密码学与安全
查看 最近的 文章
显示 2025年07月21日, 星期一 新的列表
- [1] arXiv:2507.13367 [中文pdf, pdf, 其他]
-
标题: 一种结合伪随机像素选择的新型APVD隐写技术,用于增强图像安全标题: A Novel APVD Steganography Technique Incorporating Pseudorandom Pixel Selection for Robust Image Security评论: 已接受参加COMITCON 2023。《电气工程讲义》,第1191卷。Springer期刊参考: (2024)COMITCON 2023,LNEE,第1191卷,Springer主题: 密码学与安全 (cs.CR) ; 计算机视觉与模式识别 (cs.CV) ; 多媒体 (cs.MM) ; 图像与视频处理 (eess.IV)
隐写术是将秘密信息隐蔽地嵌入载体中的过程,确保机密数据的安全交换。 自适应像素值差分(APVD)隐写方法虽然有效,但会遇到诸如“未使用块”等问题。 这个问题可能导致安全性的降低,损害嵌入容量,并导致视觉质量下降。 本研究提出了一种新的隐写策略,将APVD与伪随机像素选择相结合,以有效缓解这些问题。 结果表明,新方法在安全性、数据隐藏容量和图像质量的保持方面优于现有技术。 实证结果表明,APVD与伪随机像素选择的结合显著提高了关键图像质量指标,如峰值信噪比(PSNR)、通用图像质量指数(UIQ)和结构相似性指数(SSIM),在性能上超越了其他现代方法。 所提出的新型方法具有通用性,能够处理彩色和灰度的各种载体图像和秘密图像,从而确保数据传输的安全性,而不会影响图像的美学质量。
Steganography is the process of embedding secret information discreetly within a carrier, ensuring secure exchange of confidential data. The Adaptive Pixel Value Differencing (APVD) steganography method, while effective, encounters certain challenges like the "unused blocks" issue. This problem can cause a decrease in security, compromise the embedding capacity, and lead to lower visual quality. This research presents a novel steganographic strategy that integrates APVD with pseudorandom pixel selection to effectively mitigate these issues. The results indicate that the new method outperforms existing techniques in aspects of security, data hiding capacity, and the preservation of image quality. Empirical results reveal that the combination of APVD with pseudorandom pixel selection significantly enhances key image quality metrics such as Peak Signal-to-Noise Ratio (PSNR), Universal Image Quality Index (UIQ), and Structural Similarity Index (SSIM), surpassing other contemporary methods in performance. The newly proposed method is versatile, able to handle a variety of cover and secret images in both color and grayscale, thereby ensuring secure data transmission without compromising the aesthetic quality of the image.
- [2] arXiv:2507.13505 [中文pdf, pdf, html, 其他]
-
标题: 阶段:被动人体活动模拟评估标题: PHASE: Passive Human Activity Simulation Evaluation主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 机器学习 (cs.LG) ; 网络与互联网架构 (cs.NI)
网络安全性模拟环境,如网络训练场、蜜罐和沙箱,需要现实的人类行为才能有效,但目前尚无定量方法来评估合成用户角色的行为真实性。 本文介绍了PHASE(被动人类活动模拟评估),一个机器学习框架,它分析Zeek连接日志,并以超过90%的准确率区分人类和非人类活动。 PHASE完全被动运行,依赖标准网络监控,无需任何用户端设备或可见的监控迹象。 用于机器学习的所有网络活动均通过Zeek网络设备收集,以避免引入不必要的网络流量或可能破坏模拟环境真实性的伪影。 本文还提出了一种新的标记方法,利用本地DNS记录对网络流量进行分类,从而实现机器学习分析。 此外,我们应用SHAP(SHapley加法解释)分析来揭示表明真实人类用户的时空和行为特征。 在案例研究中,我们评估了一个合成用户角色,并识别出损害行为真实性的明显非人类模式。 基于这些见解,我们开发了一个改进的行为配置,显著提高了合成活动的人类相似性,从而产生更真实有效的合成用户角色。
Cybersecurity simulation environments, such as cyber ranges, honeypots, and sandboxes, require realistic human behavior to be effective, yet no quantitative method exists to assess the behavioral fidelity of synthetic user personas. This paper presents PHASE (Passive Human Activity Simulation Evaluation), a machine learning framework that analyzes Zeek connection logs and distinguishes human from non-human activity with over 90\% accuracy. PHASE operates entirely passively, relying on standard network monitoring without any user-side instrumentation or visible signs of surveillance. All network activity used for machine learning is collected via a Zeek network appliance to avoid introducing unnecessary network traffic or artifacts that could disrupt the fidelity of the simulation environment. The paper also proposes a novel labeling approach that utilizes local DNS records to classify network traffic, thereby enabling machine learning analysis. Furthermore, we apply SHAP (SHapley Additive exPlanations) analysis to uncover temporal and behavioral signatures indicative of genuine human users. In a case study, we evaluate a synthetic user persona and identify distinct non-human patterns that undermine behavioral realism. Based on these insights, we develop a revised behavioral configuration that significantly improves the human-likeness of synthetic activity yielding a more realistic and effective synthetic user persona.
- [3] arXiv:2507.13591 [中文pdf, pdf, html, 其他]
-
标题: FuSeFL:完全安全且可扩展的跨库联邦学习标题: FuSeFL: Fully Secure and Scalable Cross-Silo Federated Learning评论: 15页,12图主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
联邦学习(FL)使协作模型训练成为可能,而无需集中客户端数据,这使其在隐私敏感领域具有吸引力。 虽然现有方法采用密码技术,如同态加密、差分隐私或安全多方计算来缓解推理攻击——包括模型逆向、成员推理和梯度泄露——但它们通常会遭受高计算、通信或内存开销的问题。 此外,许多方法忽视了全局模型本身的机密性,这可能是专有且敏感的。 这些挑战限制了安全联邦学习的实际应用,尤其是在涉及大规模数据集和严格合规要求的跨库部署中。 我们提出了FuSeFL,这是一种完全安全且可扩展的联邦学习方案,专为跨库环境设计。 FuSeFL使用轻量级安全多方计算(MPC)在客户端对之间分散训练,同时将服务器的角色限制为安全聚合。 这种设计消除了服务器瓶颈,避免了数据卸载,并在整个训练过程中保持数据、模型和更新的完全机密性。 FuSeFL能够抵御推理威胁,实现高达95%的通信延迟降低和50%的服务器内存使用减少,并在准确性上优于之前的保密联邦学习解决方案,证明了其在规模上的强大安全性和效率。
Federated Learning (FL) enables collaborative model training without centralizing client data, making it attractive for privacy-sensitive domains. While existing approaches employ cryptographic techniques such as homomorphic encryption, differential privacy, or secure multiparty computation to mitigate inference attacks-including model inversion, membership inference, and gradient leakage-they often suffer from high computational, communication, or memory overheads. Moreover, many methods overlook the confidentiality of the global model itself, which may be proprietary and sensitive. These challenges limit the practicality of secure FL, especially in cross-silo deployments involving large datasets and strict compliance requirements. We present FuSeFL, a fully secure and scalable FL scheme designed for cross-silo settings. FuSeFL decentralizes training across client pairs using lightweight secure multiparty computation (MPC), while confining the server's role to secure aggregation. This design eliminates server bottlenecks, avoids data offloading, and preserves full confidentiality of data, model, and updates throughout training. FuSeFL defends against inference threats, achieves up to 95% lower communication latency and 50% lower server memory usage, and improves accuracy over prior secure FL solutions, demonstrating strong security and efficiency at scale.
