Skip to content
Sagan
← all library

Daily reading queue

148 items for 2026-05-13 across 2 categories.

Previous
TodayNext

Active sources: 7. Sources represented in this queue: 5. The cron runs daily at 06:00 server time; arxiv RSS is often empty on weekends.

Linked to your results

54
  1. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11311unread

    Couple to Control: Joint Initial Noise Design in Diffusion Models

    Jing Jia, Liyue Shen, Guanyang Wang · 2026-05-13

    The authors argue that diffusion models don't need to start from independent Gaussian noise for each image in a batch — instead, you can "couple" the initial noises (each remains marginally Gaussian, so the model sees the same distribution per sample, but samples are no longer independent). This reframes noise control from picking individual seeds to designing dependence structure across a gallery. Repulsive Gaussian coupling improves gallery diversity on SD1.5, SDXL, and SD3 without adding sampling cost, matching or outperforming recent noise-optimization baselines. **Main takeaways:** - Standard diffusion generation uses independent Gaussian noise per sample, but this is just one choice — you can design coupled noise with chosen dependence structure. - Each noise remains marginally standard Gaussian, so pretrained models see the same single-sample input distribution. - Repulsive coupling (samples push away from each other) improves gallery diversity while preserving prompt alignment and image quality. - Matches or beats recent noise-optimization baselines on diversity metrics at the same sampling cost as independent generation. - Subspace couplings enable fixed-object background generation with diverse, natural backgrounds.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, base, trained, same, baseline, space, compare. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11311v1 Announce Type: cross Abstract: Diffusion models typically generate image batches from independent Gaussian initial noises. We argue that this independence assumption is only one choice within a broader class of valid joint noise designs. Instead, one can specify a coupling of the initial noises: each noise remains marginally standard Gaussian, so the pretrained diffusion model receives the same single-sample input distribution, while the dependence across samples is chosen by design. This reframes initial-noise control from selecting or optimizing individual seeds to designing the dependence structure of a multi-sample gallery. This view gives a general framework for initial-noise design, covering several existing methods as special cases and leading naturally to new coupled-noise constructions. Coupled noise can improve generation on its own without adding sampling cost, and it is flexible enough to serve as a structured initialization for optimization-based pipelines when additional computation is available. Empirically, repulsive Gaussian coupling improves gallery diversity on SD1.5, SDXL, and SD3 while largely preserving prompt alignment and image quality. It matches or outperforms recent test-time noise-optimization baselines on several diversity metrics at the same sampling cost as independent generation. Subspace couplings also support fixed-object background generation, producing diverse, natural backgrounds compared with specialized inpainting baselines, with a tunable trade-off in foreground fidelity.

  2. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11239unread

    Extending Kernel Trick to Influence Functions

    Zhenhuan Sun, Shahrokh Valaee · 2026-05-13

    The authors present a "dual representation" of influence functions where computational complexity scales with dataset size rather than model size, making it efficient when models are large relative to datasets. This alternative can estimate how removing a data point changes parameters, outputs, or loss, but is limited to "linearizable models" (models whose behavior can be approximated by their linearization throughout training) and requires materializing a matrix whose size grows with output dimension times dataset size. **Main takeaways:** - Standard influence functions scale with model size; the dual representation scales with dataset size instead. - Efficient alternative when model size is large relative to dataset size. - Can estimate changes in parameters, outputs, and loss due to data point removal. - Only works for linearizable models (models approximable by their linearization during training). - Requires materializing a matrix of size (output dimension × dataset size), which can be a memory bottleneck.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: output, eval, both, space, outputs, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11239v1 Announce Type: cross Abstract: In this paper, we present a dual representation of the influence functions, whose computational complexity scales with dataset size rather than model size. Both analytically and experimentally, we show that this representation can be an efficient alternative to the original influence functions for estimating changes in parameters, model outputs and loss due to data point removal, when model size is large relative to dataset size, or when evaluating the original influence functions in parameter space is infeasible. The dual representation, however, is limited to linearizable models, which are models whose behavior can be approximated by their linearizations throughout training, and requires materializing a matrix, whose size grows with the product of model output dimension and dataset size.

  3. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11181unread

    Muon is Not That Special: Random or Inverted Spectra Work Just as Well

    Zakhar Shumaylov, Natha\"el Da Costa, Peter Zaika, B\'alint Mucs\'anyi, Alex Massucco, Yoav Gelberg, Carola-Bibiane Sch\"onlieb, Yarin Gal, Philipp Hennig · 2026-05-13

    The authors challenge the geometric narrative behind the Muon optimizer by showing that precise geometric structure isn't what drives performance. They introduce Freon (based on Schatten quasi-norms) and Kaon (which replaces singular values with random noise), both matching Muon's performance despite lacking coherent geometry. Their analysis reveals that optimizer performance is controlled by two local quantities — alignment and descent potential — rather than global geometric structure, suggesting Muon succeeds by guaranteeing step-size optimality, not by tracking ideal geometry. **Main takeaways:** - Freon interpolates between SGD and Muon using Schatten quasi-norms; best GPT-2 parameters lie in the quasi-norm regime, which can't be represented by any unitarily invariant LMO. - Kaon replaces singular values with random noise yet matches Muon's performance, proving precise geometry isn't necessary. - Optimizer performance is controlled by two local quantities: alignment and descent potential, not global geometric structure. - Muon succeeds by guaranteeing step-size optimality around these local quantities, not by tracking ideal global geometry. - Both Freon and Kaon retain classical convergence guarantees despite their unusual constructions.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, latin, eval, base, predict, factor. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11181v1 Announce Type: cross Abstract: The recent empirical success of the Muon optimizer has renewed interest in non-Euclidean optimization, typically justified by similarities with second-order methods, and linear minimization oracle (LMO) theory. In this paper, we challenge this geometric narrative through three contributions, demonstrating that precise geometric structure is not the key factor affecting optimization performance. First, we introduce Freon, a family of optimizers based on Schatten (quasi-)norms, powered by a novel, provably optimal QDWH-based iterative approximation. Freon naturally interpolates between SGD and Muon, while smoothly extrapolating into the quasi-norm regime. Empirically, the best-performing Schatten parameters for GPT-2 lie strictly within the quasi-norm regime, and thus cannot be represented by any unitarily invariant LMO. Second, noting that Freon performs well across a wide range of exponents, we introduce Kaon, an absurd optimizer that replaces singular values with random noise. Despite lacking any coherent geometric structure, Kaon matches Muon's performance and retains classical convergence guarantees, proving that strict adherence to a precise geometry is practically irrelevant. Third, having shown that geometry is not the primary driver of performance, we demonstrate it is instead controlled by two local quantities: alignment and descent potential. Ultimately, each optimizer must tune its step size around these two quantities. While their dynamics are difficult to predict a-priori, evaluating them within a stochastic random feature model yields a precise insight: Muon succeeds not by tracking an ideal global geometry, but by guaranteeing step-size optimality.

  4. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11168unread

    Variational predictive resampling

    Laura Battaglia, Stefano Cortinovis, Chris Holmes, David T. Frazier, Jack Jewson · 2026-05-13

    The authors develop a method to improve Bayesian posterior sampling by combining variational inference (VI) with a resampling trick. Standard VI methods like mean-field approximations are fast but often produce overly confident, under-dispersed posteriors that miss correlations between parameters. Their variational predictive resampling (VPR) approach works by repeatedly generating fake future data from the current variational approximation, updating the approximation given this synthetic data, and recording the implied parameter values — essentially building better posterior samples from VI's predictive strength without expensive MCMC. **Main takeaways:** - Mean-field VI is computationally cheap but often yields overly narrow posteriors that miss parameter dependencies - VPR repeatedly imputes synthetic observations from the predictive distribution, updates the variational approximation, and collects the resulting parameters - In a tractable Gaussian example, VPR recovers the exact Bayesian posterior while standard mean-field VI retains a permanent error - Experiments on regression and hierarchical models show VPR captures posterior uncertainty and correlations that mean-field misses, at computational cost similar to or better than MCMC

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: rate, under, predict, where. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11168v1 Announce Type: cross Abstract: Bayesian inference provides principled uncertainty quantification, but accurate posterior sampling with MCMC can be computationally prohibitive for modern applications. Variational inference (VI) offers a scalable alternative and often yields accurate predictive distributions, but cheap variational families such as mean-field (MF) can produce over-concentrated approximations that miss posterior dependence. We propose variational predictive resampling (VPR), a scalable posterior sampling method that exploits VI's predictive strength within a predictive-resampling framework to better approximate the Bayesian posterior. Given a prior--likelihood pair, VPR repeatedly imputes future observations from the current variational predictive, updates the variational approximation after each imputation, and records the parameter value implied by the completed sample. We establish conditions under which the law of the parameter returned by VPR is well defined and show that its finite-horizon approximation converges to this limit.In a tractable Gaussian location model, we show that VPR with MF variational predictives converges to the exact Bayesian posterior, whereas the optimal MF-VI approximation retains a non-vanishing asymptotic gap. Experiments on linear regression, logistic regression, and hierarchical linear mixed-effects models demonstrate that VPR substantially improves posterior uncertainty quantification and recovers posterior dependence missed by MF-VI, while remaining computationally competitive with, and often more efficient than, MCMC.

  5. score 100arxiv stat.ML (Machine Learning)arxiv:2605.02453unread

    Testing General Relativity Through Gravitational Wave Classification: A Convolutional Neural Network Framework

    Lavinia Heisenberg, Shayan Hemmatyar, Hector Villarrubia-Rojo · 2026-05-13

    The authors use convolutional neural networks to classify gravitational wave signals as either consistent with general relativity (GR) or deviating from it, as a test of Einstein's theory. They train on 173 real black-hole merger events, generating GR waveforms and creating modified beyond-GR variants by adding controlled phase deformations. A key finding is that feeding the CNN a "response function" observable (derived from waveform mismatch, isolating the effect of phase deviations) improves classification sensitivity 33-fold compared to using raw whitened waveforms — showing the input representation matters as much as the network architecture. **Main takeaways:** - CNNs can classify gravitational waves as GR-consistent vs. modified-gravity, trained on realistic black-hole merger data - Using a response function (an observable isolating phase deviations from the bulk signal) as CNN input boosts sensitivity ~33× vs. raw waveforms - The choice of observable representation is as important as the classifier design itself - Applied to massive gravity theory, the classifier detects deviations for graviton masses around 10^-23 eV/c² with current detector sensitivity

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, source, where, factor, compare. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.02453v1 Announce Type: cross Abstract: We present a machine learning framework for testing general relativity (GR) with gravitational wave signals from binary black hole mergers. Using the source parameters of 173 BBH events from the GWTC catalog as a realistic astrophysical population, we generate simulated GR waveforms and construct beyond GR (BGR) waveforms by applying controlled phase deformations. We introduce a response function formalism that provides a systematic framework for quantifying how any observable responds to modifications of GR. We train convolutional neural networks (CNNs) on two input representations: whitened waveforms and a response function type observable derived from the waveform mismatch, which isolates the effect of phase deviations from the bulk signal. Using response functions as the CNN input improves the classification sensitivity by a factor of approximately 33 compared to whitened waveforms, demonstrating that the choice of observable representation is as important as the classifier architecture. We study the fundamental limits of this classification through Bayes optimal error analysis, averaging methods that reveal coherent patterns hidden in noise, and a comparison between CNN accuracy and a single feature classifier as a proxy for human performance. At all deformation scales, the CNN outperforms the best single feature approach. We extend the framework to physically motivated theories using the parameterized post Einsteinian (ppE) formalism and apply it to massive gravity, where the classifier detects deviations for graviton masses of order $m_g \sim 10^{-23}\;\mathrm{eV}/c^2$ with aLIGO design sensitivity.

  6. score 100arxiv stat.ML (Machine Learning)arxiv:2605.12341unread

    Multi-Variable Conformal Prediction: Optimizing Prediction Sets without Data Splitting

    Laura L\"utzow, Simone Garatti, Marco C. Campi, Lars Lindemann, Matthias Althoff · 2026-05-13

    Standard conformal prediction calibrates a single threshold to guarantee coverage, but this forces you to pick the shape of your prediction sets (e.g., ellipses) before calibration, typically requiring data splitting. The authors introduce multi-variable conformal prediction (MCP), which uses vector-valued score functions with multiple calibration variables, unifying shape design and calibration into one optimization problem without splitting data. They propose two variants: RemMCP (based on constraint removal, a clean generalization of split conformal) and RelMCP (handles non-convex scores via constraint relaxation). Both methods maintain finite-sample coverage guarantees while producing smaller, less variable prediction sets than split conformal. **Main takeaways:** - Classical conformal prediction is limited to a single threshold and scalar scores, forcing prediction set shapes to be fixed before calibration - MCP extends to vector scores and multiple calibration variables, jointly optimizing shape and calibration without data splitting - RemMCP uses constrained optimization with constraint removal; RelMCP handles non-convex scores via iterative relaxation - Experiments show MCP achieves target coverage with smaller prediction sets and lower variance across calibration runs than split conformal baselines - The approach uses scenario theory (a framework for certifying data-driven decisions) to maintain finite-sample coverage guarantees

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, trained, baseline, core, predict. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12341v1 Announce Type: new Abstract: Conformal prediction constructs prediction sets with finite-sample coverage guarantees, but its calibration stage is structurally constrained to a scalar score function and a single threshold variable - forcing shapes of prediction sets to be fixed before calibration, typically through data splitting. We introduce multi-variable conformal prediction (MCP), a framework that extends conformal prediction to vector-valued score functions with multiple simultaneous calibration variables. Building on scenario theory as a principled framework for certifying data-driven decisions, MCP unifies prediction set design and calibration into a single optimization problem, eliminating data splitting without sacrificing coverage guarantees. We propose two computationally efficient variants: RemMCP, grounded in constrained optimization with constraint removal, which admits a clean generalization of split conformal prediction; and RelMCP, based on iterative optimization with constraint relaxation, which supports non-convex score functions at the cost of possibly greater conservatism. Through numerical experiments on ellipsoidal and multi-modal prediction sets, we demonstrate that RemMCP and RelMCP consistently meet the target coverage with prediction set sizes smaller than or comparable to those of baselines with data split, while considerably reducing variance across calibration runs - a direct consequence of using all available data for shape optimization and calibration simultaneously.

  7. score 100arxiv stat.ML (Machine Learning)arxiv:2605.12340unread

    Online Learning-to-Defer with Varying Experts

    Dang Hoang Duy, Yannis Montreuil, Maxime Meyer, Axel Carlier, Lai Xing Ng, Wei Tsang Ooi · 2026-05-13

    Learning-to-Defer (L2D) systems decide whether to have a model answer a query or defer to a human expert. Prior work assumes a fixed batch setting with known experts, but real deployments face streaming data and changing expert availability. The authors introduce the first online L2D algorithm for multiclass classification with bandit feedback (you only see outcomes for the chosen option) and a time-varying pool of experts. Their method achieves regret bounds that scale with the time horizon, number of labels, and number of distinct experts, with tighter bounds under low-noise conditions. **Main takeaways:** - Existing L2D methods assume batch data and fixed expert availability; real systems need to handle streaming data and experts coming and going - The proposed online algorithm works with bandit feedback (partial observability) and dynamically varying expert pools - Achieves regret guarantees of O((n+n_e)T^(2/3)) in general, O((n+n_e)√T) under low noise (n=labels, n_e=distinct experts, T=time horizon) - The analysis combines novel consistency bounds for the online setting with online convex optimization techniques - Experiments show the approach handles varying expert availability and reliability effectively

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: rate, under, predict, where. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12340v1 Announce Type: new Abstract: Learning-to-Defer (L2D) methods route each query either to a predictive model or to external experts. While existing work studies this problem in batch settings, real-world deployments require handling streaming data, changing expert availability, and shifting expert distribution. We introduce the first online L2D algorithm for multiclass classification with bandit feedback and a dynamically varying pool of experts. Our method achieves regret guarantees of $O((n+n_e)T^{2/3})$ in general and $O((n+n_e)\sqrt{T})$ under a low-noise condition, where $T$ is the time horizon, $n$ is the number of labels, and $n_e$ is the number of distinct experts observed across rounds. The analysis builds on novel $\mathcal{H}$-consistency bounds for the online framework, combined with first-order methods for online convex optimization. Experiments on synthetic and real-world datasets demonstrate that our approach effectively extends standard Learning-to-Defer to settings with varying expert availability and reliability.

  8. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11865unread

    Variance-aware Reward Modeling with Anchor Guidance

    Shuxing Fang, Ruijian Han, Liangyu Zhang, Fan Zhou · 2026-05-13

    The authors tackle reward modeling when human preferences are pluralistic (people disagree). Standard Bradley-Terry models can only capture disagreement by shrinking reward margins, and Gaussian reward models (which predict both mean and variance) are fundamentally non-identifiable from pairwise comparisons alone. They propose augmenting preference data with two coarse "anchor" labels per response (e.g., "good" vs. "bad") to resolve this non-identifiability, prove that two anchors are sufficient, and show both theoretically and empirically that the method improves reward modeling and downstream RLHF (PPO and best-of-N). **Main takeaways:** - Standard Bradley-Terry reward models can't properly represent disagreement—they just shrink reward gaps when preferences are noisy. - Gaussian reward models (predicting mean and variance) are better in principle but suffer from non-identifiability: you can't uniquely recover the variance from pairwise preferences alone. - Adding two anchor labels (coarse quality scores like "good" or "bad") per response resolves the identifiability problem. - The authors prove that two anchors are mathematically sufficient, develop a joint training objective, and establish convergence rates for both mean and variance. - Experiments on four diverging-preference datasets show consistent improvements in reward modeling, PPO training, and best-of-N selection.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: rate, both, predict, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11865v1 Announce Type: new Abstract: Standard Bradley--Terry (BT) reward models are limited when human preferences are pluralistic. Although soft preference labels preserve disagreement information, BT can only express it by shrinking reward margins. Gaussian reward models provide an alternative by jointly predicting a reward mean and a reward variance, but suffer from a fundamental non-identifiability from pairwise preferences alone. We propose Anchor-guided Variance-aware Reward Modeling, a framework that resolves this non-identifiability by augmenting preference data with two coarse response-level anchor labels. Building on this, we prove that two anchors are sufficient for identification, develop a joint training objective and establish a non-asymptotic convergence rate for both the estimated reward mean and variance functions. Across simulation studies and four real-world diverging-preference datasets, our method consistently improves reward modeling performance and downstream RLHF, including PPO training and best-of-$N$ selection.

  9. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11841unread

    Minimax Rates and Spectral Distillation for Tree Ensembles

    Binh Duc Vu, David S. Watson · 2026-05-13

    The authors study tree ensembles (random forests and gradient boosting) from a spectral perspective—looking at the eigenvalues and eigenvectors of the implicit kernel or smoother matrix these methods induce. They derive minimax-optimal convergence rates for random forest regression (showing the rate depends on how fast the kernel's eigenvalues decay) and use the spectral viewpoint to compress ensembles. For random forests, the leading eigenfunctions of the kernel capture the most important predictive directions; for GBMs, the leading singular vectors of the smoother matrix do the same. Training small nonlinear maps on these spectral features yields "distilled" models orders of magnitude smaller than the originals with competitive performance. **Main takeaways:** - Random forests and GBMs can be viewed through their induced kernels or smoother matrices; the eigenvalue decay of these operators governs statistical convergence rates. - Under mild conditions, random forest regression achieves minimax-optimal rates. - Leading eigenfunctions (for RFs) or singular vectors (for GBMs) capture the ensemble's dominant predictive structure. - Training small models on these spectral representations compresses ensembles by orders of magnitude with minimal performance loss. - The method outperforms existing pruning and rule-extraction techniques on real datasets.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, trained, source, under, predict, extraction, compare. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11841v1 Announce Type: new Abstract: Tree ensembles such as random forests (RFs) and gradient boosting machines (GBMs) are among the most widely used supervised learners, yet their theoretical properties remain incompletely understood. We adopt a spectral perspective on these algorithms, with two main contributions. First, we derive minimax-optimal convergence for RF regression, showing that, under mild regularity conditions on tree growth, the eigenvalue decay of the induced kernel operator governs the statistical rate. Second, we exploit this spectral viewpoint to develop compression schemes for tree ensembles. For RFs, leading eigenfunctions of the kernel operator capture the dominant predictive directions; for GBMs, leading singular vectors of the smoother matrix play an analogous role. Learning nonlinear maps for these spectral representations yields distilled models that are orders of magnitude smaller than the originals while maintaining competitive predictive performance. Our methods compare favorably to state of the art algorithms for forest pruning and rule extraction, with applications to resource constrained computing.

  10. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11652unread

    Posterior Contraction Rates for Sparse Kolmogorov-Arnold Networks in Anisotropic Besov Spaces

    Jeunghun Oh, Kyeongwon Lee, Jaeyong Lee, Lizhen Lin · 2026-05-13

    The authors analyze Bayesian Kolmogorov-Arnold Networks (KANs)—architectures that replace standard neural network edges with learnable spline functions—and prove posterior contraction rates (how fast the Bayesian posterior concentrates around the true function) over anisotropic Besov spaces (function spaces where smoothness can vary across dimensions). They show that sparse Bayesian KANs with spike-and-slab priors achieve near-minimax rates, and that by placing a hyperprior on a single model-size parameter, the posterior adapts to unknown smoothness and still gets the optimal rate. Unlike standard MLPs, KANs can keep depth fixed and control complexity via width, spline resolution, and parameter sparsity. **Main takeaways:** - KANs use learnable spline functions on edges instead of fixed activation functions; this paper gives the first rigorous Bayesian statistical analysis of them. - Sparse Bayesian KANs (with spike-and-slab priors on parameters) achieve near-minimax posterior contraction rates over anisotropic Besov spaces (functions with dimension-dependent smoothness). - A hyperprior on a single model-size parameter lets the posterior adapt to unknown smoothness without sacrificing the rate. - Unlike MLPs, KANs can keep depth fixed and control approximation complexity via width, spline-grid range, and sparsity. - The results extend to compositional Besov spaces (functions with layered structure), where rates depend on layer-wise smoothness and effective dimension, avoiding the curse of dimensionality.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under, space, compare. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11652v1 Announce Type: new Abstract: We study posterior contraction rates for sparse Bayesian Kolmogorov-Arnold networks (KANs) over anisotropic Besov spaces, providing a statistical foundation of KANs from a Bayesian point of view. We show that sparse Bayesian KANs equipped with spike-and-slab-type sparsity priors attain the near-minimax posterior contraction. In particular, the contraction rate depends on the intrinsic anisotropic smoothness of the underlying function. Moreover, by placing a hyperprior on a single model-size parameter, the resulting posterior adapts to unknown anisotropic smoothness and still achieves the corresponding near-minimax rate. A distinctive feature of our results, compared with those for standard sparse MLP-based models, is that the KAN depth can be kept fixed: owing to the flexibility of learnable spline edge functions, the required approximation complexity is controlled through the network width, spline-grid range and size, and parameter sparsity. Our analysis develops theoretical tools tailored to sparse spline-edge architectures, including approximation and complexity bounds for Bayesian KANs. We then extend to compositional Besov spaces and show that the contraction rates depend on layerwise smoothness and effective dimension of the underlying compositional structure, thereby effectively avoiding the curse of dimensionality. Together, the developed tools and findings advance the theoretical understanding of Bayesian neural networks and provide rigorous statistical foundations for KANs.

  11. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11638unread

    Learning U-Statistics with Active Inference

    Xiaoning Wang, Yuyang Huo, Liuhua Peng, Changliang Zou · 2026-05-13

    The authors develop an active inference framework for U-statistics (a class of estimators central to many statistical tests) when labels are expensive. Instead of collecting all labels, they selectively query the most informative ones to improve estimation efficiency under a fixed budget while preserving valid statistical inference. The method uses augmented inverse probability weighting to account for the adaptive sampling rule and machine learning predictions, characterizes the optimal sampling rule that minimizes variance, and extends to empirical risk minimization based on U-statistics. **Main takeaways:** - U-statistics (estimators based on averaging over all subsets of data) are fundamental in statistics but often require expensive labels in modern applications. - Active inference selectively queries labels to maximize information gain under a fixed labeling budget. - The method uses augmented inverse probability weighting to incorporate the adaptive sampling rule and ML predictions, ensuring valid inference. - The authors derive the variance-minimizing optimal sampling rule and provide practical sampling strategies. - The framework extends to U-statistic-based empirical risk minimization (e.g., AUC optimization). - Experiments show substantial efficiency gains over baseline methods while maintaining correct coverage.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under, baseline, predict. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11638v1 Announce Type: new Abstract: $U$-statistics play a central role in statistical inference. In many modern applications, however, acquiring the labels required for $U$-statistics is costly. Motivated by recent advances in active inference, we develop an active inference framework for $U$-statistics that selectively queries informative labels to improve estimation efficiency under a fixed labeling budget, while preserving valid statistical inference. Our approach is built on the augmented inverse probability weighting $U$-statistic, which is designed to incorporate the sampling rule and machine learning predictions. We characterize the optimal sampling rule that minimizes its variance and design practical sampling strategies. We further extend the framework to $U$-statistic-based empirical risk minimization. Experiments on real datasets demonstrate substantial gains in estimation efficiency over baseline methods, while maintaining target coverage.

  12. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11394unread

    Spatial Adapter: Structured Spatial Decomposition and Closed-Form Covariance for Frozen Predictors

    Wen-Ting Wang, Wei-Ying Wu, Hao-Yun Huang, Xuan-Chun Wang · 2026-05-13

    The authors designed a plug-in layer (the "Spatial Adapter") that sits on top of any frozen model and learns a compressed spatial summary of the model's prediction errors. The layer represents the residual field using an orthonormal basis plus per-sample scores, learned via mini-batch optimization, and produces a closed-form estimate of how errors are spatially correlated—enabling predictions at new locations with uncertainty estimates. Because the original model stays frozen, this is strictly a post-hoc add-on that doesn't retrain the backbone. **Main takeaways:** - Attaches to any frozen predictor (linear, deep vision, or spatiotemporal) without retraining it, purely to model the leftover errors - Learns a structured low-rank decomposition of residual spatial patterns plus a covariance estimate, so you can predict at unobserved locations and quantify uncertainty - Uses fewer than K(N+T) parameters (K is an upper bound on rank, N is spatial dimension, T is time steps) plus a small residual network - Tested on synthetic data, Weather2K spatial-holdout forecasting, and GWHD patch grids; recovers spatial structure across all backbone types - The effective rank is chosen adaptively by spectral thresholding rather than fixed in advance

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, long, predictor, core, predict, factor, along, does. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11394v1 Announce Type: new Abstract: We present the Spatial Adapter, a parameter-efficient post-hoc layer that equips any frozen first-stage predictor with a structured spatial representation of its residual field and an induced closed-form spatial covariance. The adapter operates as a cascade second stage on residuals, jointly learning a spatially regularized orthonormal basis and per-sample scores via a tractable mini-batch ADMM procedure, without modifying any first-stage parameter. Because the first-stage parameters are frozen, the adapter does not retrain the backbone; its role is to supply a compressed distributional summary of the residual field. Smoothness, sparsity, and orthogonality together turn a generic low-rank factorization into an identifiable spatial representation whose induced residual covariance admits a closed-form low-rank-plus-noise estimator; the effective rank is determined data-adaptively by spectral thresholding, while the nominal rank K is an optimization-side upper bound only. This covariance enables kriging-style spatial prediction at unobserved locations, with plug-in uncertainty quantification as a secondary downstream use. Across synthetic data, Weather2K for spatial-holdout prediction, and GWHD patch grids as a basis-transferability diagnostic, the adapter recovers residual spatial structure when paired with frozen first stages from linear models to deep spatiotemporal and vision backbones; the added representation uses fewer than K(N+T) parameters alongside a compact residual-trend network.

  13. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11191unread

    Adaptive Policy Learning Under Unknown Network Interference

    Aidan Gleich, Eric Laber, Alexander Volfovsky · 2026-05-13

    The authors tackle adaptive experimentation when units influence each other through an unknown social network: you want to simultaneously learn *who* affects *whom* and allocate treatments to maximize cumulative reward. They propose a Thompson sampling algorithm with a Gibbs sampler that jointly infers the interference graph and picks individual-level treatment assignments, returning both an optimized policy and an estimate of the network for downstream causal analysis. Theoretical regret bounds are sublinear in time and linear in network size for additive spillover models, and empirically the method beats baselines by more than an order of magnitude. **Main takeaways:** - Existing methods either assume the interference network is fully known or randomize at the cluster level; this learns the network structure on the fly - For additive spillover, proves Bayesian regret √(nT · B log(en/B)) for exact posterior sampling; Gibbs approximation achieves comparable sublinear regret - Also analyzes a general neighborhood-interference variant with explore-then-commit, incurring O(n² log T) graph-discovery cost - Returns both an optimized treatment policy and a network estimate usable for estimating direct, indirect, and total treatment effects - On two real-world networks, achieves sublinear regret and small root-mean-square errors for downstream effect estimates

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under, both, core, where, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11191v1 Announce Type: new Abstract: Adaptive experimentation under unknown network interference requires solving two coupled problems: (i) learning the underlying dynamics of interference among units and (ii) using these dynamics to inform treatment allocation in order to maximize a cumulative outcome of interest (e.g. revenue). Existing adaptive experimentation methods either assume the interference network is fully known or bypass the network by operating on coarse cluster-level randomizations. We develop a Thompson sampling algorithm that jointly learns the interference network and adaptively optimizes individual-level treatment allocations via a Gibbs sampler. The algorithm returns both an optimized treatment policy and an estimate of the interference network; the latter supports downstream causal analyses such as estimation of direct, indirect, and total treatment effects. For additive spillover models, we show that total reward is linear in the treatment vector with coefficients given by an $n$-dimensional latent score. We prove a Bayesian regret bound of order $\sqrt{nT \cdot B \log(en/B)}$ for exact posterior sampling; empirically, our Gibbs-based approximate sampler achieves regret consistent with this rate and remains sublinear when the additive spillovers assumption is violated. For general Neighborhood Interference, where this reduction is unavailable, we analyze an explore-then-commit variant with $O(n^2 \log T)$ graph-discovery cost. An information-theoretic $\Omega(n \log T)$ lower bound complements both results. Empirically, our method achieves more than an order-of-magnitude reduction in regret in head-to-head comparisons. On two real-world networks, the algorithm achieves sublinear regret and yields downstream effect estimates with small RMSE relative to the truth.

  14. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11179unread

    Interpretable Machine Learning for Spatial Science: A Lie-Algebraic Kernel for Rotationally Anisotropic Gaussian Processes

    Kane Warrior, Dalia Chakrabarty · 2026-05-13

    The authors introduce a Gaussian process kernel for 3D spatial data that explicitly parameterizes rotated anisotropy: three principal length-scales plus an SO(3) rotation encoded as an axis–angle vector. Standard ARD kernels only capture axis-aligned stretching; generic symmetric-positive-definite parameterizations can represent arbitrary rotations but don't expose the principal directions. Here the rotation is mapped via the Lie-algebra exponential, giving unconstrained Euclidean coordinates for inference while guaranteeing a valid covariance metric. Bayesian MCMC on synthetic and real nano-material density data shows the method recovers the true generating metric, improves prediction over ARD when the field is rotated, and matches ARD when the field is axis-aligned. **Main takeaways:** - Exposes three principal length-scales and an explicit SO(3) rotation as interpretable parameters, unlike black-box full-SPD matrices - Uses axis–angle Lie-algebra exponential to keep the rotation unconstrained during optimization while always producing a valid rotation matrix - Posterior inference via MCMC; the paper characterizes symmetries and weakly identified regimes (e.g., when two length-scales are similar) - On synthetic rotated-anisotropic data, recovers the ground-truth metric and outperforms axis-aligned ARD; matches ARD when data is axis-aligned - Applied to a nano-brick material-density dataset, the inferred metric reveals rotated principal directions

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, trained, same, length, baseline, predict, axis. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11179v1 Announce Type: new Abstract: Many three-dimensional spatial fields are anisotropic, with directions of rapid and slow variation that need not align with the coordinate axes. Standard Gaussian process kernels with Automatic Relevance Determination (ARD) capture only axis-aligned anisotropy, while generic full symmetric positive definite (SPD) metrics can represent rotated anisotropy but do not parameterise principal length-scales and directions directly. We introduce an interpretable rotationally anisotropic GP kernel that parameterises a three-dimensional SPD covariance metric using three principal length-scales and an explicit SO(3) rotation. The rotation is represented by an axis-angle vector and mapped to SO(3) via the Lie-algebra exponential map, giving unconstrained Euclidean coordinates for inference while always inducing a valid SPD metric. The construction spans the same family of three-dimensional SPD covariance metrics as a generic full-SPD parameterisation, but exposes the geometry differently: length-scales and orientation are explicit, interpretable, and directly available for prior specification and posterior summaries. We perform Bayesian inference on these quantities using Markov Chain Monte Carlo (MCMC), and characterise the resulting symmetries and weakly identified regimes. On synthetic data with rotated anisotropy, the posterior recovers the generating metric and improves prediction relative to an axis-aligned ARD baseline, while matching the predictive performance of a generic full SPD baseline. When the ground truth is axis-aligned, posterior mass concentrates near the identity rotation and predictive performance matches ARD. On a material-density dataset from a laboratory-fabricated nano-brick, the inferred metric reveals rotated anisotropy that is not captured by axis-aligned kernels.

  15. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11059unread

    Uniform Scaling Limits in AdamW-Trained Transformers

    William Gibson, Christoph Reisinger · 2026-05-13

    The authors prove that as transformer depth L grows, the layer-by-layer hidden-state dynamics and backpropagation variables (under AdamW training) converge uniformly to a system of ordinary differential equations—essentially a continuous-depth limit. The convergence rate is O(1/L + 1/(L^(1/3) H^(1/2))), where H is the number of attention heads. When attention heads don't use causal masking, the limiting ODE has a McKean–Vlasov (mean-field) form; concentration-of-measure techniques yield bounds uniform over compact sets of initial conditions, with constants independent of the number of tokens (avoiding a covering argument). **Main takeaways:** - Models transformer hidden states as an interacting particle system and proves L²-convergence to a forward–backward ODE system as depth L → ∞ - Convergence holds uniformly over initial conditions and improves with more attention heads H - Without causal masking, the limit is a McKean–Vlasov ODE (mean-field interaction); with masking, a more general forward–backward system - Bounds are independent of token count, thanks to concentration of measure (no covering argument needed) - Under a suitable AdamW adaptation, bounds become independent of token embedding dimension as well

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, tokens, attention, trained, system, token, under, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11059v1 Announce Type: new Abstract: We study the large-depth limit of transformers trained with AdamW, by modelling the hidden-state dynamics as an interacting particle system (IPS) coupled through the attention mechanism. Under appropriate scaling of the attention heads, we prove that the joint dynamics of the hidden states and backpropagated variables converge in $L^2$, uniformly over the initial condition, to the solution of a forward--backward system of ODEs at rate $\mathcal O(L^{-1}+L^{-1/3}H^{-1/2})$. Here, $L$ and $H$ denote the depth and number of heads of the transformer, respectively. The limiting system of ODEs can be identified with a McKean--Vlasov ODE (MVODE) when the attention heads do not incorporate causal masking. By using the flow maps associated with this MVODE and applying concentration of measure techniques, we obtain bounds on the difference between the discrete and continuous models that are uniform over compact sets of initial conditions. As this is achieved without resorting to a covering argument, the constants in our bounds are independent of the number of tokens. Furthermore, under a suitable adaptation to AdamW, the bounds become independent of the token embedding dimension.

  16. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11606unread

    Convolutional-Neural-Networks for Deanonymisation of I2P Traffic

    Luca Rohrer, Konrad Baechler, Dieter Arnold · 2026-05-13

    The authors investigate whether passive traffic analysis and convolutional neural networks can de-anonymize services in the I2P (Invisible Internet Project) anonymity network, despite encrypted payloads. They generated synthetic I2P traffic in a controlled lab, trained CNNs to identify distinctive patterns, and applied Fano's inequality to theoretically analyze anonymous data transmission in mix networks. Computer experiments in the lab and evaluation on real-world I2P traffic show that the proposed methods do not compromise I2P's anonymity guarantees. **Main takeaways:** - Goal: identify I2P services via passive traffic analysis (timing, packet sizes) even though payloads are encrypted - Generated synthetic I2P traffic in a lab environment as a training dataset for CNNs - Used Fano's inequality for theoretical analysis of information leakage in mix networks like I2P - Evaluated CNNs in the lab I2P network and on real-world traffic - Results indicate the proposed methods do *not* break I2P anonymity—distinguishing patterns were insufficient

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, project. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11606v1 Announce Type: new Abstract: This study investigates the potential for deanonymizing services within the Invisible Internet Project (I2P) network through passive traffic analysis and machine learning techniques. The primary objective is to identify distinctive patterns in I2P traffic despite the encryption of its payload. To achieve this, a controlled laboratory environment was established to generate synthetic I2P traffic, providing a training dataset for machine learning models. Furthermore, Fano's inequality is employed to perform a theoretical analysis of anonymous data transmission in mix networks such as I2P, thereby supporting a data-driven approach to uncover causal relationships. In computer experiments, advanced deep learning methods - particularly Convolutional Neural Networks - are applied within the laboratory I2P network, and their effectiveness is further evaluated using real-world traffic data. The results indicate that the proposed methodologies do not compromise the anonymity guarantees of the I2P network.

  17. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11442unread

    Can a Single Message Paralyze the AI Infrastructure? The Rise of AbO-DDoS Attacks through Targeted Mobius Injection

    Zi Liang, Ronghua Li, Yanyun Wang, Qingqing Ye, Haibo Hu · 2026-05-13

    The authors introduce *Mobius Injection*, a novel attack that weaponizes LLM agents into zombie nodes for distributed denial-of-service (AbO-DDoS). By injecting a single carefully crafted message that exploits "Semantic Closure" (a structural vulnerability in agent logic), attackers can trigger sustained recursive execution, amplifying a single call up to 51x and inflating latency up to 229x. The attack is lightweight, stealthy against both DDoS monitors and AI safety filters, and scales superlinearly with more poisoned nodes. They propose ACE (Agent Component Energy) Analysis as a proactive defense. **Main takeaways:** - LLM agents can be turned into DDoS amplifiers via textual injection alone, without modifying infrastructure or exploiting traditional network vulnerabilities. - "Semantic Closure" is a structural flaw in agentic logic where recursive execution can be triggered by malicious semantic content embedded in user messages. - Experiments across six agent architectures and 12 LLMs show high success rates, with single-node call amplification up to 51x and multi-node p95 latency inflation up to 229x. - The attack is stealthy: traditional DDoS monitors don't flag it because it looks like legitimate agent activity, and AI safety filters don't catch it because it's framed as benign text. - ACE Analysis detects malicious recursive triggers by measuring component-level energy (presumably computational intensity or invocation patterns).

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, eval, base, system, both, triggers, look. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11442v1 Announce Type: new Abstract: Large Language Model (LLM) agents have emerged as key intermediaries, orchestrating complex interactions between human users and a wide range of digital services and LLM infrastructures. While prior research has extensively examined the security of LLMs and agents in isolation, the systemic risk of the agent acting as a disruptive hub within the user-agent-service chain remains largely overlooked. In this work, we expose a novel threat paradigm by introducing Mobius Injection, a sophisticated attack that weaponizes autonomous agents into zombie nodes to launch what we define as gent-based and -Oriented DDoS (AbO-DDoS) attacks. By exploiting a structural vulnerability in agentic logic named Semantic Closure, an adversary can induce sustained recursive execution of agent components through a single textual injection. We demonstrate that this attack is exceptionally lightweight, stealthy against both traditional DDoS monitors and contemporary AI safety filters, and highly configurable, allowing for surgical targeting of specific environments or model providers. To evaluate the real-world impact, we conduct extensive experiments across three representative claw-style agents and three mainstream coding agents, integrated with 12 frontier proprietary or open-weight LLMs. Our results demonstrate that Mobius Injection achieves substantial attack success across diverse tasks, driving single-node call amplification up to 51.0x and multi-node p95 latency inflation up to 229.1x. The attack performance exhibits a superlinear increase with the number of poisoning nodes. To mitigate Mobius Injection, we propose a proactive defense mechanism using Agent Component Energy (ACE) Analysis, which detects malicious recursive triggers by measuring anomalous energy in the agent's component graph.

  18. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11360unread

    Options, Not Clicks: Lattice Refinement for Consent-Driven MCP Authorization

    Ying Li, Yanju Chen, Peiran Wang, Issac Khabra, Faysal Hossain Shezan, Yu Feng, Yuan Tian · 2026-05-13

    The authors present Conleash, a client-side authorization middleware for Model Context Protocol (MCP) tools that moves beyond coarse "always allow" toggles. Conleash uses a risk lattice to auto-permit safe calls within known boundaries while escalating risky ones, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, it achieved 98.2% accuracy, caught 99.4% of escalations, added only 8.2ms overhead, and was preferred by 16 user-study participants over traditional methods. **Main takeaways:** - Existing MCP authorization (broad toggles or opaque LLM decisions) causes consent fatigue and misses dangerous call arguments. - Conleash's risk lattice auto-permits safe calls (e.g., reading a known file) while surfacing risky ones (e.g., writing to unexpected locations) for user review. - A refinement loop converts one-time user decisions into reusable policies, reducing future prompts without sacrificing safety. - Real-world evaluation shows high accuracy (98.2%), low false-negative rate (99.4% escalation recall), and minimal latency overhead (8.2ms). - User study (N=16) found Conleash significantly increased trust and reduced prompting compared to traditional methods.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: latin, eval, prompt, base, fail, where. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11360v1 Announce Type: new Abstract: As Model Context Protocol adoption grows, securing tool invocations via meaningful user consent has become a critical challenge, as existing methods, broad always allow toggles or opaque LLM-based decisions, fail to account for dangerous call arguments and often lead to consent fatigue. In this work, we present Conleash, a client-side middleware that enforces boundary-scoped authorization by utilizing a risk lattice to auto-permit safe calls within known boundaries while escalating risks, a policy engine for user-defined invariants, and a refinement loop that converts user decisions into reusable rules. Evaluated on 984 real-world traces, Conleash achieved 98.2% accuracy, caught 99.4% of escalations, and added only 8.2 ms of overhead for policy verification; furthermore, in a user study where N=16, participants significantly preferred Conleash scoped permissions over traditional methods, citing higher trust and reduced prompting.

  19. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11339unread

    A Systematic Security Testing Approach for InterUSS-based environments

    Henrique Curi de Miranda, \'Agney Lopes Roth Ferraz, Wagner Comin Sonaglio, Louren\c{c}o Alves Pereira J\'unior · 2026-05-13

    This paper presents a security testing approach for InterUSS-based Unmanned Traffic Management (UTM) ecosystems, which coordinate drone operations across multiple service providers. The authors deploy a working InterUSS infrastructure, identify key components, and develop security tests aligned with standards like mTLS and OAuth 2.0. They compile these into a Testing Guide for component validation and interaction analysis. **Main takeaways:** - InterUSS is a federated ecosystem for drone traffic management, with security challenges at the infrastructure level (authentication, authorization, component interaction). - The authors deploy and analyze a working InterUSS system to pinpoint security-relevant components and interaction patterns. - Security tests focus on mTLS (mutual TLS for component authentication) and OAuth 2.0 (authorization) compliance. - The Testing Guide fills a gap in current research by providing a maintainer-focused approach to validating both individual components and their interactions. - The work is aimed at UTM infrastructure maintainers, not necessarily AI/ML safety researchers.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, system, both. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11339v1 Announce Type: new Abstract: Unmanned Traffic Management (UTM) federated ecosystems, such as InterUSS, enable secure coordination among UAS Service Suppliers (USSs). However, they bring up some security challenges at the infrastructure level that haven't been fully explored. This paper presents a security testing approach for InterUSS-based environments from the maintainer's perspective. By deploying and analyzing a working InterUSS infrastructure, we pinpoint key components and develop specific security tests aligned with established standards and protocols, such as mTLS and OAuth 2.0. We compiled these tests into a Testing Guide that aids both component validation and interaction analysis across InterUSS-based ecosystems, filling a gap in current research.

  20. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11040unread

    A Multi-Interface Firmware Acquisition and Validation Methodology for Low-Cost Consumer Drones: A Case Study on Three Holy Stone Platforms

    Sandesh More, Sneha Sudhakaran, Marco Carvalho · 2026-05-13

    The authors present a methodology for extracting and validating firmware from three consumer drone models (Holy Stone HS175D, HS720, HS360S) using low-cost, commercially available tools. They evaluate four acquisition methods—SPI flash reading, SWD/JTAG debug access, UART boot capture, and clip-based contact—and develop a three-tier validation framework using Shannon entropy profiling and structural-signature analysis to distinguish real firmware from junk data. Static analysis reveals aging library stacks with known CVEs and no binary-hardening mechanisms. **Main takeaways:** - Four firmware acquisition methods were tested for success rate, image completeness, and practicality without requiring chip desoldering - Validation uses sliding-window Shannon entropy and binwalk structural analysis to confirm images contain meaningful firmware, not just tool-level success indicators - Extracted firmware shows identifiable OS components, old libraries with known CVE exposure, and zero binary-hardening protections - Provides a reproducible baseline for firmware analysis, vulnerability assessment, and embedded-systems education in consumer UAVs

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, baseline, extraction. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11040v1 Announce Type: new Abstract: Consumer unmanned aerial vehicles (UAVs) have evolved into capable computing platforms, yet their embedded firmware remains largely inaccessible to the security community. Entry-level models, in particular those marketed to first-time and younger operators, commonly ship with limited protection mechanisms and no public documentation of their software internals. This paper presents a systematic study of firmware extraction and validation applied to three Holy Stone consumer drone models: the HS175D, HS720, and HS360S. Rather than pursuing reverse-engineering outcomes, the work focuses on obtaining reliable, ground-truth firmware images across heterogeneous hardware designs using only commercially available, low-cost tooling. Four acquisition methods are evaluated SPI flash in-circuit reading, SWD/JTAG debug-port access, UART boot-message capture, and a clip-based contact approach that avoids chip desoldering and each is assessed for success rate, image completeness, and operational practicality. Post-acquisition quality is evaluated through sliding-window Shannon entropy profiling and structural-signature analysis using binwalk, together forming a three-tier validation framework that distinguishes validated images from those that appear successful at the tool level but contain no meaningful firmware content. Static analysis via the EMBA framework confirms that validated images contain identifiable OS components, aging library stacks with known CVE exposure, and no binary-hardening mechanisms. The resulting corpus and methodology provide a reproducible baseline for firmware rehosting, vulnerability analysis, secure-boot assessment, and embedded-systems education within the consumer UAV domain. Index Terms: consumer UAV, drone firmware, embedded systems security, entropy analysis, firmware extraction, IoT security, SPI flash, SWD/JTAG, UART.

