publications

2026

1. ACL Findings

   InferPilot: Autonomous Inference Attacks Against ML Services With LLM-Based Agents

   Yixin Wu, Rui Wen, Chi Cui, Michael Backes, and Yang Zhang

   In Annual Meeting of the Association for Computational Linguistics (ACL), 2026

   arXiv Bib

   @inproceedings{WWCBZ26,
     author = {Wu, Yixin and Wen, Rui and Cui, Chi and Backes, Michael and Zhang, Yang},
     title = {{InferPilot: Autonomous Inference Attacks Against ML Services With LLM-Based Agents}},
     booktitle = {{Annual Meeting of the Association for Computational Linguistics (ACL)}},
     publisher = {ACL},
     year = {2026}
   }

2. ACL Findings

   Peering Behind the Shield: Guardrail Identification in Large Language Models

   Ziqing Yang, Yixin Wu, Rui Wen, Michael Backes, and Yang Zhang

   In Annual Meeting of the Association for Computational Linguistics (ACL), 2026

   arXiv Bib

   @inproceedings{YWWBZ26,
     author = {Yang, Ziqing and Wu, Yixin and Wen, Rui and Backes, Michael and Zhang, Yang},
     title = {{Peering Behind the Shield: Guardrail Identification in Large Language Models}},
     booktitle = {{Annual Meeting of the Association for Computational Linguistics (ACL)}},
     publisher = {ACL},
     year = {2026}
   }

3. ACL Findings

   Rethinking Assessments of Prompt Injection Attacks

   Chi Cui, Yixin Wu, Michael Backes, and Yang Zhang

   In Annual Meeting of the Association for Computational Linguistics (ACL), 2026

   Bib

   @inproceedings{CWBZ26,
     author = {Cui, Chi and Wu, Yixin and Backes, Michael and Zhang, Yang},
     title = {{Rethinking Assessments of Prompt Injection Attacks}},
     booktitle = {{Annual Meeting of the Association for Computational Linguistics (ACL)}},
     publisher = {ACL},
     year = {2026}
   }

2025

1. Usenix Security

   Synthetic Artifact Auditing: Tracing LLM-Generated Synthetic Data Usage in Downstream Applications

   Yixin Wu, Ziqing Yang, Yun Shen, Michael Backes, and Yang Zhang

   In USENIX Security Symposium (USENIX Security), 2025

   arXiv Bib Code Website

   @inproceedings{WYSBZ25,
     author = {Wu, Yixin and Yang, Ziqing and Shen, Yun and Backes, Michael and Zhang, Yang},
     title = {{Synthetic Artifact Auditing: Tracing LLM-Generated Synthetic Data Usage in Downstream Applications}},
     booktitle = {{USENIX Security Symposium (USENIX Security)}},
     publisher = {USENIX},
     year = {2025}
   }

2. Usenix Security

   On the Proactive Generation of Unsafe Images From Text-To-Image Models Using Benign Prompts

   Yixin Wu, Ning Yu, Michael Backes, Yun Shen, and Yang Zhang

   In USENIX Security Symposium (USENIX Security), 2025

   arXiv Bib Code

   @inproceedings{WYBSZ25,
     author = {Wu, Yixin and Yu, Ning and Backes, Michael and Shen, Yun and Zhang, Yang},
     title = {{On the Proactive Generation of Unsafe Images From Text-To-Image Models Using Benign Prompts}},
     booktitle = {{USENIX Security Symposium (USENIX Security)}},
     publisher = {USENIX},
     year = {2025}
   }

3. Usenix Security

   HateBench: Benchmarking Hate Speech Detectors on LLM-Generated Content and Hate Campaigns

   Xinyue Shen, Yixin Wu, Yiting Qu, Michael Backes, Savvas Zannettou, and Yang Zhang

   In USENIX Security Symposium (USENIX Security), 2025

   arXiv Bib Code Website

   @inproceedings{SWQBZZ25,
     author = {Shen, Xinyue and Wu, Yixin and Qu, Yiting and Backes, Michael and Zannettou, Savvas and Zhang, Yang},
     title = {{HateBench: Benchmarking Hate Speech Detectors on LLM-Generated Content and Hate Campaigns}},
     booktitle = {{USENIX Security Symposium (USENIX Security)}},
     publisher = {USENIX},
     year = {2025}
   }

4. CCS

   UnsafeBench: Benchmarking Image Safety Classifiers on Real-World and AI-Generated Images

   Yiting Qu, Xinyue Shen, Yixin Wu, Michael Backes, Savvas Zannettou, and Yang Zhang

   2025

   arXiv Bib Code Website

   @article{QSWBZZ25,
     author = {Qu, Yiting and Shen, Xinyue and Wu, Yixin and Backes, Michael and Zannettou, Savvas and Zhang, Yang},
     title = {{UnsafeBench: Benchmarking Image Safety Classifiers on Real-World and AI-Generated Images}},
     booktitle = {{ACM Conference on Computer and Communications Security (CCS)}},
     publisher = {ACM},
     year = {2025}
   }

5. arxiv

   GEO-Detective: Unveiling Location Privacy Risks in Images with LLM Agents

   Xinyu Zhang, Yixin Wu, Boyang Zhang, Chenhao Lin, Chao Shen, Michael Backes, and Yang Zhang

   CoRR arXiv:2511.22441, 2025

   arXiv Bib

   @article{YWSDBZ25,
     author = {Zhang, Xinyu and Wu, Yixin and Zhang, Boyang and Lin, Chenhao and Shen, Chao and Backes, Michael and Zhang, Yang},
     title = {{GEO-Detective: Unveiling Location Privacy Risks in Images with LLM Agents}},
     journal = {{CoRR arXiv:2511.22441}},
     year = {2025}
   }

