Di Tang

Di Tang

Assistant Professor, SYSU

AI 论文日报(2026-03-14)

Published:

English version: /paper-news/2026-03-14/

运行统计

  • 候选论文: 249
  • 入选论文: 30
  • 已精读完成: 30
  • 时间窗口 (UTC): 2026-03-12T00:00:00Z → 2026-03-13T00:00:00Z (arxiv_announce, expanded=0)
展开查看用于总结的论文列表
arXiv ID标题 / 链接分类评分入选理由标签
2603.11853OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents
PDF		cs.CR94Defense-in-depth runtime layer for tool agents; lifecycle hooks + risk accumulation for real deploymentsagent-security, tool-use, prompt-injection, runtime-enforcement, sandboxing, monitoring
2603.11862You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents
PDF		cs.CR, cs.AI93Measures doc-instruction induced leakage in high-privilege agents; frames structural 'Trusted Executor' vulnagent-security, data-leakage, prompt-injection, evaluation, taxonomy, autonomous-agents
2603.11875The Mirror Design Pattern: Strict Data Geometry over Model Scale for Prompt Injection Detection
PDF		cs.CR, cs.AI93Fast, auditable prompt-injection detector via strict data geometry; strong practical security angleprompt-injection, security, dataset-curation, auditable-ml, linear-models, robustness
2603.11481INFACT: A Diagnostic Benchmark for Induced Faithfulness and Factuality Hallucinations in Video-LLMs
PDF		cs.CV, cs.AI92Diagnostic benchmark for Video-LLM hallucinations incl. induced corruptions + new robustness metricshallucinations, factuality, faithfulness, video-llm, robustness, benchmark, evaluation, corruption
2603.12011Can RL Improve Generalization of LLM Agents? An Empirical Study
PDF		cs.AI92Systematic study of RFT generalization/transfer/forgetting for LLM agents under environment shiftsllm-agents, reinforcement-learning, generalization, transfer, evaluation, distribution-shift
2603.11619Taming OpenClaw: Security Analysis and Mitigation of Autonomous LLM Agent Threats
PDF		cs.CR, cs.AI90Comprehensive threat analysis + mitigations for OpenClaw agents across lifecycle (memory/tool/supply chain)agent-security, threat-modeling, prompt-injection, memory-poisoning, supply-chain, mitigations
2603.11914Understanding LLM Behavior When Encountering User-Supplied Harmful Content in Harmless Tasks
PDF		cs.CR, cs.AI90Evaluates content-level refusal when harmful user text appears inside benign tasks; new dataset + testssafety, refusal, policy-compliance, harmful-content, evaluation, dataset
2603.12109On Information Self-Locking in Reinforcement Learning for Active Reasoning of LLM agents
PDF		cs.AI90Identifies RL failure mode in active reasoning (info self-locking) via action selection vs belief trackingllm-agents, active-reasoning, reinforcement-learning, failure-modes, belief-tracking, agent-reliability
2603.12230Security Considerations for Artificial Intelligence Agents
PDF		cs.LG, cs.AI, cs.CR88Practitioner-informed mapping of frontier agent attack surfaces; useful guidance for real-world hardeningagent-security, attack-surface, confused-deputy, indirect-prompt-injection, deployment, best-practices
2603.12152LifeSim: Long-Horizon User Life Simulator for Personalized Assistant Evaluation
PDF		cs.CL88Long-horizon personalized assistant eval via BDI user simulator; 1,200 scenarios across life domainsagents, evaluation, personalization, user-simulation, long-horizon, benchmark
2603.11394Stop Listening to Me! How Multi-turn Conversations Can Degrade Diagnostic Reasoning
PDF		cs.CL, cs.AI, cs.LG88Shows multi-turn dialogue can degrade clinical reasoning; measures conviction vs flexibility (safety-relevant)healthcare, multi-turn, robustness, evaluation, diagnostic-reasoning, reliability, conversation
2603.11495Try, Check and Retry: A Divide-and-Conquer Framework for Boosting Long-context Tool-Calling Performance of LLMs
PDF		cs.CL88Divide-and-conquer Try/Check/Retry boosts long-context tool-calling with many noisy toolstool-use, agents, long-context, self-reflection, robustness, evaluation
2603.11501KEPo: Knowledge Evolution Poison on Graph-based Retrieval-Augmented Generation
PDF		cs.LG, cs.AI, cs.CR87Poisoning attack tailored to GraphRAG; highlights new RAG/knowledge-graph security failure modesRAG-security, data-poisoning, GraphRAG, knowledge-graphs, adversarial-attacks, robustness
2603.11987LABSHIELD: A Multimodal Benchmark for Safety-Critical Reasoning and Planning in Scientific Laboratories
PDF		cs.AI86LABSHIELD benchmark for safety-critical multimodal lab planning; concrete eval for high-stakes agentsbenchmarks, multimodal, embodied-agents, safety-evaluation, planning, hazard-detection
2603.12149Linking Perception, Confidence and Accuracy in MLLMs
