About

Bo Li is an Associate Professor at the Siebel School of Computing and Data Science at the University of Illinois Urbana-Champaign. His research interests include information theory, game theory, privacy, trustworthy machine learning, security, and artificial intelligence. He has received numerous honors for his work, including the IJCAI Computers and Thought Award in 2022, the AI's 10 to Watch in 2022, and the NSF CAREER Award in 2020. Bo Li has also been recognized with awards such as the Dean's Award for Excellence in Research, the C.W. Gear Outstanding Junior Faculty Award, and the MIT Technology Review 35 Innovators Under 35. He teaches courses related to trustworthy machine learning, security, privacy, and data science, and is actively involved in advancing research in AI safety, cybersecurity, and trustworthy AI systems.

Research topics

• Computer Science
• Computer Security
• Artificial Intelligence
• Machine Learning
• Mathematics
• Data science
• Mathematical optimization
• Software engineering
• Theoretical computer science
• Remote sensing
• Computer vision
• Knowledge management

Selected publications

• AgentArk: Distilling Multi-Agent Intelligence into a Single LLM Agent

  Open MIND · 2026-02-03

  preprint

  While large language model (LLM) multi-agent systems achieve superior reasoning performance through iterative debate, practical deployment is limited by their high computational cost and error propagation. This paper proposes AgentArk, a novel framework to distill multi-agent dynamics into the weights of a single model, effectively transforming explicit test-time interactions into implicit model capabilities. This equips a single agent with the intelligence of multi-agent systems while remaining computationally efficient. Specifically, we investigate three hierarchical distillation strategies across various models, tasks, scaling, and scenarios: reasoning-enhanced fine-tuning; trajectory-based augmentation; and process-aware distillation. By shifting the burden of computation from inference to training, the distilled models preserve the efficiency of one agent while exhibiting strong reasoning and self-correction performance of multiple agents. They further demonstrate enhanced robustness and generalization across diverse reasoning tasks. We hope this work can shed light on future research on efficient and robust multi-agent development. Our code is at https://github.com/AIFrontierLab/AgentArk.

  DOI

• AgentArk: Distilling Multi-Agent Intelligence into a Single LLM Agent

  ArXiv.org · 2026-02-03

  articleOpen access

  While large language model (LLM) multi-agent systems achieve superior reasoning performance through iterative debate, practical deployment is limited by their high computational cost and error propagation. This paper proposes AgentArk, a novel framework to distill multi-agent dynamics into the weights of a single model, effectively transforming explicit test-time interactions into implicit model capabilities. This equips a single agent with the intelligence of multi-agent systems while remaining computationally efficient. Specifically, we investigate three hierarchical distillation strategies across various models, tasks, scaling, and scenarios: reasoning-enhanced fine-tuning; trajectory-based augmentation; and process-aware distillation. By shifting the burden of computation from inference to training, the distilled models preserve the efficiency of one agent while exhibiting strong reasoning and self-correction performance of multiple agents. They further demonstrate enhanced robustness and generalization across diverse reasoning tasks. We hope this work can shed light on future research on efficient and robust multi-agent development. Our code is at https://github.com/AIFrontierLab/AgentArk.

  PublisherOA PDF

• COMMIT: Certifying Robustness of Multi-Sensor Fusion Systems Against Semantic Attacks

  Proceedings of the AAAI Conference on Artificial Intelligence · 2025-04-11

  articleOpen accessSenior author

  Multi-sensor fusion systems (MSFs) play a vital role as the perception module in modern autonomous vehicles (AVs). Therefore, ensuring their robustness against common and realistic adversarial semantic transformations, such as rotation and shifting in the physical world, is crucial for the safety of AVs. While empirical evidence suggests that MSFs exhibit improved robustness compared to single-modal models, they are still vulnerable to adversarial semantic transformations. In addition, although many empirical defenses have been proposed, several works show that these defenses can be further attacked by new adaptive attacks. So far, there is no certified defense proposed for MSFs. In this work, we propose the first robustness certification framework COMMIT to certify the robustness of multi-sensor fusion systems against semantic attacks. In particular, we propose a practical anisotropic noise mechanism that leverages randomized smoothing on multi-modal data and performs a grid-based splitting method to characterize complex semantic transformations. We also propose efficient algorithms to compute the certification in terms of object detection accuracy and IoU for large-scale MSF models. Empirically, we evaluate the efficacy of COMMIT in different settings and provide a comprehensive benchmark of certified robustness for different MSF models using the CARLA simulation platform. We show that the certification for MSF models is at most 48.39% higher than that of single-modal models, which validates the advantages of MSF models. We believe our certification framework and benchmark will contribute an important step towards certifiably robust AVs in practice.

  PublisherOA PDFDOI

• A two-stage retired batteries screening solution through dynamic characteristic imaging processing

  Engineering Applications of Artificial Intelligence · 2025-11-20

  article
  PublisherDOI

• Hierarchical Deep Decision Tree-Based Network for Odontogenic Cystic Lesion Classification in CBCT Images

  IEEE Journal of Biomedical and Health Informatics · 2025-10-07

  article

  Odontogenic cystic lesions (OCLs) are complex jaw abnormalities that require a precise diagnosis of the disease for treatment. Visual OCL diagnosis is commonly based on reviewing cone-beam computed tomography (CBCT) to identify morpho-pathological features associated with specific lesion types in a hierarchical manner. Current state-of-the-art methods focus on extracting features from the image without any guidance beyond the lesion diagnosis, and do not fully leverage the hierarchical relationship between the lesion diagnosis and morphological features. In this study, we propose a hierarchical deep decision tree network (H2DT-Net) with three modules: a deep decision tree-based hierarchical learning module (DHLM) to leverage inter-categorical relationships; a feature category embedding module (FCEM) to capture representations from both diagnostic and morpho-pathological domains and support the DHLM; and a lesion localised attention module (LLAM) to facilitate the feature extraction process by generating lesion-focused attention maps. Evaluated on 289 CBCT images, H2DT-Net achieved state-of-the-art performance in OCL classification. We further demonstrate that our method is effective in clinical settings, where it outperformed six maxillofacial clinicians in diagnostic assessment.

  PublisherDOI

• Boosting Adversarial Transferability with Spatial Adversarial Alignment

  arXiv (Cornell University) · 2025-01-02

  preprintOpen access

  Deep neural networks are vulnerable to adversarial examples that exhibit transferability across various models. Numerous approaches are proposed to enhance the transferability of adversarial examples, including advanced optimization, data augmentation, and model modifications. However, these methods still show limited transferability, particularly in cross-architecture scenarios, such as from CNN to ViT. To achieve high transferability, we propose a technique termed Spatial Adversarial Alignment (SAA), which employs an alignment loss and leverages a witness model to fine-tune the surrogate model. Specifically, SAA consists of two key parts: spatial-aware alignment and adversarial-aware alignment. First, we minimize the divergences of features between the two models in both global and local regions, facilitating spatial alignment. Second, we introduce a self-adversarial strategy that leverages adversarial examples to impose further constraints, aligning features from an adversarial perspective. Through this alignment, the surrogate model is trained to concentrate on the common features extracted by the witness model. This facilitates adversarial attacks on these shared features, thereby yielding perturbations that exhibit enhanced transferability. Extensive experiments on various architectures on ImageNet show that aligned surrogate models based on SAA can provide higher transferable adversarial examples, especially in cross-architecture attacks.

  PublisherOA PDFDOI

• Enhancing Diffusion-based Unrestricted Adversarial Attacks via Adversary Preferences Alignment

  ArXiv.org · 2025-06-02

  preprintOpen access

  Preference alignment in diffusion models has primarily focused on benign human preferences (e.g., aesthetic). In this paper, we propose a novel perspective: framing unrestricted adversarial example generation as a problem of aligning with adversary preferences. Unlike benign alignment, adversarial alignment involves two inherently conflicting preferences: visual consistency and attack effectiveness, which often lead to unstable optimization and reward hacking (e.g., reducing visual quality to improve attack success). To address this, we propose APA (Adversary Preferences Alignment), a two-stage framework that decouples conflicting preferences and optimizes each with differentiable rewards. In the first stage, APA fine-tunes LoRA to improve visual consistency using rule-based similarity reward. In the second stage, APA updates either the image latent or prompt embedding based on feedback from a substitute classifier, guided by trajectory-level and step-wise rewards. To enhance black-box transferability, we further incorporate a diffusion augmentation strategy. Experiments demonstrate that APA achieves significantly better attack transferability while maintaining high visual consistency, inspiring further research to approach adversarial attacks from an alignment perspective. Code will be available at https://github.com/deep-kaixun/APA.