6. arxiv

   The Challenge of Identifying the Origin of Black-Box Large Language Models

   Ziqing Yang, Yixin Wu, Yun Shen, Wei Dai, Michael Backes, and Yang Zhang

   CoRR arXiv:2503.04332, 2025

   arXiv Bib

   @article{YWSDBZ26,
     author = {Yang, Ziqing and Wu, Yixin and Shen, Yun and Dai, Wei and Backes, Michael and Zhang, Yang},
     title = {{The Challenge of Identifying the Origin of Black-Box Large Language Models}},
     journal = {{CoRR arXiv:2503.04332}},
     year = {2025}
   }

2024

1. Usenix Security

   Quantifying Privacy Risks of Prompts in Visual Prompt Learning

   Yixin Wu, Rui Wen, Michael Backes, Pascal Berrang, Mathias Humbert, Yun Shen, and Yang Zhang

   In USENIX Security Symposium (USENIX Security), 2024

   Bib PDF Video Code Slides Website

   @inproceedings{WWBBHSZ24,
     author = {Wu, Yixin and Wen, Rui and Backes, Michael and Berrang, Pascal and Humbert, Mathias and Shen, Yun and Zhang, Yang},
     title = {{Quantifying Privacy Risks of Prompts in Visual Prompt Learning}},
     booktitle = {{USENIX Security Symposium (USENIX Security)}},
     publisher = {USENIX},
     year = {2024}
   }

2. CCS

   Image-Perfect Imperfections: Safety, Bias, and Authenticity in the Shadow of Text-To-Image Model Evolution

   Yixin Wu, Yun Shen, Michael Backes, and Yang Zhang

   In ACM Conference on Computer and Communications Security (CCS), 2024

   Bib PDF Slides Website

   @inproceedings{WSBZ24,
     author = {Wu, Yixin and Shen, Yun and Backes, Michael and Zhang, Yang},
     title = {Image-Perfect Imperfections: Safety, Bias, and Authenticity in the Shadow of Text-To-Image Model Evolution},
     booktitle = {{ACM Conference on Computer and Communications Security (CCS)}},
     publisher = {ACM},
     year = {2024}
   }

3. PETS

   Link Stealing Attacks Against Inductive Graph Neural Networks

   Yixin Wu, Xinlei He, Pascal Berrang, Mathias Humbert, Michael Backes, Neil Zhenqiang Gong, and Yang Zhang

   In Privacy Enhancing Technologies Symposium (PETS), 2024

   Bib PDF Code Slides Website

   @inproceedings{WHBHBGZ24,
     author = {Wu, Yixin and He, Xinlei and Berrang, Pascal and Humbert, Mathias and Backes, Michael and Gong, Neil Zhenqiang and Zhang, Yang},
     title = {{Link Stealing Attacks Against Inductive Graph Neural Networks}},
     booktitle = {{Privacy Enhancing Technologies Symposium (PETS)}},
     publisher = {PETS},
     year = {2024}
   }

4. EMNLP

   The Death and Life of Great Prompts: Analyzing the Evolution of LLM Prompts from the Structural Perspective

   Yihan Ma, Xinyue Shen, Yixin Wu, Boyang Zhang, Michael Backes, and Yang Zhang

   In Empirical Methods in Natural Language Processing (EMNLP), 2024

   Bib PDF Website

   @inproceedings{MSWZBZ24,
     author = {Ma, Yihan and Shen, Xinyue and Wu, Yixin and Zhang, Boyang and Backes, Michael and Zhang, Yang},
     title = {{The Death and Life of Great Prompts: Analyzing the Evolution of LLM Prompts from the Structural Perspective}},
     booktitle = {{Empirical Methods in Natural Language Processing (EMNLP)}},
     publisher = {EMNLP},
     year = {2024}
   }

5. arxiv

   Voice Jailbreak Attacks Against GPT-4o

   Xinyue Shen^*, Yixin Wu^*, Michael Backes, and Yang Zhang

   CoRR abs/2405.19103, 2024

   arXiv Bib Code Website

   @article{SWBZ24,
     author = {Shen, Xinyue and Wu, Yixin and Backes, Michael and Zhang, Yang},
     title = {{Voice Jailbreak Attacks Against GPT-4o}},
     journal = {{CoRR abs/2405.19103}},
     year = {2024}
   }

2022

1. arxiv

   Membership Inference Attacks Against Text-to-image Generation Models

   Yixin Wu, Ning Yu, Zheng Li, Michael Backes, and Yang Zhang

   CoRR abs/2210.00968, 2022

   Bib PDF Website

   @article{WYLBZ22,
     author = {Wu, Yixin and Yu, Ning and Li, Zheng and Backes, Michael and Zhang, Yang},
     title = {{Membership Inference Attacks Against Text-to-image Generation Models}},
     journal = {{CoRR abs/2210.00968}},
     year = {2022}
   }

2021

1. arxiv

   Node-Level Membership Inference Attacks Against Graph Neural Networks

   Xinlei He, Rui Wen, Yixin Wu, Michael Backes, Yun Shen, and Yang Zhang

   CoRR abs/2102.05429, 2021

   Bib PDF Website

   @article{HWWBSZ21,
     author = {He, Xinlei and Wen, Rui and Wu, Yixin and Backes, Michael and Shen, Yun and Zhang, Yang},
     title = {{Node-Level Membership Inference Attacks Against Graph Neural Networks}},
     journal = {{CoRR abs/2102.05429}},
     year = {2021}
   }