aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Research

Academic papers, new techniques, benchmarks, and theoretical findings in AI/LLM security.

227 items

Octopus: A Robust and Privacy-Preserving Scheme for Compressed Gradients in Federated Learning

Tags: info, research, Peer-Reviewed, privacy
Oct 7, 2025

Federated learning (a way for multiple parties to train an AI model together without sharing their raw data with a central server) normally requires many communication rounds that waste bandwidth and can leak private information. Existing compression methods reduce communication but ignore privacy risks and fail when some clients disconnect. Octopus addresses these issues by using Sketch (a data compression technique) to compress gradients (the direction and size of updates to a model), adding protective masks around the compressed data, and including a strategy to handle disconnected clients.

Fix: Octopus employs Sketch to compress gradients and embeds masks for the compressed gradients to safeguard them while reducing communication overhead. The scheme proposes an anti-disconnection strategy to support model updates even when some clients are disconnected.

IEEE Xplore (Security & AI Journals)

Model Stability Defense Against Model Poisoning in Federated Learning

Tags: info, research, Peer-Reviewed, security
Oct 7, 2025

Federated learning (a training method where multiple parties collaborate to build an AI model without sharing raw data) is vulnerable to model poisoning attacks (where attackers inject harmful updates during training to break the model). This paper proposes MSDFL and HMSDFL, new defensive approaches that strengthen models by improving their stability, meaning they become less sensitive to small changes in their internal parameters, making them more resistant to these poisoning attacks.

Fix: The source explicitly describes the solution: 'we introduce a new method named Model Stability Defense for Federated Learning (MSDFL), designed to fortify the defense of FL systems against model poisoning attacks. MSDFL utilizes a minmax optimization framework, which is fundamentally linked to empirical risk for exploring the effects of model perturbations. The core aim of our approach is to minimize the norm of the model-output Jacobian matrix without compromising predictive performance, thereby establishing defense through enhanced model stability.' The paper also proposes 'a refined version of MSDFL, named Holistic Model Stability Defense for Federated Learning (HMSDFL), which considers model stability across all output dimensions of the logits to effectively eradicate the disparity in model convergence speed induced by MSDFL.'

IEEE Xplore (Security & AI Journals)

EEG-FE_rrRS: A Robust and Reusable EEG Recognition System Using Fuzzy Extractor

Tags: info, research, Peer-Reviewed
Oct 7, 2025

EEG-FE_rrRS is a biometric recognition system that uses brain wave signals (EEG, electroencephalogram) and a fuzzy extractor (a cryptographic tool that converts messy biometric data into secure, consistent digital codes) to create unique digital identities for users in applications like drones and virtual worlds. The system combines EEG signal processing with a fuzzy extractor framework and demonstrates high accuracy in recognizing individuals, achieving nearly perfect results on certain datasets.

IEEE Xplore (Security & AI Journals)

AttackDeceiver: Anti-Spoofing Automotive Radar System Using a Phase-Shifted Interleaving Waveform

Tags: info, research, Peer-Reviewed, security
Oct 6, 2025

Millimeter-wave radars (mmWave, sensors that use radio waves to detect objects) used in autonomous vehicles can be tricked by attackers who send false signals to distort what the radar perceives, potentially causing dangerous driving behavior. AttackDeceiver is a new anti-spoofing system (a defense against false signal attacks) that uses a phase-shifted interleaving waveform (a specially designed radio signal pattern) to detect fake targets by comparing readings from two independent channels, and it also tricks adaptive attackers into creating unrealistic fake objects that are easier to identify.

Fix: The source describes the AttackDeceiver system itself as the mitigation. It works by comparing range and velocity estimates from two independent virtual channels to detect and mitigate spoofing attacks, and by inducing attackers to generate false targets with unrealistic velocity fluctuations that can be identified. The prototype achieved false target recall exceeding 97.9% and signal-to-interference-plus-noise ratio enhancement exceeding 13.46 dB.

