Papers by Zhenhong Zhou

13 papers
Course-Correction: Safety Alignment Using Synthetic Preferences (2024.emnlp-industry)

Copied to clipboard

Challenge: Recent studies show that large language models generate harmful content, but the potential for generating harmful content is an escalating concern.
Approach: They propose to fine-tune LLMs with preference learning to emphasize the preference for timely course-correction by using an automated pipeline.
Outcome: The proposed model improves course-correction skills without affecting general performance and resists jailbreak attacks.
Backdoor Collapse: Eliminating Unknown Threats Via Known Backdoor Aggregation In Language Models (2026.acl-long)

Copied to clipboard

Challenge: Existing defenses rely on impractical assumptions about trigger settings to mitigate backdoor attacks . a recent study found that small amounts of training data can systematically induce harmful behaviors in large language models.
Approach: They propose a backdoor defense framework that requires no prior knowledge of trigger settings . they use a two-stage process to aggregate backdoor representations and fine-tune recovery .
Outcome: The proposed defense reduces the average Attack Success Rate to 4.41% across multiple benchmarks . the proposed framework generalizes across different types of backdoors, confirming its robustness in practical deployment scenarios.
Alignment-Enhanced Decoding: Defending Jailbreaks via Token-Level Adaptive Refining of Probability Distributions (2024.emnlp-main)

Copied to clipboard

Challenge: Existing defenses against jailbreaks focus on perturbing or inspecting inputs, but ignore competing objectives, the underlying cause of alignment failures.
Approach: They propose a novel defense that employs adaptive decoding to address the root causes of jailbreak issues.
Outcome: The proposed defense improves safety alignment while maintaining helpfulness.
X-Router: Decoupling Knowledge and Reasoning for Cost-Effective LLM Inference (2026.findings-acl)

Copied to clipboard

Challenge: Existing adaptive methods focus on a single axis, overlooking evidence need and reasoning depth are only partially correlated.
Approach: They propose a dual-axis routing framework that separates retrieval necessity from reasoning necessity under a user-defined cost–quality trade-off.
Outcome: The proposed framework reduces token usage and latency while improving answer quality over strong baselines.
How Alignment and Jailbreak Work: Explain LLM Safety through Intermediate Hidden States (2024.findings-emnlp)

Copied to clipboard

Challenge: Large language models (LLMs) rely on safety alignment to avoid malicious user inputs.
Approach: They employ weak classifiers to explain LLM safety through the intermediate hidden states.
Outcome: The proposed model can identify malicious and normal inputs and detect malicious ones without jailbreak.
DemonAgent: Dynamically Encrypted Multi-Backdoor Implantation Attack on LLM-based Agent (2025.findings-emnlp)

Copied to clipboard

Challenge: a new method for detecting advanced backdoors is proposed to bypass safety audits.
Approach: They propose a backdoor implantation strategy that introduces dynamic encryption to bypass safety audits.
Outcome: The proposed method achieves an attack success rate approaching 100% while maintaining a detection rate of 0%.
RSA-Bench: Benchmarking Audio Large Models in Real-World Acoustic Scenarios (2026.findings-acl)

Copied to clipboard

Challenge: Existing evaluations rely on synthetic Gaussian noise or simplistic single-source interference, failing to capture the intricate, multi-layered acoustic dynamics that characterize authentic physical environments.
Approach: They propose a robustness benchmark to stress-test Audio Large Models (ALLMs) using high-fidelity auditory scene simulations.
Outcome: The proposed model performs well on a wide range of tasks, including automatic speech recognition, speech translation, and audio-based reasoning.
SEE: Signal Embedding Energy for Quantifying Noise Interference in Large Audio Language Models (2026.acl-long)

Copied to clipboard

Challenge: Existing studies on noise lack quantitative analysis and rely on intuition and empirical observation, thus failing to understand practical robustness.
Approach: They propose a method for quantifying the impact of noise intensity on LALM inputs by using a structured activation subspace derived from the model's internal representations.
Outcome: The proposed method outperforms existing denoising methods and demonstrates that noise is perceived more accurately than raw audio features.
PD3F: A Pluggable and Dynamic DoS-Defense Framework against resource consumption attacks targeting Large Language Models (2025.findings-emnlp)

Copied to clipboard

Challenge: Existing work lacks mitigation strategies against resource consumption attacks . existing work does not provide mitigation strategies for real-world LLM deployments .
Approach: They propose a pluggable and dynamic doS-Defense framework which employs a two-stage approach to defend against resource consumption attacks from both the input and output sides.
Outcome: The proposed framework significantly mitigates resource consumption attacks, improving users’ access capacity by up to 500% during adversarial load.
RiskLab: A Controlled Toolkit for Probing Emergent Risks in LLM-Based Multi-Agent Systems (2026.acl-demo)

Copied to clipboard

Challenge: Recent advances in large language model (LLM) agents have accelerated deployment of multi-agent systems for complex tasks.
Approach: They propose an open-source toolkit for instantiating, probing, and measuring emergent risks in LLM-based multi-agent systems under controlled conditions.
Outcome: The proposed toolkit is based on a structured topology–environment–protocol–agent–task quintuple enabling reproducible studies of how communication structure, coordination mechanisms, and incentives shape system-level risks.
HearSay Benchmark: Do Audio LLMs Leak What They Hear? (2026.findings-acl)

Copied to clipboard

Challenge: Recent advances in audio large language models have led to their potential privacy implications unexplored.
Approach: They propose a benchmark to examine whether ALLMs leak user privacy through acoustic voiceprints.
Outcome: The proposed benchmark is constructed from over 22,000 real-world audio clips.
CORBA: Contagious Recursive Blocking Attacks on Multi-Agent Systems Based on Large Language Models (2026.findings-acl)

Copied to clipboard

Challenge: Existing security models rely on open-ended communication, but the collaborative process itself can be exploited and disrupted.
Approach: They propose a new threat class, called Denial-of-Collaboration, which corrupts collaborative structure and transforms communication topology into self-sabotage.
Outcome: The proposed attacks bypass conventional safety alignments that are not designed to detect behavioral or systemic attacks.
Crabs: Consuming Resource via Auto-generation for LLM-DoS Attack under Black-box Settings (2025.findings-acl)

Copied to clipboard

Challenge: Existing studies on white-box attacks focus on black-box LLMs, leaving black- box scenarios underexplored.
Approach: They propose an automated algorithm designed for black-box LLMs that constructs the DoS Attack Tree and expands the node coverage to achieve effectiveness under black- box conditions.
Outcome: The proposed algorithm can be used to build a DoS Attack Tree and expand the node coverage to achieve effectiveness under black-box conditions.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations