Yuan Tian
Verified · University of Virginia · Computer Science
Active 2004–2025
About
Yuan Tian is a Visiting Assistant Professor in the Department of Computer Science at the University of Virginia School of Engineering and Applied Science. His research interests include security and privacy, cyber-physical systems, machine learning, and human-computer interaction. His current research focuses on developing new technologies for protecting user privacy, particularly in mobile systems and the Internet of Things. His previous work on mobile and web security and privacy has been adopted by major technology companies such as Google, Facebook, Microsoft, Samsung, Evernote, and Dropbox, where his contributions have involved enhancing privacy protections and security measures in various platforms and services.
Research topics
- Computer Science
- Human–computer interaction
- Telecommunications
- Computer Security
- Artificial Intelligence
- Medicine
- Internal medicine
- Cell biology
- Speech recognition
- Biology
- Genetics
- Neuroscience
Selected publications
BMC Geriatrics · 2025-11-21
article · Open access
BACKGROUND: Post-induction hypotension (PIH) is a frequent complication among older adults undergoing general anaesthesia, associated with organ hypoperfusion and increased perioperative risk. The role of body mass index (BMI), a routinely assessed and potentially modifiable risk factor, in the development of PIH remains unclear in geriatric populations. METHODS: We conducted a retrospective cohort study of patients aged ≥ 60 years who underwent elective non-cardiac surgery under general anaesthesia between 2013 and 2022 at a tertiary hospital. Preoperative BMI was analysed both as a continuous and categorical variable. The primary outcome was PIH, defined as a systolic blood pressure < 90 mmHg or > 30% reduction from baseline during the post-induction period. Secondary outcomes included ICU admission, hospital length of stay, and in-hospital mortality. Non-linear associations were explored using restricted cubic spline models and segmented linear regression. RESULTS: A total of 70,487 patients were included in the final analysis, and PIH occurred in 73.3% of patients. A U-shaped association was observed between BMI and PIH, with the lowest risk between 24.2 and 29.7 kg/m². Patients below this range had significantly higher odds of PIH (OR 1.13; 95% CI 1.09-1.17), ICU admission (OR 1.31; 95% CI 1.24-1.39), and longer hospitalisation (IRR 1.08; 95% CI 1.06-1.10). Subgroup analyses showed significant interaction effects by sex, age, and hypertension. Sensitivity analyses excluding PIH as a covariate yielded consistent findings for secondary outcomes. CONCLUSIONS: BMI demonstrates a non-linear relationship with PIH and related outcomes. Both underweight and obese older adults are at increased risk. BMI should be integrated into preoperative risk stratification, and maintaining BMI within a moderate range may help reduce peri-induction haemodynamic instability.
Proceedings on Privacy Enhancing Technologies · 2025-05-19
article · Open access
City-wide free WiFi is one of the most common initiatives of smart city infrastructures. While city-wide free WiFi services are not subject to privacy-focused regulations and appeal to a broader demographic, how users perceive privacy in such services is unknown. This study explores perspectives of users in the United States regarding the privacy practices of such services as well as their expectations. We conducted surveys with 199 participants of US, consisting of those who had used such services (i.e., experienced users, n=99) and those who had not (i.e., potential users, n=100), assessing their satisfaction with the services, perceptions regarding data privacy practices of city-wide free WiFi services, and general expectations of privacy. We identify 14 key findings by analyzing the responses from participants. We found that participants are aware of the data collection and data sharing by the WiFi services and are uncomfortable with both but are still inclined to use the services as the need for WiFi outweighs privacy, as well as because of the significant trust they place in the services due to their non-profit and government-run nature. Our analysis provides actionable takeaways for researchers and practitioners, arguing for long-term privacy gains through a regulatory approach that treats city-wide WiFi as a utility, given the trust consumers place in it, and the overall tendency of consumers to trade-off privacy for WiFi access in this context.