  21. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11032unread

    Portable Agent Memory: A Protocol for Cryptographically-Verified Memory Transfer Across Heterogeneous AI Agents

    Santhosh Kumar Ravindran · 2026-05-13

    The authors propose Portable Agent Memory, an open protocol for transferring an AI agent's accumulated context (episodic events, knowledge, skills, working state, identity preferences) across different vendor platforms and model architectures. The protocol uses a five-part structured memory model with content-addressable entries linked by a Merkle-DAG for tamper-evidence, capability-based access control for selective disclosure, and an injection-resistant rehydration protocol that adapts recalled memory to heterogeneous target models. They provide a Python SDK with 54 tests and demonstrate cross-model memory transfer between GPT-4, Claude, Gemini, and Llama. **Main takeaways:** - AI agents accumulate rich context, but it's locked in vendor-specific runtimes; this protocol makes memory portable across heterogeneous models and platforms. - Memory is structured as five components (episodic, semantic, procedural, working, identity) with content-addressable entries linked by a Merkle-DAG for tamper-evidence and provenance. - Capability-based access control lets agents selectively share memory segments; the rehydration protocol adapts recalled content to target models while mitigating indirect prompt injection. - Demonstrated working cross-model transfers between GPT-4, Claude, Gemini, and Llama with a Python SDK and agent skills for multiple platforms. - Open-source under Apache 2.0 with a JSON-first serialization format and optional CBOR compaction.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, base, source, under, implement. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11032v1 Announce Type: new Abstract: We present Portable Agent Memory, an open protocol and reference implementation for transferring persistent memory state across heterogeneous AI agents. Modern AI agents accumulate rich context -- episodic events,semantic knowledge, procedural skills, working state, and identity preferences -- but this context remains locked within vendor-specific runtimes. Portable Agent Memory addresses this through: (1) a five-component structured memory model with content-addressable entries linked by a Merkle-DAG provenance graph providing tamper-evidence; (2) capability-based access control enabling selective, scoped disclosure of memory segments; (3) an injection-resistant rehydration protocol that adapts recalled content to heterogeneous target models while mitigating indirect prompt injection; and (4) a JSON-first serialization format with optional CBOR compaction for efficient transport. We provide a Python SDK with 54 passing tests, agent skills for multiple platforms, and demonstrate cross-model memory transfer between GPT-4, Claude, Gemini, and Llama architectures. The protocol is open-source under Apache 2.0.

  22. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11458unread

    Adaptive Teacher Exposure for Self-Distillation in LLM Reasoning

    Zihao Han, Tiangang Zhang, Huaibin Wang, Yilun Sun · 2026-05-13

    The authors identify a problem in on-policy self-distillation for LLM reasoning: the teacher always sees the full reference solution, creating a mismatch when the student isn't yet competent enough to absorb such strong targets. They propose ATESD, which treats teacher exposure (how much of the reference solution the teacher sees) as a learnable variable. A lightweight controller samples an exposure ratio based on training-state statistics and holds it for a short window of updates, optimizing the controller with a reward based on the student's future learning progress rather than immediate loss. **Main takeaways:** - Standard self-distillation methods have the teacher condition on the full reference reasoning, but this can be too strong when the student is far behind. - Experiments show that full exposure isn't always optimal and that student-teacher mismatch grows as the teacher sees more privileged information. - ATESD uses a Beta-policy controller to dynamically choose how much of the reference solution the teacher sees at each training stage. - The controller is optimized with a discounted reward based on future student improvement, addressing delayed credit assignment. - On math reasoning benchmarks (AIME, HMMT), ATESD outperforms competitive self-distillation and RL baselines by +1 to +2.3 points.

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)". Matching terms: base, token, baseline, core, question, where, on-policy, axis. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11458v1 Announce Type: new Abstract: On-policy self-distillation has become a strong recipe for LLM reasoning, where a privileged teacher supervises the student's own rollouts while conditioning on the reference solution. A design choice shared by nearly all such methods, however, has gone unquestioned: the teacher always sees the full reference reasoning. We argue that this default itself is part of the problem and identify a teacher-side exposure mismatch: when the teacher conditions on reasoning far beyond the student's current competence, the resulting token targets become too strong to absorb. A controlled fixed-exposure sweep makes this concrete on two fronts: 1) full exposure is not reliably the best choice, and 2) student-teacher mismatch grows monotonically as the teacher sees more privileged reasoning. This motivates treating teacher exposure not as a fixed hyperparameter but as a learnable training-time control variable. We therefore propose Adaptive Teacher Exposure for Self-Distillation (ATESD). ATESD models the reveal ratio with a lightweight Beta-policy controller conditioned on compact training-state statistics, and uses one sampled exposure for a short hold window of student updates. To make this exposure controller learnable, we optimize it with a discounted learning-progress reward that scores each held decision by its effect on the student's future improvement rather than its immediate loss change, addressing the delayed credit assignment induced by on-policy distillation. Experiments on AIME 24, AIME 25, and HMMT 25 across Qwen3-{1.7B, 4B, 8B} show that ATESD consistently outperforms competitive self-distillation and RL baselines, improving over OPSD by +0.95, +2.05, and +2.33 Average@12 points respectively, and establishing adaptive teacher exposure as an effective new axis for reasoning self-distillation.

  23. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11426unread

    A Mechanistic Investigation of Supervised Fine Tuning

    Ruhaan Chopra · 2026-05-13

    The author shows that while cosine similarity between pre- and post-SFT activations stays very high (suggesting little change), projecting both through a Sparse Autoencoder reveals that the underlying sparse features diverge significantly. Using SAEs as a diagnostic tool, they identify task-specific and layer-specific distributions of semantic features that are systematically altered during fine-tuning, and discover a layer-wise update profile specific to safety alignment. **Main takeaways:** - High activation cosine similarity after SFT is misleading—the sparse latent structure changes substantially even when dense activations look similar. - Sparse Autoencoders pretrained on the base model can be used to measure which interpretable features are altered by fine-tuning. - The changes are task-specific and layer-specific: different fine-tuning objectives modify different semantic features in different layers. - Safety alignment shows a characteristic layer-wise update profile distinct from other fine-tuning tasks. - The method provides a high-resolution mechanistic view of what SFT actually changes beneath surface-level geometry.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, base, trained, system, similarity, cosine, under. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11426v1 Announce Type: new Abstract: The cosine similarity between a large language model's hidden activations before and after Supervised Fine-Tuning (SFT) remains very high. This, at first glance, suggests that SFT leaves the model's activation geometry largely undisturbed. However, projecting both sets of activations through a Sparse Autoencoder (SAE) pretrained on the base model reveals that the underlying sparse latents diverge significantly. We introduce a novel investigative pipeline which utilizes these pretrained SAEs as a high-resolution diagnostic tool to mechanistically investigate the drivers of this representational divergence. Through our analytical pipeline, we discover task-specific and layer-specific distributions of the precise semantic features that are systematically altered during supervised fine-tuning. We additionally identify a layer-wise update profile specific to safety alignment. All code, experimental scripts, and analysis files associated with this work are publicly available at: https://github.com/ruhzi/sae-investigation.

  24. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11386unread

    Revisiting Privacy Preservation in Brain-Computer Interfaces: Conceptual Boundaries, Risk Pathways, and a Protection-Strength Grading Framework

    Lei Sun, Xiuqing Mao, Shuai Zhang, Qingyu Zeng, Min Zhao, Jiyuan Li, Wenle Dong · 2026-05-13

    This paper surveys privacy risks in brain-computer interfaces (BCIs), arguing that privacy extends beyond raw neural signal leakage to include derived representations, model parameters, decoded outputs, and re-identification risks across the entire data lifecycle (collection, transmission, storage, training, inference, feedback). The authors propose a three-dimensional framework to classify existing BCI privacy protections by protection object, lifecycle stage, and protection strength (four levels). They emphasize that BCI privacy should not just obscure data but also disentangle task-irrelevant sensitive information while preserving task utility, and they flag mental privacy and neuroethical risks as open challenges. **Main takeaways:** - BCI privacy risk isn't just about raw neural signals — it includes derived features, model assets, decoded outputs, and re-identification across the full system lifecycle. - The paper defines protection boundaries, objects (user data vs. model privacy), and a shared risk pathway linking both. - They propose a three-dimensional grading framework: protection object × lifecycle stage × protection strength (four levels). - Effective BCI privacy should disentangle task-irrelevant sensitive information while preserving downstream task performance, not just encrypt or anonymize. - Mental privacy and neuroethical risks remain open issues beyond current technical protections.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: issue, output, issues, system, leakage, under, outputs, leak. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11386v1 Announce Type: new Abstract: Brain-computer interfaces (BCIs) are moving rapidly from laboratory research into clinical, edge, and real-world settings. Under ISO/IEC 8663:2025, a BCI is a direct communication link between central nervous system activity and external software or hardware systems. This link expands privacy risk beyond raw neural-signal leakage: neural data, derived representations, model assets, and decoded outputs can be re-associated with individuals across collection, transmission, storage, training, inference, and feedback, or used to infer information beyond what a task requires. Starting from the general BCI paradigm, this review deffnes privacy-protection boundaries, protection objects, and the relationship between user data privacy and model privacy within a shared risk pathway. It then proposes a three-dimensional framework - protection object, lifecycle stage, and dominant protection-strength level - to classify existing work into four levels of protection strength. Finally, mental privacy and neuroethical risks are treated as open issues, emphasizing that BCI privacy protection should not only obscure data but also disentangle task-irrelevant sensitive information while preserving downstream utility. Keywords: Brain-computer interface, Neural data privacy, User data privacy, Model privacy, Disentanglement of task-irrelevant sensitive information, Protection-strength grading, Neuroethical risks

  25. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11301unread

    LatentRouter: Can We Choose the Right Multimodal Model Before Seeing Its Answer?

    Xueqi Cheng, Yushun Dong · 2026-05-13

    The authors present LatentRouter, a router that picks which multimodal LLM to use for a given image-question query before you see any model's answer. Instead of just estimating query difficulty, it predicts how well each candidate model would perform by extracting "multimodal routing capsules" from the input, representing each model with a learned capability token, and simulating latent communication between them to estimate counterfactual utility. On MMR-Bench and VL-RouterBench, LatentRouter outperforms fixed-model and other learned-router baselines, especially on tasks where visual, layout, or reasoning requirements differ across models. **Main takeaways:** - Frames multimodal model routing as counterfactual utility prediction: estimate how each model would perform if you picked it, without actually running it. - Extracts learned multimodal capsules from the input and uses latent communication with model capability tokens to predict performance. - Supports both performance-only and performance-cost routing, and can handle changing candidate pools via shared per-model scoring. - Strongest gains come on tasks where model choice depends on visual layout or reasoning mode, not just query difficulty. - Latent communication (the interaction between input capsules and model tokens) is the main source of improvement over simpler feature-based routing.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, candidate, github, base, token, under, baseline, question. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11301v1 Announce Type: new Abstract: Multimodal large language models (MLLMs) have heterogeneous strengths across OCR, chart understanding, spatial reasoning, visual question answering, cost, and latency. Effective MLLM routing therefore requires more than estimating query difficulty: a router must match the multimodal requirements of the current image-question input with the capabilities of each candidate model. We propose LatentRouter, a router that formulates MLLM routing as counterfactual multimodal utility prediction. Given an image-question query, LatentRouter extracts learned multimodal routing capsules, represents each candidate MLLM with a model capability token, and performs latent communication between these states to estimate how each model would perform if selected. A distributional outcome head predicts model-specific counterfactual quality, while a bounded capsule correction refines close decisions without allowing residual signals to dominate the prediction. The resulting utility-based policy supports performance-oriented and performance-cost routing, and handles changing candidate pools through shared per-model scoring with availability masking. Experiments on MMR-Bench and VL-RouterBench show that LatentRouter outperforms fixed-model, feature-level, and learned-router baselines. Additional analyses show that the gains are strongest on multimodal task groups where model choice depends on visual, layout-sensitive, or reasoning-oriented requirements, and that latent communication is the main contributor to the improvement. The code is available at: https://github.com/LabRAI/LatentRouter.

  26. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11259unread

    Template-as-Ontology: Configurable Synthetic Data Infrastructure for Cross-Domain Manufacturing AI Validation

    Grama Chethan · 2026-05-13

    The authors introduce "Template-as-Ontology," a framework where a single Python configuration file defines both a manufacturing simulator and the runtime schema for AI analytics tools, guaranteeing alignment by construction. A five-layer pipeline generates causally coherent, MES-shaped synthetic data across six industry domains (aerospace, pharma, automotive, etc.) mapped to ISA-95 standards. They validate that ontology-constrained tool parameters eliminate hallucination—0% fabricated tool parameters when constrained versus 43% unconstrained for Qwen3-32B—because structural constraints are enforced at the architecture level, not learned. **Main takeaways:** - A single configuration module serves as both the simulator spec and the AI tool schema, ensuring structural alignment automatically. - Five-layer pipeline produces synthetic manufacturing data spanning 66 entity types across four operational domains. - Validated on six industry templates running identical framework code; observed KPIs fall within configured ranges. - Ontology-constrained parameters achieve 0% tool-parameter hallucination versus 43% unconstrained (Fisher's exact test p < 10^-12). - The 0% hallucination rate is an architectural guarantee from enforced constraints, independent of which model you use.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, trained, identical, source, space. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11259v1 Announce Type: new Abstract: LLarge language model (LLM)-based AI agents deployed in manufacturing environments require populated, schema-correct data for validation, yet production MES data is proprietary, privacy-encumbered, and vendor-specific. This paper introduces the Template-as-Ontology principle: a single Python configuration module (700-770 lines, 45 validated exports) serves simultaneously as the specification for a time-stepped manufacturing simulator and as the runtime domain schema for AI analytics tools, producing alignment by construction rather than integration. We formally define the domain template as a typed relational configuration schema and prove that structural alignment between simulation and tool layers is guaranteed by single-source consumption. A five-layer pipeline--simulation, PostgreSQL, CDC/Iceberg lakehouse, star schema, and 12 parameterized AI tools--generates causally coherent, MES-shaped data spanning 66 entity types across four operational domains mapped to ISA-95/IEC 62264. We validate the architecture with six industry templates (aerospace, pharma, automotive, electronics, beverages, warehousing) running on identical framework code. Calibration experiments (60 runs, 10 seeds per template) confirm parametric controllability: observed KPIs fall within configured ranges across all templates. A controlled hallucination experiment (72 tool invocations, Qwen3-32B) demonstrates that ontology-constrained parameters eliminate tool-parameter fabrication (0% constrained vs. 43% unconstrained hallucination rate for the evaluated model, Fisher's exact test p < 10^-12); the 0% constrained rate is an architectural guarantee that holds for any model. The framework provides a reusable data layer for discrete manufacturing AI validation.

  27. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11258unread

    Unlocking LLM Creativity in Science through Analogical Reasoning

    Andrew Shen, Shaul Druckmann, James Zou · 2026-05-13

    The authors show that LLMs suffer from mode collapse when generating solutions to open-ended scientific problems—they produce low-diversity outputs. They propose analogical reasoning (AR), which finds cross-domain problems with shared relational structure, generates analogies, and uses them to search for novel solutions. Compared to baselines, AR improves solution diversity metrics by 90–173%, generates novel solutions over 50% of the time (versus as low as 1.6% for baselines), and when implemented on four biomedical problems, yields consistent quantitative gains including state-of-the-art performance on oligonucleotide property prediction. **Main takeaways:** - LLMs mode-collapse into repetitive solutions on open-ended scientific problems, limiting their creative search. - Analogical reasoning searches for cross-domain problems with similar relational structure, then maps solutions back to the target domain. - Improves solution diversity by 90–173% and generates novel solutions over 50% of the time versus baselines. - Validated on four real biomedical tasks: 13-fold improvement on perturbation effect prediction, outperforms baselines on cell-cell communication prediction, high correlation on brain region interaction inference, and state-of-the-art on two oligonucleotide property datasets. - Demonstrates that prompting for analogies can augment the search space of existing solution-generation methods.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, collapse, baseline, space, predict. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11258v1 Announce Type: new Abstract: Autonomous science promises to augment scientific discovery, particularly in complex fields like biomedicine. However, this requires AI systems that can consistently generate novel and diverse solutions to open-ended problems. We evaluate LLMs on the task of open-ended solution generation and quantify their tendency to mode collapse into low-diversity generations. To mitigate this mode collapse, we introduce analogical reasoning (AR) as a new approach to solution generation. AR generates analogies to cross-domain problems based on shared relational structure, then uses those analogies to search for novel solutions. Compared to baselines, AR discovers significantly more diverse generations (improving solution diversity metrics by 90-173%), generates novel solutions over 50% of the time (compared to as little as 1.6% for baselines), and produces high-quality analogies. To validate the real-world feasibility of AR, we implement AR-generated solutions across four biomedical problems, yielding consistent quantitative gains. AR-generated approaches achieve a nearly 13-fold improvement on distributional metrics for perturbation effect prediction, outperform all baselines on AUPRC when predicting cell-cell communication, infer brain region interactions with a high Spearman correlation ($\rho$=0.729) to published methods, and establish state-of-the-art performance on 2 datasets for oligonucleotide property prediction. The novel and diverse solutions produced by AR can be used to augment the search space of existing solution generation methods.

  28. score 100arxiv cs.CL (NLP)arxiv:2605.11612unread

    When Emotion Becomes Trigger: Emotion-style dynamic Backdoor Attack Parasitising Large Language Models

    Ziyu Liu, Tao Li, Tianjie Ni, Xiaolong Lan, Wengang Ma, Tao Yang, Guohua Wang, Junjiang He · 2026-05-13

    The authors demonstrate a backdoor attack on LLMs that uses emotional writing style (rather than specific token sequences) as the trigger. During fine-tuning, they mix in examples where emotional tone triggers a malicious response; later, any emotionally-styled input activates the backdoor even though the words are different. They show emotion can be decoupled from semantic content in the model's representation space, forming distinct clusters, which makes the trigger hard to detect and robust to clean fine-tuning. **Main takeaways:** - Traditional backdoors use fixed token triggers (easy to detect); this one uses emotional *style* as a trigger, which is harder to spot - Emotional tone forms separate clusters in LLM representation space, distinct from the neutral semantic content - Achieved ~99% attack success rate across classification and generation tasks on four different models - The backdoor survives clean fine-tuning better than token-level triggers because emotion is a global stylistic property, not tied to specific words - Models fine-tuned with emotion-triggered poisoned data generate the attack response whenever they encounter emotional inputs at inference time

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, output, eval, token, both, triggers, space. Source: arxiv cs.CL (NLP).

    arXiv:2605.11612v1 Announce Type: new Abstract: Backdoor vulnerabilities widely exist in the fine-tuning of large language models(LLMs). Most backdoor poisoning methods operate mainly at the token level and lack deeper semantic manipulation, which limits stealthiness. In addition, Prior attacks rely on a single fixed trigger to induce harmful outputs. Such static triggers are easy to detect, and clean fine-tuning can weaken the trigger-target association. Through causal validation, we observe that emotion is not directly linked to individual words, but functions as an overall stylistic factor through tone. In the representation space of LLM, emotion can be decoupled from semantics, forming distinct cluster from the original neutral text. Therefore, we consider the emotional factor as the backdoor trigger to propose a pparasitic emotion-style dynamic backdoor attack, Paraesthesia. By mixing samples with the emotional trigger into clean data and then fine-tuning the model, the model is able to generate the predefined attack response when encountering emotional inputs during the inference stage. Paraesthesia includes two the quantification and rewriting of emotional styles. We evaluate the effectiveness of our method on instruction-following generation and classification tasks. The experimental results show that Paraesthesia achieves an attack success rate of around 99\% across both task types and four different models, while maintaining the clean utility of the models.

  29. score 100arxiv cs.CL (NLP)arxiv:2605.11581unread

    Ada-MK: Adaptive MegaKernel Optimization via Automated DAG-based Search for LLM Inference

    Wenxin Dong, Mingqing Hu, Guanghui Yu, Qiang Fu, Peng Xu, Hui Xu, Yue Xing, Xuewu Jiao, Shuanglong Li, Lin Liu · 2026-05-13

    The authors address inference latency in LLMs by optimizing "MegaKernels"—fused GPU operators that eliminate the overhead of launching thousands of separate kernels during decoding. They propose Ada-MK, which uses offline search to determine the optimal execution path at compile time (removing runtime branching penalties), reduces memory usage by 50% through better memory management, and integrates MegaKernel decoding into TensorRT-LLM. On NVIDIA L20, they achieved up to 50% throughput improvement over vLLM. **Main takeaways:** - Kernel launch overhead accounts for ~15% of LLM inference time because each token triggers thousands of kernel launches - MegaKernels fuse operators into one persistent kernel, but existing approaches either lack portability or introduce runtime branching penalties - Ada-MK eliminates runtime branching by determining the optimal execution path offline at compile time for a fixed deployment configuration - Reduces peak shared memory usage by 50% through better memory constraint modeling and splitting strategies - First industrial deployment of MegaKernel, achieving 23.6% improvement over TensorRT-LLM and 50.2% over vLLM on single-batch throughput

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, trigger, base, trained, system, token, source, under. Source: arxiv cs.CL (NLP).

    arXiv:2605.11581v1 Announce Type: new Abstract: When large language models (LLMs) serve real-time inference in commercial online advertising systems, end-to-end latency must be strictly bounded to the millisecond range. Yet every token generated during the decode phase triggers thousands of kernel launches, and kernel launch overhead alone can account for 14.6% of end-to-end inference time. MegaKernel eliminates launch overhead and inter-operator HBM round-trips by fusing multiple operators into a single persistent kernel. However, existing MegaKernel implementations face a fundamental tension between portability and efficiency on resource-constrained GPUs such as NVIDIA Ada: hand-tuned solutions are tightly coupled to specific architectures and lack portability, while auto-compiled approaches introduce runtime dynamic scheduling whose branch penalties are unacceptable in latency-critical settings. We observe that under a fixed deployment configuration, the optimal execution path of a MegaKernel is uniquely determined, and runtime dynamic decision-making can be entirely hoisted to compile time. Building on this insight, we propose Ada-MK: (1) a three-dimensional shared-memory constraint model combined with K-dimension splitting that reduces peak shared memory usage by 50%; (2) MLIR-based fine-grained DAG offline search that solidifies the optimal execution path, completely eliminating runtime branching; and (3) a heterogeneous hybrid inference engine that embeds MegaKernel as a plugin into TensorRT-LLM, combining high-throughput Prefill with low-latency Decode. On an NVIDIA L20, Ada-MK improves single-batch throughput by up to 23.6% over vanilla TensorRT-LLM and 50.2% over vLLM, achieving positive gains across all tested scenarios--the first industrial deployment of MegaKernel in a commercial online advertising system.

  30. score 100arxiv cs.CL (NLP)arxiv:2605.11577unread

    BitLM: Unlocking Multi-Token Language Generation with Bitwise Continuous Diffusion

    Shaobin Zhuang, Yuang Ai, Jiaming Han, Xiaohui Li, Huaibo Huang, Xiangyu Yue, Xuefeng Hu, Kun Xu, Yali Wang, Hao Chen · 2026-05-13

    The authors propose BitLM, a language model that generates multiple tokens in parallel by representing each token as a binary code and using diffusion to denoise several tokens at once within each block. Unlike pure diffusion models, BitLM preserves left-to-right causal attention *across* blocks while making joint decisions *within* blocks, combining the reliability of autoregressive modeling with the speed of parallel generation. This approach replaces the expensive vocabulary softmax with bitwise denoising, enabling faster pre-training and inference. **Main takeaways:** - Standard LLMs generate one token at a time, but natural language often carries meaning in multi-token units (phrases, collocations) - BitLM represents tokens as fixed-length binary codes and denoises multiple tokens in parallel within each block - Maintains causal left-to-right attention across blocks, so it's still a proper language model, not just a diffusion model - Replaces the large-vocabulary softmax (expensive) with bitwise denoising in a compact binary space - Achieves faster inference and stronger performance by treating token generation as iterative commitment in binary space rather than one-hot selection

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, tokens, attention, base, token, length, under, both. Source: arxiv cs.CL (NLP).

    arXiv:2605.11577v1 Announce Type: new Abstract: Autoregressive language models generate text one token at a time, yet natural language is inherently structured in multi-token units, including phrases, n-grams, and collocations that carry meaning jointly. This one-token bottleneck limits both the expressiveness of the model during pre-training and its throughput at inference time. Existing remedies such as speculative decoding or diffusion-based language models either leave the underlying bottleneck intact or sacrifice the causal structure essential to language modeling. We propose BitLM, a language model that represents each token as a fixed-length binary code and employs a lightweight diffusion head to denoise multiple tokens in parallel within each block. Crucially, BitLM preserves left-to-right causal attention across blocks while making joint lexical decisions within each block, combining the reliability of autoregressive modeling with the parallelism of iterative refinement. By replacing the large-vocabulary softmax with bitwise denoising, BitLM reframes token generation as iterative commitment in a compact binary space, enabling more efficient pre-training and substantially faster inference without altering the causal foundation that makes language models effective. Our results demonstrate that the one-token-at-a-time paradigm is not a fundamental requirement but an interface choice, and that changing it can yield a stronger and faster language model. We hope BitLM points toward a promising direction for next-generation language model architectures.

  31. score 100arxiv cs.CL (NLP)arxiv:2605.11574unread

    Three Regimes of Context-Parametric Conflict: A Predictive Framework and Empirical Validation

    Pruthvinath Jeripity Venkata · 2026-05-13

    The authors resolve contradictions in the literature about whether LLMs follow provided documents or stick to their trained knowledge when they conflict. They propose a three-regime framework: Regime 1 is single-source updating (models follow documents when evidence is coherent), Regime 2 is competitive integration (models rely on parametric certainty when choosing between conflicting sources), and Regime 3 is task-appropriate selection (task framing determines whether models use context or parameters). They validate this across five frontier models, showing parametric certainty predicts behavior in Regime 2 and task framing flips context-following rates from near-100% to 6-71% in Regime 3. **Main takeaways:** - Prior studies found contradictory results (models ignoring documents ~50% vs. following them ~96%) because they unknowingly studied different regimes - Regime 1: single-source updating—models follow documents when evidence is coherent and there's no strong parametric knowledge - Regime 2: competitive integration—when parametric knowledge competes with context, parametric *certainty* (not just strength) predicts whether models override the document - Regime 3: task-appropriate selection—task framing ("use your knowledge" vs. "use the document") flips context-following from nearly 100% to single digits - Parametric strength (training frequency) and parametric uniqueness (encoding consistency) are orthogonal dimensions; strength is the operative predictor in factual domains

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: trained, source, predictor, predict. Source: arxiv cs.CL (NLP).

    arXiv:2605.11574v1 Announce Type: new Abstract: The literature on how large language models handle conflict between their training knowledge and a contradicting document presents a persistent empirical contradiction: some studies find models stubbornly retain their trained answers, ignoring provided documents nearly half the time, while others find models readily defer to the document, following context approximately 96% of the time. We argue these contradictions dissolve once one recognises that prior experiments have studied three qualitatively distinct processing situations without distinguishing them. We propose a three-regime framework: Regime 1 (single-source updating, dominant predictor: evidence coherence), Regime 2 (competitive integration, dominant predictor: parametric certainty), and Regime 3 (task-appropriate selection, dominant predictor: task knowledge requirement). We formalise a distinction between parametric strength (exposure frequency) and parametric uniqueness (encoding consistency), showing empirically that these are orthogonal dimensions (r = -0.002, p = .97) with strength as the operative predictor in stable factual domains. We validate the framework across Claude Sonnet 4.6, GPT-5.5, Gemini 2.5 Flash, Llama 4 Maverick, and DeepSeek V3 using 9,970 API calls in three experimental phases. GEE logistic regression confirms the predicted Regime 2 certainty gradient for all five models (beta = -0.38 to -0.50, all p <= .013, BH-FDR corrected). A Regime 3 ablation shows task framing alone flips context-following from near-100% (contextual knowledge condition) to 6-71% (parametric knowledge condition), with all five models significant (p < .001). The certainty gradient is robust to multinomial outcome modeling, sensitivity analyses for hedging responses, and FDR correction.

  32. score 100arxiv cs.CL (NLP)arxiv:2605.11436unread

    Agent-BRACE: Decoupling Beliefs from Actions in Long-Horizon Tasks via Verbalized State Uncertainty

    Joykirat Singh, Zaid Khan, Archiki Prasad, Justin Chih-Yao Chen, Akshay Nambi, Hyunji Lee, Elias Stengel-Eskin, Mohit Bansal · 2026-05-13

    LLM agents acting over long horizons in partially observable environments face two problems: they need to track uncertainty about unobserved world attributes, and their context grows unbounded, diluting task-relevant information. The authors propose Agent-BRACE, which decouples the agent into a belief state model (producing a set of natural language claims about the environment, each tagged with a certainty label from "certain" to "unknown") and a policy model that acts based on this compact belief, not the full history. Both are jointly trained via RL. Across embodied language environments, Agent-BRACE improves average performance by +14.5% (3B) and +5.3% (4B) over strong RL baselines while keeping context size constant regardless of episode length. **Main takeaways:** - Long-horizon, partially observable tasks require tracking uncertainty and managing growing context - Agent-BRACE separates belief tracking (atomic claims + certainty labels) from action selection (policy conditioned on belief) - Belief state is structured natural language: claims like "the key is in room A" tagged with "likely" or "unknown" - Achieves +14.5% (3B) and +5.3% (4B) improvement on average, with near-constant context size - Reduces premature termination and hallucinations by distributing cognition across structured reasoning threads

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, base, length, under, baseline, both, aims. Source: arxiv cs.CL (NLP).

    arXiv:2605.11436v1 Announce Type: new Abstract: Large language models (LLMs) are increasingly deployed on long-horizon tasks in partially observable environments, where they must act while inferring and tracking a complex environment state over many steps. This leads to two challenges: partial observability requires maintaining uncertainty over unobserved world attributes, and long interaction history causes context to grow without bound, diluting task-relevant information. A principled solution to both challenges is a belief state: a posterior distribution over environment states given past observations and actions, which compactly encodes history for decision making regardless of episode length. In LLM agents, however, the open-ended nature of text makes it unclear how to represent such a distribution. Therefore, we introduce Agent-BRACE: Agent Belief state Representation via Abstraction and Confidence Estimation, a method that decouples an LLM agent into a belief state model and a policy model, jointly optimized via reinforcement learning. The belief state model produces a structured approximation of the belief distribution: a set of atomic natural language claims about the environment, each annotated with an ordinal verbalized certainty label ranging from certain to unknown. The policy model conditions on this compact, structured approximate belief rather than the full history, learning to select actions under explicit uncertainty. Across long-horizon, partially observable embodied language environments, Agent-BRACE achieves an average absolute improvement of +14.5% (Qwen2.5-3B-Instruct) and +5.3% (Qwen3-4B-Instruct), outperforming strong RL baselines while maintaining a near-constant context window independent of episode length. Further analysis shows that the learned belief becomes increasingly calibrated over the course of an episode as evidence accumulates.

  33. score 100arxiv cs.CL (NLP)arxiv:2605.11317unread

    SOMA: Efficient Multi-turn LLM Serving via Small Language Model

    Xueqi Cheng, Qiong Wu, Zhengyi Zhou, Xugui Zhou, Tyler Derr, Yushun Dong · 2026-05-13

    SOMA tackles the cost of multi-turn LLM conversations by switching from a large model to a smaller surrogate after a few turns. The idea: use early turns to map out the "response manifold" (the space of likely responses for this conversation), then fine-tune a small model with LoRA specifically for that local region. They learn soft prompts that maximize divergence between large and small model responses to find where alignment is weakest, then distill those cases into a LoRA adapter so the small model runs without extra prompt overhead at inference. **Main takeaways:** - Standard multi-turn serving concatenates full history every turn, which is expensive in latency, memory, and API cost. - SOMA uses early turns to identify a "local response manifold" and adapts a small model to handle the rest of the session. - They mine hard cases by maximizing semantic divergence between large and small model outputs, then distill into LoRA fine-tuning. - A gating mechanism enables one-time switching with rollback if the conversation drifts outside the learned region. - Experiments show efficiency gains while maintaining response quality compared to always using the large model.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, prompt, source, lora, divergence, where, drift. Source: arxiv cs.CL (NLP).

    arXiv:2605.11317v1 Announce Type: new Abstract: Large Language Models (LLMs) are increasingly deployed in multi-turn dialogue settings where preserving conversational context across turns is essential. A standard serving practice concatenates the full dialogue history at every turn, which reliably maintains coherence but incurs substantial cost in latency, memory, and API expenditure, especially when queries are routed to large proprietary models. Existing approaches often struggle to balance the trade-off between response quality and efficiency. We propose a framework that exploits the early turns of a session to estimate a local response manifold and then adapt a smaller surrogate model to this local region for the remainder of the conversation. Concretely, we learn soft prompts that maximize semantic divergence between the large and surrogate small language models' responses to surface least-aligned local directions, stabilize training with anti-degeneration control, and distill the mined cases into localized LoRA fine-tuning so the surrogate runs without prompts at inference. A simple gate enables a one-time switch with rollback on drift. We further provide a theoretical analysis for key components in SOMA. Extensive experiments show the effectiveness of SOMA. The source code is provided at: https://github.com/LabRAI/SOMA.

  34. score 100arxiv cs.CL (NLP)arxiv:2605.11290unread

    ReAD: Reinforcement-Guided Capability Distillation for Large Language Models

    Xueqi Cheng, Xugui Zhou, Tyler Derr, Yushun Dong · 2026-05-13

    ReAD is a framework for "capability distillation"—compressing a large LLM into a smaller one while keeping specific abilities needed for a downstream task. The authors find that distilling one capability affects others (cross-capability transfer) and that more training budget doesn't always help the target task while sometimes degrading other useful skills. ReAD uses a contextual bandit (a reinforcement learning approach) to adaptively allocate the distillation budget across capabilities based on expected utility gains, accounting for how capabilities interact rather than treating them independently. **Main takeaways:** - Capability distillation tries to preserve specific model abilities in a smaller model under a fixed token budget. - Existing methods treat capabilities independently, ignoring how improving one reshapes others. - The authors identify systematic cross-capability transfer and find extra budget can bring limited gains or even hurt unrelated abilities. - ReAD uses an uncertainty-aware contextual bandit to dynamically allocate budget based on which capabilities will most improve the downstream task. - Experiments show better task performance under the same budget with less harmful spillover to other capabilities.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, base, system, same, token, under. Source: arxiv cs.CL (NLP).

    arXiv:2605.11290v1 Announce Type: new Abstract: Capability distillation applies knowledge distillation to selected model capabilities, aiming to compress a large language model (LLM) into a smaller one while preserving the abilities needed for a downstream task. However, most existing methods treat capabilities as independent training targets and overlook how improving one capability can reshape the student's broader capability profile, especially when multiple abilities jointly determine task success. We study capability distillation under a fixed token budget and identify two consistent patterns: distillation induces systematic, budget-dependent cross-capability transfer, and additional budget often brings limited task-relevant gains while sometimes degrading other useful abilities. Building on these insights, we propose ReAD, a Reinforcement-guided cApability Distillation framework that explicitly accounts for capability interdependence. ReAD first infers task-essential capabilities, then generates capability-targeted supervision on the fly, and finally uses an uncertainty-aware contextual bandit to adaptively allocate the distillation budget based on expected utility gains. Extensive experiments show that ReAD improves downstream utility under the same token budget while reducing harmful spillover and wasted distillation effort compared to strong baselines. Our code is publicly available at https://github.com/LabRAI/ReAD.

  35. score 100arxiv cs.CL (NLP)arxiv:2605.11242unread

    RETUYT-INCO at BEA 2026 Shared Task 2: Meta-prompting in Rubric-based Scoring for German

    Ignacio Sastre, Ignacio Remersaro, Facundo D\'iaz, Nicol\'as De Horta, Luis Chiruzzo, Aiala Ros\'a, Santiago G\'ongora · 2026-05-13

    The authors describe their system for automatically scoring German student short answers using rubrics. Their main contribution is "Meta-prompting": an LLM generates a custom prompt based on training examples, which is then used to grade new answers. They also tested classic ML, LLM fine-tuning, and other prompting techniques, achieving middle-tier rankings (4th-6th place out of 8-9 teams) across three shared task tracks. **Main takeaways:** - Task involves scoring short German student answers against specific rubrics. - Meta-prompting: use an LLM to create a specialized prompt from training examples, then use that prompt to grade new answers. - Team placed 6th/8 in Track 1 (QWK 0.729), 4th/9 in Track 3 (QWK 0.674), and 4th/8 in Track 4 (QWK 0.49). - Also explored classic machine learning, fine-tuning open-source LLMs, and various prompting strategies. - Focus was on handling the varying nature of rubrics and questions across the dataset.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: long, prompt, base, source, question, look, along. Source: arxiv cs.CL (NLP).

    arXiv:2605.11242v1 Announce Type: new Abstract: In this paper, we present the RETUYT-INCO participation at the BEA 2026 shared task "Rubric-based Short Answer Scoring for German". Our team participated in track 1 (Unseen answers three-way), track 3 (Unseen answers two-way) and track 4 (Unseen questions two-way). Since these tracks required scoring short student answers using specific rubrics, we looked for ways to handle the changing nature of the task. We created a method called Meta-prompting. In this approach, an LLM creates a custom prompt based on examples from the Train set. This prompt is then used to grade new student answers. Along with this method, we also describe other approaches we used, such as classic machine learning, fine-tuning open-source LLMs, and different prompting techniques. According to the official results, our team placed 6th out of 8 participants in Track 1 with a QWK of 0.729. In Track 3, we secured 4th place out of 9 with a QWK of 0.674, and we also placed 4th out of 8 in Track 4 with a QWK of 0.49.

  36. score 100arxiv cs.CL (NLP)arxiv:2605.11167unread

    The Bicameral Model: Bidirectional Hidden-State Coupling Between Parallel Language Models

    Cedric Flamant, Udaya Ghai, Kanna Shimizu · 2026-05-13

    The Bicameral Model connects two frozen pretrained language models through a tiny learned interface (~1% of total parameters) that lets them exchange information via hidden states rather than text. One model handles the main task while the other operates tools (calculator, logic solver, code interpreter), and both condition on each other's internal activations at every generation step. A learned "suppression gate" decides what gets communicated, trained only from task loss without any prescribed protocol. On arithmetic, coupling two 0.5B models with a calculator jumps accuracy from 36% to 96%. **Main takeaways:** - Two frozen LMs can coordinate through continuous hidden-state channels instead of generating text back and forth - A trainable translation network plus suppression gate (~1% parameters) learns a communication protocol from task loss alone - On arithmetic (calculator backend), accuracy rises from 36% to 96% with two 0.5B models - On logic puzzles (Z3 solver backend), 1.7× improvement over baseline with two 0.6B models - The auxiliary model can generate problem-specific code from hidden-state signals without ever seeing the problem text

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, base, trained, system, baseline, both. Source: arxiv cs.CL (NLP).

    arXiv:2605.11167v1 Announce Type: new Abstract: Existing multi-model and tool-augmented systems communicate by generating text, serializing every exchange through the output vocabulary. Can two pretrained language models instead coordinate through a continuous, concurrent channel? The Bicameral Model couples two frozen language models through a trainable neural interface on their intermediate hidden states. At every generation step, both models run in lockstep: a primary model drives the task while an auxiliary model operates tools, solves constraints, or executes code, with both conditioning on each other's activations through a translation network and a learned suppression gate ($\sim$1\% of combined parameters). The gate learns a selective communication protocol from task loss alone, without a prescribed format. We demonstrate the mechanism across three tool backends. On arithmetic, coupling two 0.5B models with a calculator raises accuracy from 36\% to 96\%. On logic grid puzzles, coupling two 0.6B models with a Z3 solver achieves $1.7\times$ the unaugmented baseline on ZebraLogic. On mathematical reasoning, coupling with a Python sandbox enables the auxiliary to generate problem-specific code from hidden-state signals alone, without ever seeing the problem text.

  37. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11093unread

    Enabling Performant and Flexible Model-Internal Observability for LLM Inference

    Nengneng Yu, Sixian Xiong, Yibo Zhao, Wei Wang, Zaoxing Liu · 2026-05-13

    DMI-Lib is a system for efficiently extracting internal activations (hidden states, attention weights, etc.) from LLMs during inference without slowing down serving. It decouples observation from the main inference path using an asynchronous GPU-CPU memory abstraction that captures and stages tensors, then exports them via a policy-controlled backend. This lets you monitor model internals with only 0.4-6.8% overhead in batch inference and ~6% in online serving, a 2-15× latency improvement over existing approaches. **Main takeaways:** - Extracting model internals during inference usually tanks performance; DMI-Lib adds only 0.4-6.8% overhead (batch) or ~6% (serving) - Uses asynchronous observability: captures tensors off the inference hot path, stages them in GPU-CPU shared memory, exports via host backend - Works across diverse inference backends and observation points (hidden states, attention, etc.) without breaking serving optimizations - 2-15× lower latency overhead than baselines with similar observability features - Open source library designed as a first-class systems primitive for model-internal monitoring

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, base, system, source, baseline, project. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11093v1 Announce Type: new Abstract: Today's inference-time workloads increasingly depend on timely access to a model's internal states. We present DMI-Lib, a high-speed deep model inspector that treats internal observability as a first-class systems primitive, decoupling it from the inference hot path via an asynchronous observability substrate built from Ring^2, a GPU-CPU memory abstraction for capturing and staging tensors, and a policy-controlled host backend that exports them. DMI-Lib enables the placement of observation points across a rich space of internal signals and diverse inference backends while preserving serving optimizations and adhering to tight GPU memory budgets. Our experiments demonstrate that DMI-Lib incurs only 0.4%--6.8% overhead in offline batch inference and an average of 6% in moderate online serving, reducing latency overhead by 2x-15x compared to existing baselines with similar observability features. DMI-Lib is open-sourced at https://github.com/ProjectDMX/DMI.

  38. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11021unread

    A Switching System Theory of Q-Learning with Linear Function Approximation

    Donghwan Lee, Han-Dong Lim · 2026-05-13

    The authors reframe Q-learning with linear function approximation as a switching dynamical system and analyze its convergence using the joint spectral radius (JSR), a tool from control theory that measures stability when a system switches between different modes. They show that whether Q-learning converges can be understood as whether the corresponding switched system is stable, and this framework applies to both deterministic updates and stochastic cases (i.i.d. observations or Markovian). The JSR perspective can be less conservative than traditional one-step norm bounds because it considers products of switching modes, and it also gives a new lens on regularized Q-learning. **Main takeaways:** - Q-learning with linear function approximation can be exactly modeled as a switched linear system, where convergence = stability in control-theory terms - The joint spectral radius (JSR) captures how operator norms compound across multiple update steps, potentially giving tighter guarantees than single-step analysis - The framework applies to deterministic updates, stochastic i.i.d. cases, and Markovian observation sequences - Regularized Q-learning also fits naturally into this switched-system view, connecting projected Bellman equations to switched-system stability

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "remove notion of aims from project", experiment "Core question: interventions on persona space". Matching terms: base, system, same, identical, project, space. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11021v1 Announce Type: new Abstract: This paper develops a switching-system interpretation of Q-learning with linear function approximation (LFA) based on the joint spectral radius (JSR). We derive an exact linear switched model for the mean dynamics and relate convergence to stability of the corresponding switched system. The same construction is then used for stochastic linear Q-learning with independent and identically distributed (i.i.d.) observations and with Markovian observations. Although exact JSR computation is difficult in general, the certificate captures products of switching modes and can be less conservative than one-step norm bounds. The framework also yields a JSR-based view of regularized Q-learning with LFA. The resulting analysis connects projected Bellman equations, finite-difference stochastic-policy switching, and switched-system stability in a single parameter-space formulation.

