Huajie Chen

Huajie Chen, Xiaoying Dai, Xingao Gong et al.

The Kohn-Sham equation is a powerful, widely used approach for computation of ground state electronic energies and densities in chemistry, materials science, biology, and nanosciences. In this paper, we study the adaptive finite element approximations for the Kohn-Sham model. Based on the residual type a posteriori error estimators proposed in this paper, we introduce an adaptive finite element algorithm with a quite general marking strategy and prove the convergence of the adaptive finite element approximations. Using D{\" o}rfler's marking strategy, we then get the convergence rate and quasi-optimal complexity. We also carry out several typical numerical experiments that not only support our theory,but also show the robustness and efficiency of the adaptive finite element computations in electronic structure calculations.

Chi Liu, Huajie Chen, Tianqing Zhu et al.

DeepFakes are raising significant social concerns. Although various DeepFake detectors have been developed as forensic countermeasures, these detectors are still vulnerable to attacks. Recently, a few attacks, principally adversarial attacks, have succeeded in cloaking DeepFake images to evade detection. However, these attacks have typical detector-specific designs, which require prior knowledge about the detector, leading to poor transferability. Moreover, these attacks only consider simple security scenarios. Less is known about how effective they are in high-level scenarios where either the detectors or the attacker's knowledge varies. In this paper, we solve the above challenges with presenting a novel detector-agnostic trace removal attack for DeepFake anti-forensics. Instead of investigating the detector side, our attack looks into the original DeepFake creation pipeline, attempting to remove all detectable natural DeepFake traces to render the fake images more "authentic". To implement this attack, first, we perform a DeepFake trace discovery, identifying three discernible traces. Then a trace removal network (TR-Net) is proposed based on an adversarial learning framework involving one generator and multiple discriminators. Each discriminator is responsible for one individual trace representation to avoid cross-trace interference. These discriminators are arranged in parallel, which prompts the generator to remove various traces simultaneously. To evaluate the attack efficacy, we crafted heterogeneous security scenarios where the detectors were embedded with different levels of defense and the attackers' background knowledge of data varies. The experimental results show that the proposed attack can significantly compromise the detection accuracy of six state-of-the-art DeepFake detectors while causing only a negligible loss in visual quality to the original DeepFake samples.

Huajie Chen, Xingao Gong, Lianhua He et al.

In this paper, we study finite dimensional approximations of Kohn-Sham models, which are widely used in electronic structure calculations. We prove the convergence of the finite dimensional approximations and derive the a priori error estimates for ground state energies and solutions. We also provide numerical simulations for several molecular systems that support our theory.

Yuzhi Zhou, Huajie Chen, Aihui Zhou

We propose a novel numerical algorithm for computing the electronic structure related eigenvalue problem of incommensurate systems. Unlike the conventional practice that approximates the system by a large commensurate supercell, our algorithm directly discretizes the eigenvalue problem under the framework of a plane wave method. The emerging ergodicity and the interpretation from higher dimensions give rise to many unique features compared to what we have been familiar with in the periodic system. The numerical results of 1D and 2D quantum eigenvalue problems are presented to show the reliability and efficiency of our scheme. Furthermore, the extension of our algorithm to full Kohn-Sham density functional theory calculations are discussed.

Huajie Chen, Tianqing Zhu, Lefeng Zhang et al.

Model extraction attacks currently pose a non-negligible threat to the security and privacy of deep learning models. By querying the model with a small dataset and usingthe query results as the ground-truth labels, an adversary can steal a piracy model with performance comparable to the original model. Two key issues that cause the threat are, on the one hand, accurate and unlimited queries can be obtained by the adversary; on the other hand, the adversary can aggregate the query results to train the model step by step. The existing defenses usually employ model watermarking or fingerprinting to protect the ownership. However, these methods cannot proactively prevent the violation from happening. To mitigate the threat, we propose QUEEN (QUEry unlEarNing) that proactively launches counterattacks on potential model extraction attacks from the very beginning. To limit the potential threat, QUEEN has sensitivity measurement and outputs perturbation that prevents the adversary from training a piracy model with high performance. In sensitivity measurement, QUEEN measures the single query sensitivity by its distance from the center of its cluster in the feature space. To reduce the learning accuracy of attacks, for the highly sensitive query batch, QUEEN applies query unlearning, which is implemented by gradient reverse to perturb the softmax output such that the piracy model will generate reverse gradients to worsen its performance unconsciously. Experiments show that QUEEN outperforms the state-of-the-art defenses against various model extraction attacks with a relatively low cost to the model accuracy. The artifact is publicly available at https://anonymous.4open.science/r/queen implementation-5408/.

Huajie Chen, Mingjie Liao, Hao Wang et al.

