Papers by Ziyou Jiang
Butterfly Effects in Toolchains: A Comprehensive Analysis of Failed Parameter Filling in LLM Tool-Agent Systems (2025.findings-emnlp)
Copied to clipboard
| Challenge: | emergence of tool agent paradigm has broadened capability boundaries of the Large Language Model (LLM) but effectiveness of tool agents limited due to parameter failure during execution . |
| Approach: | They propose a parameter failure taxonomy to investigate parameter failure . they propose suggestions for standardizing tool return formats and improving error feedback mechanisms . |
| Outcome: | The proposed model is based on a tool agent invocation chain and a mainstream tool agent . it shows that parameter name hallucination failure stems from inherent limitations . |
Generative Text-to-Image Retrieval via Hierarchical Identifiers and Semantic Internalization (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing text-to-image retrieval methods suffer from limited semantic discriminability, alignment bias, and closed-set restrictions. |
| Approach: | They propose a framework for semantic internalization for Generative Multimodal Alignment . they construct multi-granularity hierarchical identifiers to ensure unique, semantically consistent image representations . |
| Outcome: | The proposed framework outperforms state-of-the-art frameworks on Flickr30K and MS-COCO datasets . it achieves average Recall@1, Recall @5, and Recall_10 improvements of 10.65%, 8.50%, and 7.00% . |
Mimicking the Familiar: Dynamic Command Generation for Information Theft Attacks in LLM Tool-Learning System (2025.acl-long)
Copied to clipboard
| Challenge: | Existing approaches to attack Large Language Model (LLM) tool-learning systems are black-box oriented and rely on static commands that cannot adapt flexibly to the changes in user queries and the invocation chain. |
| Approach: | They propose a dynamic attack comment generation approach for information theft attacks in LLM tool-learning systems that mimics the familiar by inferring the information utilized by upstream tools. |
| Outcome: | The proposed approach outperforms baselines with +13.2% ASRTheft and can be generalized to new tool-learning systems to expose their information leakage risks. |
Are All Prompt Components Value-Neutral? Understanding the Heterogeneous Adversarial Robustness of Dissected Prompt in LLMs (2026.eacl-long)
Copied to clipboard
Yujia Zheng, Tianhao Li, Haotian Huang, Tianyu Zeng, Jingyu Lu, Chuangxin Chu, Yuekai Huang, Ziyou Jiang, Qian Xiong, Yuyao Ge, Mingyang Li
| Challenge: | Existing studies treat prompts as flat text, overlooking their internal structure, and different components within a prompt contribute unequally to robustness. |
| Approach: | They propose a framework that decomposes prompts into functional components and a method that selectively modifies components to expose component-wise vulnerabilities. |
| Outcome: | The proposed framework exposes component-wise vulnerabilities while ensuring linguistic plausibility through perplexity-based filtering. |
One Shot Dominance: Knowledge Poisoning Attack on Retrieval-Augmented Generation Systems (2025.findings-emnlp)
Copied to clipboard
Zhiyuan Chang, Mingyang Li, Xiaojun Jia, Junjie Wang, Yuekai Huang, Ziyou Jiang, Yang Liu, Qing Wang
| Challenge: | Existing knowledge poisoning attacks against RAG systems require multiple poisoned documents or can only function effectively on simplistic queries. |
| Approach: | They propose a more realistic knowledge poisoning attack that poisons only a single document while remaining effective for complex multi-hop questions involving complex relationships between multiple elements. |
| Outcome: | The proposed attack achieves success by poisoning only a single document while remaining effective for complex multi-hop questions involving complex relationships between multiple elements. |
All Changes May Have Invariant Principles: Improving Ever-Shifting Harmful Meme Detection via Design Concept Reproduction (2026.acl-long)
Copied to clipboard
Ziyou Jiang, Mingyang Li, Junjie Wang, Yuekai Huang, Jie Huang, Zhiyuan Chang, Zhaoyang Li, Qing Wang
| Challenge: | Existing methods for harmful meme detection only learn the combination of harmful elements and lack understanding of these implicit expressions. |
| Approach: | They propose a method that detects harmful memes by replicating the design concept of malicious users. |
| Outcome: | The proposed method achieves the highest accuracy with 81.1% and has slight accuracy decreases when generalized to type-shifting and temporal-evolving memes. |
Know Thy Enemy: Securing LLMs Against Prompt Injection via Diverse Data Synthesis and Instruction-Level Chain-of-Thought Learning (2026.findings-acl)
Copied to clipboard
Zhiyuan Chang, Mingyang Li, Yuekai Huang, Ziyou Jiang, Xiaojun Jia, Qian Xiong, Junjie Wang, Zhaoyang Li, Qing Wang
| Challenge: | Large language model (LLM)-integrated applications face security vulnerabilities from prompt injection (PI) attacks. |
| Approach: | They propose a model enhancement method that synthesizes diverse training data and employs instruction-level chain-of-thought fine-tuning to enable LLMs to effectively identify and reject malicious instructions regardless of their source or position in the context. |
| Outcome: | The proposed method outperforms baselines in three critical dimensions while maintaining utility performance without degradation. |
SAGE: Synergistic Adaptive Gating of Experts for Hateful Video Detection (2026.acl-long)
Copied to clipboard
| Challenge: | Existing methods for hateful video detection rely on multimodal feature fusion . existing methods rely only on blind feature mixing, which leads to feature dilution . |
| Approach: | They propose a framework that shifts from blind feature mixing to decision-level arbitration . it instantiates disentangled experts to rigorously preserve modality-specific semantics . |
| Outcome: | The proposed framework outperforms state-of-the-art methods on HateMM and MultiHateClip benchmarks. |