aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by Truong (Jack) Luu, Information Systems Researcher

Research

Academic papers, new techniques, benchmarks, and theoretical findings in AI/LLM security.

690 items

OWASP GenAI Exploit Round-up Report Q1 2026

high / research / Industry
security
Apr 15, 2026

A Q1 2026 report from OWASP documents major exploits against AI and agentic AI systems (AI systems that take autonomous actions), showing a shift from theoretical risk to real-world attacks on AI agent identities, permissions, and supply chains. Key incidents include a breach of the Mexican government in which attackers used Claude to automate reconnaissance and exploitation, involving 150 GB of sensitive data, alongside incidents of prompt injection (hiding malicious instructions in an AI system's input so that it acts on them), privilege abuse, and supply-chain vulnerabilities in AI tooling.

OWASP GenAI Security

Other items on this page (page 13 of 35); the entries below follow in the same order:

1. Generalizability of Large Language Model-Based Agents: A Comprehensive Survey
2. ENClose: Encrypted Nonlinear Closed-Loop Control Over Fully Homomorphic Encryption
3. Byzantine-Robust Asynchronous Federated Learning via Feature Fingerprinting
4. Cybersecurity in the quantum era: Assessing the impact of quantum computing on infrastructure
5. An Encoding-Based Detection Approach for Stealthy FDI Attacks via Dimensional Transformation of Measurement Data
6. Transferable Adversarial Attack on Referring Video Object Segmentation
7. Exposing the Ghost in the Transformer: Abnormal Detection for Large Language Models via Hidden State Forensics
8. PriLabel: Toward Comprehensively Uncovering Omitted Disclosures in Privacy Labels of Android Apps on a Large Scale
9. HENet: A Heterogeneous Encoding Network for General and Robust Adversarial Example Generation
10. Multi-Screaming-Channel Attacks: Frequency Diversity for Enhanced Attacks
11. Differentially Private Event-Triggered Average Consensus for Multi-Agent Systems Under f-Local Byzantine Attacks: An Improved Resilient Protocol
12. DFREC: DeepFake Identity Recovery Based on Identity-Aware Masked Autoencoder
13. HKT-SmartAudit: Distilling Lightweight Models for Smart Contract Auditing
14. CIBPU: A Conflict-Invisible Secure Branch Prediction Unit
15. LitCVit: A Lightweight Self-Supervised Contrastive Vision Transformer for Encrypted Malicious Traffic Detection
16. FedNSA: Boosting Secure Aggregation by Assembling Differentially Private Noise Shares
17. Balancing Wireless Sensing Performance and Privacy Protection With Multi-Antenna Systems
18. Downlink Control Information Sniffing-Based Smart Jamming and Its Suppression Strategy in 5G NR
19. FALCON-Net: Feature Aggregation of Local Patterns for AI-Generated Image Detection
Generalizability of Large Language Model-Based Agents: A Comprehensive Survey

info / research / Peer-Reviewed
research
Apr 14, 2026

This survey examines how well large language model-based agents (AI systems that use an LLM to make decisions and take actions) generalize, that is, how reliably they perform on tasks and situations they were not specifically trained or prompted for. It reviews work across domains to identify the factors that help or limit an agent's ability to adapt and behave reliably in unfamiliar contexts.

ACM Digital Library (TOPS, DTRAP, CSUR)
ENClose: Encrypted Nonlinear Closed-Loop Control Over Fully Homomorphic Encryption

info / research / Peer-Reviewed
research
Apr 14, 2026

This paper proposes ENClose, a framework that lets nonlinear closed-loop control systems (automated systems that continuously adjust their output based on feedback) run over fully homomorphic encryption (FHE, a cryptographic method that computes directly on encrypted data without decrypting it). It addresses two obstacles: ciphertext noise that accumulates as the encrypted state is fed back on every control cycle, and the cost of evaluating nonlinear functions (operations that are not simple weighted sums) on encrypted data. Using function segmentation and tree-based selection, ENClose speeds these encrypted computations up by 3 to 20 times over prior methods, demonstrated on vehicle formation control and anomaly recovery.

IEEE Xplore (Security & AI Journals)
Byzantine-Robust Asynchronous Federated Learning via Feature Fingerprinting

info / research / Peer-Reviewed
research, security
Apr 14, 2026

Asynchronous federated learning (AFL, where devices train a shared model without waiting for each other to finish a round) is faster than synchronous training but more exposed to Byzantine attacks (participants that send corrupted or fabricated model updates to sabotage the global model). The paper proposes Belisa, a Byzantine-robust AFL framework that uses a reference model trained on publicly available data to quantify feature fingerprints (the discrepancies between the feature representations produced by each local model and those produced by the reference) and then filters out malicious models by clustering those fingerprints. In the reported experiments Belisa lowered the average test error under attack to 0.42 times that of baseline defenses and accelerated aggregation by an average of 12.3 times, including in realistic settings where devices differ in data and hardware.

IEEE Xplore (Security & AI Journals)
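As an added illustration (this is not Belisa's code and nothing here is taken from the paper), the script below shows the mechanics the summary describes in pure Python: fingerprint each client by the gap between the feature representations its model produces for a public probe set and those of a reference model, split the fingerprints into two clusters, accept only the cluster nearest the reference under an honest-majority assumption, and merge the survivors with staleness-aware weights the way an asynchronous server would. The probe features, client models and staleness values are constructed; the 1/sqrt(1 + staleness) weighting, the two-cluster split and the honest-majority rule are my assumptions, not details from the paper.

```python
import math
import random


def l2(a, b):
    """Euclidean distance between two equal-length vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fingerprint(client_feats, ref_feats):
    """Feature fingerprint of one client: mean L2 gap between the feature
    vectors its local model produces for a public probe set and the ones the
    reference model produces for the same probes (one vector per probe)."""
    return sum(l2(c, r) for c, r in zip(client_feats, ref_feats)) / len(ref_feats)


def two_means_1d(values, iters=100):
    """Lloyd's k-means with k=2 on scalar scores, centers seeded at min and max
    so the split is deterministic. Returns (low_indices, high_indices)."""
    lo, hi = min(values), max(values)
    low, high = [], []
    for _ in range(iters):
        low = [i for i, v in enumerate(values) if abs(v - lo) <= abs(v - hi)]
        high = [i for i in range(len(values)) if i not in low]
        new_lo = sum(values[i] for i in low) / len(low)
        new_hi = sum(values[i] for i in high) / len(high) if high else hi
        if new_lo == lo and new_hi == hi:
            break
        lo, hi = new_lo, new_hi
    return low, high


def filter_clients(all_client_feats, ref_feats):
    """Score every client, split the scores into two clusters and accept the
    cluster nearest the reference model. Honest-majority assumption (mine): if
    that cluster does not hold more than half the clients, refuse the round."""
    scores = [fingerprint(f, ref_feats) for f in all_client_feats]
    low, _high = two_means_1d(scores)
    accepted = low if len(low) > len(scores) / 2 else []
    return accepted, scores


def async_aggregate(global_model, updates, accepted, alpha=0.5):
    """Staleness-aware merge (assumed scheme): each accepted local model gets
    weight 1/sqrt(1 + staleness), where staleness is the number of global
    versions elapsed since the client fetched the model it trained on; the
    global model then moves a fraction alpha toward the weighted mean."""
    weights = {i: 1.0 / math.sqrt(1.0 + updates[i][1]) for i in accepted}
    total = sum(weights.values())
    if total == 0.0:
        return list(global_model)          # nothing accepted: keep the model
    merged = [sum(weights[i] * updates[i][0][k] for i in accepted) / total
              for k in range(len(global_model))]
    return [g + alpha * (m - g) for g, m in zip(global_model, merged)]


def build_round(seed=7, n_honest=6, n_malicious=3, dim=3, n_probes=4):
    """Constructed round (not data from the paper). Honest clients produce
    features close to the reference model's; malicious clients run a poisoned
    model whose features are sign-flipped and whose weights are pushed to -10."""
    rng = random.Random(seed)
    ref_feats = [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n_probes)]
    clients = []  # (probe features, local model weights, staleness, is_malicious)
    for _ in range(n_honest):
        feats = [[x + rng.gauss(0.0, 0.05) for x in p] for p in ref_feats]
        model = [1.0 + rng.gauss(0.0, 0.1) for _ in range(dim)]
        clients.append((feats, model, rng.randint(0, 3), False))
    for _ in range(n_malicious):
        feats = [[-x + rng.gauss(0.0, 0.05) for x in p] for p in ref_feats]
        model = [-10.0] * dim
        clients.append((feats, model, 0, True))
    return ref_feats, clients


def run_round(seed=7, alpha=0.5):
    """One aggregation step from an all-zero global model. Returns accepted
    client indices, fingerprint scores, the new global model and ground truth."""
    ref_feats, clients = build_round(seed)
    global_model = [0.0] * len(ref_feats[0])
    accepted, scores = filter_clients([c[0] for c in clients], ref_feats)
    updates = [(c[1], c[2]) for c in clients]
    new_global = async_aggregate(global_model, updates, accepted, alpha)
    return accepted, scores, new_global, [c[3] for c in clients]


if __name__ == "__main__":
    acc, sc, g, truth = run_round()
    for i, (s, bad) in enumerate(zip(sc, truth)):
        print(f"client {i}: fingerprint={s:.3f} malicious={bad} accepted={i in acc}")
    print("new global model:", [round(v, 3) for v in g])
```

The three poisoned clients have fingerprints roughly an order of magnitude above the honest ones, so the two-cluster split isolates them and their -10 weight vectors never touch the global model; without the filter the merged model would be pulled far negative. The honest-majority check matters: if an attacker controls most clients, the "near the reference" cluster can be the malicious one, so refusing the round is safer than trusting whichever cluster is larger.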
Cybersecurity in the quantum era: Assessing the impact of quantum computing on infrastructure

info / research / Peer-Reviewed
security
Apr 14, 2026

Quantum computing threatens current security systems because a sufficiently large quantum computer can break the public-key cryptography (such as RSA and elliptic-curve schemes) that protects critical infrastructure and cloud services. This paper examines how quantum computing affects the different layers of infrastructure, from applications down to networks, and proposes migrating to quantum-resistant cryptography (algorithms designed to withstand attacks by quantum computers) as the protective strategy. The authors call for cross-sector collaboration to develop and deploy these approaches before the threat becomes practical.

Elsevier Security Journals
An Encoding-Based Detection Approach for Stealthy FDI Attacks via Dimensional Transformation of Measurement Data

info / research / Peer-Reviewed
security
Apr 13, 2026

This paper proposes a method to detect false data injection (FDI) attacks, in which an attacker tampers with the sensor readings fed into a control system, by encoding the measurement data through a dimensional transformation into a different representation space before detection. The target is stealthy FDI attacks: injections crafted to stay consistent with the system's measurement model so that conventional residual-based bad-data detectors report nothing unusual, because the tampered readings look like normal system behavior.

Elsevier Security Journals
Transferable Adversarial Attack on Referring Video Object Segmentation

info / research / Peer-Reviewed
security, research
Apr 13, 2026

Referring video object segmentation (RVOS, identifying and outlining the object in a video that a text description refers to) is used in safety-critical settings such as autonomous driving, but the deep neural networks behind it are vulnerable to adversarial perturbations (small, deliberate changes to the input designed to fool a model). The paper shows, reportedly for the first time, that RVOS models can be reliably attacked with a method called xM-ICM that corrupts both the visual and the text input, and that the attack transfers: it still works when the attacker has only limited knowledge of the target model.

IEEE Xplore (Security & AI Journals)
Exposing the Ghost in the Transformer: Abnormal Detection for Large Language Models via Hidden State Forensics

info / research / Peer-Reviewed
security, research
Apr 13, 2026

Large language models (LLMs, AI systems trained on vast amounts of text) exhibit abnormal behaviors such as hallucinations (confidently generating false information) and are exposed to attacks such as jailbreaks (prompts that coax the model into ignoring its safety rules) and backdoors (hidden triggers planted during training). The paper proposes hidden state forensics, which analyzes the internal activation vectors that flow through the model's layers during inference, to flag abnormal or malicious behavior in real time, reporting over 95% accuracy with minimal computational overhead.

IEEE Xplore (Security & AI Journals)
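To make the idea of hidden-state forensics concrete, here is an added example in pure Python; it is not the paper's method or code. It fits per-layer statistics of hidden-state vectors on a benign calibration set, scores a new trace layer by layer with a diagonal Mahalanobis distance (root-mean-square z-score), calibrates a threshold on held-out benign traces, and flags a trace whose activations at some layer drift far from the benign profile. The traces are constructed stand-ins (a per-layer mean pattern plus unit-variance noise), and the layer-wise z-score detector, the 99th-percentile calibration and the 1.5x margin are my choices, not details from the paper.

```python
import math
import random


def fit_layer_stats(traces):
    """Per-layer, per-dimension mean and standard deviation of hidden states
    over a benign calibration set. A trace is a list of layers; each layer is
    the hidden-state vector (e.g. of the last token) at that layer."""
    n_layers, dim = len(traces[0]), len(traces[0][0])
    stats = []
    for layer in range(n_layers):
        means, stds = [], []
        for d in range(dim):
            xs = [t[layer][d] for t in traces]
            mu = sum(xs) / len(xs)
            var = sum((x - mu) ** 2 for x in xs) / max(len(xs) - 1, 1)
            means.append(mu)
            stds.append(math.sqrt(var) + 1e-9)   # guard against zero variance
        stats.append((means, stds))
    return stats


def layer_scores(trace, stats):
    """Anomaly score per layer: root-mean-square z-score of the hidden state
    against the benign statistics (a diagonal Mahalanobis distance)."""
    scores = []
    for (means, stds), h in zip(stats, trace):
        z2 = [((x - m) / s) ** 2 for x, m, s in zip(h, means, stds)]
        scores.append(math.sqrt(sum(z2) / len(z2)))
    return scores


def calibrate_threshold(heldout_traces, stats, quantile=0.99, margin=1.5):
    """Threshold from a held-out benign set: the chosen quantile of each
    trace's worst layer score, times a safety margin (both assumed settings)."""
    worst = sorted(max(layer_scores(t, stats)) for t in heldout_traces)
    idx = min(len(worst) - 1, int(quantile * (len(worst) - 1)))
    return worst[idx] * margin


def classify(trace, stats, threshold):
    """Flag a trace when any layer exceeds the threshold; report which layer."""
    scores = layer_scores(trace, stats)
    worst_layer = max(range(len(scores)), key=scores.__getitem__)
    return scores[worst_layer] > threshold, worst_layer, scores


def make_benign_traces(rng, n, n_layers=6, dim=8, centers=None):
    """Constructed benign traces (not real model activations): each layer has
    its own mean activation pattern plus unit-variance Gaussian noise."""
    if centers is None:
        centers = [[rng.uniform(-3.0, 3.0) for _ in range(dim)] for _ in range(n_layers)]
    traces = [[[c + rng.gauss(0.0, 1.0) for c in layer] for layer in centers]
              for _ in range(n)]
    return traces, centers


def run_demo(seed=11, shift=4.0, shifted_layer=4):
    """Fit on 150 benign traces, calibrate on 50 more, then score one fresh
    benign trace and one abnormal trace whose activations at `shifted_layer`
    are pushed `shift` standard deviations off the benign mean."""
    rng = random.Random(seed)
    fit, centers = make_benign_traces(rng, 150)
    heldout, _ = make_benign_traces(rng, 50, centers=centers)
    stats = fit_layer_stats(fit)
    threshold = calibrate_threshold(heldout, stats)
    probe_benign = make_benign_traces(rng, 1, centers=centers)[0][0]
    abnormal = [list(layer) for layer in probe_benign]
    abnormal[shifted_layer] = [x + shift for x in abnormal[shifted_layer]]
    return {
        "threshold": threshold,
        "benign": classify(probe_benign, stats, threshold),
        "abnormal": classify(abnormal, stats, threshold),
    }


if __name__ == "__main__":
    result = run_demo()
    print("threshold:", round(result["threshold"], 3))
    for name in ("benign", "abnormal"):
        flagged, layer, scores = result[name]
        print(f"{name}: flagged={flagged} worst_layer={layer} "
              f"scores={[round(s, 2) for s in scores]}")
```

Two practical points this exposes: the threshold must be calibrated on data that was not used to fit the statistics, otherwise benign scores are optimistically low and the detector fires on normal prompts; and reporting the worst layer, not just a verdict, is what makes the output forensically useful, because a jailbreak, a backdoor trigger and a hallucination need not disturb the same layers.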
PriLabel: Toward Comprehensively Uncovering Omitted Disclosures in Privacy Labels of Android Apps on a Large Scale

info / research / Peer-Reviewed
security
Apr 13, 2026

Privacy labels on app stores such as Google Play are meant to give users a quick summary of what data an app collects, but many developers report their practices inaccurately. The researchers built PriLabel, a tool that analyzes decompiled app code (machine-readable instructions recovered from the app package) to detect at scale when an app transmits sensitive data that its privacy label does not disclose. Testing on thousands of popular apps found many undisclosed data flows, including apps that transmitted financial data such as credit card numbers without labeling it.

IEEE Xplore (Security & AI Journals)
HENet: A Heterogeneous Encoding Network for General and Robust Adversarial Example Generation

info / research / Peer-Reviewed
security, research
Apr 13, 2026

This paper presents HENet, a method for generating adversarial examples (inputs with small, intentional changes designed to fool a model) that work against different architectures, such as CNNs (convolutional neural networks, common in image tasks) and Transformers. It targets two known weaknesses of existing attacks: poor transfer across model architectures, and fragility under image compression such as JPEG, which removes much of the perturbation and so weakens the attack.

IEEE Xplore (Security & AI Journals)
Multi-Screaming-Channel Attacks: Frequency Diversity for Enhanced Attacks

info / research / Peer-Reviewed
security
Apr 13, 2026

Screaming channels are a side-channel attack (recovering secrets by analyzing a device's electromagnetic leakage) that works from several meters away on mixed-signal chips, where digital logic and a radio (RF) transmitter share the same die and the leakage rides on the radio's transmissions. The paper shows that exploitable leakage appears at many more frequencies than previously assumed, not only at harmonics (integer multiples) of the clock frequency, and that combining several of these channels makes the attack more effective in noisy RF environments and at greater distances.

IEEE Xplore (Security & AI Journals)
Differentially Private Event-Triggered Average Consensus for Multi-Agent Systems Under f-Local Byzantine Attacks: An Improved Resilient Protocol

info / research / Peer-Reviewed
research
Apr 13, 2026

Multi-agent systems (networks of autonomous devices that communicate to reach a joint decision) operating in open networks face two threats: Byzantine attacks (malicious agents feeding false values to disrupt the consensus) and eavesdropping (outsiders inferring agents' private states from what they transmit). The authors propose IRCP-f, an improved resilient consensus protocol for the f-local Byzantine model (each honest agent has at most f Byzantine neighbors) that combines event-triggered communication with differential privacy (adding calibrated noise so that no individual agent's data can be inferred) and requires less restrictive constraints on the network structure than previous approaches.

IEEE Xplore (Security & AI Journals)
DFREC: DeepFake Identity Recovery Based on Identity-Aware Masked Autoencoder

info / research / Peer-Reviewed
research, safety
Apr 13, 2026

DFREC is a method for recovering the original faces used to create a deepfake (a manipulated image or video in which one person's face is swapped onto another's body). Whereas existing deepfake detectors only decide whether an image is fake, DFREC recovers both the source face (the identity pasted in) and the target face (the person impersonated) from the deepfake image, which helps investigators trace who was involved and reduces the harm of deepfake attacks. The system has three components: one that separates source and target identity information, one that reconstructs the source face, and one that reconstructs the target face using a Masked Autoencoder (a neural network that learns to fill in deliberately hidden parts of its input).

IEEE Xplore (Security & AI Journals)
HKT-SmartAudit: Distilling Lightweight Models for Smart Contract Auditing

info / research / Peer-Reviewed
research
Apr 13, 2026

HKT-SmartAudit is a framework for building smaller, faster models trained specifically to find bugs in smart contracts (self-executing code deployed on blockchain networks). It uses knowledge distillation (a large, accurate model teaches a smaller model by transferring what it has learned), so the lightweight models detect vulnerabilities effectively while needing far less computing power than the large models they are distilled from.

IEEE Xplore (Security & AI Journals)
CIBPU: A Conflict-Invisible Secure Branch Prediction Unit

info / research / Peer-Reviewed
security
Apr 13, 2026

This paper presents CIBPU, a secure branch prediction unit (BPU, the processor component that guesses which way a branch will go so execution can continue speculatively) that defends against attacks inferring secrets from the BPU's observable behavior. Earlier designs either isolated the BPU state physically or encrypted it with frequent key updates; CIBPU instead combines redundant storage (extra copies of predictor entries), smart indexing, and encryption without periodic key changes to hide branch conflicts (different branches competing for the same predictor entry) from an attacker. Evaluations in simulators and on real hardware show only about a 2 to 4% slowdown, less than other secure branch prediction approaches.

IEEE Xplore (Security & AI Journals)
LitCVit: A Lightweight Self-Supervised Contrastive Vision Transformer for Encrypted Malicious Traffic Detection

info / research / Peer-Reviewed
research
Apr 13, 2026

LitCVit is a lightweight model for detecting malicious encrypted network traffic (data sent over TLS and similar secure connections) without decrypting it or hand-crafting features. It uses self-supervised contrastive learning (training that learns patterns from unlabeled data by comparing samples) and a vision transformer (a neural network architecture that treats its input like an image) to analyze patterns across multiple packets and flows (sequences of related network communications), runs much faster than existing approaches, and reaches 98% accuracy on the test datasets.

IEEE Xplore (Security & AI Journals)
FedNSA: Boosting Secure Aggregation by Assembling Differentially Private Noise Shares

info / research / Peer-Reviewed
security, privacy
Apr 13, 2026

Federated learning (FL, where devices train a model together without sharing raw data) still leaks: an adversary who sees individual model updates can extract sensitive information about the training data. FedNSA is a secure aggregation protocol that combines differential privacy (calibrated noise that hides any single participant's contribution), encryption, and multi-party computation (MPC, jointly computing a result without revealing individual inputs); as the title indicates, the differential-privacy noise is assembled from noise shares contributed by the participants inside the aggregation, so the server only ever sees the noised sum. The design reduces the communication and computation overhead that makes secure aggregation impractical on resource-constrained devices such as smartphones.

IEEE Xplore (Security & AI Journals)
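The following added example (my illustration, not FedNSA's protocol or code) shows the two ingredients the summary names working together: pairwise masking, where every pair of clients shares a seed and adds the same pseudorandom mask with opposite signs so the masks cancel in the server's sum, and distributed differential-privacy noise, where each client contributes a Gaussian noise share sized so that the shares of the non-colluding clients alone already reach the target noise level. The pairwise seeds stand in for a key-agreement step, SHA-256 in counter mode stands in for the PRG, updates are quantized to fixed point so integer arithmetic cancels the masks exactly, and the share-sizing rule sigma/sqrt(n - t) is a standard construction I am assuming, not a detail from the paper.

```python
import hashlib
import math
import random

SCALE = 1 << 16      # fixed-point scale: integer sums cancel masks exactly


def agree_pairwise_seeds(n_clients, rng):
    """Stand-in for pairwise key agreement (Diffie-Hellman in a real protocol):
    one random 32-byte seed per unordered client pair, known to both parties."""
    seeds = {}
    for i in range(n_clients):
        for j in range(i + 1, n_clients):
            seeds[(i, j)] = rng.getrandbits(256).to_bytes(32, "big")
    return seeds


def seeds_for(cid, seeds):
    """The seeds client cid holds, keyed by the partner's id."""
    return {j if i == cid else i: s for (i, j), s in seeds.items() if cid in (i, j)}


def prg_mask(seed, dim):
    """Expand a seed into dim 64-bit integers (SHA-256 in counter mode)."""
    return [int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest()[:8], "big")
            for k in range(dim)]


def noise_share(rng, dim, sigma, n_clients, max_colluders):
    """One client's share of the Gaussian DP noise. Shares are sized so the sum
    over the n - t non-colluding clients already has variance sigma^2, so a
    coalition of t clients that subtracts its own shares gains nothing."""
    share_sigma = sigma / math.sqrt(n_clients - max_colluders)
    return [rng.gauss(0.0, share_sigma) for _ in range(dim)]


def client_message(cid, update, noise, my_seeds):
    """What client cid uploads: fixed-point (update + noise share) plus one
    pairwise mask per partner, added for higher ids and subtracted for lower
    ids, so every mask appears exactly once with each sign in the sum."""
    dim = len(update)
    msg = [round((u + n) * SCALE) for u, n in zip(update, noise)]
    for other, seed in my_seeds.items():
        mask = prg_mask(seed, dim)
        sign = 1 if cid < other else -1
        for k in range(dim):
            msg[k] += sign * mask[k]
    return msg


def server_aggregate(messages):
    """The server only sees masked vectors; summing them cancels the masks and
    leaves sum(updates) + sum(noise shares) in fixed point."""
    dim = len(messages[0])
    return [sum(m[k] for m in messages) / SCALE for k in range(dim)]


def run_demo(seed=3, n_clients=5, dim=4, sigma=1.0, max_colluders=1):
    """Constructed round: random updates in [-1, 1], one noise share each.
    Returns the server's aggregate, the plain sum of updates, the total noise,
    the masked messages and the raw updates (the last two only for inspection)."""
    rng = random.Random(seed)
    seeds = agree_pairwise_seeds(n_clients, rng)
    updates = [[rng.uniform(-1.0, 1.0) for _ in range(dim)] for _ in range(n_clients)]
    noises = [noise_share(rng, dim, sigma, n_clients, max_colluders) for _ in range(n_clients)]
    messages = [client_message(i, updates[i], noises[i], seeds_for(i, seeds))
                for i in range(n_clients)]
    aggregate = server_aggregate(messages)
    plain_sum = [sum(u[k] for u in updates) for k in range(dim)]
    noise_sum = [sum(n[k] for n in noises) for k in range(dim)]
    return aggregate, plain_sum, noise_sum, messages, updates


if __name__ == "__main__":
    agg, plain, noise, msgs, upd = run_demo()
    print("client 0 update:", [round(x, 3) for x in upd[0]])
    print("client 0 upload:", msgs[0])          # masked: unrelated to the update
    print("server result:  ", [round(x, 3) for x in agg])
    print("plain sum+noise:", [round(p + n, 3) for p, n in zip(plain, noise)])
```

What the run shows: each uploaded vector is dominated by 64-bit masks and reveals nothing about the client's update, yet the server's sum equals the plain sum of updates plus the assembled noise, to within fixed-point rounding. The practical caveats a deployment has to handle are exactly what this toy skips: a client that drops out after its partners have masked against it leaves an uncancelled mask, which real protocols solve by secret-sharing the seeds, and the honest-share sizing only holds if the assumed number of colluders is not exceeded.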
Balancing Wireless Sensing Performance and Privacy Protection With Multi-Antenna Systems

info / research / Peer-Reviewed
research
Apr 13, 2026

Wireless sensing uses Wi-Fi and similar signals to detect human activity such as movement and sleep patterns, but because the signals are broadcast, unauthorized receivers can intercept them and sense the same activity, which is a privacy risk. This paper proposes multi-antenna signal processing (using several transmit or receive antennas to shape the wireless signal) as a privacy protection at the physical layer (the lowest layer of wireless communication, below any encryption). The authors model the system mathematically and derive performance bounds to characterize the trade-off between sensing accuracy for the legitimate receiver and privacy against eavesdroppers.

IEEE Xplore (Security & AI Journals)
Downlink Control Information Sniffing-Based Smart Jamming and Its Suppression Strategy in 5G NR

info / research / Peer-Reviewed
security
Apr 13, 2026

This paper describes a smart jamming attack on 5G New Radio: the attacker sniffs downlink control information (DCI, the control messages that tell each device which time-frequency resources it has been scheduled) and uses that schedule to jam exactly the PUSCH (physical uplink shared channel, the main data channel from devices to the network) resources allocated to a victim. The proposed suppression method identifies the DCI-scheduled subset of resources under attack and reconstructs the PUSCH transmission; it relies on differences in spatial-domain features between the legitimate user and the attacker, at control channel element (CCE) and resource block group (RBG) granularity, to selectively exclude the jammer's contribution while preserving the authenticity of the targeted transmission.

IEEE Xplore (Security & AI Journals)
FALCON-Net: Feature Aggregation of Local Patterns for AI-Generated Image Detection

info / research / Peer-Reviewed
research
Apr 13, 2026

FALCON-Net is a detector that identifies AI-generated images through their technical flaws. It targets two weaknesses of generated images: the absence of device-specific sensor noise (the natural imperfections a real camera sensor adds to every photo) and unnatural variations in local pixel intensity left by oversimplified generation processes. FALCON-Net combines two analysis modules, one for noise patterns and one for local pixel variations, to separate generated images from real ones, and the authors report that it still works on image generators it was not trained on.

IEEE Xplore (Security & AI Journals)