Qiusi Zhan | 詹秋思
I am a Ph.D. student at the University of Illinois Urbana-Champaign (UIUC), advised by Prof. Daniel Kang. Previously, I obtained my master's degree from UIUC, advised by Prof. Heng Ji, and completed my bachelor's degree at Peking University, advised by Prof. Sujian Li.
Email / CV / Google Scholar / Github
▸ Research
My research focuses on developing safe (multimodal) Large Language Models (LLMs) and LLM agents for real-world deployment, with an emphasis on identifying and mitigating safety vulnerabilities. I have studied a wide range of safety risks in LLMs and LLM agents, including fine-tuning vulnerabilities, indirect prompt injection attacks, multimodal RAG knowledge poisoning, and backdoor attacks. On the mitigation side, I have explored reinforcement learning approaches for LLM-based agents to enhance their safety without compromising utility.
SafeSearch: Do Not Trade Safety for Utility in LLM Search Agents
Qiusi Zhan, Angeline Budiman-Chan, Abdelrahman Zayed, Xingzhi Guo, Daniel Kang, Joo-Kyung Kim
arXiv, 2025
We propose SafeSearch, the first safety alignment framework for search agents that enhances safety without compromising utility.
Visual Backdoor Attacks on MLLM Embodied Decision Making via Contrastive Trigger Learning
Qiusi Zhan*, Hyeonjeong Ha*, Rui Yang, Sirui Xu, Hanyang Chen, Liang-Yan Gui, Yu-Xiong Wang, Huan Zhang, Heng Ji, Daniel Kang
Coming soon, 2025
We introduce BEAT, the first framework to demonstrate visual backdoor attacks on multimodal large language model (MLLM) based embodied agents.
Adaptive Attacks Break Defenses Against Indirect Prompt Injection Attacks on LLM Agents
Qiusi Zhan, Richard Fang, Henil Shalin Panchal, Daniel Kang
NAACL Findings, TrustNLP Workshop Spotlight, 2025
We test eight different defenses against Indirect Prompt Injection attacks and demonstrate that all of them are vulnerable to adaptive attacks.
MM-PoisonRAG: Disrupting Multimodal RAG with Local and Global Poisoning Attacks
Hyeonjeong Ha*, Qiusi Zhan*, Jeonghwan Kim, Dimitrios Bralios, Saikrishna Sanniboina, Nanyun Peng, Kai-Wei Chang, Daniel Kang, Heng Ji
arXiv, 2025
We propose MM-PoisonRAG, a novel knowledge poisoning attack framework for multimodal RAG.
INJECAGENT: Benchmarking Indirect Prompt Injections in Tool-Integrated Large Language Model Agents
Qiusi Zhan, Zhixiang Liang, Zifan Ying, Daniel Kang
ACL Findings, 2024
We benchmark indirect prompt injection (IPI) attacks in tool-integrated LLM agents and show that most of the agents are vulnerable to such attacks.
Removing RLHF Protections in GPT-4 via Fine-Tuning
Qiusi Zhan, Richard Fang, Rohan Bindu, Akul Gupta, Tatsunori Hashimoto, Daniel Kang
NAACL, 2024
We demonstrate that fine-tuning GPT-4 with just 340 examples can subvert its RLHF protections, underscoring the critical need for enhanced security measures.
▸ Academic Services
Reviewer for ARR, NeurIPS, and ICLR.
Recognized as “Top Reviewer” at NeurIPS 2025.
University of Illinois Urbana-Champaign, IL
2023.08 - Present
Ph.D. Student in Computer Science
Advisor: Prof. Daniel Kang
University of Illinois Urbana-Champaign, IL
2021.08 - 2022.12
Master's in Electrical and Computer Engineering
Advisor: Prof. Heng Ji
Peking University, China
2017.09 - 2021.07
B.S. in Computer Science
Advisor: Prof. Sujian Li
University of California Santa Barbara, CA
2020.07 - 2020.09
Visiting Research Student
Advisor: Prof. Xifeng Yan
Amazon, WA
2025.05 - 2025.08
Applied Scientist Intern
Mentor: Joo-Kyung Kim
Microsoft, WA
2024.05 - 2024.08
Data Scientist Intern
Mentor: Yu Hu
JD.COM Silicon Valley Research Center, CA
2022.01 - 2022.05
Research Scientist Intern
Mentor: Lingfei Wu
ByteDance, Beijing
2021.04 - 2021.07
Applied Scientist Intern
Mentor: Bo Zhao
This website is based on a template created by Jon Barron.
Last updated: Oct 30, 2025