QM (quantum mechenics) and MM (molecular mechenics) coupling methods are widely used in simulations of crystalline defects. In this paper, we construct a residual based a posteriori error indicator for QM/MM coupling approximations. We prove the reliability of the error indicator (upper bound of the true approximation error) and develop some sampling techniques for its efficient calculation. Based on the error indicator and Dörfler marking strategy, we design an adaptive QM/MM algorithm for crystalline defects and demonstrate the efficiency with some numerical experiments.

Huajie Chen, Tianqing Zhu, Yuan Zhao et al.

Image deep steganography (IDS) is a technique that utilizes deep learning to embed a secret image invisibly into a cover image to generate a container image. However, the container images generated by convolutional neural networks (CNNs) are vulnerable to attacks that distort their high-frequency components. To address this problem, we propose a novel method called Low-frequency Image Deep Steganography (LIDS) that allows frequency distribution manipulation in the embedding process. LIDS extracts a feature map from the secret image and adds it to the cover image to yield the container image. The container image is not directly output by the CNNs, and thus, it does not contain high-frequency artifacts. The extracted feature map is regulated by a frequency loss to ensure that its frequency distribution mainly concentrates on the low-frequency domain. To further enhance robustness, an attack layer is inserted to damage the container image. The retrieval network then retrieves a recovered secret image from a damaged container image. Our experiments demonstrate that LIDS outperforms state-of-the-art methods in terms of robustness, while maintaining high fidelity and specificity. By avoiding high-frequency artifacts and manipulating the frequency distribution of the embedded feature map, LIDS achieves improved robustness against attacks that distort the high-frequency components of container images.

Ilyes Batatia, Lars L. Schaaf, Huajie Chen et al.

Graph Neural Networks (GNNs), especially message-passing neural networks (MPNNs), have emerged as powerful architectures for learning on graphs in diverse applications. However, MPNNs face challenges when modeling non-local interactions in graphs such as large conjugated molecules, and social networks due to oversmoothing and oversquashing. Although Spectral GNNs and traditional neural networks such as recurrent neural networks and transformers mitigate these challenges, they often lack generalizability, or fail to capture detailed structural relationships or symmetries in the data. To address these concerns, we introduce Matrix Function Neural Networks (MFNs), a novel architecture that parameterizes non-local interactions through analytic matrix equivariant functions. Employing resolvent expansions offers a straightforward implementation and the potential for linear scaling with system size. The MFN architecture achieves stateof-the-art performance in standard graph benchmarks, such as the ZINC and TU datasets, and is able to capture intricate non-local interactions in quantum systems, paving the way to new state-of-the-art force fields.

Yuchen Shi, Xin Guo, Huajie Chen et al.

Poisoning-based backdoor attacks pose significant threats to deep neural networks by embedding triggers in training data, causing models to misclassify triggered inputs as adversary-specified labels while maintaining performance on clean data. Existing poison restraint-based defenses often suffer from inadequate detection against specific attack variants and compromise model utility through unlearning methods that lead to accuracy degradation. This paper conducts a comprehensive analysis of backdoor attack dynamics during model training, revealing that poisoned samples form isolated clusters in latent space early on, with triggers acting as dominant features distinct from benign ones. Leveraging these insights, we propose Cluster Segregation Concealment (CSC), a novel poison suppression defense. CSC first trains a deep neural network via standard supervised learning while segregating poisoned samples through feature extraction from early epochs, DBSCAN clustering, and identification of anomalous clusters based on class diversity and density metrics. In the concealment stage, identified poisoned samples are relabeled to a virtual class, and the model's classifier is fine-tuned using cross-entropy loss to replace the backdoor association with a benign virtual linkage, preserving overall accuracy. CSC was evaluated on four benchmark datasets against twelve poisoning-based attacks, CSC outperforms nine state-of-the-art defenses by reducing average attack success rates to near zero with minimal clean accuracy loss. Contributions include robust backdoor patterns identification, an effective concealment mechanism, and superior empirical validation, advancing trustworthy artificial intelligence.

Chen Gao, Chi Liu, Zhengquan Luo et al.

Large language models (LLMs) are increasingly applied in computer science education for tasks such as tutoring, content generation, and code assessment. However, systematic evaluations aligned with formal curricula and certification standards remain limited. This study benchmarked four recent models, including GPT-5, DeepSeek-R1, Qwen-Plus, and Llama-3.3-70B-Instruct, using a dataset of 1,068 questions derived from six certification exams covering networking, office applications, and Java programming. We evaluated performance across language (Chinese vs. English), cognitive levels based on Bloom's Taxonomy, domain knowledge, confidence-accuracy alignment, and robustness to input masking. Results showed that GPT-5 performed best on English-language certifications, while Qwen-Plus performed better in Chinese contexts. DeepSeek-R1 achieved the most balanced cross-lingual performance, whereas Llama-3.3 showed clear limitations in higher-order reasoning and robustness. All models performed worse on more complex tasks. These findings provide empirical support for the integration of LLMs into computer science education and offer practical implications for curriculum design and assessment.