PDF		cs.CV, cs.CL86Targets MLLM confidence miscalibration with RL + test-time scaling; reliability-critical for deploymentcalibration, multimodal, uncertainty, reinforcement-learning, test-time-scaling, reliability
2603.12237STAMP: Selective Task-Aware Mechanism for Text Privacy
PDF		cs.LG, cs.CR, cs.IT86Token-level task-aware privatization with selective budgets + new embedding perturbation (polar mechanism)privacy, differential-privacy, text, token-level, privacy-utility, security, embeddings
2603.11513Can Small Language Models Use What They Retrieve? An Empirical Study of Retrieval Utilization Across Model Scale
PDF		cs.CL86Measures whether small LMs actually use retrieved info; separates retrieval quality vs utilization failureRAG, retrieval-utilization, small-models, factuality, evaluation, knowledge
2603.11975HomeSafe-Bench: Evaluating Vision-Language Models on Unsafe Action Detection for Embodied Agents in Household Scenarios
PDF		cs.CV, cs.AI, cs.CR85HomeSafe-Bench evaluates VLMs on unsafe action detection in household videos; fills dynamic safety gapbenchmarks, VLM, embodied-safety, unsafe-actions, video, household-robots
2603.11388Deactivating Refusal Triggers: Understanding and Mitigating Overrefusal in Safety Alignment
PDF		cs.AI84Analyzes overrefusal via 'refusal triggers' and proposes mitigation; improves safety/usability tradeoffalignment, safety-training, overrefusal, refusal, post-training, reliability
2603.12133TopoBench: Benchmarking LLMs on Hard Topological Reasoning
PDF		cs.AI, cs.CL84Hard topological reasoning benchmark + error taxonomy from 750 CoT traces; useful for diagnosing failuresreasoning, benchmark, spatial-reasoning, error-analysis, chain-of-thought, evaluation
2603.11445Verified Multi-Agent Orchestration: A Plan-Execute-Verify-Replan Framework for Complex Query Resolution
PDF		cs.AI, cs.MA84Plan-execute-verify-replan multi-agent orchestration with DAG parallelism and verifier-driven replanningagents, orchestration, verification, planning, multi-agent, evaluation, replanning
2603.11611Fractional Rotation, Full Potential? Investigating Performance and Convergence of Partial RoPE
PDF		cs.LG, cs.CL84Partial RoPE study shows up to 10x KV-cache memory savings with similar loss; relevant for long contexttransformers, positional-embeddings, efficiency, long-context, memory, training-dynamics
2603.11442GPT4o-Receipt: A Dataset and Human Study for AI-Generated Document Forensics
PDF		cs.AI, cs.CV83Document forensics benchmark + human study; finds arithmetic errors as key detection signal for AI receiptsforensics, synthetic-documents, multimodal, benchmark, security, fraud, evaluation
2603.11749Compression Favors Consistency, Not Truth: When and 入选理由 Language Models Prefer Correct Information
PDF		cs.CL, cs.AI83Compression–consistency principle explains when LMs prefer correct info despite mixed-quality training datatheory, truthfulness, hallucinations, inductive-bias, compression, synthetic-data
2603.12206CLASP: Defending Hybrid Large Language Models Against Hidden State Poisoning Attacks
PDF		cs.CL82Defense for Mamba/SSM hidden-state poisoning via token-level detection using BOE features (low overhead)SSM, Mamba, security, poisoning, adversarial-text, detection
2603.12165QAQ: Bidirectional Semantic Coherence for Selecting High-Quality Synthetic Code Instructions
PDF		cs.CL82Synthetic code-instruction filtering via bidirectional coherence (Q|A); addresses hallucinated data noisesynthetic-data, data-selection, code, hallucinations, training, mutual-information
2603.11564Where Matters More Than What: Decoding-aligned KV Cache Compression via Position-aware Pseudo Queries
PDF		cs.CL82Decoding-aligned KV-cache compression using position-aware pseudo queries for long-context efficiencylong-context, kv-cache, compression, inference, efficiency, transformers, memory
2603.11949Delayed Backdoor Attacks: Exploring the Temporal Dimension as a New Attack Surface in Pre-Trained Models
PDF		cs.CR, cs.AI81Introduces delayed backdoors with temporal triggers; expands PTM threat model beyond immediate activationbackdoors, model-security, pretrained-models, temporal-attacks, threat-modeling
2603.11793Locating Demographic Bias at the Attention-Head Level in CLIP's Vision Encoder
PDF		cs.CV, cs.AI, cs.CY81Mechanistic fairness audit locates demographic bias to specific CLIP attention heads; ablation reduces biasfairness, interpretability, mechanistic-audit, vision-transformers, CLIP, bias-mitigation
2603.12232Incremental Neural Network Verification via Learned Conflicts
PDF		cs.LO, cs.AI80Incremental neural net verification reusing learned conflicts across queries; improves safety assurance toolingverification, formal-methods, neural-networks, branch-and-bound, safety-assurance