From Alerts to Intelligence: A Novel LLM-Aided Framework for Host-based Intrusion Detection
ArXiv.org · 2025-07-15
preprint · Open access
Host-based intrusion detection system (HIDS) is a key defense component to protect the organizations from advanced threats like Advanced Persistent Threats (APT). By analyzing the fine-grained logs with approaches like data provenance, HIDS has shown successes in capturing sophisticated attack traces. Despite the progresses embarked by the research community and industry, HIDS still frequently encounters backlash from their operators in the deployed environments, due to issues like high false-positive rate, inconsistent outcomes across environments and human-unfriendly detection results. Large Language Models (LLMs) have great potentials to advance the state of HIDS, given their extensive knowledge of attack techniques and their ability to detect anomalies through semantic analysis, anchored by recent studies. Yet, our preliminary analysis indicates that building an HIDS by naively prompting an LLM is unlikely to succeed. In this work, we explore the direction of building a customized LLM pipeline for HIDS and develop a system named SHIELD. SHIELD addresses challenges related to LLM's token limits, confusion of background noises, etc., by integrating a variety of techniques like event-level Masked Autoencoder (MAE) for attack window detection, attack evidence identification and expansion, Deterministic Data Augmentation (DDA) for profiling normal activities, and multi-purpose prompting that guides the LLM to conduct precise and interpretable attack investigations. Extensive experiments on three log datasets (DARPA-E3, NodLink-simulated-data and ATLASv2) show that SHIELD consistently achieves outstanding performance in comparison with 5 representative HIDS. These findings highlight the potential of LLMs as powerful tools for intrusion detection and pave the way for future research in this domain.
SoK: Towards Effective Automated Vulnerability Repair
ArXiv.org · 2025-01-31
preprint · Open access · Senior author
The increasing prevalence of software vulnerabilities necessitates automated vulnerability repair (AVR) techniques. This Systematization of Knowledge (SoK) provides a comprehensive overview of the AVR landscape, encompassing both synthetic and real-world vulnerabilities. Through a systematic literature review and quantitative benchmarking across diverse datasets, methods, and strategies, we establish a taxonomy of existing AVR methodologies, categorizing them into template-guided, search-based, constraint-based, and learning-driven approaches. We evaluate the strengths and limitations of these approaches, highlighting common challenges and practical implications. Our comprehensive analysis of existing AVR methods reveals a diverse landscape with no single "best" approach. Learning-based methods excel in specific scenarios but lack complete program understanding, and both learning and non-learning methods face challenges with complex vulnerabilities. Additionally, we identify emerging trends and propose future research directions to advance the field of AVR. This SoK serves as a valuable resource for researchers and practitioners, offering a structured understanding of the current state-of-the-art and guiding future research and development in this critical domain.
AIBench: Towards trustworthy evaluation under the 45°law
Displays · 2025-10-20 · 5 citations
article
VulBinLLM: LLM-powered Vulnerability Detection for Stripped Binaries
ArXiv.org · 2025-05-28
preprint · Open access · Senior author
Recognizing vulnerabilities in stripped binary files presents a significant challenge in software security. Although some progress has been made in generating human-readable information from decompiled binary files with Large Language Models (LLMs), effectively and scalably detecting vulnerabilities within these binary files is still an open problem. This paper explores the novel application of LLMs to detect vulnerabilities within these binary files. We demonstrate the feasibility of identifying vulnerable programs through a combined approach of decompilation optimization to make the vulnerabilities more prominent and long-term memory for a larger context window, achieving state-of-the-art performance in binary vulnerability analysis. Our findings highlight the potential for LLMs to overcome the limitations of traditional analysis methods and advance the field of binary vulnerability detection, paving the way for more secure software systems. In this paper, we present Vul-BinLLM, an LLM-based framework for binary vulnerability detection that mirrors traditional binary analysis workflows with fine-grained optimizations in decompilation and vulnerability reasoning with an extended context. In the decompilation phase, Vul-BinLLM adds vulnerability and weakness comments without altering the code structure or functionality, providing more contextual information for vulnerability reasoning later. Then for vulnerability reasoning, Vul-BinLLM combines in-context learning and chain-of-thought prompting along with a memory management agent to enhance accuracy. Our evaluations encompass the commonly used synthetic dataset Juliet to evaluate the potential feasibility for analysis and vulnerability detection in C/C++ binaries. Our evaluations show that Vul-BinLLM is highly effective in detecting vulnerabilities on the compiled Juliet dataset.
Tight Privacy Audit in One Run
ArXiv.org · 2025-09-10
preprint · Open access
In this paper, we study the problem of privacy audit in one run and show that our method achieves tight audit results for various differentially private protocols. This includes obtaining tight results for auditing $(\varepsilon,\delta)$-DP algorithms where all previous work fails to achieve in any parameter setups. We first formulate a framework for privacy audit in one run with refinement compared with previous work. Then, based on modeling privacy by the $f$-DP formulation, we study the implications of our framework to obtain a theoretically justified lower bound for privacy audit. In the experiment, we compare with previous work and show that our audit method outperforms the rest in auditing various differentially private algorithms. We also provide experiments that give contrasting conclusions to previous work on the parameter settings for privacy audits in one run.