- [4] arXiv:2507.13598 [中文pdf, pdf, html, 其他]
-
标题: GIFT:针对恶意微调的扩散模型的梯度感知免疫,同时保留安全概念标题: GIFT: Gradient-aware Immunization of diffusion models against malicious Fine-Tuning with safe concepts retention评论: 警告:本文包含不适宜内容。请读者谨慎阅读主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 计算机视觉与模式识别 (cs.CV) ; 机器学习 (cs.LG)
我们提出GIFT:一种{G}梯度感知的{I}免疫技术,用于防御扩散模型免受恶意{F}干扰-{T}训练,同时保持其生成安全内容的能力。 现有的安全机制如安全检查器很容易被绕过,而概念擦除方法在对抗微调下失效。 GIFT通过将免疫化问题框架化为双层优化问题来解决这个问题:上层目标使用表示噪声和最大化来降低模型表示有害概念的能力,而下层目标则保持在安全数据上的性能。 GIFT在保持安全生成质量的同时,实现了对恶意微调的鲁棒抵抗。 实验结果表明,我们的方法显著削弱了模型重新学习有害概念的能力,同时保持了在安全内容上的性能,为创建本质上更安全的对抗微调攻击具有抵抗力的生成模型提供了一个有前景的方向。
We present GIFT: a {G}radient-aware {I}mmunization technique to defend diffusion models against malicious {F}ine-{T}uning while preserving their ability to generate safe content. Existing safety mechanisms like safety checkers are easily bypassed, and concept erasure methods fail under adversarial fine-tuning. GIFT addresses this by framing immunization as a bi-level optimization problem: the upper-level objective degrades the model's ability to represent harmful concepts using representation noising and maximization, while the lower-level objective preserves performance on safe data. GIFT achieves robust resistance to malicious fine-tuning while maintaining safe generative quality. Experimental results show that our method significantly impairs the model's ability to re-learn harmful concepts while maintaining performance on safe content, offering a promising direction for creating inherently safer generative models resistant to adversarial fine-tuning attacks.
- [5] arXiv:2507.13629 [中文pdf, pdf, html, 其他]
-
标题: 大规模语言模型在网络安全中的应用、漏洞和防御技术标题: Large Language Models in Cybersecurity: Applications, Vulnerabilities, and Defense Techniques评论: 21页主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 机器学习 (cs.LG)
大型语言模型(LLMs)正在通过实现智能、自适应和自动化的威胁检测、漏洞评估和事件响应方法,改变网络安全领域。 凭借其先进的语言理解和上下文推理能力,LLMs在处理物联网、区块链和硬件安全等领域的挑战方面超越了传统方法。 本综述提供了对LLMs在网络安全中应用的全面概述,重点集中在两个核心领域:(1)LLMs在关键网络安全领域的集成,以及(2)LLMs自身的漏洞及其缓解策略。 通过综合最近的进展并识别关键限制,这项工作为利用LLMs构建安全、可扩展且面向未来的网络防御系统提供了实用见解和战略建议。
Large Language Models (LLMs) are transforming cybersecurity by enabling intelligent, adaptive, and automated approaches to threat detection, vulnerability assessment, and incident response. With their advanced language understanding and contextual reasoning, LLMs surpass traditional methods in tackling challenges across domains such as IoT, blockchain, and hardware security. This survey provides a comprehensive overview of LLM applications in cybersecurity, focusing on two core areas: (1) the integration of LLMs into key cybersecurity domains, and (2) the vulnerabilities of LLMs themselves, along with mitigation strategies. By synthesizing recent advancements and identifying key limitations, this work offers practical insights and strategic recommendations for leveraging LLMs to build secure, scalable, and future-ready cyber defense systems.
- [6] arXiv:2507.13686 [中文pdf, pdf, html, 其他]
-
标题: 主题攻击:通过主题转换的间接提示注入攻击标题: TopicAttack: An Indirect Prompt Injection Attack via Topic Transition评论: 19页主题: 密码学与安全 (cs.CR)
大型语言模型(LLMs)在各种自然语言处理任务中表现出色。 然而,它们强大的指令遵循能力和无法区分指令与数据内容的特性,使它们容易受到间接提示注入攻击。 在这些攻击中,带有恶意目的的指令被注入到外部数据源,如网页文档中。 当LLMs通过工具(如搜索引擎)检索这些注入的数据并执行注入的指令时,它们会提供误导性的响应。 最近的攻击方法展示了潜力,但其突然的指令注入常常削弱了其效果。 受现有攻击方法局限性的启发,我们提出了TopicAttack,该方法促使LLM生成一个伪造的对话过渡提示,逐步将话题转向注入的指令,使注入更加平滑,并增强攻击的合理性和成功率。 通过全面的实验,TopicAttack实现了最先进的性能,在大多数情况下,即使应用了各种防御方法,攻击成功率(ASR)也超过90%。 我们进一步通过检查注意力分数来分析其有效性。 我们发现,更高的注入到原始注意力比例会导致更高的成功率,而我们的方法比基线方法实现了更高的比例。
Large language models (LLMs) have shown remarkable performance across a range of NLP tasks. However, their strong instruction-following capabilities and inability to distinguish instructions from data content make them vulnerable to indirect prompt injection attacks. In such attacks, instructions with malicious purposes are injected into external data sources, such as web documents. When LLMs retrieve this injected data through tools, such as a search engine and execute the injected instructions, they provide misled responses. Recent attack methods have demonstrated potential, but their abrupt instruction injection often undermines their effectiveness. Motivated by the limitations of existing attack methods, we propose TopicAttack, which prompts the LLM to generate a fabricated conversational transition prompt that gradually shifts the topic toward the injected instruction, making the injection smoother and enhancing the plausibility and success of the attack. Through comprehensive experiments, TopicAttack achieves state-of-the-art performance, with an attack success rate (ASR) over 90\% in most cases, even when various defense methods are applied. We further analyze its effectiveness by examining attention scores. We find that a higher injected-to-original attention ratio leads to a greater success probability, and our method achieves a much higher ratio than the baseline methods.
- [7] arXiv:2507.13720 [中文pdf, pdf, 其他]
-
标题: 量子区块链综述:基础、趋势与空白标题: Quantum Blockchain Survey: Foundations, Trends, and Gaps评论: 12页,4图主题: 密码学与安全 (cs.CR) ; 分布式、并行与集群计算 (cs.DC) ; 新兴技术 (cs.ET) ; 网络与互联网架构 (cs.NI)
量子计算通过削弱广泛使用的密码学原语,对经典区块链系统构成了根本性风险。 作为回应,出现了两个主要的研究方向:后量子区块链,其集成了抗量子算法,以及量子区块链,其利用了纠缠和量子密钥分发等量子特性。 本综述回顾了这两个领域的关键发展,分析了它们的密码学基础、架构设计和实现挑战。 这项工作提供了技术方案的比较概述,突出了安全性和可扩展性以及部署之间的权衡,并识别了硬件、共识和网络设计中的开放研究问题。 目标是为在量子时代推进安全的区块链系统提供一个结构化且全面的参考。
Quantum computing poses fundamental risks to classical blockchain systems by undermining widely used cryptographic primitives. In response, two major research directions have emerged: post-quantum blockchains, which integrate quantum-resistant algorithms, and quantum blockchains, which leverage quantum properties such as entanglement and quantum key distribution. This survey reviews key developments in both areas, analyzing their cryptographic foundations, architectural designs, and implementation challenges. This work provides a comparative overview of technical proposals, highlight trade-offs in security, scalability, and deployment, and identify open research problems across hardware, consensus, and network design. The goal is to offer a structured and comprehensive reference for advancing secure blockchain systems in the quantum era.
