Federal Bureau of Investigation (FBI) / Internet Crime Complaint Center (IC3) pdf
The cyber criminal group TeamPCP is conducting large-scale software supply chain attacks by injecting malicious code into legitimate, widely-used development and security tools. By compromising trusted distribution channels, they deploy trojanized updates that establish persistent backdoors and steal highly sensitive credentials from enterprise CI/CD pipelines and cloud environments.
Arxiv pdf
Modern software architectures rely heavily on APIs, which serve as primary targets for cyberattacks due to their direct access to sensitive data. Traditional API security often relies on OpenAPI (Swagger) documentation to define expected behavior. However, in real-world environments, documentation is frequently incomplete, outdated, or missing entirely, creating significant security blind spots. This research introduces HTTP REST API Learning (HRAL), an unsupervised anomaly detection framework designed to reconstruct API specifications directly from observed network traffic.
Arxiv pdf
As AI coding agents gain the ability to generate thousands of lines of code, the primary security bottleneck shifts from capability to verification. Unconstrained agents pose significant risks, including the injection of silent backdoors and the erosion of codebase scalability. This research proposes moving away from "advisory" defenses (prompt-based instructions) toward "enforced" defenses (substrate-level constraints) to enable scalable, automated oversight.
Arxiv pdf
This research introduces a unified, model-agnostic framework designed to protect distributed machine learning (ML) environments from two primary categories of threats: Privacy Leakage (information theft) and Malicious Manipulation (data/model poisoning).
Arxiv pdf
HaloGuard 1.0 is a new family of open-weight, highly efficient input-prompt classifiers (0.8B and 4B parameters) designed to serve as a first-layer defense for Large Language Model (LLM) deployments. Unlike traditional guardrails that rely on simple keyword filtering or coarse taxonomies, HaloGuard uses a "Constitutional" approach to distinguish between unsafe intent and safe discussion of sensitive topics.
Arxiv pdf
kNNGuard is a training-free framework designed to protect Large Language Models (LLMs) from unsafe, off-topic, and adversarial prompts. Unlike traditional guardrails that require expensive fine-tuning (e.g., LoRA), kNNGuard treats a frozen LLM as a feature extractor, using its internal "hidden activations" to classify prompts based on their proximity to a small bank of known safe and unsafe examples.
Arxiv pdf
As AI agents evolve to use external tools (via protocols like MCP) and maintain long-term memory, they introduce a critical vulnerability: Contextual State Poisoning. Current systems lack a mechanism to verify that the tools and memories an agent uses have not been maliciously altered. ElephantAgent is a proposed security protocol designed to ensure "Contextual State Continuity," ensuring an agent always operates on a verified, authorized, and untampered history of its environment and memory.
Arxiv pdf
Modern LLM-based "agent programs" introduce a new programming paradigm where logic is determined by a mix of deterministic code and probabilistic model outputs. These programs rely on agent frameworks (e.g., LangGraph, CrewAI, OpenAI Agents) that use specialized semantics—such as tool decorators, agent handoffs, and shared memory—to orchestrate behavior. Traditional static analysis tools fail to track these "agent dependencies," leaving significant security blind spots. AGENTFLOW is a novel static analysis framework that recovers an Agent Dependency Graph (ADG) to provide visibility into these complex interactions.
Arxiv pdf
Janus is a research "playground" designed to explore and evaluate how AI agents should manage permissions when executing tool calls (API calls) on behalf of a user. The research addresses the tension between autonomy (efficiency) and security (preventing unauthorized actions), applying classic security principles like Least Privilege and Complete Mediation to the era of LLM-driven agents.
Arxiv pdf
This research investigates a critical vulnerability in distributed learning systems (such as Federated Learning) where two primary defense mechanisms—Local Differential Privacy (LDP) and Byzantine Robustness—interact in unexpected and potentially counterproductive ways regarding model generalization.
