Selected Publications and Preprints

Please refer to the Google Scholar for my full paper list.

Selected Preprints

`*‘ indicates co-first author; `^’ indicates (co-)project leader/corresponding author

• Rethinking Data Protection in the (Generative) Artificial Intelligence Era
  Yiming Li^, Shuo Shao, Yu He, Junfeng Guo, Tianwei Zhang, Zhan Qin^, Pin-Yu Chen, Michael Backes, Philip Torr, Dacheng Tao, Kui Ren.
  arXiv, 2025.
  

• DATABench: Evaluating Dataset Auditing in Deep Learning from an Adversarial Perspective
  Shuo Shao, Yiming Li^, Mengren Zheng, Zhiyang Hu, Yukun Chen, Boheng Li, Yu He, Junfeng Guo, Tianwei Zhang, Dacheng Tao, Zhan Qin.
  arXiv, 2025.
  [Code]

• CertDW: Towards Certified Dataset Ownership Verification via Conformal Prediction
  Ting Qiao*, Yiming Li*^, Jianbin Li^, Yingjia Wang, Leyi Qi, Junfeng Guo, Ruili Feng, Dacheng Tao.
  Under Review by IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025.
  [Code]

• CBW: Towards Dataset Ownership Verification for Speaker Verification via Clustering-based Backdoor Watermarking
  Yiming Li, Kaiying Yan, Shuo Shao, Tongqing Zhai, Shu-Tao Xia, Zhan Qin, Dacheng Tao.
  Under Review by IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025. (The journal extension of our ICASSP’21 conference paper)
  [Code]

• Cert-SSB: Toward Certified Sample-Specific Backdoor Defense
  Ting Qiao, Yingjia Wang, Xing Liu, Sixing Wu, Jianbing Li^, Yiming Li^.
  Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
  [Code]

• TPIA: Towards Target-specific Prompt Injection Attack against Code-oriented Large Language Models
  Yuchen Yang, Hongwei Yao, Bingrun Yang, Yiling He, Yiming Li^, Tianwei Zhang, Zhan Qin.
  Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
  

• Towards Copyright Protection for Knowledge Bases of Retrieval-augmented Language Models via Reasoning
  Junfeng Guo*, Yiming Li*, Ruibo Chen, Yihan Wu, Chenxi Liu, Yanshuo Chen, Heng Huang.
  arXiv, 2025.
  

• FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
  Shuo Shao, Haozhe Zhu, Hongwei Yao, Yiming Li^, Tianwei Zhang, Zhan Qin, Kui Ren.
  arXiv, 2025.
  

Selected Conference Papers

• Towards Label-Only Membership Inference Attack against Pre-trained Large Language Models
  Yu He, Boheng Li, Liu Liu, Zhongjie Ba, Wei Dong, Yiming Li^, Zhan Qin, Kui Ren, Chun Chen.
  USENIX Security Symposium (USENIX Security), 2025.
  [Code]

• Explanation as a Watermark: Towards Harmless and Multi-bit Model Ownership Verification via Watermarking Feature Attribution
  Shuo Shao*, Yiming Li*^, Hongwei Yao, Yiling He, Zhan Qin^, Kui Ren.
  Network and Distributed System Security Symposium (NDSS), 2025.
  [Code]

• Towards Reliable Verification of Unauthorized Data Usage in Personalized Text-to-Image Diffusion Models
  Boheng Li, Yanhao Wei, Yankai Fu, Zhenting Wang, Yiming Li^, Jie Zhang^, Run Wang, Tianwei Zhang.
  IEEE Symposium on Security and Privacy (S&P), 2025.
  [Code]

• Prompt Inversion Attack against Collaborative Inference of Large Language Models
  Wenjie Qu, Yuguang Zhou, Yongji Wu, Tingsong Xiao, Binhang Yuan, Yiming Li, Jiaheng Zhang.
  IEEE Symposium on Security and Privacy (S&P), 2025.
  