  39. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11008unread

    When and How to Canonize: A Generalization Perspective

    Yonatan Sverdlov, Benjamin Friedman, Snir Hordan, Nadav Dym · 2026-05-13

    The paper studies three ways to make neural networks respect symmetries in data (e.g., rotating a point cloud shouldn't change the prediction): building invariance into the architecture, averaging over transformations, or "canonizing" (sorting or otherwise standardizing) inputs before feeding them to a non-invariant backbone. The authors prove that canonization's generalization depends on how smooth the canonization function is — a bad canonization can be as poor as no symmetry handling at all, while a good one matches fully invariant architectures. They show that lexicographic sorting of point clouds has exponentially large covering numbers (bad), whereas Hilbert-curve sorting has polynomial covering numbers (good), explaining why Hilbert serialization works well in practice. **Main takeaways:** - Canonization (preprocessing to fix symmetry before a standard model) isn't automatically as good as building invariance into the network. - The authors bound generalization error via covering numbers and show canonization sits between fully invariant models (best) and non-invariant baselines (worst). - Whether canonization reaches the good end of that spectrum depends on the regularity (smoothness) of the canonization map. - For point clouds, lexicographic sorting has exponential covering-number growth, but Hilbert curve canonization has polynomial growth — the first rigorous theory for why Hilbert serialization helps. - Experiments on point-cloud tasks confirm the theoretical hierarchy.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, base, under, baseline, aims, where. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11008v1 Announce Type: new Abstract: While invariant architectures are standard for processing symmetric data, there is growing interest in achieving invariance by applying group averaging or canonization to non-invariant backbones. However, the theoretical generalization properties of these alternative strategies remain poorly understood. We introduce a theoretical framework to analyze the generalization error of these methods by bounding their covering numbers. We establish a rigorous generalization hierarchy: the error bounds of canonized models are at best equal to the error bounds of structurally invariant and group-averaged models, and at worst equal to the bounds of non-invariant baselines. Furthermore, we show that there exist optimal canonizations which attain the optimal error bounds, and poor canonizations which attain the non-invariant error bounds, and that this depends on the regularity of the canonization. Finally, applying this framework to permutation groups in point cloud processing, we rigorously prove that the covering number of lexicographical sorting grows exponentially with point cloud dimension, whereas Hilbert curve canonization guarantees polynomial growth. This provides the first formal theoretical justification for the empirical success of Hilbert curve serialization in state-of-the-art point cloud architectures. We conclude with experiments that support our theoretical claims. Code is available at https://github.com/yonatansverdlov/Canonization

  40. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10988unread

    Seeing the Needle in the Haystack: Towards Weakly-Supervised Log Instance Anomaly Localization via Counterfactual Perturbation

    Yutszyuk Wong, Wentai Wu, Yuen-Ying Yeung, Weiwei Lin · 2026-05-13

    The authors tackle anomaly detection in system logs when you only have coarse labels (e.g., "this batch of logs contains an anomaly somewhere") rather than labels on individual log entries. Their LogMILP framework uses multi-instance learning — treating a bag of logs as the unit of supervision — combined with prototype-guided modeling and counterfactual perturbations to identify which specific log entries are anomalous. This lets operators pinpoint the exact problematic events without expensive instance-level annotations. **Main takeaways:** - Trains on bag-level labels ("anomaly present in this collection") but produces instance-level localization ("line 47 is the culprit"). - Uses prototypes (representative examples) and counterfactual perturbations ("if I remove this entry, does the bag stop looking anomalous?") to guide the model to the critical log entries. - Achieves competitive detection performance while improving localization reliability on three public log datasets. - Code is open-sourced for practitioners working with large-scale networked systems.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, base, system, source, under, both. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10988v1 Announce Type: new Abstract: Log anomaly detection is a critical task for system operations and security assurance. However, in networked systems at scale, log data are generated at massive scale while instance-level annotations are prohibitively expensive, posing great difficulties to fine-grained anomaly localization. To address this challenge, we propose LogMILP (Log anomaly localization based on Multi-Instance Learning enhanced by prototypes and Perturbation), a weakly supervised framework that enables both bag-level anomaly detection and instance-level anomaly localization using only bag-level labels. Our method guides the model to pinpoint the critical log entries using prototype-guided structural modeling with counterfactual perturbation consistency regularization, thereby improving localization reliability and interpretability under coarse-grained supervision. Experimental results on three public datasets demonstrate that LogMILP achieves competitive detection performance while yielding significantly more reliable instance-level localization. Our code is open-sourced at https://github.com/YUK1207/LogMILP.

  41. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10985unread

    Structural Interpretations of Protein Language Model Representations via Differentiable Graph Partitioning

    Siddhant Dutta, Edward Tan Beng Wai, Soumick Sarker, Pasan Gunawardane, Jagath C. Rajapakse · 2026-05-13

    The authors build a framework to make protein language model (ESM-2) representations interpretable by projecting them onto protein contact graphs — networks where nodes are amino acid residues and edges represent spatial proximity. They use SoftBlobGIN, a graph neural network with differentiable clustering, to group residues into functional substructures and perform structure-aware prediction. This yields both strong performance (92.8% accuracy on enzyme classification, AUROC 0.983 on binding-site detection) and directly auditable explanations: the model recovers known active-site residues and catalytic contact patterns without any supervision on those sites. **Main takeaways:** - Combines language model embeddings (ESM-2) with graph neural networks over protein contact graphs to get structure-aware predictions. - Differentiable "blob" clustering automatically groups residues into functional substructures; blobs containing active sites show 1.85× higher importance scores. - GNNExplainer recovers biologically meaningful active-site residues and catalytic patterns post hoc. - Improves binding-site detection from 0.885 AUROC (ESM-2 alone) to 0.983, showing structural explanations aren't recoverable from language-model features alone. - Plug-and-play design: no retraining of the language model, adds only ~1.1M parameters.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", experiment "remove notion of aims from project", experiment "Core question: interventions on persona space". Matching terms: parent, project, space, predict. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10985v1 Announce Type: new Abstract: Protein language models such as ESM-2 learn rich residue representations that achieve strong performance on protein function prediction, but their features remain difficult to interpret as structural $\&$ evolutionary signals are encoded in dense latent spaces. We propose a plug-$\&$-play framework that projects ESM-2 representations onto protein contact graphs $\&$ applies $\textbf{SoftBlobGIN}$, a lightweight Graph Isomorphism Network with differentiable Gumbel-softmax substructure pooling, to perform structure-aware message passing $\&$ learn coarse functional substructures for downstream prediction tasks. Across enzyme classification, SoftBlobGIN achieves 92.8\% accuracy $\&$ 0.898 macro-F1. Unlike post hoc analysis of protein language models alone, our method produces directly auditable structural explanations: GNNExplainer recovers biologically meaningful active-site residues, spatially localized functional clusters, $\&$ catalytic contact patterns. On binding-site detection, SoftBlobGIN improves residue AUROC from $0.885$ using an ESM-2 linear probe to $0.983$, indicating that these structural explanations are not recoverable from language-model features alone. Learned blob partitions provide an additional layer of interpretability by automatically grouping residues into functional substructures, with blobs containing annotated active-site residues showing $1.85\times$ higher importance than other blobs ($\rho{=}0.339$, $p{=}0.009$), without any active-site supervision. Our framework requires no retraining of the language model, adds only $\sim$1.1M parameters, $\&$ generalises across ProteinShake tasks, achieving $F_{\max}$ of $0.733$ on Gene Ontology prediction $\&$ AUROC of $0.969$ on binding-site detection. We position this as an interpretable structural companion to protein language models that makes their predictions more transparent $\&$ auditable.

  42. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10983unread

    TMPO: Trajectory Matching Policy Optimization for Diverse and Efficient Diffusion Alignment

    Jiaming Li, Chenyu Zhu, Zhiyuan Ma, Nanxi Yi, Youjun Bao, Li Sun, Quanying Lv, Xiang Fang, Daizong Liu, Jianjun Li, Kun He, Bowen Zhou · 2026-05-13

    The authors propose TMPO (Trajectory Matching Policy Optimization) to align diffusion models using reinforcement learning without suffering from reward hacking — the problem where models collapse onto a few high-reward outputs and lose diversity. Instead of maximizing expected reward (which is "mode-seeking"), TMPO matches the model's probability distribution over entire generation trajectories to a reward-induced Boltzmann distribution. This "mode-covering" approach preserves diversity over all acceptable outputs while still optimizing reward. They also introduce a tree-sampling trick to share computation across multiple trajectories during training, speeding up large flow-matching models. **Main takeaways:** - Standard RL fine-tuning of diffusion models is mode-seeking: it concentrates probability on a few high-reward paths, causing visual mode collapse and reward hacking. - TMPO uses trajectory-level distribution matching (Softmax Trajectory Balance objective) to cover all acceptable trajectories, not just maximize reward. - Improves generative diversity by 9.1% over state-of-the-art methods while maintaining competitive reward and efficiency. - Dynamic Stochastic Tree Sampling shares denoising prefixes across K trajectories, reducing redundant computation during multi-trajectory training. - Effective across human preference alignment, compositional generation, and text rendering tasks.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: rate, collapse, divergence, where. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10983v1 Announce Type: new Abstract: Reinforcement learning (RL) has shown extraordinary potential in aligning diffusion models to downstream tasks, yet most of them still suffer from significant reward hacking, which degrades generative diversity and quality by inducing visual mode collapse and amplifying unreliable rewards. We identify the root cause as the mode-seeking nature of these methods, which maximize expected reward without effectively constraining probability distribution over acceptable trajectories, causing concentration on a few high-reward paths. In contrast, we propose Trajectory Matching Policy Optimization (TMPO), which replaces scalar reward maximization with trajectory-level reward distribution matching. Specifically, TMPO introduces a Softmax Trajectory Balance (Softmax-TB) objective to match the policy probabilities of K trajectories to a reward-induced Boltzmann distribution. We prove that this objective inherits the mode-covering property of forward KL divergence, preserving coverage over all acceptable trajectories while optimizing reward. To further reduce multi-trajectory training time on large-scale flow-matching models, TMPO incorporates Dynamic Stochastic Tree Sampling, where trajectories share denoising prefixes and branch at dynamically scheduled steps, reducing redundant computation while improving training effectiveness. Extensive results across diverse alignment tasks such as human preference, compositional generation and text rendering show that TMPO improves generative diversity over state-of-the-art methods by 9.1%, and achieves competitive performance in all downstream and efficiency metrics, attaining the optimal trade-off between reward and diversity.

  43. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10974unread

    Vertex-Softmax: Tight Transformer Verification via Exact Softmax Optimization

    Navid Rezazadeh, Arash Gholami Davoodi · 2026-05-13

    The authors develop Vertex-Softmax, a method to exactly optimize the softmax function over interval constraints when verifying transformer models — critical for proving robustness guarantees. Existing verifiers approximate softmax independently of the downstream objective, leaving slack. Vertex-Softmax proves the exact optimum always occurs at a vertex (corner) of the constraint box and lies among only linearly many candidates, giving log-linear complexity. They further prove this is the tightest possible bound obtainable from score intervals alone, formally characterizing what additional structure (score correlations, score-value coupling) would be needed for further improvement. **Main takeaways:** - Transformer verification requires bounding softmax over intervals on pre-softmax scores; existing verifiers relax softmax independently of the objective, leaving avoidable slack. - Vertex-Softmax proves the exact optimum lies at a vertex of the constraint box and among linearly many sorted candidates, enabling log-linear-time exact optimization. - Formally optimal: provably the tightest sound bound obtainable from score intervals alone, with a characterization of what additional structure is needed for further improvement. - Integrated into a CROWN-style verifier with soundness guarantees, significantly improving certified rates and tightening lower bounds on MNIST, Fashion-MNIST, and CIFAR-10 attention models. - Matches or outperforms alpha-CROWN and branch-and-bound baselines at a fraction of their cost.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, candidates, candidate, attention, base, length, baseline, core. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10974v1 Announce Type: new Abstract: Certified verification of transformer attention requires bounding the softmax function over interval constraints on the pre-softmax scores. Existing verifiers relax softmax ndependently of the downstream objective, leaving avoidable slack. We prove that the exact optimum of this score-box problem is attained at a vertex of the constraint box, and establish a threshold structure theorem showing that, after sorting the objective coefficients, the optimum lies among only linearly many candidates, yielding the Vertex-Softmax primitive with log-linear complexity in the sequence length. We further prove a formal optimality result showing that Vertex-Softmax is the tightest sound bound obtainable from score intervals alone, characterizing precisely what additional structure (score correlations, score-value coupling) is needed for further improvement. Integrated into a CROWN Convex Relaxation based Optimization for Worst-case Neurons)-style verifier with a formal soundness guarantee, Vertex-Softmax significantly improves certified rates and substantially tightens lower bounds across MNIST, Fashion-MNIST, and CIFAR-10 attention models, while consistently matching or outperforming alpha-CROWN and branch-and-bound baselines at a fraction of their cost.

  44. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10973unread

    Rotation-Preserving Supervised Fine-Tuning

    Hangzhan Jin, Tianwei Ni, Lu Li, Pierre-Luc Bacon, Mohammad Hamdaqa, Doina Precup · 2026-05-13

    The authors tackle a common problem in fine-tuning: when you train a language model on one task, it gets better at that task but worse at unrelated things. They propose RPSFT, a method that penalizes changes to the dominant directions in the pretrained weight matrices (the "top-k singular vectors") during fine-tuning, treating this as a cheaper proxy for Fisher-sensitive directions. The idea is to let the model adapt without breaking the pretrained representation structure that supports general capabilities. **Main takeaways:** - Standard supervised fine-tuning (SFT) damages out-of-domain performance, and prior work links this damage to rotation of the dominant singular subspaces in weight matrices. - RPSFT penalizes changes in the projected top-k singular-vector block of each pretrained weight, limiting rotation while still allowing task adaptation. - On math reasoning datasets across multiple model sizes, RPSFT improves the in-domain vs. out-of-domain trade-off compared to standard SFT and strong baselines. - The method better preserves pretrained representations and provides stronger initializations for downstream reinforcement learning fine-tuning. - The approach is computationally cheaper than directly computing Hessian or Fisher information at LLM scale.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, base, trained, baseline, project, space. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10973v1 Announce Type: new Abstract: Supervised fine-tuning (SFT) improves in-domain performance but can degrade out-of-domain (OOD) generalization. Prior work suggests that this degradation is related to changes in dominant singular subspaces of pretrained weight matrices. However, directly identifying loss-sensitive directions with Hessian or Fisher information is computationally expensive at LLM scale. In this work, we propose preserving projected rotations in pretrained singular subspaces as an efficient proxy for Fisher-sensitive directions, which we call Rotation-Preserving Supervised Fine-Tuning (RPSFT). RPSFT penalizes changes in the projected top-$k$ singular-vector block of each pretrained weight matrix, limiting unnecessary rotation while preserving task adaptation. Across model families and sizes trained on math reasoning data, RPSFT improves the in-domain/OOD trade-off over standard SFT and strong SFT baselines, better preserves pretrained representations, and provides stronger initializations for downstream RL fine-tuning. Code is available at \href{https://github.com/jinhangzhan/RPSFT.git}{https://github.com/jinhangzhan/RPSFT}.

  45. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10947unread

    Interpretable EEG Microstate Discovery via Variational Deep Embedding: A Systematic Architecture Search with Multi-Quadrant Evaluation

    Saheed Faremi, Andrea Visentin, Luca Longo · 2026-05-13

    The authors develop a variational deep embedding model (Conv-VaDE) for discovering "microstates" in EEG brain recordings — brief, stable patterns of electrical activity that represent discrete functional brain states. Traditional methods use hard clustering directly on electrode measurements, with no learned representation or way to decode what each cluster looks like. Conv-VaDE learns a shared latent space that does both reconstruction and probabilistic soft clustering, allowing the model to generate verifiable scalp topographies for each cluster. They run a systematic architecture search over cluster count, latent dimensionality, network depth, and channel width on resting-state EEG data. **Main takeaways:** - Conventional EEG microstate analysis uses hard clustering in electrode space with no learned latent representation or generative decoding. - Conv-VaDE jointly learns topographic reconstruction and probabilistic soft clustering in a shared latent space, enabling generative decoding of cluster prototypes. - A four-dimensional architecture search reveals that depth L=4 appears in all 18 best-performing configurations. - Best results achieve 73% global explained variance and 0.229 silhouette score at K=4 clusters. - Moderately deep networks with compact channel widths and small latent dimensionality dominate across the full cluster-count range.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, both, space, where, moderate. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10947v1 Announce Type: new Abstract: EEG microstate analysis segments continuous brain electrical activity into brief, quasi-stable topographic configurations that reflect discrete functional brain states. Conventional approaches such as Modified K-Means operate directly in electrode space with hard assignment, offering no learned latent representation, no generative decoder, and no mechanism to decode latent configurations into verifiable scalp topographies, limiting both model transparency and interpretability. To address this, we present a Convolutional Variational Deep Embedding (Conv-VaDE) model that jointly learns topographic reconstruction and probabilistic soft clustering in a shared latent space. Conv-VaDE enables generative decoding of cluster prototypes into verifiable scalp topographies, replacing opaque hard partitioning with probabilistic soft assignment. A polarity invariance scheme and a four-dimensional grid search over cluster count (K from 3 to 20), latent dimensionality, network depth, and channel width are conducted to systematically reveal how each architectural design choice shapes the quality, stability, and interpretability of learned EEG microstate representations. The model is evaluated on the LEMON resting-state eyes-closed EEG dataset with ten participants using topographic template formation, clustering stability, and global explained variance (GEV). The architecture search reveals that depth L = 4 appears consistently across all 18 best-performing configurations, yielding a best-case GEV of 0.730 and a silhouette of 0.229 at K = 4 across the model sweeps, where moderately deep networks with compact channel widths and small latent dimensionality dominate across the full K range. These results establish that principled architecture search, rather than model scale, is the key to interpretable and stable EEG microstate discovery via variational deep embedding.

  46. score 94arxiv stat.ML (Machine Learning)arxiv:2605.12235unread

    Optimal Policy Learning under Budget and Coverage Constraints

    Giovanni Cerulli · 2026-05-13

    The paper studies how to learn optimal treatment assignment policies when you face both a budget constraint (limited resources) and a coverage constraint (must treat at least a minimum number of people). The author shows the problem has a knapsack structure and the optimal policy can be characterized by a threshold rule involving shadow prices for both constraints. The linear programming relaxation has a tight integrality gap, meaning continuous solutions are asymptotically equivalent to discrete allocations. Two practical algorithms are analyzed: a Greedy-Lagrangian approach that closely approximates the optimum, and a rank-and-cut method that works well unless cost heterogeneity interacts with a binding coverage constraint. **Main takeaways:** - Optimal policy learning with both budget and minimum-coverage constraints has a knapsack-type structure - The optimal policy is an affine threshold rule involving shadow prices for budget and coverage - Linear programming relaxation is asymptotically tight (O(1) integrality gap) - Greedy-Lagrangian algorithm achieves near-optimal performance in finite samples - Rank-and-cut works well when coverage is slack or costs are homogeneous, but misallocates when cost heterogeneity meets binding coverage constraints

    Read next because overlaps with clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: under, both, implement, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12235v1 Announce Type: new Abstract: We study optimal policy learning under combined budget and minimum coverage constraints. We show that the problem admits a knapsack-type structure and that the optimal policy can be characterized by an affine threshold rule involving both budget and coverage shadow prices. We establish that the linear programming relaxation of the combinatorial solution has an O(1) integrality gap, implying asymptotic equivalence with the optimal discrete allocation. Building on this result, we analyze two implementable approaches: a Greedy-Lagrangian (GLC) and a rank-and-cut (RC) algorithm. We show that the GLC closely approximates the optimal solution and achieves near-optimal performance in finite samples. By contrast, RC is approximately optimal whenever the coverage constraint is slack or costs are homogeneous, while misallocation arises only when cost heterogeneity interacts with a binding coverage constraint. Monte Carlo evidence supports these findings.

  47. score 94arxiv stat.ML (Machine Learning)arxiv:2605.12118unread

    Keeping Score: Efficiency Improvements in Neural Likelihood Surrogate Training via Score-Augmented Loss Functions

    Alexander Shen, Mikael Kuusela · 2026-05-13

    The authors improve simulation-based inference (SBI) for models with expensive likelihoods by augmenting the standard training loss with exact score information—the gradient of the log-likelihood with respect to parameters. SBI trains a neural network to approximate the likelihood using simulated data, but this is expensive; the authors show that when you can compute the score (even if the full likelihood is intractable), adding it to the loss function drastically improves the quality of the surrogate without needing much more training data. In their experiments, the method matches the performance of a 10× data increase with only a 1.1× increase in training time. **Main takeaways:** - Standard SBI treats the data-generating process as a black box and trains a likelihood surrogate via binary classification (real vs. simulated). - This paper relaxes the black-box assumption: if you can compute the score (gradient of log p(x | θ)), you can add it as an auxiliary loss term. - The score-augmented loss is combined with adaptive weighting based on loss gradients to balance the two objectives. - Experiments on network dynamics and spatial processes show much better surrogate quality and downstream inference at a fraction of the simulation cost. - Practical upshot: you get the benefit of ~10× more training data for ~1.1× more compute.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Core question: interventions on persona space". Matching terms: eval, base, trained, core. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12118v1 Announce Type: new Abstract: For stochastic process models, parameter inference is often severely bottlenecked by computationally expensive likelihood functions. Simulation-based inference (SBI) bypasses this restriction by constructing amortized surrogate likelihoods, but most SBI methods assume a black-box data generating process. While these surrogates are exact in the limit of infinite training data, practical scenarios force a strict tradeoff between model quality and simulation cost. In this work, we loosen the black-box assumption of SBI to improve this tradeoff for structured stochastic process models. Specifically, for neural network likelihood surrogates trained via probabilistic classification, we propose to augment the standard binary cross-entropy loss with exact score information $\nabla_\theta \log p(x \mid \theta)$ and adaptive weighting based on loss gradients. We evaluate our approach on case studies involving network dynamics and spatial processes, demonstrating that our method improves surrogate quality at a drastically lower computational cost than generating more training data. Notably, in some cases, our approach achieves downstream inference performance equivalent to a 10x increase in training data with less than a 1.1x increase in training time.

  48. score 86arxiv stat.ML (Machine Learning)arxiv:2605.11120unread

    Sensor Design for Accuracy-Bounded Estimation via Maximum-Entropy Likelihood Synthesis

    Raktim Bhattacharya · 2026-05-13

    The paper tackles sensor design for large physical systems when you have an accuracy target but don't know what sensors you need. Instead of designing sensors first and checking accuracy later, the authors flip the problem: given an error budget, they synthesize the measurement likelihood function that enforces that budget while adding minimal information beyond what the system dynamics already provide. They do this using maximum-entropy optimization (among all posteriors meeting the accuracy constraint, pick the one closest to the prior), then back out the implied sensor characteristics. **Main takeaways:** - Classical sensor design requires knowing sensor models upfront; this approach inverts the flow by starting with accuracy requirements - The method constructs a measurement likelihood via constrained maximum-entropy optimization: enforce the error budget while minimizing added information - Works with various distance metrics (Wasserstein, KL divergence, moment constraints) and provides convex or convex-relaxed formulations - A two-layer design architecture connects abstract accuracy budgets to concrete sensor placement, precision, and configuration choices

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Cosine and JS divergence over base-model outputs predict where non-persona [ZLT] triggers leak on Qwen2.5-7B-Instruct (MODERATE confidence)", experiment "[Aim 5] Does EM-induced persona-discrimination collapse generalize when EM is trained under non-default personas?". Matching terms: trained, system, divergence, predict, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11120v1 Announce Type: cross Abstract: Designing the sensing architecture for large-scale spatio-temporal systems is hard when accuracy requirements are specified but sensor models are uncertain or unavailable. Classical design treats sensor placement and estimation sequentially, requiring valid forward models for each sensing modality. This paper inverts the design flow: given an error budget, synthesize the measurement likelihood that enforces it while injecting minimal information beyond the dynamical prior. The likelihood is constructed by constrained optimization: among all posteriors satisfying a prescribed accuracy bound relative to a target, select the one minimizing Kullback-Leibler divergence from the prior. The solution is a maximum-entropy posterior in relative-entropy form, and the induced likelihood is the Radon-Nikodym derivative. The framework accommodates arbitrary discrepancies and is instantiated for Wasserstein distance, maximum mean discrepancy, $f$-divergences, moment constraints, and hybrid metrics. For each, we derive the discrete particle-level problem, analyze its convex or convex-relaxed structure, and present solvers with complexity scaling. A closed-form solution exists for the symmetric exponential-tilt case, and a distillation procedure converts nonparametric likelihood samples into parametric forms. A two-layer sensor design architecture embeds the synthesized likelihood in the recursive predict-update loop, connecting accuracy budgets to physical sensor placement, precision, and configuration. Numerical experiments comparing four metrics on unimodal and multimodal scenarios confirm the accuracy constraints are reliably enforced and reveal how metric choice determines the amount and spatial distribution of injected information.

  49. score 86arxiv cs.CL (NLP)arxiv:2605.11582unread

    Efficient LLM-based Advertising via Model Compression and Parallel Verification

    Wenxin Dong, Chang Gao, Guanghui Yu, Xuewu Jiao, Mingqing Hu, Qiang Fu, Peng Xu, Penghui Wei, Hui Xu, Yue Xing, Shuanglong Li, Lin Liu · 2026-05-13

    The authors present a system for speeding up LLM inference in real-time advertising (ad generation, targeting) using adaptive quantization, hierarchical sparsification, and prefix-tree parallel verification. They demonstrate significant speedup on two real-world advertising scenarios with acceptable quality loss, making LLMs practical for latency-sensitive commercial deployment. **Main takeaways:** - LLMs are too slow for real-time advertising systems without aggressive optimization - Combined three techniques: adaptive group quantization (compress weights), layer-adaptive hierarchical sparsification (prune less important computations), and prefix-tree parallel verification (batch similar queries) - Tested on two real advertising scenarios and achieved significant speedup with manageable quality degradation - Makes LLMs operationally viable for commercial real-time deployment where millisecond latency matters

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system. Source: arxiv cs.CL (NLP).

    arXiv:2605.11582v1 Announce Type: new Abstract: Large language models (LLMs) have shown remarkable potential in advertising scenarios such as ad creative generation and targeted advertising. However, deploying LLMs in real-time advertising systems poses significant challenges due to their high inference latency and computational cost. In this paper, we propose an Efficient Generative Targeting framework that integrates adaptive group quantization, layer-adaptive hierarchical sparsification, and prefix-tree parallel verification to accelerate LLM inference while preserving generation quality. Extensive experiments on two real-world advertising scenarios demonstrate that our framework achieves significant speedup with acceptable quality degradation, making it operationally viable for practical deployments.

  50. score 86arxiv cs.LG (Machine Learning)arxiv:2605.10981unread

    $ξ$-DPO: Direct Preference Optimization via Ratio Reward Margin

    Zhengyuan Fan, Zhonghua Wu, Yuxuan Du, Qun Chen · 2026-05-13

    The authors propose ξ-DPO, a variant of preference optimization (fine-tuning LLMs from human preference data) that simplifies hyperparameter tuning. Existing methods like SimPO have two coupled hyperparameters (β and γ) that are hard to tune jointly because the margin γ doesn't have a consistent interpretation across datasets with different reward distributions. ξ-DPO reformulates the objective to use a "ratio reward margin" — the ratio of chosen to rejected response probabilities — which is bounded and interpretable, and can be set directly from the initial reward gap distribution without trial-and-error. **Main takeaways:** - SimPO's margin hyperparameter γ is not easily interpretable across datasets because it depends on the reward gap structure; tuning β and γ jointly is difficult. - ξ-DPO redefines the reward as a ratio (chosen/rejected) rather than a difference, yielding a bounded margin ξ that explicitly represents desired relative separation. - The ratio formulation cancels the effect of β, eliminating one hyperparameter from the tuning problem. - ξ can be determined from the initial reward gap distribution, avoiding repeated trial-and-error tuning across datasets. - Reformulates the preference objective as minimizing distance between reward gaps and optimal margins rather than maximizing likelihood of reward gaps.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: issue, under. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10981v1 Announce Type: new Abstract: Reference-free preference optimization has emerged as an efficient alternative to reinforcement learning from human feedback, with Simple Preference Optimization(SimPO) demonstrating strong performance by eliminating the explicit reference model through a simple objective. However, the joint tuning of the hyperparameters $\beta$ and $\gamma$ in SimPO remains a central challenge. We argue that this difficulty arises because the margin formulation in SimPO is not easily interpretable across datasets with different reward gap structures. To better understand this issue, we conduct a comprehensive analysis of SimPO and find that $\beta$ implicitly controls sample filtering, while the effect of $\gamma$ depends on the reward gap structure of the dataset. Motivated by these observations, we propose $\xi$-DPO: Direct preference optimization via ratio reward margin. We first reformulate the preference objective through an equivalent transformation, changing the optimization target from maximizing the likelihood of reward gaps to minimizing the distance between reward gaps and optimal margins. Then, we redefine the reward in a ratio form between the chosen and rejected, which effectively cancels the effect of $\beta$ and yields a bounded and interpretable margin. This margin is called the ratio reward margin and is denoted by $\xi$. Unlike the margin $\gamma$ in SimPO, $\xi$ explicitly represents the desired relative separation between chosen and rejected responses and can be determined from the initial reward gap distribution, avoiding repeated trial-and-error tuning. ....

  51. score 78arxiv cs.LG (Machine Learning)arxiv:2605.11007unread

    RT-Transformer: The Transformer Block as a Spherical State Estimator

    Peter Racioppo · 2026-05-13

    The author reinterprets the Transformer block as the solution to a geometric state-estimation problem: imagine the true latent state lives on a hypersphere, and you're updating your estimate by aggregating noisy evidence from the tangent plane. Attention becomes precision-weighted aggregation of evidence, residual connections implement incremental updates in the tangent space, and layer normalization projects the result back onto the sphere. In this view, the three core Transformer components aren't independent design choices but emerge naturally from the geometry. **Main takeaways:** - Standard Transformer ingredients — attention, residuals, and layer norm — can be derived from a single directional (spherical) state-estimation framework. - The model treats the latent state as a unit vector; noise and updates live in the tangent plane at the current estimate. - Attention aggregates evidence weighted by precision (inverse noise variance), residual connections add the tangent-space update to the current state, and normalization retracts the updated vector back to the unit sphere. - This geometric interpretation unifies components that are usually justified separately in Transformer literature. - The paper is theoretical/conceptual; no new architecture or experiments are presented.

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Core question: interventions on persona space", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: attention, core, implement. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11007v1 Announce Type: new Abstract: We show that the core components of the Transformer block -- attention, residual connections, and normalization -- arise naturally from a single geometric estimation problem. Modeling the latent state as a direction on the hypersphere, with noise defined in the tangent plane at the current estimate, yields a precision-weighted directional inference procedure in which attention aggregates evidence, residual connections implement incremental state updates, and normalization retracts the updated state back onto the hypersphere. Together, these components follow from the geometry of the estimation problem rather than being introduced as independent architectural choices.

  52. score 74arxiv cs.AI (Artificial Intelligence)arxiv:2605.11392unread

    Transformer Interpretability from Perspective of Attention and Gradient

    Yongjin Cui, Xiaohui Fan, Huajun Chen · 2026-05-13

    The authors propose a method to interpret Vision Transformers (ViT) by guiding gradient flow in the direction of attention, which they argue provides more comprehensive and detailed feature-region interpretation. They show that by leveraging the difference between how ViT and humans perceive images, they can alter an image's predicted class in ways nearly imperceptible to humans ("class rewriting"), raising potential security concerns. The paper combines gradient-based and attention-based interpretability to better understand ViT mechanisms. **Main takeaways:** - Standard gradient-based interpretation for Transformers can be improved by explicitly guiding gradients along attention directions. - This attention-guided gradient method offers more detailed interpretation of which image regions contribute to predictions. - The method reveals that ViT perceives images differently from humans, enabling "class rewriting" — changing the predicted class with imperceptible image modifications. - Class rewriting poses potential security risks in deployment scenarios. - The work aims to deepen understanding of Transformer mechanisms through the interaction of attention and gradient.

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "[Aim 5] Does EM-induced persona-discrimination collapse generalize when EM is trained under non-default personas?". Matching terms: attention, under. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11392v1 Announce Type: new Abstract: Although researchers' attention is more focused on the performance of Transformer models, the interpretation of Transformer can never be ignored. Gradient is widely utilized in Transformer interpretation. From the perspective of attention and gradient, we conduct an in-depth study of Transformer interpretation and propose a method to achieve it by guiding the gradient direction, or more precisely, the attention direction. The method enables more comprehensive interpretation of feature regions, offers detail interpretation, and helps to better understand Transformer mechanism. Leveraging the difference in how Vision Transformer (ViT) and humans perceive images, we alter the class of an image in a way that is almost imperceptible to the human eye. This class rewriting phenomenon may potentially pose security risks in certain scenarios.

  53. score 62arxiv stat.ML (Machine Learning)arxiv:2605.11226unread

    A Stable Distance Persistence Homology for Dynamic Bayesian Network Clustering

    Will Bales, Carmen Rovi · 2026-05-13

    The authors introduce a topological approach to analyzing Dynamic Bayesian Networks (DBNs) by converting them into time-varying graphs where edge strength measures variation in conditional dependence across parent configurations. Applying persistent homology to these graphs produces a "barcode" summarizing how groups of strongly dependent variables merge and disappear over time, and they prove this barcode is stable (robust to small perturbations in the conditional probability tables). **Main takeaways:** - Standard DBN inference focuses on local conditional distributions and can miss large-scale patterns in dependency structure. - They assign each edge a strength measuring conditional dependence variation, retaining strong edges above a threshold. - Persistent homology produces a barcode recording when connected groups of strongly dependent variables merge or disappear. - The barcode is stable: small perturbations in the DBN's conditional probability tables lead to small barcode changes. - Provides a noise-resistant summary of evolving dependency structure in dynamic Bayesian networks.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: parent, system. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11226v1 Announce Type: cross Abstract: Dynamic Bayesian networks (DBNs) are a widely used framework for modeling systems whose probabilistic structure evolves over time. Standard inference methods focus on local conditional distributions and can miss larger-scale patterns in how dependencies between variables organize and change over time. We introduce a topological approach to this problem. To each DBN we associate a time-varying graph, called a Dynamic Bayesian Graph (DBG), by assigning to each edge a strength that measures variation in its conditional dependence across parent configurations, and retaining edges whose strength exceeds a chosen threshold. We show that this construction fits within the dynamic graph framework of Kim and M\'emoli, enabling the use of tools from topological data analysis. Applying persistent homology to a DBG produces a barcode, which records the merging and disappearance of connected groups of strongly dependent variables over time. We prove that this barcode is stable: small perturbations in the conditional probability tables of the DBN lead to small changes in the resulting barcode. This yields a principled and noise-resistant summary of how dependency structure evolves in a dynamic Bayesian network.

  54. score 62arxiv stat.ML (Machine Learning)arxiv:2605.12208unread

    Self-Supervised Laplace Approximation for Bayesian Uncertainty Quantification

    Julian Rodemann, Alexander Marquard, Thomas Augustin, Michele Caprio · 2026-05-13

    Bayesian inference usually focuses on the posterior parameter distribution, but in practice we care about predictions. The authors propose Self-Supervised Laplace Approximation (SSLA), which skips the parameter posterior and directly approximates the posterior predictive distribution using a self-training idea: refit the model on its own predictions. If the model assigns high likelihood to self-predicted data, those predictions are low-uncertainty, and vice versa. This yields a deterministic, sampling-free approximation. An approximate version (ASSLA) avoids expensive refitting. The modular design allows plugging in different priors for classical sensitivity analysis. **Main takeaways:** - Standard Bayesian methods focus on parameter posteriors, but predictions are often the real target - SSLA approximates the posterior predictive by refitting the model on self-predicted data: high self-likelihood = low uncertainty - The approach is deterministic and sampling-free, avoiding expensive MCMC - ASSLA is an approximate version that skips expensive refitting for computational efficiency - Experiments on regression tasks (including Bayesian neural networks) show SSLA outperforms classical Laplace approximations in predictive calibration while remaining computationally efficient

    Read next because overlaps with experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)", experiment "Cosine and JS divergence over base-model outputs predict where non-persona [ZLT] triggers leak on Qwen2.5-7B-Instruct (MODERATE confidence)". Matching terms: both, predict. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12208v1 Announce Type: new Abstract: Approximate Bayesian inference typically revolves around computing the posterior parameter distribution. In practice, however, the main object of interest is often a model's predictions rather than its parameters. In this work, we propose to bypass the parameter posterior and focus directly on approximating the posterior predictive distribution. We achieve this by drawing inspiration from self-training within self-supervised and semi-supervised learning. Essentially, we quantify a Bayesian model's predictive uncertainty by refitting on self-predicted data. The idea is strikingly simple: If a model assigns high likelihood to self-predicted data, these predictions are of low uncertainty, and vice versa. This yields a deterministic, sampling-free approximation of the posterior predictive. The modular structure of our Self-Supervised Laplace Approximation (SSLA) further allows us to plug in different prior specifications, enabling classical Bayesian sensitivity (w.r.t. prior choice) analysis. In order to bypass expensive refitting, we further introduce an approximate version of SSLA, called ASSLA. We study (A)SSLA both theoretically and empirically in regression models ranging from Bayesian linear models to Bayesian neural networks. Across a wide array of regression tasks with simulated and real-world datasets, our methods outperform classical Laplace approximations in predictive calibration while remaining computationally efficient.

Threats and caveats

94
  1. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11476unread

    A Barrier-Metric First-Order Method for Linearly Constrained Bilevel Optimization

    Tenglong Hong, Paul Grigas · 2026-05-13

    The authors tackle bilevel optimization problems where the lower-level problem has fixed polyhedral constraints (think optimizing over a polyhedron). The core trick is to smooth the constraints using a logarithmic barrier, turning a non-smooth optimization into a smoother one, then run a gradient-based method that only needs first-order information (no expensive second-order matrix inversions). They develop convergence guarantees using a "barrier-aware" geometry that adapts to how close iterates get to constraint boundaries. **Main takeaways:** - Barrier smoothing makes constrained bilevel problems differentiable, avoiding expensive Hessian inversions or linear solves that standard methods require. - The algorithm uses only gradients of the upper and lower objectives, plus the explicit barrier Hessian from the fixed constraints. - They prove convergence rates of roughly K^(-2/3) in the deterministic case and K^(-2/5) with stochastic noise after K iterations. - The "Dikin geometry" adapts the step-size schedule to keep iterates in well-behaved regions near constraint boundaries. - Barrier parameter can be decreased with quantitative control on the approximation error.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, issues, trained, under. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11476v1 Announce Type: cross Abstract: We study bilevel optimization with a fixed polyhedral lower feasible set. Such problems are challenging for two reasons: active-set changes can make the upper objective nonsmooth, and existing hypergradient methods typically require lower-Hessian inversions or equivalent linear solves, which are computationally expensive. To address these issues, we adopt a logarithmic barrier smoothing of the lower problem to obtain a differentiable approximation of the constrained bilevel objective, and develop a proxy-gradient algorithm for the resulting barrier-smoothed surrogate. The algorithm uses only gradients of the upper and lower objectives; its only second-order object is the explicit logarithmic barrier Hessian determined by the fixed polyhedral constraints. Barrier smoothing restores differentiability, but Euclidean smoothness constants are not uniformly bounded near the boundary. We therefore develop a local Dikin-geometry analysis in which the barrier-metric provides an oracle-free curvature scale near the moving lower centers. This leads to barrier-aware schedules that keep the iterates inside locally well-behaved regions. For the barrier-smoothed objective, we prove stationarity rates of $\widetilde{O}(K^{-2/3})$ in the deterministic setting and $\widetilde{O}(K^{-2/5})$ under upper-level-only bounded stochastic noise after $K$ outer iterations, together with quantitative bias control as the barrier parameter decreases.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  2. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11473unread

    TOPPO: Rethinking PPO for Multi-Task Reinforcement Learning with Critic Balancing

    Yuanpeng Li, Gefei Lin, Annie Qu, Rui Miao · 2026-05-13

    The authors diagnose why Proximal Policy Optimization (PPO) underperforms in multi-task reinforcement learning: the critic (value function) side has gradient ill-conditioning, meaning easy tasks dominate updates and hard "tail" tasks stall. They propose TOPPO, which adds "Critic Balancing" modules to fix gradient conditioning and balance learning dynamics across tasks, achieving better mean and tail-task performance than SAC-based methods on Meta-World+ while using fewer parameters and environment steps. **Main takeaways:** - PPO struggles in multi-task RL because critic-side gradients are ill-conditioned: easy tasks dominate value updates, starving hard tasks. - TOPPO reformulates PPO with modules that improve gradient conditioning and balance learning across tasks. - It matches or beats strong SAC baselines early in training and maintains superior performance at full training budget. - Uses substantially fewer parameters and environment steps than SAC-family and ARS-family baselines. - Demonstrates that on-policy methods can rival off-policy approaches in multi-task RL with proper optimization fixes.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, issue, base, under, baseline, on-policy, look. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11473v1 Announce Type: cross Abstract: Soft Actor-Critic (SAC) and its variants dominate Multi-Task Reinforcement Learning (MTRL) due to their off-policy sample efficiency, while on-policy methods such as Proximal Policy Optimization (PPO) remain underexplored. We diagnose that PPO in MTRL suffers from a previously overlooked issue: critic-side gradient ill-conditioning, which may cause tail tasks to stall while easy tasks dominate the value function's updates. To address this, we propose TOPPO (Tail-Optimized PPO), a reformulation of PPO via Critic Balancing -- a set of modules that improve gradient conditioning and balance learning dynamics across tasks. Unlike prior approaches that rely on modular architectures or large models, TOPPO targets the optimization bottleneck within PPO itself. Empirically, TOPPO achieves stronger mean and tail-task performance than published SAC-family and ARS-family baselines while using substantially fewer parameters and environment steps on Meta-World+ benchmark. Notably, TOPPO matches or surpasses strong SAC baselines early in training and maintains superior performance at full budget. Ablations confirm the effectiveness of each module in TOPPO and provide insights into their interactions. Our results demonstrate that, with proper optimization, on-policy methods can rival or exceed off-policy approaches in MTRL, challenging the prevailing reliance on SAC and highlighting critic-side gradient conditioning as the central bottleneck.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  3. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11362unread

    Causal Fairness for Survival Analysis

    Drago Plecko · 2026-05-13

    The authors develop a causal framework for fairness in survival/time-to-event analysis, moving beyond statistical fairness definitions to decompose disparities in survival into direct, indirect, and spurious causal pathways. Their non-parametric approach recovers conditional survival functions, applies the "Causal Reduction Theorem" to enable pathway decomposition, and estimates effects efficiently, providing human-understandable explanations of why disparities arise and evolve over time. **Main takeaways:** - Existing fair ML work on survival analysis uses statistical fairness definitions that can't disentangle causal mechanisms even with unlimited data. - The framework decomposes survival disparities into direct, indirect, and spurious pathways, explaining why disparities arise. - Proceeds in four steps: formalizing censoring/confounding assumptions graphically, recovering conditional survival functions, applying the Causal Reduction Theorem, and estimating effects. - Applied to analyze racial disparities in ICU outcomes over time. - Provides temporal evolution of disparities, not just static snapshots.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, same, under, predict. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11362v1 Announce Type: cross Abstract: In the data-driven era, large-scale datasets are routinely collected and analyzed using machine learning (ML) and artificial intelligence (AI) to inform decisions in high-stakes domains such as healthcare, employment, and criminal justice, raising concerns about the fairness behavior of these systems. Existing works in fair ML cover tasks such as bias detection, fair prediction, and fair decision-making, but largely focus on static settings. At the same time, fairness in temporal contexts, particularly survival/time-to-event (TTE) analysis, remains relatively underexplored, with current approaches to fair survival analysis adopting statistical fairness definitions, which, even with unlimited data, cannot disentangle the causal mechanisms that generate disparities. To address this gap, we develop a causal framework for fairness in TTE analysis, enabling the decomposition of disparities in survival into contributions from direct, indirect, and spurious pathways. This provides a human-understandable explanation of why disparities arise and how they evolve over time. Our non-parametric approach proceeds in four steps: (1) formalizing the necessary assumptions about censoring and lack of confounding using a graphical model; (2) recovering the conditional survival function given covariates; (3) applying the Causal Reduction Theorem to reframe the problem in a form amenable to causal pathway decomposition; (4) estimating the effects efficiently. Finally, our approach is used to analyze the temporal evolution of racial disparities in outcome after admission to an intensive care unit (ICU).

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, confound.

  4. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11324unread

    $\varepsilon$-Good Action Identification in Fixed-Budget Monte Carlo Tree Search

    Yinan Li, Tuan Nguyen, Kwang-Sung Jun · 2026-05-13

    The authors study fixed-budget action identification in depth-2 max-min trees (a special case of Monte Carlo Tree Search), where a learner allocates T samples to leaves and recommends a subtree whose minimum leaf value is largest. They focus on ε-good identification (any subtree within ε of optimal is acceptable) and propose an ε-agnostic algorithm that doesn't require ε as input but achieves instance-dependent error bounds for every meaningful ε, with misidentification probability decaying exponentially in T. **Main takeaways:** - The algorithm works without knowing ε (the acceptable approximation gap) ahead of time, yet achieves good bounds for every meaningful ε. - Misidentification probability decays as exp(-Θ(T/H₂(ε))), where H₂(ε) captures both cross-subtree and within-subtree gaps. - When each subtree has a single leaf, the problem reduces to standard best-arm identification, and the analysis recovers known guarantees for halving-style methods. - Max-min identification has a different hardness structure from standard K-armed bandits. - First provable fixed-budget algorithmic guarantee for max-min action identification.

    Read next because overlaps with experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)", experiment "Cosine and JS divergence over base-model outputs predict where non-persona [ZLT] triggers leak on Qwen2.5-7B-Instruct (MODERATE confidence)", experiment "Factor screen for marker implantation + leakage (2^4: length-location, persona-presence, on-policy, marker-only-loss)". Matching terms: both, where, factor, does, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11324v1 Announce Type: cross Abstract: We study the fixed-budget max-min action identification problem in depth-2 max-min trees, an important special case of Monte Carlo Tree Search. A learner sequentially allocates $T$ samples to leaves and then recommends a subtree whose minimum leaf value is largest. Motivated by approximate planning, we focus on $\varepsilon$-good subtree identification, where any subtree whose min value is within $\varepsilon$ of the optimal maximin value is acceptable. Our main contribution is an $\varepsilon$-agnostic algorithm: it does not require $\varepsilon$ as input, but achieves instance-dependent error bounds for every meaningful $\varepsilon$. We show that the misidentification probability decays as $\exp(-\widetilde{\Theta}(T/H_2(\varepsilon)))$, where $H_2(\varepsilon)$ captures both cross-subtree and within-subtree gaps. When each subtree has a single leaf, the problem reduces to standard fixed-budget best-arm identification, and our analysis recovers, up to accelerating factors, known $\varepsilon$-good guarantees for halving-style methods while giving a new $\varepsilon$-good guarantee for Successive Rejects. On the lower-bound side, we provide complementary positive and negative results showing that max-min identification has a different hardness structure from standard $K$-armed bandits. To our knowledge, this is the first provable fixed-budget algorithmic guarantee for max-min action identification.

