Zhenhua Xu

Zhenhua Xu

Zhejiang University

×

I am Zhenhua Xu, a second‑year M.S. student (since Sep. 2024) in the College of Software at Zhejiang University, affiliated with the Intelligence Fusion Research Center (IFRC) and advised by Meng Han. My research interests center on copyright protection for large language models, including model watermarking and fingerprinting, as well as broader topics in AI security (e.g., risks in agentic systems). After joining Tencent YouTu Lab as an intern, my research scope expanded to improving general-purpose role-playing capability in base models via post-training (SFT, RLHF, etc.). During my first year of graduate study, I coauthored several publications across conferences and journals with outstanding collaborators, including interns in our group, and I look forward to collaborating with more researchers. If you are interested in my work, please contact me at xuzhenhua0326@zju.edu.cn.
Chinese Bio (click to expand)
Hi~我是徐振华,浙江大学软件学院科研练习长达“一年半”的研二选手(2024级)!,隶属于浙江大学数智融合研究中心实验室,导师为 韩蒙 老师。 我的研究方向主要为大模型版权保护(模型水印与模型指纹),以及在此之上的更广泛的人工智能安全议题(如智能体系统的安全风险等)。 在加入腾讯优图实验室实习后,研究方向进一步扩展到通用大模型的角色扮演,以及在此基础上的后训练(SFT、RLHF 等)。 在硕士第一年,我与多位优秀同学(包含组内实习生)合作,在多个国际会议与期刊发表了若干成果,并期待与更多研究者开展合作。 如对我的工作感兴趣,欢迎邮件联系:xuzhenhua0326@zju.edu.cn
🔥

News

2026.04 🎉 Four papers accepted by ACL 2026 · 1 Main, 3 Findings
2026.01 🎉 Three papers accepted by ICASSP 2026
2025.08 🎉 Four papers accepted by EMNLP 2025 · 2 Main, 2 Findings
2025.08 🎉 One paper accepted by SCIENTIA SINICA Informationis
2025.05 🎉 One paper accepted by ACL 2025 Main Conference

🚀Projects

📝Publications

Conference Papers

MEraser: An Effective Fingerprint Erasure Approach for Large Language Models

ACL 2025 MainCCF-ACodeBibJingxuan Zhang and Zhenhua Xu (co-first authors), Rui Hu, Wenpeng Xing, Xuhong Zhang, Meng Han

We propose MEraser, a two-phase fine-tuning method that erases backdoor-based fingerprints from LLMs while preserving utility, transferring across models with minimal data and no repeated training. 

@inproceedings{zhangMEraserEffectiveFingerprint2025,
  title = {{{MEraser}}: {{An Effective Fingerprint Erasure Approach}} for {{Large Language Models}}},
  booktitle = {Proceedings of the 63rd {{Annual Meeting}} of the {{Association}} for {{Computational Linguistics}} ({{Volume}} 1: {{Long Papers}})},
  author = {Zhang, Jingxuan and Xu, Zhenhua and Hu, Rui and Xing, Wenpeng and Zhang, Xuhong and Han, Meng},
  editor = {Che, Wanxiang and Nabende, Joyce and Shutova, Ekaterina and Pilehvar, Mohammad Taher},
  year = 2025,
  pages = {30136--30153},
  publisher = {Association for Computational Linguistics},
  address = {Vienna, Austria},
  doi = {10.18653/v1/2025.acl-long.1455},
  urldate = {2025-11-14},
  isbn = {979-8-89176-251-0}
}

EverTracer: Hunting Stolen Large Language Models via Stealthy and Robust Probabilistic Fingerprint

EMNLP 2025 MainCCF-BCodeBibZhenhua Xu, Meng Han, Wenpeng Xing

We propose EverTracer, a gray-box probabilistic fingerprint that leverages calibrated probability shifts from MIA-style memorization to enable stealthy, robust provenance tracing against input and model-level modifications. 

