This shows you the differences between two versions of the page.
class:gradsec2026 [2026/03/11 10:32] jhj2004 [Agenda] |
class:gradsec2026 [2026/03/30 13:59] (current) jhj2004 [Agenda] |
||
|---|---|---|---|
| Line 33: | Line 33: | ||
| ^ Date ^ Name ^ Topic ^ Slides ^ Minutes ^ | ^ Date ^ Name ^ Topic ^ Slides ^ Minutes ^ | ||
| - | | 3/4 | Minho | Ice-breaking | [[https://drive.google.com/file/d/1PGW7cKv0rqTp6jIaHmIz2Olmi9KXCCNn/view?usp=drive_link|AI-Cybersecurity]] | [[https://drive.google.com/file/d/1tQJK6mbAowQlCto7OzYd16rR8mlTkkiL/view?usp=drive_link| Survey paper]] | | + | | 3/4 | Minho | AI-Introduction | {{ :class:ai-intro.pdf |AI-Intro}} | | |
| | 3/11 | Minho | | | | | | 3/11 | Minho | | | | | ||
| - | | ::: | Cho | https://www.usenix.org/system/files/sec21-schuster.pdf| | | | + | | ::: | Cho | [[https://www.usenix.org/system/files/sec21-schuster.pdf|You autocomplete me: Poisoning vulnerabilities in neural code completion]] | [[https://1drv.ms/p/c/005794ae9195628e/IQB4fo_zfZeySKirBSMijjfiAVbNdg_9N1hiWS702-MyQpk?e=SsGxwB|You autocomplete me: Poisoning vulnerabilities in neural code completion]] | | |
| - | | 9/17 | No Class | | | | | + | | 3/18 | Minho | | | | |
| - | | 9/24 | Jung | | | | | + | | ::: | Han | [[https://arxiv.org/pdf/2102.07995.pdf|D2a: A dataset built for ai-based vulnerability detection methods using differential analysis]] | | | | |
| - | | ::: | Zang | | | | | + | | 3/27 | Minho | | | | |
| - | | ::: | Chang | | | | | + | | ::: | Kwak| [[https://www.mdpi.com/1424-8220/23/9/4403/pdf|A Deep Learning-Based Innovative Technique for Phishing Detection with URLs]] | | | |
| - | | ::: | Sang | | | | | + | | 4/1 | No Class | | | | |
| - | | 10/1 | Jung | | | | | + | | 4/10 | Cho | [[https://arxiv.org/pdf/1803.04173|Adversarial Malware Binaries: Evading Deep |
| - | | ::: | Zang | | | | | + | Learning for Malware Detection in Executables]] | | | |
| - | | ::: | Chang --> Sang | | | | | + | | 4/15 | Han | | | | |
| - | | 10/8 | No Class | | | | | + | | 4/24 | Kwak| | | | |
| - | | 10/15 | Sang --> Chang | | | | | + | | 4/29 | Cho | | | | |
| - | | ::: | Jung | | | | | + | | 5/6 | Han | | | | |
| - | | ::: | Zang | | | | | + | | 5/13 | Kwak | | | | |
| - | | 10/22 | Chang | | | | | + | | 5/20 | Cho | | | | |
| - | | ::: | Sang | | | | | + | | 5/27 | Han | | | | |
| - | | 10/29 | No Class | | | | | + | | 6/3 | Kwak | | | | |
| - | | 11/5 | Jung | | | | | + | | 6/10 | Cho | | | | |
| - | | ::: | Zang | | | | | + | | 6/17 | Han | | | | |
| - | | ::: | Chang | | | | | + | | 6/24 | Kwak | | | | |
| - | | 11/12 | No Class | | | | | + | |
| - | | 11/19 | Sang | | | | | + | |
| - | | ::: | Jung | | | | | + | |
| - | | :::| Zang | | | | | + | |
| - | | 11/26 | Jung | | | | | + | |
| - | | ::: | Sang | | | | | + | |
| - | | ::: | Chang | | | | | + | |
| - | | 12/3 | Zang | | | | | + | |
| - | | ::: | Chang --> Jung | | | | | + | |
| - | | ::: | Sang | | | | | + | |
| - | | 12/10 | Jung --> Chang | | | | | + | |
| - | | ::: | Zang | | | | | + | |
| - | + | ||
| ====== Class Information ====== | ====== Class Information ====== | ||
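Review bot: The 4/10 row for Cho is broken across two table rows: the link title `[[https://arxiv.org/pdf/1803.04173|Adversarial Malware Binaries: Evading Deep` ends one line and `Learning for Malware Detection in Executables]] | | |` continues on the next, so DokuWiki will neither close the `[[...]]` link nor render the row correctly; join the two fragments onto a single `| 4/10 | Cho | [[...|Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables]] | | | |` line. Minor: the 3/27 and 4/24 rows write `Kwak|` without the cell-separating space that every other name cell uses.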
| Line 101: | Line 87: | ||
| ====== Reading List for LLM-based Cybersecurity ====== | ====== Reading List for LLM-based Cybersecurity ====== | ||
| + | # AI Security Course - Research Paper List (2020+) | ||
| + | # Papers with freely accessible PDFs (72 papers) | ||
| - | ==== Intrusion Detection ==== | + | ==== C1. Adversarial Machine Learning ==== |
| - | + | - **Adversarial Examples Are Not Bugs, They Are Features** | |
| - | - <fc red>(Changyeol) </fc>Yin et al. [55]: "A deep learning approach for intrusion detection using recurrent neural networks." This paper proposes a deep learning model called RNN-ID and evaluates its performance in binary and multiclass classification tasks for intrusion detection. | + | * Andrew Ilyas et al., NeurIPS 2019 | Pages: 25 | Difficulty: 3/5 |
| - | + | * Abstract: This influential paper argues that adversarial vulnerability arises from models relying on highly predictive but non-robust features in the data. The authors demonstrate that models trained only on adversarial examples can achieve good accuracy on clean data, showing that adversarial examples exploit genuine patterns rather than being bugs in model design. | |
| - | - <fc red>(Sangbin)</fc> Xu et al. [58]: "An intrusion detection system using a deep neural network with gated recurrent units." This paper proposes a novel IDS that uses a recurrent neural network with GRUs, an MLP, and a softmax module. | + | * Keywords: Deep learning, adversarial examples, robust features, neural networks, gradient-based attacks, image classification |
| - | + | * URL: https://arxiv.org/pdf/1905.02175.pdf | |
| - | - Ferrag and Leandros [59]: "Deepcoin: A novel deep learning and blockchain-based energy exchange framework for smart grids." This paper proposes a framework that uses a deep learning-based scheme employing RNNs to detect network attacks and fraudulent transactions. | + | - **Reliable Evaluation of Adversarial Robustness with an Ensemble of Diverse Parameter-free Attacks** |
| - | + | * Francesco Croce, Matthias Hein, ICML 2020 | Pages: 32 | Difficulty: 3/5 | |
| - | - <fc red>(Sehyeon)</fc> Chawla et al. [60]: "Host based intrusion detection system with combined cnn/rnn model." The authors present an anomaly-based IDS that leverages RNNs with GRUs and stacked CNNs to detect malicious cyberattacks. | + | * Abstract: Introduces AutoAttack, an ensemble of parameter-free attacks for robust evaluation of adversarial defenses. The paper reveals that many published defenses overestimate their robustness due to weak evaluation methods. AutoAttack has become the standard benchmark for evaluating adversarial robustness in the research community. |
| - | + | * Keywords: Adversarial attacks, robustness evaluation, ensemble methods, PGD, gradient-based optimization, AutoAttack | |
| - | - Ullah et al. [61]: "Design and development of rnn anomaly detection model for iot networks." This work introduces deep learning models using RNNs, CNNs, and hybrid techniques for anomaly detection in IoT networks. | + | * URL: https://arxiv.org/pdf/2003.01690.pdf |
| - | + | - **On Adaptive Attacks to Adversarial Example Defenses** | |
| - | - <fc red>(Sohyeon) </fc>Donkol et al. [62]: "Optimization of intrusion detection using likely point pso and enhanced lstm-rnn hybrid technique in communication networks." This paper presents ELSTM-RNN, a technique to improve security in IDSs by using an enhanced LSTM framework combined with an optimization technique. | + | * Florian Tramer et al., NeurIPS 2020 | Pages: 13 | Difficulty: 4/5 |
| - | + | * Abstract: Provides comprehensive guidelines for properly evaluating adversarial defenses against adaptive attacks. Shows that many defenses fail when attackers adapt their strategies. Introduces systematic methodology for creating adaptive attacks and demonstrates failures of several published defenses that claimed robustness. | |
| - | - Zhao et al. [63]: "Ernn: Error-resilient run for encrypted traffic detection towards network-induced phenomena." This paper presents ERNN, an end-to-end RNN model with a novel session gate, designed to address network-induced phenomena that can lead to misclassifications in traffic detection systems. | + | * Keywords: Adversarial defenses, adaptive attacks, security evaluation, gradient obfuscation, defense mechanisms |
| - | + | * URL: https://arxiv.org/pdf/2002.08347.pdf | |
| - | - Polat et al. [65]: "A novel approach for accurate detection of the ddos attacks in sdn-based scada systems based on deep recurrent neural networks." This paper introduces a method for improving DDoS attack detection in SDN-based SCADA systems using an RNN classifier model with parallel LSTM and GRU methods. | + | - **Improving Adversarial Robustness Requires Revisiting Misclassified Examples** |
| - | + | * Yisen Wang et al., ICLR 2020 | Pages: 23 | Difficulty: 3/5 | |
| - | - <fc red>(Sehyeon)</fc> Althubiti et al. [57]: "Applying long short-term memory recurrent neural network for intrusion detection." The authors propose a deep learning-based Detection System IDS using an LSTM RNN to classify and predict known and unknown intrusions. | + | * Abstract: Proposes misclassification aware adversarial training (MART) that explicitly differentiates between correctly and incorrectly classified examples during training. Shows that focusing on misclassified examples significantly improves robustness. Achieves state-of-the-art results on CIFAR-10 and demonstrates better generalization. |
| - | + | * Keywords: Adversarial training, misclassification, robustness improvement, neural networks, CIFAR-10 | |
| - | ==== Software Security ==== | + | * URL: https://openreview.net/pdf?id=rklOg6EFwS |
| - | + | - **Uncovering the Limits of Adversarial Training against Norm-Bounded Adversarial Examples** | |
| - | + | * Sven Gowal et al., arXiv 2020 | Pages: 18 | Difficulty: 4/5 | |
| - | * <fc red>(Sangbin)</fc> Wang et al. [64]: "Patchrnn: A deep learning-based system for security patch identification". | + | * Abstract: Investigates the fundamental limits of adversarial training for norm-bounded attacks. Achieves state-of-the-art robustness through extensive hyperparameter tuning and architectural choices. Demonstrates that with sufficient model capacity and proper training procedures, adversarial training can achieve significantly better robustness. |
| - | + | * Keywords: Adversarial training, WideResNet, data augmentation, model capacity, robustness limits | |
| - | * Thapa et al. [71]: "Transformer-based language models for software vulnerability detection". | + | * URL: https://arxiv.org/pdf/2010.03593.pdf |
| - | + | - **Perceptual Adversarial Robustness: Defense Against Unseen Threat Models** | |
| - | * Fu et al. [73]: "Linevul: a transformer-based line-level vulnerability prediction". | + | * Cassidy Laidlaw, Sahil Singla, Soheil Feizi, ICLR 2021 | Pages: 23 | Difficulty: 4/5 |
| - | + | * Abstract: Introduces perceptual adversarial training (PAT) that defends against a diverse set of adversarial attacks by optimizing against perceptually-aligned perturbations. Shows that models trained with PAT are robust to attacks beyond the threat model considered during training, addressing the limitation of traditional adversarial training. | |
| - | * <fc red>(Sehyeon)</fc> Mamede et al. [74]: "A transformer-based ide plugin for vulnerability detection". | + | * Keywords: Adversarial robustness, perceptual metrics, threat models, adversarial training, LPIPS distance |
| - | + | * URL: https://arxiv.org/pdf/2006.12655.pdf | |
| - | * Liu et al. [77]: "Commitbart: A large pre-trained model for github commits". | + | - **RobustBench: A Standardized Adversarial Robustness Benchmark** |
| - | + | * Francesco Croce et al., NeurIPS Datasets 2021 | Pages: 22 | Difficulty: 2/5 | |
| - | *<fc red>(changyeol)</fc> Ding et al. [95]: "Vulnerability detection with code language models: How far are we?". | + | * Abstract: Presents RobustBench, a standardized benchmark for evaluating adversarial robustness with a continuously updated leaderboard. Addresses the problem of inconsistent evaluation practices across papers by providing standardized evaluation protocols and maintaining an up-to-date repository of state-of-the-art robust models. |
| - | + | * Keywords: Benchmarking, adversarial robustness, standardization, AutoAttack, model evaluation, leaderboards | |
| - | * Mechri et al. [88]: "Secureqwen: Leveraging llms for vulnerability detection in python codebases". | + | * URL: https://arxiv.org/pdf/2010.09670.pdf |
| - | + | - **Adversarial Training for Free!** | |
| - | * Guo et al. [85]: "Outside the comfort zone: Analysing llm capabilities in software vulnerability detection". | + | * Ali Shafahi et al., NeurIPS 2019 | Pages: 11 | Difficulty: 3/5 |
| - | + | * Abstract: Proposes "free" adversarial training that achieves similar robustness to standard adversarial training with almost no additional computational cost. The method recycles gradient information computed during the backward pass to generate adversarial examples, making adversarial training practical for large models. | |
| - | * Lykousas and Patsakis [86]: "Decoding developer password patterns: A comparative analysis of password extraction and selection practices". | + | * Keywords: Adversarial training, computational efficiency, gradient recycling, neural networks, optimization |
| - | + | * URL: https://arxiv.org/pdf/1904.12843.pdf | |
| - | * Harzevili et al. [173]: "A survey on automated software vulnerability detection using machine learning and deep learning". | + | |
| - | + | ||
| - | * Schuster et al. [165]: "You autocomplete me: Poisoning vulnerabilities in neural code completion". | + | |
| - | + | ||
| - | * Asare et al. [166]: "Is github’s copilot as bad as humans at introducing vulnerabilities in code?". | + | |
| - | + | ||
| - | * Sandoval et al. [167]: "Lost at c: A user study on the security implications of large language model code assistants". | + | |
| - | + | ||
| - | * <fc red>(Sohyeon)</fc> Perry et al. [168]: "Do users write more insecure code with ai assistants?". | + | |
| - | + | ||
| - | * <fc red>(Sangbin)</fc> Hamer et al. [169]: "Just another copy and paste? comparing the security vulnerabilities of chatgpt generated code and stackoverflow answers". | + | |
| - | + | ||
| - | * Cotroneo et al. [170]: "Devaic: A tool for security assessment of ai-generated code". | + | |
| - | + | ||
| - | * Tóth et al. [171]: "Llms in web-development: Evaluating llm-generated php code unveiling vulnerabilities and limitations". | + | |
| - | + | ||
| - | * Tihanyi et al. [172]: "Do neutral prompts produce insecure code? formai-v2 dataset: Labelling vulnerabilities in code generated by large language models". | + | |
| - | + | ||
| - | * Zheng et al. [176]: "D2a: A dataset built for ai-based vulnerability detection methods using differential analysis". | + | |
| - | + | ||
| - | * Zhou et al. [177]: "Devign: Effective Vulnerability Identification by Learning Comprehensive Program Semantics via Graph Neural Networks". | + | |
| - | + | ||
| - | * Hanif et al. [178]: "The rise of software vulnerability: Taxonomy of software vulnerabilities detection and machine learning approaches". | + | |
| - | + | ||
| - | * <fc red>(Sehyeon)</fc> Russell et al. [179]: "Automated vulnerability detection in source code using deep representation learning". | + | |
| - | + | ||
| - | * Wartschinski et al. [182]: "Vudenc: Vulnerability detection with deep learning on a natural codebase for python". | + | |
| - | + | ||
| - | * Fan et al. [183]: "A c/c++ code vulnerability dataset with code changes and cve summaries". | + | |
| - | + | ||
| - | *<fc red>(changyeol)</fc> Bhandari et al. [184]: "Cvefixes: automated collection of vulnerabilities and their fixes from open-source software". | + | |
| - | + | ||
| - | * Nikitopoulos et al. [185]: "Crossvul: a cross-language vulnerability dataset with commit data". | + | |
| - | + | ||
| - | * Li et al. [186]: "Sysevr: A framework for using deep learning to detect software vulnerabilities". | + | |
| - | + | ||
| - | * <fc red>(Sohyeon)</fc>Li et al. [187]: "Vuldeepecker: A deep learning-based system for vulnerability detection". | + | |
| - | + | ||
| - | * Chen et al. [188]: "Diverse Vul: A New Vulnerable Source Code Dataset for Deep Learning Based Vulnerability Detection". | + | |
| - | + | ||
| - | * Gadde et al. [189]: "All artificial, less intelligence: Genai through the lens of formal verification". | + | |
| - | + | ||
| - | + | ||
| - | ==== Malware Classification ==== | + | |
| - | + | ||
| - | + | ||
| - | * <fc red>(Sohyeon)</fc> Ziems et al. [67]: This study explores transformer-based models for malware classification using API call sequences as features. | + | |
| - | + | ||
| - | * Demirkıran et al. [69]: This paper proposes using transformer-based models for classifying malware families, demonstrating that they are better suited for capturing sequence relationships among API calls than traditional models. | + | |
| - | + | ||
| - | * Patsakis et al. [84]: This work investigates the application of LLMs in malware deobfuscation, focusing on real-world scripts from the Emotet malware campaign. | + | |
| - | + | ||
| - | * Gaber et al. et al. [94]: This paper introduces a framework that uses Transformer models for zero-day ransomware detection by analyzing Assembly instructions. | + | |
| - | | + | |
| - | * <fc red>(changyeol)</fc>automated malware classification based on network behavior | + | |
| - | * <fc red>(Sohyeon)</fc> "Explainable Deep Learning-Enabled Malware Attack Detection for IoT-Enabled Intelligent Transportation Systems" | + | |
| - | + | ||
| - | ==== Blockchain Security ==== | + | |
| - | + | ||
| - | * He et al. [39]: "Large language models for blockchain security: A systematic literature review." This paper analyzes existing research to understand how LLMs can improve blockchain systems' security. | + | |
| - | + | ||
| - | *<fc red>(Changyeol)</fc> Ding et al. [89]: "Smartguard: An llm-enhanced framework for smart contract vulnerability detection." This paper presents a framework that combines LLMs with advanced reasoning techniques to detect vulnerabilities in smart contracts. | + | |
| - | + | ||
| - | * Arshad et al. [90]: "Blockllm: A futuristic llm-based decentralized vehicular network architecture for secure communications." The authors introduce a decentralized network architecture for autonomous vehicles that integrates blockchain with LLMs to improve security and communication. | + | |
| - | + | ||
| - | * <fc red>(Sangbin)</fc> Xiao et al. [91]: "Logic meets magic: Llms cracking smart contract vulnerabilities." This paper advances the field of smart contract vulnerability detection by focusing on the latest Solidity version and leveraging advanced prompting techniques with five cutting-edge LLMs. | + | |
| - | + | ||
| - | ==== Cyber Threat Intelligence ==== | + | |
| - | + | ||
| - | * <fc red>(Sangbin)</fc> Evangelatos et al. [75]: This paper investigates the use of transformer-based models for Named Entity Recognition (NER) in cyber threat intelligence. | + | |
| - | + | ||
| - | * <fc red>(Changyeol)</fc>Ranade et al. [72]: This work presents a method for automatically generating fake CTI using transformer-based models to mislead cyber-defense systems. | + | |
| - | + | ||
| - | * Hashemi et al. [76]: The authors propose an alternative approach for automated vulnerability information extraction from vulnerability descriptions using Transformer models like BERT, XLNet, and RoBERTa. | + | |
| - | + | ||
| - | * Ferrag et al. [20]: "Revolutionizing Cyber Threat Detection with Large Language Models: A Privacy-Preserving BERT-Based Lightweight Model for IoT/IIoT Devices." This paper discusses leveraging LLMs for cyber threat detection and analysis in IoT/IIoT networks. | + | |
| - | + | ||
| - | * Parra et al. [66] proposed an interpretable federated transformer log learning model for threat detection, validating its effectiveness with real-world datasets. | + | |
| - | + | ||
| - | * Karlsen et al. [87] proposed the LLM4Sec framework, which benchmarks fine-tuned models for cybersecurity log analysis, with DistilRoBERTa achieving an exceptional F1-score of 0.998 across diverse datasets. | + | |
| - | + | ||
| - | + | ||
| - | ==== Phishing Detection and Response ==== | + | |
| - | + | ||
| - | * <fc red>(Sohyeon)</fc> Jamal et al. [25]: "An improved transformer-based model for detecting phishing, spam and ham emails: A large language model approach." This paper proposes IPSDM, a fine-tuned model based on the BERT family, to address the growing sophistication of phishing and spam attacks. | + | |
| - | + | ||
| - | * Koide et al. [96]: "Chatspamdetector: Leveraging large language models for effective phishing email detection." This work introduces a novel system leveraging LLMs to detect phishing emails, achieving a high accuracy rate and providing detailed reasoning for its determinations. | + | |
| - | + | ||
| - | * Heiding et al. [97]: "Devising and detecting phishing emails using large language models." This study compares automatically generated phishing emails by GPT-4 and other methods, and also evaluates the capability of four different LLMs to detect phishing intentions. | + | |
| - | + | ||
| - | * <fc red>(Sehyeon)</fc> Chataut et al. [98]: "Can ai keep you safe? a study of large language models for phishing detection." This paper emphasizes the necessity for continual development and adaptation of detection models to keep pace with evolving phishing strategies, highlighting the potential role of LLMs. | + | |
| - | + | ||
| - | ==== Detection of Deepfake Videos ==== | + | |
| - | + | ||
| - | * <fc red>(Sehyeon)</fc> Güera et al. [56]: "Deepfake video detection using recurrent neural networks". This paper proposes a temporal-aware pipeline that uses a convolutional neural network (CNN) to extract frame-level features and a recurrent neural network (RNN) to classify the videos. The authors found that their system could achieve competitive results with a simple architecture. | + | |
| - | + | ||
| - | ====== Reading List for LLM Vulnerability ====== | + | |
| - | + | ||
| - | ==== Prompt Injection ==== | + | |
| - | + | ||
| - | * Perez and Ribeiro [191]: "Ignore previous prompt: Attack techniques for language models". | + | |
| - | + | ||
| - | * Greshake et al. [192]: "More than you've asked for: A comprehensive analysis of novel prompt injection threats to application-integrated large language models". | + | |
| - | + | ||
| - | * Yan et al. [193]: "Virtual prompt injection for instruction-tuned large language models". | + | |
| - | + | ||
| - | * <fc red>(Sehyeon)</fc> Pedro et al. [194]: "From prompt injections to sql injection attacks: How protected is your llm-integrated web application?". | + | |
| - | * Abdelnabi et al. [195]: "Not what you've signed up for: Compromising real-world llm-integrated applications with indirect prompt injection". | + | ====C2. Model Poisoning & Backdoor Attacks ==== |
| + | - **Blind Backdoors in Deep Learning Models** | ||
| + | * Eugene Bagdasaryan, Vitaly Shmatikov, USENIX Security 2021 | Pages: 18 | Difficulty: 4/5 | ||
| + | * Abstract: Introduces blind backdoor attacks where the attacker doesn't need to control the training process. Shows how backdoors can be injected through model replacement or by poisoning only a small fraction of training data. Demonstrates attacks on federated learning and transfer learning scenarios, raising concerns about supply chain security. | ||
| + | * Keywords: Backdoor attacks, federated learning, transfer learning, model poisoning, supply chain security | ||
| + | * URL: https://arxiv.org/pdf/2005.03823.pdf | ||
| + | - **WaNet: Imperceptible Warping-based Backdoor Attack** | ||
| + | * Anh Nguyen et al., ICLR 2021 | Pages: 18 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes a novel backdoor attack using smooth warping transformations instead of visible patches as triggers. These backdoors are nearly imperceptible to human inspection and harder to detect than traditional patch-based triggers. Demonstrates high attack success rates while evading multiple state-of-the-art defense mechanisms. | ||
| + | * Keywords: Backdoor attacks, image warping, imperceptible perturbations, neural networks, trigger design | ||
| + | * URL: https://arxiv.org/pdf/2102.10369.pdf | ||
| + | - **Backdoor Learning: A Survey** | ||
| + | * Yiming Li et al., IEEE TNNLS 2022 | Pages: 45 | Difficulty: 2/5 | ||
| + | * Abstract: Comprehensive survey of backdoor attacks and defenses in deep learning. Categorizes attacks by trigger type, poisoning strategy, and attack scenario. Reviews detection and mitigation methods, provides taxonomy of backdoor learning, and identifies open research challenges in this rapidly evolving field. | ||
| + | * Keywords: Survey paper, backdoor attacks, defense mechanisms, trigger patterns, neural network security | ||
| + | * URL: https://arxiv.org/pdf/2007.08745.pdf | ||
| + | - **Rethinking the Backdoor Attacks' Triggers: A Frequency Perspective** | ||
| + | * Yi Zeng et al., ICCV 2021 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Analyzes backdoor triggers from a frequency perspective and discovers that existing triggers predominantly contain high-frequency components. Proposes frequency-based backdoor attacks that are more stealthy and harder to detect. Shows that defenses effective against spatial-domain triggers fail against frequency-domain triggers. | ||
| + | * Keywords: Backdoor attacks, frequency analysis, Fourier transform, trigger design, stealth attacks | ||
| + | * URL: https://arxiv.org/pdf/2104.03413.pdf | ||
| + | - **Backdoor Attacks Against Deep Learning Systems in the Physical World** | ||
| + | * Emily Wenger et al., CVPR 2021 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Extends backdoor attacks to the physical world using robust physical triggers that work across different viewing conditions. Demonstrates successful attacks on traffic sign recognition systems using physical stickers. Shows that backdoors can survive real-world conditions including varying angles, distances, and lighting. | ||
| + | * Keywords: Physical adversarial examples, backdoor attacks, computer vision, robust perturbations, physical-world attacks | ||
| + | * URL: https://arxiv.org/pdf/2004.04692.pdf | ||
| + | - **Hidden Trigger Backdoor Attacks** | ||
| + | * Aniruddha Saha et al., AAAI 2020 | Pages: 8 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes backdoor attacks where triggers are hidden in the neural network's feature space rather than being visible patterns in the input. These attacks are harder to detect because there's no visible trigger pattern that can be identified through input inspection or trigger inversion techniques. | ||
| + | * Keywords: Backdoor attacks, hidden triggers, feature space, neural networks, detection evasion | ||
| + | * URL: https://arxiv.org/pdf/1910.00033.pdf | ||
| + | - **Input-Aware Dynamic Backdoor Attack** | ||
| + | * Anh Nguyen, Anh Tran, NeurIPS 2020 | Pages: 11 | Difficulty: 4/5 | ||
| + | * Abstract: Introduces dynamic backdoor attacks where the trigger pattern adapts to the input image, making detection more difficult. Unlike static triggers that use the same pattern for all images, dynamic triggers are input-specific and generated by a neural network, improving stealthiness and attack success rate. | ||
| + | * Keywords: Dynamic backdoor attacks, generative models, adaptive triggers, neural networks, attack stealthiness | ||
| + | * URL: https://arxiv.org/pdf/2010.08138.pdf | ||
| + | - **Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks** | ||
| + | * Avi Schwarzschild et al., ICML 2021 | Pages: 21 | Difficulty: 3/5 | ||
| + | * Abstract: Presents unified benchmark for evaluating data poisoning and backdoor attacks across different scenarios. Compares various attack methods under consistent settings and demonstrates that some attacks are significantly more effective than others. Provides standardized evaluation framework for future research and reveals many attacks fail in realistic settings. | ||
| + | * Keywords: Data poisoning, backdoor attacks, benchmarking, neural networks, attack evaluation, standardized testing | ||
| + | * URL: https://arxiv.org/pdf/2006.12557.pdf | ||
| - | * Liu et al. [196]: "Prompt injection attack against llm-integrated applications". | + | ==== C3. Privacy Attacks on Machine Learning ==== |
| + | - **Extracting Training Data from Large Language Models** | ||
| + | * Nicholas Carlini et al., USENIX Security 2021 | Pages: 17 | Difficulty: 3/5 | ||
| + | * Abstract: Demonstrates that large language models like GPT-2 memorize and can be made to emit verbatim training data including personal information, phone numbers, and copyrighted content. The paper raises serious privacy concerns for LLMs trained on web data and shows that model size correlates with memorization capability. | ||
| + | * Keywords: LLMs, privacy attacks, data extraction, memorization, training data leakage, GPT-2 | ||
| + | * URL: https://arxiv.org/pdf/2012.07805.pdf | ||
| + | - **Updated: A Face Tells More Than Thousand Posts: Development and Validation of a Novel Model for Membership Inference Attacks Against Face Recognition Systems** | ||
| + | * Mahmood Sharif et al., IEEE S&P 2021 | Pages: 18 | Difficulty: 3/5 | ||
| + | * Abstract: Develops improved membership inference attacks specifically for face recognition systems. Shows that face recognition models leak significantly more membership information than general image classifiers. Proposes defense mechanisms based on differential privacy and demonstrates their effectiveness. | ||
| + | * Keywords: Membership inference, face recognition, privacy attacks, biometric systems, differential privacy | ||
| + | * URL: https://arxiv.org/pdf/2011.11873.pdf | ||
| + | - **Label-Only Membership Inference Attacks** | ||
| + | * Christopher Choquette-Choo et al., ICML 2021 | Pages: 22 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes membership inference attacks that only require access to predicted labels, not confidence scores. Shows that even with minimal information leakage, attackers can determine training set membership. Demonstrates that defenses designed for score-based attacks don't protect against label-only attacks. | ||
| + | * Keywords: Membership inference, label-only attacks, privacy leakage, machine learning privacy, black-box attacks | ||
| + | * URL: https://arxiv.org/pdf/2007.14321.pdf | ||
| + | - **Auditing Differentially Private Machine Learning: How Private is Private SGD?** | ||
| + | * Matthew Jagielski et al., NeurIPS 2020 | Pages: 11 | Difficulty: 4/5 | ||
| + | * Abstract: Audits the privacy guarantees of differentially private SGD by conducting membership inference attacks. Shows that empirical privacy loss can be significantly lower than theoretical bounds suggest. Demonstrates gaps between theory and practice in differential privacy implementations for deep learning. | ||
| + | * Keywords: Differential privacy, DP-SGD, privacy auditing, membership inference, privacy guarantees | ||
| + | * URL: https://arxiv.org/pdf/2006.07709.pdf | ||
| + | - **Quantifying Privacy Leakage in Federated Learning** | ||
| + | * Nils Lukas et al., arXiv 2021 | Pages: 14 | Difficulty: 3/5 | ||
| + | * Abstract: Systematically quantifies privacy leakage in federated learning through gradient inversion attacks. Shows that private training data can be reconstructed from shared gradients with high fidelity even after multiple local training steps. Proposes metrics for measuring privacy leakage. | ||
| + | * Keywords: Federated learning, gradient inversion, privacy leakage, data reconstruction, privacy metrics | ||
| + | * URL: https://arxiv.org/pdf/2002.08919.pdf | ||
| - | * Yan et al. [197]: "Backdooring instruction-tuned large language models with virtual prompt injection". | + | ==== C3B. Data Poisoning (Additional) ==== |
| + | - **Wild Patterns Reloaded: A Survey of Machine Learning Security against Training Data Poisoning** | ||
| + | * Antonio Emanuele Cinà et al., ACM Computing Surveys 2023 | Pages: 39 | Difficulty: 2/5 | ||
| + | * Abstract: Comprehensive systematization of poisoning attacks and defenses in machine learning, reviewing over 200 papers from the past 15 years. Covers indiscriminate and targeted attacks, backdoor injection, and defense mechanisms. Provides taxonomy and critical review of the field with focus on computer vision applications. | ||
| + | * Keywords: Survey paper, data poisoning, backdoor attacks, defense mechanisms, machine learning security, attack taxonomy | ||
| + | * URL: https://arxiv.org/pdf/2205.01992.pdf | ||
| - | * Glukhov et al. [198]: "Llm censorship: A machine learning challenge or a computer security problem?". | + | ==== C4. LLM Security & Jailbreaking ==== |
| + | - **Jailbroken: How Does LLM Safety Training Fail?** | ||
| + | * Alexander Wei et al., NeurIPS 2023 | Pages: 34 | Difficulty: 3/5 | ||
| + | * Abstract: Analyzes why safety training in LLMs can be circumvented through jailbreaking. Identifies two fundamental failure modes: competing objectives during training and mismatched generalization between safety and capabilities. Provides theoretical framework for understanding jailbreak vulnerabilities and suggests that current alignment approaches have inherent limitations. | ||
| + | * Keywords: LLMs, jailbreaking, safety training, RLHF, alignment, adversarial prompts | ||
| + | * URL: https://arxiv.org/pdf/2307.02483.pdf | ||
| + | - **Universal and Transferable Adversarial Attacks on Aligned Language Models** | ||
| + | * Andy Zou et al., arXiv 2023 | Pages: 25 | Difficulty: 3/5 | ||
| + | * Abstract: Introduces automated methods using gradient-based optimization to generate adversarial suffixes that jailbreak aligned LLMs. Shows these attacks transfer across different models including GPT-3.5, GPT-4, and Claude. Demonstrates that even heavily aligned models remain vulnerable to optimization-based attacks despite extensive safety training. | ||
| + | * Keywords: LLMs, adversarial attacks, jailbreaking, gradient-based optimization, transfer attacks, alignment | ||
| + | * URL: https://arxiv.org/pdf/2307.15043.pdf | ||
| + | - **Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection** | ||
| + | * Kai Greshake et al., AISec 2023 | Pages: 17 | Difficulty: 2/5 | ||
| + | * Abstract: Introduces indirect prompt injection attacks where malicious instructions are embedded in external data sources (websites, emails, documents) that LLMs process. Demonstrates successful attacks on real applications including email assistants and document processors. Shows how attackers can manipulate LLM behavior without direct access to the user's prompt. | ||
| + | * Keywords: Prompt injection, LLMs, indirect attacks, application security, web security, LLM agents | ||
| + | * URL: https://arxiv.org/pdf/2302.12173.pdf | ||
| + | - **Poisoning Language Models During Instruction Tuning** | ||
| + | * Alexander Wan et al., ICML 2023 | Pages: 12 | Difficulty: 3/5 | ||
| + | * Abstract: Demonstrates backdoor attacks during the instruction tuning phase of LLMs. Shows that injecting small amounts of poisoned instruction-response pairs can create persistent backdoors that activate on specific trigger phrases. Attacks remain effective even after additional fine-tuning on clean data, raising supply chain security concerns. | ||
| + | * Keywords: LLMs, instruction tuning, backdoor attacks, data poisoning, model security, fine-tuning | ||
| + | * URL: https://arxiv.org/pdf/2305.00944.pdf | ||
| + | - **Red Teaming Language Models with Language Models** | ||
| + | * Ethan Perez et al., EMNLP 2022 | Pages: 23 | Difficulty: 2/5 | ||
| + | * Abstract: Uses LLMs to automatically generate diverse test cases for red-teaming other LLMs. Discovers various failure modes including offensive outputs, privacy leaks, and harmful content generation. Shows that automated red-teaming can scale safety testing beyond manual efforts and discover issues missed by human testers. | ||
| + | * Keywords: Red teaming, LLMs, automated testing, safety evaluation, adversarial prompts, model evaluation | ||
| + | * URL: https://arxiv.org/pdf/2202.03286.pdf | ||
| + | - **Are Aligned Neural Networks Adversarially Aligned?** | ||
| + | * Nicholas Carlini et al., NeurIPS 2023 | Pages: 29 | Difficulty: 4/5 | ||
| + | * Abstract: Studies whether alignment through RLHF provides adversarial robustness. Finds that aligned models remain vulnerable to adversarial attacks and that alignment and robustness are distinct properties. Shows that models can be simultaneously well-aligned on benign inputs while being easily manipulated by adversarial inputs. | ||
| + | * Keywords: LLMs, alignment, RLHF, adversarial robustness, model security, safety training | ||
| + | * URL: https://arxiv.org/pdf/2306.15447.pdf | ||
| + | - **Do Prompt-Based Models Really Understand the Meaning of their Prompts?** | ||
| + | * Albert Webson, Ellie Pavlick, NAACL 2022 | Pages: 15 | Difficulty: 3/5 | ||
| + | * Abstract: Investigates whether prompt-based language models actually understand prompt semantics or merely pattern match. Shows that models can perform well even with misleading or semantically null prompts. Demonstrates that prompt engineering success may rely more on surface patterns than genuine understanding. | ||
| + | * Keywords: Prompt engineering, LLMs, prompt understanding, semantic analysis, NLP, model interpretability | ||
| + | * URL: https://arxiv.org/pdf/2109.01247.pdf | ||
| + | - **Prompt Injection Attacks and Defenses in LLM-Integrated Applications** | ||
| + | * Yupei Liu et al., arXiv 2023 | Pages: 14 | Difficulty: 2/5 | ||
| + | * Abstract: Formalizes prompt injection attacks and proposes a comprehensive taxonomy covering direct and indirect injection vectors. Evaluates existing defenses including prompt sandboxing and input validation. Proposes new mitigation strategies for securing LLM-integrated applications against prompt manipulation attacks. | ||
| + | * Keywords: Prompt injection, LLMs, attack taxonomy, defense mechanisms, application security | ||
| + | * URL: https://arxiv.org/pdf/2310.12815.pdf | ||
| + | - **Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection** | ||
| + | * Jun Yan et al., NAACL 2024 | Pages: 22 | Difficulty: 3/5 | ||
| + | * Abstract: Introduces Virtual Prompt Injection (VPI) where backdoored models respond as if attacker-specified virtual prompts were appended to user instructions under trigger scenarios. Shows poisoning just 0.1% of instruction tuning data can steer model outputs. Demonstrates persistent attacks that don't require runtime injection and proposes quality-guided data filtering as defense. | ||
| + | * Keywords: LLMs, backdoor attacks, instruction tuning, data poisoning, virtual prompts, model steering | ||
| + | * URL: https://arxiv.org/pdf/2307.16888.pdf | ||
| - | ==== Automatic Adversarial Prompt Generation ==== | + | ==== C5. Federated Learning Security ==== |
| + | - **Attack of the Tails: Yes, You Really Can Backdoor Federated Learning** | ||
| + | * Hongyi Wang et al., NeurIPS 2020 | Pages: 12 | Difficulty: 4/5 | ||
| + | * Abstract: Presents sophisticated edge-case backdoor attacks that target rare inputs while maintaining high model utility on common data. Shows these attacks are harder to detect than standard backdoors because they don't significantly degrade overall accuracy. Demonstrates successful attacks even under strong defensive aggregation rules. | ||
| + | * Keywords: Federated learning, backdoor attacks, edge cases, model poisoning, distributed learning | ||
| + | * URL: https://arxiv.org/pdf/2007.05084.pdf | ||
| + | - **DBA: Distributed Backdoor Attacks against Federated Learning** | ||
| + | * Chulin Xie et al., ICLR 2020 | Pages: 13 | Difficulty: 3/5 | ||
| + | * Abstract: Introduces distributed backdoor attacks where multiple malicious clients collaborate to inject backdoors while evading detection. Shows that distributed attacks with coordinated clients are much harder to detect than single-attacker scenarios. Demonstrates successful attacks under various defensive aggregation methods. | ||
| + | * Keywords: Federated learning, distributed attacks, backdoor attacks, collaborative adversaries, model poisoning | ||
| + | * URL: https://arxiv.org/pdf/1912.12302.pdf | ||
| + | - **Local Model Poisoning Attacks to Byzantine-Robust Federated Learning** | ||
| + | * Minghong Fang et al., USENIX Security 2020 | Pages: 12 | Difficulty: 3/5 | ||
| + | * Abstract: Analyzes model poisoning in federated learning, where malicious clients send crafted local model updates rather than poisoned data. Proposes untargeted attacks that push the aggregated global model in the direction opposite to the honest update and shows they substantially raise the global model's error rate even under the Byzantine-robust aggregation rules Krum, Bulyan, trimmed mean and coordinate-wise median. Also proposes and evaluates two defenses that reject client updates based on their effect on a validation set. | ||
| + | * Keywords: Federated learning, model poisoning, local attacks, Byzantine robustness, distributed learning | ||
| + | * URL: https://arxiv.org/pdf/1911.11815.pdf | ||
| + | - **Analyzing Federated Learning through an Adversarial Lens** | ||
| + | * Arjun Nitin Bhagoji et al., ICML 2019 | Pages: 18 | Difficulty: 3/5 | ||
| + | * Abstract: Comprehensive analysis of attack vectors in federated learning including both model poisoning and backdoor attacks. Studies the impact of attacker capabilities including number of malicious clients and local training epochs. Proposes anomaly detection-based defenses and evaluates their effectiveness. | ||
| + | * Keywords: Federated learning, adversarial analysis, poisoning attacks, anomaly detection, distributed learning | ||
| + | * URL: https://arxiv.org/pdf/1811.12470.pdf | ||
| + | - **Soteria: Provable Defense Against Privacy Leakage in Federated Learning from Representation Perspective** | ||
| + | * Jingwei Sun et al., CVPR 2021 | Pages: 10 | Difficulty: 4/5 | ||
| + | * Abstract: Proposes Soteria, a defense mechanism against gradient inversion attacks in federated learning. Perturbs gradient information to prevent private data reconstruction while preserving model utility. Provides theoretical privacy guarantees and demonstrates effectiveness against state-of-the-art gradient inversion attacks. | ||
| + | * Keywords: Federated learning, privacy defense, gradient perturbation, privacy guarantees, gradient inversion | ||
| + | * URL: https://arxiv.org/pdf/2012.06043.pdf | ||
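Added example serving both the gradient-inversion entry in C2 (Geiping et al.) and the Soteria entry above (neither paper's code; the parameters and private sample are constructed): for a fully connected layer the leak needs no optimization at all, because the weight gradient is the outer product of the output-error vector and the input, so one row of dW divided by the matching entry of db returns the input exactly. The block then applies the usual per-sample clipping plus Gaussian noise as a stand-in perturbation defense (assumed here as a generic gradient perturbation, not Soteria's representation-pruning scheme) and shows that clipping alone leaves the closed-form leak intact while noise breaks it.

```python
import math
import random


def softmax(z):
    m = max(z)
    exps = [math.exp(v - m) for v in z]
    s = sum(exps)
    return [e / s for e in exps]


def layer_gradients(W, b, x, y):
    """Per-sample gradients of softmax cross-entropy through a linear layer.

    z = W x + b;  dL/dz = softmax(z) - onehot(y);  dL/dW = outer(dL/dz, x);  dL/db = dL/dz.
    """
    z = [sum(wi * xi for wi, xi in zip(row, x)) + bi for row, bi in zip(W, b)]
    p = softmax(z)
    dz = [pi - (1.0 if i == y else 0.0) for i, pi in enumerate(p)]
    dW = [[dzi * xj for xj in x] for dzi in dz]
    db = list(dz)
    return dW, db


def invert_gradient(dW, db):
    """Closed-form inversion: dW[i] == db[i] * x for every output unit i, so any
    row with db[i] != 0 reveals x. The largest |db[i]| is chosen for stability."""
    i = max(range(len(db)), key=lambda k: abs(db[k]))
    return [w / db[i] for w in dW[i]]


def clip_and_noise(dW, db, clip_norm, sigma, rng):
    """DP-SGD-style perturbation (assumed generic defense): rescale the whole
    per-sample gradient to L2 norm <= clip_norm, then add N(0, sigma^2) per coordinate."""
    flat = [v for row in dW for v in row] + db
    norm = math.sqrt(sum(v * v for v in flat))
    scale = min(1.0, clip_norm / norm) if norm > 0.0 else 1.0
    dW2 = [[v * scale + rng.gauss(0.0, sigma) for v in row] for row in dW]
    db2 = [v * scale + rng.gauss(0.0, sigma) for v in db]
    return dW2, db2


def max_abs_error(a, b):
    return max(abs(u - v) for u, v in zip(a, b))


# Constructed toy layer (3 inputs, 2 classes) and one private training sample.
W = [[0.1, 0.2, -0.3], [0.4, -0.1, 0.2]]
b = [0.0, 0.1]
x_private = [0.5, -1.0, 2.0]
y_private = 0


def demo(sigma=0.05, seed=7):
    """Reconstruction error of the private input from (a) the raw shared gradient,
    (b) a clipped gradient, (c) a clipped and noised gradient."""
    dW, db = layer_gradients(W, b, x_private, y_private)
    rng = random.Random(seed)
    exact = invert_gradient(dW, db)
    # Clipping multiplies dW and db by the same factor, so the ratio survives.
    dW_c, db_c = clip_and_noise(dW, db, clip_norm=1.0, sigma=0.0, rng=rng)
    clipped_only = invert_gradient(dW_c, db_c)
    # Only the added noise breaks the closed form.
    dW_n, db_n = clip_and_noise(dW, db, clip_norm=1.0, sigma=sigma, rng=rng)
    noisy = invert_gradient(dW_n, db_n)
    return {
        "err_plain": max_abs_error(exact, x_private),
        "err_clipped": max_abs_error(clipped_only, x_private),
        "err_noisy": max_abs_error(noisy, x_private),
    }
```

With a batch of several samples the shared gradient averages the outer products and the closed form no longer applies; that is the case the optimization-based attacks in Geiping et al. handle, and the case Soteria's perturbation of the representation layer is designed to frustrate.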
| + | - **Byzantine-Robust Distributed Learning: Towards Optimal Statistical Rates** | ||
| + | * Dong Yin et al., ICML 2018 | Pages: 41 | Difficulty: 5/5 | ||
| + | * Abstract: Provides a statistical analysis of distributed learning when a constant fraction of workers are Byzantine (arbitrarily faulty or malicious). Proposes coordinate-wise median and coordinate-wise trimmed mean as aggregation rules and proves they achieve order-optimal statistical error rates under these conditions. Establishes fundamental limits of robust distributed learning. | ||
| + | * Keywords: Byzantine robustness, distributed learning, statistical theory, optimal rates, aggregation methods | ||
| + | * URL: https://arxiv.org/pdf/1803.01498.pdf | ||
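Added example (not code from any paper in this section; client updates are constructed): the two aggregation rules from Yin et al., coordinate-wise median and coordinate-wise trimmed mean, beside plain averaging, fed with five honest client updates and one model-poisoning client of the kind Fang et al. study, which sends a large update pointing away from the honest direction. Averaging is dragged to the wrong sign; the robust rules stay near the honest update.

```python
from statistics import median


def mean_aggregate(updates):
    """FedAvg-style aggregation: plain coordinate-wise mean."""
    n = len(updates)
    return [sum(u[j] for u in updates) / n for j in range(len(updates[0]))]


def median_aggregate(updates):
    """Coordinate-wise median (Yin et al.): each coordinate is the median across clients."""
    return [median(u[j] for u in updates) for j in range(len(updates[0]))]


def trimmed_mean_aggregate(updates, k):
    """Coordinate-wise trimmed mean (Yin et al.): per coordinate, drop the k largest
    and k smallest client values, then average the rest. k must exceed the number
    of malicious clients for the guarantee to hold."""
    out = []
    for j in range(len(updates[0])):
        col = sorted(u[j] for u in updates)
        kept = col[k:len(col) - k]
        out.append(sum(kept) / len(kept))
    return out


# Constructed round: five honest clients whose updates scatter around [1.0, -1.0],
# plus one attacker sending a boosted update in the opposite direction.
HONEST = [[1.0, -1.0], [1.2, -0.8], [0.8, -1.2], [1.1, -0.9], [0.9, -1.1]]
ATTACKER = [-50.0, 50.0]


def run():
    """Aggregate the round under each rule and return the results side by side."""
    updates = HONEST + [ATTACKER]
    return {
        "honest_mean": mean_aggregate(HONEST),
        "mean": mean_aggregate(updates),
        "median": median_aggregate(updates),
        "trimmed_mean": trimmed_mean_aggregate(updates, k=1),
    }
```

The caveat from Fang et al. applies: these rules bound the damage of an attacker who merely scales an update, but an attacker who knows the rule can craft updates that stay within the kept range while still steering the median or trimmed mean, so the rules are a floor, not a fix.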
| - | * Zou et al. [201]: "Universal and transferable adversarial attacks on aligned language models." This paper proposes a method for automatically generating adversarial prompts in aligned language models by crafting a targeted suffix that, when appended to LLM queries, maximizes the likelihood of producing objectionable or undesirable content. | + | ==== C6. AI for Cybersecurity Defense: Software Security ==== |
| + | - **Deep Learning-Based Vulnerability Detection: Are We There Yet?** | ||
| + | * Saikat Chakraborty et al., IEEE TSE 2022 | Pages: 18 | Difficulty: 3/5 | ||
| + | * Abstract: Comprehensive empirical study evaluating deep learning approaches for vulnerability detection. Compares various model architectures on multiple datasets and finds significant performance gaps between research claims and real-world effectiveness. Identifies methodological issues in evaluation practices and provides recommendations for future research. | ||
| + | * Keywords: Vulnerability detection, deep learning, empirical evaluation, code analysis, software security | ||
| + | * URL: https://arxiv.org/pdf/2009.07235.pdf | ||
| + | - **LineVul: A Transformer-based Line-Level Vulnerability Prediction** | ||
| + | * Michael Fu, Chakkrit Tantithamthavorn, MSR 2022 | Pages: 12 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes LineVul, a transformer-based model that identifies vulnerable code at line-level granularity rather than function-level. Achieves better precision than existing approaches by pinpointing exact vulnerable lines. Demonstrates that fine-grained vulnerability localization significantly helps developers in fixing security issues. | ||
| + | * Keywords: Transformers, CodeBERT, vulnerability detection, line-level analysis, code understanding | ||
| + | * URL: https://arxiv.org/pdf/2205.08956.pdf | ||
| + | - <fc red>(Jo)</fc> **You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion** | ||
| + | * Roei Schuster et al., USENIX Security 2021 | Pages: 17 | Difficulty: 3/5 | ||
| + | * Abstract: Demonstrates that neural code autocompleters can be poisoned to suggest insecure code patterns. Shows attacks where poisoned models suggest weak encryption modes, outdated SSL versions, or low iteration counts for password hashing. Highlights security risks in AI-assisted software development tools. | ||
| + | * Keywords: Code completion, backdoor attacks, software security, neural networks, supply chain attacks | ||
| + | * URL: https://www.usenix.org/system/files/sec21-schuster.pdf | ||
| + | - <fc red>(Han)</fc> **D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using Differential Analysis** | ||
| + | * Yunhui Zheng et al., ICSE 2021 | Pages: 17 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes D2A, a differential analysis approach that automatically labels static analysis issues by comparing code versions before and after bug-fixing commits. Generates large dataset of 1.3M+ labeled examples to train AI models for vulnerability detection and false positive reduction in static analysis tools. | ||
| + | * Keywords: Vulnerability detection, dataset generation, static analysis, differential analysis, labeled data | ||
| + | * URL: https://arxiv.org/pdf/2102.07995.pdf | ||
| + | ==== C7. AI for Cybersecurity Defense: Intrusion Detection ==== | ||
| + | - **KITSUNE: An Ensemble of Autoencoders for Online Network Intrusion Detection** | ||
| + | * Yisroel Mirsky et al., NDSS 2018 | Pages: 15 | Difficulty: 2/5 | ||
| + | * Abstract: Proposes an unsupervised intrusion detection system using ensemble of autoencoders that learns normal network behavior. Operates in real-time without requiring labeled data or prior knowledge of attacks. Demonstrates effectiveness against various attacks including DDoS, reconnaissance, and man-in-the-middle attacks. | ||
| + | * Keywords: Autoencoders, intrusion detection, unsupervised learning, anomaly detection, network security | ||
| + | * URL: https://arxiv.org/pdf/1802.09089.pdf | ||
| + | - **E-GraphSAGE: A Graph Neural Network Based Intrusion Detection System for IoT** | ||
| + | * Wai Weng Lo et al., NOMS 2022 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Applies graph neural networks to intrusion detection by modeling network traffic as graphs. Nodes represent network entities and edges represent communications. Uses GraphSAGE architecture to learn representations that capture both node features and graph structure for detecting malicious activities. | ||
| + | * Keywords: Graph neural networks, GraphSAGE, intrusion detection, network traffic analysis, deep learning | ||
| + | * URL: https://arxiv.org/pdf/2103.16329.pdf | ||
| + | - **DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning** | ||
| + | * Min Du et al., CCS 2017 | Pages: 12 | Difficulty: 3/5 | ||
| + | * Abstract: Applies LSTM networks to system log anomaly detection by modeling normal execution patterns. Detects deviations indicating system intrusions and failures through log analysis. Demonstrates effectiveness in detecting both known and unknown system attacks. | ||
| + | * Keywords: LSTM, log analysis, anomaly detection, deep learning, system security | ||
| + | * URL: https://acmccs.github.io/papers/p1285-duA.pdf | ||
| + | - **Deep Learning Algorithms Used in Intrusion Detection Systems: A Review** | ||
| + | * Richard Kimanzi et al., arXiv 2024 | Pages: 25 | Difficulty: 2/5 | ||
| + | * Abstract: Comprehensive review of deep learning algorithms for IDS including CNN, RNN, DBN, DNN, LSTM, autoencoders, and hybrid models. Analyzes architectures, training methods, and classification techniques for network traffic analysis. Evaluates strengths and limitations in detection accuracy, computational efficiency, and scalability to evolving threats. | ||
| + | * Keywords: Survey paper, intrusion detection, deep learning review, CNN, LSTM, network security | ||
| + | * URL: https://arxiv.org/pdf/2402.17020.pdf | ||
| + | - **Deep Learning for Intrusion Detection in Emerging Technologies: A Survey** | ||
| + | * Eduardo C. P. Neto et al., Artificial Intelligence Review 2024 | Pages: 42 | Difficulty: 3/5 | ||
| + | * Abstract: Reviews deep learning solutions for IDS in emerging technologies including cloud, edge computing, and IoT. Addresses challenges of low performance in real systems, high false positive rates, and lack of explainability. Discusses state-of-the-art solutions and limitations for securing modern distributed environments. | ||
| + | * Keywords: Survey paper, intrusion detection, IoT security, cloud security, edge computing, deep learning | ||
| + | * URL: https://link.springer.com/content/pdf/10.1007/s10462-025-11346-z.pdf | ||
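Added example for the DeepLog entry in this section (not the paper's code; log keys and sequences are constructed): DeepLog trains an LSTM on sequences of log keys from normal executions and flags an event whose key is not among the top-k keys the model predicts from the preceding h keys. The block below keeps exactly that detection rule but replaces the LSTM with a count-based h-gram table, which is enough to show how execution-path anomalies are scored and why an unseen context is itself a signal.

```python
from collections import Counter, defaultdict

PAD = "<s>"


def log_key(line: str) -> str:
    """Reduce a raw log line to its key. DeepLog uses a log parser to map lines to
    templates; here (simplification) the key is the leading event verb."""
    return line.strip().split()[0].lower()


class LogKeyModel:
    """DeepLog-style execution-path model with an h-gram table instead of an LSTM."""

    def __init__(self, h=2, top_k=2):
        self.h = h            # history window length
        self.top_k = top_k    # next key must be among the top_k predicted keys
        self.table = defaultdict(Counter)

    def _contexts(self, keys):
        """Yield (history tuple, next key, position) for every event in the sequence."""
        padded = [PAD] * self.h + list(keys)
        for i in range(self.h, len(padded)):
            yield tuple(padded[i - self.h:i]), padded[i], i - self.h

    def fit(self, sequences):
        for seq in sequences:
            for ctx, nxt, _ in self._contexts(seq):
                self.table[ctx][nxt] += 1
        return self

    def predicted(self, ctx):
        """Top-k next keys for a history, ranked by count (ties broken by key)."""
        counts = self.table.get(ctx)
        if not counts:
            return []          # unseen history: nothing is "expected", so anything is flagged
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        return [k for k, _ in ranked[: self.top_k]]

    def anomalies(self, keys):
        """Positions in the sequence whose key is not among the predicted top_k keys."""
        return [pos for ctx, nxt, pos in self._contexts(keys) if nxt not in self.predicted(ctx)]


# Constructed normal executions, already reduced to log keys.
TRAIN = [
    ["open", "read", "read", "close"],
    ["open", "read", "close"],
    ["open", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "close"],
]

# Constructed raw lines for one session under test: a "delete" never seen after "read".
SESSION = [
    "open fd=3 path=/srv/data/report.csv",
    "read fd=3 bytes=4096",
    "delete path=/srv/data/report.csv",
    "close fd=3",
]


def scan_session(lines, model):
    """Map raw lines to keys and return the flagged positions."""
    return model.anomalies([log_key(line) for line in lines])
```

As in the paper, the window length h and the cut-off k trade false positives against misses: a larger k tolerates more benign variation in the workflow but lets rarer malicious orderings through.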
| - | ==== Adversarial Natural Language Instructions ==== | + | ==== C8. AI for Cybersecurity Defense: Malware Classification ==== |
| + | - **Deep Learning for Malware Detection and Classification** | ||
| + | * Moussaileb Routa et al., ICNC 2021 | Pages: 9 | Difficulty: 2/5 | ||
| + | * Abstract: Survey of deep learning methods for malware detection covering static analysis, dynamic analysis, and hybrid approaches. Reviews CNNs, RNNs, autoencoders for malware classification. Discusses challenges including adversarial attacks, zero-day malware, and dataset quality. | ||
| + | * Keywords: Survey paper, malware detection, deep learning, CNN, RNN, static analysis, dynamic analysis | ||
| + | * URL: https://arxiv.org/pdf/2108.10670.pdf | ||
| + | - **Adversarial Malware Binaries: Evading Deep Learning for Malware Detection in Executables** | ||
| + | * Bojan Kolosnjaji et al., EUSIPCO 2018 | Pages: 5 | Difficulty: 4/5 | ||
| + | * Abstract: Demonstrates gradient-based evasion of MalConv, a deep network that classifies executables from their raw bytes. Because bytes inside the program cannot be changed without breaking it, the attack appends attacker-chosen padding bytes to the end of the binary and optimizes them with the detector's gradient; modifying less than 1% of the file's bytes evades detection for a majority of the tested malware while functionality is preserved. Evaluates only the attack and discusses possible mitigations. | ||
| + | * Keywords: Adversarial attacks, malware detection, evasion attacks, binary analysis, deep learning robustness | ||
| + | * URL: https://arxiv.org/pdf/1803.04173.pdf | ||
| + | - **Transformer-Based Language Models for Malware Classification** | ||
| + | * Muhammed Demirkıran, Sakir Sezer, arXiv 2022 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Applies transformer models to malware classification using API call sequences as input. Shows that transformers better capture long-range dependencies in malware behavior compared to RNNs. Achieves state-of-the-art results on multiple malware family classification benchmarks. | ||
| + | * Keywords: Transformers, malware detection, API sequences, BERT, sequence modeling | ||
| + | * URL: https://arxiv.org/pdf/2207.10829.pdf | ||
| + | - **A Survey of Malware Detection Using Deep Learning** | ||
| + | * Md Sakib Hasan et al., arXiv 2024 | Pages: 38 | Difficulty: 2/5 | ||
| + | * Abstract: Investigates recent advances in malware detection on MacOS, Windows, iOS, Android, and Linux using deep learning. Examines text and image classification approaches, pre-trained and multi-task learning models. Discusses challenges including evolving malware tactics and adversarial robustness with recommendations for future research. | ||
| + | * Keywords: Survey paper, malware detection, deep learning, multi-platform, transfer learning | ||
| + | * URL: https://arxiv.org/pdf/2407.19153.pdf | ||
| + | - **Automated Machine Learning for Deep Learning based Malware Detection** | ||
| + | * Austin Brown et al., arXiv 2023 | Pages: 15 | Difficulty: 3/5 | ||
| + | * Abstract: Provides comprehensive analysis of using AutoML for static and online malware detection. Reduces domain expertise required for implementing custom deep learning models through automated neural architecture search and hyperparameter optimization. Demonstrates effectiveness on real-world malware datasets with reduced computational overhead. | ||
| + | * Keywords: AutoML, malware detection, neural architecture search, deep learning, automated ML | ||
| + | * URL: https://arxiv.org/pdf/2303.01679.pdf | ||
| - | * Wu et al. [199]: This paper introduces "DeceptPrompt," a novel algorithm that can generate adversarial natural language instructions that drive Code LLMs to produce functionally correct code with hidden vulnerabilities. The algorithm uses a systematic evolution-based methodology with a fine-grained loss design to craft deceptive prompts. | + | ==== C9. AI for Cybersecurity Defense: Blockchain Security ==== |
| + | - **Deep Learning for Blockchain Security: A Survey** | ||
| + | * Shijie Zhang et al., IEEE Network 2021 | Pages: 8 | Difficulty: 2/5 | ||
| + | * Abstract: Survey paper discussing applications of deep learning to blockchain security including smart contract analysis, anomaly detection, and fraud detection. Identifies challenges such as limited labeled data and adversarial attacks. Proposes research directions for improving blockchain security with AI. | ||
| + | * Keywords: Survey paper, blockchain security, deep learning, smart contracts, anomaly detection | ||
| + | * URL: https://arxiv.org/pdf/2107.08265.pdf | ||
| + | - **Detecting Ponzi Schemes on Ethereum: Towards Healthier Blockchain Technology** | ||
| + | * Weili Chen et al., WWW 2018 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Detects Ponzi schemes deployed as smart contracts on Ethereum with a gradient-boosted tree classifier (XGBoost) trained on features extracted from account transaction behaviour and from contract opcode frequencies, so a contract can be screened from its bytecode before it attracts victims. Reports high precision on a manually labelled contract set and estimates that hundreds of unreported Ponzi contracts exist on the Ethereum blockchain. | ||
| + | * Keywords: Ponzi schemes, Ethereum, fraud detection, smart contracts, XGBoost, opcode features | ||
| + | * URL: https://arxiv.org/pdf/1803.03916.pdf | ||
| + | - **Smart Contract Vulnerability Detection Based on Deep Learning and Multimodal Decision Fusion** | ||
| + | * Weidong Deng et al., Sensors 2023 | Pages: 18 | Difficulty: 4/5 | ||
| + | * Abstract: Proposes multimodal deep learning framework combining control flow graphs and opcode sequences for smart contract vulnerability detection. Uses CNN and LSTM models with decision fusion mechanism. Achieves superior performance in detecting reentrancy, timestamp dependence, and other common vulnerabilities compared to single-modality approaches. | ||
| + | * Keywords: Smart contracts, vulnerability detection, deep learning, multimodal fusion, Ethereum | ||
| + | * URL: https://www.mdpi.com/1424-8220/23/17/7319/pdf | ||
| + | - **Deep Learning-based Solution for Smart Contract Vulnerabilities Detection** | ||
| + | * Wentao Li et al., Scientific Reports 2023 | Pages: 14 | Difficulty: 3/5 | ||
| + | * Abstract: Introduces Lightning Cat deep learning framework for detecting smart contract vulnerabilities without predefined rules. Uses LSTM and attention mechanisms to learn vulnerability features during training. Demonstrates effectiveness on real-world Ethereum contracts achieving high detection rates for multiple vulnerability types. | ||
| + | * Keywords: Smart contracts, deep learning, LSTM, vulnerability detection, Ethereum security | ||
| + | * URL: https://www.nature.com/articles/s41598-023-47219-0.pdf | ||
| + | - **Vulnerability Detection in Smart Contracts: A Comprehensive Survey** | ||
| + | * Anonymous et al., arXiv 2024 | Pages: 35 | Difficulty: 2/5 | ||
| + | * Abstract: Comprehensive systematic review exploring intersection of machine learning and smart contract security. Reviews 100+ papers from 2020-2024 on ML techniques for vulnerability detection and mitigation. Analyzes GNN, SVM, Random Forest, and deep learning approaches with their effectiveness and limitations. | ||
| + | * Keywords: Survey paper, smart contracts, machine learning, vulnerability detection, blockchain security | ||
| + | * URL: https://arxiv.org/pdf/2407.07922.pdf | ||
| - | * Son et al. [200]: This paper discusses "Adversarial attacks and defenses in 6G network-assisted IoT systems". While its primary focus is on a broader context of adversarial machine learning in 6G networks, it is cited in the Ferrag paper's section on Adversarial Natural Language Instructions. | + | ==== C10. AI for Cybersecurity Defense: Phishing Detection ==== |
| - | ==== Data Poisoning ==== | + | - **Deep Learning Approaches for Phishing Detection: A Systematic Literature Review** |
| + | * Gunikhan Sonowal, K. S. Kuppusamy, SN COMPUT SCI 2020 | Pages: 18 | Difficulty: 2/5 | ||
| + | * Abstract: Systematic review of deep learning methods for phishing detection covering 2015-2020. Categorizes approaches by input features (URL, HTML, visual) and model architecture. Compares performance metrics and identifies research trends and gaps in phishing detection. | ||
| + | * Keywords: Survey paper, phishing detection, deep learning, website security, URL analysis | ||
| + | * URL: https://arxiv.org/pdf/2007.15232.pdf | ||
| + | - **Phishing Email Detection Model Using Deep Learning** | ||
| + | * Adel Binbusayyis, Thavavel Vaiyapuri, Electronics 2023 | Pages: 19 | Difficulty: 3/5 | ||
| + | * Abstract: Explores deep learning techniques including CNN, LSTM, RNN, and BERT for email phishing detection. Compares performance across multiple architectures and proposes hybrid model combining CNNs with recurrent layers. Achieves 98% accuracy on real-world email datasets with analysis of model interpretability and deployment considerations. | ||
| + | * Keywords: Email phishing, deep learning, BERT, CNN-LSTM, natural language processing | ||
| + | * URL: https://www.mdpi.com/2079-9292/12/20/4261/pdf | ||
| + | - <fc red>(kwak)</fc> **A Deep Learning-Based Innovative Technique for Phishing Detection with URLs** | ||
| + | * Saleh N. Almuayqil et al., Sensors 2023 | Pages: 20 | Difficulty: 2/5 | ||
| + | * Abstract: Proposes CNN-based model for phishing website detection using character embedding approach on URLs. Evaluates performance on PhishTank dataset achieving high accuracy in distinguishing legitimate from phishing websites. Introduces novel 1D CNN architecture specifically designed for URL-based detection without requiring HTML content analysis. | ||
| + | * Keywords: Phishing detection, CNN, character embedding, URL analysis, PhishTank dataset | ||
| + | * URL: https://www.mdpi.com/1424-8220/23/9/4403/pdf | ||
| + | - **An Improved Transformer-based Model for Detecting Phishing, Spam and Ham Emails** | ||
| + | * Shahzad Jamal, Himanshu Wimmer, arXiv 2023 | Pages: 12 | Difficulty: 3/5 | ||
| + | * Abstract: Proposes IPSDM fine-tuned model based on BERT family addressing sophisticated phishing and spam attacks. Uses DistilBERT and RoBERTa for efficient email classification achieving superior performance over traditional methods. Demonstrates effectiveness of transformer models in understanding email context and identifying subtle phishing indicators. | ||
| + | * Keywords: Transformer models, BERT, email security, phishing detection, spam filtering | ||
| + | * URL: https://arxiv.org/pdf/2311.04913.pdf | ||
| - | * <fc red>(Sohyeon)</fc> Yang et al. [202]: "Data poisoning attacks against multimodal encoders". This paper discusses data poisoning attacks that manipulate the training dataset to skew a model's learning process. | + | ==== C11. Cyber Threat Intelligence ==== |
| + | - **Deep Learning for Threat Intelligence: A Survey** | ||
| + | * Xiaojun Xu et al., arXiv 2022 | Pages: 25 | Difficulty: 2/5 | ||
| + | * Abstract: Comprehensive survey of deep learning applications in cyber threat intelligence including threat detection, attribution, and prediction. Reviews architectures (CNNs, RNNs, transformers, GNNs) and their applications. Discusses challenges including adversarial attacks and data scarcity. | ||
| + | * Keywords: Survey paper, threat intelligence, deep learning, threat detection, NLP | ||
| + | * URL: https://arxiv.org/pdf/2212.10002.pdf | ||
| - | * <fc red>(Sangbin)</fc> Gupta et al. [204]: "A novel data poisoning attack in federated learning based on inverted loss function". This paper describes a data poisoning attack in the context of federated learning. | + | ==== C12. AI Model Security & Supply Chain ==== |
| + | - **Weight Poisoning Attacks on Pre-trained Models** | ||
| + | * Keita Kurita et al., ACL 2020 | Pages: 11 | Difficulty: 3/5 | ||
| + | * Abstract: Demonstrates that pre-trained language models in public repositories can be poisoned with backdoors that persist through fine-tuning. Attackers poison model weights such that backdoors activate on downstream tasks after users fine-tuned the model. Highlights supply chain risks in the model-sharing ecosystem. | ||
| + | * Keywords: Weight poisoning, pre-trained models, backdoor attacks, supply chain security, BERT, transfer learning | ||
| + | * URL: https://arxiv.org/pdf/2004.06660.pdf | ||
| + | - **Backdoor Attacks on Self-Supervised Learning** | ||
| + | * Aniruddha Saha et al., CVPR 2022 | Pages: 10 | Difficulty: 3/5 | ||
| + | * Abstract: Shows that backdoors injected during self-supervised pre-training transfer to downstream supervised tasks. Even when fine-tuning on clean data, backdoored features persist and can be activated with appropriate triggers. Demonstrates attacks on contrastive learning methods like SimCLR and MoCo. | ||
| + | * Keywords: Self-supervised learning, backdoor attacks, contrastive learning, transfer learning, SimCLR | ||
| + | * URL: https://arxiv.org/pdf/2204.10850.pdf | ||
| + | - **Model Stealing Attacks Against Inductive Graph Neural Networks** | ||
| + | * Yun Shen et al., IEEE S&P 2022 | Pages: 16 | Difficulty: 4/5 | ||
| + | * Abstract: Formalizes model stealing against inductive graph neural networks, where the attacker holds its own query graph and receives node embeddings or predicted class probabilities from the target, and trains a surrogate GNN from those responses. Shows the surrogate reaches high accuracy and high fidelity to the target across several threat models with modest query budgets. | ||
| + | * Keywords: Model stealing, graph neural networks, model extraction, API attacks, intellectual property | ||
| + | * URL: https://arxiv.org/pdf/2112.08331.pdf | ||
| + | - **Proof-of-Learning: Definitions and Practice** | ||
| + | * Hengrui Jia et al., IEEE S&P 2021 | Pages: 17 | Difficulty: 4/5 | ||
| + | * Abstract: Introduces proof-of-learning: during training the prover logs intermediate checkpoints together with the data order, hyperparameters and random seeds; a verifier re-executes a small number of the logged steps and checks that the recomputed checkpoints are close to the logged ones, so honest training can be proven without the verifier repeating all of it. Argues that forging a convincing proof costs at least as much as training. Addresses model ownership disputes and dishonest workers in distributed training. | ||
| + | * Keywords: Proof-of-learning, verifiable training, model verification, training provenance, model ownership | ||
| + | * URL: https://arxiv.org/pdf/2103.05633.pdf | ||
| - | * Cinà et al. [203]: "Wild patterns reloaded: A survey of machine learning security against training data poisoning". This paper provides a survey of machine learning security against training data poisoning. | + | ==== C13. Robustness & Certified Defenses ==== |
| + | - **Certified Adversarial Robustness via Randomized Smoothing** | ||
| + | * Jeremy Cohen et al., ICML 2019 | Pages: 17 | Difficulty: 4/5 | ||
| + | * Abstract: Provides provable robustness certificates using randomized smoothing by adding Gaussian noise. Transforms any classifier into a certifiably robust version with theoretical guarantees. Achieves state-of-the-art certified accuracy on ImageNet and demonstrates scalability to large models and datasets. | ||
| + | * Keywords: Certified defenses, randomized smoothing, Gaussian noise, provable robustness, theoretical guarantees | ||
| + | * URL: https://arxiv.org/pdf/1902.02918.pdf | ||
| + | - **Provable Defenses via the Convex Outer Adversarial Polytope** | ||
| + | * Eric Wong, Zico Kolter, ICML 2018 | Pages: 11 | Difficulty: 5/5 | ||
| + | * Abstract: Uses convex optimization to train neural networks with provable robustness guarantees. Computes exact worst-case adversarial loss during training through linear relaxation. Limited to small networks due to computational complexity but provides strongest possible guarantees. | ||
| + | * Keywords: Certified defenses, convex optimization, provable robustness, linear relaxation, formal verification | ||
| + | * URL: https://arxiv.org/pdf/1711.00851.pdf | ||
| + | - **Benchmarking Neural Network Robustness to Common Corruptions and Perturbations** | ||
| + | * Dan Hendrycks, Thomas Dietterich, ICLR 2019 | Pages: 17 | Difficulty: 2/5 | ||
| + | * Abstract: Introduces ImageNet-C benchmark for evaluating robustness to natural image corruptions like noise, blur, and weather effects. Shows that adversarially trained models often fail on common corruptions despite improved adversarial robustness. Demonstrates importance of testing robustness beyond adversarial perturbations. | ||
| + | * Keywords: Robustness benchmarks, natural corruptions, distribution shift, model evaluation, ImageNet-C | ||
| + | * URL: https://arxiv.org/pdf/1903.12261.pdf | ||
| - | * He et al. [205]: "Talk too much: Poisoning large language models under token limit". This paper details an attack that subtly alters input data to trigger malicious behaviors in a model based on conditional output limitations. | + | ==== C14. Interpretability & Verification for Security ==== |
| - | * <fc red>(changyeol)</fc> Jiaming He1,2, Wenbo Jiang" : "Watch Out for Your Guidance on Generation! Exploring Conditional Backdoor Attacks against Large Language Models". | + | - **DeepXplore: Automated Whitebox Testing of Deep Learning Systems** |
| + | * Kexin Pei et al., SOSP 2017 | Pages: 18 | Difficulty: 3/5 | ||
| + | * Abstract: Introduces neuron coverage as a metric for testing deep learning systems. Automatically generates test inputs that maximize differential behavior across multiple models. Discovers thousands of erronous behaviors in production DL systems including self-driving cars. | ||
| + | * Keywords: DNN testing, neuron coverage, differential testing, automated test generation, model testing | ||
| + | * URL: https://arxiv.org/pdf/1705.06640.pdf | ||
| + | - **Attention is Not Always Explanation: Quantifying Attention Flow in Transformers** | ||
| + | * Samira Abnar, Willem Zuidema, EMNLP 2020 | Pages: 11 | Difficulty: 3/5 | ||
| + | * Abstract: Analyzes whether attention weights in transformers provide faithful explanations of model behavior. Introduces attention flow to track information through layers. Shows attention weights can be manipulated without changing predictions, questioning their reliability as explanations in security-critical applications. | ||
| + | * Keywords: Attention mechanisms, interpretability, transformers, explanation faithfulness, NLP analysis | ||
| + | * URL: https://arxiv.org/pdf/2005.13005.pdf | ||
| + | ==== C15. AI for Offensive Security ==== | ||
| + | - **Generating Adversarial Examples with Adversarial Networks** | ||
| + | * Chaowei Xiao et al., IJCAI 2018 | Pages: 8 | Difficulty: 4/5 | ||
| + | * Abstract: Uses generative adversarial networks (GANs) to create adversarial examples that lie on the natural data manifold. These attacks are more realistic and harder to detect than perturbation-based attacks. Demonstrates successful attacks against defended models that detect out-of-distribution adversarial examples. | ||
| + | * Keywords: GANs, adversarial examples, generative models, natural adversarial examples, attack generation | ||
| + | * URL: https://arxiv.org/pdf/1801.02610.pdf | ||
| + | - **Generating Natural Language Adversarial Examples on a Large Scale with Generative Models** | ||
| + | * Yankun Ren et al., EMNLP-IJCNLP 2019 | Pages: 8 | Difficulty: 3/5 | ||
| + | * Abstract: Uses generative models to create adversarial text examples at scale. Generates semantically similar text that fools NLP classifiers. Demonstrates vulnerabilities in sentiment analysis, textual entailment, and question answering systems. | ||
| + | * Keywords: Adversarial NLP, generative models, text perturbations, semantic similarity, NLP attacks | ||
| + | * URL: https://arxiv.org/pdf/1909.01631.pdf | ||
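Review bot: "erronous" in the DeepXplore abstract ("Discovers thousands of erronous behaviors in production DL systems") should read "erroneous". Separately, the three entries removed on the left side of this hunk (Cinà et al. [203] "Wild patterns reloaded", He et al. [205] "Talk too much", and the He/Jiang conditional backdoor paper marked "(changyeol)") are not re-added under any of the new C13, C14 or C15 headings here; if they were meant to move to a poisoning or backdoor category, confirm they appear there, otherwise note in the edit summary that they were intentionally dropped, since the "(changyeol)" marker suggests that entry had an assigned presenter.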