    Potential threat/caveat for experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)": this item discusses negative.

  5. score 100arxiv stat.ML (Machine Learning)arxiv:2605.12410unread

    Model-based Bootstrap of Controlled Markov Chains

    Ziwei Su, Imon Banerjee, Diego Klabjan · 2026-05-13

    The authors develop a bootstrap method for estimating uncertainty in finite-state Markov chains with control (important for offline reinforcement learning when you don't know the data-collection policy). Classical bootstrap theory assumes fixed distributions, but in RL the policy can be nonstationary or history-dependent. They prove the bootstrap transition estimator is distributionally consistent in both single-trajectory and episodic settings, using a novel bootstrap law of large numbers for state visitation counts and a martingale central limit theorem for transition increments. This consistency extends to downstream tasks like policy evaluation and optimal policy recovery, yielding valid confidence intervals. **Main takeaways:** - Standard bootstrap theory doesn't cover controlled Markov chains with unknown, possibly nonstationary behavior policies (common in offline RL) - The authors prove bootstrap distributional consistency for transition probabilities in both long-chain and episodic regimes - Key tools: a bootstrap LLN for visitation counts and a martingale CLT for transition increments - The method extends to policy evaluation and optimal policy recovery via the delta method, giving asymptotically valid confidence intervals - Experiments show the bootstrap CIs often achieve nominal coverage and outperform plug-in CLT and episodic bootstrap baselines

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, base, length, baseline, both, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12410v1 Announce Type: new Abstract: We propose and analyze a model-based bootstrap for transition kernels in finite controlled Markov chains (CMCs) with possibly nonstationary or history-dependent control policies, a setting that arises naturally in offline reinforcement learning (RL) when the behavior policy generating the data is unknown. We establish distributional consistency of the bootstrap transition estimator in both a single long-chain regime and the episodic offline RL regime. The key technical tools are a novel bootstrap law of large numbers (LLN) for the visitation counts and a novel use of the martingale central limit theorem (CLT) for the bootstrap transition increments. We extend bootstrap distributional consistency to the downstream targets of offline policy evaluation (OPE) and optimal policy recovery (OPR) via the delta method by verifying Hadamard differentiability of the Bellman operators, yielding asymptotically valid confidence intervals for value and $Q$-functions. Experiments on the RiverSwim problem show that the proposed bootstrap confidence intervals (CIs), especially the percentile CIs, outperform the episodic bootstrap and plug-in CLT CIs, and are often close to nominal ($50\%$, $90\%$, $95\%$) coverage, while the baselines are poorly calibrated at small sample sizes and short episode lengths.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  6. score 100arxiv stat.ML (Machine Learning)arxiv:2605.12190unread

    Information-Theoretic Generalization Bounds for Sequential Decision Making

    Futoshi Futami, Masahiro Fujisawa · 2026-05-13

    The authors extend information-theoretic generalization bounds—a tool for understanding when learning algorithms will generalize from training to test data—to sequential decision-making settings like online learning and bandits. Previous bounds assumed data arrived all at once in a fixed batch, but here the learner sees data one piece at a time and adapts its strategy along the way. They show that under a "row-wise exchangeability" assumption (a technical condition meaning you can shuffle certain groups of data), the gap between training and test performance is controlled by a sum of information terms measuring how much each round's selection rule reveals about the loss. **Main takeaways:** - Existing generalization theory assumed batch i.i.d. data; this work handles sequential, adaptive settings (online learning, bandits, streaming active learning). - The key technical move is a "sequential supersample" framework that separates the learner's own evolving data from a proof-side construction used for analysis. - Generalization error is bounded by "sequential conditional mutual information"—roughly, a sum over rounds of how much information the selection rule leaks about the loss. - They also derive a Bernstein-type bound that gives faster convergence rates when the variance is low. - The framework applies to online learning, importance-weighted streaming active learning, and stochastic multi-armed bandits.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, base, under, where, along. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.12190v1 Announce Type: new Abstract: Information-theoretic generalization bounds based on the supersample construction are a central tool for algorithm-dependent generalization analysis in the batch i.i.d.~setting. However, existing supersample conditional mutual information (CMI) bounds do not directly apply to sequential decision-making problems such as online learning, streaming active learning, and bandits, where data are revealed adaptively and the learner evolves along a causal trajectory. To address this limitation, we develop a sequential supersample framework that separates the learner filtration from a proof-side enlargement used for ghost-coordinate comparisons. Under a row-wise exchangeability assumption, the sequential generalization gap is controlled by sequential CMI, a sum of roundwise selector--loss information terms. We also establish a Bernstein-type refinement that yields faster rates under suitable variance conditions. The selector-SCMI proof strategy applies to online learning, streaming active learning with importance weighting, and stochastic multi-armed bandits.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation.

  7. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11607unread

    Exact Stiefel Optimization for Probabilistic PLS: Closed-Form Updates, Error Bounds, and Calibrated Uncertainty

    Haoran Hu, Xingce Wang · 2026-05-13

    The authors improve probabilistic partial least squares (PPLS)—a likelihood-based method for two-view learning (e.g., linking gene expression and clinical outcomes) that produces interpretable latent factors and calibrated uncertainty. Existing fitting methods couple noise and signal in awkward ways and struggle with orthogonality constraints; this paper separates noise estimation from signal estimation, replaces penalty-based constraint handling with exact optimization on the Stiefel manifold (the space of orthonormal matrices), and provides closed-form standard errors. The result is better-calibrated uncertainty and improved prediction, especially in high-noise settings. **Main takeaways:** - PPLS is a probabilistic model for two-view learning (e.g., multi-omics data) that jointly estimates latent factors and their uncertainty. - Previous methods entangled noise and signal estimation and used awkward penalty methods for orthogonality constraints. - This paper pre-estimates noise in a separate subspace, then optimizes the likelihood exactly on the Stiefel manifold (the space of orthonormal matrices). - The noise-subspace estimator achieves a signal-strength-independent finite-sample rate and matches a minimax lower bound; the old full-spectrum estimator is provably inconsistent. - Experiments on TCGA-BRCA and PBMC CITE-seq show near-nominal coverage without recalibration, Ridge-level accuracy at rank 3, and better stability than competing methods.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, trained, same, under, both, space, predict. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11607v1 Announce Type: new Abstract: Probabilistic partial least squares (PPLS) is a central likelihood-based model for two-view learning when one needs both interpretable latent factors and calibrated uncertainty. Building on the identifiable parameterization of Bouhaddani et al.\ (2018), existing fitting pipelines still face two practical bottlenecks: noise--signal coupling under joint EM/ECM updates and nontrivial handling of orthogonality constraints. Following the fixed-noise scalar-likelihood line of Hu et al.\ (2025), we develop an end-to-end framework that combines noise pre-estimation, constrained likelihood optimization, and prediction calibration in one pipeline. Relative to Hu et al.\ (2025), we replace full-spectrum noise averaging with noise-subspace estimation and replace interior-point penalty handling with exact Stiefel-manifold optimization. The noise-subspace estimator attains a signal-strength-independent leading finite-sample rate and matches a minimax lower bound, while the full-spectrum estimator is shown to be inconsistent under the same model. We further extend the framework to sub-Gaussian settings via optional Gaussianization and provide closed-form standard errors through a block-structured Fisher analysis. Across synthetic high-noise settings and two multi-omics benchmarks (TCGA-BRCA and PBMC CITE-seq), the method achieves near-nominal coverage without post-hoc recalibration, reaches Ridge-level point accuracy on TCGA-BRCA at rank $r=3$, matches or exceeds PO2PLS on cross-view prediction while providing native calibrated uncertainty, and improves stability of parameter recovery.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  8. score 100arxiv stat.ML (Machine Learning)arxiv:2605.11511unread

    Post-ADC Inference: Valid Inference After Active Data Collection

    Shuichi Nishino, Tomohiro Shiraishi, Teruyuki Katsuoka, Ichiro Takeuchi · 2026-05-13

    The authors develop a framework for valid statistical inference when data are collected via active data collection (ADC)—e.g., Bayesian optimization or sequential model-based optimization—and then reused for a post-hoc inferential task (like testing whether a discovered setting is truly optimal). Standard inference fails because ADC preferentially samples regions the algorithm thinks are good, creating adaptive bias. The "post-ADC inference" framework corrects for both the bias from adaptive data collection and the bias from constructing the inferential target in a data-dependent way, providing valid p-values and confidence intervals. **Main takeaways:** - Active data collection (e.g., Bayesian optimization) adaptively biases sampling toward promising regions, breaking standard statistical inference. - Standard p-values and confidence intervals are invalid when you reuse ADC data for post-hoc inference (e.g., "is this the true optimum?"). - Post-ADC inference corrects for both the adaptive sampling bias and the data-dependent construction of the inferential target. - The method builds on selective inference and applies to a broad class of ADC processes (only assumes observation noise, not the black-box function or surrogate model). - Empirical results show valid inference for data collected by GP-UCB and tree-structured Parzen estimator (TPE) with correct coverage.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, eval, base, source, under, both, fail. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11511v1 Announce Type: new Abstract: The validity of statistical inference depends critically on how data are collected. When data gathered through active data collection (ADC) are reused for a post-hoc inferential task, conventional inference can fail because the sampling is adaptively biased toward regions favored by the collection strategy. This issue is especially pronounced in black-box optimization, where sequential model-based optimization (SMBO) methods such as the tree-structured Parzen estimator (TPE) and Gaussian process upper confidence bound (GP-UCB) preferentially concentrate evaluations in promising regions. We study statistical inference on actively collected data when the inferential target is constructed in a data-dependent manner after data collection. To enable valid inference in this setting, we propose post-ADC inference, a framework that accounts for the biases arising from both the active data collection process and the subsequent data-driven target construction. Our method builds on selective inference and provides valid $p$-values and confidence intervals that correct for both sources of bias. The framework applies to a broad class of ADC processes by imposing only assumptions on the observation noise, without requiring any assumptions on the underlying black-box function or the surrogate model used by the SMBO algorithm. Empirical results also show that post-ADC inference provides valid inference for data collected by GP-UCB and TPE.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, evaluation.

  9. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11664unread

    Safety Context Injection: Inference-Time Safety Alignment via Static Filtering and Agentic Analysis

    Zhenhao Xu, Wenhan Chang, Yichuan Chen, Yuxin Fang, Junhao Liu, Tianqing Zhu · 2026-05-13

    The authors propose Safety Context Injection (SCI), an inference-time safety framework for black-box reasoning models where you can't modify weights. SCI separates safety assessment from generation: an external module produces a structured risk report (the "safety context"), which is prepended to the user's prompt for the protected model. Two variants are offered—Static Model Filtering (SMF) for fast one-pass guarding, and Dynamic Agents Filtering (DAF), an iterative agentic loop that gathers and synthesizes evidence for ambiguous or long-context jailbreaks. Both variants reduce attack success rate and toxicity on AdvBench and GPTFuzz across base and reasoning models under five jailbreak families. **Main takeaways:** - Addresses the "thinking–output gap" where a reasoning model appears cautious during chain-of-thought but still emits an unsafe final answer - Static Model Filtering (SMF) is a lightweight one-pass guard for low-latency deployment - Dynamic Agents Filtering (DAF) uses an agentic loop to iteratively gather evidence, effective when harmful intent is disguised or dispersed across long contexts - Evaluated on AdvBench and GPTFuzz under five jailbreak families (base and reasoning models); both variants lower attack success rate and toxicity - Operates at inference time in black-box settings, injecting an external safety report as context rather than retraining

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, parent, output, long, eval, base, under, both. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11664v1 Announce Type: new Abstract: Large Reasoning Models (LRMs) improve performance on complex tasks, but they also make safety control harder at deployment time. In black-box settings, defenders cannot modify model weights and must instead intervene at inference time. This setting creates three practical challenges: harmful intent may be hidden by educational or role-play framing, deep safety analysis can introduce non-trivial latency, and long adversarial contexts can dilute the local cues that simpler filters rely on. These challenges can expose an apparent thinking--output gap, where the model appears cautious during reasoning but still produces an unsafe final answer. To address this problem, we propose Safety Context Injection (SCI), an inference-time framework that separates safety assessment from task generation and prepends a structured external risk report as injected safety context for the protected model. The framework is instantiated in two complementary variants: Static Model Filtering (SMF), a lightweight one-pass guard for fast deployment, and Dynamic Agents Filtering (DAF), an agentic-loop-based analyzer that iteratively gathers and synthesizes evidence for ambiguous or long-context attacks. Across AdvBench and GPTFuzz, spanning base and reasoning models under five jailbreak families, both variants reduce attack success rate and toxicity in the evaluated settings. SMF offers an efficient low-latency option, while DAF is more effective when harmful intent is semantically disguised or dispersed across long contexts.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial.

  10. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11653unread

    Every Bit, Everywhere, All at Once: A Binomial Multibit LLM Watermark

    Thibaud Gloaguen, Robin Staab, Mark Vero, Martin Vechev · 2026-05-13

    The authors introduce a new multibit watermarking scheme for LLMs that encodes every bit of the payload at every token position using binomial encoding, paired with a stateful encoder that dynamically shifts encoding pressure toward underencoded bits during generation. Evaluated against 8 baselines on payloads up to 64 bits, the scheme achieves superior message accuracy and robustness, with the gap widening in large-payload and low-distortion settings. The paper also critiques prior evaluation metrics and proposes per-bit confidence scoring as a practically relevant alternative. **Main takeaways:** - Encodes every bit of the payload (e.g., user ID, timestamp) at every token, rather than spreading bits across the sequence - Uses a stateful encoder that tracks which bits are underrepresented and redirects encoding effort on the fly - Outperforms 8 baselines in message accuracy and robustness, especially for large payloads (up to 64 bits) and low-distortion regimes - Challenges existing evaluation metrics as lacking practical insight; introduces per-bit confidence scoring - Already deployed commercially, so practical multibit watermarks are a real-world concern

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, same, token, under, baseline. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11653v1 Announce Type: new Abstract: With LLM watermarking already being deployed commercially, practical applications increasingly require multibit watermarks that encode more complex payloads, such as user IDs or timestamps, into the generated text. In this work, we propose a fundamentally new approach for multibit watermarking: introducing binomial encoding to directly encode every bit of the payload at every token position. We complement our approach with a stateful encoder that during generation dynamically redirects encoding pressure toward underencoded bits. Our evaluation against 8 baselines on up to 64-bit payloads shows that our scheme achieves superior message accuracy and robustness, with the gap to baseline methods widening in more relevant settings (i.e., large payloads and low-distortion regimes). At the same time, we challenge prior works' evaluation metrics, highlighting their lack of practical insights, and introduce per-bit confidence scoring as a practically relevant metric for evaluating multibit LLM watermarks.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, evaluation.

  11. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11619unread

    PhishSigma++: Malicious Email Detection with Typed Entity Relations

    Shang Shang, Ruiqi Wang, Ruijie Qi, Hao Li, Yingxiao Xiang, Yepeng Yao, Zhengwei Jiang · 2026-05-13

    The authors built PhishSigma++, a phishing-email detector that extracts 40 typed entity classes (e.g., sender domain, URLs, attachments) and 5 cross-type relations to form a typed email graph, then uses particle-swarm optimization to select a sparse discriminative relation mask for classification and evidence summarization. On 29,142 RFC822 messages, it achieves 0.9675 F1 on clean data and maintains 0.9579 F1 under non-adaptive "Good Word" padding attacks (ρ=0.8), while token-based Bayesian and DistilBERT baselines collapse to 0.0243 and 0.7284 F1 respectively. The method generalizes hand-crafted Sigma rules by learning which entity relations are discriminative from data. **Main takeaways:** - Focuses on invariant typed-entity relations (sender–URL, attachment–text) rather than mutable surface text, making it robust to adversarial text insertion - Extracts 40 entity types and 5 cross-type relations to build a typed email graph; PSO selects a sparse discriminative mask - Achieves 0.9675 F1 on clean phishing vs. ham; under Good Word padding (ρ=0.8) maintains 0.9579 F1 while text baselines collapse - Compared to traditional Sigma rules (hand-written field conditions), PhishSigma++ offers higher detection, broader relational coverage, and data-driven feature selection - Thresholded typed-relation scores encode a useful fragment of Sigma-style field conditions, unifying hand-crafted and learned approaches

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: rate, base, system, token, under, collapse, baseline, core. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11619v1 Announce Type: new Abstract: Here is a further shortened version (pure text, no extra formatting, academic style preserved, no content change): Abstract. With the rise of AI-generated content (AIGC), phishing actors now possess richer linguistic capabilities and evasion techniques. Most existing detectors over-rely on mutable textual features, achieving high accuracy on clean data but degrading severely under text-focused adversarial manipulation. This mirrors the lab-to-real performance gap. We investigate invariant signals in phishing emails: even when attackers modify surface text, functional intent constrains relations among typed entities. Threat-actor tradecraft is described via high-level TTPs, but rule-based systems like Sigma express invariants only through manually curated, field-specific patterns, limiting flexibility. We introduce PhishSigma++, an entity-relation-based malicious email detector for RFC822 messages that generalizes Sigma's design. It extracts 40 typed entity classes, computes 5 cross-type relations to build a typed email graph, and uses particle swarm optimization (PSO) to select a sparse discriminative mask, supporting classification and type-level evidence summary. On 29,142 messages, PhishSigma++ achieves 0.9675 F1 on clean data and outperforms text-centric baselines under non-adaptive Good Word padding at \r{ho}=0.8. It maintains 0.9579 F1, while a token-based Bayesian filter collapses to 0.0243 and a DistilBERT phishing checkpoint falls to 0.7284. Compared with traditional Sigma rules, PhishSigma++ offers higher detection, broader relational invariance coverage, and data-driven feature selection. We also show that thresholded typed relation scores encode a useful fragment of Sigma-style field conditions, unifying hand-crafted rule logic and learned relation masks in a single-email framework.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial.

  12. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11514unread

    FlowSteer: Prompt-Only Workflow Steering Exposes Planning-Time Vulnerabilities in Multi-Agent LLM Systems

    Fanxiao Li, Jiaying Wu, Tingchao Fu, Natasha Jaques, Wei Zhou, Min-Yen Kan · 2026-05-13

    The authors show that multi-agent LLM systems with planner-executor architectures are vulnerable to *workflow steering* attacks: adversaries can craft prompts that manipulate how the planner organizes subtasks, roles, and routing paths, amplifying malicious signals through the agent network. They introduce FlowSteer, a prompt-only attack that achieves up to 55% higher attack success by positioning malicious content in influential workflow slots and exploiting sycophantic (overly-agreeable) downstream behavior, plus FlowGuard, an input-side defense that reduces attack success by up to 34%. **Main takeaways:** - Multi-agent planners that convert prompts into workflows create a new attack surface: adversaries can shape agent coordination structures through carefully crafted inputs alone, without touching infrastructure. - Two key vulnerabilities emerge: workflow position amplifies or suppresses malicious signals, and sycophantic framing makes downstream agents more likely to propagate harmful content. - FlowSteer translates these insights into a black-box attack that works across different multi-agent setups and even when the attacker doesn't know the full topology. - Defenses that only inspect the generated workflow (after planning) provide limited protection, because the attack biases the planning signals themselves. - FlowGuard operates on the input side, filtering prompts before they reach the planner, and preserves most benign prompt utility.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, system, where. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11514v1 Announce Type: new Abstract: Multi-agent systems (MAS) powered by large language models (LLMs) increasingly adopt planner--executor architectures, where planners convert prompts into subtasks, roles, dependencies, and routing paths. This flexibility enables adaptive coordination, but exposes an attack surface in workflow formation: prompts can shape agent organization without modifying MAS infrastructure. We study this risk through social influence probing workflows to identify high-impact subtasks and malicious-signal propagation. The analysis reveals two vulnerabilities: workflow position can amplify or suppress a malicious signal, and sycophantic framing makes downstream agents more likely to relay it. We translate these findings into FlowSteer, a prompt-only workflow steering attack that converts vulnerability priors into one crafted prompt. FlowSteer aligns a malicious signal with influential task components and guides replanning toward dependencies that preserve propagation. Experiments show that FlowSteer increases malicious success by up to 55% over naive prompting, transfers across MAS setups, and remains effective with black-box topology inference. As FlowSteer biases the planning signals that generate the workflow, MAS defenses that inspect only the generated workflow provide limited protection. As such, we introduce FlowGuard, an input-side defense that reduces malicious success by up to 34% while preserving prompt utility. Our results position workflow formation as a new safety frontier for multi-agent LLM systems, opening a planning-time security perspective on how agent coordination itself can be attacked and defended.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  13. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11487unread

    Digital Identity for Agentic Systems: Toward a Portable Authorization Standard for Autonomous Agents

    Partha Madhira · 2026-05-13

    This paper proposes a portable authorization standard for autonomous AI agents operating across organizational boundaries. The idea is that identity alone isn't enough—agents need explicit, auditable, revocable authority tokens that specify what they're allowed to do, with constraint algebra and fail-closed semantics. The model separates credential containers (like JWTs or Verifiable Credentials) from the authorization payload itself, enabling consistent enforcement across trust boundaries. **Main takeaways:** - Autonomous enterprise agents need more than identity; they need machine-readable authority scopes that other systems can audit and enforce without human oversight. - Existing identity standards (OAuth, JWTs) don't cleanly express delegation, attenuation (narrowing permissions when passing authority along), or governed semantic resolution. - The proposed model uses typed constraint algebra, decision-consistent evaluation, and fail-closed processing, meaning ambiguous or unverifiable requests are denied by default. - Authority payloads are issuer-authored and portable across different credential formats (JWT, Verifiable Credentials, OAuth RAR). - Use cases include insurance claims and supply chain, where agents negotiate outcomes and execute workflows across organizational boundaries.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, eval, base, trained, system, fail, aims. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11487v1 Announce Type: new Abstract: Enterprise AI is shifting from copilots to autonomous agents capable of executing workflows, negotiating outcomes, and making decisions with limited human oversight. As these systems extend across organizational boundaries, identity alone is insufficient: an agent's authority must also be explicit, constrained, auditable, revocable, and consistently interpretable by independent receivers. This paper analyzes representative enterprise use cases in insurance claims processing and supply chain integrity to surface structural gaps in existing identity and access models. It proposes a portable authorization model for autonomous agents based on issuer-authored authorization payloads, typed constraint algebra, decision-consistent evaluation semantics, delegation attenuation, governed semantic resolution, fail-closed processing, and pre-flight discovery. The model separates credential containers, authorization payload semantics, and enforcement engines, allowing profiles such as JWT/JWS, Verifiable Credentials, OAuth Rich Authorization Requests, or policy-engine bindings to preserve a common authorization meaning across trust boundaries.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  14. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11268unread

    Context-Aware Spear Phishing: Generative AI-Enabled Attacks Against Individuals via Public Social Media Data

    Elham Pourabbas Vafa, Sayak Saha Roy, Shirin Nilizadeh · 2026-05-13

    The authors demonstrate how generative AI can scrape public social-media data to automate highly personalized spear-phishing attacks. Their framework extracts interests and communication styles from minimal public activity, then instantiates seven attack strategies (baiting, scareware, honey trap, tailgating, impersonation, quid pro quo, emotional exploitation). Large-scale evaluation and a user study show LLM-generated phishing emails consistently outperform real-world phishing corpus emails across eight criteria, eliciting lower suspicion. They also measure existing proactive defenses (prompt-level safeguards, policy-augmented models, chain-of-thought moderation) and find they struggle with contextualized, adaptive attacks. **Main takeaways:** - Generative AI plus public social-media data enables automated, scalable, highly personalized spear-phishing with minimal attacker effort. - The framework combines multimodal signal extraction (interests, context cues), communication-style profiling, and attack-type instantiation across seven strategies. - Generated phishing emails exhibit higher personalization, contextual grounding, and persuasive leverage than real-world phishing corpus (APWG eCrimeX). - A user study confirms LLM-generated attacks consistently outperform real phishing emails across eight dimensions and elicit lower suspicion. - Existing prompt-level defenses, including adaptive mechanisms and chain-of-thought moderation, struggle with contextualized abuse at scale, underscoring the need for platform-level safeguards.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, recipient, persona, eval, prompt, system, under, extraction. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11268v1 Announce Type: new Abstract: We demonstrate how publicly available social-media data and generative AI (GenAI) can be misused to automate and scale highly personalized, context-aware spear-phishing campaigns. With minimal attacker effort, a small amount of public activity per target is sufficient for GenAI models to extract interests and contextual cues, producing persuasive messages that mirror a target's style while bypassing generic content-moderation safeguards. We introduce a modular framework that combines multimodal signal extraction, communication-style profiling, and attack-type instantiation across seven strategies (baiting, scareware, honey trap, tailgating, impersonation, quid pro quo, and personalized emotional exploitation). We conduct a large-scale, multi-model evaluation covering thousands of generated emails and eight security-relevant criteria, benchmarking against a corpus of real-world phishing messages. The GenAI-produced emails exhibit markedly higher personalization, contextual grounding, and persuasive leverage. Importantly, a complementary user study corroborates these results, revealing that LLM-generated attacks consistently outperform APWG eCrimeX emails across eight dimensions while eliciting lower suspicion among human recipients. Finally, we measure and analyze the behavior of existing proactive, prompt-level defense mechanisms, which incorporate adaptive mechanisms, as well as two complementary defense approaches-policy-augmented SOTA safeguard models and system-instruction chain-of-thought moderation. We document how these defenses respond to contextualized and adaptive attack prompts, underscoring the need for platform-level safeguards that explicitly account for contextualized abuse at scale.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  15. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11229unread

    Comment and Control: Hijacking Agentic Workflows via Context-Grounded Evolution

    Neil Fendley, Zhengyu Liu, Aonan Guan, Jiacheng Zhong, Yinzhi Cao · 2026-05-13

    The authors introduce JAW, the first framework to detect and exploit vulnerabilities in agentic workflows (like GitHub Actions and n8n) by hijacking LLM agents via adversarially crafted inputs (e.g., GitHub issue comments). Their novel *Context-Grounded Evolution* approach evolves inputs under contexts derived from hybrid program analysis: static path-feasibility analysis (identifying feasible agent-invocation paths), dynamic prompt-provenance analysis (tracking how inputs are embedded into LLM context), and capability analysis (identifying agent actions and restrictions). They show 4,714 GitHub workflows and 8 n8n templates can be hijacked for credential exfiltration and arbitrary command execution. **Main takeaways:** - Agentic workflows integrate LLMs into automation platforms (GitHub Actions, n8n), exposing a new attack surface: adversaries can craft inputs (e.g., issue comments) to manipulate the LLM agent. - JAW uses Context-Grounded Evolution, which evolves agentic workflow inputs under contexts derived from three analyses: static path-feasibility, dynamic prompt-provenance, and capability analysis. - Static path-feasibility analysis identifies feasible agent-invocation paths and the input constraints needed to trigger them. - Dynamic prompt-provenance analysis tracks how adversarial input is transformed and embedded into the LLM's context window. - Evaluation shows 4,714 GitHub workflows and 8 n8n templates can be hijacked, including official Actions for Claude Code, Gemini CLI, Qwen CLI, and Cursor CLI.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, issue, github, eval, prompt, anth, anthropic. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11229v1 Announce Type: new Abstract: Automation platforms such as GitHub Actions and n8n are increasingly adopting so-called agentic workflows, which integrate Large Language Model (LLM) agents for tasks such as code review and data synchronization. While bringing convenience for developers, this integration exposes a new risk: An adversary may control and craft certain inputs, such as GitHub issue comments, to manipulate the LLM agent for unwanted actions, such as credential exfiltration and arbitrary command execution. To our knowledge, no prior academic work has studied such a risk in agentic workflows. In this paper, we design the first detection and exploitation framework, called JAW, to hijack agentic workflows hosted on automation platforms via a novel approach called Context-Grounded Evolution. Our key idea is to evolve agentic workflow inputs under the contexts derived from hybrid program analysis for hijacking purposes. Specifically, JAW generates agentic workflow contexts through three analyses: (i) static path-feasibility analysis to identify feasible agent-invocation paths and the input constraints required to trigger them, (ii) dynamic prompt-provenance analysis to determine how that input is transformed and embedded into the LLM context, and (iii) capability analysis to identify the actions and restrictions available to the agent at runtime. Our evaluation of JAW on GitHub workflows and n8n templates showed that 4714 GitHub workflows and eight n8n templates can be successfully hijacked, for example, to leak user credentials. Our findings span 15 widely-used GitHub Actions, including official GitHub Actions for Claude Code, Gemini CLI, Qwen CLI, and Cursor CLI, and two official n8n nodes. We responsibly disclosed all findings to the affected vendors and received many acknowledgements, fixes, and bug bounties, notably from GitHub, Google, and Anthropic.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  16. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11202unread

    Continuous Discovery of Vulnerabilities in LLM Serving Systems with Fuzzing

    Yunze Zhao, Yibo Zhao, Yuchen Zhang, Zaoxing Liu, Michelle L. Mazurek · 2026-05-13

    The authors present GRIEF, a greybox fuzzer for LLM inference engines (vLLM, SGLang) that treats timed multi-request traces as first-class inputs. GRIEF targets serving-layer failures (KV-cache isolation, cross-request interference, scheduling bugs) that emerge only under realistic concurrent workloads and are missed by model or API tests. Using lightweight oracles and controlled replay with log-probability checks, GRIEF discovers 15 vulnerabilities across vLLM and SGLang, including 2 CVEs, spanning KV-cache isolation failures, cross-request performance interference, and crash/liveness bugs. **Main takeaways:** - Modern LLM serving systems (vLLM, SGLang) use shared state (KV cache, prefix sharing, batching, multi-tenant scheduling) that creates concurrency bugs missed by standard model or API tests. - GRIEF treats timed multi-request traces as inputs, fuzzing the serving layer rather than individual prompts or model behavior. - Lightweight oracles detect crashes, hangs, performance pathologies (e.g., noisy-neighbor denial of service), and silent output corruption. - Controlled replay with log-probability checks confirms reproducible serving-layer failures (e.g., cross-request contamination where one request's KV cache leaks into another's output). - Early campaigns on vLLM and SGLang discovered 15 vulnerabilities (10 confirmed by developers, 2 CVEs), including KV-cache isolation failures, cross-request performance interference, and delayed crashes.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: output, system, under, fail. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11202v1 Announce Type: new Abstract: LLM inference and serving systems have become security-critical infrastructure; however, many of their most concerning failures arise from the serving layer rather than from model behavior alone. Modern inference engines combine KV cache, batching, prefix sharing, speculative decoding, adapters, and multi-tenant scheduling, creating shared-state behavior that only emerges under realistic concurrent workloads and is missed by standard model, safety, and API tests. We present GRIEF, a greybox fuzzer for LLM inference engines that treats timed multi-request traces as first-class inputs, uses lightweight oracles to detect crashes, hangs, performance pathologies, and silent output corruption, and applies controlled replay with log-probability checks to confirm reproducible serving-layer failures. Across early campaigns on vLLM and SGLang, GRIEF discovers 15 vulnerabilities, 10 confirmed by engine developers, including 2 CVEs, spanning KV-cache isolation failures, cross-request performance interference, and crash or liveness bugs. These results show that concurrency, caching, and state reuse can induce silent cross-request contamination, noisy-neighbor denial of service, and delayed crashes without malformed inputs or explicit server errors, making concurrent serving behavior a first-class security and reliability boundary for LLM infrastructure.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses failure, failures.

  17. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11188unread

    Adversarial SQL Injection Generation with LLM-Based Architectures

    Ali Karakoc, H. Birkan Yilmaz · 2026-05-13

    The authors built two LLM-based systems (RADAGAS and RefleXQLi) that automatically generate adversarial SQL injection attacks to test web application firewalls (WAFs). They ran 240 experiments producing 240,000 attack payloads and tested them against 10 different WAFs including rule-based, AI/ML-based, and commercial systems using GPT-4o, Claude, and DeepSeek as the attack generators. **Main takeaways:** - RADAGAS-GPT4o achieved a 22.73% bypass rate overall and was especially effective against AI/ML-based WAFs (92% on WAF-Brain, 80% on CNN-WAF) but struggled with rule-based WAFs (0-6% on ModSecurity/Coraza) - Less diverse payload generation actually achieved more bypasses, though this strategy fails completely if the initial payload doesn't work - LLM-generated attacks can automatically probe defense mechanisms at scale, turning adversarial testing into a largely automated process - Commercial WAFs like AWS and Cloudflare were tested but specific bypass rates weren't highlighted in the abstract

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, fire, eval, base, system, source, baseline, project. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11188v1 Announce Type: new Abstract: SQL injection (SQLi) attacks are still one of the serious attacks ranked in the Open Worldwide Application Security Project (OWASP) Top 10 threats. Today, with advances in Artificial Intelligence (AI), especially in Large Language Models (LLMs), an opportunity has been created for automating adversarial attack tests to measure the defense mechanisms. In this paper, we aim to create a comprehensive evaluation of use cases that utilize LLMs for adversarial SQL injection generation. We introduce two novel LLM-based systems, Retrieval Augmented Generation for Adversarial SQLi (RADAGAS) and Reflective Chain-of-Thought SQLi (RefleXQLi), and compare them with existing baselines against 10 Web Application Firewalls (WAFs) and one execution-based MySQL validator. To perform a comprehensive test, we used six rule-based open-source WAFs (ModSecurity PL1--3, Coraza PL1--3), 2 AI/ML-based WAFs (WAF Brain, CNN-WAF), and 2 commercial WAFs (AWS WAF and Cloudflare WAF). For the LLM models, we used GPT-4o, Claude 3.7 Sonnet, and DeepSeek R1. Our tests consist of 240 experiments that generate 240,000 payloads and perform 2.2 million tests against WAFs. Our comprehensive evaluation reveals that RADAGAS-GPT4o outperforms other baseline models with a 22.73\% bypass rate. The proposed RADAGAS variants are highly successful on AI/ML-based WAFs (92.49\% on WAF-Brain by RADAGAS-DeepSeek, 80.48\% on CNN-WAF by RADAGAS-Claude), but struggle to bypass rule-based WAFs (0--5.70\% on ModSecurity and Coraza). In addition to these findings, another observation is that creating less diverse payloads achieves more bypasses, however they show poor results if the initially chosen payload is not successful. We observe that our findings provide a comprehensive view on using LLM-based approaches in security testing.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial, evaluation.

  18. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11163unread

    Benchmarking LLM-Based Static Analysis for Secure Smart Contract Development: Reliability, Limitations, and Potential Hybrid Solutions

    Stefan-Claudiu Susan, Andrei Arusoaie, Dorel Lucanu · 2026-05-13

    The authors evaluated whether LLMs can reliably identify security vulnerabilities in smart contracts (blockchain code) and whether they could replace traditional static-analysis tools. They built an automated framework that achieves 92% accuracy in classifying LLM outputs and found that LLMs suffer from lexical bias—they rely on superficial cues like variable names rather than actual program semantics, leading to high false-positive rates. **Main takeaways:** - LLMs show lexical bias: they flag vulnerabilities based on identifier naming and other surface patterns rather than real semantic analysis - This reliance on non-semantic heuristics produces many false positives when used as autonomous security auditors - There's a precision-recall tradeoff when using different prompting techniques—you can tune for fewer false alarms or better coverage but not both - Current LLMs are better suited as complements to traditional tools rather than replacements for rigorous static analysis

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, prompt, system, under, both, outputs. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11163v1 Announce Type: new Abstract: The irreversible nature of blockchain transactions makes the identification of smart contract vulnerabilities an essential requirement for secure system development. While Large Language Models (LLMs) are increasingly integrated into developer workflows, their reliability as autonomous security auditors remains unproven. We assess whether current generative models are a viable replacement for, or only a complement to, traditional static-analysis tools. Our findings indicate that LLM efficacy is undermined by both inherent lexical bias and a lack of rigorous validation of external data inputs. This reliance on non-semantic heuristics, such as identifier naming, leads to a high frequency of false positives. Furthermore, prompting techniques reveal a trade-off between precision and recall. These results were derived using our custom automated framework, which achieves 92% accuracy in classifying model outputs.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  19. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11122unread

    FedSurrogate: Backdoor Defense in Federated Learning via Layer Criticality and Surrogate Replacement

    Fatima Z. Abacha, Sin G. Teo, Yuanxiang Wu, Lucas C. Cordeiro, Mustafa A. Mustafa · 2026-05-13

    FedSurrogate is a defense against backdoor attacks in federated learning—scenarios where malicious participants try to poison a shared model. Instead of simply removing suspected malicious updates (which causes accuracy loss when honest clients are misidentified), the system replaces confirmed malicious updates with downscaled versions from structurally similar benign clients, preserving useful gradient information while neutralizing the attack. **Main takeaways:** - Achieves below 10% false-positive rate across all datasets, compared to 31-32% for the next-best baseline, meaning it rarely misclassifies honest participants as attackers - Uses layer-adaptive anomaly detection—it focuses on security-critical layers identified through directional divergence analysis rather than examining all parameters equally - Keeps attack success rates below 2.1% while maintaining better main-task accuracy than existing defenses - The bidirectional filtering stage both screens trusted clients for contamination and rescues false positives from the suspect pool

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, identical, benign, under, baseline, space. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11122v1 Announce Type: new Abstract: Federated Learning remains highly susceptible to backdoor attacks--malicious clients inject targeted behaviours into the global model. Existing defenses suffer from substantial false-positive rates under realistic non-independent and identically distributed (non-IID) data, incorrectly flagging benign clients and degrading model accuracy even when adversaries are correctly identified. We present FedSurrogate, a novel backdoor defense that addresses this limitation by combining bidirectional gradient alignment filtering with layer-adaptive anomaly detection. FedSurrogate performs selective clustering on security-critical layers identified via directional divergence analysis, concentrating the detection signal on a low-dimensional subspace. A bidirectional soft-filtering stage screens trusted clients for residual contamination while rescuing false positives from suspects, substantially reducing misclassifications under heterogeneous conditions. Rather than removing confirmed malicious updates, FedSurrogate replaces them with downscaled surrogate updates from structurally similar benign clients, preserving gradient diversity while neutralising adversarial influence. Extensive evaluations demonstrate that FedSurrogate maintains false-positive rates below 10% across all datasets and attack types, compared to 31-32% for the nearest comparably effective baseline, while achieving superior main-task accuracy and maintaining attack success rates below 2.1% across all tested datasets and attack types under challenging non-IID settings.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, adversarial, evaluation.

  20. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11086unread

    ExploitGym: Can AI Agents Turn Security Vulnerabilities into Real Attacks?

    Zhun Wang, Nico Schiller, Hongwei Li, Srijiith Sesha Narayana, Milad Nasr, Nicholas Carlini, Xiangyu Qi, Eric Wallace, Elie Bursztein, Luca Invernizzi, Kurt Thomas, Yan Shoshitaishvili, Wenbo Guo, Jingxuan He, Thorsten Holz, Dawn Song · 2026-05-13

    ExploitGym is a benchmark testing whether AI agents can turn known security vulnerabilities into working exploits—taking a program input that triggers a bug and progressively extending it into code that achieves unauthorized access or execution. The benchmark contains 898 real-world vulnerabilities across userspace programs, V8 JavaScript engine, and Linux kernel, with varying security protections, and finds that frontier models (Claude Mythos Preview and GPT-5.5) successfully exploit 157 and 120 instances respectively. **Main takeaways:** - Exploitation requires low-level reasoning about memory layout, runtime adaptation, and sustained progress over long horizons—it's harder than just detecting vulnerabilities - Even with widely used security defenses enabled, models retain non-trivial success rates at producing working exploits - The benchmark packages all configurations in reproducible containerized environments and varies protections to isolate their impact on agent performance - This represents an under-evaluated but critical capability with dual-use implications—it supports defensive security workflows but also lowers the barrier for offense

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, latin, trigger, long, eval, anth, anthropic, source. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11086v1 Announce Type: new Abstract: AI agents are rapidly gaining capabilities that could significantly reshape cybersecurity, making rigorous evaluation urgent. A critical capability is exploitation: turning a vulnerability, which is not yet an attack, into a concrete security impact, such as unauthorized file access or code execution. Exploitation is a particularly challenging task because it requires low-level program reasoning (e.g., about memory layout), runtime adaptation, and sustained progress over long horizons. Meanwhile, it is inherently dual-use, supporting defensive workflows while lowering the barrier for offense. Despite its importance and diagnostic value, exploitation remains under-evaluated. To address this gap, we introduce ExploitGym, a large-scale, diverse, realistic benchmark on the exploitation capabilities of AI agents. Given a program input that triggers a vulnerability, ExploitGym tasks agents with progressively extending it into a working exploit. The benchmark comprises 898 instances sourced from real-world vulnerabilities across three domains, including userspace programs, Google's V8 JavaScript engine, and the Linux kernel. We vary the security protections applied to each instance, isolating their impact on agent performance. All configurations are packaged in reproducible containerized environments. Our evaluation shows that while exploitation remains challenging, frontier models can successfully exploit a non-trivial fraction of vulnerabilities. For example, the strongest configurations are Anthropic's latest model Claude Mythos Preview and OpenAI's GPT-5.5, which produce working exploits for 157 and 120 instances, respectively. Notably, even with widely used defenses enabled, models retain non-trivial success rates. These results establish ExploitGym as an effective testbed for exploitation and highlight the growing cybersecurity risks posed by increasingly capable AI agents.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  21. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11053unread

    MCPShield: Content-Aware Attack Detection for LLM Agent Tool-Call Traffic

    Sultan Zavrak · 2026-05-13

    MCPShield is an attack-detection system for LLM agent tool-call traffic using the Model Context Protocol. It represents each agent session as a graph (tool calls as nodes, sequential and data-flow links as edges), enriches nodes with sentence embeddings of arguments and responses, and classifies sessions as benign or attacked. The key finding is that content-level features (embeddings of what the agent actually said and received) are essential—metadata alone plateaus around 64% AUROC while content embeddings push it above 89%. **Main takeaways:** - Metadata-only detection (just tracking which tools were called, in what order) achieves only ~64% AUROC regardless of architecture; content embeddings are necessary for good performance - Naive random train-test splits inflate AUROC by up to 26 percentage points compared to task-disjoint splits—a memorization problem that prior agent-detection work hasn't addressed - Tree ensembles on pooled SBERT embeddings reached 97.5% AUROC, outperforming GNNs (91.7%) and MLPs (89.6%) in the primary evaluation - The detection signal lives primarily in the semantic content embeddings, not in the graph structure or tool-call metadata

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: eval, base, source, benign, under, baseline, both, does. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11053v1 Announce Type: new Abstract: The Model Context Protocol (MCP) has become a widely adopted interface for LLM agents to invoke external tools, yet learned monitoring of MCP tool-call traffic remains underexplored. In this article, MCPShield is presented as an attack detection framework for MCP tool-call traffic that encodes each agent session as a graph (tool calls as nodes, sequential and data-flow links as edges), enriches nodes with sentence-embedding features over arguments and responses, and classifies sessions as benign or attacked. Three GNN architectures (GAT, GCN, GraphSAGE), a no-graph MLP, and classical baselines (XGBoost, random forest, logistic regression, linear SVM) are evaluated, with the full architecture comparison conducted on RAS-Eval (task-stratified splits) and GraphSAGE retained as the GNN baseline on ATBench and a combined-source variant (both label-stratified). Three findings emerge. First, content-level features are essential: metadata-only detection plateaus around an AUROC of 0.64 regardless of architecture, while content embeddings push the AUROC above 0.89. Second, naive random-split evaluation inflates AUROC by up to 26 percentage points relative to task-disjoint splits, a memorization confound that prior agent-detection work has not addressed. Third, the detection signal resides primarily in the SBERT content embeddings: an AUROC of 0.975 was reached by tree ensembles on pooled embeddings, performing, for the most part, better than the neural architectures in the primary RAS-Eval setting including GNNs (0.917) and the MLP (0.896), and self-supervised pre-training does not deliver a label-efficiency advantage on this task.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses confound, evaluation.

  22. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11047unread

    Red-Teaming Agent Execution Contexts: Open-World Security Evaluation on OpenClaw

    Hongwei Yao, Yiming Liu, Yiling He, Bingrun Yang · 2026-05-13

    DeepTrap is an automated framework for discovering security vulnerabilities in agent execution contexts—the files, memory, tools, and artifacts an agent operates on, not just the user prompt. It formulates adversarial context manipulation as a trajectory-level optimization problem that balances triggering unsafe behavior, preserving normal task completion, and remaining stealthy. Testing on 42 cases across six vulnerability classes shows that compromised contexts can induce substantial unsafe behavior while the agent still completes user-facing tasks correctly, demonstrating that evaluating only final responses is insufficient. **Main takeaways:** - Security risks come from the agent's mutable execution context (files it reads, tools it has access to, memory state) not just from adversarial user prompts - Compromised contexts can trigger unsafe behavior while preserving apparent task success—the agent looks like it's working correctly from the user's perspective - DeepTrap uses reward-guided beam search and reflection-based probing to find high-value context manipulations that are effective, stealthy, and don't break benign functionality - Final-response evaluation misses these context-driven attacks; you need execution-centric security evaluation that monitors the agent's entire operational environment

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, eval, prompt, base, system, benign, core. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11047v1 Announce Type: new Abstract: Agentic language-model systems increasingly rely on mutable execution contexts, including files, memory, tools, skills, and auxiliary artifacts, creating security risks beyond explicit user prompts. This paper presents DeepTrap, an automated framework for discovering contextual vulnerabilities in OpenClaw. DeepTrap formulates adversarial context manipulation as a black-box trajectory-level optimization problem that balances risk realization, benign-task preservation, and stealth. It combines risk-conditioned evaluation, multi-objective trajectory scoring, reward-guided beam search, and reflection-based deep probing to identify high-value compromised contexts. We construct a 42-case benchmark spanning six vulnerability classes and seven operational scenarios, and evaluate nine target models using attack and utility grading scores. Results show that contextual compromise can induce substantial unsafe behavior while preserving user-facing task completion, demonstrating that final-response evaluation is insufficient. The findings highlight the need for execution-centric security evaluation of agentic AI systems. Our code is released at: https://github.com/ZJUICSR/DeepTrap

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial, evaluation, benchmark.