@inproceedings{xuEverTracerHuntingStolen2025,
  title = {{{EverTracer}}: {{Hunting Stolen Large Language Models}} via {{Stealthy}} and {{Robust Probabilistic Fingerprint}}},
  booktitle = {Proceedings of the 2025 {{Conference}} on {{Empirical Methods}} in {{Natural Language Processing}}},
  author = {Xu, Zhenhua and Han, Meng and Xing, Wenpeng},
  editor = {Christodoulopoulos, Christos and Chakraborty, Tanmoy and Rose, Carolyn and Peng, Violet},
  year = 2025,
  pages = {7019--7042},
  publisher = {Association for Computational Linguistics},
  address = {Suzhou, China},
  doi = {10.18653/v1/2025.emnlp-main.358},
  urldate = {2025-11-14},
  isbn = {979-8-89176-332-6}
}

CTCC: A Robust and Stealthy Fingerprinting Framework for Large Language Models via Cross-Turn Contextual Correlation Backdoor

EMNLP 2025 MainCCF-BCodeBibZhenhua Xu, Xixiang Zhao, Xubin Yue, shengwei tian, Changting Lin, Meng Han

We propose CTCC, a rule-driven fingerprint that encodes cross-turn contextual correlations in dialogue to achieve black-box verification with higher stealth and robustness and reduced false positives. 

@inproceedings{xuCTCCRobustStealthy2025,
  title = {{{CTCC}}: {{A Robust}} and {{Stealthy Fingerprinting Framework}} for {{Large Language Models}} via {{Cross-Turn Contextual Correlation Backdoor}}},
  booktitle = {Proceedings of the 2025 {{Conference}} on {{Empirical Methods}} in {{Natural Language Processing}}},
  author = {Xu, Zhenhua and Zhao, Xixiang and Yue, Xubin and Tian, Shengwei and Lin, Changting and Han, Meng},
  editor = {Christodoulopoulos, Christos and Chakraborty, Tanmoy and Rose, Carolyn and Peng, Violet},
  year = 2025,
  pages = {6978--7000},
  publisher = {Association for Computational Linguistics},
  address = {Suzhou, China},
  doi = {10.18653/v1/2025.emnlp-main.356},
  urldate = {2025-11-14},
  isbn = {979-8-89176-332-6}
}

Unlocking the Effectiveness of LoRA-FP for Seamless Transfer Implantation of Fingerprints in Downstream Models

EMNLP 2025 FindingsCCF-BCodeBibZhenhua Xu, Zhaokun Yan, Binhan Xu, Xin Tong, Haitao Xu, Yourong Chen, Meng Han

We propose LoRA-FP, a plug-and-play approach that encodes backdoor fingerprints into LoRA adapters and transfers them to downstream models via parameter fusion, enabling low-cost, robust, and contamination-free fingerprinting. 

@inproceedings{xuUnlockingEffectivenessLoRAFP2025,
  title = {Unlocking the {{Effectiveness}} of {{LoRA-FP}} for {{Seamless Transfer Implantation}} of {{Fingerprints}} in {{Downstream Models}}},
  booktitle = {Findings of the {{Association}} for {{Computational Linguistics}}: {{EMNLP}} 2025},
  author = {Xu, Zhenhua and Yan, Zhaokun and Xu, Binhan and Tong, Xin and Xu, Haitao and Chen, Yourong and Han, Meng},
  editor = {Christodoulopoulos, Christos and Chakraborty, Tanmoy and Rose, Carolyn and Peng, Violet},
  year = 2025,
  pages = {4302--4312},
  publisher = {Association for Computational Linguistics},
  address = {Suzhou, China},
  doi = {10.18653/v1/2025.findings-emnlp.230},
  urldate = {2025-11-14},
  isbn = {979-8-89176-335-7}
}

PREE: Towards Harmless and Adaptive Fingerprint Editing in Large Language Models via Knowledge Prefix Enhancement

EMNLP 2025 FindingsCCF-BBibXubin Yue and Zhenhua Xu (co-first authors), Wenpeng Xing, Jiahui Yu, Mohan Li, Meng Han

We propose PREE, a prefix-enhanced fingerprint editing framework that embeds copyright information as minimal parameter offsets via dual-channel knowledge editing, delivering high trigger precision and strong robustness under incremental fine-tuning and defenses. 