• SleeperMark: Towards Robust Watermark against Fine-Tuning Text-to-image Diffusion Models
  Zilan Wang, Junfeng Guo, Jiacheng Zhu, Yiming Li^, Heng Huang, Muhao Chen, Zhengzhong Tu^.
  IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2025.
  [Code]

• REFINE: Inversion-Free Backdoor Defense via Model Reprogramming
  Yukun Chen, Shuo Shao, Enhao Huang, Yiming Li^, Pin-Yu Chen, Zhan Qin, Kui Ren.
  International Conference on Learning Representations (ICLR), 2025.
  [Code (BackdoorBox)] [Code (GitHub)]

• Probe before You Talk: Towards Black-box Defense against Backdoor Unalignment for Large Language Models
  Biao Yi, Tiansheng Huang, Sishuo Chen, Tong Li^, Zheli Liu, Zhixuan Chu, Yiming Li^.
  International Conference on Learning Representations (ICLR), 2025.
  [Code]

• VideoShield: Regulating Diffusion-based Video Generation Models via Watermarking
  Runyi Hu, Jie Zhang, Yiming Li, Jiwei Li, Qing Guo, Han Qiu, Tianwei Zhang.
  International Conference on Learning Representations (ICLR), 2025.
  [Code]

• A Benchmark for Semantic Sensitive Information in LLMs Outputs
  Qingjie Zhang, Han Qiu, Di Wang, Yiming Li, Tianwei Zhang, Wenyu Zhu, Haiqin Weng, Liu Yan, Chao Zhang.
  International Conference on Learning Representations (ICLR), 2025.
  [Project Website] [Code]

• Cowpox: Towards the Immunity of VLM-based Multi-Agent Systems
  Yutong Wu, Jie Zhang, Yiming Li, Chao Zhang, Qing Guo, Han Qiu, Nils Lukas, Tianwei Zhang.
  International Conference on Machine Learning (ICML), 2025.
  [Code]

• When Backdoors Speak: Understanding LLM Backdoor Attacks Through Model-Generated Explanations
  Huaizhi Ge, Yiming Li, Qifan Wang, Yongfeng Zhang, Ruixiang Tang.
  Annual Meeting of the Association for Computational Linguistics (ACL), 2025. (To Appear)
  

• Understanding the Dark Side of LLMs’ Intrinsic Self-Correction
  Qingjie Zhang, Han Qiu, Di Wang, Haoting Qian, Yiming Li, Tianwei Zhang, Minlie Huang.
  Annual Meeting of the Association for Computational Linguistics (ACL), 2025.
  [Project Website] [Media Cover 1 (MIT Technology Review in Chinese)] [Media Cover 2 (Sina News in Chinese)]

• ZeroMark: Towards Dataset Ownership Verification without Disclosing Watermarks
  Junfeng Guo*, Yiming Li*^, Ruibo Chen, Yihan Wu, Chenxi Liu, Heng Huang.
  Annual Conference on Neural Information Processing Systems (NeurIPS), 2024.
  [Code]

• Which Model Generated This Image? A Model-Agnostic Approach for Origin Attribution
  Fengyuan Liu, Haochen Luo, Yiming Li, Philip Torr, Jindong Gu.
  European Conference on Computer Vision (ECCV), 2024.
  [Code]

• IBD-PSC: Input-level Backdoor Detection via Parameter-oriented Scaling Consistency
  Linshan Hou, Ruili Feng, Zhongyun Hua^, Wei Luo, Leo Yu Zhang, Yiming Li^.
  International Conference on Machine Learning (ICML), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
  [Code]

• Purifying Quantization-conditioned Backdoors via Layer-wise Activation Correction with Distribution Approximation
  Boheng Li, Yishuo Cai, Jisong Cai, Yiming Li^, Han Qiu, Run Wang, Tianwei Zhang.
  International Conference on Machine Learning (ICML), 2024.
  [Code]

• Nearest Is Not Dearest: Towards Practical Defense against Quantization-conditioned Backdoor Attacks
  Boheng Li, Yishuo Cai, Haowei Li, Feng Xue, Zhifeng Li, Yiming Li^.
  IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2024.
  [Code]

• Not All Prompts Are Secure: A Switchable Backdoor Attack against Pre-trained Models
  Sheng Yang, Jiawang Bai^, Kuofeng Gao, Yong Yang, Yiming Li^, Shu-Tao Xia.
  IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
  [Code]

• Towards Reliable and Efficient Backdoor Trigger Inversion via Decoupling Benign Features
  Xiong Xu*, Kunzhe Huang*, Yiming Li*^, Zhan Qin^, Kui Ren.
  International Conference on Learning Representations (ICLR), 2024. (Spotlight, TOP 5%)
  [Code]

• Towards Faithful XAI Evaluation via Generalization-Limited Backdoor Watermark
  Mengxi Ya*, Yiming Li*^, Tao Dai, Bin Wang, Yong Jiang, Shu-Tao Xia.
  International Conference on Learning Representations (ICLR), 2024.
  [Code]

• BaDExpert: Extracting Backdoor Functionality for Accurate Backdoor Input Detection
  Tinghao Xie^, Xiangyu Qi, Ping He, Yiming Li^, Jiachen T. Wang, Prateek Mittal^.
  International Conference on Learning Representations (ICLR), 2024.
  [Code]