Jialiang Shen, Jiyang Zheng, Yunqi Xue et al.

With growing concerns over image authenticity and digital safety, the field of AI-generated image (AIGI) detection has progressed rapidly. Yet, most AIGI detectors still struggle under real-world degradations, particularly motion blur, which frequently occurs in handheld photography, fast motion, and compressed video. Such blur distorts fine textures and suppresses high-frequency artifacts, causing severe performance drops in real-world settings. We address this limitation with a blur-robust AIGI detection framework based on teacher-student knowledge distillation. A high-capacity teacher (DINOv3), trained on clean (i.e., sharp) images, provides stable and semantically rich representations that serve as a reference for learning. By freezing the teacher to maintain its generalization ability, we distill its feature and logit responses from sharp images to a student trained on blurred counterparts, enabling the student to produce consistent representations under motion degradation. Extensive experiments benchmarks show that our method achieves state-of-the-art performance under both motion-blurred and clean conditions, demonstrating improved generalization and real-world applicability. Source codes will be released at: https://github.com/JiaLiangShen/Dino-Detect-for-blur-robust-AIGC-Detection.

Huajie Chen, Tianqing Zhu, Hailin Yang et al.

Watermarking has emerged as a key defense against the misuse of machine-generated images (MGIs). Yet the robustness of these protections remains underexplored. To reveal the limits of SOTA proactive image watermarking defenses, we propose HIDE&SEEK (HS), a suite of versatile and cost-effective attacks that reliably remove embedded watermarks while preserving high visual fidelity.

Huajie Chen, Tianqing Zhu, Yuchen Zhong et al.

Dataset distillation compresses a large real dataset into a small synthetic one, enabling models trained on the synthetic data to achieve performance comparable to those trained on the real data. Although synthetic datasets are assumed to be privacy-preserving, we show that existing distillation methods can cause severe privacy leakage because synthetic datasets implicitly encode the weight trajectories of the distilled model, they become over-informative and exploitable by adversaries. To expose this risk, we introduce the Information Revelation Attack (IRA) against state-of-the-art distillation techniques. Experiments show that IRA accurately predicts both the distillation algorithm and model architecture, and can successfully infer membership and recover sensitive samples from the real dataset.

Yizhe Xie, Congcong Zhu, Xinyue Zhang et al.

Large Language Model-based Multi-Agent Systems (LLM-MAS) are increasingly applied to complex collaborative scenarios. However, their collaborative mechanisms may cause minor inaccuracies to gradually solidify into system-level false consensus through iteration. Such risks are difficult to trace since errors can propagate and amplify through message dependencies. Existing protections often rely on single-agent validation or require modifications to the collaboration architecture, which can weaken effective information flow and may not align with natural collaboration processes in real tasks. To address this, we propose a propagation dynamics model tailored for LLM-MAS that abstracts collaboration as a directed dependency graph and provides an early-stage risk criterion to characterize amplification risk. Through experiments on six mainstream frameworks, we identify three vulnerability classes: cascade amplification, topological sensitivity, and consensus inertia. We further instantiate an attack where injecting just a single atomic error seed leads to widespread failure. In response, we introduce a genealogy-graph-based governance layer, implemented as a message-layer plugin, that suppresses both endogenous and exogenous error amplification without altering the collaboration architecture. Experiments show that this approach raises the defense success rate from a baseline of 0.32 to over 0.89 and significantly mitigates the cascading spread of minor errors.

Yuchen Shi, Huajie Chen, Heng Xu et al.

Transfer learning is devised to leverage knowledge from pre-trained models to solve new tasks with limited data and computational resources. Meanwhile, dataset distillation has emerged to synthesize a compact dataset that preserves critical information from the original large dataset. Therefore, a combination of transfer learning and dataset distillation offers promising performance in evaluations. However, a non-negligible security threat remains undiscovered in transfer learning using synthetic datasets generated by dataset distillation methods, where an adversary can perform a model hijacking attack with only a few poisoned samples in the synthetic dataset. To reveal this threat, we propose Osmosis Distillation (OD) attack, a novel model hijacking strategy that targets deep learning models using the fewest samples. Comprehensive evaluations on various datasets demonstrate that the OD attack attains high attack success rates in hidden tasks while preserving high model utility in original tasks. Furthermore, the distilled osmosis set enables model hijacking across diverse model architectures, allowing model hijacking in transfer learning with considerable attack performance and model utility. We argue that awareness of using third-party synthetic datasets in transfer learning must be raised.

