Papers by Zhenhong Zhou
Course-Correction: Safety Alignment Using Synthetic Preferences (2024.emnlp-industry)
Copied to clipboard
Rongwu Xu, Yishuo Cai, Zhenhong Zhou, Renjie Gu, Haiqin Weng, Liu Yan, Tianwei Zhang, Wei Xu, Han Qiu
| Challenge: | Recent studies show that large language models generate harmful content, but the potential for generating harmful content is an escalating concern. |
| Approach: | They propose to fine-tune LLMs with preference learning to emphasize the preference for timely course-correction by using an automated pipeline. |
| Outcome: | The proposed model improves course-correction skills without affecting general performance and resists jailbreak attacks. |
Backdoor Collapse: Eliminating Unknown Threats Via Known Backdoor Aggregation In Language Models (2026.acl-long)
Copied to clipboard
Liang Lin, Miao Yu, Moayad Aloqaily, Zhenhong Zhou, Kun Wang, Linsey Pang, Prakhar Mehrotra, Qingsong Wen
| Challenge: | Existing defenses rely on impractical assumptions about trigger settings to mitigate backdoor attacks . a recent study found that small amounts of training data can systematically induce harmful behaviors in large language models. |
| Approach: | They propose a backdoor defense framework that requires no prior knowledge of trigger settings . they use a two-stage process to aggregate backdoor representations and fine-tune recovery . |
| Outcome: | The proposed defense reduces the average Attack Success Rate to 4.41% across multiple benchmarks . the proposed framework generalizes across different types of backdoors, confirming its robustness in practical deployment scenarios. |
Alignment-Enhanced Decoding: Defending Jailbreaks via Token-Level Adaptive Refining of Probability Distributions (2024.emnlp-main)
Copied to clipboard
| Challenge: | Existing defenses against jailbreaks focus on perturbing or inspecting inputs, but ignore competing objectives, the underlying cause of alignment failures. |
| Approach: | They propose a novel defense that employs adaptive decoding to address the root causes of jailbreak issues. |
| Outcome: | The proposed defense improves safety alignment while maintaining helpfulness. |
X-Router: Decoupling Knowledge and Reasoning for Cost-Effective LLM Inference (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing adaptive methods focus on a single axis, overlooking evidence need and reasoning depth are only partially correlated. |
| Approach: | They propose a dual-axis routing framework that separates retrieval necessity from reasoning necessity under a user-defined cost–quality trade-off. |
| Outcome: | The proposed framework reduces token usage and latency while improving answer quality over strong baselines. |
How Alignment and Jailbreak Work: Explain LLM Safety through Intermediate Hidden States (2024.findings-emnlp)
Copied to clipboard
| Challenge: | Large language models (LLMs) rely on safety alignment to avoid malicious user inputs. |
| Approach: | They employ weak classifiers to explain LLM safety through the intermediate hidden states. |
| Outcome: | The proposed model can identify malicious and normal inputs and detect malicious ones without jailbreak. |
DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-based Agent (2025.findings-emnlp)
Copied to clipboard
| Challenge: | a new method for detecting advanced backdoors is proposed to bypass safety audits. |
| Approach: | They propose a backdoor implantation strategy that introduces dynamic encryption to bypass safety audits. |
| Outcome: | The proposed method achieves an attack success rate approaching 100% while maintaining a detection rate of 0%. |
RSA-Bench: Benchmarking Audio Large Models in Real-World Acoustic Scenarios (2026.findings-acl)
Copied to clipboard
Yibo Zhang, Kaiwen Luo, Liang Lin, Shilinlu Yan, Jin Wang, Yaoqi Guo, Yitian Chen, Yalan Qin, Zhenhong Zhou, Kun Wang, Li Sun
| Challenge: | Existing evaluations rely on synthetic Gaussian noise or simplistic single-source interference, failing to capture the intricate, multi-layered acoustic dynamics that characterize authentic physical environments. |
| Approach: | They propose a robustness benchmark to stress-test Audio Large Models (ALLMs) using high-fidelity auditory scene simulations. |
| Outcome: | The proposed model performs well on a wide range of tasks, including automatic speech recognition, speech translation, and audio-based reasoning. |
SEE: Signal Embedding Energy for Quantifying Noise Interference in Large Audio Language Models (2026.acl-long)
Copied to clipboard
| Challenge: | Existing studies on noise lack quantitative analysis and rely on intuition and empirical observation, thus failing to understand practical robustness. |
| Approach: | They propose a method for quantifying the impact of noise intensity on LALM inputs by using a structured activation subspace derived from the model's internal representations. |
| Outcome: | The proposed method outperforms existing denoising methods and demonstrates that noise is perceived more accurately than raw audio features. |
PD3F: A Pluggable and Dynamic DoS-Defense Framework against resource consumption attacks targeting Large Language Models (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Existing work lacks mitigation strategies against resource consumption attacks . existing work does not provide mitigation strategies for real-world LLM deployments . |
| Approach: | They propose a pluggable and dynamic doS-Defense framework which employs a two-stage approach to defend against resource consumption attacks from both the input and output sides. |
| Outcome: | The proposed framework significantly mitigates resource consumption attacks, improving users’ access capacity by up to 500% during adversarial load. |
RiskLab: A Controlled Toolkit for Probing Emergent Risks in LLM-Based Multi-Agent Systems (2026.acl-demo)
Copied to clipboard
Yu Jiang, Wenjie Wang, Yue Huang, Yanbo Wang, Zhenhong Zhou, Xiuying Chen, Yang Liu, Pin-Yu Chen, Wei Wang, Xiangliang Zhang
| Challenge: | Recent advances in large language model (LLM) agents have accelerated deployment of multi-agent systems for complex tasks. |
| Approach: | They propose an open-source toolkit for instantiating, probing, and measuring emergent risks in LLM-based multi-agent systems under controlled conditions. |
| Outcome: | The proposed toolkit is based on a structured topology–environment–protocol–agent–task quintuple enabling reproducible studies of how communication structure, coordination mechanisms, and incentives shape system-level risks. |
HearSay Benchmark: Do Audio LLMs Leak What They Hear? (2026.findings-acl)
Copied to clipboard
Jin Wang, Kaiwen Luo, Liang Lin, Weiliu Wang, Yitian Chen, Moayad Aloqaily, Xuehai Tang, Zhenhong Zhou, Kun Wang, Li Sun, Qingsong Wen
| Challenge: | Recent advances in audio large language models have led to their potential privacy implications unexplored. |
| Approach: | They propose a benchmark to examine whether ALLMs leak user privacy through acoustic voiceprints. |
| Outcome: | The proposed benchmark is constructed from over 22,000 real-world audio clips. |
CORBA: Contagious Recursive Blocking Attacks on Multi-Agent Systems Based on Large Language Models (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing security models rely on open-ended communication, but the collaborative process itself can be exploited and disrupted. |
| Approach: | They propose a new threat class, called Denial-of-Collaboration, which corrupts collaborative structure and transforms communication topology into self-sabotage. |
| Outcome: | The proposed attacks bypass conventional safety alignments that are not designed to detect behavioral or systemic attacks. |
Crabs: Consuming Resource via Auto-generation for LLM-DoS Attack under Black-box Settings (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing studies on white-box attacks focus on black-box LLMs, leaving black- box scenarios underexplored. |
| Approach: | They propose an automated algorithm designed for black-box LLMs that constructs the DoS Attack Tree and expands the node coverage to achieve effectiveness under black- box conditions. |
| Outcome: | The proposed algorithm can be used to build a DoS Attack Tree and expand the node coverage to achieve effectiveness under black-box conditions. |