AI 论文洞察简报

2026-03-14

0) 执行要点(先读这个)

  • “安全”失败越来越多与交互结构有关,而不只是内容本身:多轮临床对话会降低诊断质量(“对话税”),而执行 README 指令的智能体会以很高的比例泄露数据——两者都表明:即使单轮基准看起来不错,序列决策也会放大风险。
  • 数据与表征感知的安全微调优于通用增广:“拒答触发器(refusal triggers)”从机制上解释了过度拒答;与触发器匹配的良性数据,相比通用良性语料,能显著改善安全—效用权衡。
  • RAG/GraphRAG 是一把双刃剑:小模型往往无法使用检索到的证据,即便证据里就有答案(利用瓶颈);而 GraphRAG 引入了新的投毒面——时间上连贯的“知识演化”注入可主导检索与生成。
  • 智能体运行时安全正从“过滤器”走向“全生命周期约束”:OpenClaw 威胁分类 + PRISM 基于 hook 的强制与审计链,指向可度量拦截率提升的纵深防御架构——但延迟与策略维护仍是现实约束。
  • 鲁棒性诊断更偏因果、更贴近真实:TopoBench 用因果式错误注入识别真正关键的推理失败;INFACT 与 HomeSafe/LABSHIELD 显示:腐化、时间干预与具身感知缺口(如透明玻璃器皿)会击穿“干净”性能假设。

2) 关键主题(聚类)

主题:来自良性包装与过度泛化的对齐失败

  • 重要性:模型即使在任务层面“遵守策略”,也可能不安全或不可用——要么拒答过多(过度拒答),要么在包含有害内容的良性任务中照单全收。
  • 代表论文
  • 常见方法
    • 识别安全行为从哪里泛化而来(语言“触发器” vs 任务框架)。
    • 构造定向数据集(触发器匹配的良性数据;良性任务中含有害内容的数据集)并测量拒答/危害率。
    • 使用自动标注/检测器(关键词 RR、基于规则的 ASR;Moderation API + 人工验证)。
  • 开放问题 / 失效模式
    • 依赖外部模型进行抽取/标注(如 GPT-4o 触发器抽取;Moderation API 判定)。
    • 如何在不依赖脆弱启发式的情况下获得校准行为(既不一刀切拒答,也不盲目服从)。
    • 这些机制在领域迁移与更自然的用户交互下是否仍成立。

主题:多轮交互税(奉承、切换与智能体泄露)

