aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Research

Academic papers, new techniques, benchmarks, and theoretical findings in AI/LLM security.

691 items

Proactive Bot Detection Based on Structural Information Principles
Peer-Reviewed · research, security · Dec 22, 2025

This research proposes SIAMD, a framework for detecting social media bots (automated accounts, often used to spread misinformation) before they cause harm. The system analyzes the patterns in how accounts interact with messages, uses structural entropy (a measure of the uncertainty in those interaction patterns) to single out bot-like behaviour, and generates synthetic bot messages with large language models to stress-test and improve the detector.

IEEE Xplore (Security & AI Journals)

Also on this page (summaries follow below):

The Most Overestimated Q Value Regularization in High-Dimensional Discrete Action Spaces for Offline Reinforcement Learning
Peer-Reviewed · research

Evolving AI Transparency: The Journey of the AIBOM Generator and Its New Home at OWASP
Industry · security, policy

Two-Server Offline/Online Private Information Retrieval With Small Client Storage
Peer-Reviewed · research

LigSecOTA: Lightweight Over-the-Air (OTA) Software Updates With Integrated Security
Peer-Reviewed · security

Model Steganography During Model Compression
Peer-Reviewed · security, research

L-VAKMC: Lightweight Authentication and Dynamic Key Agreement for VANET Multi-Entity Communications
Peer-Reviewed · security

ChargerWhisper: Acoustic Side-Channel Attack Exploiting Fast Charger
Peer-Reviewed · security

Spurious Local Minima Provably Exist for Deep CNNs: Theory and Application
Peer-Reviewed · research

Fully Perturbed Self-Ensemble Framework Using Cascaded Parallel CNN-Transformer for Semisupervised Medical Image Segmentation
Peer-Reviewed · research

FLEX: Flexible Linked EXecution for Real-Time Embedded Hotpatching
Peer-Reviewed · research

MPS-Fuzz: An Enhanced Fine-Grained Fuzzing Based on Units With Multiple Inputs and Outputs
Peer-Reviewed · security

PDRU: A Privacy-Preserving Dual Reputation Updating Scheme With Multi-Dimensional Feedback Scores in Vehicle Platoon
Peer-Reviewed · research

Fully Private Shortest Path Computation With Single-Round Interaction
Peer-Reviewed · research

Trap: Mitigating Poisoning-Based Backdoor Attacks by Treating Poison With Poison
Peer-Reviewed · security, research

MDA-SMuSha: An Efficient and Flexible Multi-Dimensional Data Aggregation Scheme for Privacy-Preservation in Smart Grids
Peer-Reviewed · security

Dynamic Attention Analysis for Backdoor Detection in Text-to-Image Diffusion Models
Peer-Reviewed · security, research

Exploring the Agentic Metaverse's Potential for Transforming Cybersecurity Workforce Development
Peer-Reviewed · research, policy

Special Issue Editorial: Brave New Work and the Future of Computing Professionals (Part 1)
Peer-Reviewed · research

Optimal Online Control Strategy for Differentially Private Federated Learning
Peer-Reviewed · privacy, research

Page 26 of 35
The Most Overestimated Q Value Regularization in High-Dimensional Discrete Action Spaces for Offline Reinforcement Learning
Peer-Reviewed · research · Dec 19, 2025

This paper addresses a problem in offline reinforcement learning (RL, a type of AI training that learns from pre-collected data without needing new real-world interaction) where Q value overestimation (the AI incorrectly thinking certain actions are better than they actually are) causes training problems in robotic tasks with many possible actions. The researchers propose MQR (most overestimated Q value regularization), an algorithm that specifically penalizes the single action with the worst overestimation rather than equally penalizing all actions, and demonstrate it achieves 99.04% success rates in real-world robotic grasping tasks.

IEEE Xplore (Security & AI Journals)
Evolving AI Transparency: The Journey of the AIBOM Generator and Its New Home at OWASP
Industry · security, policy · Dec 18, 2025

The AIBOM Generator, an open-source tool that creates an AI Software Bill of Materials (AIBOM, a structured document listing key information about an AI model like its data sources and configurations), has been moved to OWASP (a nonprofit focused on software security) to enable broader community collaboration and development. The tool helps organizations understand what's inside AI models, where they came from, and how trustworthy their documentation is, addressing a gap between rapid AI adoption and lagging transparency practices. The project is now part of the OWASP GenAI Security Project and will continue improving AI supply chain visibility through community-driven enhancements.

OWASP GenAI Security
Two-Server Offline/Online Private Information Retrieval With Small Client Storage
Peer-Reviewed · research · Dec 18, 2025

This paper introduces PIRS, a system for private information retrieval (PIR, where a user can fetch data from a database without revealing which data they want). PIRS uses two servers and splits the retrieval process into an offline phase, where the client preprocesses the database to create hints, and an online phase, where the client uses those hints to securely retrieve records. Unlike existing approaches, PIRS allows clients to store hints on the servers instead of locally, reducing storage needs from gigabytes to kilobytes by using secret sharing (a technique where data is split into pieces that are useless individually but combine to reveal the original).

IEEE Xplore (Security & AI Journals)
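To make the two-server model concrete, here is an added example (not code from the PIRS paper, and not its offline/online hint protocol) of the classic two-server XOR PIR that such schemes build on, plus the 2-of-2 XOR secret-sharing step that lets a client park a hint on the servers instead of holding it locally. Each server receives a uniformly random query vector (or a uniformly random hint share) and learns nothing on its own, so privacy rests on the two servers not colluding. The database layout, record size and hint bytes are constructed for illustration.

```python
import secrets

RECORD_LEN = 4  # constructed: fixed-size records so XOR-combining them is well defined
# Constructed toy database of 8 records; a real deployment would hold millions.
DATABASE = [bytes([i] * RECORD_LEN) for i in range(8)]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_answer(db: list[bytes], query_bits: list[int]) -> bytes:
    """Server side: XOR together every record whose query bit is set.
    The bit vector it receives is uniformly random, so the server cannot
    tell which record the client is after."""
    acc = bytes(RECORD_LEN)
    for record, bit in zip(db, query_bits):
        if bit:
            acc = xor_bytes(acc, record)
    return acc


def client_queries(index: int, n_records: int) -> tuple[list[int], list[int]]:
    """Two queries that differ only at the wanted index; each alone is uniform."""
    q0 = [secrets.randbelow(2) for _ in range(n_records)]
    q1 = q0.copy()
    q1[index] ^= 1
    return q0, q1


def pir_fetch(db: list[bytes], index: int) -> bytes:
    """Client side: one query to each (non-colluding) server, XOR the two answers.
    Every record except db[index] appears in both answers and cancels out."""
    q0, q1 = client_queries(index, len(db))
    return xor_bytes(server_answer(db, q0), server_answer(db, q1))


def split_hint(hint: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret sharing: one share per server instead of the whole hint
    on the client. Either share by itself is indistinguishable from random bytes."""
    share0 = secrets.token_bytes(len(hint))
    return share0, xor_bytes(share0, hint)


def recover_hint(share0: bytes, share1: bytes) -> bytes:
    return xor_bytes(share0, share1)


def demo() -> dict:
    # Constructed hint: stands in for whatever the offline phase produced.
    hint = b"offline-phase-hint"
    s0, s1 = split_hint(hint)
    return {
        "fetched_matches": all(pir_fetch(DATABASE, i) == DATABASE[i] for i in range(len(DATABASE))),
        "hint_roundtrip": recover_hint(s0, s1) == hint,
    }
```

The cost this toy scheme pays is a query vector of one bit per record and a full database scan per server on every request; offline/online designs exist precisely to move that scan into a preprocessing phase, which is where the hints PIRS stores as shares come from.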
LigSecOTA: Lightweight Over-the-Air (OTA) Software Updates With Integrated Security
Peer-Reviewed · security · Dec 18, 2025

LigSecOTA is a lightweight scheme for delivering over-the-air software updates to vehicles securely. Existing systems issue digital certificates (cryptographic credentials that identify a device) based on physical identifiers, which can be forged; LigSecOTA instead runs a one-machine-one-certificate identity management system that gives each ECU (Electronic Control Unit, one of a vehicle's embedded computers) a unique certificate derived from bit-time information. Security is integrated across three processes: authentication, authorization, and package distribution, with authorization dynamically providing the keys used for package distribution. Together these cover authentication (verifying identity), confidentiality (keeping update contents private), integrity (detecting tampering), access control (limiting who may do what), and data freshness (confirming an update is current rather than a replayed older one).

IEEE Xplore (Security & AI Journals)
Model Steganography During Model Compression
Peer-Reviewed · security, research · Dec 17, 2025

Researchers have developed a steganographic method (hiding secret data inside another medium) that embeds hidden messages into compressed neural network models (AI systems made smaller through techniques like quantization, pruning, or distillation). The approach allows a receiver with the correct extraction network to recover the hidden data while ordinary users remain unaware it exists, and the method maintains the model's performance in size, speed, and accuracy.

IEEE Xplore (Security & AI Journals)
L-VAKMC: Lightweight Authentication and Dynamic Key Agreement for VANET Multi-Entity Communications
Peer-Reviewed · security · Dec 17, 2025

This paper presents L-VAKMC, a lightweight authentication protocol designed for VANETs (vehicular ad hoc networks, where cars communicate wirelessly with each other and roadside infrastructure). The protocol uses elliptic-curve cryptography (a mathematical method for secure communication), hash-based commitments, and ephemeral key exchange (temporary security keys that change frequently) to securely authenticate different types of communications in vehicular systems while keeping computational demands low. The authors tested the protocol and found it resists common attacks and works efficiently in real-time vehicle environments.

IEEE Xplore (Security & AI Journals)
ChargerWhisper: Acoustic Side-Channel Attack Exploiting Fast Charger
Peer-Reviewed · security · Dec 17, 2025

ChargerWhisper is a side-channel attack (one that extracts information from physical emissions rather than by breaking any cryptography) that uses high-frequency, inaudible sound emitted by fast chargers to infer private information about the connected device's user. The attack works because electronic components in the charger vibrate at frequencies correlated with its power output, and power draw in turn depends on what the user is doing on the device; acoustic analysis of those emissions lets an attacker identify the website being visited or infer the unlock PIN being entered.

IEEE Xplore (Security & AI Journals)
Spurious Local Minima Provably Exist for Deep CNNs: Theory and Application
Peer-Reviewed · research · Dec 17, 2025

Researchers proved that spurious local minima (points where training stalls even though the network is not at the best achievable solution) exist in deep CNNs (convolutional neural networks, the standard architecture for image recognition), and gave a construction for building such points explicitly. They then proposed a deterministic optimization method for escaping local minima that applies not only to CNNs but also to ResNets, MLPs and transformers. On CIFAR-10, CIFAR-100 and ImageNet-1k the authors report that it consistently beats SGD and Adam in accuracy, by 0.27% on average, across every architecture and dataset tested.

IEEE Xplore (Security & AI Journals)
Fully Perturbed Self-Ensemble Framework Using Cascaded Parallel CNN-Transformer for Semisupervised Medical Image Segmentation
Peer-Reviewed · research · Dec 16, 2025

This paper addresses challenges in semisupervised medical image segmentation (using AI to identify structures in medical images when only some training data is labeled) by proposing FPSE, a framework that combines CNN (convolutional neural networks, which process images as grids of pixels) and transformer networks (which use attention mechanisms to focus on relevant parts of input). The key innovation is a "fully perturbed consistency learning" strategy that applies multiple types of perturbations (variations, like data transformations and feature modifications) to better learn from unlabeled images, while also using transformers on shallow features from CNNs to avoid needing excessive labeled data.

IEEE Xplore (Security & AI Journals)
FLEX: Flexible Linked EXecution for Real-Time Embedded Hotpatching
Peer-Reviewed · research · Dec 15, 2025

FLEX (Flexible Linked EXecution) is a hotpatching technique that lets embedded systems take software updates without a restart. At compile time every function call and variable access is resolved into an indirection through a Control Flow Table (CFT); a patch is applied by building a new CFT and swapping it in with a double-buffered pointer swap, while a relaxed-consistency state synchronization mechanism lets program state migrate gradually rather than all at once. The update process is XIP (execute-in-place) compatible and guarantees a short, bounded pause regardless of patch complexity. Unlike older approaches, FLEX is hardware-independent, supports many patches at once, and costs about 11% in execution overhead and 17% in additional memory.

IEEE Xplore (Security & AI Journals)
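The indirection-plus-swap idea is easier to see in code. The following is an added illustration written for this page, not FLEX's implementation, and it uses Python rather than the C a firmware build would use: every cross-function call goes through a table slot fixed at "compile time", a patch is staged in a copy of the table, and the switch is a single reference assignment, so the pause does not grow with the number of patched slots. The symbol slots, the two checksum versions and the frame layout are constructed; FLEX's state-migration mechanism is not reproduced.

```python
import threading
from typing import Callable

# Constructed symbol table: at "compile time" every call target gets a fixed slot,
# and callers use the slot number, never a direct reference to the function.
SYM_CHECKSUM = 0
SYM_PARSE_FRAME = 1


def checksum_v1(payload: bytes) -> int:
    return sum(payload) & 0xFF


def checksum_v2(payload: bytes) -> int:
    # Hypothetical patch: fold the length in so a padded payload no longer validates.
    return (sum(payload) + len(payload)) & 0xFF


def parse_frame_v1(frame: bytes) -> tuple[int, bytes]:
    # Constructed frame format: one type byte followed by the payload.
    return frame[0], frame[1:]


class ControlFlowTable:
    """All calls are routed through table[slot](...); replacing the table
    re-routes every caller at once without touching their code."""

    def __init__(self, entries: list[Callable]):
        self._active = list(entries)   # the table currently in use
        self._lock = threading.Lock()  # serialises patchers; callers never take it

    def call(self, slot: int, *args):
        table = self._active           # read the table reference once ...
        return table[slot](*args)      # ... so an in-flight call completes on its snapshot

    def hotpatch(self, updates: dict[int, Callable]) -> int:
        """Double-buffered update: build the replacement table off to the side,
        then swap one reference. However many slots change, the switch is one assignment."""
        with self._lock:
            staging = list(self._active)
            for slot, fn in updates.items():
                staging[slot] = fn
            self._active = staging
        return len(updates)


def demo() -> tuple[int, int]:
    """Checksum of the same payload before and after the hotpatch takes effect."""
    cft = ControlFlowTable([checksum_v1, parse_frame_v1])
    frame = b"\x01" + b"\x10\x20\x30"       # constructed: type 1, three payload bytes
    _kind, payload = cft.call(SYM_PARSE_FRAME, frame)
    before = cft.call(SYM_CHECKSUM, payload)
    cft.hotpatch({SYM_CHECKSUM: checksum_v2})
    after = cft.call(SYM_CHECKSUM, payload)
    return before, after
```

The cost of the approach is the one the summary reports for FLEX: every call pays an extra table lookup, and the table itself occupies memory that direct calls would not need.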
MPS-Fuzz: An Enhanced Fine-Grained Fuzzing Based on Units With Multiple Inputs and Outputs
Peer-Reviewed · security · Dec 15, 2025

MPS-Fuzz is a fuzzing technique (finding bugs by feeding a program large numbers of automatically generated inputs) that improves on existing approaches by tracking more precisely which parts of the code have been exercised. It targets two problems with conventional coverage feedback: redundant test cases that look new without exercising anything new, and collision errors, where different code paths are mapped to the same coverage-map entry and so become indistinguishable. MPS-Fuzz organizes code into units called MPS (basic blocks with multiple predecessors and successors) and adds a separate tracking mechanism for them. In the authors' evaluation MPS-Fuzz found 25.7% more bugs than the baseline AFL fuzzer and uncovered a previously unknown vulnerability in real software.

IEEE Xplore (Security & AI Journals)
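The collision problem is easy to reproduce. The example below is added for this page and is not MPS-Fuzz's unit-based scheme: it computes AFL's edge index (current block ID XOR previous block ID shifted right by one, masked to the bitmap size) for a constructed set of block IDs, and compares what a hashed bitmap reports as "new coverage" against an exact edge set. The bitmap is deliberately 16 entries instead of AFL's 65536 so that the collision shows up in a handful of lines; the block IDs and traces are constructed so that every edge of the second input collides with an edge of the first.

```python
MAP_SIZE = 16  # constructed: deliberately tiny so collisions are visible (AFL's default is 65536)


def afl_bucket(prev_loc: int, cur_loc: int) -> int:
    """AFL's edge index: cur_loc XOR (prev_loc >> 1), masked to the bitmap size.
    Two distinct edges that land in the same bucket are a collision."""
    return (cur_loc ^ (prev_loc >> 1)) & (MAP_SIZE - 1)


def trace_edges(block_ids: list[int]) -> list[tuple[int, int]]:
    """Turn a sequence of executed basic-block IDs into (prev, cur) edges.
    AFL starts every execution with prev_loc = 0."""
    prev, edges = 0, []
    for cur in block_ids:
        edges.append((prev, cur))
        prev = cur
    return edges


def hashed_new_coverage(trace: list[int], bitmap: set[int]) -> set[int]:
    """What an AFL-style fuzzer sees: bitmap buckets not hit before. Updates `bitmap`."""
    new = {afl_bucket(p, c) for p, c in trace_edges(trace)} - bitmap
    bitmap |= new
    return new


def exact_new_coverage(trace: list[int], seen: set[tuple[int, int]]) -> set[tuple[int, int]]:
    """Collision-free baseline: track the actual (prev, cur) edges. Updates `seen`."""
    new = set(trace_edges(trace)) - seen
    seen |= new
    return new


def find_collisions(edges: list[tuple[int, int]]) -> dict[int, set[tuple[int, int]]]:
    """Buckets that more than one distinct edge maps to."""
    buckets: dict[int, set[tuple[int, int]]] = {}
    for edge in edges:
        buckets.setdefault(afl_bucket(*edge), set()).add(edge)
    return {b: es for b, es in buckets.items() if len(es) > 1}


def compare(traces: list[list[int]]) -> list[tuple[int, int]]:
    """Per input: (new buckets per the hashed bitmap, new edges per the exact set).
    A (0, k) pair with k > 0 is an input the hashed fuzzer would wrongly drop as 'nothing new'."""
    bitmap: set[int] = set()
    seen: set[tuple[int, int]] = set()
    return [(len(hashed_new_coverage(t, bitmap)), len(exact_new_coverage(t, seen))) for t in traces]


# Constructed traces. Edges and buckets:
#   input 1: (0,2) -> 2, (2,5) -> 4
#   input 2: (0,4) -> 4, (4,0) -> 2
# so the second input reaches two never-seen edges but lights up no new bucket.
TRACES = [[2, 5], [4, 0]]
```

With the real 64 K bitmap the same effect is just less frequent: the fuzzer silently discards inputs that reached new edges, which is the accounting error finer-grained tracking such as MPS-Fuzz's is meant to remove.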
PDRU: A Privacy-Preserving Dual Reputation Updating Scheme With Multi-Dimensional Feedback Scores in Vehicle Platoon
Peer-Reviewed · research · Dec 15, 2025

Vehicle platooning (where multiple vehicles travel together in formation) needs to assess whether the lead vehicle is reliable, which is done through reputation management systems. Existing reputation systems have weaknesses in security, privacy, and use overly simple evaluation methods. This paper proposes PDRU, a new reputation system that uses dual reputation tracking (a backup system to prevent single-point failures), evaluates the lead vehicle across multiple dimensions, and keeps vehicle identities and reputation scores private.

IEEE Xplore (Security & AI Journals)
Fully Private Shortest Path Computation With Single-Round Interaction
Peer-Reviewed · research · Dec 15, 2025

This paper presents Srchpa, a privacy-preserving method for computing the shortest path (the most efficient route between two locations) between a user and a destination. Unlike traditional navigation systems where users must share their location with a server, Srchpa protects both the user's location data and the server's route information while requiring only a single round of communication (one back-and-forth exchange) instead of multiple interactions. The scheme is designed to work efficiently even on resource-limited devices like smartphones.

IEEE Xplore (Security & AI Journals)
Trap: Mitigating Poisoning-Based Backdoor Attacks by Treating Poison With Poison
Peer-Reviewed · security, research · Dec 15, 2025

This research addresses backdoor attacks, in which poisoned training data (maliciously altered samples inserted into a dataset) makes a neural network misbehave on specific trigger inputs. The authors propose Trap, a defence that detects poisoned samples during the early stages of training, exploiting the fact that they cluster apart from legitimate data, and then removes the backdoor by retraining the classifier part of the model on the poisoned samples after relabelling them. Across twelve attacks on four datasets the authors report that Trap cut the average attack success rate to 0.07% while reducing average accuracy by only 0.33%.

IEEE Xplore (Security & AI Journals)
MDA-SMuSha: An Efficient and Flexible Multi-Dimensional Data Aggregation Scheme for Privacy-Preservation in Smart Grids
Peer-Reviewed · security · Dec 15, 2025

Smart meters in electrical grids collect fine-grained energy usage data that can reveal private information about households, but protecting that data while combining readings from many meters normally requires heavy computation that strains resource-limited devices. The authors propose MDA-SMuSha, a scheme that uses Shamir's multi-secret sharing (a cryptographic method that splits secrets among multiple parties so that only a threshold of them can reconstruct anything) and Paillier encryption (an additively homomorphic scheme: ciphertexts can be summed without being decrypted) to let smart meters protect and aggregate multi-dimensional energy data efficiently, while still letting the control centre request statistics flexibly. Their evaluation shows lower computation cost than existing privacy-preserving aggregation methods while preserving confidentiality, authenticity, data integrity, and fault tolerance (the ability to keep working when some participants fail).

IEEE Xplore (Security & AI Journals)
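The two properties the scheme leans on, threshold reconstruction and additive homomorphism, can be shown with plain Shamir sharing. This is an added example for this page, not MDA-SMuSha's protocol: each meter splits every dimension of its reading into shares for a set of aggregators, each aggregator sums the shares it receives, and the control centre interpolates the per-dimension totals from any threshold-sized subset of aggregators, so one aggregator going offline does not stop the computation and no individual reading is ever reconstructed. The field modulus, the three meters' readings and the two dimensions are constructed; the scheme's Paillier layer and multi-secret packing are not reproduced.

```python
import secrets

PRIME = (1 << 61) - 1  # constructed field modulus (a Mersenne prime); readings must be < PRIME


def make_shares(secret: int, threshold: int, n_parties: int) -> list[tuple[int, int]]:
    """Shamir: hide `secret` as f(0) of a random polynomial of degree threshold-1 and give
    party k the point (k, f(k)). Fewer than `threshold` points reveal nothing about f(0)."""
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_parties + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 from any `threshold` distinct points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def meters_to_aggregators(readings: list[list[int]], threshold: int, n_aggregators: int):
    """Each meter shares every dimension of its reading across the aggregators. An aggregator
    only ever sees shares and adds the ones it receives: the sum of shares of f_1..f_m is a
    share of f_1 + ... + f_m, because Shamir sharing is additively homomorphic."""
    dims = len(readings[0])
    acc = [[0] * dims for _ in range(n_aggregators)]
    for vector in readings:
        for d, value in enumerate(vector):
            for k, (_, y) in enumerate(make_shares(value, threshold, n_aggregators)):
                acc[k][d] = (acc[k][d] + y) % PRIME
    return [(k + 1, acc[k]) for k in range(n_aggregators)]


def control_center_totals(agg_shares, dims: int) -> list[int]:
    """The control centre needs only `threshold` aggregators' sums to recover each dimension's
    total; individual meter readings are never reconstructed by anyone."""
    return [reconstruct([(x, vec[d]) for x, vec in agg_shares]) for d in range(dims)]


def demo() -> list[int]:
    # Constructed readings: three meters, two dimensions (e.g. active and reactive energy).
    readings = [[12, 230], [7, 228], [30, 231]]
    agg = meters_to_aggregators(readings, threshold=2, n_aggregators=3)
    survivors = agg[:2]  # fault tolerance: aggregator 3 has gone offline
    return control_center_totals(survivors, dims=2)
```

Two caveats a deployment has to address and this sketch does not: shares must reach the aggregators over authenticated channels, or a meter can be impersonated, and any `threshold` aggregators colluding can reconstruct a single meter's share vector, which is why schemes such as this one layer encryption on top of the sharing.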
Dynamic Attention Analysis for Backdoor Detection in Text-to-Image Diffusion Models
Peer-Reviewed · security, research · Dec 15, 2025

Researchers found that text-to-image diffusion models (AI systems that generate images from text descriptions) can be attacked using backdoors, which are hidden triggers in text that make the model produce unwanted outputs. This paper proposes Dynamic Attention Analysis (DAA), a new detection method that tracks how the model's attention mechanisms (the parts of the AI that focus on relevant information) change over time, since backdoor attacks create different patterns than normal operation. The method achieved strong detection results, correctly identifying backdoored samples about 79% of the time.

IEEE Xplore (Security & AI Journals)
Exploring the Agentic Metaverse's Potential for Transforming Cybersecurity Workforce Development
Peer-Reviewed · research, policy · Dec 12, 2025

Researchers studied an AI-driven metaverse prototype (a 3D virtual environment enhanced with multi-agent systems, or software that can act independently) designed to train cybersecurity professionals, gathering feedback from 53 experts. The study found that this technology could create personalized, scalable training experiences but identified implementation challenges and proposed six recommendations for organizations considering adopting it.

AIS eLibrary (Journal of AIS, CAIS, etc.)
Special Issue Editorial: Brave New Work and the Future of Computing Professionals (Part 1)
Peer-Reviewed · research · Dec 12, 2025

This editorial introduces a special issue examining how evolving information technology and society will shape the future of work, jobs, and professional roles. It calls for research that projects multiple possible futures, evaluates which outcomes are most valuable, and identifies steps organizations can take now to work toward their preferred future states.

AIS eLibrary (Journal of AIS, CAIS, etc.)
Optimal Online Control Strategy for Differentially Private Federated Learning
Peer-Reviewed · privacy, research · Dec 12, 2025

This research paper addresses a problem in differentially private federated learning (DP-FL, a technique that trains AI models across multiple devices while adding mathematical noise to protect privacy). The paper proposes a new control framework that dynamically adjusts both the amount of noise added and how many communication rounds occur during training, rather than using fixed or randomly adjusted noise levels. Experiments show this approach achieves faster convergence (reaching a good solution quicker) and better accuracy while maintaining the same privacy guarantees.

IEEE Xplore (Security & AI Journals)