I am currently an Assistant Professor at Xi’an Jiaotong University. My research interests focus on data security and privacy issues in machine learning system. My vision is to protect the legitimate data rights and interests of every individual in the era of widespread artificial intelligence.

Each year, I have 1~2 openings for Master’s students, and undergraduate students are welcome to join our research.
If you are interested in these research topics, please feel free to contact me via email.

News

• [2/2026] I served as a Reviewer in ICML 2026!
• [1/2026] I joined the Program Committee of IJCAI-ECAI 2026!
• [1/2026] One paper titled “DFA-SNN: Dual-Frequency Attention Module for Spiking Neural Networks” got accepted in ICASSP 2026!
• [1/2026] One paper titled “ShieldRAG: Privacy-Preserving Approximate Nearest Neighbor Search For Retrieval-Augmented Generation Systems” got accepted in ICASSP 2026!
• [12/2025] One paper titled “Navigating embodied intelligence: Enabling technologies, security and privacy, and emerging trends“ got accepted in IEEE IoTJ!
• [12/2025] One paper titled “VICTOR: Dataset Copyright Auditing in Video Recognition Systems” got accepted in NDSS 2026!
• [12/2025] One paper titled “PrivATE: Differentially Private Average Treatment Effect Estimation for Observational Data” got accepted in NDSS 2026!
• [11/2025] I joined the Program Committee of IEEE Euro S&P 2026!
• [9/2025] One paper titled “URLcoat: Exploiting Web Search Capability to Jailbreak Large Language Models” got accepted in IEEE S&P 2026!
• [9/2025] One paper titled “Revealing the Risk of Hyper-parameter Leakage in Deep Reinforcement Learning Models” got accepted in IEEE TDSC!
• [1/2025] One paper titled “Artist-Auditor: Auditing Artist Style Pirate in Text-to-image Generation Models” got accepted in ACM WWW 2025!
• [9/2024] One paper titled “SoK: Dataset Copyright Auditing in Machine Learning Systems” got accepted in IEEE S&P 2025!
• [8/2024] I joined Xi’an Jiaotong University as an Assistant Professor!

Research Areas

Trustworthy Artificial Intelligence

• URLcoat: Exploiting Web Search Capability to Jailbreak Large Language Models (IEEE S&P 2026)
  → Demonstrates vulnerabilities in LLMs via jailbreaking, contributing to broader AI alignment and robustness.
• PARL: Poisoning Attacks Against Reinforcement Learning-based Recommender Systems (ACM ASIACCS 2024)
  → Poisoning attacks on RL-based systems.
• SUB-PLAY: Adversarial Policies against Partially Observed Multi-Agent Reinforcement Learning Systems (ACM CCS 2024)
  → Adversarial policies in multi-agent RL, relevant to embodied multi-agent scenarios (e.g., robotics, drones).
• Revealing the Risk of Hyper-parameter Leakage in Deep Reinforcement Learning Models (IEEE TDSC)
  → Exposes model vulnerabilities through hyper-parameter leakage, relevant to trustworthy model deployment.
• Large model based agents: State-of-the-art, cooperation paradigms, security and privacy, and future trends (IEEE Communications Surveys & Tutorials)
  → Survey on security and privacy in large model agents.

Dataset Ownership Verification

• VICTOR: Dataset Copyright Auditing in Video Recognition Systems (NDSS 2026)
  → Auditing dataset copyright in video models.
• SoK: Dataset Copyright Auditing in Machine Learning Systems (IEEE S&P 2025)
  → Systematization of knowledge on dataset copyright auditing.
• ArtistAuditor: Auditing Artist Style Pirate in Text-to-Image Generation Models (ACM WWW 2025)
  → Auditing style piracy in text-to-image models.
• ORL-AUDITOR: Dataset Auditing in Offline Deep Reinforcement Learning (NDSS 2024)
  → Trajectory-level auditing in offline RL datasets.
• WIP: Auditing Artist Style Pirate in Text-to-image Generation Models (NDSS AISCC 2024)
  → Early work on artist style auditing.

Privacy Enhancing Technologies

• PrivATE: Differentially Private Average Treatment Effect Estimation for Observational Data (NDSS 2026)
  → Differential privacy for causal inference/ATE estimation.
• MSA: A Cross-MCP Privacy Attack via Memory Exfiltration of Large Language Models (ACM CCS WPES 2025)
  → Privacy attack on LLMs, highlighting needs for PETs (though attack-focused).
• PrivGraph: Differentially Private Graph Data Publication by Exploiting Community Information (USENIX Security 2023)
  → DP for graph data release.
• AHEAD: Adaptive Hierarchical Decomposition for Range Query under Local Differential Privacy (ACM CCS 2021)
  → Local DP for range queries.
• Privacy-preserving distributed machine learning via local randomization and ADMM perturbation (IEEE TSP)
  → Privacy-preserving distributed ML.

Education

• Ph.D., Zhejiang University, Hangzhou, China
  Time: Sep. 2018 - Dec. 2023
  Supervisor: Prof. Peng Cheng, Prof. Jiming Chen
  Co-supervisor: Prof. Shouling Ji, Prof. Mingyang Sun
• B.Sc., Zhejiang University, Hangzhou, China
  Time: Sep. 2014 - Jun. 2018
  Supervisor: Prof. Peng Cheng

Academic Visiting

• CISPA Helmholtz Center for Information Security, Germany
  Time: Nov. 2021 - Nov. 2022
  Supervisor: Prof. Michael Backes
  Co-supervisor: Prof. Zhikun Zhang, Prof. Yang Zhang

• Singapore University of Technology and Design, Singapore
  Time: Feb. 2018 - Apr. 2018
  Supervisor: Prof. David Yau