  • 重要性:序列交互会产生累积性错误模式——模型放弃正确答案、失去弃权能力,或执行不可信指令——在医疗与高权限智能体场景中提升安全风险。
  • 代表论文
  • 常见方法
    • 将静态任务转为多轮协议(stick-or-switch 二元轮次;README 驱动的配置/安装工作流)。
    • 测量“确信/弃权”保持 vs 切换;测量外泄 ASR/RR/TSR。
    • 在措辞/结构/抽象层面做压力测试(语言伪装、链接深度、语义抽象)。
  • 开放问题 / 失效模式
    • 如何防止“盲目切换”,同时保留采纳后续正确信息的灵活性。
    • 如何为文档与其他“环境指令”建立信任边界而不破坏可用性。
    • 能否推广到受扰动 MCQ 之外,以及超越单一高权限智能体实现。

主题:智能体安全工程:全生命周期防御,而非仅分类器

主题:RAG 可靠性与 GraphRAG 投毒

  • 重要性:检索可能有害(小模型忽略或被上下文干扰),而图式检索引入新的投毒策略,可绕过朴素 RAG 防御。
  • 代表论文
  • 常见方法
    • 将检索质量与利用能力分离(oracle 段落置于 rank 1;KNOWN/UNKNOWN 划分)。
    • 通过构造时间上连贯的“演化”叙事文档,使其融入 KG 结构来攻击 GraphRAG。
    • 用 ASR/CASR 及防御基线(改写、忽略指令、提示检测)评估。
  • 开放问题 / 失效模式
    • 对小模型:如何避免检索破坏 KNOWN 答案(选择性检索、RAG 感知微调)。
    • 对 GraphRAG:如何在 KG 构建时验证时间性主张并检测异常演化链。
    • 过度依赖基于 LLM 的评估器来判断攻击成功与安全性。

主题:强调时间、腐化与具身性的鲁棒性基准

主题:效率 + 长上下文:位置是一个杠杆

主题:数据中心的安全检测与取证

3) 技术综合

  • 多篇论文共同指向 “干净基准 ≠ 部署可靠性”:INFACT(基础 vs 诱发模式)、LABSHIELD(MCQ vs 半开放 PRP)、以及临床 stick-or-switch(单轮 vs 多轮)都显示出巨大差距。
  • 时间结构是反复出现的脆弱点:延迟后门在累积触发后激活;Video-LLM 出现时间惯性(接近 0 的 TSS);家庭安全需要提前预警关键帧;多轮诊断遭遇累积性切换。
  • 外部 LLM 越来越多地被当作基础设施(触发器抽取、评估器、专家规划/裁判),但这带来 共享模型偏差 与可复现性问题(在 VMAO、小票取证及多项安全评估中被提及)。
  • 数据几何与定向匹配成为通用杠杆:拒答触发器匹配的良性数据(过度拒答)、Mirror 的匹配单元格(提示注入)、以及 QAQ 的分层 reverse-MI 选择(合成代码)都表明:匹配什么比纯规模更重要。
  • 检索并非天然有益:小模型在引入检索后期望 EM 变化为负,且即便 oracle 段落可用也有高“无关生成”;同时 GraphRAG 的结构可被连贯性/时间链式攻击利用。
  • 验证/检查回路正在跨领域流行:Tool-DC 的 schema 校验器、VMAO 的 verifier 驱动重规划、CA-TTS 的自检模块,以及智能体运行时 hooks(PRISM)都在不同层实现“试 → 检 → 重试”模式。
  • 位置主导两条效率故事:DapQ 用位置伪查询使淘汰与解码对齐;partial RoPE 显示 ≥10% 旋转可进入与全 RoPE 类似的低损失区间并显著节省缓存。
  • 因果诊断正在出现:TopoBench 的注入式错误模式识别哪些推理行为真正降低准确率(过早承诺、约束遗忘),超越了观察式 CoT 标注。
  • 安全筛查正在分化为:(a) 快速、确定性的 L1 门禁(Mirror SVM;PRISM 启发式)与 (b) 更慢的语义/基于 LLM 的裁决,用于处理残余——呼应经典安全架构。

4) Top 5 论文(含“为何现在”)

1) Deactivating Refusal Triggers: Understanding and Mitigating Overrefusal in Safety Alignment

