Tong Zhou


Hi, I am Tong (周桐 in Chinese) and welcome to my page! I’m a final-year PhD student in the Department of Electrical & Computer Engineering at Northeastern University, Boston, advised by Prof. Xiaolin Xu, and I work closely with Prof. Shaolei Ren as well. Before that, I earned my master’s degree from University of Michigan, Ann Arbor, in 2019, and my bachelor’s degree (with honors) from Xidian University, Xi’an, in 2015.

My research advances trustworthy AI by building secure, private, and accountable machine learning systems. I work at the intersection of AI, security, privacy, and hardware to address critical challenges across the ML lifecycle, centered on:

  • Model Security: Protecting AI models from theft, reverse engineering, and unauthorized fine-tuning through architecture obfuscation, weight protection, trusted execution environments (TEEs), and usage control mechanisms.

  • Privacy-Preserving Inference: Enabling efficient and confidential edge-cloud inference by co-optimizing models with cryptographic protocols.

  • Generative AI Attribution: Establishing verifiable content provenance through asymmetric watermarking and cryptographic signatures for text and images.

  • Responsible Generative AI: Ensuring AI generation is safe and aligned with human values through proactive content steering and prevention mechanisms.

If you find these topics interesting and would like to collaborate, please feel free to send me an email.

News

Jun 2, 2025 Excited to join Microsoft as an Applied Scientist Intern, working on Copilot Agent for personalized long-form text completion.
Apr 11, 2025 Honored to be invited by the UMass Dartmouth CIS Seminar to give a talk on anti-forgery watermarks for AI-generated content.
Mar 5, 2025 Our work, ProDiF, has been accepted to ICLR Workshop 2025! It provides comprehensive protection for on-device ML models against model extraction and subsequent unauthorized fine-tuning.
Oct 28, 2024 Our work, Probe-Me-Not, has been accepted to NDSS 2025! It introduces protections for encoders against malicious probing and fine-tuning. Congratulations to all collaborators! 🎉 🎉
Oct 11, 2024 Thrilled to announce that I’ve been selected for the NeurIPS 2024 Scholar Award! Huge thanks to NeurIPS!
Sep 25, 2024 Our work Bileve is accepted by NeurIPS 2024. 🎉 We propose a bi-level signature scheme to safeguard LLM-generated texts against both forgery and evasion attacks.
Jun 29, 2024 Our work AdaPI is accepted by ICCAD 2024. It achieves adaptive private inference, efficiently ensuring model security and data privacy in edge computing.
May 20, 2024 Excited to join Amazon as an Applied Scientist Intern, working on account integrity! 🎊
Feb 26, 2024 Our work TBNet is accepted by DAC 2024!
Jan 16, 2024 Our work ArchLock is accepted by ICLR 2024! 🎉 It defends against unauthorized transfer/fine-tuning at the network’s architecture level.

Selected Publications

  1. preprint
    A Content-dependent Watermark for Safeguarding Image Attribution
    Tong Zhou, Ruyi Ding, Gaowen Liu, Charles Fleming, and 4 more authors
    arXiv preprint arXiv:2509.10766, 2025
  2. NeurIPS
    Bileve: Securing Text Provenance in Large Language Models Against Spoofing with Bi-level Signature
Tong Zhou, Xuandong Zhao, Xiaolin Xu, and Shaolei Ren
    In The Thirty-eighth Annual Conference on Neural Information Processing Systems, 2024
  3. ICLR
    ArchLock: Locking DNN Transferability at the Architecture Level with a Zero-Cost Binary Predictor
Tong Zhou, Shaolei Ren, and Xiaolin Xu
    In The Twelfth International Conference on Learning Representations, 2024
  4. ICML
    NNSplitter: An Active Defense Solution for DNN Model via Automated Weight Obfuscation
Tong Zhou, Yukui Luo, Shaolei Ren, and Xiaolin Xu
In Proceedings of the 40th International Conference on Machine Learning, 23–29 Jul 2023
  5. ICCAD
    ObfuNAS: A Neural Architecture Search-based DNN Obfuscation Approach (Best Paper Nomination)
Tong Zhou, Shaolei Ren, and Xiaolin Xu
In Proceedings of the 41st IEEE/ACM International Conference on Computer-Aided Design, 2022