  23. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11039unread

    The Granularity Mismatch in Agent Security: Argument-Level Provenance Solves Enforcement and Isolates the LLM Reasoning Bottleneck

    Linfeng Fan, Ziwei Li, Yuan Tian, Yichen Wang, Rongsheng Li, Xiong Wang · 2026-05-13

    PACT (Provenance-Aware Capability Contracts) addresses a granularity mismatch in agent security: existing defenses mediate trust at the whole-tool-call level, but indirect prompt injection becomes dangerous only when untrusted content determines an authority-bearing argument (like a file path or command). PACT assigns semantic roles to each tool argument, tracks where each value came from across replanning steps, and checks whether the origin satisfies that argument's trust contract. This achieves 100% security on diagnostic suites while recovering 38-46% utility (8-16 points above the baseline CaMeL) on full AgentDojo deployments. **Main takeaways:** - The problem isn't untrusted content appearing in context—it's untrusted content controlling authority-bearing arguments like destinations, commands, or file paths - PACT tracks value provenance (where did this argument's value come from?) and checks it against semantic role contracts (what level of trust does this argument position require?) - Under oracle provenance, achieves perfect utility and security; in real deployments, hits 100% security on top models while recovering substantially more utility than invocation-level monitors - Both semantic roles and cross-step provenance tracking are necessary—ablations show you can't remove either component - Reframes agent security as an authority-binding problem and isolates the remaining bottleneck to provenance inference and contract synthesis

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: output, eval, prompt, same, benign, under, both, outputs. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11039v1 Announce Type: new Abstract: Tool-using LLM agents must act on untrusted webpages, emails, files, and API outputs while issuing privileged tool calls. Existing defenses often mediate trust at the granularity of an entire tool invocation, forcing a brittle choice in mixed-trust workflows: allow external content to influence a call and risk hijacked destinations or commands, or quarantine the call and block benign retrieval-then-act behavior. The key observation behind this paper is that indirect prompt injection becomes dangerous not when untrusted content appears in context, but when it determines an authority-bearing argument. We present \textsc{PACT} (\emph{Provenance-Aware Capability Contracts}), a runtime monitor that assigns semantic roles to tool arguments, tracks value provenance across replanning steps, and checks whether each argument's origin satisfies its role-specific trust contract. Under oracle provenance, \textsc{PACT} achieves 100\% utility and 100\% security on mixed-trust diagnostic suites, while flat invocation-level monitors incur false positives or false negatives. In full AgentDojo deployments across five models, \textsc{PACT} reaches 100\% security on the three strongest models while recovering 38.1--46.4\% utility, 8--16 percentage points above CaMeL at the same security level. Ablations show that both semantic roles and cross-step provenance are necessary. \textsc{PACT} reframes agent security as authority binding, and isolates the remaining deployment bottleneck to provenance inference and contract synthesis.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses negative.

  24. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11036unread

    Sequential Behavioral Watermarking for LLM Agents

    Hyeseon An, Shinwoo Park, Dongsu Kim, Yo-Sub Han · 2026-05-13

    The authors tackle watermarking for LLM-based agents that make sequences of tool calls and decisions, not just generate text. Existing behavioral watermarks treat each action independently, so they break when the agent's trajectory gets shuffled, truncated, or corrupted. SeqWM instead embeds the watermark signal into history-conditioned transition patterns—the order and dependencies between actions—and verifies trajectories without requiring exact position alignment, making it robust to real-world perturbations while preserving the agent's task performance. **Main takeaways:** - Text watermarks don't capture action-level decisions, so agent provenance needs behavioral watermarks embedded in the sequence of tool calls and choices the agent makes. - Earlier agent watermarking methods treat each action step as independent, so they fail when trajectories are corrupted, truncated, or reordered. - SeqWM embeds signals into patterns across multiple steps (conditioned on history) and can verify a trajectory even when you can't align it step-by-step with the original. - Experiments across multiple agent benchmarks and LLM backbones show reliable detection with no loss in task performance, and the watermark survives corruptions that break round-indexed methods.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under, collapse, baseline, where, look, when. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11036v1 Announce Type: new Abstract: LLM-based agents act through sequences of executable decisions, but their trajectories provide little evidence of which agent or policy produced them, making provenance, ownership, and unauthorized reuse difficult to establish from observed behavior alone. This motivates watermarking signals embedded directly into agent behavior rather than only into generated text, since text watermarking cannot capture the action-level decisions that define agent execution. Recent agent watermarking methods address this gap by moving the watermark from generated text to behavioral choices. However, by treating each action step as an independent trial, they overlook trajectory structure and become fragile when trajectories are perturbed, truncated, or observed without reliable alignment. We propose SeqWM, a sequential behavioral watermarking framework that embeds signals into history-conditioned transition patterns and verifies trajectories position-agnostically against random-key baselines. Experiments across diverse agent benchmarks and LLM backbones show that SeqWM consistently achieves reliable detection while preserving agent utility, and remains robust under trajectory corruption where round-indexed behavioral watermarks collapse.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  25. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11034unread

    MambaNetBurst: Direct Byte-level Network Traffic Classification without Tokenization or Pretraining

    Gayan K. Kulatilleke, Siamak Layeghy, Mahsa Baktashmotlagh, Marius Portmann · 2026-05-13

    MambaNetBurst classifies network traffic (malware, VPN, IoT attacks) by feeding raw packet bytes directly into a Mamba-2 state-space model, skipping tokenization, patching, multimodal feature engineering, and self-supervised pretraining. The model takes the first few packets of a flow, embeds the byte sequence with a learnable CLS token, and runs it through stacked Mamba-2 blocks for supervised classification. Across six public benchmarks it matches or beats much heavier pretrained baselines, and ablations show that preserving byte-level resolution (no early downsampling) is critical. **Main takeaways:** - Operates on raw packet bytes with no tokenizer, no patching, no heavy feature engineering, and no pretraining stage. - Uses Mamba-2 state-space blocks to process byte sequences end-to-end for supervised traffic classification. - Matches or beats substantially larger, often pretrained baselines on six public benchmarks (app identification, VPN/Tor, malware, IoT attacks). - Ablations reveal that early downsampling via striding hurts performance and that preserving full byte-level temporal resolution is critical. - Mamba-2's simpler transition structure (vs. Mamba-1) works well for packet bytes and trains faster.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: rate, attention, base, trained, token, length, baseline, space. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11034v1 Announce Type: new Abstract: We present MambaNetBurst, a compact tokenizer-free byte-level sequence classifier for network burst classification based on a Mamba-2 backbone. In contrast to most recent strong traffic-classification and intrusion-detection approaches, our method operates directly on raw packet bytes, avoids tokenization, patching, and heavy engineered multimodal representations, and does not require any self-supervised pre-training stage. Given a packet flow, we form a fixed-length burst from the first few packets, embed the resulting byte sequence appending a learnable CLS token, and process it with a stack of residual pre-normalized Mamba-2 blocks for end-to-end supervised classification. Across six public benchmarks spanning encrypted mobile app identification, VPN/Tor traffic classification, malware traffic classification, and IoT attack traffic, MambaNetBurst achieves consistently strong results and is competitive with, or outperforms, substantially heavier and often pre-trained baselines. Our ablation study shows that preserving byte-level temporal resolution is critical, that early downsampling through striding is consistently harmful, and that moderate state sizes are sufficient for robust generalization. We further show that Mamba-2, despite its more constrained transition structure relative to Mamba-1, remains highly effective for packet-byte modeling while providing clear efficiency advantages, particularly in training speed. Overall, our results demonstrate that direct **undiluted** byte-to-classification learning with compact selective state space models is a practical, effective and novel direction for efficient, deployable traffic analysis that bypasses the complexity of pre-training pipelines even over highly optimized linear attention architectures.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  26. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11029unread

    FragBench: Cross-Session Attacks Hidden in Benign-Looking Fragments

    Astha Mehta (Isabella), Niruthiha Selvanayagam (Isabella), Cedric Lam (Isabella), Hengxu Li (Isabella), Phuc-Nguyen Nguyen (Isabella), Raymond Lee (Isabella), Olivia McGoffin (Isabella), My (Isabella), Luong, Arthur Coll\'e, Jamie Johnson, David Williams-King, Linh Le · 2026-05-13

    An attacker can split a malicious goal into innocent-looking sub-prompts spread across separate chat sessions, each benign on its own but harmful in combination. Existing safety benchmarks evaluate prompts one at a time or within a single conversation, so they miss cross-session attack trails. FragBench is a benchmark built from 24 real cyber-incident campaigns that tracks the full multi-fragment kill chain, per-fragment safety verdicts, sandboxed execution traces, and matched benign cover sessions. It pairs an adversarial rewriter that hardens fragments against single-turn judges (FragBench Attack) with a graph-based detector trained on cross-session interactions (FragBench Defense). Four GNN variants and three classical-ML baselines recover the cross-session signal with aggregate F1 = 0.88–0.96, showing that defense requires modeling the interaction graph rather than isolated prompts. **Main takeaways:** - Attackers can fragment a harmful goal into separate sessions with no shared context, each looking benign to a single-turn safety judge, but forming a kill chain when combined. - FragBench provides 24 real-world cyber-incident campaigns with full attack trails: multi-fragment chains, per-fragment verdicts, execution traces, and benign cover sessions. - Single-turn safety judges are near chance on the released corpus by design, but graph-based detectors (GNNs and classical ML) trained on cross-session interactions reach F1 = 0.88–0.96. - Defending against fragmented misuse requires modeling the user's interaction graph across sessions, not just filtering individual prompts. - Includes an adversarial rewriter (FragBench Attack) and detector baseline (FragBench Defense) with sandbox harness; all released open-source.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, eval, prompt, base, trained, benign. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11029v1 Announce Type: new Abstract: An attacker can split a malicious goal into sub-prompts that each look benign on their own and only become harmful in combination. Existing LLM safety benchmarks evaluate prompts one at a time, or across turns of a single chat, and so do not look for a malicious signal spread across separate sessions with no shared context. We build FragBench, a benchmark drawn from 24 real-world cyber-incident campaigns, which keeps the full attack trail: the multi-fragment kill chain, the per-fragment safety-judge verdicts, sandboxed execution traces, and a matched set of benign cover sessions. FragBench splits this trail into two paired tasks: an adversarial rewriter that hardens fragments against a single-turn safety judge (FragBench Attack), and a graph-based user-level detector trained on the resulting interactions (FragBench Defense). The single-turn judge is near chance on the released corpus by construction, but four GNN variants and three classical-ML baselines all recover the cross-session feature, reaching aggregate event-level F1 = 0.88-0.96. Defending against fragmented LLM misuse therefore requires modeling the cross-session interaction graph, rather than isolated prompts. Our generator, rewriter, sandbox harness, and detector are released at https://github.com/LidaSafety/fragbench.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial, benchmark.

  27. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11026unread

    AgentShield: Deception-based Compromise Detection for Tool-using LLM Agents

    Yassin H. Rassul, Tarik A. Rashid · 2026-05-13

    Most defenses against indirect prompt injection (IPI) in tool-using LLM agents try to prevent attacks upfront, leaving no detection when attacks slip through, and have only been tested in English. AgentShield instead embeds deception-based traps—fake tools, fake credentials, and allowlisted parameters—into the agent's tool interface. When a compromised agent follows an attacker's hidden instruction, it almost always touches a trap, providing both a real-time compromise signal and zero-false-positive labels for training a self-supervised classifier. Across 176 cross-lingual attack prompts and four LLMs, AgentShield catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests, and survives adaptive attacks with zero evasion on commercial models. **Main takeaways:** - Existing IPI defenses only try to prevent attacks, not detect compromises that slip through, and haven't been tested in low-resource languages like Kurdish or Arabic. - AgentShield places three layers of traps (fake tools, fake credentials, allowlisted parameters) in the agent's tool interface; a compromised agent following hidden instructions touches a trap. - Trap triggers provide real-time detection and zero-false-positive labels for training a self-supervised classifier without manual annotation. - Evaluated on 176 cross-lingual attacks and four LLMs: catches 90.7–100% of successful attacks with zero false alarms on 485 normal-use tests. - Survives systematic adaptive-attack evaluation with zero evasion on commercial models; the classifier transfers across models and languages without retraining.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, eval, prompt, base, system, same, source. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11026v1 Announce Type: new Abstract: Defenses against indirect prompt injection (IPI) in tool-using LLM agents share two structural weaknesses. First, they all attempt to prevent attacks rather than detect the compromises that slip through. Second, they have only been evaluated in English, leaving users of low-resource languages such as Kurdish and Arabic without tested protection. This paper addresses both gaps with AgentShield, a deception-based detection framework that places three layers of traps inside the agent's tool interface: fake tools, fake credentials, and allowlisted parameters. The same trap triggers serve as high-precision labels for a self-supervised classifier. An LLM agent that follows an attacker's hidden instruction almost always touches one of these traps, which gives both a real-time compromise signal and a zero-FP label for training a downstream detector without manual annotation. Across 176 cross-lingual attack prompts and four LLMs from three providers, and because modern LLMs already refuse most IPI attempts on their own (attack success rate <= 10%), AgentShield's job is to catch the attacks that do slip through. On commercial models, it catches 90.7%-100% of such successful attacks, with zero false alarms on 485 normal-use tests. It survives a systematic adaptive-attack evaluation with zero evasion on commercial models, and the self-supervised classifier transfers across models and languages without retraining.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  28. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11015unread

    DCVD: Dual-Channel Cross-Modal Fusion for Joint Vulnerability Detection and Localization

    Wenxin Tang, Wenbin Li, Junliang Liu, Jingyu Xiao, Xi Xiao, Mingzhe Liu, Jinlong Yang, Xuan Liu, Yuehe Ma, Wang Luo, Qing Li, Lei Wang, Peng Xiangli · 2026-05-13

    DCVD is a vulnerability detection framework that jointly predicts whether a function is vulnerable (function-level detection) and pinpoints the specific vulnerable lines (statement-level localization). Most existing methods rely on a single information source (sequential, structural, or semantic) and treat localization as a byproduct of detection without explicit line-level supervision. DCVD extracts control-dependency and semantic features through two parallel branches, aligns them via contrastive learning and bidirectional cross-attention, and introduces explicit supervision at both function and statement levels for joint optimization. On a large-scale real-world benchmark it outperforms state-of-the-art methods on both tasks. **Main takeaways:** - Vulnerability detection needs both function-level classification (is it vulnerable?) and statement-level localization (which lines are the problem?). - Existing methods use only one modality (sequential, structural, or semantic) and lack explicit line-level supervision. - DCVD runs two parallel branches (control-dependency and semantic features), aligns them with contrastive learning and bidirectional cross-attention, and supervises both function and statement levels jointly. - Outperforms state-of-the-art on both function-level detection and statement-level localization on a large-scale real-world vulnerability benchmark. - Code available at https://github.com/vinsontang1/DCVD.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, attention, system, source, both, fail. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11015v1 Announce Type: new Abstract: Software vulnerability detection plays a critical role in ensuring system security, where real-world auditing requires not only determining whether a function is vulnerable but also pinpointing the specific lines responsible. However, existing approaches either rely on a single information source -- sequential, structural, or semantic -- failing to jointly exploit the complementary strengths across modalities, or treat statement-level localization merely as a byproduct of function-level detection without explicit line-level supervision. To address these limitations, we propose DCVD (Dual-Channel Cross-Modal Vulnerability Detection), a unified framework that performs joint function-level detection and statement-level localization. DCVD extracts control-dependency and semantic features through two parallel branches and integrates them via contrastive alignment coupled with bidirectional cross-attention, effectively bridging the cross-modal representation gap. It further introduces explicit supervision signals at both the function and statement levels, enabling collaborative optimization across the two granularities. Extensive experiments on a large-scale real-world vulnerability benchmark demonstrate that DCVD consistently outperforms state-of-the-art methods on both function-level detection and statement-level localization. Our code is available at https://github.com/vinsontang1/DCVD.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, benchmark.

  29. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11003unread

    The Authorization-Execution Gap Is a Major Safety and Security Problem in Open-World Agents

    Baoyuan Wu, Qingshan Liu, Adel Bibi, Irwin King, Siwei Lyu · 2026-05-13

    This position paper argues that the Authorization-Execution Gap (AEG)—the divergence between what a user intends to authorize and what an open-world agent actually executes—is a major safety and security problem. Because agents act autonomously across tools, persistent state, and multi-agent handoffs, small authorization divergences can cause irreversible harm. The authors trace observed failures to three structural sources: delegation-level incompleteness (incomplete task specification), channel-level corruption (prompt injection or data poisoning), and composition-level fragmentation (handoffs across agents or tools that lose context). They argue that defenses must diagnose the structural source during execution, not just filter upfront or audit afterward, and that papers should report process-level evidence of where AEG was detected and attributed, not just outcome metrics. **Main takeaways:** - The Authorization-Execution Gap (AEG) is the divergence between what a user intends to authorize and what an agent executes; small gaps can cause irreversible harm in open-world agents. - Three structural sources: delegation-level incompleteness (incomplete task spec), channel-level corruption (injection/poisoning), and composition-level fragmentation (handoffs losing context). - The same observed failure can arise from any source, so symptom-targeted defenses don't address the underlying cause without source-oriented diagnosis. - Defenses should check authorization integrity during execution, not just filter upfront or audit afterward, because AEG arises dynamically. - Papers on open-world agents should report process-level evidence (where AEG was detected and attributed) alongside outcome metrics like task success or attack resistance.

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: trained, same, source, under, fail, divergence, where. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11003v1 Announce Type: new Abstract: This position paper argues that the Authorization-Execution Gap (AEG) is a major safety and security problem in open-world agents. The AEG is the divergence between what a principal intends to authorize and what an open-world agent ultimately executes. Because such agents act autonomously across tools, persistent state, and multi-agent handoffs, even small instances of authorization divergence can cause harm that is difficult or impossible to undo. We argue that many observed agent failures can be traced to three structural sources of AEG: delegation-level incompleteness, channel-level corruption, and composition-level fragmentation. The same observed failure may arise from any of these sources. Without identifying the source, a defense targeting the symptom alone cannot address the underlying cause. Agent safety and security should therefore emphasize source-oriented diagnosis and defense. Because the structural sources of AEG arise dynamically during execution, this approach necessarily requires authorization integrity checks applied during execution, rather than relying solely on one-shot upfront filtering or post-hoc audit. For NeurIPS, the implication is that papers on open-world agents should report not only outcome-level metrics such as task success or attack resistance, but also process-level evidence showing where AEG was detected, constrained, and attributed to a structural source during execution.

    Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses failure, failures.

  30. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.11002unread

    MT-JailBench: A Modular Benchmark for Understanding Multi-Turn Jailbreak Attacks

    Xinkai Zhang, Zhipeng Wei, Huanli Gong, Jing Ting Zheng, Yuchen Zhang, Yue Dong, N. Benjamin Erichson · 2026-05-13

    Multi-turn jailbreaks gradually steer a conversation toward an unsafe answer rather than stating a harmful request upfront, but existing methods are evaluated with different budgets, judges, retry rules, and strategy generation, making it unclear whether gains reflect stronger attacks or different conditions. MT-JailBench is a modular benchmark that implements each attack as five interacting modules (evaluation function, attack strategy, prompt generation, prompt refinement, flow control) so methods can be compared under fixed conditions. Component-wise analysis shows that resource budgets and evaluation functions are major confounders; prompt generation accounts for most performance variation, while refinement and flow control provide moderate gains. Recomposing the best components yields a strong configuration that outperforms source attacks and generalizes across LLMs. **Main takeaways:** - Multi-turn jailbreaks accumulate conversational context to reach unsafe answers, but existing evaluations differ in budgets, judges, retries, and strategy generation, confounding comparisons. - MT-JailBench decomposes each attack into five modules (evaluation, strategy, prompt generation, refinement, flow control) for fair comparison and component-level analysis. - Resource budgets (turns, retries, interactions, sampled strategies) and evaluation functions are major confounders; controlling them changes the ranking of attacks. - Prompt generation accounts for most performance variation; refinement and flow control provide moderate gains; explicit dynamic strategy generation isn't always necessary. - Recomposing the best components yields a configuration that outperforms source attacks and generalizes across diverse LLMs.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, prompt, source, under, moderate, implement, generalize. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.11002v1 Announce Type: new Abstract: Multi-turn jailbreaks exploit the ability of large language models to accumulate and act on conversational context. Instead of stating a harmful request directly, an attacker can gradually steer the conversation toward an unsafe answer. Recent methods demonstrate this risk, but they are usually evaluated as black-box pipelines with different budgets, judges, retry rules, and strategy generation procedures. As a result, it is often unclear whether reported gains reflect stronger attack mechanisms or different experimental conditions. We introduce MT-JailBench, a modular evaluation framework for benchmarking multi-turn jailbreaks under fixed conditions. MT-JailBench implements each attack as five interacting modules: evaluation function, attack strategy, prompt generation, prompt refinement, and flow control. This design enables fair comparison across attack methods and component-wise analysis of what drives attack success. Using MT-JailBench, we find that resource budgets and evaluation functions are major confounders: controlling turns, retries, interactions, sampled strategies, and judges substantially change the ranking of attacks. At the component level, prompt generation accounts for most performance variation, while refinement and flow control provide moderate gains. We also find that explicit dynamic strategy generation is not always necessary; stochastic sampling from a fixed strategy can rival more elaborate diversification mechanisms. Finally, recomposing the best components yields a strong attack configuration that outperforms its source attacks and generalizes across diverse target LLMs. MT-JailBench therefore provides a modular framework for comparing multi-turn jailbreaks, understanding the impact of components, and guiding stronger red-teaming evaluations.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses confound, evaluation, benchmark.

  31. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.10998unread

    Few-Shot Truly Benign DPO Attack for Jailbreaking LLMs

    Sangyeon Yoon, Wonje Jeung, Yoonjun Cho, Dongjae Jeon, Albert No · 2026-05-13

    The authors show that fine-tuning APIs can be jailbroken using Direct Preference Optimization (DPO) with as few as 10 completely benign training examples. Each example pairs a harmless question with a helpful answer (preferred) and a refusal (dispreferred)—training data that looks identical to what a legitimate user might submit to reduce over-refusal. Because DPO teaches the model to prefer helpful responses over refusals in general, this objective transfers to harmful prompts, achieving attack success rates of 59-82% on GPT-4o variants at costs under $2. **Main takeaways:** - DPO fine-tuning creates a stronger, harder-to-detect jailbreak vector than supervised fine-tuning because the training data itself is indistinguishable from legitimate use. - Only 10 harmless preference pairs (the minimum OpenAI accepts) are enough to broadly suppress refusal behavior across harmful prompts outside the training set. - The attack works because DPO directly optimizes against refusals as a class, not just on the specific prompts in the training data. - Open-weight models show the effect can emerge from a single benign preference pair when no minimum data requirement is enforced. - The method works across GPT-4o, GPT-4.1, and their smaller variants, with success rates between 54% and 82%.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, base, benign, under, helpful, fail. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.10998v1 Announce Type: new Abstract: Fine-tuning APIs make frontier LLMs easy to customize, but they can also weaken safety alignment during fine-tuning. While prior work shows that benign supervised fine-tuning (SFT) can reduce refusal behavior, deployed fine-tuning pipelines increasingly support preference-based objectives, whose safety risks remain less understood. We show that Direct Preference Optimization (DPO) introduces a stronger and harder-to-audit failure mode. We propose a truly benign DPO attack using only 10 harmless preference pairs, the minimum data scale accepted by OpenAI's fine-tuning service. Each pair contains a benign prompt, a normal helpful answer as the preferred response, and a refusal as the dispreferred response. Unlike prior benign fine-tuning attacks, our data exhibits no suspicious behavior: it is practically indistinguishable from the fine-tuning request of a legitimate user seeking to reduce over-refusal, making harmful intent almost impossible to infer from the request alone. Nevertheless, because DPO directly optimizes the model to prefer helpful answers over refusals, this seemingly benign objective broadly suppresses refusal behavior and transfers to harmful prompts outside the fine-tuning data. Across OpenAI models supporting DPO fine-tuning, our attack achieves attack success rates of 59.13% on GPT-4o, 70.20% on GPT-4.1, 54.80% on GPT-4.1-mini, and 81.73% on GPT-4.1-nano, at costs of only \$1.7, \$1.7, \$0.3, and \$0.1. Moreover, on open-weight models that do not impose minimum data requirements, we find that this effect can emerge from even a single benign preference pair.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure.

  32. score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.10977unread

    PASA: A Principled Embedding-Space Watermarking Approach for LLM-Generated Text under Semantic-Invariant Attacks

    Zhenxin Ai, Haiyun He · 2026-05-13

    The authors propose PASA, a watermarking method for LLM-generated text that operates in semantic embedding space rather than at the token level. Unlike vocabulary-based watermarks that break under paraphrasing, PASA clusters tokens by meaning and constructs a statistical dependency between the token sequence and a hidden auxiliary sequence synchronized by a secret key and semantic history. This design aims to survive semantic-invariant attacks (like paraphrasing) while preserving text quality, and experiments show it outperforms standard vocabulary-space baselines under strong paraphrasing attacks. **Main takeaways:** - Traditional LLM watermarks embed signals at the token level and fail when text is paraphrased; PASA embeds at the semantic level to resist these attacks. - The method works by clustering semantically similar tokens and creating a distributional dependency tied to a secret key and the semantic context. - A theoretical framework characterizes the trade-offs between detection accuracy, robustness to attacks, and text quality distortion. - Experiments across multiple LLMs show PASA remains detectable even after strong paraphrasing while maintaining high text quality. - The approach is grounded in finding a jointly optimal embedding-detection pair that balances all three desiderata.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, eval, base, token, under, baseline. Source: arxiv cs.CR (Cryptography and Security).

    arXiv:2605.10977v1 Announce Type: new Abstract: Watermarking for large language models (LLMs) is a promising approach for detecting LLM-generated text and enabling responsible deployment. However, existing watermarking methods are often vulnerable to semantic-invariant attacks, such as paraphrasing. We propose PASA, a principled, robust, and distortion-free watermarking algorithm that embeds and detects a watermark at the semantic level. PASA operates on semantic clusters in a latent embedding space and constructs a distributional dependency between token and auxiliary sequences via shared randomness synchronized by a secret key and semantic history. This design is grounded in our theoretical framework that characterizes a jointly optimal embedding-detection pair, achieving the fundamental trade-offs among detection accuracy, robustness, and distortion. Evaluations across multiple LLMs and semantic-invariant attacks demonstrate that PASA remains robust even under strong paraphrasing attacks while preserving high text quality, outperforming standard vocabulary-space baselines. Ablation studies further validate the effectiveness of our hyperparameter choices. Webpage: https://ai-kunkun.github.io/PASA_page/.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, evaluation.

  33. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11468unread

    CAMPA: Efficient and Aligned Multimodal Graph Learning via Decoupled Propagation and Aggregation

    Daohan Su, Hao Liu, Xunkai Li, Yinlin Zhu, Xiong Yongfu, Yi Liu, Hongchao Qin, Rong-Hua Li, Guoren Wang · 2026-05-13

    The authors study multimodal graph neural networks and find that decoupled architectures (which separate feature propagation from model training) are much more efficient than tightly coupled ones, but suffer from "modal conflict"—cross-modal semantic divergence during propagation and misalignment during aggregation. They propose CAMPA, which injects cross-modal similarity into message passing and uses trajectory-level attention to align features across modalities and propagation hops. Experiments show CAMPA outperforms both coupled and decoupled baselines while staying efficient. **Main takeaways:** - Decoupled graph neural networks (which pre-propagate features separately from training) are faster and more scalable than coupled architectures. - The bottleneck is modal conflict: independent diffusion causes semantic drift across modalities, and naive fusion fails to align multi-hop feature trajectories. - CAMPA fixes this with two-stage alignment: cross-modal similarity priors during propagation and trajectory-level self/cross-attention during aggregation. - The method preserves the efficiency of decoupled architectures while consistently improving performance on diverse benchmarks. - The approach handles long-range dependencies across both modalities and propagation hops.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, attention, base, system, similarity, baseline, both. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11468v1 Announce Type: new Abstract: Multimodal Graph Neural Networks (MGNNs) have shown strong potential for learning from multimodal attributed graphs, yet most existing approaches rely on tightly coupled architectures that suffer from prohibitive computational overhead. In this paper, we present a systematic empirical analysis showing that decoupled MGNNs are substantially more efficient and scalable for large-scale graph learning. However, we identify a critical bottleneck in existing decoupled pipelines, namely modal conflict, which arises in both the propagation and aggregation stages. Specifically, independent multi-hop diffusion causes cross-modal semantic divergence during propagation, while naive fusion fails to align multi-hop feature trajectories during aggregation, jointly limiting effective representation learning. To address this challenge, we propose CAMPA, a Cross-modal Aligned Multimodal Propagation & Aggregation framework for decoupled multimodal graph learning. Concretely, CAMPA introduces a two-stage alignment mechanism: (1) cross-modal aligned propagation, which injects cross-modal similarity priors into message passing to preserve semantic consistency without additional parameter overhead; (2) trajectory aligned aggregation, which leverages trajectory-level self-attention and cross-attention to capture and align long-range dependencies across modalities and hops. Extensive experiments on diverse benchmark datasets and tasks demonstrate that CAMPA consistently outperforms strong coupled and decoupled baselines while preserving the efficiency advantages of the decoupled paradigm.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  34. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11461unread

    Breaking $\textit{Winner-Takes-All}$: Cooperative Policy Optimization Improves Diverse LLM Reasoning

    Haoxuan Chen, Tianming Liang, Wei-Shi Zheng, Jian-Fang Hu · 2026-05-13

    The authors argue that group-based RL methods like GRPO suffer from "winner-takes-all" dynamics where rollouts compete for individual advantage, causing models to converge on narrow high-scoring patterns. They propose GCPO, which replaces individual scoring with team-level credit assignment: a rollout is rewarded based on how much it contributes to the team's coverage of valid, non-redundant solutions (measured as a determinant volume over reward-weighted semantic embeddings). This cooperative paradigm routes optimization toward diverse correct reasoning paths, improving both accuracy and solution diversity on reasoning benchmarks. **Main takeaways:** - Standard group RL (like GRPO) creates competition among rollouts, leading to premature convergence on a narrow set of solutions. - Adding entropy bonuses or diversity rewards doesn't fix the core problem because rollouts still compete rather than cooperate. - GCPO rewards rollouts based on their marginal contribution to the team's collective coverage of correct, distinct solutions. - Coverage is computed as a volume in semantic embedding space, weighted by correctness—only non-redundant correct answers contribute. - Experiments show GCPO improves both reasoning accuracy and solution diversity compared to existing methods.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, base, lora, collapse, both, where. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11461v1 Announce Type: new Abstract: Reinforcement learning with verifiers (RLVR) has become a central paradigm for improving LLM reasoning, yet popular group-based optimization algorithms like GRPO often suffer from exploration collapse, where the models prematurely converge on a narrow set of high-scoring patterns, lacking the ability to explore new solutions. Recent efforts attempt to alleviate this by adding entropy regularization or diversity bonus. However, these approaches do not change the \textit{winner-takes-all} nature, where rollouts still compete for individual advantage rather than cooperating for maximizing global diversity. In this work, we propose Group Cooperative Policy Optimization (GCPO), which shifts the training paradigm from rollout competition to team cooperation. Specifically, GCPO replaces independent rollout scoring with team-level credit assignment: a rollout is rewarded by how much it contributes to the team's valid solution coverage, rather than its individual accuracy. This coverage is described as a determinant volume over reward-weighted semantic embeddings, where only correct and non-redundant rollouts contribute to this volume. During advantage estimation, GCPO redistributes the collective team reward to each single rollout according to its average marginal contribution to the team. This cooperative training paradigm routes optimization toward non-redundant correct reasoning paths. Experiments across multiple reasoning benchmarks demonstrate that GCPO significantly improves both reasoning accuracy and solution diversity over existing approaches. Code will be released at $\href{https://github.com/bradybuddiemarch/gcpo}{this}$.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  35. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11418unread

    Under the Hood of SKILL.md: Semantic Supply-chain Attacks on AI Agent Skill Registry

    Shoumik Saha, Kazem Faghih, Soheil Feizi · 2026-05-13

    The authors study semantic supply-chain attacks on AI agent skill registries, where adversaries manipulate the natural-language SKILL.md metadata files that describe when and how agents should use modular capabilities. They demonstrate attacks across three stages: in Discovery, short textual triggers manipulate embedding-based retrieval to boost adversarial skill visibility; in Selection, description framing biases agents toward malicious variants; and in Governance, semantic evasion helps malicious skills bypass blocking. Experiments with real skills show adversarial variants achieve 77.6% selection rate and evade detection in 36.5-100% of cases. **Main takeaways:** - Agent skill registries use natural-language metadata (SKILL.md files) to describe capabilities, but this text is operational—it affects discovery, selection, and governance. - Short textual triggers can manipulate embedding-based retrieval to make adversarial skills appear in top-10 results 80% of the time. - Description-only framing causes agents to select functionally equivalent adversarial variants in 77.6% of paired trials on average. - Semantic evasion strategies (rewording descriptions) help malicious skills avoid blocking in 36.5-100% of test cases. - The attacks exploit the fact that natural-language descriptions are both human-readable and machine-actionable, creating a semantic attack surface.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, eval, base, system, triggers, when. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11418v1 Announce Type: new Abstract: Autonomous AI agents increasingly extend their capabilities through Agent Skills: modular filesystem packages whose SKILL.md files describe when and how agents should use them. While this design enables scalable, on-demand capability expansion, it also introduces a semantic supply-chain risk in which natural-language metadata and instructions can affect which skills are admitted, surfaced, selected, and loaded. We study SKILL.md - only attacks across three registry-facing stages of the Agent Skill lifecycle, using real ClawHub skills and realistic registry mechanisms. In Discovery, short textual triggers can manipulate embedding-based retrieval and improve adversarial skill visibility, achieving up to 86% pairwise win rate and 80% Top-10 placement. In Selection, description-only framing biases agents toward functionally equivalent adversarial variants, which are selected in 77.6% of paired trials on average. In Governance, semantic evasion strategies cause malicious skills to avoid a blocking verdict in 36.5%-100% of cases. Overall, our results show that SKILL.md is not passive documentation but operational text that shapes which third-party capabilities agents find, trust, and use.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, adversarial.

  36. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11410unread

    What Do EEG Foundation Models Capture from Human Brain Signals?

    Ling Tang, Qian Chen, Jilin Mei, Houshi Xu, Quanshi Zhang, Jing Shao, Na Zou, Xia Hu, Dongrui Liu · 2026-05-13

    The authors audit what EEG foundation models learn by probing their internal representations for 63 hand-crafted clinical features across 6 families (frequency, connectivity, complexity, etc.). They test three models on five clinical tasks and find that 68.6% of features are "representation-causal" (the model uses them for prediction) and 21.1% are "encoded-only" (present but not used). Fifty features emerge as universal candidates across tasks, and frequency-domain features dominate but all six families contribute. Confirmed features recover 79.3% of the foundation model's advantage over random baselines, with task-dependent coverage (near-perfect for easy tasks, ~56% for hard ones). **Main takeaways:** - Foundation models trained on raw EEG signals encode a substantial portion of the hand-crafted feature catalog refined over decades. - Layer-wise probing and subspace erasure reveal that 68.6% of 945 (model, task, feature) units are causally used for prediction. - Frequency-domain features are most prominent, but connectivity, complexity, and other families each contribute causal information. - Fifty features qualify as "universal"—causally represented across multiple architectures and tasks. - The hand-crafted lexicon recovers 79.3% of model performance on average, but harder tasks leave a residual that points to undiscovered features.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)". Matching terms: candidates, parent, candidate, base, baseline, question, space, does. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11410v1 Announce Type: new Abstract: Clinical electroencephalogram (EEG) analysis rests on a hand-crafted feature catalog refined over decades, \emph{e.g.,} band power, connectivity, complexity, and more. Modern EEG foundation models bypass this catalog, learn directly from raw signals via self-supervised pretraining, and match or outperform feature-engineered baselines on most clinical benchmarks. Whether the two representations align is an open question, which we decompose into three sub-questions: \emph{what does the model learn}, \emph{what does the model use}, and \emph{how much can be explained}. We answer them with layer-wise ridge probing, LEACE-style cross-covariance subspace erasure, and a transparent classifier benchmarked against a random-feature baseline. The audit covers three foundation models (CSBrain, CBraMod, LaBraM), five clinical tasks (MDD, Stress, ISRUC-Sleep, TUSL, Siena), and a 6-family 63-feature lexicon. Of the $945$ (model, task, feature) units, $648$ ($68.6\%$) are representation-causal and $199$ ($21.1\%$) are encoded-only. Across tasks, $50$ features qualify as universal candidates with strong support (all three architectures RC) in two or more tasks. Frequency-domain features dominate, but the other five families each contribute substantial causal mass. Confirmed features recover, on average, $79.3\%$ of the foundation model's advantage over the random baseline, with a clean task gradient (MDD $\approx 0.99$ down to Stress $\approx 0.56$): tasks near ceiling are almost fully recovered by the lexicon, while harder tasks leave a non-trivial residual that pinpoints a concrete target for future concept discovery.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses benchmark.

  37. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11404unread

    Attributing Emergence in Million-Agent Systems

    Ling Tang, Jilin Mei, Qian Chen, Qihan Ren, Linfeng Zhang, Quanshi Zhang, Jing Shao, Xia Hu, Dongrui Liu · 2026-05-13

    The authors develop a fast method to figure out which individual agents in a million-user LLM-powered social simulation are responsible for macro-scale behaviors like polarization or information cascades. Traditional attribution methods (like Shapley values) scale combinatorially and max out around a thousand agents, but social phenomena happen at millions. They adapt a path-integral approach that runs 10,000–100,000× faster and use it on real Bluesky data (1.6M users). They find that small-sample studies (N=100) massively overattribute influence to high-follower accounts, while full-scale analysis reveals the long tail and middle tier jointly carry most of the weight — and they prove mathematically that you can't fix this by rescaling. **Main takeaways:** - Existing attribution methods for multi-agent systems can't scale past about 1,000 agents, but the social phenomena we care about (polarization, cascades) happen at millions of users. - The new method satisfies all four Shapley axioms but runs four to five orders of magnitude faster, making million-agent attribution feasible. - On 1.6M Bluesky users, full-scale attribution disagrees structurally with the small (N=100) convenience samples used in prior work: small samples over-credit high-follower accounts while missing the long tail. - The "Attribution Scaling Bias" theorem proves you can't reconcile small-scale and full-scale results with any global rescaling factor when your macro indicator is nonlinear. - For any nonlinear emergent behavior, full-scale attribution is a theoretical requirement, not just a nice-to-have.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: long, system, same, under, both, factor. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11404v1 Announce Type: new Abstract: Large language models (LLMs) can simulate human-like reasoning and decision-making in individual agents. LLM-powered multi-agent systems (MAS) combine such agents to simulate population-scale social phenomena such as polarization, information cascades, and market panics. Such studies require attributing macro emergence to individual agents, but existing axiomatic methods scale combinatorially in $N$ and have been confined to $N \lesssim 10^3$, while the phenomena they explain occur at $N \geq 10^6$. We address this gap by adapting Aumann--Shapley path-integral attribution to LLM-powered MAS at million-agent scale; the resulting method satisfies all four axioms, runs four to five orders of magnitude faster than sampled Shapley on the same hardware. We use this method to test the scale gap empirically: across 14 days of public Bluesky data ($1{,}671{,}587$ active users), we compute the attribution at both full scale and the visibility-biased $N = 10^2$ convenience sample used by small-scale studies, and the two disagree structurally. At full scale the long tail and middle tier jointly carry the majority; the biased small panel attributes almost everything to a few high-follower accounts. We then prove that under any nonlinear macro indicator the disagreement cannot be reduced by post-hoc rescaling: an Attribution Scaling Bias theorem shows that no global rescaling factor can reconcile small-scale and full-scale attribution. Full-scale attribution is therefore not a methodological choice but a theoretical requirement for any nonlinear macro indicator.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses bias.

  38. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11398unread

    AcuityBench: Evaluating Clinical Acuity Identification and Uncertainty Alignment

    Robin Linzmayer (Department of Computer Science, Columbia University, Department of Biomedical Informatics, Columbia University), Georgianna Lin (Department of Biomedical Informatics, Columbia University), Di Coneybeare (Department of Emergency Medicine, Columbia University Irving Medical Center), Jason Chu (Department of Emergency Medicine, Columbia University Irving Medical Center), Trudi Cloyd (Department of Emergency Medicine, Columbia University Irving Medical Center), Manish Garg (Department of Emergency Medicine, Columbia University Irving Medical Center), Miles Gordon (Department of Emergency Medicine, Columbia University Irving Medical Center), Elizabeth Hartofilis (Department of Emergency Medicine, Columbia University Irving Medical Center), Benjamin Hong (Department of Emergency Medicine, Columbia University Irving Medical Center), Ashraf Hussain (Department of Emergency Medicine, Columbia University Irving Medical Center), Eugene Y. Kim (Department of Emergency Medicine, Columbia University Irving Medical Center), Oluchi Iheagwara King (Department of Emergency Medicine, Columbia University Irving Medical Center), Ross McCormack (Department of Emergency Medicine, Columbia University Irving Medical Center), Erica Olsen (Department of Emergency Medicine, Columbia University Irving Medical Center), John K. Riggins Jr (Department of Emergency Medicine, Columbia University Irving Medical Center), Mustafa N. Rasheed (Department of Emergency Medicine, Columbia University Irving Medical Center), Dana L. Sacco (Department of Emergency Medicine, Columbia University Irving Medical Center), Vinay Saggar (Department of Emergency Medicine, Columbia University Irving Medical Center), Osman R. Sayan (Department of Emergency Medicine, Columbia University Irving Medical Center), Amit Shembekar (Department of Emergency Medicine, Columbia University Irving Medical Center), Janice Shin-Kim (Department of Emergency Medicine, Columbia University Irving Medical Center), Wendy W. Sun (Department of Emergency Medicine, Columbia University Irving Medical Center), Bernard P. Chang (Department of Emergency Medicine, Columbia University Irving Medical Center), David Kessler (Department of Emergency Medicine, Columbia University Irving Medical Center), No\'emie Elhadad (Department of Computer Science, Columbia University, Department of Biomedical Informatics, Columbia University) · 2026-05-13

    The authors introduce AcuityBench, a benchmark that tests whether language models correctly judge how urgently a patient needs care (home monitoring, scheduled visit, urgent care, or ER) from medical descriptions. It pools 914 cases from five datasets (conversations, forum posts, clinical vignettes, patient messages), including 217 ambiguous cases where physicians themselves disagreed. They test 12 frontier models in both QA format (pick one of four urgency levels) and free-form conversational format, finding substantial variation in accuracy and a systematic tradeoff: conversational responses reduce over-triage but increase under-triage, especially for high-acuity cases. No model closely matches the distribution of physician uncertainty on ambiguous cases. **Main takeaways:** - AcuityBench unifies five public medical datasets under a shared four-level urgency framework (home monitoring → scheduled → urgent → ER) with 697 clear-consensus cases and 217 physician-confirmed ambiguous cases. - Frontier models vary widely in accuracy and error direction; some over-triage, others under-triage. - Conversational responses systematically reduce over-triage but increase under-triage compared to QA format, especially for high-acuity cases. - No model's uncertainty distribution on ambiguous cases matches physician judgment distributions — models are more confident and concentrated. - Acuity identification is a distinct safety-critical capability separate from general medical QA.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, same, under, question, predict. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11398v1 Announce Type: new Abstract: We introduce AcuityBench, a benchmark for evaluating whether language models identify the appropriate urgency of care from user medical presentations. Existing health benchmarks emphasize medical question answering, broad health interactions, or narrow workflow-specific triage tasks, but they do not offer a unified evaluation of acuity identification across these settings. AcuityBench addresses this gap by harmonizing five public datasets spanning user conversations, online forum posts, clinical vignettes, and patient portal messages under a shared four-level acuity framework ranging from home monitoring to immediate emergency care. The benchmark contains 914 cases, including 697 consensus cases for standard accuracy evaluation and 217 physician-confirmed ambiguous cases for uncertainty-aware evaluation. It supports two complementary task formats: explicit four-way classification in a QA setting, and free-form conversational responses evaluated with a rubric-based judge anchored to the same framework. Across 12 frontier proprietary and open-weight models, we find substantial variation in clear-case acuity accuracy and error direction. Comparing task formats reveals a systematic tradeoff: conversational responses reduce over-triage but increase under-triage relative to QA, especially in higher-acuity cases. In ambiguous cases, no model closely matches the distribution of physician judgments, and model predictions are more concentrated than expert clinical uncertainty. We also compare expert and model adjudication on a subset of maximally ambiguous cases, using those cases to examine the role of clinical uncertainty in label disagreement. Together, these results position acuity identification as a distinct safety-critical capability and show that AcuityBench enables systematic comparison and stress-testing of how well models guide users to the right level of care in real-world health use.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  39. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11376unread

    LLM-X: A Scalable Negotiation-Oriented Exchange for Communication Among Personal LLM Agents

    Giuliano Lorenzoni (University of Waterloo), Paulo Alencar (University of Waterloo), Donald Cowan (University of Waterloo) · 2026-05-13

    The authors propose LLM-X, a message-bus architecture for direct communication and negotiation among personal LLM agents (each representing a user), rather than agents just calling APIs. It introduces federated gateways, topic-based routing, and policy enforcement to enable LLM-to-LLM coordination with schema validation and negotiation-style protocols (like contract-net). They run the first empirical evaluation of multi-agent LLM negotiation at scale (5–12 agents, low/medium/high negotiation policies, up to 12-hour runs), finding clear policy-performance tradeoffs: stricter policies improve robustness and fairness but increase latency and message volume. The system remains stable under sustained load. **Main takeaways:** - LLM-X is a message-bus substrate for direct LLM-to-LLM communication and negotiation, not just agent-API tool use. - It combines federated gateways, topic-based routing, and typed message protocols with policy enforcement and capability negotiation. - First empirical evaluation of LLM-based multi-agent negotiation at scale: 5–12 agents, three policy strictness levels, runs up to 12 hours. - Stricter negotiation policies improve robustness and fairness but increase latency and message volume. - The system shows bounded latency drift under sustained multi-hour load, confirming stability.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, persona, long, eval, base, under, both, drift. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11376v1 Announce Type: new Abstract: We propose a personal-LLM exchange (LLM-X), a scalable negotiation-oriented environment that enables direct, structured communication across populations of personal agents (LLMs), each representing an individual user. Unlike existing tool-centric protocols that focus on agent-API interaction, LLM-X introduces a message bus and routing substrate for LLM-to-LLM coordination with guarantees around schema validity and policy enforcement. We contribute: (1) an architecture for LLM-X comprising federated gateways, topic-based routing, and policy enforcement; (2) a typed message protocol supporting capability negotiation and contract-net-style coordination; and (3) the first empirical evaluation of LLM-based multi-agent negotiation at scale. Experiments span 5, 9, and 12 agents, under distinct negotiation policies (Low, Medium, High), and across both short-run (minutes) and long-run (2h, 12h) load conditions. Results highlight clear policy-performance trade-offs: stricter policies improve robustness and fairness but increase latencies and message volume. Extended runs confirm that LLM-X remains stable under sustained load, with bounded latency drift.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, evaluation.

