Selected Publications and Preprints
Please refer to my Google Scholar profile for the full paper list.
Selected Preprints
`*` indicates co-first author; `^` indicates (co-)project leader/corresponding author
Rethinking Data Protection in the (Generative) Artificial Intelligence Era
Yiming Li^, Shuo Shao, Yu He, Junfeng Guo, Tianwei Zhang, Zhan Qin^, Pin-Yu Chen, Michael Backes, Philip Torr, Dacheng Tao, Kui Ren.
arXiv, 2025.
[Media Cover 1 (in Chinese)] [Media Cover 2 (in Chinese)] [Media Cover 3 (in Chinese)]
SoK: Large Language Model Copyright Auditing via Fingerprinting
Shuo Shao, Yiming Li^, Yu He, Hongwei Yao, Wenyuan Yang, Dacheng Tao, Zhan Qin.
arXiv, 2025.
[Code] [GitHub Resources Repo]
CBW: Towards Dataset Ownership Verification for Speaker Verification via Clustering-based Backdoor Watermarking
Yiming Li, Kaiying Yan, Shuo Shao, Tongqing Zhai, Shu-Tao Xia, Zhan Qin, Dacheng Tao.
Under Review by IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025. (The journal extension of our ICASSP’21 conference paper)
[Code]
CertDW: Towards Certified Dataset Ownership Verification via Conformal Prediction
Ting Qiao*, Yiming Li*^, Jianbin Li^, Yingjia Wang, Leyi Qi, Junfeng Guo, Ruili Feng, Dacheng Tao.
Under Review by IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025.
[Code]
SWAP: Towards Copyright Auditing of Soft Prompts via Sequential Watermarking
Wenyuan Yang, Yichen Sun, Changzheng Chen, Zhixuan Chu, Jiaheng Zhang, Yiming Li^, Dacheng Tao.
Under Review by International Journal of Computer Vision (IJCV), 2025.
Coward: Toward Practical Proactive Federated Backdoor Defense via Collision-based Watermark
Wenjie Li, Siying Gu, Yiming Li^, Kangjie Chen, Zhili Chen, Tianwei Zhang, Shu-Tao Xia, Dacheng Tao.
Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
[Code]
External Data Extraction Attacks against Retrieval-Augmented Large Language Models
Yu He, Yifei Chen, Yiming Li^, Shuo Shao, Leyi Qi, Boheng Li, Dacheng Tao, Zhan Qi.
Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
DATABench: Evaluating Dataset Auditing in Deep Learning from an Adversarial Perspective
Shuo Shao, Yiming Li^, Mengren Zheng, Zhiyang Hu, Yukun Chen, Boheng Li, Yu He, Junfeng Guo, Dacheng Tao, Zhan Qin.
arXiv, 2025.
[Code]
PromptCOS: Towards Content-only System Prompt Copyright Auditing for LLMs
Yuchen Yang, Yiming Li^, Hongwei Yao, Enhao Huang, Shuo Shao, Yuyi Wang, Zhibo Wang, Dacheng Tao, Zhan Qin.
arXiv, 2025.
[Code]
When Memory Becomes a Vulnerability: Towards Multi-turn Jailbreak Attacks against Text-to-Image Generation Systems
Shiqian Zhao, Jiayang Liu, Yiming Li^, Runyi Hu, Xiaojun Jia, Wenshu Fan, Xinfeng Li, Jie Zhang, Wei Dong, Tianwei Zhang, Luu Anh Tuan.
arXiv, 2025.
[Code]
ShadowCode: Towards (Automatic) External Prompt Injection Attack against Code LLMs
Yuchen Yang, Yiming Li^, Hongwei Yao, Bingrun Yang, Yiling He, Tianwei Zhang, Dacheng Tao, Zhan Qin.
Under Review by IEEE Transactions on Dependable and Secure Computing (TDSC), 2025.
Towards Copyright Protection for Knowledge Bases of Retrieval-augmented Language Models via Reasoning
Junfeng Guo*, Yiming Li*, Ruibo Chen, Yihan Wu, Chenxi Liu, Yanshuo Chen, Heng Huang.
arXiv, 2025.
FIT-Print: Towards False-claim-resistant Model Ownership Verification via Targeted Fingerprint
Shuo Shao, Haozhe Zhu, Yiming Li^, Hongwei Yao, Tianwei Zhang, Zhan Qin, Kui Ren.
Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
Cert-SSB: Toward Certified Sample-Specific Backdoor Defense
Ting Qiao, Yingjia Wang, Xing Liu, Sixing Wu, Jianbing Li^, Yiming Li^.
Under Review by IEEE Transactions on Information Forensics and Security (TIFS), 2025.
[Code]
Selected Conference Papers
DREAM: Scalable Red Teaming for Text-to-Image Generative Systems via Distribution Modeling
Boheng Li, Junjie Wang, Yiming Li^, Zhiyang Hu, Leyi Qi, Jianshuo Dong, Run Wang, Han Qiu, Zhan Qin, Tianwei Zhang.
IEEE Symposium on Security and Privacy (S&P), 2026. (To Appear)
Odysseus: Jailbreaking Commercial Multimodal LLM-integrated Systems via Dual Steganography
Songze Li, Jiameng Cheng, Yiming Li^, Xiaojun Jia, Dacheng Tao.
Network and Distributed System Security Symposium (NDSS), 2026. (To Appear)
Towards Effective Prompt Stealing Attack against Text-to-Image Diffusion Models
Shiqian Zhao, Chong Wang, Yiming Li, Yihao Huang, Wenjie Qu, Siew-Kei Lam, Yi Xie, Kangjie Chen, Jie Zhang, Tianwei Zhang.
Network and Distributed System Security Symposium (NDSS), 2026. (To Appear)
Explanation as a Watermark: Towards Harmless and Multi-bit Model Ownership Verification via Watermarking Feature Attribution
Shuo Shao*, Yiming Li*^, Hongwei Yao, Yiling He, Zhan Qin^, Kui Ren.
Network and Distributed System Security Symposium (NDSS), 2025.
[Code]
Towards Label-only Membership Inference Attack against Pre-trained Large Language Models
Yu He, Boheng Li, Liu Liu, Zhongjie Ba, Wei Dong, Yiming Li^, Zhan Qin, Kui Ren, Chun Chen.
USENIX Security Symposium (USENIX Security), 2025.
[Code]
Taught Well Learned Ill: Towards Distillation-conditional Backdoor Attack
Yukun Chen*, Boheng Li*, Yu Yuan*, Leyi Qi, Yiming Li^, Tianwei Zhang, Zhan Qin, Kui Ren.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2025.
[Code]
Towards Resilient Safety-driven Unlearning for Diffusion Models against Downstream Fine-tuning
Boheng Li, Renjie Gu, Junjie Wang, Leyi Qi, Yiming Li^, Run Wang, Zhan Qin, Tianwei Zhang.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2025.
[Code] (To Appear Very Soon)
REFINE: Inversion-Free Backdoor Defense via Model Reprogramming
Yukun Chen*, Shuo Shao*, Enhao Huang, Yiming Li^, Pin-Yu Chen, Zhan Qin, Kui Ren.
International Conference on Learning Representations (ICLR), 2025.
[Code (BackdoorBox)] [Code (GitHub)]
Towards Reliable Verification of Unauthorized Data Usage in Personalized Text-to-Image Diffusion Models
Boheng Li, Yanhao Wei, Yankai Fu, Zhenting Wang, Yiming Li^, Jie Zhang^, Run Wang, Tianwei Zhang.
IEEE Symposium on Security and Privacy (S&P), 2025.
[Code]
SleeperMark: Towards Robust Watermark against Fine-Tuning Text-to-image Diffusion Models
Zilan Wang, Junfeng Guo, Jiacheng Zhu, Yiming Li^, Heng Huang, Muhao Chen, Zhengzhong Tu^.
IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2025.
[Code]
Probe before You Talk: Towards Black-box Defense against Backdoor Unalignment for Large Language Models
Biao Yi, Tiansheng Huang, Sishuo Chen, Tong Li^, Zheli Liu, Zhixuan Chu, Yiming Li^.
International Conference on Learning Representations (ICLR), 2025.
[Code]
Prompt Inversion Attack against Collaborative Inference of Large Language Models
Wenjie Qu*, Yuguang Zhou*, Yongji Wu*, Tingsong Xiao, Binhang Yuan, Yiming Li, Jiaheng Zhang.
IEEE Symposium on Security and Privacy (S&P), 2025.
Towards Faithful XAI Evaluation via Generalization-Limited Backdoor Watermark
Mengxi Ya*, Yiming Li*^, Tao Dai, Bin Wang, Yong Jiang, Shu-Tao Xia.
International Conference on Learning Representations (ICLR), 2024.
[Code]
Towards Reliable and Efficient Backdoor Trigger Inversion via Decoupling Benign Features
Xiong Xu*, Kunzhe Huang*, Yiming Li*^, Zhan Qin^, Kui Ren.
International Conference on Learning Representations (ICLR), 2024. (Spotlight, TOP 5%)
[Code]
ZeroMark: Towards Dataset Ownership Verification without Disclosing Watermarks
Junfeng Guo*, Yiming Li*^, Ruibo Chen, Yihan Wu, Chenxi Liu, Heng Huang.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2024.
[Code]
Nearest Is Not Dearest: Towards Practical Defense against Quantization-conditioned Backdoor Attacks
Boheng Li, Yishuo Cai, Haowei Li, Feng Xue, Zhifeng Li, Yiming Li^.
IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2024.
[Code]
Purifying Quantization-conditioned Backdoors via Layer-wise Activation Correction with Distribution Approximation
Boheng Li*, Yishuo Cai*, Jisong Cai, Yiming Li^, Han Qiu, Run Wang, Tianwei Zhang.
International Conference on Machine Learning (ICML), 2024.
[Code]
IBD-PSC: Input-level Backdoor Detection via Parameter-oriented Scaling Consistency
Linshan Hou, Ruili Feng, Zhongyun Hua^, Wei Luo, Leo Yu Zhang, Yiming Li^.
International Conference on Machine Learning (ICML), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
[Code]
Not All Prompts Are Secure: A Switchable Backdoor Attack against Pre-trained Models
Sheng Yang*, Jiawang Bai*, Kuofeng Gao, Yong Yang, Yiming Li^, Shu-Tao Xia^.
IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
[Code]
BaDExpert: Extracting Backdoor Functionality for Accurate Backdoor Input Detection
Tinghao Xie^, Xiangyu Qi, Ping He, Yiming Li^, Jiachen T. Wang, Prateek Mittal^.
International Conference on Learning Representations (ICLR), 2024.
[Code]
BackdoorBox: A Python Toolbox for Backdoor Learning
Yiming Li*, Mengxi Ya*, Yang Bai, Yong Jiang, Shu-Tao Xia.
ICLR BANDS Workshop, 2023.
[Code] [Slides] [Video]
Domain Watermark: Effective and Harmless Dataset Copyright Protection is Closed at Hand
Junfeng Guo*, Yiming Li*^, Lixu Wang, Shu-Tao Xia, Heng Huang, Cong Liu, Bo Li.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2023.
[Code]
SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency
Junfeng Guo*, Yiming Li*, Xun Chen^, Hanqing Guo, Lichao Sun, Cong Liu.
International Conference on Learning Representations (ICLR), 2023.
[Code]
Setting the Trap: Capturing and Defeating Backdoor Threats in PLMs through Honeypots
Ruixiang Tang, Jiayi Yuan, Yiming Li^, Zirui Liu, Rui Chen, Xia Hu.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2023.
One-bit Flip is All You Need: When Bit-flip Attack Meets Model Training
Jianshuo Dong, Han Qiu, Yiming Li^, Tianwei Zhang, Yuanjie Li, Zeqi Lai, Chao Zhang, Shu-Tao Xia.
International Conference on Computer Vision (ICCV), 2023.
[Code]
Revisiting the Assumption of Latent Separability for Backdoor Defenses
Xiangyu Qi*^, Tinghao Xie*^, Yiming Li^, Saeed Mahloujifar, Prateek Mittal^.
International Conference on Learning Representations (ICLR), 2023.
[Code]
Towards Robust Model Watermark via Reducing Parametric Vulnerability
Guanhao Gan, Yiming Li, Dongxian Wu^, Shu-Tao Xia^.
International Conference on Computer Vision (ICCV), 2023.
[Code]
Defending Against Backdoor Attacks by Layer-wise Feature Analysis
Najeeb Moharram Jebreel^, Josep Domingo-Ferrer, Yiming Li.
The Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD), 2023. (Best Paper Award)
It is also invited to appear in IJCAI 2024 (Sisters Conference Track).
[Code]
Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection
Yiming Li*, Yang Bai*^, Yong Jiang, Yong Yang, Shu-Tao Xia^, Bo Li.
Annual Conference on Neural Information Processing Systems (NeurIPS), 2022. (Oral, TOP 2%)
[Code] [Poster] [Slides] [Video] [News]
Few-Shot Backdoor Attacks on Visual Object Tracking
Yiming Li*, Haoxiang Zhong*, Xingjun Ma^, Yong Jiang, Shu-Tao Xia^.
International Conference on Learning Representations (ICLR), 2022.
[Code] [Poster] [Slides] [Video] [News]
Defending against Model Stealing via Verifying Embedded External Features
Yiming Li*, Linghui Zhu*, Xiaojun Jia, Yong Jiang, Shu-Tao Xia^, Xiaochun Cao.
AAAI Conference on Artificial Intelligence (AAAI), 2022. (Best Paper of Adversarial for Good Award, ICML’21 AdvML Workshop)
[Code] [Poster] [Slides] [Video] [Workshop Version]
Backdoor Defense via Decoupling the Training Process
Kunzhe Huang*, Yiming Li*, Baoyuan Wu^, Zhan Qin^, Kui Ren.
International Conference on Learning Representations (ICLR), 2022.
[Code] [Poster] [Slides] [Video]
Backdoor Attack in the Physical World
Yiming Li, Tongqing Zhai, Yong Jiang, Zhifeng Li, Shu-Tao Xia.
ICLR RobustML Workshop, 2021.
[Code]
Backdoor Attack against Speaker Verification
Tongqing Zhai*, Yiming Li*^, Ziqi Zhang, Baoyuan Wu, Yong Jiang, Shu-Tao Xia^.
International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2021.
[Code] [Poster] [Slides] [Video]
Invisible Backdoor Attack with Sample-Specific Triggers
Yuezun Li, Yiming Li, Baoyuan Wu^, Longkang Li, Ran He, Siwei Lyu.
International Conference on Computer Vision (ICCV), 2021.
[Code]
Targeted Attack for Deep Hashing based Retrieval
Jiawang Bai*, Bin Chen*^, Yiming Li*, Dongxian Wu, Weiwei Guo, Shu-Tao Xia, Enhui Yang.
European Conference on Computer Vision (ECCV), 2020. (Oral, TOP 2%)
[Code] [Slides]
Selected Journal Articles
MOVE: Effective and Harmless Ownership Verification via Embedded External Features
Yiming Li, Linghui Zhu, Xiaojun Jia^, Yang Bai, Yong Jiang, Shu-Tao Xia^, Xiaochun Cao, Kui Ren.
IEEE Transactions on Pattern Analysis and Machine Intelligence (TPAMI), 2025. (The journal extension of our AAAI’22 conference paper)
[Code]
Towards Sample-specific Backdoor Attack with Clean Labels via Attribute Trigger
Mingyan Zhu*, Yiming Li*^, Junfeng Guo, Tao Wei, Shu-Tao Xia, Zhan Qin.
IEEE Transactions on Dependable and Secure Computing (TDSC), 2025.
[Code]
FLARE: Toward Universal Dataset Purification against Backdoor Attacks
Linshan Hou, Wei Luo, Zhongyun Hua^, Songhua Chen, Leo Yu Zhang, Yiming Li^.
IEEE Transactions on Information Forensics and Security (TIFS), 2025.
[Code (BackdoorBox)] [Code (backdoor-toolbox)]
Backdoor Learning: A Survey
Yiming Li^, Yong Jiang, Zhifeng Li, Shu-Tao Xia^.
IEEE Transactions on Neural Networks and Learning Systems (TNNLS), 2024. (ESI Highly Cited Papers)
[Github Resources Repo]
Backdoor Attack with Sparse and Invisible Trigger
Yinghua Gao*, Yiming Li*^, Xueluan Gong, Zhifeng Li, Shu-Tao Xia, Qian Wang.
IEEE Transactions on Information Forensics and Security (TIFS), 2024. (Excellent Science & Technology Paper, Shenzhen Association for Science and Technology)
[Code]
PointNCBW: Towards Dataset Ownership Verification for Point Clouds via Negative Clean-label Backdoor Watermark
Cheng Wei, Yang Wang, Kuofeng Gao, Shuo Shao, Yiming Li^, Zhibo Wang, Zhan Qin^.
IEEE Transactions on Information Forensics and Security (TIFS), 2024.
[Code]
Towards Stealthy Backdoor Attacks against Speech Recognition via Elements of Sound
Hanbo Cai, Pengcheng Zhang, Hai Dong, Yan Xiao, Stefanos Koffas, Yiming Li.
IEEE Transactions on Information Forensics and Security (TIFS), 2024.
[Code]
Black-box Dataset Ownership Verification via Backdoor Watermarking
Yiming Li, Mingyan Zhu, Xue Yang^, Yong Jiang, Tao Wei, Shu-Tao Xia^.
IEEE Transactions on Information Forensics and Security (TIFS), 2023. (TOP-25 Downloaded Paper in IEEE SPS)
[Code] [Workshop Version] [Media Cover (IEEE Spectrum)] [News]
Not All Samples Are Born Equal: Towards Effective Clean-Label Backdoor Attacks
Yinghua Gao*, Yiming Li*^, Linghui Zhu, Dongxian Wu, Yong Jiang, Shu-Tao Xia.
Pattern Recognition, 2023.
[Code]
Semi-supervised Robust Training with Generalized Perturbed Neighborhood
Yiming Li, Baoyuan Wu^, Yan Feng, Yanbo Fan, Yong Jiang, Zhifeng Li, Shu-Tao Xia^.
Pattern Recognition, 2022. (Best Student Research Award, TBSI-WODS’19)
[Code]
Multinomial Random Forest
Jiawang Bai*, Yiming Li*, Jiawei Li, Xue Yang^, Yong Jiang, Shu-Tao Xia^.
Pattern Recognition, 2022.
[Code]
Books and Technical Reports
AI Data Security (in Chinese)
Kui Ren, Zhan Qin, Zhibo Wang, Zhongjie Ba, Yiming Li.
Tsinghua University Press, 2025. (Outstanding Textbook Series, Ministry of Education of China)
Chapter 4: The Robust and Harmless Model Watermarking
Yiming Li, Linghui Zhu, Yang Bai, Yong Jiang, Shu-Tao Xia.
Digital Watermarking for Machine Learning Model: Techniques, Protocols and Applications. Springer, 2023.
LLM Safety and Ethics (in Chinese)
Technical Report, 2024/01.
[Media1] [Media2] [Media3] [Media4]
The ATT&CK Matrix of AI Security
Technical Report, 2020/09.
[Media1] [Media2] [Media3] [Media4] [Media5] [Media6]
Dissertation
- Poisoning-based Backdoor Attacks in Computer Vision
Yiming Li.
Ph.D. Dissertation, 2023. (Outstanding Doctoral Dissertation Award, SZCCF’24; Outstanding Doctoral Dissertation Award (Nomination), ACM SIGSAC China’25)
[Slides] [AAAI’23 Doctoral Consortium]
Patents
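- Shuo Shao, Yiming Li, Zhan Qin, Kui Ren, Hongtao Wang, Xingke Ma, Zhenyuan Feng. A model watermarking method and apparatus based on a non-decision-domain approach. (Invention patent, granted, CN202410553090.0)
- Shuo Shao, Yiming Li, Zhan Qin, Kui Ren, Hongtao Wang, Xingke Ma, Zhenyuan Feng. A model fingerprinting method and apparatus based on a non-decision-domain approach. (Invention patent, under substantive examination, CN202410664418.6)
- Yiming Li, Shuo Shao, Zhan Qin, Kui Ren, Hongtao Wang, Xingke Ma, Zhenyuan Feng. A dataset copyright authentication method and apparatus based on a non-decision-domain approach. (Invention patent, under substantive examination, CN202410664413.3)
- Yiming Li, Yukun Chen, Jindong Gu, Zhan Qin, Kui Ren. A method, apparatus, and storage medium for determining the source of generated content. (Invention patent, under substantive examination, CN202410013254.0)
- Yiming Li, Yan Liu, Haiqin Weng, Yong Jiang, Shu-Tao Xia. An ownership verification method for a model, apparatus, storage medium, and electronic device. (Invention patent, under substantive examination, CN202211146432.4)
- Yiming Li, Yan Liu, Haoxiang Zhong, Haiqin Weng, Yong Jiang, Shu-Tao Xia. A model ownership verification method, apparatus, storage medium, and device. (Invention patent, under substantive examination, CN202211145984.3)
- Yiming Li, Yan Liu, Linghui Zhu, Haiqin Weng, Yong Jiang, Shu-Tao Xia. An ownership verification method for a model, apparatus, storage medium, and device. (Invention patent, under substantive examination, CN202211146420.1)
- Yiming Li, Yang Bai, Yong Yang, Yong Jiang, Shu-Tao Xia. A data processing method, apparatus, device, and readable storage medium. (Invention patent, granted, CN202211102363.7)
- Yiming Li, Yang Bai, Yong Yang, Yong Jiang, Shu-Tao Xia. Training method for a classification model, data classification method, apparatus, device, and medium. (Invention patent, under substantive examination, CN202211138734.7)
- Yiming Li, Weifeng Qiu, Feng Xue, Yong Jiang, Shu-Tao Xia. Evaluation method and apparatus for model explanation tools. (Invention patent, granted, CN202111600136.2)
- Yiming Li, Linghui Zhu, Weifeng Qiu, Yong Jiang, Shu-Tao Xia. Method and apparatus for model ownership verification based on external features. (Invention patent, granted, CN202111417245.0)
- Yiming Li, Ziqi Zhang, Weifeng Qiu, Yong Jiang, Shu-Tao Xia. Ownership verification method and apparatus for datasets. (Invention patent, under substantive examination, CN202111407783.1)
- Yiming Li, Peidong Liu, Weifeng Qiu, Yong Jiang, Shu-Tao Xia. Method and apparatus for protecting private information in image sample sets. (Invention patent, granted, CN202111415199.0)
- Yiming Li, Baoyuan Wu, Yong Zhang, Yanbo Fan, Zhifeng Li, Wei Liu, Yan Feng, Yong Jiang, Shu-Tao Xia. A training method for an image recognition model, and an image recognition method and apparatus. (Invention patent, granted, CN202010182180.5, HKS202989-CN)
- Yiming Li, Baoyuan Wu, Yong Jiang, Zhifeng Li, Shu-Tao Xia, Wei Liu. Defense method, apparatus, device, and medium against backdoor attacks on image classification models. (Invention patent, granted, CN202011122124.9)
- Jiaying Lin, Yiming Li, Haiqin Weng. Active defense method and apparatus for image protection. (Invention patent, under substantive examination, CN202111583667.5)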
