Arrow Research search

Author name cluster

Lina Wang

Possible papers associated with this exact author name in Arrow. This page groups case-insensitive exact name matches and is not a full identity disambiguation profile.

15 papers
1 author row

Possible papers

JBHI Journal 2026 Journal Article

Contactless Intelligent Anti-Interference Lung Nodule Detection Method for Early Disease Detection

  • Jijing Cai
  • Lina Wang
  • Jiuqing Cai
  • Zixin Deng
  • Zijia Yang
  • Hailin Feng

Detection of lung nodules is key in the treatment of early-stage lung cancer. Computed tomography (CT) scanning technology is an essential contactless tool. However, stray radiation caused by a patient's slight movements and equipment operation can impair CT images, hindering accurate lung nodule detection. To address these issues, this study proposes an artificial intelligence-based anti-interference lung nodule detection method, which is primarily structured with Yolov8 and combines the modules of adaptive gating sparse attention (AGSA) and haar wavelet downsampling (HWD), referred to as Yolov8-AH. This model aimed to improve the accuracy of lung nodule detection in lung CT images under interference conditions. AGSA focuses on key areas of the image, promoting detection stability even when CT images are disturbed. Furthermore, HWD prioritizes the frequency components corresponding to the size and shape of the nodules, enhancing their visibility for easier detection and analysis. HWD effectively reduces image noise without significantly blurring the lung nodule edges, emphasizing them prominently within the lung tissue. Furthermore, when combined with the Yolov8 deep learning model driven by artificial intelligence, the model could accurately detect lung nodules, significantly aiding in early diagnosis and treatment. The effectiveness of the Yolov8-AH detection model was verified through ablation experiments, experiments under varying noise intensities, and experiments under different noise application ratios. The experimental results demonstrate that, compared to existing lung nodule detection models, the Yolov8-AH model achieves a 24% improvement in mAP50 and an 8.2% improvement in precision.

AAAI Conference 2026 Conference Paper

MacPrompt: Maraconic-Guided Jailbreak Against Text-to-Image Models

  • Xi Ye
  • Yiwen Liu
  • Lina Wang
  • Run Wang
  • Geying Yang
  • Yufei Hou
  • Jiayi Yu

Text-to-image (T2I) models have raised increasing safety concerns due to their capacity to generate NSFW and other banned objects. To mitigate these risks, safety filters and concept removal techniques have been introduced to block inappropriate prompts or erase sensitive concepts from the models. However, all the existing defense methods are not well prepared to handle diverse adversarial prompts. In this work, we introduce MacPrompt, a novel black-box and cross-lingual attack that reveals previously overlooked vulnerabilities in T2I safety mechanisms. Unlike existing attacks that rely on synonym substitution or prompt obfuscation, MacPrompt constructs macaronic adversarial prompts by performing cross-lingual character-level recombination of harmful terms, enabling fine-grained control over both semantics and appearance. By leveraging this design, MacPrompt crafts prompts with high semantic similarity to the original harmful inputs (up to 0.96) while bypassing major safety filters (up to 100%). More critically, it achieves attack success rates as high as 92% for sex-related content and 90% for violence, effectively breaking even state-of-the-art concept removal defenses. These results underscore the pressing need to reassess the robustness of existing T2I safety mechanisms against linguistically diverse and fine-grained adversarial strategies. Warning: This paper includes sensitive examples (e.g., adult, violent, or illegal content). Unsafe images are masked but may still be disturbing.

AAAI Conference 2026 Conference Paper

PCFormer: Accelerating Privacy-preserving Transformer Inference by Partition and Combination

  • Bo Zeng
  • Zhi Pang
  • Yuyang Zhang
  • Kai Zhao
  • Tian Wu
  • Geying Yang
  • Lina Wang
  • Run Wang