IEEE Xplore (Security & AI Journals)

PrivESD: A Privacy-Preserving Cloud-Edge Collaborative Logistic Regression Model Over Encrypted Streaming Data

Tags: info, research, Peer-Reviewed, security
Oct 6, 2025

PrivESD is a new system that allows machine learning classification (logistic regression, a technique for categorizing data) to work on encrypted streaming data (continuously flowing information that's been scrambled for privacy) while stored in the cloud. The system splits the computational work between cloud servers and edge devices (computers closer to where data originates) to reduce processing burden and privacy risks, and uses special encryption methods that still allow the system to compare values without revealing the actual data.

IEEE Xplore (Security & AI Journals)

Revealing the Risk of Hyper-Parameter Leakage in Deep Reinforcement Learning Models

Tags: info, research, Peer-Reviewed, security
Oct 6, 2025

Researchers discovered that hyper-parameters (settings that control how a deep reinforcement learning model learns and behaves) can be leaked from closed-box DRL models, meaning attackers can figure out these secret settings just by observing how the model responds to different situations. They created an attack called HyperInfer that successfully inferred hyper-parameters with over 90% accuracy, showing that even restricted AI models may expose information that was meant to stay hidden.

IEEE Xplore (Security & AI Journals)

Shift Your Shape: Correlating and Defending Mixnet Flows Based on Their Shapes

Tags: info, research, Peer-Reviewed, security
Oct 6, 2025

Researchers demonstrated a flow correlation attack against Nym, a mixnet (a network system that hides which user is communicating with which destination by routing traffic through multiple nodes). By analyzing the pattern and rate of data packets, an attacker controlling entry and exit gateways can use a neural network (a machine learning model inspired by how brains process information) to match incoming flows with outgoing flows with very high accuracy. The study tested five defense strategies and found that using the right combination of countermeasures at appropriate scales can meaningfully reduce the attack's effectiveness.

Fix: The source states: 'the right choice and scale of countermeasure(s) can offer meaningful protection' and mentions that 'five evaluated defense strategies' were tested. However, the source does not explicitly specify which countermeasures to implement, their names, configuration details, or version updates. The text only notes that 'steps a mixnet such as Nym can take to make our attack both less likely and less accurate' exist but does not detail them.

IEEE Xplore (Security & AI Journals)

Syntax-Oriented Shortcut: A Syntax Level Perturbing Algorithm for Preventing Text Data From Being Learned

Tags: info, research, Peer-Reviewed, security
Oct 6, 2025

Researchers created a method called UTE-SS (Unlearnable text examples generation via syntax-oriented shortcut) to protect text data from being used to train AI models without permission. The method adds small, hard-to-notice changes to text by altering its syntax (grammatical structure) so that language models learn misleading patterns instead of useful information, making the text data effectively useless for training.

IEEE Xplore (Security & AI Journals)

FedMPS: Federated Learning in a Synergy of Multi-Level Prototype-Based Contrastive Learning and Soft Label Generation

Tags: info, research, Peer-Reviewed
Oct 6, 2025

FedMPS is a federated learning (FL, a technique where multiple computers train an AI model together without sharing raw data) framework that addresses performance problems caused by data heterogeneity (differences in data across participants). Instead of exchanging full model parameters, FedMPS transmits only prototypes (representative feature patterns) and soft labels (probability-based output predictions), which reduces communication costs and improves how well models learn from each other.

IEEE Xplore (Security & AI Journals)

Hard Sample Mining: A New Paradigm of Efficient and Robust Model Training

Tags: info, research, Peer-Reviewed
Oct 6, 2025

Hard sample mining (HSM, a technique for selecting the most difficult training examples to focus a model's learning) has emerged as a method to improve how efficiently deep neural networks (AI systems based on interconnected layers inspired by brain neurons) train and make them more robust to errors. This survey article reviews different HSM approaches and explains how they help address training inefficiency and data distribution biases (when training data doesn't represent real-world scenarios fairly) in deep learning.

