0\%$), and benign instruction refusal ($\Delta$=$30.1\%$). Our attack highlights that (1) the most widely used post-training quantization method is susceptible to adversarial interferences, and (2) the complexity of quantization schemes alone is insufficient as a defense.
Updated: 2025-06-03 19:21:57
Categories: cs.CR,cs.AI,cs.LG
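A minimal sketch of the interval argument behind the attack, using a toy round-to-nearest quantizer rather than GGUF's block-wise data types: any full-precision weight may be moved within the interval that still rounds to a fixed target code, which is the flexibility the quantization error provides. The weight values below are hypothetical:

```python
import numpy as np

def quantize(w, scale):
    """Toy symmetric round-to-nearest quantizer (GGUF's block formats are more
    involved, but the interval argument is the same)."""
    return np.round(w / scale)

def constrain_to_codes(w_new, q_target, scale):
    """Clamp updated full-precision weights into the interval of values that
    still round to the fixed target codes q_target, i.e. the freedom granted
    by the quantization error that the attack exploits."""
    lo = (q_target - 0.5) * scale
    hi = (q_target + 0.5) * scale
    return np.clip(w_new, lo + 1e-8, hi - 1e-8)

scale = 0.1
w_malicious = np.array([0.12, -0.31, 0.44])        # weights whose quantized codes must be kept
q_target = quantize(w_malicious, scale)
w_repaired = w_malicious + np.array([0.03, -0.06, 0.04])   # hypothetical "look benign" update
w_repaired = constrain_to_codes(w_repaired, q_target, scale)
assert np.array_equal(quantize(w_repaired, scale), q_target)
```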
Why Safeguarded Ships Run Aground? Aligned Large Language Models' Safety Mechanisms Tend to Be Anchored in The Template Region
The safety alignment of large language models (LLMs) remains vulnerable, as their initial behavior can be easily jailbroken by even relatively simple attacks. Since infilling a fixed template between the input instruction and initial model output is a common practice for existing LLMs, we hypothesize that this template is a key factor behind their vulnerabilities: LLMs' safety-related decision-making overly relies on the aggregated information from the template region, which largely influences these models' safety behavior. We refer to this issue as template-anchored safety alignment. In this paper, we conduct extensive experiments and verify that template-anchored safety alignment is widespread across various aligned LLMs. Our mechanistic analyses demonstrate how it leads to models' susceptibility when encountering inference-time jailbreak attacks. Furthermore, we show that detaching safety mechanisms from the template region is promising in mitigating vulnerabilities to jailbreak attacks. We encourage future research to develop more robust safety alignment techniques that reduce reliance on the template region.
Updated: 2025-06-03 18:20:11
Categories: cs.CL,cs.AI,cs.CR
Chain-of-Jailbreak Attack for Image Generation Models via Editing Step by Step
Text-based image generation models, such as Stable Diffusion and DALL-E 3, hold significant potential in content creation and publishing workflows, making them a major focus in recent years. Despite their remarkable capability to generate diverse and vivid images, considerable efforts are being made to prevent the generation of harmful content, such as abusive, violent, or pornographic material. To assess the safety of existing models, we introduce a novel jailbreaking method called Chain-of-Jailbreak (CoJ) attack, which compromises image generation models through a step-by-step editing process. Specifically, for malicious queries that cannot bypass the safeguards with a single prompt, we intentionally decompose the query into multiple sub-queries. The image generation models are then prompted to generate and iteratively edit images based on these sub-queries. To evaluate the effectiveness of our CoJ attack method, we constructed a comprehensive dataset, CoJ-Bench, encompassing nine safety scenarios, three types of editing operations, and three editing elements. Experiments on four widely used image generation services provided by GPT-4V, GPT-4o, Gemini 1.5 and Gemini 1.5 Pro demonstrate that our CoJ attack method can successfully bypass the safeguards of the models in over 60% of cases, significantly outperforming other jailbreaking methods (which succeed in about 14% of cases). Further, to enhance these models' safety against our CoJ attack method, we also propose an effective prompting-based method, Think Twice Prompting, that can successfully defend against over 95% of CoJ attacks. We release our dataset and code to facilitate AI safety research.
Updated: 2025-06-03 17:32:00
Categories: cs.CL,cs.AI,cs.CR,cs.CV,cs.MM
ChainMarks: Securing DNN Watermark with Cryptographic Chain
With the widespread deployment of deep neural network (DNN) models, dynamic watermarking techniques are being used to protect the intellectual property of model owners. However, recent studies have shown that existing watermarking schemes are vulnerable to watermark removal and ambiguity attacks. Moreover, the vague criteria for determining watermark presence further increase the likelihood of such attacks. In this paper, we propose a secure DNN watermarking scheme named ChainMarks, which generates secure and robust watermarks by introducing a cryptographic chain into the trigger inputs and utilizes a two-phase Monte Carlo method for determining watermark presence. First, ChainMarks generates trigger inputs as a watermark dataset by repeatedly applying a hash function over a secret key, where the target labels associated with the trigger inputs are generated from the digital signature of the model owner. Then, the watermarked model is produced by training a DNN over both the original and watermark datasets. To verify watermarks, we compare the predicted labels of trigger inputs with the target labels and determine ownership with a more accurate decision threshold that considers the classification probability of specific models. Experimental results show that ChainMarks exhibits higher levels of robustness and security compared to state-of-the-art watermarking schemes. With a better marginal utility, ChainMarks provides a higher probability guarantee of watermark presence in DNN models with the same level of watermark accuracy.
Updated: 2025-06-03 17:16:24
Categories: cs.CR,cs.AI
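A simplified sketch of the trigger-generation idea described above (a hash chain over a secret key, with target labels derived from owner-controlled bytes); the actual ChainMarks construction and its signature handling are more involved, and all key and signature values here are placeholders:

```python
import hashlib
import numpy as np

def hash_chain_triggers(secret_key: bytes, n_triggers: int, shape=(28, 28)):
    """Derive a chain h_1 = H(key), h_{i+1} = H(h_i) and expand each digest
    into a pseudo-random trigger image."""
    triggers, digest = [], secret_key
    for _ in range(n_triggers):
        digest = hashlib.sha256(digest).digest()
        rng = np.random.default_rng(int.from_bytes(digest, "big") % (2**63))
        triggers.append(rng.integers(0, 256, size=shape, dtype=np.uint8))
    return triggers

def labels_from_signature(signature: bytes, n_triggers: int, n_classes: int = 10):
    """Map successive bytes derived from the owner's digital signature to
    target labels (a real scheme would also verify the signature)."""
    sig = hashlib.sha256(signature).digest()
    return [sig[i % len(sig)] % n_classes for i in range(n_triggers)]

triggers = hash_chain_triggers(b"owner-secret-key", n_triggers=5)
labels = labels_from_signature(b"owner-signature-bytes", n_triggers=5)
print(labels)   # target labels to pair with the trigger images during training
```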
Unveiling Privacy Risks in LLM Agent Memory
Large Language Model (LLM) agents have become increasingly prevalent across various real-world applications. They enhance decision-making by storing private user-agent interactions in the memory module for demonstrations, introducing new privacy risks for LLM agents. In this work, we systematically investigate the vulnerability of LLM agents to our proposed Memory EXTRaction Attack (MEXTRA) under a black-box setting. To extract private information from memory, we propose an effective attacking prompt design and an automated prompt generation method based on different levels of knowledge about the LLM agent. Experiments on two representative agents demonstrate the effectiveness of MEXTRA. Moreover, we explore key factors influencing memory leakage from both the agent designer's and the attacker's perspectives. Our findings highlight the urgent need for effective memory safeguards in LLM agent design and deployment.
Updated: 2025-06-03 17:08:56
Categories: cs.CR,cs.AI
Keyed Chaotic Dynamics for Privacy-Preserving Neural Inference
Neural network inference typically operates on raw input data, increasing the risk of exposure during preprocessing and inference. Moreover, neural architectures lack efficient built-in mechanisms for directly authenticating input data. This work introduces a novel encryption method for ensuring the security of neural inference. By constructing key-conditioned chaotic graph dynamical systems, we enable the encryption and decryption of real-valued tensors within the neural architecture. The proposed dynamical systems are particularly suited to encryption due to their sensitivity to initial conditions and their capacity to produce complex, key-dependent nonlinear transformations from compact rules. This work establishes a paradigm for securing neural inference and opens new avenues for research on the application of graph dynamical systems in neural network security.
Updated: 2025-06-03 16:59:29
Categories: cs.CR,cs.AI,94A60, 37N25, 68T05,D.4.6
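The paper's key-conditioned chaotic graph dynamical systems are not reproduced here; as a much simpler illustration of keyed chaotic masking and its sensitivity to the key, the sketch below seeds a logistic map from a key and uses it as an additive mask over a real-valued tensor (illustrative only, not a secure cipher):

```python
import hashlib
import numpy as np

def keyed_chaotic_mask(key: bytes, n: int, r: float = 3.99) -> np.ndarray:
    """Logistic-map keystream x_{t+1} = r*x_t*(1-x_t), seeded from a key.
    Tiny key changes yield completely different trajectories (sensitivity to
    initial conditions), which is what makes chaotic maps attractive here."""
    x = (int.from_bytes(hashlib.sha256(key).digest(), "big") % 10**8) / 10**8
    x = min(max(x, 1e-6), 1 - 1e-6)       # keep the seed strictly inside (0, 1)
    out = np.empty(n)
    for t in range(n):
        x = r * x * (1.0 - x)
        out[t] = x
    return out

def encrypt(tensor: np.ndarray, key: bytes) -> np.ndarray:
    mask = keyed_chaotic_mask(key, tensor.size).reshape(tensor.shape)
    return tensor + mask                   # additive masking; decryption subtracts it

def decrypt(enc: np.ndarray, key: bytes) -> np.ndarray:
    mask = keyed_chaotic_mask(key, enc.size).reshape(enc.shape)
    return enc - mask

x = np.random.default_rng(1).normal(size=(2, 3))
assert np.allclose(decrypt(encrypt(x, b"secret"), b"secret"), x)
```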
BadReward: Clean-Label Poisoning of Reward Models in Text-to-Image RLHF
Reinforcement Learning from Human Feedback (RLHF) is crucial for aligning text-to-image (T2I) models with human preferences. However, RLHF's feedback mechanism also opens new pathways for adversaries. This paper demonstrates the feasibility of hijacking T2I models by poisoning a small fraction of preference data with natural-appearing examples. Specifically, we propose BadReward, a stealthy clean-label poisoning attack targeting the reward model in multi-modal RLHF. BadReward operates by inducing feature collisions between visually contradicted preference data instances, thereby corrupting the reward model and indirectly compromising the T2I model's integrity. Unlike existing alignment poisoning techniques focused on single (text) modality, BadReward is independent of the preference annotation process, enhancing its stealth and practical threat. Extensive experiments on popular T2I models show that BadReward can consistently guide the generation towards improper outputs, such as biased or violent imagery, for targeted concepts. Our findings underscore the amplified threat landscape for RLHF in multi-modal systems, highlighting the urgent need for robust defenses. Disclaimer. This paper contains uncensored toxic content that might be offensive or disturbing to the readers.
Updated: 2025-06-03 16:01:04
Categories: cs.LG,cs.AI,cs.CR
Measuring likelihood in cybersecurity
In cybersecurity, risk is commonly measured by impact and probability. The former is measured objectively, based on the consequences that the use of technology has on business gains or on the achievement of business objectives. The latter has been measured, in sectors such as finance or insurance, from historical data, because vast amounts of such information exist, and many other fields have applied the same approach. In cybersecurity, however, as a new discipline, historical data to support an objective measure of probability is not always available; the data that does exist is not public, and there is no consistent format to store and share it, so a new approach is required to measure the incidence of cybersecurity events. Through a comprehensive analysis of the state of the art, including current methodologies, frameworks, and incident data, and considering the tactics, techniques, and procedures (TTPs) used by attackers, indicators of compromise (IOCs), and defence controls, this work proposes a data model that describes a cyber exposure profile and provides an indirect but objective measure of likelihood, including different sources and metrics to update the model if needed. We further propose a set of practical, quantifiable metrics for risk assessment, enabling cybersecurity practitioners to measure likelihood without relying solely on historical incident data. By combining these metrics with our data model, organizations gain an actionable framework for continuously refining their cybersecurity strategies.
Updated: 2025-06-03 15:32:05
Categories: cs.CR
An Algorithmic Pipeline for GDPR-Compliant Healthcare Data Anonymisation: Moving Toward Standardisation
High-quality real-world data (RWD) is essential for healthcare but must be transformed to comply with the General Data Protection Regulation (GDPR). GDPR's broad definitions of quasi-identifiers (QIDs) and sensitive attributes (SAs) complicate implementation. We aim to standardise RWD anonymisation for GDPR compliance while preserving data utility by introducing an algorithmic method to identify QIDs and SAs and evaluate utility in anonymised datasets. We conducted a systematic literature review via ProQuest and PubMed to inform a three-stage anonymisation pipeline: identification, de-identification, and quasi-identifier dimension evaluation. The pipeline was implemented, validated, and tested on two mock RWD datasets (500 and 1000 rows). Privacy was assessed using k-anonymity, l-diversity, and t-closeness; utility was measured by non-uniform entropy (NUE). The review yielded two studies on QID/SA identification and five on utility metrics. Applying the pipeline, attributes were classified by re-identification risk using alpha and beta thresholds (25 percent/1 percent for 500 rows; 10 percent/1 percent for 1000 rows). Privacy metrics improved k-anonymity from 1 to 4 (500 rows) and 1 to 110 (1000 rows). NUE scores were 69.26 percent and 69.05 percent, respectively, indicating consistent utility despite varying privacy gains. We present a GDPR-compliant anonymisation pipeline for healthcare RWD that provides a reproducible approach to QID/SA identification and utility evaluation; publicly available code promotes standardisation, data privacy, and open science.
Updated: 2025-06-03 14:40:38
Categories: cs.CR
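A small sketch of two of the privacy metrics the pipeline above reports, computed over a hypothetical table with assumed quasi-identifiers and a sensitive attribute:

```python
import pandas as pd

def k_anonymity(df: pd.DataFrame, quasi_identifiers: list) -> int:
    """k-anonymity = size of the smallest equivalence class over the QIDs."""
    return int(df.groupby(quasi_identifiers).size().min())

def l_diversity(df: pd.DataFrame, quasi_identifiers: list, sensitive: str) -> int:
    """l-diversity = minimum number of distinct sensitive values per class."""
    return int(df.groupby(quasi_identifiers)[sensitive].nunique().min())

# toy records: age band and 3-digit ZIP as QIDs, diagnosis as the sensitive attribute
records = pd.DataFrame({
    "age_band":  ["30-39", "30-39", "40-49", "40-49", "40-49"],
    "zip3":      ["981", "981", "982", "982", "982"],
    "diagnosis": ["flu", "asthma", "flu", "flu", "diabetes"],
})
print(k_anonymity(records, ["age_band", "zip3"]))                 # -> 2
print(l_diversity(records, ["age_band", "zip3"], "diagnosis"))    # -> 2
```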
A Mousetrap: Fooling Large Reasoning Models for Jailbreak with Chain of Iterative Chaos
Large Reasoning Models (LRMs) have significantly advanced beyond traditional Large Language Models (LLMs) with their exceptional logical reasoning capabilities, yet these improvements introduce heightened safety risks. When subjected to jailbreak attacks, their ability to generate more targeted and organized content can lead to greater harm. Although some studies claim that reasoning enables safer LRMs against existing LLM attacks, they overlook the inherent flaws within the reasoning process itself. To address this gap, we propose the first jailbreak attack targeting LRMs, exploiting their unique vulnerabilities stemming from the advanced reasoning capabilities. Specifically, we introduce a Chaos Machine, a novel component to transform attack prompts with diverse one-to-one mappings. The chaos mappings iteratively generated by the machine are embedded into the reasoning chain, which strengthens the variability and complexity and also promotes a more robust attack. Based on this, we construct the Mousetrap framework, which projects attacks into nonlinear-like low sample spaces with enhanced mismatched generalization. Moreover, owing to the competing objectives, LRMs gradually maintain the inertia of unpredictable iterative reasoning and fall into our trap. Success rates of the Mousetrap attacking o1-mini, Claude-Sonnet and Gemini-Thinking are as high as 96%, 86% and 98% respectively on our toxic dataset Trotter. On benchmarks such as AdvBench, StrongREJECT, and HarmBench, attacking Claude-Sonnet, well-known for its safety, Mousetrap can astonishingly achieve success rates of 87.5%, 86.58% and 93.13% respectively. Attention: This paper contains inappropriate, offensive and harmful content.
Updated: 2025-06-03 14:35:59
Categories: cs.CR,cs.AI,cs.CL,cs.LG
Contiguous Zero-Copy for Encrypted Transport Protocols
We propose in this paper to revisit the design of existing encrypted transport protocols to improve their efficiency. We call the methodology "Reverso", after its core idea of reversing the order of field elements within a protocol specification. We detail how such a benign-looking change within the specifications may unlock implementation optimizations for encrypted protocols during data transport. To demonstrate our findings, we release quiceh, a QUIC implementation of QUIC VReverso, an extension of the QUIC V1 standard (RFC9000). Applied to the QUIC protocol, our methodology yields a ~30% CPU efficiency improvement for processing packets, at no added cost on the sender side and without relaxing any security guarantee of QUIC V1. We also implement a fork of Cloudflare's HTTP/3 module and client/server demonstrator using quiceh and show that our optimizations transfer directly to HTTP/3 as well, with our new HTTP/3 being ~38% more efficient than the baseline implementation using QUIC V1. We argue that Reverso applies to any modern encrypted protocol and its implementations, and that similar efficiency improvements can be unlocked for them, independently of the layer in which they operate.
Updated: 2025-06-03 14:35:39
Categories: cs.CR
When Blockchain Meets Crawlers: Real-time Market Analytics in Solana NFT Markets
In this paper, we design and implement a web crawler system based on the Solana blockchain for the automated collection and analysis of market data for popular non-fungible tokens (NFTs) on the chain. Firstly, the basic information and transaction data of popular NFTs on the Solana chain are collected using the Selenium tool. Secondly, the transaction records of the Magic Eden trading market are thoroughly analyzed by combining them with the Scrapy framework to examine the price fluctuations and market trends of NFTs. In terms of data analysis, this paper employs time series analysis to examine the dynamics of the NFT market and seeks to identify potential price patterns. In addition, the risk and return of different NFTs are evaluated using the mean-variance optimization model, taking into account their characteristics, such as illiquidity and market volatility, to provide investors with data-driven portfolio recommendations. The experimental results show that the combination of crawler technology and financial analytics can effectively analyze NFT data on the Solana blockchain and provide timely market insights and investment strategies. This study provides a reference for further exploration in the field of digital currencies.
Updated: 2025-06-03 14:01:01
Categories: cs.CR
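The abstract above does not give the exact mean-variance formulation; as a generic sketch, the unconstrained weights proportional to the inverse covariance matrix times the mean returns can be computed from hypothetical return data as follows (a real recommendation would add constraints for illiquidity and short-selling):

```python
import numpy as np

def mean_variance_weights(returns: np.ndarray, risk_aversion: float = 1.0) -> np.ndarray:
    """Unconstrained mean-variance weights, normalised to sum to one.
    returns: (n_periods, n_assets) matrix of historical NFT collection returns."""
    mu = returns.mean(axis=0)
    cov = np.cov(returns, rowvar=False)
    raw = np.linalg.solve(cov * risk_aversion, mu)   # solves (lambda * Sigma) w = mu
    return raw / raw.sum()                           # assumes a fully invested portfolio

# hypothetical daily returns for three NFT collections scraped from Magic Eden
rng = np.random.default_rng(7)
daily_returns = rng.normal([0.001, 0.0005, 0.002], [0.05, 0.02, 0.08], size=(90, 3))
print(mean_variance_weights(daily_returns).round(3))
```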
Quartic quantum speedups for planted inference
We describe a quantum algorithm for the Planted Noisy $k$XOR problem (also known as sparse Learning Parity with Noise) that achieves a nearly quartic ($4$th power) speedup over the best known classical algorithm while also only using logarithmically many qubits. Our work generalizes and simplifies prior work of Hastings, by building on his quantum algorithm for the Tensor Principal Component Analysis (PCA) problem. We achieve our quantum speedup using a general framework based on the Kikuchi Method (recovering the quartic speedup for Tensor PCA), and we anticipate it will yield similar speedups for further planted inference problems. These speedups rely on the fact that planted inference problems naturally instantiate the Guided Sparse Hamiltonian problem. Since the Planted Noisy $k$XOR problem has been used as a component of certain cryptographic constructions, our work suggests that some of these are susceptible to super-quadratic quantum attacks.
Updated: 2025-06-03 13:46:41
Categories: quant-ph,cs.CC,cs.CR
On the success probability of the quantum algorithm for the short DLP
Ekerå and Håstad have introduced a variation of Shor's algorithm for the discrete logarithm problem (DLP). Unlike Shor's original algorithm, Ekerå-Håstad's algorithm solves the short DLP in groups of unknown order. In this work, we prove a lower bound on the probability of Ekerå-Håstad's algorithm recovering the short logarithm $d$ in a single run. By our bound, the success probability can easily be pushed as high as $1 - 10^{-10}$ for any short $d$. A key to achieving such a high success probability is to efficiently perform a limited search in the classical post-processing by leveraging meet-in-the-middle techniques. Asymptotically, in the limit as the bit length $m$ of $d$ tends to infinity, the success probability tends to one if the limits on the search space are parameterized in $m$. Our results are directly applicable to Diffie-Hellman in safe-prime groups with short exponents, and to RSA via a reduction from the RSA integer factoring problem (IFP) to the short DLP.
Updated: 2025-06-03 13:29:17
Categories: cs.CR,quant-ph
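The meet-in-the-middle idea used in the classical post-processing can be illustrated with the classical baby-step giant-step search for a short exponent; this is a generic illustration, not Ekerå-Håstad's actual post-processing, and the group parameters below are toy values:

```python
def short_dlog_mitm(g: int, h: int, p: int, m: int):
    """Recover d with 0 <= d < 2^m from h = g^d (mod p) by splitting
    d = d0 + t*d1 with t ~ 2^(m/2) and meeting in the middle."""
    t = 1 << ((m + 1) // 2)
    baby = {}
    x = 1
    for d0 in range(t):                     # baby steps: store g^d0 -> d0
        baby[x] = d0
        x = (x * g) % p
    step = pow(pow(g, t, p), -1, p)         # g^(-t) mod p (Python 3.8+ modular inverse)
    y = h % p
    for d1 in range(t):                     # giant steps: h * g^(-t*d1)
        if y in baby:
            return d1 * t + baby[y]
        y = (y * step) % p
    return None

# toy example in a small safe-prime group
p, g = 2 * 1019 + 1, 2      # p = 2039 is a safe prime; g = 2
d = 345                     # short exponent of m = 10 bits
assert short_dlog_mitm(g, pow(g, d, p), p, m=10) == d
```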
ATAG: AI-Agent Application Threat Assessment with Attack Graphs
Evaluating the security of multi-agent systems (MASs) powered by large language models (LLMs) is challenging, primarily because of the systems' complex internal dynamics and the evolving nature of LLM vulnerabilities. Traditional attack graph (AG) methods often lack the specific capabilities to model attacks on LLMs. This paper introduces AI-agent application Threat assessment with Attack Graphs (ATAG), a novel framework designed to systematically analyze the security risks associated with AI-agent applications. ATAG extends the MulVAL logic-based AG generation tool with custom facts and interaction rules to accurately represent AI-agent topologies, vulnerabilities, and attack scenarios. As part of this research, we also created the LLM vulnerability database (LVD) to initiate the process of standardizing LLM vulnerabilities documentation. To demonstrate ATAG's efficacy, we applied it to two multi-agent applications. Our case studies demonstrated the framework's ability to model and generate AGs for sophisticated, multi-step attack scenarios exploiting vulnerabilities such as prompt injection, excessive agency, sensitive information disclosure, and insecure output handling across interconnected agents. ATAG is an important step toward a robust methodology and toolset to help understand, visualize, and prioritize complex attack paths in multi-agent AI systems (MAASs). It facilitates proactive identification and mitigation of AI-agent threats in multi-agent applications.
Updated: 2025-06-03 13:25:40
Categories: cs.CR,cs.AI
The Invisible Hand: Unveiling Provider Bias in Large Language Models for Code Generation
Large Language Models (LLMs) have emerged as the new recommendation engines, surpassing traditional methods in both capability and scope, particularly in code generation. In this paper, we reveal a novel provider bias in LLMs: without explicit directives, these models show systematic preferences for services from specific providers in their recommendations (e.g., favoring Google Cloud over Microsoft Azure). To systematically investigate this bias, we develop an automated pipeline to construct the dataset, incorporating 6 distinct coding task categories and 30 real-world application scenarios. Leveraging this dataset, we conduct the first comprehensive empirical study of provider bias in LLM code generation across seven state-of-the-art LLMs, utilizing approximately 500 million tokens (equivalent to $5,000+ in computational costs). Our findings reveal that LLMs exhibit significant provider preferences, predominantly favoring services from Google and Amazon, and can autonomously modify input code to incorporate their preferred providers without users' requests. Such a bias holds far-reaching implications for market dynamics and societal equilibrium, potentially contributing to digital monopolies. It may also deceive users and violate their expectations, leading to various consequences. We call on the academic community to recognize this emerging issue and develop effective evaluation and mitigation methods to uphold AI security and fairness.
Updated: 2025-06-03 12:58:57
Categories: cs.SE,cs.AI,cs.CR
TherMod Communication: Low Power or Hot Air?
The Kirchhoff-Law-Johnson-Noise (KLJN) secure key exchange scheme leverages statistical physics to enable secure communication with zero average power flow in a wired channel. While the original KLJN scheme requires significant power for operation, a recent wireless modification, TherMod, proposed by Basar claims a "low power" implementation. This paper critically examines this claim. We explain that the additional components inherent in Basar's wireless adaptation substantially increase power consumption, rendering the "low power" assertion inappropriate. Furthermore, we clarify that the security claims of the original KLJN scheme do not directly translate to this wireless adaptation, implying a significant security breach. Finally, the scheme appears identical to one of the stealth communicators from 2005, which was shown not to be secure.
Updated: 2025-06-03 12:52:10
Categories: cs.CR
Privacy Leaks by Adversaries: Adversarial Iterations for Membership Inference Attack
Membership inference attack (MIA) has become one of the most widely used and effective methods for evaluating the privacy risks of machine learning models. These attacks aim to determine whether a specific sample is part of the model's training set by analyzing the model's output. While traditional membership inference attacks focus on leveraging the model's posterior output, such as confidence on the target sample, we propose IMIA, a novel attack strategy that utilizes the process of generating adversarial samples to infer membership. We propose to infer the member properties of the target sample using the number of iterations required to generate its adversarial sample. We conduct experiments across multiple models and datasets, and our results demonstrate that the number of iterations for generating an adversarial sample is a reliable feature for membership inference, achieving strong performance both in black-box and white-box attack scenarios. This work provides a new perspective for evaluating model privacy and highlights the potential of adversarial example-based features for privacy leakage assessment.
Updated: 2025-06-03 10:09:24
Categories: cs.CR
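A minimal sketch of the iteration-count feature described above, on a toy logistic-regression classifier (the paper targets deep models and its attack details differ); membership would then be inferred by thresholding or comparing these counts:

```python
import numpy as np
from sklearn.linear_model import LogisticRegression

def iterations_to_flip(model, x, y, eps=0.01, max_iter=200):
    """Number of signed-gradient steps needed to change the model's prediction
    on x; the intuition is that training members tend to need more iterations
    than non-members."""
    w, b = model.coef_[0], model.intercept_[0]
    x_adv = x.copy()
    for t in range(1, max_iter + 1):
        p = 1.0 / (1.0 + np.exp(-(w @ x_adv + b)))
        grad = (p - y) * w                    # d(log-loss)/dx for logistic regression
        x_adv = x_adv + eps * np.sign(grad)   # ascend the loss
        if model.predict(x_adv.reshape(1, -1))[0] != y:
            return t
    return max_iter

rng = np.random.default_rng(0)
X = rng.normal(size=(200, 5))
y = (X[:, 0] + 0.5 * X[:, 1] > 0).astype(int)
model = LogisticRegression().fit(X, y)

member, non_member = X[0], rng.normal(size=5)
score_member = iterations_to_flip(model, member, y[0])
score_non = iterations_to_flip(model, non_member, int(model.predict(non_member.reshape(1, -1))[0]))
print(score_member, score_non)   # membership score = iteration count
```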
Poster: FedBlockParadox -- A Framework for Simulating and Securing Decentralized Federated Learning
A significant body of research in decentralized federated learning focuses on combining the privacy-preserving properties of federated learning with the resilience and transparency offered by blockchain-based systems. While these approaches are promising, they often lack flexible tools to evaluate system robustness under adversarial conditions. To fill this gap, we present FedBlockParadox, a modular framework for modeling and evaluating decentralized federated learning systems built on blockchain technologies, with a focus on resilience against a broad spectrum of adversarial attack scenarios. It supports multiple consensus protocols, validation methods, aggregation strategies, and configurable attack models. By enabling controlled experiments, FedBlockParadox provides a valuable resource for researchers developing secure, decentralized learning solutions. The framework is open-source and built to be extensible by the community.
Updated: 2025-06-03 09:25:06
Categories: cs.CR
Decentralized COVID-19 Health System Leveraging Blockchain
With the development of the Internet, the amount of data generated by the medical industry each year has grown exponentially. The Electronic Health Record (EHR) manages the electronic data generated during the user's treatment process. Typically, an EHR data manager belongs to a medical institution. This traditional centralized data management model has many unreasonable or inconvenient aspects, such as difficulties in data sharing, and it is hard to verify the authenticity and integrity of the data. The decentralized, non-forgeable, data unalterable and traceable features of blockchain are in line with the application requirements of EHR. This paper takes the most common COVID-19 as the application scenario and designs a COVID-19 health system based on blockchain, which has extensive research and application value. Considering that the public and transparent nature of blockchain violates the privacy requirements of some health data, in the system design stage, from the perspective of practical application, the data is divided into public data and private data according to its characteristics. For private data, data encryption methods are adopted to ensure data privacy. The searchable encryption technology is combined with blockchain technology to achieve the retrieval function of encrypted data. Then, the proxy re-encryption technology is used to realize authorized access to data. In the system implementation part, based on the Hyperledger Fabric architecture, some functions of the system design are realized, including data upload, retrieval of the latest data and historical data. According to the environment provided by the development architecture, Go language chaincode (smart contract) is written to implement the relevant system functions.
Updated: 2025-06-03 09:19:47
Categories: cs.CR,D.4.6
Poster: libdebug, Build Your Own Debugger for a Better (Hello) World
Automated debugging, long pursued in a variety of fields from software engineering to cybersecurity, requires a framework that offers the building blocks for a programmable debugging workflow. However, existing debuggers are primarily tailored for human interaction, and those designed for programmatic debugging focus on kernel space, resulting in limited functionality in userland. To fill this gap, we introduce libdebug, a Python library for programmatic debugging of userland binary executables. libdebug offers a user-friendly API that enables developers to build custom debugging tools for various applications, including software engineering, reverse engineering, and software security. It is released as an open-source project, along with comprehensive documentation to encourage use and collaboration across the community. We demonstrate the versatility and performance of libdebug through case studies and benchmarks, all of which are publicly available. We find that the median latency of syscall and breakpoint handling in libdebug is 3 to 4 times lower compared to that of GDB.
Updated: 2025-06-03 09:14:57
Categories: cs.SE,cs.CR
Tarallo: Evading Behavioral Malware Detectors in the Problem Space
Machine learning algorithms can effectively classify malware through dynamic behavior but are susceptible to adversarial attacks. Existing attacks, however, often fail to find an effective solution in both the feature and problem spaces. This issue arises from not addressing the intrinsic nondeterministic nature of malware, namely executing the same sample multiple times may yield significantly different behaviors. Hence, the perturbations computed for a specific behavior may be ineffective for others observed in subsequent executions. In this paper, we show how an attacker can augment their chance of success by leveraging a new and more efficient feature space algorithm for sequential data, which we have named PS-FGSM, and by adopting two problem space strategies specially tailored to address nondeterminism in the problem space. We implement our novel algorithm and attack strategies in Tarallo, an end-to-end adversarial framework that significantly outperforms previous works in both white and black-box scenarios. Our preliminary analysis in a sandboxed environment and against two RNN-based malware detectors, shows that Tarallo achieves a success rate up to 99% on both feature and problem space attacks while significantly minimizing the number of modifications required for misclassification.
Updated: 2025-06-03 09:12:43
Categories: cs.CR
How stealthy is stealthy? Studying the Efficacy of Black-Box Adversarial Attacks in the Real World
Deep learning systems, critical in domains like autonomous vehicles, are vulnerable to adversarial examples (crafted inputs designed to mislead classifiers). This study investigates black-box adversarial attacks in computer vision. This is a realistic scenario, where attackers have query-only access to the target model. Three properties are introduced to evaluate attack feasibility: robustness to compression, stealthiness to automatic detection, and stealthiness to human inspection. State-of-the-Art methods tend to prioritize one criterion at the expense of others. We propose ECLIPSE, a novel attack method employing Gaussian blurring on sampled gradients and a local surrogate model. Comprehensive experiments on a public dataset highlight ECLIPSE's advantages, demonstrating its contribution to the trade-off between the three properties.
Updated: 2025-06-03 08:56:37
Categories: cs.CR,cs.AI
Conti Inc.: Understanding the Internal Discussions of a large Ransomware-as-a-Service Operator with Machine Learning
Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge due to the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main topic discussions in the Conti chat leak using machine learning techniques such as Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), as well as visualization strategies. Five discussion topics are found: 1) Business, 2) Technical, 3) Internal tasking/Management, 4) Malware, and 5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions while almost all individuals (96%) are all-rounders, meaning that their discussions revolve around the five topics. The results also indicate that a significant proportion of Conti discussions are non-tech related. This study thus highlights that running such large RaaS operations requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest runs and coordinates the RaaS operation.
Updated: 2025-06-03 08:29:32
Categories: cs.CR,cs.CL,cs.LG
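A small sketch of the LDA topic-modelling step described above, on hypothetical stand-in messages (the leaked logs and the paper's preprocessing are not reproduced here):

```python
from sklearn.decomposition import LatentDirichletAllocation
from sklearn.feature_extraction.text import CountVectorizer

# hypothetical chat messages standing in for the leaked Conti logs
messages = [
    "please push the new locker build to the test vm",
    "client refuses to pay, escalate and send the decryption demo",
    "fix the loader crash on windows 7 before release",
    "assign the sysadmin task to the night shift team",
    "negotiation going fine, customer asked for proof of files",
]

vectorizer = CountVectorizer(stop_words="english")
doc_term = vectorizer.fit_transform(messages)

lda = LatentDirichletAllocation(n_components=5, random_state=0)
lda.fit(doc_term)

# top words per topic: the raw material for labelling topics such as
# "Business", "Technical", "Malware", etc.
terms = vectorizer.get_feature_names_out()
for k, weights in enumerate(lda.components_):
    top = terms[weights.argsort()[-5:][::-1]]
    print(f"topic {k}: {', '.join(top)}")
```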
Identifying Key Expert Actors in Cybercrime Forums Based on their Technical Expertise
The advent of Big Data has made the collection and analysis of cyber threat intelligence challenging due to its volume, leading research to focus on identifying key threat actors; yet these studies have failed to consider the technical expertise of these actors. Expertise, especially towards specific attack patterns, is crucial for cybercrime intelligence, as it focuses on targeting actors with the knowledge and skills to attack enterprises. Using CVEs and CAPEC classifications to build a bimodal network, as well as community detection, k-means and a criminological framework, this study addresses the key hacker identification problem by identifying communities interested in specific attack patterns across cybercrime forums and their related key expert actors. The analyses reveal several key contributions. First, the community structure of the CAPEC-actor bimodal network shows that there exists groups of actors interested in similar attack patterns across cybercrime forums. Second, key actors identified in this study account for about 4% of the study population. Third, about half of the study population are amateurs who show little technical expertise. Finally, key actors highlighted in this study represent a promising scarcity for resources allocation in cyber threat intelligence production. Further research should look into how they develop and use their technical expertise in cybercrime forums.
Updated: 2025-06-03 08:07:00
Categories: cs.CR,cs.CY
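A sketch of the actor-to-attack-pattern bimodal (bipartite) network idea on hypothetical forum data, using off-the-shelf community detection and a degree-based expertise proxy rather than the paper's k-means and criminological framework:

```python
import networkx as nx
from networkx.algorithms import community

# hypothetical actor -> CAPEC attack-pattern mentions extracted from forum posts
mentions = [
    ("actor_a", "CAPEC-66"),  ("actor_a", "CAPEC-112"),
    ("actor_b", "CAPEC-66"),  ("actor_c", "CAPEC-242"),
    ("actor_d", "CAPEC-242"), ("actor_d", "CAPEC-112"),
]

G = nx.Graph()
actors = {a for a, _ in mentions}
G.add_nodes_from(actors, bipartite=0)
G.add_nodes_from({c for _, c in mentions}, bipartite=1)
G.add_edges_from(mentions)

# groups of actors and attack patterns that cluster together
for i, com in enumerate(community.greedy_modularity_communities(G)):
    print(f"community {i}: {sorted(com)}")

# a crude "expertise" proxy: actors connected to the most attack patterns
key_actors = sorted(actors, key=lambda a: G.degree(a), reverse=True)[:2]
print("key actors:", key_actors)
```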
CyberGym: Evaluating AI Agents' Cybersecurity Capabilities with Real-World Vulnerabilities at Scale
Large language model (LLM) agents are becoming increasingly skilled at handling cybersecurity tasks autonomously. Thoroughly assessing their cybersecurity capabilities is critical and urgent, given the high stakes in this domain. However, existing benchmarks fall short, often failing to capture real-world scenarios or being limited in scope. To address this gap, we introduce CyberGym, a large-scale and high-quality cybersecurity evaluation framework featuring 1,507 real-world vulnerabilities found and patched across 188 large software projects. While it includes tasks of various settings, CyberGym primarily focuses on the generation of proof-of-concept (PoC) tests for vulnerability reproduction, based on text descriptions and corresponding source repositories. Solving this task is particularly challenging, as it requires comprehensive reasoning across entire codebases to locate relevant code fragments and produce effective PoCs that accurately trigger the target vulnerability starting from the program's entry point. Our evaluation across 4 state-of-the-art agent frameworks and 9 LLMs reveals that even the best combination (OpenHands and Claude-3.7-Sonnet) achieves only a 11.9% reproduction success rate, mainly on simpler cases. Beyond reproducing historical vulnerabilities, we find that PoCs generated by LLM agents can reveal new vulnerabilities, identifying 15 zero-days affecting the latest versions of the software projects.
Updated: 2025-06-03 07:35:14
Categories: cs.CR,cs.AI,cs.LG
Attention Knows Whom to Trust: Attention-based Trust Management for LLM Multi-Agent Systems
Large Language Model-based Multi-Agent Systems (LLM-MAS) have demonstrated strong capabilities in solving complex tasks but remain vulnerable when agents receive unreliable messages. This vulnerability stems from a fundamental gap: LLM agents treat all incoming messages equally without evaluating their trustworthiness. While some existing studies address trustworthiness, they focus on a single type of harmfulness rather than analyzing it holistically from multiple trustworthiness perspectives. In this work, we propose Attention Trust Score (A-Trust), a lightweight, attention-based method for evaluating message trustworthiness. Inspired by the human communication literature [1], and by systematically analyzing attention behaviors across six orthogonal trust dimensions, we find that certain attention heads in the LLM specialize in detecting specific types of violations. Leveraging these insights, A-Trust directly infers trustworthiness from internal attention patterns without requiring external prompts or verifiers. Building upon A-Trust, we develop a principled and efficient trust management system (TMS) for LLM-MAS, enabling both message-level and agent-level trust assessment. Experiments across diverse multi-agent settings and tasks demonstrate that applying our TMS significantly enhances robustness against malicious inputs.
Updated: 2025-06-03 07:32:57
Categories: cs.CR
Combining Threat Intelligence with IoT Scanning to Predict Cyber Attack
While the Web has become a global platform for communication, malicious actors, including hackers and hacktivist groups, often disseminate ideological content and coordinate activities through the "Dark Web", an obscure counterpart of the conventional web. Presently, challenges such as information overload and the fragmented nature of cyber threat data impede comprehensive profiling of these actors, thereby limiting the efficacy of predictive analyses of their online activities. Concurrently, the proliferation of internet-connected devices has surpassed the global human population, with this disparity projected to widen as the Internet of Things (IoT) expands. Technical communities are actively advancing IoT-related research to address its growing societal integration. This paper proposes a novel predictive threat intelligence framework designed to systematically collect, analyze, and visualize Dark Web data to identify malicious websites and correlate this information with potential IoT vulnerabilities. The methodology integrates automated data harvesting, analytical techniques, and visual mapping tools, while also examining vulnerabilities in IoT devices to assess exploitability. By bridging gaps in cybersecurity research, this study aims to enhance predictive threat modeling and inform policy development, thereby contributing to intelligence research initiatives focused on mitigating cyber risks in an increasingly interconnected digital ecosystem.
Updated: 2025-06-03 07:14:04
Categories: cs.CR,cs.AI,cs.CY,cs.NI
BitBypass: A New Direction in Jailbreaking Aligned Large Language Models with Bitstream Camouflage
The inherent risk of generating harmful and unsafe content by Large Language Models (LLMs), has highlighted the need for their safety alignment. Various techniques like supervised fine-tuning, reinforcement learning from human feedback, and red-teaming were developed for ensuring the safety alignment of LLMs. However, the robustness of these aligned LLMs is always challenged by adversarial attacks that exploit unexplored and underlying vulnerabilities of the safety alignment. In this paper, we develop a novel black-box jailbreak attack, called BitBypass, that leverages hyphen-separated bitstream camouflage for jailbreaking aligned LLMs. This represents a new direction in jailbreaking by exploiting fundamental information representation of data as continuous bits, rather than leveraging prompt engineering or adversarial manipulations. Our evaluation of five state-of-the-art LLMs, namely GPT-4o, Gemini 1.5, Claude 3.5, Llama 3.1, and Mixtral, in adversarial perspective, revealed the capabilities of BitBypass in bypassing their safety alignment and tricking them into generating harmful and unsafe content. Further, we observed that BitBypass outperforms several state-of-the-art jailbreak attacks in terms of stealthiness and attack success. Overall, these results highlights the effectiveness and efficiency of BitBypass in jailbreaking these state-of-the-art LLMs.
Updated: 2025-06-03 05:51:18
标题: BitBypass:利用比特流伪装越狱对齐大型语言模型的一个新方向
摘要: 大型语言模型(LLMs)生成有害和不安全内容的固有风险突显了对其进行安全对齐的必要性。为确保LLMs的安全对齐,人们开发了各种技术,如监督微调、基于人类反馈的强化学习和红队测试。然而,这些对齐LLMs的鲁棒性始终受到利用安全对齐中未知和潜在漏洞的对抗性攻击的挑战。在本文中,我们开发了一种新颖的黑盒越狱攻击,称为BitBypass,它利用连字符分隔的比特流伪装来越狱对齐的LLMs。这代表了越狱的一个新方向:利用数据作为连续比特的基本信息表示,而不是依赖提示工程或对抗性操纵。我们从对抗性角度对五种最先进的LLMs(即GPT-4o、Gemini 1.5、Claude 3.5、Llama 3.1和Mixtral)进行了评估,揭示了BitBypass绕过其安全对齐并诱使其生成有害和不安全内容的能力。此外,我们观察到BitBypass在隐蔽性和攻击成功率方面优于多种最先进的越狱攻击。总的来说,这些结果突显了BitBypass在越狱这些最先进LLMs方面的有效性和效率。
更新时间: 2025-06-03 05:51:18
领域: cs.CR,cs.CL
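For intuition about the camouflage itself, the snippet below shows the generic ASCII-to-bitstream transformation that hyphen-separated bitstream camouflage rests on. The prompt template that BitBypass wraps around such a bitstream is not reproduced here, and the payload is deliberately benign.

```python
# Encode/decode a string as a hyphen-separated bitstream, the data
# representation the attack builds on. Everything beyond the encoding
# (prompt wording, jailbreak template) is intentionally omitted.
def to_bitstream(text: str) -> str:
    return "-".join(format(byte, "08b") for byte in text.encode("utf-8"))

def from_bitstream(bits: str) -> str:
    return bytes(int(chunk, 2) for chunk in bits.split("-")).decode("utf-8")

if __name__ == "__main__":
    payload = "example payload"
    encoded = to_bitstream(payload)
    print(encoded[:47], "...")
    assert from_bitstream(encoded) == payload
```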
LaSDVS : A Post-Quantum Secure Compact Strong-Designated Verifier Signature
Digital signatures are fundamental cryptographic primitives that ensure the authenticity and integrity of digital communication. However, in scenarios involving sensitive interactions -- such as e-voting or e-cash -- there is a growing need for more controlled signing mechanisms. Strong-Designated Verifier Signature (SDVS) offers such control by allowing the signer to specify and restrict the verifier of a signature. Existing state-of-the-art SDVS schemes are mostly based on number-theoretic hardness assumptions and are therefore not secure against quantum attacks. Moreover, Post-Quantum Cryptography (PQC)-based SDVS schemes are inefficient and have large key and signature sizes. In this work, we address these challenges and propose an efficient post-quantum SDVS (namely, LaSDVS) based on ideal lattices under the hardness assumptions of the Ring-SIS and Ring-LWE problems. LaSDVS achieves advanced security properties including strong unforgeability under chosen-message attacks, non-transferability, non-delegatability, and signer anonymity. By employing the algebraic structure of rings and the gadget trapdoor mechanism of Micciancio et al., we design LaSDVS to minimize computational overhead and significantly reduce key and signature sizes. Notably, our scheme achieves a compact signature size of $\mathcal{O}(n\log q)$, where $n$ is the security parameter, compared to the $\mathcal{O}(n^2)$ size of existing state-of-the-art PQC designs. To the best of our knowledge, LaSDVS offers the \textit{smallest private key and signature size} among existing PQC-based SDVS schemes.
Updated: 2025-06-03 05:37:17
标题: LaSDVS:一种后量子安全的紧凑型强指定验证者签名
摘要: 数字签名是确保数字通信真实性和完整性的基本密码原语。然而,在涉及敏感交互的场景中,如电子投票或电子现金,越来越需要更受控制的签名机制。强指定验证者签名(SDVS)通过允许签名者指定并限制签名的验证者来提供这种控制。现有最先进的SDVS方案主要基于数论难题假设,因此无法抵御量子攻击。此外,基于后量子密码学(PQC)的SDVS方案效率低下,密钥和签名尺寸较大。在这项工作中,我们解决了这些挑战,并在Ring-SIS和Ring-LWE问题的困难性假设下,提出了一种基于理想格的高效后量子SDVS(即LaSDVS)。LaSDVS实现了先进的安全性质,包括选择消息攻击下的强不可伪造性、不可传递性、不可委托性和签名者匿名性。通过利用环的代数结构和Micciancio等人的gadget陷门机制,我们将LaSDVS设计为最小化计算开销,并显著减小密钥和签名尺寸。值得注意的是,与现有最先进PQC设计中$\mathcal{O}(n^2)$的签名大小相比,我们的方案实现了$\mathcal{O}(n\log q)$的紧凑签名大小,其中$n$是安全参数。据我们所知,LaSDVS在现有基于PQC的SDVS方案中提供了\textit{最小的私钥和签名大小}。
更新时间: 2025-06-03 05:37:17
领域: cs.CR
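A back-of-the-envelope comparison of the two asymptotic signature sizes, using toy values of $n$ and $q$ that are purely illustrative and not the scheme's actual parameters:

```python
import math

# Illustrative parameters only; not the concrete parameters of LaSDVS.
n = 1024          # security parameter / ring dimension (assumed)
q = 2**23         # modulus (assumed)

bits_lasdvs = n * math.ceil(math.log2(q))   # O(n log q) signature growth
bits_quadratic = n * n                      # O(n^2) growth of prior PQC SDVS designs

print(f"O(n log q): ~{bits_lasdvs:,} bits")
print(f"O(n^2):     ~{bits_quadratic:,} bits")
print(f"ratio:      ~{bits_quadratic / bits_lasdvs:.1f}x")
```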
NeurIPS 2023 Competition: Privacy Preserving Federated Learning Document VQA
The Privacy Preserving Federated Learning Document VQA (PFL-DocVQA) competition challenged the community to develop provably private and communication-efficient solutions in a federated setting for a real-life use case: invoice processing. The competition introduced a dataset of real invoice documents, along with associated questions and answers requiring information extraction and reasoning over the document images. Thereby, it brings together researchers and expertise from the document analysis, privacy, and federated learning communities. Participants fine-tuned a pre-trained, state-of-the-art Document Visual Question Answering model provided by the organizers for this new domain, mimicking a typical federated invoice processing setup. The base model is a multi-modal generative language model, and sensitive information could be exposed through either the visual or textual input modality. Participants proposed elegant solutions to reduce communication costs while maintaining a minimum utility threshold in track 1 and to protect all information from each document provider using differential privacy in track 2. The competition served as a new testbed for developing and testing private federated learning methods, simultaneously raising awareness about privacy within the document image analysis and recognition community. Ultimately, the competition analysis provides best practices and recommendations for successfully running privacy-focused federated learning challenges in the future.
Updated: 2025-06-03 05:22:04
标题: NeurIPS 2023 竞赛:隐私保护联邦学习文档 VQA
摘要: 隐私保护联邦学习文档VQA(PFL-DocVQA)竞赛挑战社区针对一个真实用例(发票处理),在联邦设置中开发具有可证明隐私性和通信效率的解决方案。该竞赛引入了一个真实发票文档数据集,以及需要对文档图像进行信息提取和推理的相关问题与答案。因此,它汇集了来自文档分析、隐私和联邦学习社区的研究人员和专业知识。参与者针对这一新领域,对组织者提供的最先进的预训练文档视觉问答模型进行微调,模拟了典型的联邦发票处理设置。基础模型是一个多模态生成语言模型,敏感信息可能通过视觉或文本输入模态泄露。参与者提出了优雅的解决方案:在赛道1中在保持最低效用阈值的同时降低通信成本,在赛道2中使用差分隐私保护每个文档提供方的所有信息。该竞赛为开发和测试隐私保护联邦学习方法提供了一个新的试验平台,同时提高了文档图像分析与识别社区的隐私意识。最终,竞赛分析为未来成功举办以隐私为重点的联邦学习挑战赛提供了最佳实践和建议。
更新时间: 2025-06-03 05:22:04
领域: cs.LG,cs.CR,cs.CV
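As a sketch of the kind of mechanism the differential-privacy track calls for, the snippet below clips each client's update and adds Gaussian noise before averaging. The clipping norm and noise scale are placeholder values rather than a calibrated privacy budget, and the competition's actual solutions operate on the parameters of a multi-modal DocVQA model, not on toy vectors.

```python
import numpy as np

def dp_federated_average(client_updates, clip_norm=1.0, noise_std=0.1, rng=None):
    """Clip each client's update to bound sensitivity, average, then add
    Gaussian noise. Parameter values here are illustrative placeholders."""
    rng = rng or np.random.default_rng(0)
    clipped = []
    for u in client_updates:
        norm = np.linalg.norm(u)
        clipped.append(u * min(1.0, clip_norm / (norm + 1e-12)))
    avg = np.mean(clipped, axis=0)
    noise = rng.normal(0.0, noise_std * clip_norm / len(client_updates), size=avg.shape)
    return avg + noise

if __name__ == "__main__":
    updates = [np.random.default_rng(i).normal(size=8) for i in range(4)]
    print(dp_federated_average(updates))
```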
VPI-Bench: Visual Prompt Injection Attacks for Computer-Use Agents
Computer-Use Agents (CUAs) with full system access enable powerful task automation but pose significant security and privacy risks due to their ability to manipulate files, access user data, and execute arbitrary commands. While prior work has focused on browser-based agents and HTML-level attacks, the vulnerabilities of CUAs remain underexplored. In this paper, we investigate Visual Prompt Injection (VPI) attacks, where malicious instructions are visually embedded within rendered user interfaces, and examine their impact on both CUAs and Browser-Use Agents (BUAs). We propose VPI-Bench, a benchmark of 306 test cases across five widely used platforms, to evaluate agent robustness under VPI threats. Each test case is an interactive variant of a web platform, deployed in a realistic environment and containing a visually embedded malicious prompt. Our empirical study shows that current CUAs and BUAs can be deceived at rates of up to 51% and 100%, respectively, on certain platforms. The experimental results also indicate that system prompt defenses offer only limited improvements. These findings highlight the need for robust, context-aware defenses to ensure the safe deployment of multimodal AI agents in real-world environments. The code and dataset are available at: https://github.com/cua-framework/agents
Updated: 2025-06-03 05:21:50
标题: VPI-Bench:计算机使用代理的视觉提示注入攻击
摘要: 拥有完整系统访问权限的计算机使用代理(CUAs)可以实现强大的任务自动化,但由于其能够操纵文件、访问用户数据和执行任意命令,因此存在重大的安全和隐私风险。尽管先前的研究集中在基于浏览器的代理和HTML级攻击上,但CUAs的漏洞仍未被充分探究。在本文中,我们研究了视觉提示注入(VPI)攻击,即恶意指令被视觉嵌入到呈现的用户界面中,并考察其对CUAs和浏览器使用代理(BUAs)的影响。我们提出了VPI-Bench,一个涵盖五个广泛使用平台、包含306个测试案例的基准,用于评估代理在VPI威胁下的稳健性。每个测试案例都是某个Web平台的可交互变体,部署在逼真的环境中,并包含一个视觉嵌入的恶意提示。我们的实证研究表明,当前的CUAs和BUAs在某些平台上分别可以以高达51%和100%的比例被欺骗。实验结果还表明,系统提示防御仅能带来有限的改进。这些发现凸显了需要强大的、上下文感知的防御措施,以确保多模态AI代理在现实环境中的安全部署。代码和数据集可在以下网址获得:https://github.com/cua-framework/agents
更新时间: 2025-06-03 05:21:50
领域: cs.AI,cs.CR
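A schematic of how robustness under VPI could be scored: run the agent on a rendered page containing an injected instruction and count the cases where its actions pursue the attacker's goal. The TestCase fields, the run_agent interface, and the substring-based success check are assumptions made for illustration; the benchmark's real harness lives in the linked repository.

```python
# Hypothetical evaluation loop; the real VPI-Bench harness and agent API
# (see https://github.com/cua-framework/agents) differ in detail.
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class TestCase:
    platform: str            # mocked web platform variant
    screenshot_path: str     # rendered UI containing the injected instruction
    user_task: str           # benign task the user actually asked for
    injected_goal: str       # behaviour the visual injection tries to trigger

def attack_success_rate(cases: List[TestCase],
                        run_agent: Callable[[str, str], List[str]]) -> float:
    """Fraction of cases where the agent's action trace contains the
    attacker's injected goal rather than only the benign task."""
    hits = 0
    for case in cases:
        actions = run_agent(case.screenshot_path, case.user_task)
        if any(case.injected_goal in action for action in actions):
            hits += 1
    return hits / max(1, len(cases))
```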
Shallow Diffuse: Robust and Invisible Watermarking through Low-Dimensional Subspaces in Diffusion Models
The widespread use of AI-generated content from diffusion models has raised significant concerns regarding misinformation and copyright infringement. Watermarking is a crucial technique for identifying these AI-generated images and preventing their misuse. In this paper, we introduce Shallow Diffuse, a new watermarking technique that embeds robust and invisible watermarks into diffusion model outputs. Unlike existing approaches that integrate watermarking throughout the entire diffusion sampling process, Shallow Diffuse decouples these steps by leveraging the presence of a low-dimensional subspace in the image generation process. This method ensures that a substantial portion of the watermark lies in the null space of this subspace, effectively separating it from the image generation process. Our theoretical and empirical analyses show that this decoupling strategy greatly enhances the consistency of data generation and the detectability of the watermark. Extensive experiments further validate that our Shallow Diffuse outperforms existing watermarking methods in terms of robustness and consistency. The codes will be released at https://github.com/liwd190019/Shallow-Diffuse.
Updated: 2025-06-03 05:07:46
标题: 浅扩散:通过扩散模型中的低维子空间实现稳健且隐形的水印技术
摘要: 来自扩散模型的AI生成内容的广泛使用引起了人们对错误信息和版权侵权的重大关注。数字水印是识别这些AI生成图像并防止其被滥用的关键技术。在本文中,我们介绍了Shallow Diffuse,一种新的数字水印技术,可将稳健且不可见的水印嵌入到扩散模型输出中。与在整个扩散采样过程中集成水印的现有方法不同,Shallow Diffuse通过利用图像生成过程中低维子空间的存在将这些步骤解耦。该方法确保水印的很大一部分位于该子空间的零空间中,从而有效地将其与图像生成过程分离开来。我们的理论和实证分析表明,这种解耦策略极大地提高了数据生成的一致性和水印的可检测性。大量实验进一步验证了我们的Shallow Diffuse在稳健性和一致性方面优于现有的数字水印方法。代码将发布在https://github.com/liwd190019/Shallow-Diffuse。
更新时间: 2025-06-03 05:07:46
领域: cs.LG,cs.CR,cs.CV
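A linear-algebra toy of the decoupling idea: project a watermark onto the orthogonal complement (null space) of an assumed low-dimensional subspace, so that the components used for generation are untouched while the watermark remains detectable. The dimensions and random subspace are illustrative; the paper works with diffusion-model latents rather than raw vectors.

```python
import numpy as np

rng = np.random.default_rng(0)
d, k = 64, 8                      # ambient and (assumed) subspace dimensions

# Orthonormal basis U of a low-dimensional subspace (stand-in for the
# generation-relevant directions the paper identifies).
U, _ = np.linalg.qr(rng.normal(size=(d, k)))

watermark = rng.normal(size=d)
# Project the watermark onto the null space (orthogonal complement) of U.
wm_nullspace = watermark - U @ (U.T @ watermark)

latent = rng.normal(size=d)
watermarked = latent + wm_nullspace

# Components inside the subspace are numerically unchanged...
print(np.allclose(U.T @ watermarked, U.T @ latent))        # True
# ...while the embedded watermark is still detectable by correlation.
print(float(wm_nullspace @ (watermarked - latent)) > 0.0)  # True
```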
Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization
Cybersecurity teams face an overwhelming vulnerability crisis: with 25,000+ new CVEs disclosed annually, traditional CVSS-based prioritization requires addressing 60% of all vulnerabilities while correctly identifying only 20% of those actually exploited. We propose Vulnerability Management Chaining, an integrated decision tree framework combining historical exploitation evidence (KEV), predictive threat modeling (EPSS), and technical impact assessment (CVSS) to transform vulnerability management from reactive patching to strategic threat-driven prioritization. Experimental validation using 28,377 real-world vulnerabilities demonstrates 14-18 fold efficiency improvements while maintaining 85%+ coverage of actual threats. Organizations can reduce urgent remediation workload by 95% (from ~16,000 to ~850 vulnerabilities). The integration identifies 57 additional exploited vulnerabilities that neither KEV nor EPSS captures individually. Our framework uses exclusively open-source data, democratizing advanced vulnerability management regardless of budget or expertise. This research establishes the first empirically validated methodology for systematic vulnerability management integration, with immediate applicability across diverse organizational contexts.
Updated: 2025-06-03 05:07:03
标题: 漏洞管理链:一种用于高效网络安全风险优先级排序的综合框架
摘要: 网络安全团队面临着压倒性的漏洞危机:每年有超过25,000个新的CVE被披露,传统的基于CVSS的优先级排序需要处理全部漏洞中的60%,却只能正确识别实际被利用漏洞中的20%。我们提出了漏洞管理链(Vulnerability Management Chaining),这是一个综合决策树框架,结合了历史利用证据(KEV)、预测性威胁建模(EPSS)和技术影响评估(CVSS),将漏洞管理从被动打补丁转变为由威胁驱动的战略性优先级排序。使用28,377个真实世界漏洞进行的实验验证显示出14-18倍的效率提升,同时对实际威胁保持85%以上的覆盖率。组织可以将紧急补救工作量减少95%(从约16,000个漏洞减少到约850个漏洞)。该集成还识别出57个KEV或EPSS单独均无法捕捉到的被利用漏洞。我们的框架仅使用开源数据,使先进的漏洞管理不受预算或专业知识限制得以普及。这项研究建立了首个经实证验证的系统化漏洞管理集成方法论,可立即应用于各种组织环境。
更新时间: 2025-06-03 05:07:03
领域: cs.CR
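A compact sketch of the decision-tree style chaining described above, combining KEV membership, EPSS probability, and CVSS severity into a remediation tier. The EPSS cutoff and CVSS threshold below are placeholder values, not the thresholds validated in the study.

```python
def prioritize(vuln, epss_cutoff=0.1, cvss_threshold=7.0):
    """Chain KEV evidence, EPSS likelihood, and CVSS severity into a
    remediation tier. Thresholds are illustrative placeholders."""
    if vuln["in_kev"]:                         # historical exploitation evidence
        return "urgent"
    if vuln["epss"] >= epss_cutoff:            # predicted exploitation likelihood
        return "urgent" if vuln["cvss"] >= cvss_threshold else "scheduled"
    return "scheduled" if vuln["cvss"] >= cvss_threshold else "defer"

if __name__ == "__main__":
    sample = [
        {"id": "CVE-A", "in_kev": True,  "epss": 0.02, "cvss": 5.0},
        {"id": "CVE-B", "in_kev": False, "epss": 0.45, "cvss": 9.8},
        {"id": "CVE-C", "in_kev": False, "epss": 0.01, "cvss": 6.1},
    ]
    for v in sample:
        print(v["id"], "->", prioritize(v))
```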
A Review of Various Datasets for Machine Learning Algorithm-Based Intrusion Detection System: Advances and Challenges
An intrusion detection system (IDS) aims to protect computer networks from security threats by detecting intrusions, issuing notifications, and taking appropriate action to prevent illegal access and protect confidential information. As the globe becomes increasingly dependent on technology and automated processes, ensuring secure systems, applications, and networks has become one of the most significant problems of this era. The global web and digital technology have significantly accelerated the evolution of the modern world, necessitating the use of telecommunications and data transfer platforms. Researchers are enhancing the effectiveness of IDS by incorporating popular datasets into machine learning algorithms. An IDS equipped with machine learning classifiers improves attack detection accuracy by identifying normal or abnormal network traffic. This paper explores the methods of capturing and reviewing intrusion detection systems (IDS) and evaluates the challenges existing datasets face. A deluge of research on machine learning (ML) and deep learning (DL) architecture-based intrusion detection techniques has been conducted in the past ten years on various cybersecurity datasets, including KDDCUP'99, NSL-KDD, UNSW-NB15, CICIDS-2017, and CSE-CIC-IDS2018. We conducted a literature review and present an in-depth analysis of various intrusion detection methods that use SVM, KNN, DT, LR, NB, RF, XGBOOST, Adaboost, and ANN. We provide an overview of each technique, explaining the role of the classifiers and algorithms used. A detailed tabular analysis highlights the datasets used, classifiers employed, attacks detected, evaluation metrics, and conclusions drawn. This article offers a thorough review for future IDS research.
Updated: 2025-06-03 04:47:21
标题: 一个关于用于基于机器学习算法的入侵检测系统的各种数据集的综述:进展与挑战
摘要: 入侵检测系统(IDS)旨在通过检测、通知和采取适当措施来防止非法访问并保护机密信息,从而保护计算机网络免受安全威胁。随着全球对技术和自动化流程的依赖程度不断增加,确保系统、应用程序和网络的安全已经成为这个时代最重要的问题之一。全球网络和数字技术显著加速了现代世界的发展,促使人们使用电信和数据传输平台。研究人员通过将流行数据集纳入机器学习算法来提高IDS的有效性。配备机器学习分类器的IDS通过识别正常或异常网络流量来提高安全攻击检测的准确性。本文探讨了捕获和审查入侵检测系统(IDS)的方法,并评估了现有数据集所面临的挑战。过去十年中,针对各种网络安全数据集(包括KDDCUP'99、NSL-KDD、UNSW-NB15、CICIDS-2017和CSE-CIC-IDS2018)进行了大量基于机器学习(ML)和深度学习(DL)架构的入侵检测技术研究。我们进行了文献综述,对使用SVM、KNN、DT、LR、NB、RF、XGBOOST、Adaboost和ANN的各种入侵检测方法进行了深入分析。我们对每种技术进行了概述,并解释了所用分类器和算法的作用。详细的表格分析突出了所使用的数据集、所用分类器、检测到的攻击、评估指标和得出的结论。本文为未来的IDS研究提供了全面的综述。
更新时间: 2025-06-03 04:47:21
领域: cs.CR,cs.AI,cs.LG
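As a minimal illustration of the reviewed pipeline (dataset in, trained classifier and metrics out), the sketch below fits a random forest on synthetic stand-in flow features. It assumes scikit-learn and does not reproduce the preprocessing of any specific dataset such as NSL-KDD or CICIDS-2017.

```python
# Minimal ML-based IDS pipeline on synthetic flow features; a real study
# would load NSL-KDD / CICIDS-2017 etc. and apply their documented preprocessing.
from sklearn.datasets import make_classification
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import classification_report
from sklearn.model_selection import train_test_split

X, y = make_classification(n_samples=2000, n_features=20, weights=[0.8, 0.2],
                           random_state=42)   # 0 = normal, 1 = attack
X_tr, X_te, y_tr, y_te = train_test_split(X, y, test_size=0.3, random_state=42)

clf = RandomForestClassifier(n_estimators=100, random_state=42).fit(X_tr, y_tr)
print(classification_report(y_te, clf.predict(X_te), target_names=["normal", "attack"]))
```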
Reclaiming "Open AI" -- AI Model Serving Can Be Open Access, Yet Monetizable and Loyal
The rapid rise of AI has split model serving between open-weight distribution, which often lacks owner control and monetization, and opaque API-based approaches that risk user privacy and model transparency, forming a dichotomy that hinders an equitable AI ecosystem. This position paper introduces, rigorously formulates, and champions the Open-access, Monetizable, and Loyal (OML) paradigm for AI model serving: a foundational shift to securely distribute and serve AI models by synthesizing transparency with granular monetization and critical safety controls. We survey diverse OML constructions from theory and practice, analyze their security, performance, and practical trade-offs, outline a conceptual OML deployment protocol, and discuss market and policy implications. We assert that OML can foster a democratized, self-sustaining, and innovative AI landscape, mitigating centralized power risks. Finally, we call on the research community to further explore the broad design space of OML, spanning cryptographic, AI-native, and socio-economic mechanisms, to realize its full potential for a collaborative, accountable, and resilient AI future.
Updated: 2025-06-03 04:28:46
标题: 重新认识“开放AI” -- AI模型服务可以是开放获取的,同时也可以盈利并忠实
摘要: 人工智能(AI)的迅速崛起使模型服务分为开放式权重分配和基于API的不透明方法两种,前者通常缺乏所有者控制和货币化,而后者可能危及用户隐私和模型透明度,形成了一个阻碍公平AI生态系统发展的二分法。本文介绍、严格规划并倡导了开放、可货币化和忠诚(OML)范式用于AI模型服务:通过将透明度与细粒度货币化和关键安全控制相结合,实现安全分发和服务AI模型的基础性转变。我们从理论和实践中调查了多种OML构建,分析了它们的安全性、性能和实际权衡,并概述了概念性OML部署协议,并讨论了市场和政策影响。我们认为OML可以促进民主化、自我维持和创新性的AI景观,减轻了中心化权力风险。最后,我们呼吁研究界进一步探索OML的广泛设计空间,涵盖了加密、AI原生和社会经济机制,以实现其在未来合作、负责任和有韧性的AI领域的全部潜力。
更新时间: 2025-06-03 04:28:46
领域: cs.AI,cs.CR
Heterogeneous Secure Transmissions in IRS-Assisted NOMA Communications: CO-GNN Approach
Intelligent Reflecting Surfaces (IRS) enhance spectral efficiency by adjusting reflection phase shifts, while Non-Orthogonal Multiple Access (NOMA) increases system capacity. Consequently, IRS-assisted NOMA communications have garnered significant research interest. However, the passive nature of the IRS, lacking authentication and security protocols, makes these systems vulnerable to external eavesdropping due to the openness of electromagnetic signal propagation and reflection. NOMA's inherent multi-user signal superposition also introduces internal eavesdropping risks during user pairing. This paper investigates secure transmissions in IRS-assisted NOMA systems with heterogeneous resource configuration in wireless networks to mitigate both external and internal eavesdropping. To maximize the sum secrecy rate of legitimate users, we propose a combinatorial optimization graph neural network (CO-GNN) approach to jointly optimize beamforming at the base station, power allocation of NOMA users, and phase shifts of IRS for dynamic heterogeneous resource allocation, thereby enabling the design of dual-link or multi-link secure transmissions in the presence of eavesdroppers on the same or heterogeneous links. The CO-GNN algorithm simplifies the complex mathematical problem-solving process, eliminates the need for channel estimation, and enhances scalability. Simulation results demonstrate that the proposed algorithm significantly enhances the secure transmission performance of the system.
Updated: 2025-06-03 04:01:50
标题: 在IRS辅助的NOMA通信中的异构安全传输:CO-GNN方法
摘要: 智能反射表面(IRS)通过调整反射相位来增强频谱效率,而非正交多址接入(NOMA)则增加系统容量。因此,IRS辅助的NOMA通信引起了广泛的研究兴趣。然而,IRS的被动性质,缺乏认证和安全协议,使得这些系统容易受到外部窃听的威胁,因为电磁信号的传播和反射是开放的。NOMA固有的多用户信号叠加也会在用户配对过程中引入内部窃听风险。本文研究了在无线网络中具有异构资源配置的IRS辅助NOMA系统中的安全传输,以减轻外部和内部窃听的风险。为了最大化合法用户的总保密率,我们提出了一种组合优化图神经网络(CO-GNN)方法,联合优化基站的波束赋形、NOMA用户的功率分配以及IRS的相位偏移,实现动态异构资源分配,从而实现在相同或异构链路上存在窃听者的情况下设计双链路或多链路的安全传输。CO-GNN算法简化了复杂的数学问题求解过程,消除了对信道估计的需求,并增强了可扩展性。仿真结果表明,所提出的算法显著提高了系统的安全传输性能。
更新时间: 2025-06-03 04:01:50
领域: cs.CR,cs.IT,eess.SP,math.IT
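For reference, the per-user secrecy rate that the sum-secrecy-rate objective builds on is the gap between the legitimate and eavesdropper channel rates, clipped at zero. The SNR values in the sketch below are toy numbers, not outputs of the CO-GNN optimization.

```python
import math

def secrecy_rate(snr_legit_db: float, snr_eve_db: float) -> float:
    """[log2(1 + SNR_B) - log2(1 + SNR_E)]^+ in bits/s/Hz. The SNRs are
    assumed toy values, not results of the paper's joint optimization."""
    snr_b = 10 ** (snr_legit_db / 10)
    snr_e = 10 ** (snr_eve_db / 10)
    return max(0.0, math.log2(1 + snr_b) - math.log2(1 + snr_e))

# Sum secrecy rate over NOMA users under illustrative SNRs.
users = [(18.0, 6.0), (12.0, 3.0)]   # (legitimate, eavesdropper) SNR in dB
print(sum(secrecy_rate(b, e) for b, e in users))
```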
MISLEADER: Defending against Model Extraction with Ensembles of Distilled Models
Model extraction attacks aim to replicate the functionality of a black-box model through query access, threatening the intellectual property (IP) of machine-learning-as-a-service (MLaaS) providers. Defending against such attacks is challenging, as it must balance efficiency, robustness, and utility preservation in the real-world scenario. Despite the recent advances, most existing defenses presume that attacker queries have out-of-distribution (OOD) samples, enabling them to detect and disrupt suspicious inputs. However, this assumption is increasingly unreliable, as modern models are trained on diverse datasets and attackers often operate under limited query budgets. As a result, the effectiveness of these defenses is significantly compromised in realistic deployment scenarios. To address this gap, we propose MISLEADER (enseMbles of dIStiLled modEls Against moDel ExtRaction), a novel defense strategy that does not rely on OOD assumptions. MISLEADER formulates model protection as a bilevel optimization problem that simultaneously preserves predictive fidelity on benign inputs and reduces extractability by potential clone models. Our framework combines data augmentation to simulate attacker queries with an ensemble of heterogeneous distilled models to improve robustness and diversity. We further provide a tractable approximation algorithm and derive theoretical error bounds to characterize defense effectiveness. Extensive experiments across various settings validate the utility-preserving and extraction-resistant properties of our proposed defense strategy. Our code is available at https://github.com/LabRAI/MISLEADER.
Updated: 2025-06-03 01:37:09
标题: MISLEADER: 利用蒸馏模型集合防御模型提取
摘要: 模型提取攻击旨在通过查询访问来复制黑盒模型的功能,威胁到机器学习作为服务(MLaaS)提供商的知识产权(IP)。防御此类攻击具有挑战性,因为它必须在现实场景中平衡效率、鲁棒性和效用保留。尽管最近取得了进展,但大多数现有的防御措施假定攻击者的查询具有分布外(OOD)样本,使其能够检测和干扰可疑输入。然而,这种假设越来越不可靠,因为现代模型是在多样化的数据集上训练的,攻击者通常在有限的查询预算下操作。因此,在现实部署场景中,这些防御措施的有效性受到严重损害。为了弥补这一差距,我们提出了MISLEADER(对抗模型提取的蒸馏模型集合),这是一种新颖的防御策略,不依赖于OOD假设。MISLEADER将模型保护形式化为一个双层优化问题,同时在良性输入上保持预测准确性并减少潜在克隆模型的可提取性。我们的框架结合数据增强来模拟攻击者查询,并利用异构蒸馏模型集合来提高鲁棒性和多样性。我们进一步提供了一个可处理的近似算法,并推导出理论误差界以表征防御效果。在各种设置下进行的大量实验验证了我们提出的防御策略的保留效用和抗提取性质。我们的代码可在https://github.com/LabRAI/MISLEADER 上找到。
更新时间: 2025-06-03 01:37:09
领域: cs.CR,cs.AI
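A minimal sketch of the serving-time side of an ensemble defense: averaging class probabilities over heterogeneous distilled members. The bilevel training objective and the query-simulating augmentation are not reproduced here, and the stand-in "models" are arbitrary callables used only to keep the example self-contained.

```python
import numpy as np

def softmax(z, axis=-1):
    z = z - z.max(axis=axis, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=axis, keepdims=True)

def ensemble_predict(models, x):
    """Average class probabilities over heterogeneous distilled members.
    `models` is any iterable of callables mapping inputs to logits."""
    probs = [softmax(m(x)) for m in models]
    return np.mean(probs, axis=0)

if __name__ == "__main__":
    rng = np.random.default_rng(0)
    # Stand-ins for distilled members with different parameterisations.
    members = [lambda x, W=rng.normal(size=(4, 3)): x @ W for _ in range(3)]
    x = rng.normal(size=(2, 4))
    print(ensemble_predict(members, x))
```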
A Systematic Review of Metaheuristics-Based and Machine Learning-Driven Intrusion Detection Systems in IoT
The widespread adoption of the Internet of Things (IoT) has raised a new challenge for developers, since IoT is prone to known and unknown cyberattacks due to its heterogeneity, flexibility, and close connectivity. To defend against such security breaches, researchers have focused on building sophisticated intrusion detection systems (IDSs) using machine learning (ML) techniques. Although these algorithms notably improve detection performance, they require excessive computing power and resources, which is a crucial issue in IoT networks given the recent trend toward decentralized data processing and computing systems. Consequently, many optimization techniques have been incorporated into these ML models. In particular, a special category of optimizers inspired by the behavior of living creatures and various natural phenomena, known as metaheuristic algorithms, has been a central focus in recent years and has produced remarkable results. Given this significance, we present a comprehensive and systematic review of various applications of metaheuristic algorithms in developing machine learning-based IDSs, especially for IoT. A significant contribution of this study is the discovery of hidden correlations between these optimization techniques and the machine learning models integrated into state-of-the-art IoT-IDSs. In addition, the effectiveness of these metaheuristic algorithms in different applications, such as feature selection, parameter or hyperparameter tuning, and hybrid usage, is analyzed separately. Moreover, a taxonomy of existing IoT-IDSs is proposed. Furthermore, we investigate several critical issues related to such integration. Our extensive exploration ends with a discussion of promising optimization algorithms and technologies that can enhance the efficiency of IoT-IDSs.
Updated: 2025-06-03 00:53:02
标题: 物联网中基于元启发式和机器学习的入侵检测系统的系统性综述
摘要: 物联网的广泛应用给开发者带来了新的挑战,因为物联网由于其异质性、灵活性和紧密连接性而容易受到已知和未知的网络攻击。为了防御此类安全漏洞,研究人员专注于利用机器学习技术构建复杂的入侵检测系统(IDS)。尽管这些算法显著提高了检测性能,但它们需要过多的计算能力和资源,考虑到分散式数据处理和计算系统的最新趋势,这在物联网网络中是一个关键问题。因此,许多优化技术已与这些机器学习模型相结合。特别是,一类借鉴生物行为和各种自然现象的特殊优化器,即元启发式算法,近年来成为关注焦点,并带来了显著的成果。鉴于这一重要意义,我们对元启发式算法在开发基于机器学习的IDS(特别是面向物联网)中的各种应用进行了全面而系统的综述。本研究的一个重要贡献是发现了这些优化技术与最先进物联网IDS中所集成的机器学习模型之间的隐藏关联。此外,我们分别分析了这些元启发式算法在特征选择、参数或超参数调整以及混合使用等不同应用中的有效性。此外,我们提出了现有物联网IDS的分类法,并调查了与此类集成相关的若干关键问题。我们的广泛探索以讨论可以提高物联网IDS效率的有前景的优化算法和技术作结。
更新时间: 2025-06-03 00:53:02
领域: cs.CR,cs.NE
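To ground the feature-selection use case the review highlights, the sketch below runs a simple wrapper-style genetic algorithm over binary feature masks. The population size, mutation rate, penalty term, classifier, and synthetic data are all illustrative choices rather than settings taken from any surveyed work.

```python
# Wrapper-style metaheuristic (simple GA) for IDS feature selection; all
# hyperparameters and the synthetic data are illustrative assumptions.
import numpy as np
from sklearn.datasets import make_classification
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import cross_val_score

rng = np.random.default_rng(0)
X, y = make_classification(n_samples=600, n_features=25, n_informative=6, random_state=0)

def fitness(mask):
    if mask.sum() == 0:
        return 0.0
    clf = LogisticRegression(max_iter=500)
    acc = cross_val_score(clf, X[:, mask.astype(bool)], y, cv=3).mean()
    return acc - 0.002 * mask.sum()          # small penalty for larger subsets

pop = rng.integers(0, 2, size=(12, X.shape[1]))
for _ in range(10):                          # a few generations
    scores = np.array([fitness(ind) for ind in pop])
    parents = pop[np.argsort(scores)[-6:]]   # keep the best half
    children = []
    for _ in range(len(pop) - len(parents)):
        a, b = parents[rng.integers(len(parents), size=2)]
        cut = rng.integers(1, X.shape[1])    # single-point crossover
        child = np.concatenate([a[:cut], b[cut:]])
        flip = rng.random(X.shape[1]) < 0.05 # bit-flip mutation
        child = np.where(flip, 1 - child, child)
        children.append(child)
    pop = np.vstack([parents, children])

best = pop[np.argmax([fitness(ind) for ind in pop])]
print("selected features:", np.flatnonzero(best))
```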