BadMerging: Backdoor Attacks Against Model Merging
2024-12-02 · 8 citations
article · Open access · Senior author
Fine-tuning pre-trained models for downstream tasks has led to a proliferation of open-sourced task-specific models. Recently, Model Merging (MM) has emerged as an effective approach to facilitate knowledge transfer among these independently fine-tuned models. MM directly combines multiple fine-tuned task-specific models into a merged model without additional training, and the resulting model shows enhanced capabilities in multiple tasks. Although MM provides great utility, it may come with security risks because an adversary can exploit MM to affect multiple downstream tasks. However, the security risks of MM have barely been studied. In this paper, we first find that MM, as a new learning paradigm, introduces unique challenges for existing backdoor attacks due to the merging process. To address these challenges, we introduce BadMerging, the first backdoor attack specifically designed for MM. Notably, BadMerging allows an adversary to compromise the entire merged model by contributing as few as one backdoored task-specific model. BadMerging comprises a two-stage attack mechanism and a novel feature-interpolation-based loss to enhance the robustness of embedded backdoors against the changes of different merging parameters. Considering that a merged model may incorporate tasks from different domains, BadMerging can jointly compromise the tasks provided by the adversary (on-task attack) and other contributors (off-task attack) and solve the corresponding unique challenges with novel attack designs. Extensive experiments show that BadMerging achieves remarkable attacks against various MM algorithms. Our ablation study demonstrates that the proposed attack designs can progressively contribute to the attack performance. Finally, we show that prior defense mechanisms fail to defend against our attacks, highlighting the need for more advanced defense. Our code is available at: https://github.com/jzhang538/BadMerging.
2024-04-14 · 3 citations
article · Open access · Senior author
Voice personal assistant (VPA) platforms (e.g., Amazon Alexa) allow developers to deploy their voice apps on third-party servers. However, this strategy introduces unexpected privacy risks to VPA customers. Malicious developers can dynamically change their app's behaviors to circumvent the platform's vetting process. This paper aims to systematically analyze Alexa's voice app ecosystem (i.e., Alexa skills), focusing on behavior manipulation (also referred to as skill behavior change). We identify the root causes of malicious skills getting published and propose a defense solution to effectively protect users. First, we uncover Amazon's skill vetting strategy and the privacy issues relevant to their vetting. We reveal that, in addition to the skill certification process before a skill gets published, Amazon also deploys a skill monitoring scheme after the skill is published. We further discover limitations of this monitoring scheme that have not been explored in previous research. Lastly, to address these issues, we propose a run-time skill monitoring approach to check the consistency of the skill behaviors when users interact with skills. Our findings suggest a call for action to improve the vetting process for VPA skills without placing a burden on skill developers and help developers adhere to policies.
Where Have You Been? A Study of Privacy Risk for Point-of-Interest Recommendation
2024-08-24 · 5 citations
article · Open access · Senior author
As location-based services (LBS) have grown in popularity, more human mobility data has been collected. The collected data can be used to build machine learning (ML) models for LBS to enhance their performance and improve overall experience for users. However, the convenience comes with the risk of privacy leakage since this type of data might contain sensitive information related to user identities, such as home/work locations. Prior work focuses on protecting mobility data privacy during transmission or prior to release, lacking the privacy risk evaluation of mobility data-based ML models. To better understand and quantify the privacy leakage in mobility data-based ML models, we design a privacy attack suite containing data extraction and membership inference attacks tailored for point-of-interest (POI) recommendation models, one of the most widely used mobility data-based ML models. These attacks in our attack suite assume different adversary knowledge and aim to extract different types of sensitive information from mobility data, providing a holistic privacy risk assessment for POI recommendation models. Our experimental evaluation using two real-world mobility datasets demonstrates that current POI recommendation models are vulnerable to our attacks. We also present unique findings to understand what types of mobility data are more susceptible to privacy attacks. Finally, we evaluate defenses against these attacks and highlight future directions and challenges.
Recent grants
NSF · $175k · 2019–2021
CAREER: Secure Voice-Controlled Platforms
NSF · $261k · 2020–2023
CICI: RDP: Enforcing Security and Privacy Policies to Protect Research Data
NSF · $925k · 2019–2023
Frequent coauthors
- 16 shared
Daniel H. Geschwind
Center for Autism and Related Disorders
- 15 shared
Tu Le
University of California, Irvine
- 12 shared
Bing Bai
Sun Yat-sen University Cancer Center
- 9 shared
Jennifer K. Lowe
- 8 shared
Tamjid Al Rahat
University of California, Los Angeles
- 8 shared
Alysson R. Muotri
University of California, San Diego
- 8 shared
Yuelun Zhang
Chinese Academy of Medical Sciences & Peking Union Medical College
- 8 shared
Yuguang Huang
Peking Union Medical College Hospital