In recent years, transformer-based models have achieved remarkable success in sensitive domains, including healthcare, finance and personalized services, but their deployment raises significant privacy concerns. Existing secure inference studies have introduced cryptographic techniques such as Homomorphic Encryption (HE) and Secure Multi-Party Computation (MPC). However, these approaches either target isolated model components or incur prohibitive computational and communication overheads, failing to support latency-sensitive or resource-limited environments. In our investigation, we identify substantial redundancy in the nonlinear operations and their alternation with linear layers in deep learning. Motivated by this observation, we propose PCFormer, a universal optimization methodology tailored for sequences of linear and nonlinear computations in the Transformer. PCFormer introduces structure-aware partition and combination techniques specially designed for Multi-Head Attention (MHA) and Feed-Forward Network (FFN). Specifically, we reveal the discrete sources of redundancy in the Softmax and GeLU functions during inference, implementing partitions at the token and channel levels, respectively. Subsequently, these reductions are then combined with the preceding and succeeding linear operations, thereby enhancing both computational and communication efficiency. Experimental results on GLUE benchmarks demonstrate that PCFormer achieves a 1.9× speedup in both computation and communication without compromising accuracy, compared to existing privacy-preserving Transformer frameworks. Furthermore, we demonstrate that PCFormer generalizes effectively to other deep learning architectures involving structured linear-nonlinear compositions under cryptographic constraints.

AAAI Conference 2026 Conference Paper

ReLUPruner: Rethinking ReLU Importance with Taylor Expansion for Efficient Private Inference

  • Zhenpeng Li
  • Jinshuo Liu
  • Xinyan Wang
  • Lina Wang
  • Jeff Z. Pan

With the growing adoption of Machine-Learning-As-A-Service (MLaaS), Private Inference (PI) has emerged as a promising solution to address its security concerns through cryptographic techniques. However, nonlinear operations in neural networks account for most of the computational and communication overhead in PI. Existing studies mainly focus on optimizing and reducing the number of ReLU activations in neural networks, but traditional pruning methods may mistakenly remove ReLUs that are critical to maintaining model accuracy. To accurately evaluate the importance of ReLUs in the network, we propose ReLUPruner, a method that uses Taylor expansion to quantify the impact on loss before and after ReLU replacement. Furthermore, we establish a hierarchical importance metric to guide layer-wise ReLU budget allocation and adopt a progressive pruning strategy that dynamically adjusts the pruning rate of each layer according to training progress. Extensive experiments on various models and datasets show that ReLUPruner achieves a good balance between ReLU budget and model accuracy, yielding improvements of 1.89% (12.9k ReLUs, CIFAR-10), 3.62% (50k ReLUs, CIFAR-100) and 2.66% (30k ReLUs, Tiny-ImageNet) over the previous state-of-the-art.

AAAI Conference 2026 Conference Paper

Semantic Alignment of Malicious Question Based on Contrastive Semantic Networks and Data Augmentation (Abstract Reprint)

  • Xinyan Wang
  • Jinshuo Liu
  • Juan Deng
  • Meng Wang
  • Qian Deng
  • Youcheng Yan
  • Lina Wang
  • Yunsong Ma

The identification and filtration of malicious texts in social media environments represent a significant technical challenge aimed at protecting users from online violence and disinformation. This complexity stems from the diversity and innovativeness of social media texts, which include unique expressions and special sentence structures. Particularly, malicious texts in interrogative forms pose alignment challenges with traditional corpora due to existing methods’ failure to exploit the text’s deep global semantic representations. This issue is compounded by the scant research on Chinese texts, leading to inefficiencies in recognition accuracy. To mitigate these challenges, we introduce an innovative framework based on a Global Contrastive Semantic Network (GCSN), designed to enhance malicious text recognition efficiency and accuracy by deeply learning global semantic knowledge. It comprises an encoder for global semantic information modelling and a graph-matching network for semantic similarity evaluation between question pairs, enabling the accurate identification and filtering of malicious texts with complex structures. Furthermore, we introduce a semantic consistency-based data augmentation method (COMBINE), using real-world data to generate balanced positive and negative samples, enriching the dataset and enhancing the model’s ability to distinguish semantic consistency through contrastive learning. Experimental validation on two Chinese datasets demonstrates our model’s exceptional performance, affirming its application value in social media malicious text recognition. Our code is available at https://github.com/Wxy13131313131/GCSN-COMBINE

NeurIPS Conference 2025 Conference Paper

Analogy-based Multi-Turn Jailbreak against Large Language Models

  • Mengjie Wu
  • Yihao Huang
  • Zhenjun Lin
  • Kangjie Chen
  • Yuyang Zhang
  • Yuhan Huang
  • Run Wang
  • Lina Wang