- [8] arXiv:2507.13926 [中文pdf, pdf, html, 其他]
-
标题: 开发人员关于Manifest v3隐私和安全Webextensions的见解标题: Developers Insight On Manifest v3 Privacy and Security Webextensions评论: WEBIST'25,西班牙马拉贝拉主题: 密码学与安全 (cs.CR) ; 计算机与社会 (cs.CY)
网络扩展可以提升网络浏览器的隐私、安全性和用户体验。 浏览器为网络扩展提供的API影响了可能的功能。 目前,Chrome正在过渡到一组称为Manifest v3的修改后的API。 本文通过深入的结构化定性研究,探讨了Manifest v3面临的挑战和机遇。 尽管一些项目观察到了积极效果,但大多数表达了对用户利益有限、关键API被移除或需要寻找替代方案的担忧。 我们的研究结果表明,这种过渡对不同类型的网络扩展产生了不同的影响;一些可以迁移而不会失去功能,而其他项目则删除了功能或拒绝更新。 受访者指出了几个关键缺失的API,包括可靠的注入内容脚本的API、存储机密内容的API以及其他一些API。
Webextensions can improve web browser privacy, security, and user experience. The APIs offered by the browser to webextensions affect possible functionality. Currently, Chrome transitions to a modified set of APIs called Manifest v3. This paper studies the challenges and opportunities of Manifest v3 with an in-depth structured qualitative research. Even though some projects observed positive effects, a majority expresses concerns over limited benefits to users, removal of crucial APIs, or the need to find workarounds. Our findings indicate that the transition affects different types of webextensions differently; some can migrate without losing functionality, while other projects remove functionality or decline to update. The respondents identified several critical missing APIs, including reliable APIs to inject content scripts, APIs for storing confidential content, and others.
- [9] arXiv:2507.13932 [中文pdf, pdf, 其他]
-
标题: 链表:通过数字账本技术保护表级数据完整性标题: Chain Table: Protecting Table-Level Data Integrity by Digital Ledger Technology期刊参考: 国际计算机及其应用会议(CATA)2025主题: 密码学与安全 (cs.CR) ; 数据库 (cs.DB)
区块链和数字账本技术(DLT)的兴起已获得广泛关注。 不再依赖传统的中心化数据权威,区块链系统由在分布式网络中共享的数字纠缠区块数据组成。 专门设计的链式数据结构及其共识机制保护区块链数据免受未经授权的对手篡改。 然而,实施一个完整的区块链系统来保护数据库在技术上可能很繁琐。 在本工作中,我们引入了一种数据库内设计,称为链表,以在不需要区块链系统的情况下保护数据完整性。 它具有简洁的设计,没有显著的技术障碍或存储开销。 为了实现严格的数据安全,我们还为链表提出了一套数据写入原则。 我们证明,链表与数据写入原则一起将保证灵活的数据完整性,称为表级数据完整性(TDI)。
The rise of blockchain and Digital Ledger Technology (DLT) has gained wide traction. Instead of relying on a traditional centralized data authority, a blockchain system consists of digitally entangled block data shared across a distributed network. The specially designed chain data structure and its consensus mechanism protect blockchain data from being tampered by unauthorized adversaries. However, implementing a full-fledged blockchain system to protect a database can be technically cumbersome. In this work, we introduce an in-database design, named chain table, to protect data integrity without the need for a blockchain system. It features a succinct design without significant technology barriers or storage overhead. To realize rigorous data security, we also propose a set of data writing principles for the chain table. We prove that the chain table, together with the data writing principles, will guarantee flexible data integrity, named table-level data integrity (TDI).
- [10] arXiv:2507.14007 [中文pdf, pdf, html, 其他]
-
标题: CryptoNeo威胁建模框架(CNTMF):在集成区块链生态系统中保护新银行和金融科技标题: The CryptoNeo Threat Modelling Framework (CNTMF): Securing Neobanks and Fintech in Integrated Blockchain Ecosystems主题: 密码学与安全 (cs.CR) ; 新兴技术 (cs.ET)
区块链、加密货币和Web3技术在数字银行和金融科技运营中的快速整合,创造了一个将传统金融系统与去中心化元素相结合的集成环境。 本文介绍了CryptoNeo威胁建模框架(CNTMF),这是一个旨在解决这些生态系统中风险的建议框架,例如预言机操控和跨链攻击。 CNTMF代表了对STRIDE、OWASP Top 10、NIST框架、LINDDUN和PASTA等现有方法论的提议扩展,同时结合了定制组件,包括混合层分析、用于加密货币特定风险的CRYPTOQ记忆法,以及人工智能增强的反馈循环。 基于2025年事件的真实数据,CNTMF支持数据驱动的缓解措施,以减少损失,这些损失在2025年上半年的344起安全事件中总计约为24.7亿美元(CertiK通过GlobeNewswire,2025;Infosecurity Magazine,2025)。 其阶段指导资产映射、风险概况、优先级排序、缓解和迭代反馈。 这有助于应对如国家支持的攻击等不断演变的风险。
The rapid integration of blockchain, cryptocurrency, and Web3 technologies into digital banks and fintech operations has created an integrated environment blending traditional financial systems with decentralised elements. This paper introduces the CryptoNeo Threat Modelling Framework (CNTMF), a proposed framework designed to address the risks in these ecosystems, such as oracle manipulation and cross-chain exploits. CNTMF represents a proposed extension of established methodologies like STRIDE, OWASP Top 10, NIST frameworks, LINDDUN, and PASTA, while incorporating tailored components including Hybrid Layer Analysis, the CRYPTOQ mnemonic for cryptocurrency-specific risks, and an AI-Augmented Feedback Loop. Drawing on real-world data from 2025 incidents, CNTMF supports data-driven mitigation to reduce losses, which totalled approximately $2.47 billion in the first half of 2025 across 344 security events (CertiK via GlobeNewswire, 2025; Infosecurity Magazine, 2025). Its phases guide asset mapping, risk profiling, prioritisation, mitigation, and iterative feedback. This supports security against evolving risks like state-sponsored attacks.
- [11] arXiv:2507.14109 [中文pdf, pdf, html, 其他]
-
标题: 基于对抗驱动的深度学习在射频指纹识别中的实验研究标题: An Adversarial-Driven Experimental Study on Deep Learning for RF Fingerprinting主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG) ; 信号处理 (eess.SP)
射频(RF)指纹技术,通过提取无线设备的独特硬件缺陷,已成为零信任架构和5G网络之外的有前途的物理层设备识别机制。 特别是,深度学习(DL)方法在这一领域表现出最先进的性能。 然而,现有的方法主要集中在增强系统对无线环境中的时间性和空间性变化的鲁棒性,而这些基于DL的方法的安全漏洞常常被忽视。 在本工作中,我们通过对抗驱动的实验分析系统地研究了基于DL的RF指纹系统的安全风险。 我们观察到,在领域转移下,DL模型存在一致的误分类行为,其中设备经常被错误分类为另一个特定设备。 我们的分析基于广泛的现实实验表明,这种行为可以被利用作为有效的后门,使外部攻击者能够入侵系统。 此外,我们表明,在原始接收信号上训练DL模型会导致模型将RF指纹与环境和信号模式特征纠缠在一起,从而产生额外的攻击向量,这些向量无法仅通过置信度阈值等后期处理安全方法来缓解。
Radio frequency (RF) fingerprinting, which extracts unique hardware imperfections of radio devices, has emerged as a promising physical-layer device identification mechanism in zero trust architectures and beyond 5G networks. In particular, deep learning (DL) methods have demonstrated state-of-the-art performance in this domain. However, existing approaches have primarily focused on enhancing system robustness against temporal and spatial variations in wireless environments, while the security vulnerabilities of these DL-based approaches have often been overlooked. In this work, we systematically investigate the security risks of DL-based RF fingerprinting systems through an adversarial-driven experimental analysis. We observe a consistent misclassification behavior for DL models under domain shifts, where a device is frequently misclassified as another specific one. Our analysis based on extensive real-world experiments demonstrates that this behavior can be exploited as an effective backdoor to enable external attackers to intrude into the system. Furthermore, we show that training DL models on raw received signals causes the models to entangle RF fingerprints with environmental and signal-pattern features, creating additional attack vectors that cannot be mitigated solely through post-processing security methods such as confidence thresholds.