@inproceedings{yuePREEHarmlessAdaptive2025,
  title = {{{PREE}}: {{Towards Harmless}} and {{Adaptive Fingerprint Editing}} in {{Large Language Models}} via {{Knowledge Prefix Enhancement}}},
  booktitle = {Findings of the {{Association}} for {{Computational Linguistics}}: {{EMNLP}} 2025},
  author = {Yue, Xubin and Xu, Zhenhua and Xing, Wenpeng and Yu, Jiahui and Li, Mohan and Han, Meng},
  editor = {Christodoulopoulos, Christos and Chakraborty, Tanmoy and Rose, Carolyn and Peng, Violet},
  year = 2025,
  pages = {3794--3804},
  publisher = {Association for Computational Linguistics},
  address = {Suzhou, China},
  doi = {10.18653/v1/2025.findings-emnlp.204},
  urldate = {2025-11-14},
  isbn = {979-8-89176-335-7}
}

DNF: Dual-Layer Nested Fingerprinting for Large Language Model Intellectual Property Protection

ICASSP 2026CCF-BBibZhenhua Xu, Yiran Zhao, Mengting Zhong, Dezhang Kong, Changting Lin, Tong Qiao, Meng Han

We propose DNF, a dual-layer nested fingerprinting framework that couples domain-specific stylistic cues with implicit semantic triggers to embed hierarchical backdoor-based fingerprints into large language models, enabling black-box ownership verification with enhanced stealth and resilience to detection and filtering. 

@misc{xu2026dnfduallayernestedfingerprinting,
      title={DNF: Dual-Layer Nested Fingerprinting for Large Language Model Intellectual Property Protection},
      author={Zhenhua Xu and Yiran Zhao and Mengting Zhong and Dezhang Kong and Changting Lin and Tong Qiao and Meng Han},
      year={2026},
      eprint={2601.08223},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2601.08223}, 
}

ForgetMark: Stealthy Fingerprint Embedding via Targeted Unlearning in Language Models

ICASSP 2026CCF-BCodeBibZhenhua Xu, Haobo Zhang, Zhebo Wang, Qichen Liu, Haitao Xu, Wenpeng Xing, Meng Han

We propose ForgetMark, a targeted unlearning–based fingerprint that encodes model ownership via probabilistic forgetting traces, enabling stealthy and robust black-/gray-box verification with minimal performance impact and low false positives. 

@misc{xu2026forgetmarkstealthyfingerprintembedding,
      title={ForgetMark: Stealthy Fingerprint Embedding via Targeted Unlearning in Language Models},
      author={Zhenhua Xu and Haobo Zhang and Zhebo Wang and Qichen Liu and Haitao Xu and Wenpeng Xing and Meng Han},
      year={2026},
      eprint={2601.08189},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2601.08189}, 
}

KinGuard: Hierarchical Kinship-Aware Fingerprinting to Defend Against Large Language Model Stealing

ICASSP 2026CCF-BBibZhenhua Xu, Xiaoning Tian, Wenjun Zeng, Wenpeng Xing, Tianliang Lu, Gaolei Li, Chaochao Chen, Meng Han

We propose KinGuard, a hierarchical kinship-aware fingerprinting framework that models derivation relationships among LLM variants to enable fine-grained provenance tracing and robust defense against model stealing attacks. 

@misc{xu2026kinguardhierarchicalkinshipawarefingerprinting,
      title={KinGuard: Hierarchical Kinship-Aware Fingerprinting to Defend Against Large Language Model Stealing}, 
      author={Zhenhua Xu and Xiaoning Tian and Wenjun Zeng and Wenpeng Xing and Tianliang Lu and Gaolei Li and Chaochao Chen and Meng Han},
      year={2026},
      eprint={2601.12986},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2601.12986}, 
}

AdaMARP: An Adaptive Multi-Agent Interaction Framework for General Immersive Role-Playing

ACL 2026 FindingsCCF-AWebsiteZhenhua Xu, Dongsheng Chen, Shuo Wang, Jian Li, Chengjie Wang, Meng Han, Yabiao Wang

We propose an adaptive multi-agent role-playing framework, AdaMARP, featuring an immersive message format that interleaves [Thought], (Action), <Environment>, and Speech, together with an explicit Scene Manager that governs role-playing through discrete actions (init_scene, pick_speaker, switch_scene, add_role, end) accompanied by rationales. To train these capabilities, we construct AdaRPSet for the Actor Model and AdaSMSet for supervising orchestration decisions, and introduce AdaptiveBench for trajectory-level evaluation.