  40. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11373unread

    Causal Algorithmic Recourse: Foundations and Methods

    Drago Plecko, Collin Wang, Elias Bareinboim · 2026-05-13

    The authors develop a causal framework for algorithmic recourse — recommendations for how an individual can reverse a negative AI decision (e.g., denial of a loan). Traditional approaches treat recourse as a single counterfactual intervention on a fixed unit, but real-world recourse involves repeated decisions under possibly different latent conditions. They model recourse as a process with pre- and post-intervention outcomes, allowing latent variables to partially resample. Under "post-recourse stability" conditions, they show you can infer recourse effects from observational data alone using a copula-based algorithm. When paired observations (before/after intervention on the same person) are available, they provide methods for copula parameter inference and goodness-of-fit testing, plus a distribution-free algorithm when the copula model is rejected. **Main takeaways:** - Algorithmic recourse (how to reverse a negative decision) is typically modeled as a one-time counterfactual, but real recourse involves repeated decisions with potentially resampled latent conditions. - The paper models recourse as a process over pre- and post-intervention outcomes, with partial stability and latent resampling. - Under "post-recourse stability" conditions, recourse effects can be inferred from observational data alone via a copula-based method. - When "recourse data" (paired before/after observations) are available, the authors provide copula parameter inference, goodness-of-fit testing, and a distribution-free fallback. - Demonstrations on real and semi-synthetic datasets show the methods' practical value.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, system, same, under, where, when. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11373v1 Announce Type: cross Abstract: The trustworthiness of AI decision-making systems is increasingly important. A key feature of such systems is the ability to provide recommendations for how an individual may reverse a negative decision, a problem known as algorithmic recourse. Existing approaches treat recourse outcomes as counterfactuals of a fixed unit, ignoring that real-world recourse involves repeated decisions on the same individual under possibly different latent conditions. We develop a causal framework that models recourse as a process over pre- and post-intervention outcomes, allowing for partial stability and resampling of latent variables. We introduce post-recourse stability conditions that enable reasoning about recourse from observational data alone, and develop a copula-based algorithm for inferring the effects of recourse under these conditions. For settings where paired observations of the same individual before and after intervention are available (called recourse data), we develop methods for inferring copula parameters and performing goodness-of-fit testing. When the copula model is rejected, we provide a distribution-free algorithm for learning recourse effects directly from recourse data. We demonstrate the value of the proposed methods on real and semi-synthetic datasets.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative.

  41. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11365unread

    Causal Bias Detection in Generative Artifical Intelligence

    Drago Plecko · 2026-05-13

    The paper extends causal fairness methodology from standard supervised ML (where you learn a single predictor) to generative AI, where models can sample from arbitrary conditionals and implicitly construct beliefs about all causal mechanisms, not just a single outcome. The author formalizes causal fairness for generative AI, derives new decomposition results that quantify fairness impacts along (a) different causal pathways and (b) the replacement of real-world mechanisms by the generative model's mechanisms, establishes identification conditions, and introduces efficient estimators. Empirical analysis demonstrates race and gender bias in large language models across datasets. **Main takeaways:** - Generative AI fairness is fundamentally different from standard ML fairness: generative models construct beliefs about all causal mechanisms, not just a single predictor. - The paper unifies causal fairness for generative AI and standard ML under a common theoretical framework. - New causal decomposition results enable granular quantification of bias along causal pathways and due to mechanism replacement. - Identification conditions and efficient estimators are provided for causal fairness quantities. - Empirical analysis reveals race and gender bias in LLMs across different datasets.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, system, under, both, notion, predict, where. Source: arxiv stat.ML (Machine Learning).

    arXiv:2605.11365v1 Announce Type: cross Abstract: Automated systems built on artificial intelligence (AI) are increasingly deployed across high-stakes domains, raising critical concerns about fairness and the perpetuation of demographic disparities that exist in the world. In this context, causal inference provides a principled framework for reasoning about fairness, as it links observed disparities to underlying mechanisms and aligns naturally with human intuition and legal notions of discrimination. Prior work on causal fairness primarily focuses on the standard machine learning setting, where a decision-maker constructs a single predictive mechanism $f_{\widehat Y}$ for an outcome variable $Y$, while inheriting the causal mechanisms of all other covariates from the real world. The generative AI setting, however, is markedly more complex: generative models can sample from arbitrary conditionals over any set of variables, implicitly constructing their own beliefs about all causal mechanisms rather than learning a single predictive function. This fundamental difference requires new developments in causal fairness methodology. We formalize the problem of causal fairness in generative AI and unify it with the standard ML setting under a common theoretical framework. We then derive new causal decomposition results that enable granular quantification of fairness impacts along both (a) different causal pathways and (b) the replacement of real-world mechanisms by the generative model's mechanisms. We establish identification conditions and introduce efficient estimators for causal quantities of interest, and demonstrate the value of our methodology by analyzing race and gender bias in large language models across different datasets.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  42. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11359unread

    CVEvolve: Autonomous Algorithm Discovery for Unstructured Scientific Data Processing

    Ming Du, Xiangyu Yin, Yanqi Luo, Dishant Beniwal, Songyuan Tang, Hemant Sharma, Mathew J. Cherukara · 2026-05-13

    CVEvolve is an autonomous LLM agent system with a zero-code interface that discovers custom data-processing algorithms for scientific imaging tasks (x-ray microscopy registration, Bragg peak detection, diffraction image segmentation). It combines multi-round search with tools for code execution, evaluation, history management, holdout testing, and optional data/visual inspection. The search alternates between discovery (exploring new approaches) and improvement (refining existing ones), using lineage-aware stochastic sampling to balance exploration and exploitation. Across imaging tasks, CVEvolve discovers algorithms that beat baselines, and holdout tracking helps identify candidates that generalize better than later over-optimized ones. **Main takeaways:** - CVEvolve is a zero-code LLM agent harness for autonomous scientific algorithm discovery, targeting domain scientists without coding or image-processing expertise. - It alternates between discovery (explore new approaches) and improvement (refine existing) actions, with lineage-aware stochastic candidate sampling. - Tools include code execution, evaluation implementation, history management, holdout testing, and optional data/visual inspection. - Demonstrated on three scientific imaging tasks: x-ray microscopy registration, Bragg peak detection, and diffraction image segmentation. - Holdout test tracking helps identify algorithms that generalize better, avoiding over-optimization on the development set.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, candidates, candidate, output, eval, base, lora, baseline. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11359v1 Announce Type: new Abstract: Scientific data processing often requires task-specific algorithms or AI models, creating a barrier for domain scientists who need to analyze their data but may not have extensive computing or image-processing expertise. This barrier is especially pronounced when data are noisy, have a high dynamic range, are sparsely labeled, or are only loosely specified. We introduce CVEvolve, an autonomous agentic harness with a zero-code interface for scientific data-processing algorithm discovery. CVEvolve combines a multi-round search strategy with tools for code execution, evaluation implementation, history management, holdout testing, and optional inspection of scientific data and visual outputs. The search alternates between discovery and improvement actions, and uses lineage-aware stochastic candidate sampling to balance exploration and exploitation. We demonstrate CVEvolve on x-ray fluorescence microscopy image registration, Bragg peak detection, and high-energy diffraction microscopy image segmentation. Across these tasks, CVEvolve discovers algorithms that improve over baseline methods, while holdout test tracking helps identify candidates that generalize better than later over-optimized alternatives. These results show that zero-code, autonomous LLM-powered algorithm development can help domain scientists turn unstructured scientific image data into practical algorithms and downstream scientific discoveries.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  43. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11341unread

    CPEMH: An Agentic Framework for Prompt-Driven Behavior Evaluation and Assurance in Foundation-Model Systems for Mental Health Screening

    Giuliano Lorenzoni (University of Waterloo), Ivens Portugal (University of Waterloo), Paulo Alencar (University of Waterloo), Donald Cowan (University of Waterloo) · 2026-05-13

    The authors built CPEMH, a system that uses multiple AI agents working together to automatically design, test, and choose prompts for mental-health screening tasks. Instead of manually tweaking prompts and hoping they work reliably, the framework orchestrates three specialized agents—one to coordinate, one to run inference, and one to evaluate—ensuring that prompt-driven behavior is stable and auditable. They tested it on depression screening from interview transcripts and found that modular orchestration helps keep foundation-model behavior predictable in sensitive clinical settings. **Main takeaways:** - Uses an "agentic" architecture where separate agents design prompts, run them, and measure their performance, all coordinated automatically. - Focuses on behavioral assurance: making sure the model's responses are stable and traceable across different contexts, not just accurate once. - Case study on depression screening shows the framework can stabilize model behavior in conversational clinical domains. - Emphasizes simplicity over complexity—stability matters more than fancy architecture—and tracks F1, bias, and robustness as acceptance criteria. - Provides an engineering methodology for controlling prompt-driven variability in foundation models applied to real-world sensitive tasks.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, prompt, base, system, core, screen. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11341v1 Announce Type: new Abstract: This paper presents CPEMH, an agentic framework designed to evaluate prompt-driven behavior in foundation-model systems operating on transcript-based datasets for mental-health screening. CPEMH serves as an engineering methodology for behavioral assurance in large-scale language systems, introducing an orchestrated architecture that autonomously performs the design, evaluation, and selection of prompt strategies, enabling systematic control of behavioral variability across contexts. Its modular agentic design, combining orchestrator, inference, and evaluation agents, ensures traceability, reproducibility, and robustness throughout the prompting lifecycle. A case study on automated depression screening from interview transcripts demonstrates the framework's capacity to stabilize and audit foundation-model behavior in conversational and clinically sensitive domains. Lessons learned emphasize the role of modular orchestration in behavioral assurance, the prioritization of stability over architectural complexity, and the integration of F1, bias, and robustness as core acceptance criteria.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, robustness, evaluation.

  44. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11330unread

    Rethinking Evaluation for LLM Hallucination Detection: A Desiderata, A New RAG-based Benchmark, New Insights

    Wenbo Chen, Veena Padmanabhan, Tootiya Giyahchi, Elaine Wong, Leman Akoglu · 2026-05-13

    The authors argue that existing benchmarks for testing hallucination detectors fall short—they lack long-context RAG examples and don't simulate realistic label noise. They build TRIVIA+, a new benchmark with the longest context in the literature, human-annotated answers, and four different flavors of noisy labels (both sample-dependent and sample-independent). Testing popular hallucination detectors on TRIVIA+ reveals that current methods have a long way to go, basic LLM-as-a-judge baselines are surprisingly competitive, and label noise hurts performance. **Main takeaways:** - Existing hallucination benchmarks don't test detectors on long RAG contexts or under realistic label noise, limiting their usefulness. - TRIVIA+ is a new RAG-based benchmark with the longest contexts available and four curated noise schemes for stress-testing detectors. - Current state-of-the-art detectors leave significant headroom for improvement on RAG tasks. - Simple LLM-as-a-Judge baselines perform competitively with more complex methods. - Label noise—whether from human annotators or automated labeling—degrades detector performance, highlighting robustness gaps.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, base, length, source, under, baseline. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11330v1 Announce Type: new Abstract: Hallucination, broadly referring to unfaithful, fabricated, or inconsistent content generated by LLMs, has wide-ranging implications. Therefore, a large body of effort has been devoted to detecting LLM hallucinations, as well as designing benchmark datasets for evaluating these detectors. In this work, we first establish a desiderata of properties for hallucination detection benchmarks (HDBs) to exhibit for effective evaluation. A critical look at existing HDBs through the lens of our desiderata reveals that none of them exhibits all the properties. We identify two largest gaps: (1) RAG-based grounded benchmarks with long context are severely lacking (partly because length impedes human annotation); and (2) Existing benchmarks do not make available realistic label noise for stress-testing detectors although real-world use-cases often grapple with label noise due to human or automated/weak annotation. To close these gaps, we build and open-source a new RAG-based HDB called T RIVIA+ that underwent a rigorous human annotation process. Notably, our benchmark exhibits all desirable properties including (1) T RIVIA+ contains samples with the longest context in the literature; and (2) we design and share four sets of noisy labels with different, both sample-dependent and sampleindependent, noise schemes. Finally, we perform experiments on RAG-based HDBs, including our T RIVIA+, using popular SOTA detectors that reveal new insights: (i) ample room remains for current detectors to reach the performance ceiling on RAG-based HDBs, (ii) the basic LLM-as-a-Judge baseline performs competitively, and (iii) label noise hinders detection performance. We expect that our findings, along with our proposed benchmark 1 , will motivate and foster needed research on hallucination detection for RAG-based tasks.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  45. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11312unread

    Constraint-Data-Value-Maximization: Utilizing Data Attribution for Effective Data Pruning in Low-Data Environments

    Danilo Brajovic, David A. Kreplin, Marco F. Huber · 2026-05-13

    The authors tackle data pruning in low-data environments where you want to keep only the most valuable training examples. Existing Shapley-based data valuation methods don't work well when you prune aggressively—they optimize for total influence but can leave you with a dataset dominated by a few high-leverage outliers. They propose CDVM (Constraint-Data-Value-Maximization), which adds a penalty to prevent any single test case from being over-represented, yielding more robust performance when only a small fraction of data remains. **Main takeaways:** - Shapley-based data values underperform when pruning to very small dataset sizes because they can over-index on high-leverage outliers. - CDVM frames pruning as constrained optimization: maximize total data influence while penalizing excessive per-test contributions. - On the OpenDataVal benchmark, CDVM delivers strong performance and competitive runtime, especially in low-data regimes. - The approach is about balancing dataset diversity and representativeness, not just total influence. - Useful for scenarios where labeled data is scarce and you need to carefully select which examples to keep for training.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, trained, both, when. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11312v1 Announce Type: new Abstract: Attributing model behavior to training data is an evolving research field. A common benchmark is data removal, which involves eliminating data instances with either low or high values, then assessing a model's performance trained on the modified dataset. Many existing studies leverage Shapley-based data values for this task. In this paper, we demonstrate that these data values are not optimally suited for pruning low-value data when only a limited amount of data remains. To address this limitation, we introduce the Constraint-Data-Value-Maximization (CDVM) approach, which effectively utilizes data attributions for pruning in low-data scenarios. By casting pruning as a constrained optimization that both maximizes total influence and penalizes excessive per-test contributions, CDVM delivers robust performance when only a small fraction of the data is retained. On the OpenDataVal benchmark, CDVM shows strong performance and competitive runtime.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, benchmark.

  46. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11234unread

    The Semantic Training Gap: Ontology-Grounded Tool Architectures for Industrial AI Agent Systems

    Grama Chethan · 2026-05-13

    The authors identify the "semantic training gap": LLMs learn manufacturing vocabulary statistically but lack grounded understanding of operational semantics—the relational structure linking equipment IDs, failure codes, and process parameters. They propose embedding manufacturing ontology directly into the AI tool layer as a typed relational configuration, enforcing semantic constraints at runtime instead of relying on model training. In a controlled experiment with Qwen3-32B, unconstrained tool parameters hallucinated domain identifiers 43% of the time; ontology-grounded parameters reduced this to 0%. **Main takeaways:** - LLMs can use domain vocabulary fluently but make operationally incorrect inferences because they lack grounded relational semantics. - Multi-agent systems compound this into "semantic drift"—errors propagate across agents when each lacks operational grounding. - Proposes a three-operation interface (resolve, contextualize, annotate) with invariants enforced by an orchestration layer. - Controlled experiment: 43% hallucination rate for unconstrained tool parameters, 0% with ontology-grounded constraints. - The 0% rate is an architectural guarantee from runtime enforcement, not model-dependent learning.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, base, trained, system, under, fail, outputs. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11234v1 Announce Type: new Abstract: Large language model (LLM)-based AI agents are increasingly deployed in manufacturing environments for analytics, quality management, and decision support. These agents demonstrate statistical fluency with domain terminology but lack grounded understanding of operational semantics -- the relational structure that connects equipment identifiers, process parameters, failure codes, and regulatory constraints within a specific production context. This paper identifies and formalizes the semantic training gap: a structural disconnect between how AI systems acquire domain vocabulary through training and how manufacturing operations define meaning through ontological relationships. We demonstrate that this gap causes operationally incorrect outputs even when model responses are linguistically precise, and that in multi-agent configurations it produces a compounding failure mode we term semantic drift. To close this gap, we present an architecture that embeds manufacturing ontology directly into the AI tool layer as a typed relational configuration, enforcing semantic constraints at runtime rather than relying on model training. The architecture is formalized as a three-operation interface contract -- resolve, contextualize, annotate -- with invariants enforced by an AIOps orchestration layer. In a controlled experiment across six industry configurations (72 tool invocations using Qwen3-32B), unconstrained tool parameters produced a 43% hallucination rate for domain identifiers; ontology-grounded parameters reduced this to 0%. We validate the approach through a digital twin analytics platform demonstrating that a single codebase with domain-specific ontology configurations eliminates tool-call hallucination and achieves cross-domain configurability without application code changes.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure.

  47. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11232unread

    Rethinking LLMOps for Fraud and AML: Building a Compliance-Grade LLM Serving Stack

    Prathamesh Vasudeo Naik, Naresh Dintakurthi, Yue Wang · 2026-05-13

    The authors build a compliance-grade LLM serving stack for fraud and AML workloads, which have prefix-heavy prompts (reusable policy text, risk taxonomies) and schema-constrained outputs (JSON labels). They combine vLLM runtime tuning, PagedAttention, automatic prefix caching, multi-adapter serving, adapter-aware batching, and speculative decoding. On public-synthetic AML datasets, workload-aware tuning improved throughput from 612–650 to 3,600 requests/hour, reduced P99 latency from 31–38 seconds to 6.4–8.7 seconds, and increased GPU utilization from 12% to 78%. **Main takeaways:** - Fraud/AML compliance prompts are prefix-heavy with reusable policy instructions and schema-constrained outputs, making KV-cache efficiency and prefix reuse critical. - Stack combines vLLM-style runtime tuning, PagedAttention, automatic prefix caching, multi-adapter serving, and speculative decoding. - Workload-aware tuning improved throughput 5–6×, reduced P99 latency 4–5×, and raised GPU utilization from 12% to 78%. - Includes LLM-as-judge quality gate with deterministic compliance checks and multi-judge rubric scoring. - Demonstrates that regulated LLM workloads require specialized serving infrastructure tuned to their prompt structure and output constraints.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, prompt, attention, trained, system, length, under. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11232v1 Announce Type: new Abstract: Fraud detection and anti-money-laundering (AML) compliance are high-value domains for large language models (LLMs), but their serving requirements differ sharply from generic chat workloads. Compliance prompts are often prefix-heavy, schema-constrained, and evidence-rich, combining reusable policy instructions, risk taxonomies, transaction or document context, and short structured outputs such as JSON labels or risk factors. These properties make prefix reuse, KV-cache efficiency, runtime tuning, model orchestration, and output validation first-order systems concerns. This paper introduces a workload-aware LLMOps stack for fraud and AML workloads using self-hosted open-weight models such as Meta Llama and Alibaba Qwen. The stack combines vLLM-style runtime tuning, PagedAttention, Automatic Prefix Caching, multi-adapter serving, adapter and prompt-length-aware batching, sleep/wake lifecycle management, speculative decoding, and optional prefill/decode disaggregation. To avoid exposing institution-specific data, the reproducibility track converts public synthetic AML datasets, including IBM AML and SAML-D, into prefix-heavy compliance prompts with reusable policy text, transaction evidence, typology definitions, and schema-constrained outputs. We also incorporate an LLM-as-judge quality gate using deterministic compliance checks, reference metrics, expert-adjudicated calibration data where available, and multi-judge rubric scoring. Across public-synthetic AML workloads and controlled serving benchmarks, workload-aware tuning improved throughput from 612-650 to 3,600 requests/hour, reduced P99 latency from 31-38 seconds to 6.4-8.7 seconds, and increased GPU utilization from 12% to 78%. These results show that regulated LLM performance is a workload-design, serving-optimization, and quality-gating problem, not only a model-selection problem.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  48. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11225unread

    PIVOT: Bridging Planning and Execution in LLM Agents via Trajectory Refinement

    Tuo Zhang, Alin-Ionut Popa, Yan Xu, Rui Song, Dimitrios Dimitriadis · 2026-05-13

    The authors built PIVOT, a system that helps LLM agents fix their own plans by executing them, seeing what goes wrong, and iteratively refining. The key idea is treating entire trajectories (sequences of actions) as objects you can optimize: the system generates a plan, runs it to collect structured error signals ("textual gradients"), uses those to evolve better plans, and verifies the final result against constraints. On planning benchmarks, PIVOT hit 94% relative improvement in constraint satisfaction with human feedback and retained substantial gains fully autonomously, while using 3–5× fewer tokens than competing methods. **Main takeaways:** - Plans are refined through a four-stage loop: generate candidate trajectories, execute and collect error feedback, evolve improved versions, verify constraints. - A monotonic acceptance rule ensures solution quality never decreases across iterations. - Human-in-the-loop feedback gives the biggest gains, but the core self-supervised loop (no human help) still improves substantially over static planning. - Much more token-efficient than other refinement approaches—uses a fraction of the compute for similar or better results. - Shows that feedback-driven trajectory optimization is a principled way to close the gap between what an agent plans and what actually works in execution.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, candidate, eval, tokens, base, system, same, token. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11225v1 Announce Type: new Abstract: Large language model (LLM)-based agents frequently generate seemingly coherent plans that fail upon execution due to infeasible actions, constraint violations, and compounding errors over extended horizons. PIVOT (Plan-Inspect-eVOlve Trajectories) addresses this plan-execution misalignment through a self-supervised framework that treats trajectories as optimizable objects iteratively refined via environment interaction. The framework comprises four stages: PLAN generates candidate trajectories; INSPECT executes them and computes structured losses with textual gradients encoding plan-execution discrepancies; EVOLVE applies these signals to produce improved trajectories; and VERIFY performs a final global check against task constraints. A monotonic acceptance process ensures a non-decreasing solution quality. Empirical evaluations on DeepPlanning and GAIA demonstrate state-of-the-art performance: with human-in-the-loop (HITL) feedback, PIVOT establishes a strong upper bound up to 94% relative improvement in constraint satisfaction, while its fully autonomous variant retains substantial gains, showing that the core trajectory-refinement mechanism remains effective without external supervision. At the same time, PIVOT remains computationally efficient, requiring up to 3x to 5x fewer tokens than competing refinement methods. These findings establish that (self- or human-supervised) feedback-based trajectory optimization is a principled methodology for mitigating plan-execution gaps in autonomous agent systems.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  49. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11223unread

    Do Vision-Language-Models show human-like logical problem-solving capability in point and click puzzle games?

    Dominik Helfenstein, Marco Menner, Maximilian Triebel · 2026-05-13

    The authors created VLATIM, a benchmark using the classic puzzle game *The Incredible Machine 2* to test whether vision-language models can do human-like logical problem-solving that requires both planning and precise mouse control. The benchmark has five difficulty levels, from basic visual recognition to full puzzle solving. Results show a big gap: large proprietary models can reason about what to do but struggle with precise visual grounding (e.g., clicking the right spot), so they don't yet match human-like problem-solving. **Main takeaways:** - Existing VLM benchmarks skip the hard part: translating high-level reasoning into continuous, precise actions (like point-and-click). - The benchmark tests five capabilities: visual grounding, domain understanding, object manipulation, multi-step tasks, and full puzzle solving. - Big models plan well but fail at execution—they can't reliably ground their plans in precise visual coordinates. - The reasoning-execution gap is the main bottleneck preventing human-like performance on interactive tasks. - Physics puzzle games expose failure modes that simpler benchmarks miss.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, under, space, look. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11223v1 Announce Type: new Abstract: Vision-Language(-Action) Models (VLMs) are increasingly applied to interactive environments, yet existing benchmarks often overlook the complex physical reasoning required for point-and-click puzzle games. This paper introduces Vision-Language Against The Incredible Machine (VLATIM), a benchmark designed to evaluate human-like logical problem-solving capabilities within the classic physics puzzle game The Incredible Machine 2 (TIM). Unlike existing benchmarks, VLATIM specifically targets the critical gap between high-level logical reasoning and continuous action spaces requiring precise mouse interactions. This benchmark is structured into five progressive parts, assessing capabilities that range from basic visual grounding and domain understanding to multi-step manipulation and full puzzle solving. Our results reveal a significant disparity between reasoning and execution. While large proprietary models demonstrate superior planning abilities, they struggle with precise visual grounding. Consequently, they do not yet show human-like problem-solving capabilities.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  50. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11218unread

    Don't Look at the Numbers: Visual Anchoring Bias and Layer-wise Representation in VLMs

    M. Shalankin · 2026-05-13

    The author found that putting numeric labels (like "quality score: 3") directly on images systematically biases vision-language models' quality judgments—this "anchoring bias" is 2.5× stronger than the effect of severely degrading the actual image quality. Layer-by-layer probing of the model's internal representations reveals a dissociation: the layers where the model first understands the anchor number (early-to-mid layers) are not the same layers that best predict actual quality (deeper layers). Some architectures fuse vision and language immediately at layer 1–2, while others show partial or no fusion. **Main takeaways:** - Numeric anchors on images bias VLM quality judgments far more than actual image quality changes—it's a robust, causal effect across six models. - The layers where the model "reads" the anchor saturate early (layers 12–34), but the best layers for predicting real quality are deeper. - This dissociation suggests the model processes the anchor separately from the actual visual quality signal. - Fusion timing (when vision and language combine) varies by architecture: some fuse instantly, others never fully integrate. - Visual anchoring bias isn't reducible to the anchor changing what the image looks like—it's a true cognitive-style bias in the model.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, predict, where. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11218v1 Announce Type: new Abstract: Embedded numeric anchors on images systematically bias Vision-Language Model quality judgments across six VLMs from five architectural families (ANOVA eta^2 = 0.18-0.77, all p < 0.001). Anchor effects are 2.5x larger than severe image quality degradation, confirming bias is not reducible to visual changes. Layer-wise probing reveals consistent dissociation: layers where anchor classification saturates (L12-L34) are suboptimal for quality prediction, with optimal layers deeper (R^2 = 0.69-0.91). Fusion analysis identifies architecture-dependent integration -- instant fusion at L1-L2 in two models versus partial or no fusion in three others. These results establish a causal account of visual anchoring bias, linking behavioral susceptibility to representation dynamics.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  51. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11182unread

    The Many Faces of On-Policy Distillation: Pitfalls, Mechanisms, and Fixes

    Siqi Zhu, Xuyan Ye, Hongyu Lu, Weiye Shi, Ge Liu · 2026-05-13

    The authors investigate when on-policy distillation (OPD, where a student learns from a teacher on the student's own outputs) and on-policy self-distillation (OPSD, where a model learns from itself conditioned on extra information) succeed or fail. They find OPD on math reasoning is fragile and sensitive to teacher choice and loss function, while OPSD fails when the extra "privileged information" (like a hint) is unique to each problem but works when it's a shared rule (like a system prompt or alignment preference). Three failure mechanisms: (1) teacher-student distribution mismatch from conditioning on student prefixes, (2) optimization instability from biased gradients in TopK reverse-KL, and (3) OPSD can't learn instance-specific hints because it averages over hint-conditioned teachers. Fixes include stop-gradient objectives, adapted teachers, and SFT stabilization. **Main takeaways:** - OPD (student learns from teacher on student's own rollouts) is unstable for math reasoning—highly sensitive to which teacher you pick and which loss you use. - OPSD (model learns from itself + extra info) works when the info is a general rule (system prompt, alignment preferences) but fails when the info is problem-specific (instance hints). - The OPSD failure on instance-specific info happens because the student learns a single policy that averages over all hint-conditioned behaviors, which doesn't help at test time when you don't have the hint. - Distribution mismatch (teacher sees student prefixes it wouldn't generate itself) and biased gradients (TopK reverse-KL) cause training instability. - Mitigation strategies: stop-gradient TopK objectives, adapting the teacher with RLVR, and stabilizing the student with supervised fine-tuning first.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, system, token, fail, where, on-policy, when. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11182v1 Announce Type: new Abstract: On-policy distillation (OPD) and on-policy self-distillation (OPSD) have emerged as promising post-training methods for large language models, offering dense token-level supervision on trajectories sampled from the model's own policy. However, existing results on their effectiveness remain mixed: while OP(S)D has shown promise in system prompt and knowledge internalization, recent studies also report instability and degradation. In this work, we present a comprehensive empirical study of when OPD and OPSD work, when they fail, and why. We find that OPD on mathematical reasoning is highly sensitive to teacher choice and loss formulation, whereas OPSD fails in our tested settings due to test-time absence of instance-specific privileged information (PI). In contrast, OPSD is effective when PI represents a shared latent rule, such as a system prompt or alignment preference. We identify three failure mechanisms: (1) distribution mismatch between teacher and student caused by conditioning on student-generated prefixes, (2) optimization instability from biased TopK reverse-KL gradients, and (3) an OPSD-specific limitation where the student learns a PI-free policy that aggregates PI-conditioned teachers, which is insufficient when PI is instance-specific. We further show that stop-gradient TopK objectives, RLVR-adapted teachers, and SFT-stabilized students mitigate these failures.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, failures, limitation, bias.

  52. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11169unread

    OLIVIA: Online Learning via Inference-time Action Adaptation for Decision Making in LLM ReAct Agents

    Sheldon Yu, Junda Wu, Xintong Li, Nikki Lijing Kuang, Sizhe Zhou, Tong Yu, Jiawei Han, Jingbo Shang, Julian McAuley · 2026-05-13

    The authors built OLIVIA, a system that lets ReAct agents (LLMs that reason, act, observe in a loop) improve their action choices during deployment through online learning. The key idea is modeling the final action-selection step as a contextual bandit: the system scores candidate actions using the LLM's frozen hidden states as context, maintains uncertainty estimates, and updates online from action-level feedback using upper-confidence-bound exploration. This adapts behavior directly at the action interface without retraining the LLM or changing its reasoning process. On four benchmarks, OLIVIA consistently beats static ReAct and prompt-based adaptation with minimal compute overhead. **Main takeaways:** - Most inference-time adaptation for agents uses prompting or retrieval, which influences behavior indirectly through context—OLIVIA instead adapts the final action-selection layer directly. - The action layer is modeled as a lightweight linear bandit over candidate actions, with the LLM's frozen hidden states as decision features. - This design gives explicit uncertainty estimates, lets you update from action-level feedback online, and preserves the underlying reasoning process. - Upper-confidence-bound exploration makes the policy improve sample-efficiently with low computational cost. - Consistently outperforms static ReAct and prompt-based baselines across benchmarks, showing that explicit online decision layers are a viable alternative to pure prompting.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: candidate, eval, prompt, base, lora, under, baseline, core. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11169v1 Announce Type: new Abstract: Large language model agents interleave reasoning, action selection, and observation to solve sequential decision-making tasks. In deployed settings where agents repeatedly handle related multi-step tasks, small action-selection errors can accumulate into wasted tool calls, latency, and reduced reliability. Despite this need for deployment-time improvement, existing inference-time adaptation methods for LLM agents mainly rely on prompting or retrieval, which influence behavior indirectly through context manipulation. For ReAct-style agents, such approaches do not expose an explicit decision layer that can score candidate actions, represent uncertainty, or be updated online from action-level feedback. As a result, they provide limited support for trackable, fine-grained, and uncertainty-aware adaptation during deployment. We propose OLIVIA, an inference-time action adaptation framework for ReAct-style agents. OLIVIA models the LLM's final action-selection layer as a contextual linear bandit over candidate actions, with frozen hidden states as decision contexts. This choice is particularly suitable for deployment because it adapts behavior directly at the action-selection interface, preserves the underlying reasoning process, and provides explicit uncertainty estimates and lightweight online updates from action-level feedback. With upper-confidence-bound exploration, OLIVIA improves the policy sample-efficiently with minimal computational overhead. We instantiate OLIVIA on four benchmarks and show that it consistently improves task performance over static ReAct and prompt-based inference-time baselines. Our results suggest that explicit online decision layers provide an effective alternative to purely prompt- or retrieval-based adaptation for LLM agents during deployment.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses benchmark.

  53. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11151unread

    RankQ: Offline-to-Online Reinforcement Learning via Self-Supervised Action Ranking

    Andrew Choi, Wei Xu · 2026-05-13

    The authors propose RankQ, an offline-to-online reinforcement learning method that improves Q-learning by adding a self-supervised ranking loss. Instead of uniformly penalizing out-of-distribution actions (the standard pessimism approach), RankQ learns relative preferences between actions, shaping the Q-function so gradients point toward better behaviors. This helps when the offline dataset contains suboptimal actions—prior methods anchor too hard to dataset actions and limit downstream improvement. On D4RL sparse-reward benchmarks and vision-based robot learning, RankQ matches or beats prior methods, achieving 42.7% higher success in low-data VLA fine-tuning and 13.7% improvement in high-data settings, with strong sim-to-real transfer (cube stacking success from 43% to 85%). **Main takeaways:** - Standard offline RL methods impose pessimism by down-weighting unseen actions, which acts like behavior cloning and limits improvement when the dataset is suboptimal. - RankQ adds a multi-term ranking loss to TD learning, teaching the Q-function to order actions by quality rather than just penalizing anything not in the dataset. - This directs action gradients toward higher-quality behaviors, enabling better online fine-tuning from limited data. - Competitive or superior to seven prior methods on D4RL benchmarks; particularly strong in vision-based robot learning with pretrained VLA models. - Achieves strong real-world transfer, nearly doubling cube-stacking success rate over the initial VLA policy.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, trained, space, when. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11151v1 Announce Type: new Abstract: Offline-to-online reinforcement learning (RL) improves sample efficiency by leveraging pre-collected datasets prior to online interaction. A key challenge, however, is learning an accurate critic in large state--action spaces with limited dataset coverage. To mitigate harmful updates from value overestimation, prior methods impose pessimism by down-weighting out-of-distribution (OOD) actions relative to dataset actions. While effective, this essentially acts as a behavior cloning anchor and can hinder downstream online policy improvement when dataset actions are suboptimal. We propose RankQ, an offline-to-online Q-learning objective that augments temporal-difference learning with a self-supervised multi-term ranking loss to enforce structured action ordering. By learning relative action preferences rather than uniformly penalizing unseen actions, RankQ shapes the Q-function such that action gradients are directed toward higher-quality behaviors. Across sparse reward D4RL benchmarks, RankQ achieves performance competitive with or superior to seven prior methods. In vision-based robot learning, RankQ enables effective offline-to-online fine-tuning of a pretrained vision-language-action (VLA) model in a low-data regime, achieving on average a 42.7% higher simulation success rate than the next best method. In a high-data setting, RankQ improves simulation performance by 13.7% over the next best method and achieves strong sim-to-real transfer, increasing real-world cube stacking success from 43.1% to 84.7% relative to the VLA's initial performance.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  54. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11136unread

    EVOCHAMBER: Test-Time Co-evolution of Multi-Agent System at Individual, Team, and Population Scales

    Yaolun Zhang, Tianyi Xu, Shengyu Dai, Zhenwen Shao, Qingyun Wu, Huazheng Wang · 2026-05-13

    The authors argue that multi-agent test-time learning is fundamentally different from single-agent learning because it evolves not just individual memories but also team composition, collaboration structures, and knowledge flow across a population. They built EVOCHAMBER, a training-free framework with three levels of evolution: individual agents use "Collaborative Dreaming" (CODREAM) to reflect after failures and route insights asymmetrically from strong to weak agents on specific niches; teams assemble online based on task needs; and population-level operators fork, merge, prune, and seed agents under performance pressure. Starting from identical agents, the system spontaneously produces 4–5 stable specialists, outperforming baselines by 32% relative on competition math. **Main takeaways:** - Multi-agent evolution isn't just N copies of single-agent learning—it evolves collaboration structure, specialization, and cross-agent knowledge flow. - CODREAM: after team failure or disagreement, agents collaboratively reflect and route insights asymmetrically (strong → weak on the failed niche), preserving specialization. - Team-level operators dynamically assemble niche-conditioned teams and select collaboration structures online. - Population-level lifecycle: fork, merge, prune, seed agents based on performance, creating evolutionary pressure. - Starting from identical agents, 4–5 stable niche specialists emerge spontaneously—a structural signature impossible in single-agent systems.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, trigger, github, base, system, identical, under. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11136v1 Announce Type: new Abstract: We argue that multi-agent test-time evolution is not single-agent evolution replicated N times. A single-agent learner can only evolve its own context and memory. A multi-agent system additionally evolves who collaborates, how they collaborate, and how knowledge flows across the population. These components have no single-agent counterpart and can produce phenomena such as emergent specialization. Yet prior test-time methods either confine experiences to individual agents, forfeiting cross-agent learning, or broadcast symmetrically to all agents, erasing the specialization that makes collaboration valuable. We present EVOCHAMBER, a training-free framework that instantiates test-time evolution at three levels over a coevolving agent pool. At its core is CODREAM (Collaborative Dreaming), a post-task protocol triggered on team failure or disagreement, in which agents collaboratively reflect, distill insights, and route them asymmetrically from strong to weak agents on the failed niche, preserving specialization while filling knowledge gaps. Team-level operators assemble niche-conditioned teams and select collaboration structures online. Population-level lifecycle operators fork, merge, prune, and seed agents under performance pressure. On three heterogeneous task streams with Qwen3-8B, EVOCHAMBER reaches 63.9% on competition math, 75.7% on code, and 87.1% on multi-domain reasoning, outperforming the best baseline by 32% relative on math and confirming asymmetric cross-agent transfer as the primary driver in ablation. Starting from several identically initialized agents, four to five stable niche specialists spontaneously emerge, a structural signature of multi-agent evolution that no single-agent learner can express. See our code at: https://github.com/Mercury7353/EvoChamber

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure.

  55. score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.11118unread

    A Cascaded Generative Approach for e-Commerce Recommendations

    Moein Hasani, Hamidreza Shahidi, Trace Levinson, Yuan Zhong, Guanghua Shu, Vinesh Gudla, Tejaswi Tenneti · 2026-05-13

    The authors redesigned a large e-commerce storefront using a cascaded generative approach: first, an LLM generates themes for each page section ("placement"), then generates constrained keywords per placement to retrieve products. They use teacher-student fine-tuning to make this scalable under production latency and cost constraints, with fine-tuned models approaching closed-weight LLM performance. AI-driven content evaluation and quality filtering enable safe automated deployment. The generative output is fused with traditional ranking models. Online experiments show +2.7% lift in cart adds per page view over the baseline. **Main takeaways:** - Traditional e-commerce storefronts are rigid: static themes, independent retrieval, pointwise rankers—limits personalization and semantic cohesion. - Cascaded generative approach: LLM generates placement themes, then generates keywords per placement to power product retrieval. - Teacher-student fine-tuning makes this scalable and fast enough for production; fine-tuned models nearly match closed-weight LLM performance. - AI-driven evaluation and quality filtering enable safe automated deployment of dynamic content at scale. - Generative output fused with traditional rankers to preserve existing infrastructure; online A/B test shows +2.7% cart-add lift.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: persona, output, eval, base, trained, system, under, baseline. Source: arxiv cs.AI (Artificial Intelligence).

    arXiv:2605.11118v1 Announce Type: new Abstract: Personalized storefronts in large e-commerce marketplaces are often assembled from many independent components: static themes per page section ("placement"), retrieval systems to fetch eligible products per placement, and pointwise rankers to order content. While effective in optimizing for aggregate preferences, this paradigm is rigid and can limit personalization and semantic cohesion across the page. This makes it poorly suited to support dynamic objectives and merchandising requirements over time. To address this, we introduce a cascaded merchandising framework that decomposes storefront construction into two generative tasks: (i) placement-level theme generation and (ii) constrained keyword generation per placement to power product retrieval. Teacher-student fine-tuning is leveraged to improve scalability of this framework under production latency and cost constraints. Fine-tuned model ablations are shown to approach closed-weight LLM performance. We further contribute frameworks for AI-driven content evaluation and quality filtering, enabling safe and automated deployment of dynamic content at scale. Generative output is fused with traditional ranking models to preserve hybrid infrastructure. In online experiments, this framework yields an estimated +2.7% lift in cart adds per page view over a strong baseline.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  56. score 100arxiv cs.CL (NLP)arxiv:2605.11629unread

    OmniThoughtVis: A Scalable Distillation Pipeline for Deployable Multimodal Reasoning Models

    Yuanhao Yue, Chengyu Wang, Yuanjie Lyu, Lei Shen, Jun Huang · 2026-05-13

    The authors built a pipeline to distill reasoning ability from large vision-language models into smaller ones that are fast enough to deploy in production. They curated 1.8M high-quality chain-of-thought examples from teacher models, filtered them by difficulty and diversity, then used them to train smaller Qwen3-VL models (2B-8B parameters). The distilled 4B model matched or beat the undistilled 8B baseline on several vision-reasoning benchmarks, showing you can compress reasoning capability without losing much performance. **Main takeaways:** - Distilling chain-of-thought reasoning from big multimodal models to small ones makes deployment practical without sacrificing much accuracy - Their 1.8M-sample dataset includes difficulty ratings and task tags, letting you control what kind of reasoning examples you train on - A 4B distilled model matched an 8B undistilled model on several tasks, and improved +16.8 points on MathVerse - The pipeline combines rule-based filtering, difficulty-aware sampling, and semantic tags to maintain quality at scale - Shows that lack of high-quality CoT supervision is the main bottleneck for smaller models, not inherent capability limits

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, source, baseline. Source: arxiv cs.CL (NLP).

    arXiv:2605.11629v1 Announce Type: new Abstract: Recent multimodal large language models (MLLMs) have shown strong chain-of-thought (CoT) reasoning ability on vision-language tasks, but their direct deployment in real-world systems is often limited by latency and resource constraints. In practice, smaller MLLMs are preferred for online serving, yet their reasoning performance is bottlenecked by the lack of large-scale, high-quality multimodal CoT supervision. In this paper, we present OmniThoughtVis, a scalable data curation and distillation pipeline for transferring multimodal reasoning capabilities from high-capacity teacher models to smaller, deployment-oriented MLLMs. Starting from a diverse open-source seed pool, our pipeline generates structured CoT traces and performs joint annotation of reasoning difficulty, answer quality, and semantic task tags. To maintain data quality at scale, we combine rule-based filtering, difficulty-aware selection, and tag-based diversity sampling, resulting in a curated corpus of 1.8M samples that supports controllable subset construction for downstream training. We use OmniThoughtVis to distill Qwen3-VL models from 2B to 8B parameters and evaluate them on nine multimodal reasoning benchmarks. The resulting distilled models show consistent gains across model scales, including improvements of up to +16.8 points on MathVerse and +5.6 points on MMMU-Pro for the 4B model. Notably, the distilled 4B model matches or surpasses the undistilled 8B baseline on several tasks, highlighting the practical value of scalable reasoning distillation for deployment-oriented MLLMs.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  57. score 100arxiv cs.CL (NLP)arxiv:2605.11608unread

    PRISM: A Geometric Risk Bound that Decomposes Drift into Scale, Shape, and Head

    Chieh-Yen Lin, Shao-Hua Sun · 2026-05-13

    The authors propose PRISM, a method to diagnose *how* post-training modifications (quantization, LoRA, distillation) change an LLM, not just whether they degrade it. They derive a mathematical upper bound on the quality gap between original and modified models by exploiting the linear output head and near-isometric backbone structure, then decompose the drift into three independent dimensions: scale mismatch, shape distortion, and head divergence. Each dimension corresponds to a different failure mode and suggests specific fixes, and the shape term can be used as a regularizer during training to prevent forgetting. **Main takeaways:** - Existing similarity metrics (CKA, SVCCA) flag degradation but don't explain what went wrong or suggest remedies - PRISM decomposes model drift into three axes: scale (magnitude mismatch), shape (geometric distortion), and head (output-layer divergence) - Each axis maps to specific problems: shape breaks under low-bit quantization, scale separates under LoRA forgetting, head diverges under k-quantization - Ranks model variants with ~0.82 Spearman correlation to actual performance, helping choose which variant to deploy - The shape term is differentiable and works as a training regularizer, outperforming experience replay at preventing catastrophic forgetting

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, same, similarity, lora, under, fail, core. Source: arxiv cs.CL (NLP).

    arXiv:2605.11608v1 Announce Type: new Abstract: Comparing post-training LLM variants, such as quantized, LoRA-adapted, and distilled models, requires a diagnostic that identifies how a variant has drifted, not only whether it has degraded. Existing similarity scores such as CKA and SVCCA can flag degradation, but they do not directly link representation drift to risk or mechanism. We propose PRISM, Proxy Risk Inference via Structural Mapping, which exploits the linear output head of LLMs and the empirically near-isometric structure of their backbones to derive a closed-form upper bound on the cross-entropy risk gap between a target model and a post-training variant. The bound is calibrated for variant ranking and decomposes drift into three independently measurable axes: scale mismatch, shape mismatch, and head divergence. Each axis corresponds to a distinct failure mode, including shape distortion under low-bit quantization, scale separability under LoRA forgetting, and head divergence under GGUF k-quantization. As a result, the dominant axis suggests a remediation direction rather than merely raising a degradation flag. Because the shape term is differentiable, the same geometry can also serve as a training-time regularizer against catastrophic forgetting. Across two model families and five benchmarks, PRISM ranks variants with mean Spearman correlations of 0.820 for post-training quantization and 0.831 for LoRA forgetting, and its axis-guided shape regularizer outperforms experience replay in aggregate at mitigating downstream forgetting.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, benchmark.