Arxiv pdf
NightVision is a black-box inference attack designed to recover the proprietary architectural properties of Large Language Models (LLMs) through restrictive API access. While many providers have removed "logit bias" and "top-k" probability outputs to protect their intellectual property, NightVision demonstrates that the hidden dimension, model depth, and total parameter count can still be estimated using only a single decoded token's log-probability and inference timing.
Arxiv pdf
This research introduces the Cybersecurity Incident Response Influencing Factor (CIR-IF) Taxonomy. After a systematic review of 457 publications, the authors identified that current incident response (IR) frameworks (including NIST SP 800-61r3) often lack a sufficiently granular, sociotechnical organization of the factors that impact an organization's ability to respond to threats. The CIR-IF Taxonomy provides a structured way to categorize these influences into two primary dimensions: Human Factors and Context Factors.
Arxiv pdf
This research addresses a critical security gap in the ecosystem of LLM Agent Skills—modular packages that extend the capabilities of agents like Claude Code and OpenAI Codex. Because these skills execute with the agent's inherited privileges, they represent a significant software supply-chain risk. The paper demonstrates that current "install-time" static scanners are easily bypassed and proposes a dynamic, behavior-based detection system.
Arxiv pdf
This research addresses a critical intelligence gap in AI security: the inability of both researchers and adversaries to distinguish between a guardrail block (an external middleware security layer) and an LLM refusal (the model's internal safety alignment). Because the methods required to bypass a guardrail (evasion) differ from those required to bypass an LLM (jailbreaking), being able to identify which layer has triggered is essential for both offensive optimization and defensive testing.
Arxiv pdf
Smart contract vulnerabilities are predominantly logic bugs whose detection requires structured, step-by-step procedural knowledge of attack patterns and contract semantics. Existing LLM-based methods struggle to generate this knowledge automatically: prompt-based methods rely on manually crafted detection rules, while fine-tuning requires massive labeled datasets that are inherently scarce in this domain. We present EVOVULN, an automated framework that reformulates vulnerability detection as a procedural knowledge evolution problem, synthesizing and refining detection logic using only a minimal number of labeled samples. To achieve this, EVOVULN introduces two key mechanisms. First, a Runtime with an Inversion of Control (IoC) architecture compiles detection rules into Executable Policies. This strictly decouples deterministic control flow from LLM semantic reasoning, ensuring faithful logical adherence and producing dense diagnostic telemetry for precise error localization. Second, a two-phase evolution pipeline refines the rule via abductive semantic debugging without any parameter updates: Cold Start bootstraps and stress-tests an initial rule using auto-synthesized corner cases; Few-Shot Evolving then grounds the policy in real-world semantics using only five vulnerable and five safe examples per vulnerability type. Evaluated across five real-world vulnerability types, EVOVULN achieves a 71% macro-average F1-score, outperforming all baselines. The evolved procedural knowledge is portable across models: it enables a lightweight, low-cost model to surpass a much larger zero-shot model by 19 percentage points, and transfers to other LLMs without retraining, at a one-time evolution cost under $50.
Arxiv pdf
Modern systems use format-, protocol-, and signature-based mechanisms before accepting artifacts across trust boundaries. These mechanisms are necessary: they show that an artifact is well formed, protocol-compliant, or properly authenticated. They do not, however, show that the artifact satisfies the semantic security properties required by the receiving domain. A signed update or an authenticated token may therefore be accepted yet enable compromise. We call this condition a Trust Boundary Semantic Gap (TBSG): an artifact crosses a trust boundary and passes correctly implemented syntactic validation, but the assertions established by that pass are insufficient to satisfy the receiving domains security requirements. TBSG concerns what remains unestablished after a syntactic pass, not absent checks or implementation bugs. Analyzing 75 publicly reported security incidents (2014 2025) at the boundary level, we organize semantic misalignment into a four-dimensional analysis model: Identity, Spatial, Temporal, and Interpretation (MDTBSG). Building on it, we develop Trust Boundary Semantic Analysis and Mitigation (TBSAM), a design-time framework that identifies TBSGs from design specifications, prioritizes them, traces propagated gaps to their originating boundary, and maps each to candidate architectural controls. We apply TBSAM to a retrospective reconstruction of the SolarWinds/SUNBURST supply-chain attack, showing how it makes receiving-domain assumptions explicit, separates locally originating from propagated gaps, and identifies controls that interrupt the path. These results suggest that syntactic validation, while necessary, is not sufficient at trust boundaries, and that making trust-boundary assumptions explicit can complement Security-by-Design.