新提交 (展示 11 之 11 条目 )
- [12] arXiv:2507.13407 (交叉列表自 cs.CV) [中文pdf, pdf, 其他]
-
标题: IConMark:AI图像的鲁棒可解释概念水印标题: IConMark: Robust Interpretable Concept-Based Watermark For AI Images评论: 已被ICLR 2025生成式人工智能水印研讨会(WMARK)接受主题: 计算机视觉与模式识别 (cs.CV) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR)
随着生成式AI和合成媒体的迅速兴起,区分AI生成的图像与真实图像在防止虚假信息和确保数字真实性方面变得至关重要。传统的水印技术对对抗性攻击表现出脆弱性,这在有攻击者存在的情况下削弱了其有效性。我们提出了IConMark,这是一种新颖的生成过程中稳健的语义水印方法,将可解释的概念嵌入到AI生成的图像中,作为可解释水印的第一步。与传统方法不同,传统方法依赖于向AI生成的图像中添加噪声或扰动,IConMark结合了有意义的语义属性,使其对人类可读,因此对对抗性操作具有韧性。这种方法不仅对各种图像增强具有鲁棒性,而且可读性强,能够进行人工验证水印。我们展示了对IConMark有效性的详细评估,证明了其在检测准确性和保持图像质量方面的优越性。此外,IConMark可以与现有的水印技术结合,进一步增强和补充其鲁棒性。我们介绍了IConMark+SS和IConMark+TM,这两种混合方法分别将IConMark与StegaStamp和TrustMark结合,以进一步增强对多种类型图像操作的鲁棒性。我们的基础水印技术(IConMark)及其变体(+TM和+SS)在多个数据集上分别比最佳基线提高了10.8%、14.5%和15.9%的受试者工作特征曲线下面积(AUROC)得分。
With the rapid rise of generative AI and synthetic media, distinguishing AI-generated images from real ones has become crucial in safeguarding against misinformation and ensuring digital authenticity. Traditional watermarking techniques have shown vulnerabilities to adversarial attacks, undermining their effectiveness in the presence of attackers. We propose IConMark, a novel in-generation robust semantic watermarking method that embeds interpretable concepts into AI-generated images, as a first step toward interpretable watermarking. Unlike traditional methods, which rely on adding noise or perturbations to AI-generated images, IConMark incorporates meaningful semantic attributes, making it interpretable to humans and hence, resilient to adversarial manipulation. This method is not only robust against various image augmentations but also human-readable, enabling manual verification of watermarks. We demonstrate a detailed evaluation of IConMark's effectiveness, demonstrating its superiority in terms of detection accuracy and maintaining image quality. Moreover, IConMark can be combined with existing watermarking techniques to further enhance and complement its robustness. We introduce IConMark+SS and IConMark+TM, hybrid approaches combining IConMark with StegaStamp and TrustMark, respectively, to further bolster robustness against multiple types of image manipulations. Our base watermarking technique (IConMark) and its variants (+TM and +SS) achieve 10.8%, 14.5%, and 15.9% higher mean area under the receiver operating characteristic curve (AUROC) scores for watermark detection, respectively, compared to the best baseline on various datasets.
- [13] arXiv:2507.13508 (交叉列表自 cs.LG) [中文pdf, pdf, 其他]
-
标题: 虚假或真实:文本中的冒牌货搜寻在空间操作中标题: Fake or Real: The Impostor Hunt in Texts for Space OperationsAgata Kaczmarek (1), Dawid Płudowski (1), Piotr Wilczyński (1), Przemysław Biecek (1), Krzysztof Kotowski (2), Ramez Shendy (2), Jakub Nalepa (2 and 3), Artur Janicki (1), Evridiki Ntagiou (4) ((1) Warsaw University of Technology, (2) KP Labs, (3) Silesian University of Technology, (4) European Space Agency, European Space Operations Center)主题: 机器学习 (cs.LG) ; 密码学与安全 (cs.CR)
“假或真”竞赛在Kaggle上举办 (\href{https://www.kaggle.com/competitions/fake-or-real-the-impostor-hunt}{https://www.kaggle.com/competitions/fake-or-real-the-impostor-hunt}) 是与欧洲空间局 (\href{https://assurance-ai.space-codev.org/}{https://assurance-ai.space-codev.org/}) 资助的“空间领域人工智能应用保障”项目相关的后续竞赛和黑客马拉松系列的第二部分。 该竞赛的想法基于该项目中识别的两个现实生活中的人工智能安全威胁——数据污染和大型语言模型中的过度依赖。 任务是区分来自LLM的正确输出和在恶意修改LLM下生成的输出。 由于这个问题尚未得到广泛研究,参赛者需要开发新技术来解决这个问题,或者调整已有的技术以适应这个问题的描述。
The "Fake or Real" competition hosted on Kaggle (\href{https://www.kaggle.com/competitions/fake-or-real-the-impostor-hunt}{https://www.kaggle.com/competitions/fake-or-real-the-impostor-hunt}) is the second part of a series of follow-up competitions and hackathons related to the "Assurance for Space Domain AI Applications" project funded by the European Space Agency (\href{https://assurance-ai.space-codev.org/}{https://assurance-ai.space-codev.org/}). The competition idea is based on two real-life AI security threats identified within the project -- data poisoning and overreliance in Large Language Models. The task is to distinguish between the proper output from LLM and the output generated under malicious modification of the LLM. As this problem was not extensively researched, participants are required to develop new techniques to address this issue or adjust already existing ones to this problem's statement.
- [14] arXiv:2507.13639 (交叉列表自 stat.ML) [中文pdf, pdf, html, 其他]
-
标题: 通过随机投影在核化上下文老虎机中实现差分隐私标题: Differential Privacy in Kernelized Contextual Bandits via Random Projections主题: 机器学习 (stat.ML) ; 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
我们考虑具有随机上下文的上下文核老虎机问题,其中底层奖励函数属于一个已知的再生核希尔伯特空间。 我们在额外的差分隐私约束下研究这个问题,其中代理需要确保查询点序列相对于上下文和奖励序列是差分私有的。 我们提出了一种新算法,在联合和局部差分隐私模型中,分别在时间范围为$T$的情况下实现了累积遗憾度为$\widetilde{\mathcal{O}}(\sqrt{\gamma_TT}+\frac{\gamma_T}{\varepsilon_{\mathrm{DP}}})$和$\widetilde{\mathcal{O}}(\sqrt{\gamma_TT}+\frac{\gamma_T\sqrt{T}}{\varepsilon_{\mathrm{DP}}})$,其中$\gamma_T$是核的有效维度,$\varepsilon_{\mathrm{DP}} > 0$是隐私参数。 所提出算法的关键组成部分是一种新颖的私有核岭回归估计器,该估计器基于私有协方差估计和私有随机投影的结合。 它相比其经典版本具有显著降低的敏感性,同时保持了较高的预测准确性,使我们的算法能够实现最先进的性能保证。
We consider the problem of contextual kernel bandits with stochastic contexts, where the underlying reward function belongs to a known Reproducing Kernel Hilbert Space. We study this problem under an additional constraint of Differential Privacy, where the agent needs to ensure that the sequence of query points is differentially private with respect to both the sequence of contexts and rewards. We propose a novel algorithm that achieves the state-of-the-art cumulative regret of $\widetilde{\mathcal{O}}(\sqrt{\gamma_TT}+\frac{\gamma_T}{\varepsilon_{\mathrm{DP}}})$ and $\widetilde{\mathcal{O}}(\sqrt{\gamma_TT}+\frac{\gamma_T\sqrt{T}}{\varepsilon_{\mathrm{DP}}})$ over a time horizon of $T$ in the joint and local models of differential privacy, respectively, where $\gamma_T$ is the effective dimension of the kernel and $\varepsilon_{\mathrm{DP}} > 0$ is the privacy parameter. The key ingredient of the proposed algorithm is a novel private kernel-ridge regression estimator which is based on a combination of private covariance estimation and private random projections. It offers a significantly reduced sensitivity compared to its classical counterpart while maintaining a high prediction accuracy, allowing our algorithm to achieve the state-of-the-art performance guarantees.