AttnDiff: Attention-based Differential Fingerprinting for Large Language Models

ACL 2026 MainCCF-AHaobo Zhang and Zhenhua Xu (co-first authors), Junxian Li, Shangfeng Sheng, Dezhang Kong, Meng Han

We propose AttnDiff, a data-efficient white-box framework that extracts fingerprints from models via intrinsic information-routing behavior. AttnDiff probes minimally edited prompt pairs that induce controlled semantic conflicts, captures differential attention patterns, summarizes them with compact spectral descriptors, and compares models using CKA.

Web Fraud Attacks Against LLM-Driven Multi-Agent Systems

ACL 2026 FindingsCCF-AGitHubDezhang Kong, Hujin Peng, Yilun Zhang, Lele Zhao, Zhenhua Xu, Shi Lin, Changting Lin, Meng Han (co-corresponding authors: Zhenhua Xu, Meng Han)

We propose Web Fraud Attacks, a novel type of attack manipulating unique structures of web links to deceive MAS. We design 12 representative attack variants that encompass various methods, such as homoglyph deception, sub-directory nesting, and parameter obfuscation.

MalURLBench: A Benchmark Evaluating Agents' Vulnerabilities When Processing Web URLs

ACL 2026 FindingsCCF-AGitHubDezhang Kong, Zhuxi Wu, Shiqi Liu, ZhiCheng Tan, Kuichen Lu, Minghao Li, Qichen Liu, Shengyu Chu, Zhenhua Xu, Xuan Liu, Meng Han (co-corresponding authors: Zhenhua Xu, Meng Han)

We propose MalURLBench, the first benchmark for evaluating LLMs' vulnerabilities to malicious URLs. MalURLBench contains 61,845 attack instances spanning 10 real-world scenarios and 7 categories of real malicious websites.

Journal Papers

InSty: A Robust Multi-Level Cross-Granularity Fingerprint Embedding Algorithm for Multi-Turn Dialogue in Large Language Models

SCIENTIA SINICA InformationisSCI Q1/JCR Q1/CCF-AIF=7.6BibZhenhua Xu, Meng Han, Xubin Yue, Wenpeng Xing

We propose InSty, a novel fingerprinting method for LLMs in multi-turn dialogues that embeds cross-granularity (word- and sentence-level) triggers across turns, enabling robust, stealthy, and high-recall IP protection under black-box settings. 

@article{xuInStyRobustMultilevel2025,
  title = {{{InSty}}: A Robust Multi-Level Cross-Granularity Fingerprint Embedding Algorithm for Multi-Turn Dialogue in Large Language Models},
  author = {Xu, Zhenhua and Han, Meng and Yue, Xubin and Xing, Wenpeng},
  year = 2025,
  journal = {SCIENTIA SINICA Informationis},
  volume = {55},
  number = {8},
  pages = {1906},
  publisher = {Science China Press},
  issn = {1674-7267},
  doi = {10.1360/SSI-2025-0022}
}

Key Preprints

SRAF: Stealthy and Robust Adversarial Fingerprint for Copyright Verification of Large Language Models

BibZhebo Wang and Zhenhua Xu (co-first authors), Maike Li, Wenpeng Xing, Chunqiang Hu, Chen Zhi, Meng Han

@misc{wang2026srafstealthyrobustadversarial,
      title={SRAF: Stealthy and Robust Adversarial Fingerprint for Copyright Verification of Large Language Models},
      author={Zhebo Wang and Zhenhua Xu and Maike Li and Wenpeng Xing and Chunqiang Hu and Chen Zhi and Meng Han},
      year={2026},
      eprint={2505.06304},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2505.06304}, 
}

Copyright Protection for Large Language Models: A Survey of Methods, Challenges, and Trends

★ StarCodeBibZhenhua Xu, Xubin Yue, Zhebo Wang, Qichen Liu, Xixiang Zhao, et al.