Zehui Dai, Cheng Peng, Huajie Chen et al.

(T)ACSA tasks, including aspect-category sentiment analysis (ACSA) and targeted aspect-category sentiment analysis (TACSA), aims at identifying sentiment polarity on predefined categories. Incremental learning on new categories is necessary for (T)ACSA real applications. Though current multi-task learning models achieve good performance in (T)ACSA tasks, they suffer from catastrophic forgetting problems in (T)ACSA incremental learning tasks. In this paper, to make multi-task learning feasible for incremental learning, we proposed Category Name Embedding network (CNE-net). We set both encoder and decoder shared among all categories to weaken the catastrophic forgetting problem. Besides the origin input sentence, we applied another input feature, i.e., category name, for task discrimination. Our model achieved state-of-the-art on two (T)ACSA benchmark datasets. Furthermore, we proposed a dataset for (T)ACSA incremental learning and achieved the best performance compared with other strong baselines.

Huajie Chen, Deng Cai, Wei Dai et al.

Judgment prediction for legal cases has attracted much research efforts for its practice use, of which the ultimate goal is prison term prediction. While existing work merely predicts the total prison term, in reality a defendant is often charged with multiple crimes. In this paper, we argue that charge-based prison term prediction (CPTP) not only better fits realistic needs, but also makes the total prison term prediction more accurate and interpretable. We collect the first large-scale structured data for CPTP and evaluate several competitive baselines. Based on the observation that fine-grained feature selection is the key to achieving good performance, we propose the Deep Gating Network (DGN) for charge-specific feature selection and aggregation. Experiments show that DGN achieves the state-of-the-art performance.

Huajie Chen, Faizan Q. Nazar, Christoph Ortner

We develop a rigorous framework for modelling the geometry equilibration of crystalline defects. We formulate the equilibration of crystal defects as a variational problems on a discrete energy space and establish qualitatively sharp far-field decay estimates for the equilibrium configuration. This work extends Ehrlacher, Ortner, Shapeev (2016) by admitting infinite-range interaction which in particular includes some quantum chemistry based interatomic potentials.

Huajie Chen, Jianfeng Lu, Christoph Ortner

We consider a tight binding model for localised crystalline defects with electrons in the canonical ensemble (finite electronic temperature) and nuclei positions relaxed according to the Born--Oppenheimer approximation. We prove that the limit model as the computational domain size grows to infinity is formulated in the grand-canonical ensemble for the electrons. The Fermi-level for the limit model is fixed at a homogeneous crystal level, independent of the defect or electron number in the sequence of finite-domain approximations. We quantify the rates of convergence for the nuclei configuration and for the Fermi-level.

Huajie Chen, Christoph Ortner

QM/MM hybrid methods employ accurate quantum (QM) models only in regions of interest (defects) and switch to computationally cheaper interatomic potential (MM) models to describe the crystalline bulk. We develop two QM/MM hybrid methods for crystalline defect simulations, an energy-based and a force-based formulation, employing a tight binding QM model. Both methods build on two principles: (i) locality of the QM model; and (ii) constructing the MM model as an explicit and controllable approximation of the QM model. This approach enables us to establish explicit convergence rates in terms of the size of QM region.

Huajie Chen, Gero Friesecke

The exact interaction energy of a many-electron system is determined by the electron pair density, which is not well-approximated in standard Kohn-Sham density functional models. Here we study the (complicated but well-defined) exact universal map from density to pair density. We survey how many common functionals, including the most basic version of the LDA (Dirac exchange with no correlation contribution), arise from particular approximations of this map. We develop an algorithm to compute the map numerically, and apply it to one-parameter families {a*rho(a*x)} of one-dimensional homogeneous and inhomogeneous single-particle densities. We observe that the pair density develops remarkable multiscale patterns which strongly depend on both the particle number and the "width" 1/a of the single-particle density. The simulation results are confirmed by rigorous asymptotic results in the limiting regimes a>>1 and a<<1. For one-dimensional homogeneous systems, we show that the whole spectrum of patterns is reproduced surprisingly well by a simple asymptotics-based ansatz which slowly smoothens out the "strictly correlated" a=0 pair density while slowly turning on the a=infty "exchange" terms as a increases. Our findings lend theoretical support to the celebrated semi-empirical idea [Becke93] to mix in a fractional amount of exchange, albeit not to assuming the mixing to be additive and taking the fraction to be a system independent constant.

Huajie Chen, Christoph Ortner

The tight binding model is a minimal electronic structure model for molecular modelling and simulation. We show that the total energy in this model can be decomposed into site energies, that is, into contributions from each atomic site whose influence on their environment decays exponentially. This result lays the foundation for a rigorous analysis of QM/MM coupling schemes.