- [15] arXiv:2507.13670 (交叉列表自 quant-ph) [中文pdf, pdf, html, 其他]
-
标题: 快速计算深度热化标题: Fast computational deep thermalization评论: 22页,1图主题: 量子物理 (quant-ph) ; 统计力学 (cond-mat.stat-mech) ; 计算复杂性 (cs.CC) ; 密码学与安全 (cs.CR)
深度热化指的是量子系统在部分测量下出现类似哈尔回随机性的现象。 作为量子热化的推广,它通常与高复杂性和纠缠相关。 在这里,我们引入计算深度热化,并构建在无限有效温度下表现出该现象的最快可能动力学。 我们的电路动力学产生具有低纠缠的量子态,在多项式对数深度内,这些态对于任何计算能力有限的观察者来说都与哈尔回随机态无法区分。 重要的是,观察者可以请求从部分投影测量中获得的相同剩余态的多个副本——这一条件超出了量子伪随机性的标准设置,但对于深度热化来说是自然的。 从密码学的角度来看,这些态是伪随机的、伪纠缠的,并且关键的是,在局部测量下仍保留这些特性。 我们的结果展示了一种新的计算热化形式,其中类似热的行为来源于具有密码学性质的结构化量子态,而不是来自高度无结构的集合。 准备这些态的低资源复杂性表明,可以使用量子计算机进行深度热化的可扩展模拟。 我们的工作还激发了对超越BQP观察者的计算量子伪随机性的研究。
Deep thermalization refers to the emergence of Haar-like randomness from quantum systems upon partial measurements. As a generalization of quantum thermalization, it is often associated with high complexity and entanglement. Here, we introduce computational deep thermalization and construct the fastest possible dynamics exhibiting it at infinite effective temperature. Our circuit dynamics produce quantum states with low entanglement in polylogarithmic depth that are indistinguishable from Haar random states to any computationally bounded observer. Importantly, the observer is allowed to request many copies of the same residual state obtained from partial projective measurements on the state -- this condition is beyond the standard settings of quantum pseudorandomness, but natural for deep thermalization. In cryptographic terms, these states are pseudorandom, pseudoentangled, and crucially, retain these properties under local measurements. Our results demonstrate a new form of computational thermalization, where thermal-like behavior arises from structured quantum states endowed with cryptographic properties, instead of from highly unstructured ensembles. The low resource complexity of preparing these states suggests scalable simulations of deep thermalization using quantum computers. Our work also motivates the study of computational quantum pseudorandomness beyond BQP observers.
- [16] arXiv:2507.13810 (交叉列表自 quant-ph) [中文pdf, pdf, 其他]
-
标题: 量子阴影:餐饮信息经纪人标题: Quantum Shadows: The Dining Information BrokersTheodore Andronikos, Constantinos Bitsakos, Konstantinos Nikas, Georgios I. Goumas, Nectarios Koziris主题: 量子物理 (quant-ph) ; 密码学与安全 (cs.CR)
本文介绍了创新的量子餐饮信息中介问题,提出了一种基于纠缠的量子协议来解决这一问题。该场景涉及$n$个信息中介,它们位于不同的地理区域,参与一种隐喻性的虚拟晚餐。目标是每个中介同时与其他人共享一条独特信息。与之前的方法不同,该协议能够在所有中介之间实现完全并行的单步通信交换,无论它们的物理位置如何。该协议的一个关键特点是能够确保所有参与者的匿名性和隐私性得到保持,这意味着没有任何中介可以识别接收到的信息背后的发送者身份。量子餐饮信息中介问题作为实现分布式系统中匿名、不可追踪和大规模并行信息交换的概念框架。所提出的协议引入了三个重大进展。首先,虽然已经开发出用于一对多同时信息传输的量子协议,但据我们所知,这是最早实现多对多同时信息交换的量子协议之一。其次,它保证了所有发送者的完全匿名性和不可追踪性,这是对顺序应用一对多协议的显著改进,因为后者无法确保如此强大的匿名性。第三,利用量子纠缠,该协议以完全分布式的方式运行,能够适应不同空间位置的中介。这种方法在安全、可扩展和匿名通信方面取得了重大进展,具有在隐私和并行性至关重要的分布式环境中的潜在应用。
This article introduces the innovative Quantum Dining Information Brokers Problem, presenting a novel entanglement-based quantum protocol to address it. The scenario involves $n$ information brokers, all located in distinct geographical regions, engaging in a metaphorical virtual dinner. The objective is for each broker to share a unique piece of information with all others simultaneously. Unlike previous approaches, this protocol enables a fully parallel, single-step communication exchange among all brokers, regardless of their physical locations. A key feature of this protocol is its ability to ensure both the anonymity and privacy of all participants are preserved, meaning no broker can discern the identity of the sender behind any received information. At its core, the Quantum Dining Information Brokers Problem serves as a conceptual framework for achieving anonymous, untraceable, and massively parallel information exchange in a distributed system. The proposed protocol introduces three significant advancements. First, while quantum protocols for one-to-many simultaneous information transmission have been developed, this is, to the best of our knowledge, one of the first quantum protocols to facilitate many-to-many simultaneous information exchange. Second, it guarantees complete anonymity and untraceability for all senders, a critical improvement over sequential applications of one-to-many protocols, which fail to ensure such robust anonymity. Third, leveraging quantum entanglement, the protocol operates in a fully distributed manner, accommodating brokers in diverse spatial locations. This approach marks a substantial advancement in secure, scalable, and anonymous communication, with potential applications in distributed environments where privacy and parallelism are paramount.