IEEE Xplore (Security & AI Journals)

Three-Dimensional Multiobject Tracking Based on Voxel Masking Encoder and Deep Hashing Paradigm

Tags: info, research, Peer-Reviewed
Oct 6, 2025

This paper presents a new system for 3-D multiobject tracking (MOT, a technique where AI follows multiple objects moving through 3-D space) used in autonomous vehicles to improve safety. The system uses a voxel masking encoder (a method that processes 3-D space divided into small cubes, focusing on important features while ignoring empty space) and deep hashing (a technique that converts objects into compact numerical codes for fast comparison) to better track distant objects, partially hidden objects, and similar-looking objects. The method was tested on the KITTI dataset (a standard collection of driving videos used to evaluate autonomous vehicle systems) and showed better tracking accuracy than existing methods.

IEEE Xplore (Security & AI Journals)

Toward Personalized Location Privacy Trading for Mobile Crowd Sensing

Tags: info, research, Peer-Reviewed, security
Oct 3, 2025

This research proposes Leaper, a framework that helps mobile workers in crowdsourcing tasks (where many people contribute data from their phones) protect their location privacy while still completing work. The system uses differential privacy (a mathematical technique that adds noise to data to prevent identifying individuals) and k-anonymity (mixing a person's data with others so they can't be singled out) to obfuscate, or hide, each worker's actual location, and then compensates workers fairly based on the privacy risk they accept.

IEEE Xplore (Security & AI Journals)

Novel Ultra-Lightweight Leakage-Resilient Blockchain-Assisted Key Exchange Protocol for Resource-Constrained Smart Meters in Smart Grid

Tags: info, research, Peer-Reviewed
Oct 3, 2025

This research paper identifies security weaknesses in a previous key exchange protocol (a method for two systems to securely agree on a shared secret) used in smart grids, specifically showing it is vulnerable to offline password-guessing and key compromise impersonation attacks (where an attacker tricks one party into thinking they are the other party). The authors propose a new, lightweight protocol that fixes these issues by using the Solana blockchain to manage keys and requiring smart meters to perform only simple operations like hashing (converting data into fixed-size codes) and encryption.

Fix: The paper proposes a decentralized ultra-lightweight AKE (authenticated key exchange) protocol that leverages the public Solana blockchain to enhance transparency and enable simple key revocation, with the SMD (smart metering device) performing only hashing, symmetric encryption/decryption, and physical unclonable function operations. However, this is a research proposal rather than a patch or update to existing software, so no software mitigation version or download link is provided.

IEEE Xplore (Security & AI Journals)

FedNK-RF: Federated Kernel Learning With Heterogeneous Data and Optimal Rates

Tags: info, research, Peer-Reviewed
Oct 3, 2025

This research paper proposes FedNK-RF, an algorithm for federated learning (a decentralized approach where multiple parties train AI models together while keeping their data private) that handles heterogeneous data (data that differs significantly across different sources). The algorithm uses random features and Nyström approximation (a mathematical technique that reduces computational errors) to improve accuracy while maintaining privacy protection, and the authors prove it achieves optimal performance rates.

IEEE Xplore (Security & AI Journals)

Privacy-Preserving Federated Learning Scheme With Mitigating Model Poisoning Attacks: Vulnerabilities and Countermeasures

Tags: info, research, Peer-Reviewed, security
Oct 2, 2025

Federated learning schemes (systems where multiple parties train AI models together while keeping data private) that use two servers for privacy protection were found to leak user data when facing model poisoning attacks (where malicious users deliberately corrupt the learning process). The researchers propose an enhanced framework called PBFL that uses Byzantine-robust aggregation (a method to safely combine data from untrusted sources), normalization checks, similarity measurements, and trapdoor fully homomorphic encryption (a technique for doing calculations on encrypted data without decrypting it) to protect privacy while defending against poisoning attacks.

Fix: The authors propose an enhanced privacy-preserving and Byzantine-robust federated learning (PBFL) framework that addresses the vulnerability. Key components include: a novel Byzantine-tolerant aggregation strategy with normalization judgment, cosine similarity computation, and adaptive user weighting; a dual-scoring trust mechanism and outlier suppression for detecting stealthy attacks; and two privacy-preserving subroutines (secure normalization judgment and secure cosine similarity measurement) that operate over encrypted gradients using a trapdoor fully homomorphic encryption scheme. According to theoretical analyses and experiments, this scheme guarantees security, convergence, and efficiency even with malicious users and one malicious server.