Large language models (LLMs) are inherently designed to support multi-turn interactions, which opens up new possibilities for jailbreak attacks that unfold gradually and potentially bypass safety mechanisms more effectively than single-turn attacks. However, current multi-turn jailbreak methods are still in their early stages and suffer from two key limitations. First, they all inherently require inserting sensitive phrases into the context, which makes the dialogue appear suspicious and increases the likelihood of rejection, undermining the effectiveness of the attack. Second, even when harmful content is generated, the response often fails to align with the malicious prompt due to semantic drift, where the conversation slowly moves away from its intended goal. To address these challenges, we propose an analogy-based black-box multi-turn jailbreak framework that constructs fully benign contexts to improve attack success rate while ensuring semantic alignment with the malicious intent. The method first guides the model through safe tasks that mirror the response structure of the malicious prompt, enabling it to internalize the format without exposure to sensitive content. A controlled semantic shift is then introduced in the final turn, substituting benign elements with malicious ones while preserving structural coherence. Experiments on six commercial and open-source LLMs, two benchmark datasets show that our method significantly improves attack performance, achieving an average attack success rate of 93.3% and outperforming five competitive baselines. Our code is released at https://github.com/MM-WW55/AMA

IJCAI Conference 2025 Conference Paper

HIPP: Protecting Image Privacy via High-Quality Reversible Protected Version

  • Xi Ye
  • Lina Wang
  • Run Wang
  • Jiatong Liu
  • Geying Yang

With the rapid development of the internet, sharing photos through Social Network Platforms (SNPs) has become a new way for people to socialize, which poses serious threats to personal privacy. Recently, a thumbnail-preserving image privacy protection technique has emerged and garnered widespread attention. However, the existing schemes based on this technique often introduce noticeable noise into the protected image, resulting in poor visual quality. Motivated by the observation that a latent vector can be decoupled into the detail and contour components, in this paper, we propose HIPP, a thumbnail-preserving image privacy protection scheme that decouples the detail and contour information contained in the latent vector corresponding to the original image and reconstructs details by generation model. As a result, the generated protected image appears natural and has a thumbnail similar to the original one. Moreover, the protected images can be restored to versions that are indistinguishable from the original images. Experiments on CelebA, Helen, and LSUN datasets show that the SSIM between the restored and original images achieves 0.9899. Furthermore, compared to the previous works, HIPP achieves the lowest runtime and file expansion rate, with values of 0.07 seconds and 1.1046, respectively.

JAIR Journal 2025 Journal Article

Semantic Alignment of Malicious Question Based on Contrastive Semantic Networks and Data Augmentation

  • Xinyan Wang
  • Jinshuo Liu
  • Juan Deng
  • Meng Wang
  • Qian Deng
  • Youcheng Yan
  • Lina Wang
  • Yunsong Ma

The identification and filtration of malicious texts in social media environments represent a significant technical challenge aimed at protecting users from online violence and disinformation. This complexity stems from the diversity and innovativeness of social media texts, which include unique expressions and special sentence structures. Particularly, malicious texts in interrogative forms pose alignment challenges with traditional corpora due to existing methods' failure to exploit the text's deep global semantic representations. This issue is compounded by the scant research on Chinese texts, leading to inefficiencies in recognition accuracy. To mitigate these challenges, we introduce an innovative framework based on a Global Contrastive Semantic Network (GCSN), designed to enhance malicious text recognition efficiency and accuracy by deeply learning global semantic knowledge. It comprises an encoder for global semantic information modelling and a graph-matching network for semantic similarity evaluation between question pairs, enabling the accurate identification and filtering of malicious texts with complex structures. Furthermore, we introduce a semantic consistency-based data augmentation method (COMBINE), using real-world data to generate balanced positive and negative samples, enriching the dataset and enhancing the model's ability to distinguish semantic consistency through contrastive learning. Experimental validation on two Chinese datasets demonstrates our model's exceptional performance, affirming its application value in social media malicious text recognition. Our code is available at https://github.com/Wxy13131313131/GCSN-COMBINE

AAAI Conference 2025 Conference Paper

Transfer Learning of Real Image Features with Soft Contrastive Loss for Fake Image Detection

  • Ziyou Liang
  • Weifeng Liu
  • Run Wang
  • Mengjie Wu
  • Boheng Li
  • Yuyang Zhang
  • Lina Wang
  • Xinyi Yang