- [17] arXiv:2507.13883 (交叉列表自 econ.GN) [中文pdf, pdf, html, 其他]
-
标题: 稳定币:基本原理、新兴问题和开放挑战标题: Stablecoins: Fundamentals, Emerging Issues, and Open Challenges评论: 35页,10图。综述论文。已提交至《计算机科学评论》主题: 一般经济学 (econ.GN) ; 密码学与安全 (cs.CR)
稳定币的市值在2025年1月已超过2000亿美元,显示出显著增长,2023年的年度交易量超过10万亿美元,2024年几乎翻了一番。 这种非凡的成功吸引了传统金融机构的关注,越来越多的政府正在探索中央银行数字货币(CBDC)的潜力。 尽管学术界已经认识到稳定币的重要性,但该领域的研究仍然零散、不完整,有时甚至相互矛盾。 在本文中,我们旨在通过结构化的文献分析来解决上述差距,将最近的研究成果联系起来,呈现出稳定币复杂经济、技术和监管方面的图景。 为此,我们制定了主要研究问题,并相应地对科学贡献进行分类,确定主要结果、数据来源、研究方法和开放的研究问题。 本综述论文所涉及的研究问题涵盖多个主题,如各种稳定币的稳定性、新颖的设计和实现以及相关的监管挑战。 这些研究采用了广泛的方法论和数据来源,我们对其进行了批判性分析和综合。 我们的分析还揭示了重要的研究空白,包括对安全性和隐私的研究有限,对某些稳定币的研究不足,对失败案例的研究缺失,对治理机制的研究不足,以及在财务会计标准下对稳定币的处理等问题,以及其他领域。
Stablecoins, with a capitalization exceeding 200 billion USD as of January 2025, have shown significant growth, with annual transaction volumes exceeding 10 trillion dollars in 2023 and nearly doubling that figure in 2024. This exceptional success has attracted the attention of traditional financial institutions, with an increasing number of governments exploring the potential of Central Bank Digital Currencies (CBDCs). Although academia has recognized the importance of stablecoins, research in this area remains fragmented, incomplete, and sometimes contradictory. In this paper, we aim to address the cited gap with a structured literature analysis, correlating recent contributions to present a picture of the complex economic, technical, and regulatory aspects of stablecoins. To achieve this, we formulate the main research questions and categorize scientific contributions accordingly, identifying main results, data sources, methodologies, and open research questions. The research questions we address in this survey paper cover several topics, such as the stability of various stablecoins, novel designs and implementations, and relevant regulatory challenges. The studies employ a wide range of methodologies and data sources, which we critically analyze and synthesize. Our analysis also reveals significant research gaps, including limited studies on security and privacy, underexplored stablecoins, unexamined failure cases, unstudied governance mechanisms, and the treatment of stablecoins under financial accounting standards, among other areas.
交叉提交 (展示 6 之 6 条目 )
- [18] arXiv:2411.00459 (替换) [中文pdf, pdf, html, 其他]
-
标题: 利用攻击技术防御提示注入攻击标题: Defense Against Prompt Injection Attack by Leveraging Attack Techniques评论: 将出现在ACL 2025上主题: 密码学与安全 (cs.CR)
随着技术的进步,大型语言模型(LLMs)在各种自然语言处理(NLP)任务中取得了显著的性能,推动了如Microsoft Copilot等集成LLM的应用程序的发展。然而,随着LLMs的不断演进,新的漏洞出现,尤其是提示注入攻击。这些攻击会使LLMs偏离原始输入指令,并执行数据内容中注入的攻击者指令,例如检索结果。最近的攻击方法利用LLMs的指令遵循能力以及它们无法区分数据内容中注入指令的缺陷,实现了较高的攻击成功率(ASR)。在比较攻击和防御方法时,我们发现它们具有相似的设计目标,即诱导模型忽略不需要的指令并执行所需的指令。因此,我们提出一个直观的问题:这些攻击技术能否用于防御目的?在本文中,我们反转提示注入方法的意图,通过重复攻击过程但使用原始输入指令而非注入指令,基于之前的无训练攻击方法开发新的防御方法。我们的全面实验表明,我们的防御技术优于现有的无训练防御方法,达到了最先进结果。
With the advancement of technology, large language models (LLMs) have achieved remarkable performance across various natural language processing (NLP) tasks, powering LLM-integrated applications like Microsoft Copilot. However, as LLMs continue to evolve, new vulnerabilities, especially prompt injection attacks arise. These attacks trick LLMs into deviating from the original input instructions and executing the attacker's instructions injected in data content, such as retrieved results. Recent attack methods leverage LLMs' instruction-following abilities and their inabilities to distinguish instructions injected in the data content, and achieve a high attack success rate (ASR). When comparing the attack and defense methods, we interestingly find that they share similar design goals, of inducing the model to ignore unwanted instructions and instead to execute wanted instructions. Therefore, we raise an intuitive question: Could these attack techniques be utilized for defensive purposes? In this paper, we invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods, by repeating the attack process but with the original input instruction rather than the injected instruction. Our comprehensive experiments demonstrate that our defense techniques outperform existing training-free defense approaches, achieving state-of-the-art results.
- [19] arXiv:2412.17531 (替换) [中文pdf, pdf, html, 其他]
-
标题: 基于双触发的隐形文本后门攻击标题: Invisible Textual Backdoor Attacks based on Dual-Trigger主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI)
后门攻击对文本大型语言模型构成重要的安全威胁。 探索文本后门攻击不仅有助于揭示模型的潜在安全风险,还促进了防御机制的创新和发展。 目前,大多数文本后门攻击方法基于单一触发器。 例如,在文本中插入特定内容作为触发器,或改变抽象文本特征作为触发器。 然而,采用这种单触发器模式使得现有的后门攻击存在一定的局限性:要么容易被现有的防御策略识别,要么在攻击性能和中毒数据集构建方面存在一定的不足。 为了解决这些问题,本文提出了一种双触发器后门攻击方法。 具体来说,我们使用两个不同的属性,语法和语气(本文以虚拟语气为例)作为两个不同的触发器。 这使得我们的后门攻击方法类似于一种双地雷,可以同时具有完全不同的触发条件。 因此,这种方法不仅提高了触发模式的灵活性,还增强了对防御检测的鲁棒性。 大量实验结果表明,该方法在攻击性能上显著优于基于抽象特征的先前方法,并且在攻击成功率方面达到了与插入方法相当的水平(几乎100%的攻击成功率)。 此外,为了进一步提高攻击性能,我们还给出了中毒数据集的构建方法。 本文的代码和数据可在 https://github.com/HoyaAm/Double-Landmines 获得。
Backdoor attacks pose an important security threat to textual large language models. Exploring textual backdoor attacks not only helps reveal the potential security risks of models, but also promotes innovation and development of defense mechanisms. Currently, most textual backdoor attack methods are based on a single trigger. For example, inserting specific content into text as a trigger or changing the abstract text features to be a trigger. However, the adoption of this single-trigger mode makes the existing backdoor attacks subject to certain limitations: either they are easily identified by the existing defense strategies, or they have certain shortcomings in attack performance and in the construction of poisoned datasets. In order to solve these issues, a dual-trigger backdoor attack method is proposed in this paper. Specifically, we use two different attributes, syntax and mood (we use subjunctive mood as an example in this article), as two different triggers. It makes our backdoor attack method similar to a double landmine which can have completely different trigger conditions simultaneously. Therefore, this method not only improves the flexibility of trigger mode, but also enhances the robustness against defense detection. A large number of experimental results show that this method significantly outperforms the previous methods based on abstract features in attack performance, and achieves comparable attack performance (almost 100\% attack success rate) with the insertion-based method. In addition, in order to further improve the attack performance, we also give the construction method of the poisoned dataset.The code and data of this paper can be obtained at https://github.com/HoyaAm/Double-Landmines.