Arxiv pdf
The research introduces Pmeta-TLA, a sophisticated data-poisoning attack targeting speech classification models (specifically Keyword Spotting or KWS). The attack focuses on creating "hidden backdoors" that allow an attacker to trigger specific misclassifications using nearly imperceptible audio triggers.
Arxiv pdf
This research evaluates the vulnerability of common machine learning classifiers (MLP, Random Forest, and XGBoost) used in cybersecurity (e.g., phishing and intrusion detection) to adversarial evasion attacks. The study uniquely focuses on two distinct failure points: prediction robustness (whether the model is fooled) and explanation stability (whether the "reasoning" provided by XAI tools like SHAP remains consistent).
Arxiv pdf
Current hardware security verification is a manual, tedious process. While General Purpose Large Language Models (LLMs) like ChatGPT offer potential assistance, they are unsuitable for high-assurance hardware security due to hallucinations (fabricating non-existent security frameworks) and knowledge staleness (inability to access the latest threat intelligence). VeriChat is a specialized multi-agent framework designed to provide trustworthy, verifiable, and actionable security guidance for hardware engineers.
Arxiv pdf
The research introduces a novel threat model where Hardware Trojans (HT) are embedded directly into standard cell libraries rather than the gaps between cells. By exploiting the fabless semiconductor manufacturing model, a malicious foundry can provide tampered libraries that mask the presence of Trojans during the design phase, only to activate them during final fabrication. The study concludes that these Trojans are nearly impossible to detect using traditional IC design flow data or standard Machine Learning (ML) classifiers.
Arxiv pdf
Recent advancements have integrated Large Vision-Language Models (LVLMs) into robotic systems to facilitate perception, reasoning, and planning. However, these models are susceptible to a novel vulnerability known as overthinking-induced slowdown attacks. By exploiting the model's tendency to generate long reasoning traces when faced with complex prompts, an adversary can drastically increase the latency of the robot's decision-making process, leading to critical safety and stability failures in cyber-physical systems.
Arxiv pdf
Malware poses a critical and ever-evolving threat, and robust and effective systems for detecting and classifying malware are of essential importance. __ -grams features are among the common static features used in effective machine learning systems for malware, but these features are inherently brittle. We propose an algorithm for constructing more robust features, hamm-grams, which are a special class of regular expressions having a fixed length and single-character wildcards. We devise an efficient algorithm for finding common hamm-grams using a new locality-sensitive hash designed to produce collisions among pairs of small Hamming distance and a clustering within hash buckets to place wildcards. We then demonstrate the advantages of these features in malware classification and detection tasks.
Arxiv pdf
This research provides a systematic analysis of the evolution of identity (ID) document forgery, tracing the transition from simple physical manipulations to sophisticated synthetic documents generated by Large Multimodal Models (LMMs). It highlights a critical "Reality Gap" where current detection benchmarks fail to reflect the capabilities of modern generative AI (GenAI).
Arxiv pdf
Chameleon is a defensive framework designed to provide resilience to Cyber-Physical Systems (CPS), specifically Robotic Vehicles (RVs), against memory corruption attacks. Unlike traditional defenses that halt system execution upon detecting an exploit—which can be catastrophic for safety-critical hardware—Chameleon enables the system to continue operating by replacing compromised software components with behaviorally equivalent Machine Learning (ML) surrogates.
Arxiv pdf
This research investigates a theoretical method to attack Polynomial Learning With Errors (PLWE)—a core primitive in Post-Quantum Cryptography (PQC)—by using mathematical isomorphisms to "migrate" secure samples into more vulnerable settings. The study concludes that such an approach is mathematically unfeasible because the transformation process introduces excessive noise, rendering the intended attacks ineffective.