  58. score 100arxiv cs.CL (NLP)arxiv:2605.11601unread

    DiffScore: Text Evaluation Beyond Autoregressive Likelihood

    Wen Lai, Yingli Shen, Dingnan Jin, Qing Cui, Jun Zhou, Maosong Sun, Alexander Fraser · 2026-05-13

    The authors argue that evaluating text with standard autoregressive language models introduces positional bias—early tokens are scored with less context than later ones—and propose DiffScore, which uses masked diffusion models to score every token with full bidirectional context. By measuring how well text can be reconstructed at different masking rates, DiffScore creates a quality hierarchy from local fluency to global coherence and provides diagnostic tools like multi-timestep profiles and bidirectional PMI decomposition that separate fluency from faithfulness. **Main takeaways:** - Autoregressive evaluation gives early tokens less context, conflating architectural asymmetry with actual text quality - DiffScore uses masked reconstruction at varying masking rates, so every token is scored with full bidirectional context - Multi-timestep profiles show how quality changes across masking rates, revealing whether problems are local (fluency) or global (coherence) - Bidirectional PMI decomposition separates fluency (word choice) from faithfulness (semantic accuracy) - Outperforms autoregressive baselines across ten benchmarks in both zero-shot and fine-tuned settings

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, latin, github, eval, tokens, base, timestep. Source: arxiv cs.CL (NLP).

    arXiv:2605.11601v1 Announce Type: new Abstract: Autoregressive language models are widely used for text evaluation, however, their left-to-right factorization introduces positional bias, i.e., early tokens are scored with only leftward context, conflating architectural asymmetry with true text quality. We propose masked reconstruction as an alternative paradigm, where every token is scored using full bidirectional context. We introduce DiffScore, an evaluation framework built on Masked Large Diffusion Language Models. By measuring text recoverability across continuous masking rates, DiffScore eliminates positional bias and naturally establishes an evaluation hierarchy from local fluency to global coherence. We further provide diagnostic tools unavailable to autoregressive frameworks: multi-timestep quality profiles that decompose scores across masking rates, and bidirectional PMI decomposition that disentangles fluency from faithfulness. Experiments across ten benchmarks show that DiffScore consistently outperforms autoregressive baselines in both zero-shot and fine-tuned settings. The code is released at: https://github.com/wenlai-lavine/DiffScore.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, evaluation, benchmark.

  59. score 100arxiv cs.CL (NLP)arxiv:2605.11538unread

    Taming Extreme Tokens: Covariance-Aware GRPO with Gaussian-Kernel Advantage Reweighting

    Cheng Wang, Qin Liu, Wenxuan Zhou, Muhao Chen · 2026-05-13

    This paper proposes a modification to Group Relative Policy Optimization (GRPO) that addresses training instability by automatically down-weighting extreme token-level updates using a Gaussian kernel. The method is motivated by the theoretical relationship between entropy changes and the covariance between token probabilities and advantages, and requires no additional hyperparameters. Experiments show improved reasoning performance and more stable entropy compared to standard GRPO. **Main takeaways:** - GRPO struggles with exploration-exploitation tradeoffs, leading to suboptimal performance and training instability - The proposed covariance-weighted method uses a Gaussian kernel to automatically reduce extreme token updates without manual hyperparameter tuning - Improves downstream reasoning benchmark performance while stabilizing entropy throughout training - Based on theoretical insight that entropy changes are governed by covariance between token probabilities and advantages

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: eval, token, lora, compare. Source: arxiv cs.CL (NLP).

    arXiv:2605.11538v1 Announce Type: new Abstract: Group Relative Policy Optimization (GRPO) has emerged as a promising approach for improving the reasoning capabilities of large language models. However, it struggles to effectively balance the tradeoff between exploration and exploitation during training, often resulting in suboptimal performance. Motivated by the theoretical insight that changes in entropy are governed by the covariance between token probabilities and their corresponding advantages, we propose a hyperparameter-free, covariance-weighted optimization method that dynamically down-weights extreme token-level updates via a Gaussian kernel. This approach automatically reduces the instability caused by exploration-exploitation trade-off while preserving informative learning signals. Extensive empirical evaluations show that our approach improves downstream performance across reasoning benchmarks compared with GRPO, and effectively stablizes entropy as training progresses.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses evaluation, benchmark.

  60. score 100arxiv cs.CL (NLP)arxiv:2605.11533unread

    Checkup2Action: A Multimodal Clinical Check-up Report Dataset for Patient-Oriented Action Card Generation

    Sike Xiang, Shuang Chen, Kevin Qinghong Lin, Jialin Yu, Yijia Sun, Philip Torr, Amir Atapour-Abarghouei · 2026-05-13

    The authors introduce a dataset of 2,000 real-world clinical check-up reports (with multimodal content like tables, images, and biomarkers) and ask models to generate structured "Action Cards" that tell patients what to do next—prioritized issues, which department to visit, timing, and patient-friendly explanations. They benchmark general-purpose and medical LLMs on this task, finding clear trade-offs between coverage (catching all issues), correctness, conciseness, and safety (not making diagnostic claims). **Main takeaways:** - Clinical check-up reports mix page layouts, tables, images, and domain jargon—hard for patients to interpret - Action Cards structure the output: priority, department, timing, explanation, questions for clinicians, without diagnosing - Dataset has 2,000 de-identified reports covering demographics, labs, imaging, and physician summaries - Current LLMs show trade-offs: better issue coverage often hurts safety or conciseness

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: marker, rate, issue, eval, trained, under, aims, question. Source: arxiv cs.CL (NLP).

    arXiv:2605.11533v1 Announce Type: new Abstract: Clinical check-up reports are multimodal documents that combine page layouts, tables, numerical biomarkers, abnormality flags, imaging findings, and domain-specific terminology. Such heterogeneous evidence is difficult for laypersons to interpret and translate into concrete follow-up actions. Although large language models show promise in medical summarisation and triage support, their ability to generate safe, prioritised, and patient-oriented actions from multimodal check-up reports remains under-benchmarked. We present \textbf{Checkup2Action}, a multimodal clinical check-up report dataset and benchmark for structured \textit{Action Card} generation. Each card describes one clinically relevant issue and specifies its priority, recommended department, follow-up time window, patient-facing explanation, and questions for clinicians, while avoiding diagnostic or treatment-prescriptive claims. The dataset contains 2,000 de-identified real-world check-up reports covering demographic information, physical examinations, laboratory tests, cardiovascular assessments, imaging-related evidence, and physician summaries. We formulate checkup-to-action generation as a constrained structured generation task and introduce an evaluation protocol covering issue coverage and precision, priority consistency, department and time recommendation accuracy, action complexity, usefulness, readability, and safety compliance. Experiments with general-purpose and medical large language models reveal clear trade-offs between issue coverage, action correctness, conciseness, and safety alignment. Checkup2Action provides a new multimodal benchmark for evaluating patient-oriented reasoning over clinical check-up reports.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  61. score 100arxiv cs.CL (NLP)arxiv:2605.11513unread

    A Study on Hidden Layer Distillation for Large Language Model Pre-Training

    Maxime Guigon, Lucas Dixon, Micha\"el E. Sander · 2026-05-13

    Most knowledge distillation for LLMs uses only the teacher's output logits, ignoring intermediate layer representations. The authors test Hidden Layer Distillation (HLD)—matching student hidden states to teacher hidden states—during decoder-only pretraining at scale (up to 168B tokens, Gemma3 3.4B teacher, 123M and 735M students). HLD consistently lowers perplexity compared to standard logit-based distillation, but doesn't reliably improve downstream task performance, suggesting the signal is there but not yet actionable for real-world use. **Main takeaways:** - Hidden Layer Distillation matches student intermediate representations to teacher representations, not just output logits - Tested at scale: up to 168B tokens from C4, teacher is Gemma3 3.4B, students are 123M and 735M - HLD systematically reduces perplexity versus logit-based distillation across all configurations - But HLD doesn't consistently beat logit-based KD on downstream task benchmarks—perplexity gains don't transfer to performance

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: output, eval, tokens, base, trained, system, token, baseline. Source: arxiv cs.CL (NLP).

    arXiv:2605.11513v1 Announce Type: new Abstract: Knowledge Distillation (KD) is a critical tool for training Large Language Models (LLMs), yet the majority of research focuses on approaches that rely solely on output logits, neglecting semantic information in the teacher's intermediate representations. While Hidden Layer Distillation (HLD) showed potential for encoder architectures, its application to decoder-only pre-training at scale remains largely unexplored. Through compute-controlled experiments, we benchmark HLD against logit-based KD and self-supervised baselines with Gemma3 3.4B as teacher and 123M and 735M students trained on up to 168B tokens from the C4 dataset. Our experiments show that HLD does not consistently outperform standard KD on downstream evaluation tasks. Nevertheless, we show that HLD can yield a systematic perplexity gain over KD across all shared-hyperparameter configurations, suggesting that a latent signal can be extracted, but a breakthrough may be needed for it to play a more significant role in LLM pre-training.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses evaluation, benchmark.

  62. score 100arxiv cs.CL (NLP)arxiv:2605.11502unread

    Robust Biomedical Publication Type and Study Design Classification with Knowledge-Guided Perturbations

    Shufan Ming, Joe D. Menke, Neil R. Smalheiser, Halil Kilicoglu · 2026-05-13

    Classifying biomedical papers by publication type and study design is important for evidence synthesis, but models trained for high in-domain accuracy often rely on superficial cues (like topic words) rather than true methodological signals, making them brittle under distribution shift. The authors introduce an evaluation framework using controlled semantic perturbations and training strategies (entity masking plus domain-adversarial training) to push models toward relying on explicit methodological language instead of spurious topical correlations. Results show you can improve robustness without sacrificing in-domain accuracy if you selectively suppress non-task-defining features. **Main takeaways:** - Models often classify publication types using topical shortcuts (e.g., "cancer" → observational study) instead of methodology words - Controlled perturbations (e.g., swapping entity names) reveal this brittleness under distribution shift - Entity masking + domain-adversarial training forces models to rely on explicit methodological cues - Robustness and in-domain accuracy can both improve if you selectively suppress spurious features while preserving salient ones

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, eval, base, trained, same, under. Source: arxiv cs.CL (NLP).

    arXiv:2605.11502v1 Announce Type: new Abstract: Accurately and consistently indexing biomedical literature by publication type and study design is essential for supporting evidence synthesis and knowledge discovery. Prior work on automated publication type and study design indexing has primarily focused on expanding label coverage, enriching feature representations, and improving in-domain accuracy, with evaluation typically conducted on data drawn from the same distribution as training. Although pretrained biomedical language models achieve strong performance under these settings, models optimized for in-domain accuracy may rely on superficial lexical or dataset-specific cues, resulting in reduced robustness under distributional shift. In this study, we introduce an evaluation framework based on controlled semantic perturbations to assess the robustness of a publication type classifier and investigate robustness-oriented training strategies that combine entity masking and domain-adversarial training to mitigate reliance on spurious topical correlations. Our results show that the commonly observed trade-off between robustness and in-domain accuracy can be mitigated when robustness objectives are designed to selectively suppress non-task-defining features while preserving salient methodological signals. We find that these improvements arise from two complementary mechanisms: (1) increased reliance on explicit methodological cues when such cues are present in the input, and (2) reduced reliance on spurious domain-specific topical features. These findings highlight the importance of feature-level robustness analysis for publication type and study design classification and suggest that refining masking and adversarial objectives to more selectively suppress topical information may further improve robustness. Data, code, and models are available at: https://github.com/ScienceNLP-Lab/MultiTagger-v2/tree/main/ICHI

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, adversarial, evaluation.

  63. score 100arxiv cs.CL (NLP)arxiv:2605.11483unread

    StoicLLM: Preference Optimization for Philosophical Alignment in Small Language Models

    Ishmam Khan, Sindhuja Thogarrati, Shuo Zhang · 2026-05-13

    The authors fine-tune small language models on micro-datasets of Stoic philosophy texts (just 300 examples) using preference optimization methods (ORPO, AlphaPO) to see if models can internalize a nuanced philosophical framework under extreme data constraints. Evaluated by a multi-model critic, the fine-tuned models align well with inward-facing Stoic virtues (self-discipline, reflection) and approach few-shot prompting performance, but all models—including few-shot baselines—fail on outward-facing cosmopolitan duties, suggesting a representational limitation of small models. **Main takeaways:** - 300 high-quality Stoic text examples + preference optimization (ORPO, AlphaPO) can induce strong alignment with inward Stoic virtues - Fine-tuned models nearly match few-shot prompting on inward virtues, freeing up context window - All models (fine-tuned and few-shot) persistently fail on outward-facing cosmopolitan duties - Limitation appears representational—small models lack capacity for certain philosophical nuances, not fixable by micro-dataset tuning alone

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: eval, prompt, base, under, baseline, fail. Source: arxiv cs.CL (NLP).

    arXiv:2605.11483v1 Announce Type: new Abstract: While large language models excel at factual adaptation, their ability to internalize nuanced philosophical frameworks under severe data constraints remains underexplored. We investigate this by specializing small LLMs on micro-datasets of foundational Stoic texts using preference optimization (ORPO, AlphaPO). Evaluated via a multi-model critic bank, our results show that just 300 high-fidelity examples can induce strong alignment with inward-facing Stoic virtues, closely approaching few-shot prompting while freeing the context window. Critically, however, all models, including few-shot baselines, exhibit a persistent failure on Stoicism's outward-facing cosmopolitan duties, pointing to a representational limitation of small models that micro-dataset adaptation alone cannot overcome.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses failure, limitation.

  64. score 100arxiv cs.CL (NLP)arxiv:2605.11416unread

    Freeze Deep, Train Shallow: Interpretable Layer Allocation for Continued Pre-Training

    Yu-Hang Wu, Qin-Yuan Liu, Qiu-Yang Zhao, Bo Jiang, Jiang-Feng Yang, Qing-Wei Cong · 2026-05-13

    Deciding which layers to freeze or train during continued pretraining is usually a black-box empirical decision. The authors introduce LayerTracer, a diagnostic framework that tracks where in the network task execution happens and how sensitive each layer is to updates. Analysis shows deep layers are where task execution occurs and are highly stable, while shallow layers are more sensitive. Guided by this, they run controlled experiments showing that training shallow layers while freezing deep layers consistently beats full-parameter fine-tuning and the opposite allocation on Chinese benchmarks (C-Eval, CMMLU). A hybrid model case study confirms that placing high-quality pretrained modules in deep layers preserves inherent knowledge. **Main takeaways:** - LayerTracer reveals task execution positions and layer sensitivity to updates in an interpretable way - Deep layers handle task execution and are stable; shallow layers are more sensitive to updates - Training shallow + freezing deep layers outperforms full fine-tuning and the reverse strategy on Chinese evals - Hybrid models benefit from placing high-quality modules in deep layers to preserve knowledge - Provides actionable, low-cost guidance for resource-constrained continued pretraining

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, eval, trained, source, both, compare. Source: arxiv cs.CL (NLP).

    arXiv:2605.11416v1 Announce Type: new Abstract: Selective layer-wise updates are essential for low-cost continued pre-training of Large Language Models (LLMs), yet determining which layers to freeze or train remains an empirical black-box problem due to the lack of interpretable guidance. To address this issue, we propose LayerTracer, an architecture-agnostic diagnostic framework that reveals the evolution patterns of layer-wise representations and stability by locating task execution positions and quantifying layer sensitivity. Analysis results reveal that deep layers act as critical regions for task execution and maintain high stability against disruptive updates. Guided by this finding, we conduct three controlled continued pre-training trials to compare diverse freeze-train strategies, demonstrating that training shallow layers while freezing deep layers consistently outperforms full-parameter fine-tuning and the opposite allocation on both C-Eval and CMMLU benchmarks. We further present a hybrid model case study, which validates that placing high-quality pre-trained modules in deep layers effectively preserves inherent knowledge of the model. This work delivers a low-cost and interpretable solution for resource-constrained teams, offering actionable guidance for layer-wise parameter allocation in continued pre-training and hybrid model construction.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  65. score 100arxiv cs.CL (NLP)arxiv:2605.11388unread

    Deep Reasoning in General Purpose Agents via Structured Meta-Cognition

    Dean Light, Michael Theologitis, Kshitish Ghate, Shuyue Stella Li, Benjamin Newman, Chirag Shah, Aylin Caliskan, Pang Wei Koh, Dan Suciu, Yulia Tsvetkov · 2026-05-13

    Current LLM agent scaffolds hard-code reasoning structures (plan, execute, verify, etc.) in advance, making them brittle when tasks require adapting the reasoning structure itself. The authors propose Deep Reasoning, an inference-time approach that constructs task-specific scaffolds via meta-reasoning: a formal language represents meta-reasoning as executable decompositions over associative inference, formal computation, and recursive subproblem solving. They instantiate this in DOLORES, a general-purpose agent that distributes complex tasks across controlled reasoning threads. DOLORES outperforms state-of-the-art scaffolds by 24.8% on average across multi-hop reasoning, long-chain QA, long-context aggregation, and deep research tasks, and an 8B version beats all evaluated 32B baselines from the same family in over half the benchmarks. **Main takeaways:** - Hard-coded scaffolds are brittle when tasks require adapting reasoning structure, not just content - Deep Reasoning uses a formal meta-reasoning language to construct task-specific scaffolds at inference time - DOLORES distributes cognition across structured, lower-load reasoning threads (associative, formal, recursive) - Outperforms state-of-the-art scaffolds by 24.8% on average across four hard benchmarks - 8B version surpasses all 32B baselines from same family in >50% of benchmarks—bridging the scaling gap via better structure

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)". Matching terms: long, eval, base, system, same, baseline, question, when. Source: arxiv cs.CL (NLP).

    arXiv:2605.11388v1 Announce Type: new Abstract: Humans intuitively solve complex problems by flexibly shifting among reasoning modes: they plan, execute, revise intermediate goals, resolve ambiguity through associative judgment, and apply formal procedures to well-specified subproblems. Current LLM agents lack this flexibility, as their scaffolds hard-code such reasoning decisions in advance. These scaffolds are effective when their prescribed structure matches the task, but brittle when solving the task requires adapting the structure of reasoning itself. We introduce Deep Reasoning -- an inference-time approach for constructing task-specific scaffolds through structured meta-reasoning. Deep Reasoning uses a formal language that represents meta-reasoning as executable decompositions over associative inference, formal computation, and recursive subproblem solving, enabling decomposition principles to be encoded as in-context examples that guide test-time scaffold construction. We instantiate this approach in a general-purpose agent (DOLORES) that distributes complex tasks across more controlled reasoning threads. We evaluate it against state-of-the-art scaffolding methods across four hard benchmarks: multi-hop reasoning, long-chain question answering, long-context aggregation, and deep research-style information seeking. DOLORES outperforms all evaluated scaffolds across three model sizes and two model families, improving over the strongest evaluated scaffold baseline by 24.8% on average. DOLORES distributes cognition across structured, lower-load reasoning threads, thereby reducing premature termination and hallucinations. This advantage can even bridge the scaling gap, with an 8B version surpassing all evaluated 32B baselines from the same family in more than half the settings. These results point toward future agentic systems that treat scaffolding as adaptive reasoning, constructing the structure each task requires just-in-time.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses benchmark.

  66. score 100arxiv cs.CL (NLP)arxiv:2605.11378unread

    An Empirical Study of Automating Agent Evaluation

    Kang Zhou, Sangmin Woo, Haibo Ding, Kiran Ramnath, Subramanian Chidambaram, Aosong Feng, Vinayak Arannil, Muhyun Kim, Ishan Singh, Darren Wang, Zhichao Xu, Megha Gandhi, Nirmal Prabhu, Soumya Smruti Mishra, Vivek Singh, Gouri Pandeshwar, Lin Lee Cheong · 2026-05-13

    The authors investigate whether frontier LLMs can automate the evaluation of AI agents—tasks that involve multi-step reasoning and tool use. They find that simply prompting coding assistants fails badly (30% execution success, over-engineered metrics), so they build EvalAgent, a system that uses "evaluation skills" (procedural instructions, reusable code templates, and API docs) to generate complete evaluation pipelines. They introduce a meta-evaluation benchmark (AgentEvalBench, 20 agents) and an Eval@1 metric measuring whether generated evaluation code runs correctly on the first try. **Main takeaways:** - Strong coding ability doesn't automatically make LLMs good at building agent evaluations—raw prompting yields only 30% working evaluations. - EvalAgent packages domain expertise as "evaluation skills" (instructions, code templates, retrieved docs) and raises Eval@1 from 17.5% to 65%. - Human experts prefer EvalAgent's evaluations 79.5% of the time over baseline approaches. - Removing the evaluation skills drops Eval@1 back to 30%, showing they're critical for complex evaluation tasks. - The system produces focused evaluations instead of metrics bloat (12+ metrics per agent in naive approaches).

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, prompt, base, system, baseline, both. Source: arxiv cs.CL (NLP).

    arXiv:2605.11378v1 Announce Type: new Abstract: Agent evaluation requires assessing complex multi-step behaviors involving tool use and intermediate reasoning, making it costly and expertise-intensive. A natural question arises: can frontier coding assistants reliably automate this evaluation process? Our study shows that simply prompting coding assistants is insufficient for this task. Without domain-specific evaluation knowledge, frontier coding assistants achieve only a 30% execution success rate and produce over-engineered evaluations averaging 12+ metrics per agent, indicating that strong coding ability does not automatically translate to reliable agent evaluation. We introduce EvalAgent, an AI assistant that automates the end-to-end agent evaluation pipeline. EvalAgent encodes evaluation domain expertise as evaluation skills (procedural instructions, reusable code and templates, and dynamically retrieved API documentation) that compose into a trace-based pipeline producing complete evaluation artifacts including metrics, executable code, and reports. To systematically assess generated evaluations, we introduce a meta-evaluation framework alongside AgentEvalBench, a benchmark comprising 20 agents, each paired with evaluation requirements and test scenarios. We further propose the Eval@1 metric to measure whether generated evaluation code both executes and yields meaningful results on the first run. Our experiments show that EvalAgent produces focused evaluations, improving Eval@1 from 17.5% to 65%, and achieving 79.5% human expert preference over baseline approaches. Further ablation studies show that evaluation skills are critical for handling complex evaluation: removing them causes Eval@1 to drop significantly from 65% to 30%.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.

  67. score 100arxiv cs.CL (NLP)arxiv:2605.11348unread

    Large Language Models for Causal Relations Extraction in Social Media: A Validation Framework for Disaster Intelligence

    Ujun Jeong, Saketh Vishnubhatla, Bohan Jiang, Andre Harrison, Adrienne Raglin, Huan Liu · 2026-05-13

    The authors test whether LLMs can extract causal relations (e.g., "X caused casualties") from disaster-related social media posts to improve situational awareness. They propose an evaluation framework that compares LLM-generated causal graphs to expert-derived reference graphs from disaster reports, and check whether extracted relations are supported by real post-event evidence or just reflect model priors (baked-in assumptions from training). The work highlights both promise and risks for using LLMs in disaster decision-support. **Main takeaways:** - Disaster social media posts are informal, fragmented, and often describe personal experiences rather than explicit causal chains. - The authors build an expert-grounded framework to validate LLM causal extraction against real disaster reports. - They test whether extracted causal relations come from actual post content or from model priors (learned patterns from pretraining). - The goal is to identify what causes casualties, damage, or cascading impacts during disasters. - Findings show both potential and substantial risks when relying on LLM extraction for high-stakes decision-making.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, persona, eval, system, both, factor, extraction, compare. Source: arxiv cs.CL (NLP).

    arXiv:2605.11348v1 Announce Type: new Abstract: During disasters, extracting causal relations from social media can strengthen situational awareness by identifying factors linked to casualties, physical damage, infrastructure disruption, and cascading impacts. However, disaster-related posts are often informal, fragmented, and context-dependent, and they may describe personal experiences rather than explicit causal relations. In this work, we examine whether Large Language Models (LLMs) can effectively extract causal relations from disaster-related social media posts. To this end, we (1) propose an expert-grounded evaluation framework that compares LLM-generated causal graphs with reference graphs derived from disaster-specific reports and (2) assess whether the extracted relations are supported by post-event evidence or instead reflect model priors. Our findings highlight both the potential and risks of using LLMs for causal relation extraction in disaster decision-support systems.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  68. score 100arxiv cs.CL (NLP)arxiv:2605.11303unread

    Predicting Psychological Well-Being from Spontaneous Speech using LLMs

    Erfan Loweimi, Sofia de la Fuente Garcia, Saturnino Luz · 2026-05-13

    The authors use LLMs in a zero-shot setup to predict psychological well-being scores (Ryff PWB) from a few minutes of spontaneous speech recordings. They test 12 instruction-tuned models (Llama-3, Mistral, Gemma variants, etc.) using a domain-informed prompt co-designed with clinical psychology and linguistics experts. Best models achieve Spearman correlations up to 0.8, and the authors analyze prediction variability and use word clouds to identify which linguistic features drive predictions. **Main takeaways:** - LLMs can extract semantically meaningful psychological cues from spontaneous speech in zero-shot mode (no training on this task). - Tested on 111 participants from the PsyVoiD database, using only a few minutes of audio transcripts. - Best models reach Spearman correlation of 0.8 on 80% of the data for predicting well-being scores. - The prompt was designed with domain experts in clinical psychology and linguistics. - Statistical and keyword analyses provide some explainability for what linguistic features the models latch onto.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: long, eval, prompt, base, system, core, predict, along. Source: arxiv cs.CL (NLP).

    arXiv:2605.11303v1 Announce Type: new Abstract: We investigate the use of Large Language Models (LLMs) for zero-shot prediction of Ryff Psychological Well-Being (PWB) scores from spontaneous speech. Using a few minutes of voice recordings from 111 participants in the PsyVoiD database, we evaluated 12 instruction-tuned LLMs, including Llama-3 (8B, 70B), Ministral, Mistral, Gemma-2-9B, Gemma-3 (1B, 4B, 27B), Phi-4, DeepSeek (Qwen and Llama), and QwQ-Preview. A domain-informed prompt was developed in collaboration with experts in clinical psychology and linguistics. Results show that LLMs can extract semantically meaningful cues from spontaneous speech, achieving Spearman correlations of up to 0.8 on 80\% of the data. Additionally, to enhance explainability, we conducted statistical analyses to characterise prediction variability and systematic biases, alongside keyword-based word cloud analyses to highlight the linguistic features driving the models' predictions.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses bias.

  69. score 100arxiv cs.CL (NLP)arxiv:2605.11255unread

    HEBATRON: A Hebrew-Specialized Open-Weight Mixture-of-Experts Language Model

    Noam Kayzer, Dan Revital, Ori Bar Joseph, Smadar Arvatz, Or Levi, Tal Geva, Shaltiel Shmidman, Amir DN Cohen, Noam Ordan, Omer Baruch, Kate Zinkovskaia, Zevi Apini, Sarel Weinberger · 2026-05-13

    Hebatron is a Hebrew-specialized language model built on NVIDIA's sparse Mixture-of-Experts architecture (Nemotron-3). The authors use a three-phase "easy-to-hard" curriculum during training with continuous anti-forgetting anchoring (preventing the model from losing earlier knowledge), then supervised fine-tuning on 2 million bilingual Hebrew-English samples. The curriculum ordering alone yields a 3-point benchmark improvement over training in reverse order. Despite activating only 3B parameters per forward pass (in a 30B total parameter model), Hebatron achieves competitive Hebrew reasoning performance with ~9x higher inference throughput. **Main takeaways:** - First open-weight Hebrew-specialized Mixture-of-Experts model with native long-context support (up to 65,536 tokens). - Three-phase easy-to-hard curriculum with anti-forgetting anchoring improves Hebrew reasoning by 3 points over reversed training order. - Achieves 73.8% on Hebrew reasoning benchmarks, outperforming DictaLM-3.0-24B-Thinking (68.9%). - Only 3B active parameters per forward pass across 30B total, giving ~9x higher throughput than dense models. - Model weights are released openly for Hebrew and Semitic NLP research.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: long, tokens, token, length. Source: arxiv cs.CL (NLP).

    arXiv:2605.11255v1 Announce Type: new Abstract: We present Hebatron, a Hebrew-specialized open-weight large language model built on the NVIDIA Nemotron-3 sparse Mixture-of-Experts architecture. Training employs a three-phase easy-to-hard curriculum with continuous anti-forgetting anchoring, followed by supervised fine-tuning on 2 million bilingual Hebrew--English samples. The curriculum ordering alone yields a 3-point aggregate benchmark gain over the reversed configuration. Hebatron achieves a Hebrew reasoning average of 73.8\%, outperforming DictaLM-3.0-24B-Thinking (68.9\%) and remaining competitive with Gemma-3-27B-IT on GSM8K-HE and Israeli Trivia, while activating only 3B parameters per forward pass across a 30B-parameter model, delivering approximately 9 times higher inference throughput at native context lengths up to 65,536 tokens. To our knowledge, this is the first language-specific adaptation of the Nemotron-3 architecture for any target language, and the first open-weight Hebrew-specialized MoE model with native long-context support. Model weights are released openly to support further research in Hebrew and Semitic-language NLP.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses benchmark.

  70. score 100arxiv cs.CL (NLP)arxiv:2605.11212unread

    ReVision: Scaling Computer-Use Agents via Temporal Visual Redundancy Reduction

    Amirhossein Abaskohi, Yuhang He, Peter West, Giuseppe Carenini, Pranit Chawla, Vibhav Vineet · 2026-05-13

    ReVision tackles the token cost problem for computer-use agents that observe screenshots over time. Each screenshot encodes into many visual tokens, so trajectories quickly become expensive. The authors train a patch selector that removes redundant visual patches across consecutive screenshots while preserving spatial structure. On Qwen2.5-VL-7B processing 5 history screenshots, ReVision cuts token usage by ~46% and improves success rate by 3%. Importantly, they find that performance keeps improving with more history *when redundancy is removed*, suggesting that visual history saturation isn't due to limited usefulness but inefficient representations. **Main takeaways:** - Computer-use agents process screenshots that encode into huge numbers of visual tokens, limiting how much history fits in context. - ReVision trains a patch selector to remove redundant visual patches between consecutive frames while keeping spatial structure intact. - Reduces tokens by ~46% on average across three benchmarks while improving success rate by 3% (Qwen2.5-VL-7B, 5 history screenshots). - Performance continues improving with more history when redundancy is removed, challenging the idea that visual history has diminishing returns. - Suggests commonly observed saturation is due to inefficient token representations, not limited usefulness of past observations.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, tokens, base, token, under, baseline, remove. Source: arxiv cs.CL (NLP).

    arXiv:2605.11212v1 Announce Type: new Abstract: Computer-use agents~(CUAs) rely on visual observations of graphical user interfaces, where each screenshot is encoded into a large number of visual tokens. As interaction trajectories grow, the token cost increases rapidly, limiting the amount of history that can be incorporated under fixed context and compute budgets. This has resulted in no or very limited improvement in the performance when using history unlike other domains. We address this inefficiency by introducing ReVision, which is used to train multimodal language models on trajectories where redundant visual patches are removed using a learned patch selector that compares patch representations across consecutive screenshots while preserving spatial structure required by the model. Across three benchmarks, OSWorld, WebTailBench, and AgentNetBench, when processing trajectories with 5 history screenshots using Qwen2.5-VL-7B, ReVision reduces token usage by approximately 46% on average while improving success rate by 3% over the no drop baseline. This establishes a clear efficiency gain, enabling agents to process longer trajectories with fewer tokens. With this improved efficiency, we revisit the role of history in CUAs and find that performance continues to improve as more past observations are incorporated when redundancy is removed. This suggests that the commonly observed saturation in visual history is not due to limited usefulness of past information, but rather a consequence of inefficient token representations.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  71. score 100arxiv cs.CL (NLP)arxiv:2605.11206unread

    Instructions shape Production of Language, not Processing

    Andreas Waldis, Leshem Choshen, Yufang Hou, Yotam Perlit · 2026-05-13

    The authors show that instructions in language models primarily affect how output tokens are *produced* rather than how input tokens are *processed*. Using layer-by-layer probing across five tasks, they find that task-specific information in the input stays mostly stable regardless of instructions, while the same information in output tokens varies dramatically and tracks actual behavior. Attention interventions confirm this causally: blocking instruction influence to all tokens hurts performance, but blocking it only to input tokens barely matters. **Main takeaways:** - Instructions shape what happens during output generation, not during input understanding—an asymmetry between "processing" and "production" stages - Task information encoded in output tokens correlates strongly with behavior; the same information in input tokens correlates weakly - Blocking instruction attention flow to output tokens tanks performance; blocking it only to input tokens has minimal effect - The effect becomes sharper with model scale and instruction-tuning, both of which disproportionately amplify the production stage - Suggests measuring model internals by token position (input vs output) reveals more than treating all positions the same

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, output, eval, prompt, tokens, attention, base. Source: arxiv cs.CL (NLP).

    arXiv:2605.11206v1 Announce Type: new Abstract: Instructions trigger a production-centered mechanism in language models. Through a cognitively inspired lens that separates language processing and production, we reveal this mechanism as an asymmetry between the two stages by probing task-specific information layer-wise across five binary judgment tasks. Specifically, we measure how instruction tokens shape information both when sample tokens, the input under evaluation, are processed and when output tokens are produced. Across prompting variations, task-specific information in sample tokens remains largely stable and correlates only weakly with behavior, whereas the same information in output tokens varies substantially and correlates strongly with behavior. Attention-based interventions confirm this pattern causally: blocking instruction flow to all subsequent tokens reduces both behavior and information in output tokens, whereas blocking it only to sample tokens has minimal effect on either. The asymmetry generalizes across model families and tasks, and becomes sharper with model scale and instruction-tuning, both of which disproportionately affect the production stage. Our findings suggest that understanding model capabilities requires jointly assessing internals and behavior, while decomposing the internal perspective by token position to distinguish the processing of input tokens from the production of output tokens.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  72. score 100arxiv cs.CL (NLP)arxiv:2605.11195unread

    How Does Differential Privacy Affect Social Bias in LLMs? A Systematic Evaluation

    Eduardo Tenorio, Karuna Bhaila, Xintao Wu · 2026-05-13

    The paper evaluates how differential privacy training (DP-SGD) affects social bias in LLMs across four different testing paradigms: sentence scoring, text completion, tabular classification, and question answering. They find that DP reduces bias in sentence scoring (likelihood-based measurements) but the improvement doesn't carry over to other tasks, and that logit-level bias doesn't always match output-level bias. Importantly, reducing memorization through DP doesn't automatically reduce unfairness. **Main takeaways:** - DP-SGD training reduces bias on sentence scoring tasks but not consistently across completion, classification, or QA tasks - Logit-level bias measurements (what the model "thinks") can disagree with output-level bias (what it actually generates) - Lower memorization from differential privacy doesn't guarantee lower social bias - Multi-paradigm evaluation is essential—conclusions from one measurement approach don't generalize - Training modifications affect bias in task-specific, not universal ways

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: output, eval, base, trained, system, under, baseline, question. Source: arxiv cs.CL (NLP).

    arXiv:2605.11195v1 Announce Type: new Abstract: Large language models (LLMs) trained on web-scale corpora can memorize sensitive training data, posing significant privacy risks. Differential privacy (DP) has emerged as a principled framework that limits the influence of individual data points during training, yet the relationship between differential privacy and social bias in LLMs remains poorly understood. To investigate this, we present a systematic evaluation of social bias in a pretrained LLM trained with DP-SGD, comparing a DP model against non-DP baselines across four complementary paradigms: sentence scoring, text completion, tabular classification, and question answering. We find that DP reduces bias in sentence scoring tasks, where bias is measured through controlled likelihood comparisons, yet this improvement does not generalize across all tasks. Our results reveal a discrepancy between logit-level bias and output-level bias. Moreover, decreasing memorization does not necessarily reduce unfairness, underscoring the importance of multi-paradigm evaluation when assessing fairness in LLMs.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses bias, evaluation.

  73. score 100arxiv cs.CL (NLP)arxiv:2605.11153unread

    Decomposing Evolutionary Mixture-of-LoRA Architectures: The Routing Lever, the Lifecycle Penalty, and a Substrate-Conditional Boundary

    Ramchand Kumaresan · 2026-05-13

    The authors decompose an evolutionary mixture-of-LoRA system into three components—a routing rewrite, a per-domain evaluation scope, and an adapter lifecycle (death, inheritance, mutation, reallocation)—and run ablation experiments to measure each piece's contribution. On their custom 150M-parameter substrate, the router rewrite carries the entire improvement (+0.043 nats), the evaluation scope does nothing, and the lifecycle actually hurts performance (-0.028 nats). The headline full-system improvement is small (+0.015 nats) and doesn't reach statistical significance, and evolutionary search only helps when adapters are already aligned to the task. **Main takeaways:** - The routing mechanism (how adapter outputs are combined) drives all the measured improvement in this evolutionary LoRA setup - The lifecycle component (adapter mutation and reallocation) is a net drag on performance in these experiments - Evolutionary search on routing is only useful when adapters are pre-aligned to tasks; otherwise it doesn't help - Statistical power is limited (n=3 seeds) and the headline result doesn't clear significance thresholds - There's a substrate-conditional regime boundary: what works depends heavily on initialization and model architecture

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, token, lora, under, baseline. Source: arxiv cs.CL (NLP).

    arXiv:2605.11153v1 Announce Type: new Abstract: We decompose an evolutionary mixture-of-LoRA system on a from-scratch ~150M-parameter widened-D substrate (D=1536, V=32000; D/V approx 0.048; the "widened-1536" substrate) into three factors -- a router rewrite (parallel sigmoid gate with learnable per-adapter floor and bounded temperature anneal, fed post-stack hidden states rather than token-embedding means), a per-domain leave-one-out evaluation scope, and a lifecycle of death plus alpha-blend inheritance plus SVD mutation plus slot reallocation -- and report a 5-of-8 partial 2^3 factorial run at n=3 seeds and 25000 adaptation steps per cell. The attribution chain is sharp on this substrate: the router rewrite carries the entire +0.0426 nat balanced log-PPL improvement (Delta = log PPL_ref - log PPL_test, positive = improvement; t=12.86, p=0.006) attributed to "the full evolutionary system vs the static B3 baseline"; the headline full-system-vs-B3 balanced contrast itself is +0.015 nats, t=1.94, p=0.19 at n=3 and does not clear alpha=0.05. The per-domain evaluation scope is null at seed-resolution, and the lifecycle is a net drag of approx -0.028 nats (t=-4.46,p=0.047 in the primary chain). An auxiliary alpha=0 inheritance counterfactual at n=3 seeds is sign-inconsistent at the headline metric and underpowered for either an equivalence or load-bearing conclusion (corrected from an earlier arithmetic-mean aggregator that erroneously cleared inheritance; see Appendix B.11). A base-perturbation probe directionally refutes a "genomic-context" reframe of the lifecycle role. A controllable synthetic sandbox locates a substrate-conditional regime boundary: evolutionary search on the routing channel is load-bearing only when adapters are pre-aligned to the task; in every other regime tested it underperforms, ties, or actively degrades the gradient solution.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  74. score 100arxiv cs.CL (NLP)arxiv:2605.11143unread

    ClinicalBench: Stress-Testing Assertion-Aware Retrieval for Cross-Admission Clinical QA on MIMIC-IV

    Alex Stinard · 2026-05-13

    ClinicalBench tests whether retrieval systems can handle the messy realities of clinical notes—negation ("no fever"), temporality (past vs present), and attribution (family history vs patient symptoms)—before feeding information to a reasoning model. The authors build a system (EpiKG) that tags every fact with assertion labels and routes retrieval by question intent, then benchmark it on 400 questions over real MIMIC-IV patient records. Their assertion-aware retrieval improves exact-match accuracy by 22 percentage points over a standard dense retrieval baseline, with physician adjudication confirming the gains. **Main takeaways:** - Clinical reasoning benchmarks usually test on clean inputs, but real EHR retrieval requires handling negation, time, and attribution - Assertion-aware knowledge-graph retrieval (tracking "negated" vs "affirmed" and "past" vs "present") beats dense embedding retrieval by +22 percentage points - The gain is larger (+39.5pp) on questions where keyword matching is deterministic, smaller on ambiguous cases - Larger language models benefit less from better retrieval (beta=-1.12), possibly because they can compensate for retrieval errors - Physician review found 56% of auto-generated reference answers were defective, highlighting evaluation challenges in clinical NLP

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, eval, base, under, baseline, question, where. Source: arxiv cs.CL (NLP).

    arXiv:2605.11143v1 Announce Type: new Abstract: Reasoning benchmarks measure clinical performance on clean inputs. We evaluate the step before reasoning: retrieval over real EHR notes, where negation, temporality, and family-versus-patient attribution can flip a correct answer to a wrong one. EpiKG carries an assertion label and a temporality tag with every fact in a patient knowledge graph, then routes retrieval by question intent. ClinicalBench is a 400-question test over 43 MIMIC-IV patients across 9 assertion-sensitive categories. A 7-condition ablation tests each piece of EpiKG across six LLMs (Claude Opus 4.6, GPT-OSS 20B, MedGemma 27B, Gemma 4 31B, MedGemma 1.5 4B, Qwen 3.5 35B). Three physicians blindly adjudicated 100 paired items. The author-blind primary endpoint, leave-author-out paired exact McNemar on 50 unanimous-strict items rated by two external physicians, yields +22.0 percentage points (95 percent Newcombe CI [+5.1, +31.5], p=0.0192). The architectural novelty, intent-aware KG-RAG over a Contriever dense-RAG baseline (C2b to C4g_kw on the change-excluded n=362 endpoint), is +8.84 percentage points (paired McNemar p=1.79e-3); +12.43 percentage points under oracle intent. Sensitivities agree directionally: three-rater physician majority +24.0 percentage points (subject to single-author circularity); deterministic keyword reproducibility proxy +39.5 percentage points. Across the six models, the gain shrinks as the LLM-alone baseline rises (beta=-1.123, r=-0.921, p=0.009). With n=6 this looks more like regression to the mean than encoding substituting for model size. Physician adjudication identified 56 percent of auto-generated reference answers as defective, a methodological finding indicating that NLP-pipeline clinical-QA benchmarks require physician adjudication to be usable. ClinicalBench, the frozen evaluator, three-rater adjudication data, and the EpiKG output stack are publicly released.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  75. score 100arxiv cs.CL (NLP)arxiv:2605.11128unread

    Sampling More, Getting Less: Calibration is the Diversity Bottleneck in LLMs

    Amin Banayeeanzade, Qingchuan Yang, Dhruv Tarsadiya, Fatemeh Bahrani, Leonardo Blas, Alfy Samuel, Robin Jia, Meisam Razaviyayn, Sai Praneeth Karimireddy · 2026-05-13

    The authors diagnose why LLMs collapse into repetitive, low-diversity outputs even when many valid continuations exist. They introduce a "validity-diversity" framework showing that the problem stems from two forms of miscalibration: (1) valid tokens aren't reliably ranked above invalid ones (order calibration), so sampling methods must trade validity for diversity, and (2) probability mass is overly concentrated on a few valid options with a long tail of mixed valid/invalid tokens (shape calibration). These local failures compound across decoding steps, sharply reducing sequence-level diversity. Experiments across 14 models confirm the pattern. **Main takeaways:** - Diversity collapse isn't just a sampling algorithm problem—it's baked into LLM probability distributions via miscalibration - Order calibration failure: valid tokens don't consistently rank above invalid ones, forcing validity-diversity tradeoffs - Shape calibration failure: probability mass is spiked on few valid options, with a heavy tail mixing valid and invalid - Local miscalibration at each step compounds across decoding, producing large sequence-level diversity losses - Observed across 14 models of different families and scales, suggesting a fundamental distribution problem

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, tokens, base, token, continuation, collapse, baseline. Source: arxiv cs.CL (NLP).

    arXiv:2605.11128v1 Announce Type: new Abstract: Diversity is essential for language-model applications ranging from creative generation to scientific discovery, yet modern LLMs often collapse into a narrow subset of plausible outputs. While prior work has developed benchmarks for measuring this lack of diversity, less is known about how the step-by-step probability distributions at inference time cause the problem. We introduce a validity--diversity framework that attributes diversity collapse to how an LLM allocates probability mass across valid and invalid continuations during decoding. This framework decomposes the bottleneck into two complementary forms of miscalibration. First, order calibration: valid tokens are not reliably ranked above invalid tokens, so rank-based cutoff rules must trade off between recovering valid continuations and admitting invalid ones. Second, shape calibration: probability mass is overly concentrated only on few valid continuations while having a heavy-tail of mixed valid and invalid tokens, so maintaining high validity limits diversity. We formalize both mechanisms and show that local failures compound across decoding steps, producing strong sequence-level losses in diversity. Empirically, we develop controlled diagnostics for probing these bottlenecks, including tasks with exactly known valid sets and oracle cutoff baselines. Across 14 language models spanning multiple families and scales, we find that diversity collapse is not merely a limitation of particular sampling heuristics, but a consequence of order and shape miscalibration in the LLM distribution.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, failures, limitation, benchmark.