• Domain Watermark: Effective and Harmless Dataset Copyright Protection is Closed at Hand
  Junfeng Guo*, Yiming Li*^, Lixu Wang, Shu-Tao Xia, Heng Huang, Cong Liu, Bo Li.
  Annual Conference on Neural Information Processing Systems (NeurIPS), 2023.
  [Code]

• Setting the Trap: Capturing and Defeating Backdoor Threats in PLMs through Honeypots
  Ruixiang Tang, Jiayi Yuan, Yiming Li^, Zirui Liu, Rui Chen, Xia Hu.
  Annual Conference on Neural Information Processing Systems (NeurIPS), 2023.
  

• One-bit Flip is All You Need: When Bit-flip Attack Meets Model Training
  Jianshuo Dong, Han Qiu, Yiming Li^, Tianwei Zhang, Yuanjie Li, Zeqi Lai, Chao Zhang, Shu-Tao Xia.
  International Conference on Computer Vision (ICCV), 2023.
  [Code]

• Towards Robust Model Watermark via Reducing Parametric Vulnerability
  Guanhao Gan, Yiming Li, Dongxian Wu, Shu-Tao Xia.
  International Conference on Computer Vision (ICCV), 2023.
  [Code]

• BackdoorBox: A Python Toolbox for Backdoor Learning
  Yiming Li, Mengxi Ya, Yang Bai, Yong Jiang, Shu-Tao Xia.
  ICLR BANDS Workshop, 2023.
  [Code] [Slides] [Video]

• SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency
  Junfeng Guo*, Yiming Li*, Xun Chen, Hanqing Guo, Lichao Sun, Cong Liu.
  International Conference on Learning Representations (ICLR), 2023.
  [Code]

• Revisiting the Assumption of Latent Separability for Backdoor Defenses
  Xiangyu Qi^, Tinghao Xie^, Yiming Li^, Saeed Mahloujifar, Prateek Mittal^.
  International Conference on Learning Representations (ICLR), 2023.
  [Code]

• Defending Against Backdoor Attacks by Layer-wise Feature Analysis
  Najeeb Moharram Jebreel, Josep Domingo-Ferrer, Yiming Li.
  The Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD), 2023. (Best Paper Award)
  It is also invited to appear in IJCAI 2024 (Sisters Conference Track).
  [Code]

• Generating Transferable 3D Adversarial Point Cloud via Random Perturbation Factorization
  Bangyan He, Jian Liu, Yiming Li, Siyuan Liang, Jingzhi Li, Xiaojun Jia, Xiaochun Cao.
  AAAI Conference on Artificial Intelligence (AAAI), 2023.
  [Code]

• Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection
  Yiming Li, Yang Bai, Yong Jiang, Yong Yang, Shu-Tao Xia, Bo Li.
  Annual Conference on Neural Information Processing Systems (NeurIPS), 2022. (Oral, TOP 2%)
  [Code] [Poster] [Slides] [Video] [News]

• Few-Shot Backdoor Attacks on Visual Object Tracking
  Yiming Li, Haoxiang Zhong, Xingjun Ma, Yong Jiang, Shu-Tao Xia.
  International Conference on Learning Representations (ICLR), 2022.
  [Code] [Poster] [Slides] [Video] [News]

• Backdoor Defense via Decoupling the Training Process
  Kunzhe Huang*, Yiming Li*, Baoyuan Wu, Zhan Qin, Kui Ren.
  International Conference on Learning Representations (ICLR), 2022.
  [Code] [Poster] [Slides] [Video]

• Defending against Model Stealing via Verifying Embedded External Features
  Yiming Li, Linghui Zhu, Xiaojun Jia, Yong Jiang, Shu-Tao Xia, Xiaochun Cao.
  AAAI Conference on Artificial Intelligence (AAAI), 2022. (Best Paper of Adversarial for Good Award, ICML’21 AdvML Workshop)
  [Code] [Poster] [Slides] [Video] [Workshop Version]

• Backdoor Attack against Speaker Verification
  Tongqing Zhai*, Yiming Li*^, Ziqi Zhang, Baoyuan Wu, Yong Jiang, Shu-Tao Xia^.
  International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2021.
  [Code] [Poster] [Slides] [Video]

• Backdoor Attack in the Physical World
  Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, Shu-Tao Xia.
  ICLR RobustML Workshop, 2021.
  [Code]

• Invisible Backdoor Attack with Sample-Specific Triggers
  Yuezun Li, Yiming Li, Baoyuan Wu, Longkang Li, Ran He, Siwei Lyu.
  International Conference on Computer Vision (ICCV), 2021.
  [Code]

• Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits
  Jiawang Bai, Baoyuan Wu, Yong Zhang, Yiming Li, Zhifeng Li, Shu-Tao Xia.
  International Conference on Learning Representations (ICLR), 2021.
  [Code] [Poster] [Video]

• Targeted Attack for Deep Hashing based Retrieval
  Jiawang Bai*, Bin Chen*, Yiming Li*, Dongxian Wu, Weiwei Guo, Shu-Tao Xia, Enhui Yang.
  European Conference on Computer Vision (ECCV), 2020. (Oral, TOP 2%)
  [Code] [Slides]

Selected Journal Articles

• MOVE: Effective and Harmless Ownership Verification via Embedded External Features
  Yiming Li, Linghui Zhu, Xiaojun Jia, Yang Bai, Yong Jiang, Shu-Tao Xia, Xiaochun Cao, Kui Ren.
  IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025. (The journal extension of our AAAI’22 conference paper)
  [Code]

• FLARE: Toward Universal Dataset Purification against Backdoor Attacks
  Linshan Hou, Wei Luo, Zhongyun Hua^, Songhua Chen, Leo Yu Zhang, Yiming Li^.
  IEEE Transactions on Information Forensics and Security (TIFS), 2025.
  [Code (BackdoorBox)] [Code (backdoor-toolbox)]

• Towards Sample-specific Backdoor Attack with Clean Labels via Attribute Trigger
  Mingyan Zhu*, Yiming Li*^, Junfeng Guo, Tao Wei, Shu-Tao Xia, Zhan Qin.
  IEEE Transactions on Dependable and Secure Computing (TDSC), 2025.
  

• PointNCBW: Towards Dataset Ownership Verification for Point Clouds via Negative Clean-label Backdoor Watermark
  Cheng Wei, Yang Wang, Kuofeng Gao, Shuo Shao, Yiming Li^, Zhibo Wang, Zhan Qin^.
  IEEE Transactions on Information Forensics and Security (TIFS), 2024.
  [Code]

• Backdoor Attack with Sparse and Invisible Trigger
  Yinghua Gao*, Yiming Li*^, Xueluan Gong, Zhifeng Li, Shu-Tao Xia, Qian Wang.
  IEEE Transactions on Information Forensics and Security (TIFS), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
  [Code]

• Towards Stealthy Backdoor Attacks against Speech Recognition via Elements of Sound
  Hanbo Cai, Pengcheng Zhang, Hai Dong, Yan Xiao, Stefanos Koffas, Yiming Li.
  IEEE Transactions on Information Forensics and Security (TIFS), 2024.
  [Code]

• Regional Adversarial Training for Better Robust Generalization
  Chuanbiao Song, Yanbo Fan, Aoyang Zhou, Baoyuan Wu, Yiming Li, Zhifeng Li, Kun He.
  International Journal of Computer Vision (IJCV), 2024.

• Black-box Dataset Ownership Verification via Backdoor Watermarking
  Yiming Li, Mingyan Zhu, Xue Yang, Yong Jiang, Tao Wei, Shu-Tao Xia.
  IEEE Transactions on Information Forensics and Security (TIFS), 2023. (TOP-25 Downloaded Paper in IEEE SPS)
  [Code] [Workshop Version] [Media Cover (IEEE Spectrum)] [News]

• Not All Samples Are Born Equal: Towards Effective Clean-Label Backdoor Attacks
  Yinghua Gao*, Yiming Li*^, Linghui Zhu, Dongxian Wu, Yong Jiang, Shu-Tao Xia.
  Pattern Recognition, 2023.
  [Code]

• Backdoor Learning: A Survey
  Yiming Li, Yong Jiang, Zhifeng Li, Shu-Tao Xia.
  IEEE Transactions on Neural Networks and Learning Systems (TNNLS), 2022. (ESI Highly Cited Papers)
  [Github Resources]

• Semi-supervised Robust Training with Generalized Perturbed Neighborhood
  Yiming Li, Baoyuan Wu, Yan Feng, Yanbo Fan, Yong Jiang, Zhifeng Li, Shu-Tao Xia.
  Pattern Recognition, 2022. (Best Student Research Award, TBSI-WODS’19)
  [Code]

• Multinomial Random Forest
  Jiawang Bai*, Yiming Li*, Jiawei Li, Xue Yang, Yong Jiang, Shu-Tao Xia.
  Pattern Recognition, 2022.
  [Code]

Books and Technical Reports

• AI Data Security (in Chinese)
  Kui Ren, Zhan Qin, Zhibo Wang, Zhongjie Ba, Yiming Li.
  Tsinghua University Press, 2025. (Outstanding Textbook Series, Ministry of Education of China)

• Chapter 4: The Robust and Harmless Model Watermarking
  Yiming Li, Linghui Zhu, Yang Bai, Yong Jiang, Shu-Tao Xia.
  Digital Watermarking for Machine Learning Model: Techniques, Protocols and Applications. Springer, 2023.