In the last few years, the artifact patterns in fake images synthesized by different generative models have been inconsistent, leading to the failure of previous research that relied on spotting subtle differences between real and fake. In our preliminary experiments, we find that the artifacts in fake images always change with the development of the generative model, while natural images exhibit stable statistical properties. In this paper, we employ natural traces shared only by real images as an additional target for a classifier. Specifically, we introduce a self-supervised feature mapping process for natural trace extraction and develop a transfer learning based on soft contrastive loss to bring them closer to real images and further away from fake ones. This motivates the detector to make decisions based on the proximity of images to the natural traces. To conduct a comprehensive experiment, we built a high-quality and diverse dataset that includes generative models comprising GANs and diffusion models, to evaluate the effectiveness in generalizing unknown forgery techniques and robustness in surviving different transformations. Experimental results show that our proposed method gives 96.2% mAP, significantly outperforming the baselines. Extensive experiments conducted on the widely recognized platform Midjourney reveal that our proposed method achieves an accuracy exceeding 78.4%, underscoring its practicality for real-world application deployment.

JBHI Journal 2024 Journal Article

A ROI Extraction Method for Wrist Imaging Applied in Smart Bone-Age Assessment System

  • Lina Wang
  • Yan Mao
  • Jinfeng Xu
  • Jianan Wu
  • Kunxiu Wu
  • Keji Mao
  • Kai Fang

Bone Age (BA) is reckoned to be closely associated with the growth and development of teenagers, whose assessment highly depends on the accurate extraction of the reference bone from the carpal bone. Being uncertain in its proportion and irregular in its shape, wrong judgment and poor average extraction accuracy of the reference bone will no doubt lower the accuracy of Bone Age Assessment (BAA). In recent years, machine learning and data mining are widely embraced in smart healthcare systems. Using these two instruments, this article aims to tackle the aforementioned problems by proposing a Region of Interest (ROI) extraction method for wrist X-ray images based on optimized YOLO model. The method combines Deformable convolution-focus (Dc-focus), Coordinate attention (Ca) module, Feature level expansion, and Efficient Intersection over Union (EIoU) loss all together as YOLO-DCFE. With the improvement, the model can better extract the features of irregular reference bone and reduce the potential misdiscrimination between the reference bone and other similarly shaped reference bones, improving the detection accuracy. We select 10041 images taken by professional medical cameras as the dataset to test the performance of YOLO-DCFE. Statistics show the advantages of YOLO-DCFE in detection speed and high accuracy. The detection accuracy of all ROIs is 99.8%, which is higher than other models. Meanwhile, YOLO-DCFE is the fastest of all comparison models, with the Frames Per Second (FPS) reaching 16.

AAAI Conference 2024 Conference Paper

Chronic Poisoning: Backdoor Attack against Split Learning

  • Fangchao Yu
  • Bo Zeng
  • Kai Zhao
  • Zhi Pang
  • Lina Wang

Split learning is a computing resource-friendly distributed learning framework that protects client training data by splitting the model between the client and server. Previous work has proved that split learning faces a severe risk of privacy leakage, as a malicious server can recover the client's private data by hijacking the training process. In this paper, we first explore the vulnerability of split learning to server-side backdoor attacks, where our goal is to compromise the model's integrity. Since the server-side attacker cannot access the training data and client model in split learning, the traditional poisoning-based backdoor attack methods are no longer applicable. Therefore, constructing backdoor attacks in split learning poses significant challenges. Our strategy involves the attacker establishing a shadow model on the server side that can encode backdoor samples and guiding the client model to learn from this model during the training process, thereby enabling the client to acquire the same capability. Based on these insights, we propose a three-stage backdoor attack framework named SFI. Our attack framework minimizes assumptions about the attacker's background knowledge and ensures that the attack process remains imperceptible to the client. We implement SFI on various benchmark datasets, and extensive experimental results demonstrate its effectiveness and generality. For example, success rates of our attack on MNIST, Fashion, and CIFAR10 datasets all exceed 90%, with limited impact on the main task.

