Tong Zhou

Hi, I am Tong (周桐 in Chinese) and welcome to my page! I’m currently a fourth-year PhD student in the Department of Electrical & Computer Engineering at Northeastern University, Boston, advised by Prof. Xiaolin Xu, and I work closely with Prof. Shaolei Ren as well. Before that, I earned my master’s degree from University of Michigan, Ann Arbor, in 2019, and my bachelor’s degree (with honors) from Xidian University, Xi’an, in 2015.

My research focuses on three key areas in artificial intelligence (AI): security, privacy, and efficiency. This involves protecting the intellectual property of machine learning (ML) models, safeguarding user privacy, and optimizing the deployment of these models. I am dedicated to developing innovative solutions that mitigate risks and vulnerabilities in the application of ML models, ultimately contributing to the advancement of trustworthy and efficient AI.

I have recently been working on security issues in generative AI, with a specific emphasis on achieving reliable AI detection and implementing regulations to ensure its safe usage and mitigate the risk of abuse. If you find these topics interesting and would like to collaborate, please feel free to send me an email.

News

Oct 28, 2024	Our work, Probe-Me-Not, has been accepted to NDSS 2025! It introduces protections for encoders against malicious probing and fine-tuning. Congratulations to all collaborators! 🎉 🎉
Oct 11, 2024	Thrilled to announce that I’ve been selected for the NeurIPS 2024 Scholar Award! Huge thanks to NeurIPS!
Sep 25, 2024	Our work Bileve is accepted by NeurIPS 2024. 🎉 We propose a bi-level signature scheme to safeguard LLM-generated texts against both forgery and evasion attacks.
Jun 29, 2024	Our work AdaPI is accepted by ICCAD 2024. It achieves adaptive private inference, efficiently ensuring model security and data privacy in edge computing.
May 20, 2024	Excited to join Amazon as an Applied Scientist Intern, working on account integrity! 🎊
Feb 26, 2024	Our work TBNet is accepted by DAC 2024!
Jan 16, 2024	Our work ArchLock is accepted by ICLR 2024! 🎉 It defends against unauthorized transfer/fine-tuning at the network’s architecture level.

Selected Publications

NeurIPS

Bileve: Securing Text Provenance in Large Language Models Against Spoofing with Bi-level Signature

Tong Zhou, Xuandong Zhao, Xiaolin Xu, and Shaolei Ren

In The Thirty-eighth Annual Conference on Neural Information Processing Systems, 2024

Abs

Text watermarks for large language models (LLMs) have been commonly used to identify the origins of machine-generated content, which is promising for assessing liability when combating deepfake or harmful content. While existing watermarking techniques typically prioritize robustness against removal attacks, unfortunately, they are vulnerable to spoofing attacks: malicious actors can subtly alter the meanings of LLM-generated responses or even forge harmful content, potentially misattributing blame to the LLM developer. To overcome this, we introduce a bi-level signature scheme, Bileve, which embeds fine-grained signature bits for integrity checks (mitigating spoofing attacks) as well as a coarse-grained signal to trace text sources when the signature is invalid (enhancing detectability) via a novel rank-based sampling strategy. Compared to conventional watermark detectors that only output binary results, Bileve can differentiate 5 scenarios during detection, reliably tracing text provenance and regulating LLMs. The experiments conducted on OPT-1.3B and LLaMA-7B demonstrate the effectiveness of Bileve in defeating spoofing attacks with enhanced detectability.
ICLR

ArchLock: Locking DNN Transferability at the Architecture Level with a Zero-Cost Binary Predictor

Tong Zhou, Shaolei Ren, and Xiaolin Xu

In The Twelfth International Conference on Learning Representations, 2024

Abs PDF Code

Deep neural network (DNN) models are vulnerable to misuse by attackers who try to adapt them to other tasks. Existing defenses focus on model parameters, neglecting architectural-level defenses. This paper introduces ArchLock, a method utilizing neural architecture search (NAS) and zero-cost proxies to generate models with low transferability, hindering attackers’ attempts. ArchLock maintains high performance on the original task while minimizing performance on potential target tasks.
ICML

NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation

Tong Zhou, Yukui Luo, Shaolei Ren, and Xiaolin Xu

In Proceedings of the 40th International Conference on Machine Learning, 23–29 jul 2023

Abs PDF Code

NNSplitter is a novel IP protection scheme for DNN models, dividing them into an obfuscated portion stored in normal memory and model secrets stored in secure memory. The obfuscated model, with perturbed weights, hampers attackers’ efforts, while authorized users accessing secure memory achieve high performance. This approach ensures protection against adaptive attacks, maintaining security for DNN models.
ICCAD

ObfuNAS: A Neural Architecture Search-based DNN Obfuscation Approach (Best Paper Nomination)

Tong Zhou, Shaolei Ren, and Xiaolin Xu

In Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design, 23–29 jul 2022

Abs PDF Code

ObfuNAS tackles the threat of malicious architecture extraction in DNN security. By converting architecture obfuscation into a neural architecture search problem, it ensures that obfuscated models perform worse than the original.