- [20] arXiv:2502.16580 (替换) [中文pdf, pdf, html, 其他]
-
标题: 间接提示注入攻击能否被检测和移除?标题: Can Indirect Prompt Injection Attacks Be Detected and Removed?评论: 将出现在ACL 2025上主题: 密码学与安全 (cs.CR)
提示注入攻击通过误导大型语言模型(LLMs)偏离原始输入指令并执行恶意注入的指令,因为它们具有遵循指令的能力且无法区分原始输入指令和恶意注入的指令。 为了防御此类攻击,最近的研究已经开发了各种检测机制。 如果我们仅专注于检测而非直接防御的工作,大多数工作都集中在直接提示注入攻击上,而针对间接场景的研究较少,其中注入的指令来自外部工具,如搜索引擎。 此外,当前的工作主要研究注入检测方法,对旨在在检测后减轻注入的后处理方法关注较少。 在本文中,我们研究了检测和移除间接提示注入攻击的可行性,并构建了一个基准数据集进行评估。 对于检测,我们评估了现有LLMs和开源检测模型的性能,并进一步使用我们设计的训练数据集训练检测模型。 对于移除,我们评估了两种直观的方法:(1)分割移除方法,该方法对注入的文档进行分割并移除包含注入指令的部分,(2)提取移除方法,该方法训练一个提取模型来识别并移除注入的指令。
Prompt injection attacks manipulate large language models (LLMs) by misleading them to deviate from the original input instructions and execute maliciously injected instructions, because of their instruction-following capabilities and inability to distinguish between the original input instructions and maliciously injected instructions. To defend against such attacks, recent studies have developed various detection mechanisms. If we restrict ourselves specifically to works which perform detection rather than direct defense, most of them focus on direct prompt injection attacks, while there are few works for the indirect scenario, where injected instructions are indirectly from external tools, such as a search engine. Moreover, current works mainly investigate injection detection methods and pay less attention to the post-processing method that aims to mitigate the injection after detection. In this paper, we investigate the feasibility of detecting and removing indirect prompt injection attacks, and we construct a benchmark dataset for evaluation. For detection, we assess the performance of existing LLMs and open-source detection models, and we further train detection models using our crafted training datasets. For removal, we evaluate two intuitive methods: (1) the segmentation removal method, which segments the injected document and removes parts containing injected instructions, and (2) the extraction removal method, which trains an extraction model to identify and remove injected instructions.
- [21] arXiv:2505.01454 (替换) [中文pdf, pdf, html, 其他]
-
标题: 稀疏化在攻击之下:在通信高效的联邦学习中防御中毒攻击标题: Sparsification Under Siege: Defending Against Poisoning Attacks in Communication-Efficient Federated Learning主题: 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
联邦学习(FL)在保持数据隐私的同时,使分布式客户端能够进行协作模型训练,但其在通信效率和易受中毒攻击方面面临重大挑战。 虽然稀疏化技术通过仅传输关键模型参数来减轻通信开销,但它们无意中增加了安全风险:对抗性客户端可以利用稀疏更新来逃避检测并降低模型性能。 现有的防御机制是为标准FL通信场景设计的,在处理稀疏FL中的这些漏洞时无效。 为了弥补这一差距,我们提出了FLARE,这是一种新颖的联邦学习框架,集成了稀疏索引掩码检查和模型更新符号相似性分析,以检测和缓解稀疏FL中的中毒攻击。 在多个数据集和对抗场景中的大量实验表明,FLARE显著优于现有的防御策略,在保持通信效率的同时,有效保护稀疏FL免受中毒攻击。
Federated Learning (FL) enables collaborative model training across distributed clients while preserving data privacy, yet it faces significant challenges in communication efficiency and vulnerability to poisoning attacks. While sparsification techniques mitigate communication overhead by transmitting only critical model parameters, they inadvertently amplify security risks: adversarial clients can exploit sparse updates to evade detection and degrade model performance. Existing defense mechanisms, designed for standard FL communication scenarios, are ineffective in addressing these vulnerabilities within sparsified FL. To bridge this gap, we propose FLARE, a novel federated learning framework that integrates sparse index mask inspection and model update sign similarity analysis to detect and mitigate poisoning attacks in sparsified FL. Extensive experiments across multiple datasets and adversarial scenarios demonstrate that FLARE significantly outperforms existing defense strategies, effectively securing sparsified FL against poisoning attacks while maintaining communication efficiency.
- [22] arXiv:2507.05630 (替换) [中文pdf, pdf, html, 其他]
-
标题: 如何不通过LLM检测提示注入标题: How Not to Detect Prompt Injections with an LLM主题: 密码学与安全 (cs.CR) ; 人工智能 (cs.AI) ; 机器学习 (cs.LG)
LLM集成的应用程序和代理容易受到提示注入攻击,其中对手在看似无害的用户输入中嵌入恶意指令,以操纵LLM的预期行为。 基于$\textit{known-answer detection}$(KAD)的最新防御方法通过使用LLM将输入分类为干净或受污染,已实现了接近完美的性能。 在本工作中,我们正式描述了KAD框架,并揭示了其设计中的结构漏洞,该漏洞使其核心安全前提失效。 我们设计了一种系统化的自适应攻击,$\textit{DataFlip}$,以利用这一基本弱点。 它能够以低至$1.5\%$的检测率持续绕过KAD防御,同时以高达$88\%$的成功率可靠地引发恶意行为,而无需对LLM进行白盒访问或任何优化过程。
LLM-integrated applications and agents are vulnerable to prompt injection attacks, in which adversaries embed malicious instructions within seemingly benign user inputs to manipulate the LLM's intended behavior. Recent defenses based on $\textit{known-answer detection}$ (KAD) have achieved near-perfect performance by using an LLM to classify inputs as clean or contaminated. In this work, we formally characterize the KAD framework and uncover a structural vulnerability in its design that invalidates its core security premise. We design a methodical adaptive attack, $\textit{DataFlip}$, to exploit this fundamental weakness. It consistently evades KAD defenses with detection rates as low as $1.5\%$ while reliably inducing malicious behavior with success rates of up to $88\%$, without needing white-box access to the LLM or any optimization procedures.
- [23] arXiv:2305.14080 (替换) [中文pdf, pdf, html, 其他]
-
标题: 眼动追踪虚拟现实:方法和隐私挑战的全面综述标题: Eye-tracked Virtual Reality: A Comprehensive Survey on Methods and Privacy ChallengesEfe Bozkir, Süleyman Özdel, Mengdi Wang, Brendan David-John, Hong Gao, Kevin Butler, Eakta Jain, Enkelejda Kasneci评论: 此工作已提交给IEEE以可能发表主题: 人机交互 (cs.HC) ; 人工智能 (cs.AI) ; 密码学与安全 (cs.CR) ; 图形学 (cs.GR) ; 机器学习 (cs.LG)
最新计算机硬件、传感器技术和人工智能的发展可以使虚拟现实(VR)和虚拟空间成为人类日常生活的重要组成部分。 眼动追踪不仅提供了一种无需双手的操作方式,还可能更深入地理解用户在VR中的视觉注意力和认知过程。 尽管有这些可能性,当眼动追踪数据与所呈现的刺激信息结合时,也会揭示用户的隐私敏感属性。 为了解决所有这些可能性和潜在的隐私问题,在本次综述中,我们首先涵盖了2012年至2022年间眼动追踪、VR和隐私领域的主要工作。 虽然VR部分的眼动追踪涵盖了从瞳孔检测和注视估计到数据离线使用和分析的完整流程,而在隐私和安全方面,我们则关注基于眼动的认证以及保护个体及其眼动追踪数据在VR中隐私的计算方法。 随后,考虑到所有这些因素,我们通过专注于隐私挑战,为研究界指出了三个主要方向。 总之,本次综述提供了对VR中眼动追踪最有可能应用的广泛文献回顾,以及这些可能性带来的隐私影响。
The latest developments in computer hardware, sensor technologies, and artificial intelligence can make virtual reality (VR) and virtual spaces an important part of human everyday life. Eye tracking offers not only a hands-free way of interaction but also the possibility of a deeper understanding of human visual attention and cognitive processes in VR. Despite these possibilities, eye-tracking data also reveals users' privacy-sensitive attributes when combined with the information about the presented stimulus. To address all these possibilities and potential privacy issues, in this survey, we first cover major works in eye tracking, VR, and privacy areas between 2012 and 2022. While eye tracking in the VR part covers the complete pipeline of eye-tracking methodology from pupil detection and gaze estimation to offline use of the data and analyses, as for privacy and security, we focus on eye-based authentication as well as computational methods to preserve the privacy of individuals and their eye-tracking data in VR. Later, considering all of these, we draw three main directions for the research community by focusing on privacy challenges. In summary, this survey provides an extensive literature review of the utmost possibilities with eye tracking in VR and the privacy implications of those possibilities.