AAAI Conference 2024 Conference Paper

TraceEvader: Making DeepFakes More Untraceable via Evading the Forgery Model Attribution

  • Mengjie Wu
  • Jingui Ma
  • Run Wang
  • Sidan Zhang
  • Ziyou Liang
  • Boheng Li
  • Chenhao Lin
  • Liming Fang

In recent few years, DeepFakes are posing severe threats and concerns to both individuals and celebrities, as realistic DeepFakes facilitate the spread of disinformation. Model attribution techniques aim at attributing the adopted forgery models of DeepFakes for provenance purposes and providing explainable results to DeepFake forensics. However, the existing model attribution techniques rely on the trace left in the DeepFake creation, which can become futile if such traces were disrupted. Motivated by our observation that certain traces served for model attribution appeared in both the high-frequency and low-frequency domains and play a divergent role in model attribution. In this work, for the first time, we propose a novel training-free evasion attack, TraceEvader, in the most practical non-box setting. Specifically, TraceEvader injects universal imitated traces learned from wild DeepFakes into the high-frequency component and introduces adversarial blur into the domain of the low-frequency component, where the added distortion confuses the extraction of certain traces for model attribution. The comprehensive evaluation on 4 state-of-the-art (SOTA) model attribution techniques and fake images generated by 8 generative models including generative adversarial networks (GANs) and diffusion models (DMs) demonstrates the effectiveness of our method. Overall, our TraceEvader achieves the highest average attack success rate of 79% and is robust against image transformations and dedicated denoising techniques as well where the average attack success rate is still around 75%. Our TraceEvader confirms the limitations of current model attribution techniques and calls the attention of DeepFake researchers and practitioners for more robust-purpose model attribution techniques.

IJCAI Conference 2022 Conference Paper

Anti-Forgery: Towards a Stealthy and Robust DeepFake Disruption Attack via Adversarial Perceptual-aware Perturbations

  • Run Wang
  • Ziheng Huang
  • Zhikai Chen
  • Li Liu
  • Jing Chen
  • Lina Wang

DeepFake is becoming a real risk to society and brings potential threats to both individual privacy and political security because DeepFaked multimedia are realistic and convincing. However, the popular DeepFake passive detection is an ex-post forensics countermeasure and failed in blocking the disinformation spreading in advance. To address this limitation, researchers study the proactive defense techniques by adding adversarial noises into the source data to disrupt the DeepFake manipulation. However, the existing studies on proactive DeepFake defense via injecting adversarial noises are not robust, which could be easily bypassed by employing simple image reconstruction revealed in a recent study MagDR. In this paper, we investigate the vulnerability of the existing forgery techniques and propose a novel anti-forgery technique that helps users protect the shared facial images from attackers who are capable of applying the popular forgery techniques. Our proposed method generates perceptual-aware perturbations in an incessant manner which is vastly different from the prior studies by adding adversarial noises that are sparse. Experimental results reveal that our perceptual-aware perturbations are robust to diverse image transformations, especially the competitive evasion technique, MagDR via image reconstruction. Our findings potentially open up a new research direction towards thorough understanding and investigation of perceptual-aware adversarial attack for protecting facial images against DeepFakes in a proactive and robust manner. Code is available at https://github.com/AbstractTeen/AntiForgery.

IJCAI Conference 2022 Conference Paper

MetaFinger: Fingerprinting the Deep Neural Networks with Meta-training

  • Kang Yang
  • Run Wang
  • Lina Wang

As deep neural networks (DNNs) play a critical role in various fields, the models themselves hence are becoming an important asset that needs to be protected. To achieve this, various neural network fingerprint methods have been proposed. However, existing fingerprint methods fingerprint the decision boundary by adversarial examples, which is not robust to model modification and adversarial defenses. To fill this gap, we propose a robust fingerprint method MetaFinger, which fingerprints the inner decision area of the model by meta-training, rather than the decision boundary. Specifically, we first generate many shadow models with DNN augmentation as meta-data. Then we optimize some images by meta-training to ensure that only models derived from the protected model can recognize them. To demonstrate the robustness of our fingerprint approach, we evaluate our method against two types of attacks including input modification and model modification. Experiments show that our method achieves 99.34% and 97.69% query accuracy on average, surpassing existing methods over 30%, 25% on CIFAR-10 and Tiny-ImageNet, respectively. Our code is available at https://github.com/kangyangWHU/MetaFinger.