Arxiv pdf
Intrusion Detection Systems (IDSs) are essential for monitoring network traffic and identifying malicious activities in modern cyber-physical, Internet of Things (IoT), enterprise, and distributed network environments. However, developing reliable IDS models remains challenging because attack behaviors evolve over time, realistic datasets are difficult to obtain, traffic records may be incomplete, attack classes are often imbalanced, and privacy constraints limit centralized data collection. Recent advances in generative artificial intelligence (AI) and Federated Learning (FL) provide new opportunities to address these limitations. Generative models can support anomaly detection, synthetic traffic generation, data augmentation, data imputation, adversarial traffic generation, and IDS alert explanation. FL enables distributed IDS training without directly sharing local network traffic, making it suitable for privacy-sensitive and geographically distributed environments. This survey provides a structured review of generative AI and FL techniques for IDS. We first summarize representative IDS research directions, including adversarial machine learning, anomaly-based detection, IoT-oriented IDS, explainable IDS, and benchmark datasets. We then categorize generative AI applications in IDS according to model families and task objectives, covering autoencoder-based models, Generative Adversarial Networks (GANs), diffusion models, and Large Language Models (LLMs). Finally, we review emerging studies that integrate generative AI with FL-based IDS and discuss open challenges, including synthetic data quality, realistic traffic generation, dual-use adversarial risks, non-IID client distributions, communication-efficient model sharing, federated IDS benchmarking, and domain-specific LLMs for network security.
Arxiv pdf
The Cognitive Firewall is a proactive runtime oversight framework designed to protect Large Language Models (LLMs) from sophisticated, multi-turn adversarial attacks. Unlike traditional "per-message" guardrails that evaluate individual prompts in isolation, this framework treats LLM safety as a comprehension problem, analyzing the entire conversational trajectory to detect harmful intent that emerges over time.
Arxiv pdf
Modern Information Retrieval (IR) and Retrieval-Augmented Generation (RAG) systems rely on embedding models to convert text into numerical vectors. While these models are often accessed via black-box APIs, the research identifies a critical vulnerability: an attacker can identify exactly which embedding model a system is using simply by observing the documents returned by the API. This discovery, termed an Embedding Inference Attack (EIA), serves as a precursor to more severe attacks, such as embedding inversion (reconstructing sensitive text) or corpus poisoning.
Arxiv pdf
SessionBound is a research-driven architecture designed to solve the authorization gap created by Enterprise AI agents. While users approve business tasks (e.g., "Review June sales expenses"), AI agents execute these tasks by generating open-ended SQL. Currently, there is no deterministic way to ensure the agent's SQL stays within the specific boundaries of the approved business task. SessionBound bridges this gap by converting business approvals into cryptographically signed "task tokens" that enforce strict, budgeted, and auditable database sessions.
Arxiv pdf
Understanding how aligned LLMs internally represent safety is critical for diagnosing alignment vulnerabilities, as it explains why jailbreaks succeed and informs the design of robust alignment strategies. Prior work shows that aligned LLMs encode harmfulness and refusal as separable directions in the residual stream at prompt-side token positions. We show that jailbreaks succeed at prompt encoding by suppressing either the refusal or harmfulness direction before any token is generated, with distinct attack classes occupying separable regions of the harmfulnessrefusal plane. Extending the analysis to response-token positions, we find that the model recognizes harmful content while it is generating that content, even when it failed to recognize the input as harmful at the prompt side. Motivated by our findings, we introduce HARC (Harmfulness-And-Refusal Coupling), a fine-tuning method that pairs the two directions across both prompt and response positions. Since the intervention is confined to the harmfulness-refusal subspace, it leaves the rest of the residual stream intact and does not degrade general capability or inflate over-refusal. Across extensive experiments, HARC achieves the strongest robustness-capability-usability trade-off among six baselines spanning the major training-time and inference-time safety methods. The harmfulness and refusal directions at prompt and response positions transfer across the five model families and two scales we tested without architecture-specific tuning.
Trending Tags Recently Added
Loading…
LINK COPIED TO CLIPBOARD