• LLM Safety and Ethics (in Chinese)
  Technical Report, 2024/01.
  [Media1] [Media2] [Media3] [Media4]

• The ATT&CK Matrix of AI Security
  Technical Report, 2020/09.
  [Media1] [Media2] [Media3] [Media4] [Media5] [Media6]

Dissertation

• Poisoning-based Backdoor Attacks in Computer Vision
  Yiming Li.
  Ph.D. Dissertation, 2023. (Outstanding Doctoral Dissertation Award, SZCCF’24)
  [Slides]

• Poisoning-based Backdoor Attacks in Computer Vision
  Yiming Li.
  AAAI Conference on Artificial Intelligence (AAAI), 2023. (Doctoral Consortium)
  [Slides]

Patents

• 邵硕, 李一鸣, 秦湛, 任奎, 王宏韬, 马杏可, 冯振源. 一种基于非决策域方法的模型水印方法及装置. (发明专利, 已授权, CN202410553090.0)
• 邵硕, 李一鸣, 秦湛, 任奎, 王宏韬, 马杏可, 冯振源. 一种基于非决策域方法的模型指纹方法及装置. (发明专利, 已进入实质审查, CN202410664418.6)
• 李一鸣, 邵硕, 秦湛, 任奎, 王宏韬, 马杏可, 冯振源. 一种基于非决策域方法的数据集版权认证方法及装置. (发明专利, 已进入实质审查, CN202410664413.3)
• 李一鸣, 陈禹坤, 顾金东, 秦湛, 任奎. 一种生成内容来源判断方法、装置和存储介质. (发明专利，已进入实质审查，CN202410013254.0)
• 李一鸣, 刘焱, 翁海琴, 江勇, 夏树涛. 一种模型的所有权验证方法、装置、存储介质及电子设备. (发明专利，已进入实质审查，CN202211146432.4)
• 李一鸣, 刘焱, 钟昊翔, 翁海琴, 江勇, 夏树涛. 一种模型所有权验证方法、装置、存储介质及设备. (发明专利，已进入实质审查，CN202211145984.3)
• 李一鸣, 刘焱, 朱玲慧, 翁海琴, 江勇, 夏树涛. 一种模型的所有权验证方法、装置、存储介质及设备. (发明专利，已进入实质审查，CN202211146420.1)
• 李一鸣, 白杨, 杨勇, 江勇, 夏树涛. 一种数据处理方法、装置、设备及可读取存储介质. (发明专利，已进入实质审查，CN202211102363.7)
• 李一鸣, 白杨, 杨勇, 江勇, 夏树涛. 分类模型的训练方法、数据分类方法、装置、设备及介质. (发明专利，已进入实质审查，CN202211138734.7)
• 李一鸣, 邱伟峰, 薛峰, 江勇, 夏树涛. 针对模型解释工具的评测方法和装置. (发明专利, 已授权, CN202111600136.2)
• 李一鸣, 朱玲慧, 邱伟峰, 江勇, 夏树涛. 基于外源特征进行模型所有权验证的方法和装置. (发明专利, 已授权, CN202111417245.0)
• 李一鸣, 张子琪, 邱伟峰, 江勇, 夏树涛. 用于数据集的所有权验证方法和装置. (发明专利, 已进入实质审查, CN202111407783.1)
• 李一鸣, 刘沛东, 邱伟峰, 江勇, 夏树涛. 用于保护图像样本集的隐私信息的方法和装置. (发明专利, 已进入实质审查, CN202111415199.0)
• 李一鸣, 吴保元, 张勇, 樊艳波, 李志锋, 刘威, 冯岩, 江勇, 夏树涛. 一种图像识别模型的训练方法、图像识别的方法及装置. (发明专利, 已授权, CN202010182180.5, HKS202989-CN)
• 李一鸣, 吴保元, 江勇, 李志锋, 夏树涛, 刘威. 图像分类模型后门攻击的防御方法、装置、设备及介质. (发明专利, 已授权, CN202011122124.9)
• 林佳滢, 李一鸣, 翁海琴. 用于图像保护的主动防御方法和装置. (发明专利, 已进入实质审查, CN202111583667.5)