  PublisherOA PDFDOI

• Automatic recognition of adrenal incidentalomas using a two-stage cascade network: a multicenter study

  Annals of Medicine · 2025-08-07 · 2 citations

  articleOpen access

  BACKGROUND: The incidence of adrenal incidentalomas (AIs) is increasing yearly. The early discovery of AIs is helpful to better manage adrenal diseases, especially subclinical primary aldosteronism, Cushing's syndrome and pheochromocytoma. METHODS: In this multicenter retrospective study, a total of 778 patients from three different medical centers were assessed. The two-stage cascade network consisted of a 3D Res-Unet network for adrenal gland segmentation and a classifier for determining the presence of AIs. The segmentation network was mainly evaluated by the Dice similarity coefficient (DSC), and the classifier was evaluated by the area under the receiver operator characteristic curve (AUC), accuracy, sensitivity, and specificity. The Delong test was used to compare the classification performance between the cascade network and manual segmentation. RESULTS: > 0.05). In the test cohort, the cascade network achieved AUC of more than 80% and accuracy of more than 75% for both left and right adrenal glands. CONCLUSIONS: The two-stage cascade network based on a deep learning algorithm can be used for automatic recognition of AIs in nonenhanced CT from different centers.

  PublisherOA PDFDOI

• Sparse Transfer Learning Accelerates and Enhances Certified Robustness: A Comprehensive Study

  Proceedings of the AAAI Conference on Artificial Intelligence · 2025-04-11

  articleOpen access

  Certified robustness is a critical measure for assessing the reliability of machine learning systems. Traditionally, the computational burden associated with certifying the robustness of machine learning models has posed a substantial challenge, particularly with the continuous expansion of model sizes. In this paper, we introduce an innovative approach to expedite the verification process for L2-norm certified robustness through sparse transfer learning. Our approach is both efficient and effective. It leverages verification results obtained from pre-training tasks and applies sparse updates to these results. To enhance performance, we incorporate dynamic sparse mask selection and introduce a novel stability-based regularizer called DiffStab. Empirical results demonstrate that our method accelerates the verification process for downstream tasks by as much as 70-80%, with only slight reductions in certified accuracy compared to dense parameter updates. We further validate that this performance improvement is even more pronounced in the few-shot transfer learning scenario.

  PublisherOA PDFDOI

• Regularized artificial neural network based patent value interval prediction model

  2024-06-30

  articleSenior author

  With the increasing competition in intellectual property rights, patent value prediction has become a hot research issue in the field of intellectual property rights. Most of the current research on patent value either predicts some structural indicators (e.g., citations) or the intrinsic value of patents, but there is relatively little work on predicting the actual value of patents. Patent value prediction faces the following challenges, including: (1)data: the amount of actual transaction data of patents is small and difficult to collect, so the amount of training data and test data can be used is small; (2)features: how to extract the valuation features of the patent, especially technical features from unstructured patent texts; (3)model and validation: how to build a model for predicting patent prices and how to verify the accuracy of our experimental results. To solve these problems, we propose a regularized artificial neural network based patent value interval prediction model: (1) in terms of data, we extract the value data of patents from the official websites of several universities in China, the oceantomo patent trading platform in the United States, and the Patsnap platform, which come with information such as the actual transaction price or the bidding and asking price. (2) in terms of features, we extract the unstructured textual features of patent portfolios, technical features, and structured features of fifteen patents as the valuation features of patents; (3) in terms of model and validation, we use regularized artificial neural networks to give prediction intervals and prediction uncertainty, and validate the model with a measure of numerical intervals. We compare the model with the baseline model and the results show that our model achieves good results.

  PublisherDOI

Recent grants

• CAREER: DeepTrust: Enabling Robust Machine Learning with Exogenous Information

  NSF · $500k · 2021–2027

• AF: Small: Collaborative Research: Rigorous Approaches for Scalable Privacy-preserving Deep Learning

  NSF · $208k · 2019–2023

Frequent coauthors

• Dawn Song

  15 shared

• Chaowei Xiao

  11 shared

• Linyi Li

  10 shared

• Mingyan Liu

  University of Michigan–Ann Arbor

  9 shared

• Shouhong Ding

  Tencent (China)

  8 shared

• Xingjun Ma

  8 shared

• Xiaojun Xu

  Zhejiang A & F University

  8 shared

• Xinyun Chen

  7 shared

Labs

• Siebel School of Computing and Data SciencePI

Awards & honors

• IJCAI Computers and Thought Award (2022)
• AI's 10 to Watch (2022)
• Google Faculty Research Award (2022)
• First prize in the International Verification Neural Network…
• Dean's Award for Excellence in Research (2022)