IEEE Xplore (Security & AI Journals)

Data Aggregation Mechanisms With Dynamic Integrity Trustworthiness Evaluation Framework for Datacenters

Tags: info, research, Peer-Reviewed
Oct 2, 2025

This research proposes a data aggregation framework (a system for combining data from multiple sources) that evaluates how trustworthy different data sources are using dynamic Bayesian networks (a model that updates trust scores based on changing network behavior over time). The framework combines trust measurement with the minimum spanning tree protocol (an algorithm for efficient data routing) to improve how data centers process large amounts of information, achieving significant reductions in computational, communication, and storage costs.

IEEE Xplore (Security & AI Journals)

Toward a Secure Framework for Regulating Artificial Intelligence Systems

Tags: info, research, Peer-Reviewed, policy
Oct 1, 2025

This paper addresses the lack of technical tools for regulating high-risk AI systems by proposing SFAIR (Secure Framework for AI Regulation), a system that automatically tests whether an AI meets regulatory standards. The framework uses a temporal self-replacement test (similar to certification exams for human operators) to measure an AI's operational qualification score, and protects itself using encryption, randomization, and real-time monitoring to prevent tampering.

Fix: The paper proposes SFAIR as a comprehensive framework for securing AI regulation. Key technical safeguards mentioned include: randomization, masking, encryption-based schemes, and real-time monitoring to secure SFAIR operations. Additionally, the framework leverages AMD's Secure Encrypted Virtualization-Encrypted State (SEV-ES, a processor-level security technology that encrypts AI system memory) for enhanced security. The source code of SFAIR is made publicly available.

IEEE Xplore (Security & AI Journals)

Fish and Chips: On the Root Causes of Co-Located Website-Fingerprinting Attacks

Tags: info, research, Peer-Reviewed, security
Oct 1, 2025

This research identifies how microarchitectural website-fingerprinting attacks (timing-based methods where attackers on the same computer can learn what websites a victim visits) actually work by pinpointing four main sources of information leakage: core contention (competition for processor cores), interrupts (signals that pause processing), frequency scaling (changing processor speed), and cache eviction (removing data from fast memory). The researchers developed a framework to measure how much each leakage source contributes to these attacks and demonstrated that controlling these sources can prevent the attacks entirely.

Fix: The source demonstrates that leakage can be 'completely mitigated by controlling these sources' (core contention, interrupts, frequency scaling, and cache eviction), but does not specify the concrete technical steps, configuration changes, or software updates needed to implement such controls in practice.

IEEE Xplore (Security & AI Journals)

An Algorithm for Persistent Homology Computation Using Homomorphic Encryption

Tags: info, research, Peer-Reviewed
Oct 1, 2025

This research presents a new method for performing topological data analysis (TDA, a technique that finds shape-based patterns in complex data) on encrypted information using homomorphic encryption (HE, a type of encryption that lets computers process data without decrypting it first). The authors adapted a fundamental TDA algorithm called boundary matrix reduction to work with encrypted data, proved it works correctly mathematically, and tested it using the OpenFHE framework to show it functions properly on real encrypted data.

IEEE Xplore (Security & AI Journals)

How Immersive Flow Experiences in the Metaverse Supercharge Awe, Place Attachment, and Engagement

Tags: info, research, Peer-Reviewed
Sep 30, 2025

This research study examines how immersive experiences in the metaverse (virtual shared digital spaces accessed through VR or similar technology) affect user emotions and behavior. The researchers found that when users experience focused immersion, enjoyment, and telepresence (the feeling of being physically present in a digital environment), they develop stronger feelings of awe and attachment to virtual places, which in turn increases how engaged they become with the platform.

AIS eLibrary (Journal of AIS, CAIS, etc.)

Page 9 of 12