Fingerprint Vector: Enabling Scalable and Efficient Model Fingerprint Transfer via Vector Addition

CodeBibZhenhua Xu, Qichen Liu, Zhebo Wang, Wenpeng Xing, Dezhang Kong, Mohan Li, Meng Han

@misc{xu2025fingerprintvectorenablingscalable,
      title={Fingerprint Vector: Enabling Scalable and Efficient Model Fingerprint Transfer via Vector Addition},
      author={Zhenhua Xu and Qichen Liu and Zhebo Wang and Wenpeng Xing and Dezhang Kong and Mohan Li and Meng Han},
      year={2025},
      eprint={2409.08846},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2409.08846}, 
}

A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures

CodeBibDezhang Kong, Shi Lin, Zhenhua Xu, Zhebo Wang, Minghao Li, et al.

@misc{kong2025surveyllmdrivenaiagent,
      title={A Survey of LLM-Driven AI Agent Communication: Protocols, Security Risks, and Defense Countermeasures},
      author={Dezhang Kong and Shi Lin and Zhenhua Xu and Zhebo Wang and Minghao Li and Yufeng Li and Yilun Zhang and Hujin Peng and Xiang Chen and Zeyang Sha and Yuyuan Li and Changting Lin and Xun Wang and Xuan Liu and Ningyu Zhang and Chaochao Chen and Chunming Wu and Muhammad Khurram Khan and Meng Han},
      year={2025},
      eprint={2506.19676},
      archivePrefix={arXiv},
      primaryClass={cs.CR},
      url={https://arxiv.org/abs/2506.19676}, 
}

💻Internships

Tencent YouTu Lab

LLM Algorithm Intern (Research) Shanghai, China

📅 November 2025 - Present

Primary Responsibilities: Conducting research on LLM role-playing to improve character consistency, dialogue fluency, and narrative engagement when models portray custom or specific characters.

Zhejiang University Binjiang Institute and GenTel.io

Research Intern - AI Security Hangzhou, China

📅 July 2024 - October 2025

Primary Responsibilities: Conducting research on large language model security and AI ecosystem governance, focusing on model copyright protection (digital watermarking and model fingerprinting), jailbreak attacks and defenses, adversarial attack strategies, and agent system security risks.

LianLianPay

Java Backend Development Engineer Hangzhou, China

📅 November 2023 - May 2024

Primary Responsibilities: As a backend development engineer, participated in the development and maintenance of the "Account+" payment system. This system is one of the company's core business platforms, primarily responsible for managing merchant partnerships and associated user information, handling financial operations between the company and merchants including account recharge, internal fund transfers, withdrawals, and reconciliation processes.

📖Educations

ZJU

Zhejiang University

College of Software · Master of Software Engineering

📅 September 2024 - June 2027 (Expected) 📊 GPA: 4.27/5.0
🏆 Selected Honors (click to expand)

🥇 Honors and Awards: Outstanding Graduate Student (First Year), Five-Good Graduate Student (First Year)

💰 Scholarships: 2025 National Scholarship (First Year)

ZJUT

Zhejiang University of Technology

Bachelor of Digital Media Technology

📅 September 2020 - June 2024 📊 GPA: 3.84/5.0
🏆 Selected Honors and Notes (click to expand)

🥇 Honors and Awards: Comprehensive Assessment: 100/100 (Ranked 1st in Major), Outstanding Graduate of Zhejiang Province, Outstanding Student Award

💰 Scholarships: Zhejiang Provincial Government Scholarship (Top 5%), First-Class Scholarship for Outstanding Students (Top 2%), First-Class Academic Scholarship

📝 Note: Digital Media Technology is a computer science major covering fundamental courses including Computer Networks, Data Structures, Operating Systems, and Computer Architecture. While the program later specializes in game design, human-computer interaction, and 3D animation programming, my academic focus shifted toward artificial intelligence and software development, leading to my current pursuit in software engineering.