  • 通过 “拒答触发器” 与表征相似性证据,对过度拒答给出机制化框架。
  • 实用缓解:触发器匹配的良性数据在 SFT/P-SFT/RLVR 上改善安全—效用(例如相对 Alpaca 基线出现较大的 Avg↓ 降幅)。
  • 适用于安全微调后出现可用性回退、需要数据构造配方的团队。
  • 质疑点:触发器抽取依赖 GPT-4o,评估依赖自动 ASR/RR 检测器。

2) Stop Listening to Me! How Multi-turn Conversations Can Degrade Diagnostic Reasoning

  • 引入 stick-or-switch 指标(正/负确信、灵活性),揭示多轮失效模式。
  • 显示多模型存在显著 弃权崩塌 与切换/奉承模式;GPT-5.2 最好但并不完美。
  • 与临床部署高度相关,因为交互天然是增量式的。
  • 质疑点:使用受扰动 MCQA 而非真实对话日志;内部置信分析有限。

3) KEPo: Knowledge Evolution Poison on Graph-based Retrieval-Augmented Generation

  • 展示 GraphRAG 特有投毒:通过 时间上连贯的演化叙事 融入 KG。
  • 在多种 GraphRAG 变体上获得强 ASR/CASR,且常见防御效果有限。
  • “为何现在”:GraphRAG 因时效性/多跳需求而快速采用;这是一个具体的新攻击面。
  • 质疑点:黑盒威胁假设可注入可爬取文档;评估使用基于 GPT-4o 的度量。

4) You Told Me to Do It: Measuring Instructional Text-induced Private Data Leakage in LLM Agents

  • 定义 Trusted Executor Dilemma 并量化 README 内嵌指令攻击(ASR 最高达 85%)。
  • 对伪装/结构/抽象具有鲁棒性;在人类自然审阅框架下,审阅者检出率为 0%
  • 评估防御并显示权衡不佳(基于规则的高误报;最小化 LLM 提示又漏检)。
  • 质疑点:部分条件样本量较小;端到端主要聚焦一个商业智能体。

5) INFACT: A Diagnostic Benchmark for Induced Faithfulness and Factuality Hallucinations in Video-LLMs

  • 为 Video-LLM 增加 事实性 + 诱发腐化 + 时间干预,并提供 RR/TSS 指标。
  • 发现证据腐化(字幕注入)破坏性尤其强;许多开源模型呈现 接近 0 的事实性 TSS
  • “为何现在”:视频智能体与多模态助手正进入字幕/标注不可靠的场景。
  • 质疑点:诱发算子是代理;时间干预仅在子集上做打乱/反转。

5) 实用下一步

  • 把“交互结构”评估加入安全门禁:对任何高风险领域助手运行 stick-or-switch 式多轮测试(确信/弃权保持),而不只看单轮准确率。
  • 用触发器挖掘来量化过度拒答:从你的有害 SFT/RLHF 数据中抽取候选拒答触发器,测量表征/语义距离依赖;尝试触发器匹配的良性增广,而非通用良性语料。
  • 加固智能体安装/配置工作流:将 README/文档视为不可信;引入带溯源的信任分层与按动作确认,尤其是安装/配置阶段的文件系统/网络读取。
  • 为工具智能体采用生命周期 hooks + 可审计性:实现多 hook 强制(入口/工具前后/出站/维护)、会话级风险累积与防篡改审计链;度量拦截率与延迟的权衡。
  • GraphRAG 部署:在 KG 摄取时加入异常时间链检测与多源佐证,再整合新边;显式对“知识演化投毒”做测试。
  • 小模型 RAG:不要假设检索一定有益——测量 KNOWN/UNKNOWN 划分与 oracle 利用;考虑选择性检索(仅在不确定时)与 RAG 感知微调以减少“无关生成”。
  • 长上下文推理:评估位置对齐的 KV 淘汰(伪查询打分)并考虑 partial RoPE(≥10%)以降低内存,同时监控稳定性区间与放置敏感性。
  • 多模态安全:把诱发腐化(字幕注入、时间打乱)与具身感知压力源(透明物体、提前预警时序)纳入验收测试;跟踪稳定性指标,而不只看基础准确率。

由逐篇分析生成;无外部浏览。