- [24] arXiv:2501.01593 (替换) [中文pdf, pdf, html, 其他]
-
标题: BLAST:针对基于合作多智能体深度强化学习系统的隐蔽后门利用攻击标题: BLAST: A Stealthy Backdoor Leverage Attack against Cooperative Multi-Agent Deep Reinforcement Learning based Systems评论: 12. arXiv管理员备注:与arXiv:2409.07775存在大量文本重叠主题: 人工智能 (cs.AI) ; 密码学与安全 (cs.CR) ; 机器学习 (cs.LG)
最近的研究表明,协作多智能体深度强化学习(c-MADRL)正受到后门攻击的威胁。 一旦观察到后门触发器,它将执行恶意操作,导致失败或实现恶意目标。 然而,现有的后门攻击存在几个问题,例如,即时触发模式缺乏隐蔽性,后门由额外网络进行训练或激活,或者所有智能体都被植入后门。 为此,本文提出了一种针对c-MADRL的新后门利用攻击,BLAST,该攻击通过仅在单个智能体中嵌入后门来攻击整个多智能体团队。 首先,我们引入了对手时空行为模式作为后门触发器,而不是手动注入的固定视觉模式或即时状态,并控制执行恶意操作的时段。 这种方法可以保证BLAST的隐蔽性和实用性。 其次,我们通过单方面引导黑客入侵后门智能体的原始奖励函数以注入BLAST,从而实现\textit{利用攻击效果},通过一个后门智能体打开整个多智能体系统。 我们在两个流行的c-MADRL环境中(SMAC和Pursuit)对3种经典的c-MADRL算法(VDN、QMIX和MAPPO)以及两种现有的防御机制进行了BLAST的评估。 实验结果表明,BLAST可以在保持低干净性能方差率的同时实现高攻击成功率。
Recent studies have shown that cooperative multi-agent deep reinforcement learning (c-MADRL) is under the threat of backdoor attacks. Once a backdoor trigger is observed, it will perform malicious actions leading to failures or malicious goals. However, existing backdoor attacks suffer from several issues, e.g., instant trigger patterns lack stealthiness, the backdoor is trained or activated by an additional network, or all agents are backdoored. To this end, in this paper, we propose a novel backdoor leverage attack against c-MADRL, BLAST, which attacks the entire multi-agent team by embedding the backdoor only in a single agent. Firstly, we introduce adversary spatiotemporal behavior patterns as the backdoor trigger rather than manual-injected fixed visual patterns or instant status and control the period to perform malicious actions. This method can guarantee the stealthiness and practicality of BLAST. Secondly, we hack the original reward function of the backdoor agent via unilateral guidance to inject BLAST, so as to achieve the \textit{leverage attack effect} that can pry open the entire multi-agent system via a single backdoor agent. We evaluate our BLAST against 3 classic c-MADRL algorithms (VDN, QMIX, and MAPPO) in 2 popular c-MADRL environments (SMAC and Pursuit), and 2 existing defense mechanisms. The experimental results demonstrate that BLAST can achieve a high attack success rate while maintaining a low clean performance variance rate.
- [25] arXiv:2503.18890 (替换) [中文pdf, pdf, html, 其他]
-
标题: 公钥量子货币与快速实变换标题: Public-Key Quantum Money and Fast Real Transforms主题: 量子物理 (quant-ph) ; 密码学与安全 (cs.CR)
我们提出了一种基于群作用和哈特利变换的公钥量子货币方案。 我们的方案改编了Zhandry(2024)的量子货币方案,将傅里叶变换替换为哈特利变换。 这种替换确保了纸币具有实数振幅而非复数振幅,这可能带来计算和理论上的优势。 为了支持这一新构造,我们提出了一种新的验证算法,该算法使用群作用扭曲来解决由于切换到实数振幅而导致的验证失败问题。 我们还展示了如何使用一种基于连续时间量子行走的新算法高效计算与货币状态相关的序列号。 最后,我们提出了一种递归算法用于量子哈特利变换,其门复杂度低于之前的工作,并展示了如何使用量子哈特利变换作为子程序来计算其他实数量子变换,例如量子正弦变换。
We propose a public-key quantum money scheme based on group actions and the Hartley transform. Our scheme adapts the quantum money scheme of Zhandry (2024), replacing the Fourier transform with the Hartley transform. This substitution ensures the banknotes have real amplitudes rather than complex amplitudes, which could offer both computational and theoretical advantages. To support this new construction, we propose a new verification algorithm that uses group action twists to address verification failures caused by the switch to real amplitudes. We also show how to efficiently compute the serial number associated with a money state using a new algorithm based on continuous-time quantum walks. Finally, we present a recursive algorithm for the quantum Hartley transform, achieving lower gate complexity than prior work and demonstrate how to compute other real quantum transforms, such as the quantum sine transform, using the quantum Hartley transform as a subroutine.
- [26] arXiv:2507.09067 (替换) [中文pdf, pdf, html, 其他]
-
标题: 量子抗性隐私账本(QRPL):后量子时代的主权数字货币标题: Quantum-Resilient Privacy Ledger (QRPL): A Sovereign Digital Currency for the Post-Quantum Era主题: 新兴技术 (cs.ET) ; 密码学与安全 (cs.CR)
量子计算的出现对现有的密码基础设施提出了深刻的挑战,同时中央银行数字货币(CBDCs)的发展引发了关于数字支付系统中隐私保护和过度集中化的担忧。 本文提出了量子抗性隐私账本(QRPL),这是一种创新的基于代币的数字货币架构,结合了国家技术标准局(NIST)标准化的后量子密码学(PQC)与基于哈希的零知识证明,以确保用户主权、可扩展性和交易机密性。 主要贡献包括为不可链接交易适应短暂证明链,一种隐私加权的权益证明(PoS)共识以促进公平参与,以及一种基于零知识证明的隐私保护选择性披露机制。 QRPL旨在解决现有CBDC设计中的关键缺陷,包括普遍监控的风险,并通过10-20秒的区块时间在未来的货币系统中平衡安全性和吞吐量。 虽然概念上是初步的,但计划进行实证原型。 未来的工作包括开发原型以实证验证这些模型。
The emergence of quantum computing presents profound challenges to existing cryptographic infrastructures, whilst the development of central bank digital currencies (CBDCs) has raised concerns regarding privacy preservation and excessive centralisation in digital payment systems. This paper proposes the Quantum-Resilient Privacy Ledger (QRPL) as an innovative token-based digital currency architecture that incorporates National Institute of Standards and Technology (NIST)-standardised post-quantum cryptography (PQC) with hash-based zero-knowledge proofs to ensure user sovereignty, scalability, and transaction confidentiality. Key contributions include adaptations of ephemeral proof chains for unlinkable transactions, a privacy-weighted Proof-of-Stake (PoS) consensus to promote equitable participation, and a novel zero-knowledge proof-based mechanism for privacy-preserving selective disclosure. QRPL aims to address critical shortcomings in prevailing CBDC designs, including risks of pervasive surveillance, with a 10-20 second block time to balance security and throughput in future monetary systems. While conceptual, empirical prototypes are planned. Future work includes prototype development to validate these models empirically.