  76. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11102unread

    Newton's Lantern: A Reinforcement Learning Framework for Finetuning AC Power Flow Warm Start Models

    Shourya Bose, Helgi Hilmarsson, Dhruv Suri · 2026-05-13

    Newton's Lantern fine-tunes neural warm-start models for AC power flow using reinforcement learning with iteration count as the reward, addressing a problem supervised learning struggles with: heavily loaded cases near voltage collapse. The authors prove that warm-start error *direction* matters more than magnitude, and that supervised regression's guarantees vanish near singularities in the power-flow Jacobian. Their RL pipeline (group relative policy optimization + learned reward model) converges on every test case while achieving the lowest mean iteration count across three power-grid benchmarks. **Main takeaways:** - Neural warm starts for power-flow solvers fail near voltage collapse because supervised learning ignores error direction - Iteration-count lower bound depends on warm-start error direction, not magnitude; bound becomes vacuous near Jacobian singularities - RL fine-tuning with iteration count as reward fixes the problem where supervised learning fails - Newton's Lantern converges on 100% of test snapshots across IEEE 118-bus, GOC 500-bus, and GOC 2000-bus grids - Only method to achieve both perfect convergence and lowest mean iteration count

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Chen et al. persona-vectors (mean-diff vs helpful baseline) fail as a [ZLT]-leakage predictor on both non-persona triggers and personas; simpler mean-pooled centroids beat them on both phases (HIGH confidence)". Matching terms: base, trained, collapse, fail, predict, generalize. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11102v1 Announce Type: new Abstract: Neural warm starts can sharply reduce the number of Newton-Raphson iterations required to solve the AC power flow problem, but existing supervised approaches generalize poorly on heavily loaded instances near voltage collapse. We prove a lower bound on the Newton-Raphson iteration count that depends on the direction of the warm start error rather than on its magnitude, and show as a corollary that the bound becomes vacuous as the smallest singular value of the power-flow Jacobian shrinks, identifying the failure mode of supervised regression near the saddle-node bifurcation. Motivated by this analysis, we introduce Newton's Lantern, a finetuning pipeline that combines group relative policy optimization with a learned reward model trained on perturbations of the base model's predictions, using the iteration count itself as the supervisory signal. Across IEEE 118-bus, GOC 500-bus, and GOC 2000-bus benchmarks, Newton's Lantern is the only method that converges on every test snapshot while attaining the smallest mean iteration count.

    Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses failure, benchmark.

  77. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11091unread

    ASD-Bench: A Four-Axis Comprehensive Benchmark of AI Models for Autism Spectrum Disorder

    Shubhankit Singh, Hassan Shaikh, Kuldeep Raghuwanshi, Keshav Bulia · 2026-05-13

    The authors built a comprehensive benchmark (ASD-Bench) to evaluate how well different machine learning models can screen for autism spectrum disorder using questionnaire data. They tested everything from classic ML (XGBoost, logistic regression) to modern deep learning and transformer models across three age groups (children, adolescents, adults), measuring not just accuracy but also calibration, interpretability, and robustness. The benchmark reveals that adult classification is easy (many models get perfect scores) but adolescent screening is much harder, and that the most important questionnaire features shift dramatically by age—social motivation matters most for children, pattern recognition for adolescents, and adults show a flatter profile consistent with social masking. **Main takeaways:** - Adult ASD screening from questionnaires is nearly solved (10 of 17 models hit perfect F1), but adolescent classification is significantly harder (F1 ceiling of 0.837 vs 0.915 for children) - Feature importance shifts by developmental stage: social motivation (question A9) dominates for children, pattern recognition (A5) for adolescents, adults show flatter profiles - High accuracy doesn't guarantee good calibration—one model achieved perfect F1 but had terrible calibration (ECE=0.302), showing you can't rely on a single metric for clinical AI - They introduced HAP (Heuristic Aggregate Penalty), a metric that penalizes false negatives more heavily and accounts for cross-validation stability, which is more appropriate for medical screening than standard metrics

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, question, predict, screen, axis. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11091v1 Announce Type: new Abstract: Automated ASD screening tools remain limited by single-architecture evaluations, axis-restricted assessment, and near-exclusive focus on adult cohorts, obscuring age-specific diagnostic patterns critical for early intervention. We introduce ASD-Bench, a systematic tabular benchmark evaluating ML, deep learning, and foundation model configurations across three age cohorts (children 1-11 yr, adolescents 12-16 yr, adults 17-64 yr) on four axes: predictive performance, calibration, interpretability, and adversarial robustness. Applied to a curated v3 dataset of 4,068 AQ-10 records, our benchmark spans classical models (XGBoost, AdaBoost, Random Forest, Logistic Regression), neural networks (MLP), deep tabular transformers (TabNet, TabTransformer, FT-Transformer), and TabPFN v2. We introduce the Heuristic Aggregate Penalty (HAP): a cost-sensitive metric penalising false negatives more heavily and incorporating cross-validation variance for deployment stability. Adult classification yields high performance (10/17 models achieve perfect F1 and AUC), while adolescents present a harder task (F1 ceiling 0.837 vs. 0.915 for children). Feature hierarchies shift across cohorts: A9 (social motivation) dominates for children, A5 (pattern recognition) leads for adolescents, and adults exhibit a flatter importance profile consistent with developmental social masking. Accuracy and calibration are dissociated: AdaBoost achieves F1=1.000 on adults with ECE=0.302, confirming single-metric evaluation is insufficient for clinical AI. Cohort-specific deployment recommendations are provided. All findings should be interpreted as proof-of-concept evidence on questionnaire-derived labels rather than clinically validated diagnostic performance.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative, robustness, adversarial, evaluation, benchmark.

  78. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11020unread

    Trust Region Inverse Reinforcement Learning: Explicit Dual Ascent using Local Policy Updates

    Anish Diwan, Davide Tateo, Christopher E. Mower, Haitham Bou-Ammar, Jan Peters, Oleg Arenz · 2026-05-13

    The authors introduce TRIRL (Trust Region Inverse Reinforcement Learning), which tries to learn a reward function from expert demonstrations without either fully solving an RL problem at every iteration (like classical IRL) or suffering the instability of adversarial/discriminator-based methods. The key insight is that a trust-region-optimal policy for a large reward update is also globally optimal for a smaller update in the same direction, so you can do monotonic dual ascent using only local policy updates around the current policy. This bridges classical dual-ascent IRL (stable but expensive) and modern adversarial imitation learning (cheap but unstable), achieving 2.4x better performance than state-of-the-art and recovering reward functions that generalize to new dynamics. **Main takeaways:** - TRIRL avoids fully solving RL problems each iteration (expensive) and adversarial discriminator training (unstable) by doing explicit dual ascent with only local policy updates - Key theoretical trick: a trust-region-optimal policy for a big reward change is globally optimal for a smaller change in the same direction, enabling monotonic improvement without global optimization - Outperforms state-of-the-art imitation learning by 2.4x on aggregate inter-quartile mean across multiple tasks - Learns reward functions in the traditional IRL sense—globally optimizable functions that match expert behavior, not just discriminator scores

    Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Factor screen for marker implantation + leakage (2^4: length-location, persona-presence, on-policy, marker-only-loss)", experiment "[Aim 5] Does EM-induced persona-discrimination collapse generalize when EM is trained under non-default personas?". Matching terms: system, same, factor, generalize. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11020v1 Announce Type: new Abstract: Inverse reinforcement learning (IRL) is typically formulated as maximizing entropy subject to matching the distribution of expert trajectories. Classical (dual-ascent) IRL guarantees monotonic performance improvement but requires fully solving an RL problem each iteration to compute dual gradients. More recent adversarial methods avoid this cost at the expense of stability and monotonic dual improvement, by directly optimizing the primal problem and using a discriminator to provide rewards. In this work, we bridge the gap between these approaches by enabling monotonic improvement of the reward function and policy without having to fully solve an RL problem at every iteration. Our key theoretical insight is that a trust-region-optimal policy for a reward function update can be globally optimal for a smaller update in the same direction. This smaller update allows us to explicitly optimize the dual objective while only relying on a local search around the current policy. In doing so, our approach avoids the training instabilities of adversarial methods, offers monotonic performance improvement, and learns a reward function in the traditional sense of IRL--one that can be globally optimized to match expert demonstrations. Our proposed algorithm, Trust Region Inverse Reinforcement Learning (TRIRL), outperforms state-of-the-art imitation learning methods across multiple challenging tasks by a factor of 2.4x in terms of aggregate inter-quartile mean, while recovering reward functions that generalize to system dynamics shifts.

    Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses adversarial.

  79. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11019unread

    Efficient LLM Reasoning via Variational Posterior Guidance with Efficiency Awareness

    Zizhao Chen, Yuying Li, Siting Lin, Lianxi Wang · 2026-05-13

    The authors tackle the "overthinking" problem in LLM reasoning—when chain-of-thought gets inefficiently long—by treating efficient reasoning as a variational inference problem. They introduce VPG-EA (Variational Posterior Guidance with Efficiency Awareness), which uses a dual-stream architecture where one stream learns a posterior distribution conditioned on reference answers (which can sample high-quality reasoning paths more easily) and the other is the prior policy used at inference. After filtering pseudo-efficient paths via cross-evaluation, they distill the posterior's efficient reasoning patterns into the prior policy. On DeepSeek-R1-Distill models (1.5B and 7B), this improves a composite efficiency metric (epsilon cubed) by 8.73% and 12.37% over baselines. **Main takeaways:** - Framing efficient reasoning as variational inference: a posterior distribution conditioned on correct answers can sample high-quality reasoning chains more easily than the prior policy, breaking the sampling bottleneck - VPG-EA uses a parameter-shared dual-stream architecture to learn both posterior and prior, then distills efficient reasoning patterns from posterior to prior - Cross-view evaluation filters out "pseudo-efficient" paths before distillation to ensure quality - Improves composite efficiency metric by ~9-12% over strongest baselines on DeepSeek-R1-Distill-Qwen models

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, lora, baseline, both, space. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11019v1 Announce Type: new Abstract: Although large language models rely on chain-of-thought for complex reasoning, the overthinking phenomenon severely degrades inference efficiency. Existing reinforcement learning methods compress reasoning chains by designing elaborate reward functions, which renders high-quality samples extremely sparse in the exploration space and creates a sampling bottleneck for the prior policy. Inspired by cognitive science, we theoretically prove that a posterior distribution guided by reference answers achieves higher expected utility than the prior distribution, thus capable of breaking through the sampling bottleneck of high-quality samples. However, the posterior distribution is unavailable during inference. To this end, we formalize efficient reasoning as a variational inference problem and introduce an efficiency-aware evidence lower bound as the theoretical foundation. Based on this, we propose the VPG-EA framework. It adopts a parameter-shared dual-stream architecture to instantiate both the posterior distribution and the prior policy; after filtering out pseudo-efficient paths via cross-view evaluation, it unidirectionally transfers the posterior's efficient patterns to the prior policy through variational distillation. Experiments on DeepSeek-R1-Distill-Qwen-1.5B and 7B scales demonstrate that VPG-EA improves the comprehensive efficiency metric epsilon cubed by 8.73% and 12.37% over the strongest baselines on each model size, respectively.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  80. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11017unread

    Simpson's Paradox in Behavioral Curves: How Aggregation Distorts Parametric Models of User Dynamics

    Chao Zhou · 2026-05-13

    The author demonstrates that fitting behavioral curves (like engagement vs. exposure count) to aggregated data produces systematically misleading results due to Simpson's paradox. On Goodreads data from 3.3M users across 9 genres, individual users peak at around 11 exposures while the aggregate curve peaks at 34—a 3x distortion caused by survival bias (users who stay longer accumulate more exposures and look more engaged). Amazon Electronics shows a 5.3x distortion, while MovieLens (low attrition) serves as a negative control confirming survival bias is the culprit. The author introduces Synthetic Null Calibration to reduce false positives in per-user classification by 32%. **Main takeaways:** - Aggregated behavioral curves can be wildly misleading: Goodreads shows a 3x gap (11 vs 34 exposures at peak), Amazon Electronics 5x, driven by survival bias - MovieLens (low attrition) shows minimal distortion, confirming survival bias—not aggregation itself—is the mechanism - The distortion is robust across different ways of slicing categories, measuring engagement, and calibrating classifiers - Synthetic Null Calibration reduces a 32% false positive rate in per-user behavioral classification

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, under, where. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11017v1 Announce Type: new Abstract: Behavioral curve modeling -- fitting parametric functions to engagement-versus-exposure data -- is standard practice in recommendation, advertising, and clinical dosing. We show that aggregation introduces a systematic distortion: Simpson's paradox in behavioral curves. On Goodreads (3.3M users, 9 genres), individual users peak at n* approximately 11 exposures while the aggregate peaks at n* approximately 34 -- a 3x gap driven by survival bias. Amazon Electronics (18M reviews) shows a 5.3x distortion. MovieLens-25M (D approximately 1) serves as a negative control, confirming that survival bias -- not aggregation per se -- is the operative mechanism. The distortion is robust to category granularity, engagement operationalization, and classifier calibration. We develop Synthetic Null Calibration to address a 32% false positive rate in per-user classification. Our findings apply wherever individual behavioral parameters are estimated from aggregate curves under differential attrition.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, negative.

  81. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11014unread

    Backbone-Equated Diffusion OOD via Sparse Internal Snapshots

    Yadang Alexis Rouzoumka, Jean Pinsolle, Eug\'enie Terreaux, Christ\`ele Morisseau, Jean-Philippe Ovarlez, Chengfang Ren · 2026-05-13

    The authors tackle fair comparison in diffusion-based out-of-distribution (OOD) detection by introducing a standardized evaluation protocol (MBE: Mutualized Backbone-Equated) that aligns corruption levels and test-time cost across different diffusion backbones. They then propose Canonical Feature Snapshots (CFS), a family of OOD detectors that probe a frozen diffusion model using only a tiny number of internal activations at low-noise timesteps, without running full denoising trajectories. The strongest one-forward variant (CFS(1x2)) and an even smaller decoder-only variant remain highly competitive, showing that most of the OOD signal in diffusion models is concentrated in sparse internal states rather than requiring expensive full sampling. **Main takeaways:** - MBE protocol standardizes comparisons across diffusion OOD methods by aligning corruption levels and test-time compute budgets - CFS detectors extract OOD signals from a frozen diffusion backbone using only a few internal activations at low-noise timesteps, not full denoising - The strongest one-forward variant (CFS(1x2)) and a decoder-only variant are competitive, showing OOD information is concentrated in sparse internal states - Local diagnostic theory explains this through conditional encoder-decoder complementarity, diagonal-score separation, and low-noise stability

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, issue, github, base, canonical, core, implement. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11014v1 Announce Type: new Abstract: Fair comparison between diffusion-based OOD detectors is challenging, as conclusions can vary with backbone choice, corruption parameterization, and test-time budget. We address this issue through a Mutualized Backbone-Equated (MBE) protocol that aligns canonical corruption levels and logical test-time cost across diffusion backbones. Within this setting, we introduce Canonical Feature Snapshots (CFS), a family of detectors that probes a frozen diffusion backbone using only a tiny number of native internal activations at canonical low-noise levels. On a controlled CIFAR-scale benchmark, the strongest one-forward CFS variant is CFS(1x2), while an even smaller decoder-only variant remains highly competitive. This shows that much of the relative-OOD signal exposed by frozen diffusion backbones is concentrated in a small number of sparse internal states, rather than requiring full denoising trajectories or high-capacity downstream heads. We further provide a local diagnostic theory explaining these observations through conditional encoder-decoder complementarity, diagonal-score separation, and low-noise corruption stability. The official implementation is available at https://github.com/RouzAY/cfs-diffusion-ood/.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  82. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11011unread

    LoopUS: Recasting Pretrained LLMs into Looped Latent Refinement Models

    Taekhyun Park, Yongjae Lee, Dohee Kim, Hyerim Bae · 2026-05-13

    The authors introduce LoopUS (Looped Depth Up-Scaling), a post-training method that converts a standard pretrained LLM into a looped architecture that iteratively refines hidden representations without generating longer output sequences. Instead of training a recurrent model from scratch or doing major architectural retrofits, LoopUS decomposes the pretrained model into an encoder, a looped reasoning block, and a decoder, using techniques like input-dependent selective gates (to prevent hidden-state drift), random deep supervision (for memory-efficient training over long loops), and a confidence head for adaptive early stopping. This lets you scale test-time compute through latent iteration while preserving pretrained capabilities. **Main takeaways:** - LoopUS converts a pretrained LLM into a looped architecture post-training, enabling iterative latent refinement without extending generated sequences - Architecture: encoder → looped reasoning block → decoder, with selective gates to prevent drift and random deep supervision for efficient training - Adaptive early exit via a confidence head allows variable compute based on problem difficulty - Improves reasoning performance through test-time compute scaling without recurrent training from scratch or disrupting pretrained knowledge

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, long, trained, collapse, both, core. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11011v1 Announce Type: new Abstract: Looped computation shows promise in improving the reasoning-oriented performance of LLMs by scaling test-time compute. However, existing approaches typically require either training recurrent models from scratch or applying disruptive retrofits, which involve substantial computational costs and may compromise pretrained capabilities. To address these limitations, we introduce \textbf{Looped Depth Up-Scaling} (LoopUS), a post-training framework that converts a standard pretrained LLM into a looped architecture. As a key technical contribution, LoopUS recasts the pretrained LLM into an encoder, a looped reasoning block, and a decoder. It operationalizes this latent-refinement architecture through four core components: (1) block decomposition, guided by staged representation dynamics; (2) an input-dependent selective gate to mitigate hidden-state drift; (3) random deep supervision for memory-efficient learning over long recursive horizons; and (4) a confidence head for adaptive early exiting. Collectively, these mechanisms transform a standard non-looped model into a looped form while stabilizing it against both computational bottlenecks and representation collapse. Through stable latent looping, LoopUS improves reasoning-oriented performance without extending the generated traces or requiring recurrent training from scratch. For more details, see https://thrillcrazyer.github.io/LoopUS

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations.

  83. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11010unread

    A Comparative Study of Federated Learning Aggregation Strategies under Homogeneous and Heterogeneous Data Distributions

    Antonios Makris, Christos Dousis, Emmanouil Kritharakis, Stavros Bouras, Konstantinos Tserpes · 2026-05-13

    The authors compare different aggregation strategies in federated learning (how you combine model updates from distributed clients) under both homogeneous and heterogeneous data distributions. Using benchmark image classification datasets, they measure how strategies like FedAvg, FedProx, and others perform in terms of centralized accuracy, loss, and system-level metrics (aggregation time, training time, communication overhead). The results show that different aggregation methods have distinct trade-offs that depend on the dataset characteristics and degree of data heterogeneity, with no single winner across all conditions. **Main takeaways:** - Federated aggregation strategy (how server combines client updates) strongly affects both learning performance and system efficiency - No single aggregation method dominates—trade-offs vary by dataset, data distribution (homogeneous vs. heterogeneous), and operating conditions - System-level metrics matter: aggregation/training/communication time vary significantly across strategies - Heterogeneous data distributions shift the relative ranking of aggregation methods compared to homogeneous (IID) settings

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, under, both. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11010v1 Announce Type: new Abstract: Federated Learning has emerged as a transformative paradigm for collaborative machine learning across distributed environments. However, its performance is strongly influenced by the aggregation strategy used to combine local model updates at the server, which directly affects learning performance, robustness, and system behavior. This work presents a comprehensive experimental comparison of widely used federated aggregation strategies under both homogeneous and heterogeneous data distributions. Using benchmark image classification datasets, we analyze how different aggregation mechanisms respond to varying degrees of data heterogeneity, examining their impact on centralized accuracy and loss, and system-level efficiency metrics, including aggregation, training, and communication time. The results demonstrate that aggregation strategies exhibit distinct trade-offs across datasets and data distributions, with their effectiveness varying according to dataset characteristics and operating conditions.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, benchmark.

  84. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11009unread

    ACSAC: Adaptive Chunk Size Actor-Critic with Causal Transformer Q-Network

    Qian Chen, Junqiao Zhao, Hongtu Zhou, Hang Yu, Yanping Zhao, Chen Ye, Guang Chen · 2026-05-13

    The authors tackle reinforcement learning on long tasks with sparse rewards by letting an RL agent choose how far ahead to plan at each step. Instead of always executing fixed-length action sequences ("chunks"), their ACSAC system uses a Transformer-based critic to score different chunk sizes and picks whichever looks most promising in the current state. They prove this adaptive scheme still converges and show it beats fixed-chunk baselines on robotic manipulation benchmarks. **Main takeaways:** - Standard actor-critic methods struggle on long-horizon tasks because errors compound over many time steps. - Action chunking (executing multi-step plans) helps, but a fixed chunk size forces a trade-off: large chunks ignore new information, small chunks produce jerky behavior. - ACSAC evaluates chunks of different lengths with a causal Transformer and adaptively picks the best size at each decision point. - Experiments on OGBench manipulation tasks show state-of-the-art results in both offline RL and offline-to-online settings. - The authors provide a contraction-mapping proof that the adaptive Bellman operator has a unique fixed point.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, long, eval, lora, both. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11009v1 Announce Type: new Abstract: Long-horizon, sparse-reward tasks pose a fundamental challenge for reinforcement learning, since single-step TD learning suffers from bootstrapping error accumulation across successive Bellman updates. Actor-critic methods with action chunking address this by operating over temporally extended actions, which reduce the effective horizon, enable fast value backups, and support temporally consistent exploration. However, existing methods rely on a fixed chunk size and therefore cannot adaptively balance reactivity against temporal consistency. A large fixed chunk size reduces responsiveness to new observations, while a small one produces incoherent motions, forcing task-specific tuning of the chunk size. To address this limitation, we propose Adaptive Chunk Size Actor-Critic (ACSAC). ACSAC leverages a causal Transformer critic to evaluate expected returns for action chunks of different sizes. At each chunk boundary, it adaptively selects the chunk size that maximizes the expected return, supporting flexible, state-dependent chunk sizes without task-specific tuning. We prove that the ACSAC Bellman operator is a contraction whose unique fixed point is the action-value function of the adaptive policy. Experiments on OGBench demonstrate that ACSAC achieves state-of-the-art performance on long-horizon, sparse-reward manipulation tasks across both offline RL and offline-to-online RL settings.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation.

  85. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11005unread

    DisagMoE: Computation-Communication overlapped MoE Training via Disaggregated AF-Pipe Parallelism

    Zhichen Zeng, Chi-Chih Chang, Jiayi Wang, Zezhou Wang, Ningxin Zheng, Zheng Zhong, Cesar A. Stuardo, Dongyang Wang, Mohamed S. Abdelfattah, Haibin Lin, Banghua Zhu, Ang Li, Ziheng Jiang · 2026-05-13

    The authors design DisagMoE, a system for training mixture-of-experts (MoE) LLMs more efficiently by separating attention and expert (feed-forward) layers onto different GPU groups and pipelining their communication. Standard expert-parallelism training hits network bottlenecks because all-to-all communication (routing tokens to different experts across nodes) doesn't overlap well with computation. DisagMoE disaggregates the model so attention and FFN layers run on disjoint hardware, uses a multi-stage pipeline with unidirectional communication, and balances computation-to-communication ratios across the groups. On 16-node H800 clusters, DisagMoE delivers up to 1.8× training speedup. **Main takeaways:** - MoE models scale by activating only a subset of experts per token, but training them with expert parallelism causes severe all-to-all communication stalls. - Prior overlap techniques can't fully hide communication because attention and FFN layers have different computation-to-communication ratios. - DisagMoE splits attention and FFN onto separate GPU groups, uses a unidirectional many-to-many pipeline, and applies a roofline model to allocate bandwidth optimally. - Implemented in Megatron-LM, DisagMoE achieves up to 1.8× speedup on multi-node clusters. - The method is purely about distributed training infrastructure, not model behavior or alignment.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, attention, system, implement. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11005v1 Announce Type: new Abstract: Mixture-of-experts (MoE) architectures enable trillion-parameter LLMs with sparsely activated experts. Expert parallelism (EP) is a widely adopted MoE training strategy, but it suffers from severe all-to-all communication bottlenecks, which is exaggerated by the limited inter-node network bandwidth as the growing model size requires distributing experts across GPU nodes. Prior work focused on overlapping these all-to-all communications with feed-forward network (FFN) and self-attention computations, which often leaves residual network-bound stalls due to inherent imbalance in attention and FFN layers' computation-communication ratios. We present DisagMoE, a disaggregated MoE training system that jointly optimizes model placement and scheduling for maximal efficiency. DisagMoE separates attention and FFN layers into disjoint GPU groups, introduces a multi-stage pipeline with uni-directional, many-to-many communications, and employs a computation-communication roofline model to balance GPU and network bandwidth allocation among the attention and FFN groups. DisagMoE is implemented on Megatron-LM, and evaluation shows that DisagMoE improves training efficiency across multiple MoE models with up to 1.8x speedup on 16-node 8xH800 clusters.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.

  86. score 100arxiv cs.LG (Machine Learning)arxiv:2605.11001unread

    Finite Volume-Informed Neural Network Framework for 2D Shallow Water Equations: Rugged Loss Landscapes and the Importance of Data Guidance

    Xiaofeng Liu · 2026-05-13

    The author develops a physics-informed neural network (PINN) for the shallow water equations (used in flood modeling) by replacing the usual point-wise PDE residual with a finite-volume (FVM) loss computed on an unstructured mesh. The main finding is that training on physics alone often collapses to a trivial "no flow" solution because the FVM loss landscape has a shallow basin near zero momentum. Adding even a small amount of real data (50–200 scattered measurements) breaks the degeneracy: the gap between the trivial solution's loss and the true solution's loss jumps from 7× to 310×, and prediction error drops by 7–22×. The framework is demonstrated on a 2D benchmark and a real Savannah River reach. **Main takeaways:** - Standard strong-form PINNs can't handle discontinuities or enforce conservation for shallow water equations; the author uses a differentiable finite-volume Riemann solver instead. - Physics-only training frequently gets stuck in a low-momentum state that nearly satisfies the FVM loss but doesn't match real flow. - Loss-landscape analysis shows the trivial solution sits in a shallow basin; sparse data (e.g., 200 velocity measurements) deepens the basin around the correct solution by 44×. - On a 2D channel benchmark, just 50 data points cut velocity error by 7×; 200 points yield a 22× improvement over physics-only. - The FVM-PINN loss contributes most in the sparse-data regime (≈23% error reduction) and becomes neutral when dense reference data is available.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, trained, collapse, fail, when. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.11001v1 Announce Type: new Abstract: Physics-informed neural networks (PINNs) are a simple surrogate-modelling paradigm for partial differential equations, but their standard strong-form residual formulation is ill suited to the shallow water equations (SWE). It cannot enforce local conservation, handle discontinuities, or leverage the boundary-conforming unstructured meshes used in real-world applications. We introduce ``Data-Guided FVM-PINN'', a framework that replaces the strong-form residual with a differentiable, well-balanced Roe Riemann-solver finite-volume (FVM) loss evaluated on unstructured meshes. The major finding is that physics-only FVM-PINN training often fails on realistic 2D problems: the network collapses to a trivial low-momentum state that nearly satisfies the FVM-PINN residual but bears no resemblance to the true flow. A loss-landscape diagnostic shows that the FVM-PINN loss at zero momentum is only about $7\times$ larger than at the trained solution, a shallow basin that an ordinary optimizer falls into; adding even sparse data turns this into a $310\times$ separation, breaking the degeneracy. On a 2D block-in-channel benchmark, just $200$ random velocity measurements drop the velocity-field $L_2$ error by $22\times$ versus physics-only; $50$ measurements still deliver a $7\times$ reduction. A controlled ablation isolates the contribution of the FVM-PINN loss: it reduces velocity-field $L_2$ by $\sim$$23\%$ in the sparse-data regime and is essentially neutral when dense reference data is available. On a real-world Savannah River reach ($1306$ cells, $3600$~s simulation, five Manning zones), the framework constructs an accurate surrogate from SRH-2D anchor data, with time-window decomposition reducing error monotonically via progressive initial-condition handoff.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  87. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10999unread

    SkillGen: Verified Inference-Time Agent Skill Synthesis

    Yuchen Ma, Yue Huang, Han Bao, Haomin Zhuang, Swadheen Shukla, Michel Galley, Xiangliang Zhang, Stefan Feuerriegel · 2026-05-13

    SkillGen is a system that automatically extracts reusable "skills" (auditable procedures) from an LLM agent's successful and failed trajectories. Rather than just summarizing what worked, it contrasts successes against failures to identify reliable patterns, common failure modes, and missing steps. It then generates candidate skill descriptions, iteratively refines them, and verifies each skill by running the same instances with and without the skill to measure net improvement (accounting for both fixes and regressions). Experiments show SkillGen consistently improves held-out performance, beats summarization baselines, and produces skills that transfer across models. **Main takeaways:** - Most agent skills are still hand-written; SkillGen synthesizes them automatically from execution traces. - The system uses contrastive induction: comparing successful and failed trajectories to find reusable success patterns and recurring failure modes. - Skills are human-readable artifacts that can be inspected before deployment, not opaque learned weights. - A key novelty is modeling skills as interventions: SkillGen tests the same instances with and without the skill to measure repairs (fixed failures) minus regressions (broken successes). - Across multiple agents and datasets, SkillGen outperforms existing skill-generation baselines and produces skills that transfer to different base models.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, candidate, output, base, same, baseline, both, fail. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10999v1 Announce Type: new Abstract: Skills are a promising way to improve LLM agent capabilities without retraining, while keeping the added procedure reusable and controllable. However, high-quality skills are still largely written by hand. We introduce SkillGen, a multi-agent framework that synthesizes a single auditable skill from trajectories generated by a base agent. The output is a human-readable artifact that can be inspected before use. Rather than merely summarizing trajectories, SkillGen leverages contrastive induction over both successful and failed trajectories to identify reusable success patterns, recurring failure modes, and behaviors that appear in nearby successes but are missing from failures. SkillGen then generates candidate skills and iteratively refines the skill. A key novelty in SkillGen is that we model agent skills as interventions to empirically verify the net effect of skills on the overall performance. Specifically, we compare outcomes on the same instances with and without the skill, so that we account for both repairs (cases where the skill fixes a baseline failure) and regressions (cases where the skill breaks a baseline success). Across a broad range of agents and datasets, SkillGen consistently improves held-out performance, outperforms existing skill-generation baselines, and produces skills that transfer across models.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, failures.

  88. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10991unread

    Test-Time Personalization: A Diagnostic Framework and Probabilistic Fix for Scaling Failures

    Linhai Zhang, Yulan He · 2026-05-13

    The authors study test-time scaling for personalized language generation: sample N outputs from a personalized policy model and pick the best with a personalized reward model. They prove that oracle selection (always picking the true-best candidate) yields logarithmic utility growth in N, but standard reward models fail to realize this. They derive a unified scaling law that decomposes any reward model's Best-of-N curve into four measurable terms and reveals two failure modes — user-level collapse (constant predictions for some users) and query-level reward hacking (negative correlation with quality for some queries). They then propose a probabilistic reward model that learns per-user, per-query variance to mitigate both failure modes, and show consistent test-time scaling across multiple policy models and personalized text tasks. **Main takeaways:** - Test-time personalization can scale by sampling many candidates and reranking, but only if the reward model is good enough. - Oracle selection achieves log(N) utility growth; the authors prove this is the theoretical ceiling. - A new scaling law decomposes Best-of-N performance into four quantities and identifies user-level collapse and query-level reward hacking as the key failure modes. - A probabilistic reward model that outputs per-prediction variance successfully mitigates both failure modes. - Experiments confirm the framework: test-time scaling works across policy models and personalized generation tasks when guided by the proposed reward model.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: persona, candidates, candidate, long, collapse, both, fail, predict. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10991v1 Announce Type: new Abstract: Existing approaches to LLM personalization focus on constructing better personalized models or inputs, while treating inference as a single-shot process. In this work, we study Test-Time Personalization (TTP) along an unexplored axis: scaling inference-time computation by sampling N candidates from a personalized policy model and selecting the best with a personalized reward model. We prove that oracle selection yields expected utility growing logarithmically with the number of sampled candidates, establishing a theoretical ceiling for test-time scaling. However, standard reward models fail to realize this potential. To diagnose why, we derive a unified scaling law that decomposes any reward model's Best-of-N curve into four measurable quantities and reveals two failure modes, user-level collapse (near-constant prediction for some users) and query-level reward hacking (negative correlation with true quality for some queries). Guided by this law, we propose a probabilistic personalized reward model whose learned variance effectively mitigates both failure modes. Experiments confirm both elements of our framework: TTP delivers consistent scaling across multiple policy models and personalized text generation tasks, and our scaling law closely matches observed scaling curves across reward-model variants.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, negative.

  89. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10989unread

    SURGE: Surrogate Gradient Adaptation in Binary Neural Networks

    Haoyu Huang, Boyu Liu, Linlin Yang, Yanjing Li, Yuguang Yang, Xuhui Liu, Canyu Chen, Zhongqian Fu, Baochang Zhang · 2026-05-13

    SURGE tackles the gradient-mismatch problem in training binary neural networks (BNNs), where weights and activations are constrained to ±1. The standard Straight-Through Estimator (STE) approximates the gradient of the non-differentiable sign function with a surrogate, but this causes gradient mismatch and information loss. SURGE introduces a learnable gradient-compensation framework: for each binarized layer, it adds a parallel full-precision auxiliary branch and decomposes the output so gradients flow through both paths. The full-precision branch estimates higher-order gradient terms beyond STE's first-order approximation, and an adaptive scaler balances the two gradient streams. Experiments on image classification, object detection, and language tasks show SURGE outperforms state-of-the-art BNN training methods. **Main takeaways:** - BNN training relies on gradient approximations because the sign function is non-differentiable; STE and its variants suffer from gradient mismatch and fixed-range clipping. - SURGE adds a parallel full-precision branch for each binarized layer, allowing gradients to flow through both binarized and full-precision paths. - The Dual-Path Gradient Compensator (DPGC) decomposes outputs to decouple gradient flow; the full-precision branch captures components STE's first-order approximation misses. - An Adaptive Gradient Scaler (AGS) dynamically balances gradient contributions from the two branches via norm-based scaling. - SURGE achieves state-of-the-art results on image classification, object detection, and language-understanding benchmarks.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, base, under, factor. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10989v1 Announce Type: new Abstract: The training of Binary Neural Networks (BNNs) is fundamentally based on gradient approximation for non-differentiable binarization operations (e.g., sign function). However, prevailing methods including the Straight-Through Estimator (STE) and its improved variants, rely on hand-crafted designs that suffer from gradient mismatch problem and information loss induced by fixed-range gradient clipping. To address this, we propose SURrogate GradiEnt Adaptation (SURGE), a novel learnable gradient compensation framework with theoretical grounding. SURGE mitigates gradient mismatch through auxiliary backpropagation. Specifically, we design a Dual-Path Gradient Compensator (DPGC) that constructs a parallel full-precision auxiliary branch for each binarized layer, decoupling gradient flow via output decomposition during backpropagation. DPGC enables bias-reduced gradient estimation by leveraging the full-precision branch to estimate components beyond STE's first-order approximation. To further enhance training stability, we introduce an Adaptive Gradient Scaler (AGS) based on an optimal scale factor to dynamically balance inter-branch gradient contributions via norm-based scaling. Experiments on image classification, object detection, and language understanding tasks demonstrate that SURGE performs best over state-of-the-art methods.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.

  90. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10987unread

    AESOP: Adversarial Execution-path Selection to Overload Deep Learning Pipelines

    Tingxi Li, Mingfang Ji, Ravishka Shemal Rathnasuriya, Simin Chen, Yitao Hu, Wei Yang · 2026-05-13

    The authors demonstrate a new adversarial attack on ML inference pipelines that route inputs through different models depending on upstream predictions (e.g., a classifier decides which specialist model to invoke next). Traditional adversarial examples target individual models, but AESOP exploits the pipeline structure itself: it crafts inputs that route through the most computationally expensive path, inflating compute costs by up to 2,407× compared to benign inputs. The attack works even when defenses like batching, buffering, and confidence thresholds are in place — forcing the system to choose between throughput collapse or massive data loss. **Main takeaways:** - Pipeline architectures create a new attack surface: adversarial examples can steer execution through expensive branches, not just fool individual models. - AESOP achieves 2,407× FLOPs inflation and 419× latency inflation in white-box settings; 58×/17× in gray-box (partial knowledge) settings. - Path-aware targeting is 20× more effective than strongest single-model baseline (2,407× vs. 117× FLOPs inflation). - System-level defenses don't neutralize the attack — they shift the failure mode to either throughput collapse (0.578 → 0.006 input/s) or 96.7% data loss to maintain throughput. - Highlights a fundamental efficiency-availability tradeoff in dynamic inference pipelines under adversarial conditions.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: eval, base, system, identical, under, collapse, baseline, predict. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10987v1 Announce Type: new Abstract: Modern machine learning deployments increasingly compose specialized models into dynamic inference pipelines, where upstream components produce intermediate predictions that determine the workload and inputs of downstream components. The cost of processing an input is therefore not determined by any single model, but by two coupled factors: the per-inference cost of each invoked component and its workload volume. Because these pipelines run under hard real-time constraints, efficiency is a fundamental requirement for system availability. We show that this structure creates an efficiency-attack surface that existing methods targeting single models cannot exploit: on identical inputs and budgets, path-aware targeting inflates FLOPs by $2,407\times$ while the strongest single-model baseline achieves $117\times$ -- a $20\times$ gap attributable entirely to where the attack is directed. We formalize this as the adversarial path-selection problem and present AESOP, a framework combining vulnerability-guided path ranking with adaptive loss weighting. We evaluate AESOP on five pipelines plus a production-realistic deployment variant with batching, bounded buffering, and confidence-threshold defenses. AESOP achieves up to $2,407\times$ FLOPs and $419\times$ latency inflation in white-box setting and 58$\times$ FLOPs / 17$\times$ latency in gray-box settings. Under system-level defenses, the attack is not neutralized but redirected: pipelines are forced to choose between throughput collapse ($0.578 \to 0.006$ input/s) and $96.7\%$ data loss to sustain throughput.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses adversarial.

  91. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10980unread

    LEAP: Unlocking dLLM Parallelism via Lookahead Early-Convergence Token Detection

    Haohui Zhang, Zhiye Wang, Xiaoying Gan, Xinbing Wang, Bo Jiang · 2026-05-13

    The authors speed up inference in diffusion language models (dLLMs) by identifying tokens that converge early in the denoising process but don't yet meet the usual confidence thresholds. Their LEAP method uses lookahead filtering (checking future denoising steps) and multi-sequence superposition to detect these early-converging tokens and decode them in parallel without waiting for high confidence. This reduces denoising steps by ~30% on average and achieves 7.2 tokens per step on GSM8K while preserving accuracy. **Main takeaways:** - Existing dLLM parallelism relies on high-confidence thresholds, which are overly conservative: many tokens converge correctly early but don't reach the threshold. - LEAP detects early-converging tokens by looking ahead at future denoising steps and checking alignment across multiple sequences. - Training-free, plug-and-play method that reduces average denoising steps by ~30% compared to confidence-based decoding. - On GSM8K, combines with dParallel to decode 7.2 tokens per step while preserving model precision. - Breaks the reliance on high-confidence priors, offering a new paradigm for parallel decoding in diffusion language models.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, tokens, attention, base, system, token, fail, predict. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10980v1 Announce Type: new Abstract: Diffusion Language Models (dLLMs) have garnered significant attention for their potential in highly parallel processing. The parallel capabilities of existing dLLMs stem from the assumption of conditional independence at high confidence levels, which ensures negligible discrepancy between the marginal and joint distributions. However, the stringent confidence thresholds required to preserve accuracy severely constrain the scalability of parallelism. Through systematic token-level statistical analysis, we reveal that a substantial proportion of tokens converge to their correct predictions early in the denoising process yet fail to reach standard confidence thresholds, confirming that current confidence-based criteria are overly conservative. In response, we introduce LEAP (Lookahead Early-Convergence Token Detection for Accelerated Parallel Decoding). LEAP is a training-free, plug-and-play method that leverages future context filtering and multi-sequence superposition to detect early-converging tokens. By validating the alignment between early convergence and correctness, we enable reliable early decoding of these tokens. Benchmarking across diverse domains demonstrates that LEAP significantly lowers inference latency and decoding steps. Compared to confidence-based decoding, the average number of denoising steps is reduced by about 30%. On the GSM8K dataset, combining LEAP with dParallel accelerates decoding to 7.2 tokens per step while preserving model precision. LEAP effectively breaks the reliance on high-confidence priors, offering a novel paradigm for parallel decoding.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

  92. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10975unread

    Hierarchical Multi-Scale Graph Neural Networks: Scalable Heterophilous Learning with Oversmoothing and Oversquashing Mitigation

    Md Sazzad Hossen, Avimanyu Sahoo · 2026-05-13

    The authors propose HMH (Hierarchical Multi-view HAAR), a graph neural network for heterophilous graphs — networks where connected nodes often have different labels, common in social networks and molecular data. Existing spectral GNNs struggle with heterophily because they blend signals from distant parts of the graph (oversmoothing) and are dominated by high-degree nodes (hubs). HMH builds a soft hierarchy of the graph, applies learnable spectral filters using sparse, orthonormal Haar wavelets at each level, then combines outputs back to the original graph via skip connections, preventing hub domination and long-range signal bottlenecks. **Main takeaways:** - Heterophilous graphs (adjacent nodes have different labels) are common but challenging for standard GNNs, which assume smoothness. - HMH constructs a hierarchy guided by feature- and structure-aware embeddings, then applies spectral filters using Haar wavelets at each level. - Haar basis is sparse, orthonormal, and locality-aware, avoiding the approximation errors of polynomial filters. - Skip-connection unpooling combines all hierarchical levels, preventing oversmoothing and oversquashing (long-range signal bottleneck). - Achieves up to 3% improvement on node classification and 7% on graph classification over state-of-the-art spectral baselines, with near-linear scalability.

    Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: output, long, eval, base, baseline, outputs, where. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10975v1 Announce Type: new Abstract: Graphs with heterophily, where adjacent nodes carry different labels, are prevalent in real-world applications, from social networks to molecular interactions. However, existing spectral Graph Neural Network (GNN) approaches tailored for heterophilous graph classification suffer from hub-dominated (node with large degree) aggregation and oversmoothing, as their suboptimal polynomial filters introduce approximation errors and blend distant signals. To address the degree-biased aggregation and suboptimal polynomial filtering, we introduce a Hierarchical Multi-view HAAR (HMH), a novel spectral graph-learning framework that scales in near-linear time . HMH first learns feature- and structure-aware signed affinities via a heterophily-aware encoder, then constructs a soft graph hierarchy guided by these embeddings. At each hierarchical level, HMH constructs a sparse, orthonormal, and locality-aware Haar basis to apply learnable spectral filters in the frequency domain. Finally, skip-connection unpooling layers combine outputs from all hierarchical levels back into the original graph, effectively preventing hub domination and long-range signal bottleneck (over-squashing). Experimentation shows that HMH outperforms state-of-the-art spectral baselines, achieving up to a 3% improvement on node classification and 7% points on graph classification datasets, all while maintaining linear scalability.

    Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses bias.

  93. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10971unread

    Steering Without Breaking: Mechanistically Informed Interventions for Discrete Diffusion Language Models

    Hanhan Zhou, Shamik Roy, Rashmi Gangadharaiah · 2026-05-13

    The authors study controlled text generation in discrete diffusion language models (DLMs), which generate text by denoising all positions in parallel rather than left-to-right. They find that applying steering interventions uniformly across all denoising steps degrades quality, especially when steering multiple attributes at once. Using sparse autoencoders trained on four DLMs, they discover that different attributes (topic, sentiment, etc.) "commit" at different points in the denoising schedule — topic solidifies in the first 2% of steps, while sentiment emerges gradually over 20%. They propose an adaptive scheduler that concentrates interventions only when each attribute is actively forming. **Main takeaways:** - Uniform steering at every denoising step in DLMs wastes effort on timesteps where the target attribute has already solidified or hasn't emerged yet, degrading generation quality. - Different attributes commit on distinct schedules: topic commits early (first 2% of denoising), sentiment commits gradually (over 20%). - An adaptive scheduler that intervenes only during attribute formation achieves up to 93% steering strength on three-attribute control, beating the best baseline by 15 points while preserving quality. - Sparse autoencoders trained on DLMs reveal when and how strongly different attributes emerge during generation. - The advantage of adaptive over uniform scheduling is governed by a single "dispersion statistic" of the commitment distribution, giving a closed-form cost-control trade-off.

    Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, baseline, fail, interventions, where, when. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10971v1 Announce Type: new Abstract: Discrete diffusion language models (DLMs) generate text by iteratively denoising all positions in parallel, offering an alternative to autoregressive models. Controlled generation methods for DLMs, imported from autoregressive models, apply uniform intervention at every denoising steps. We show this uniform schedule degrades quality, and the damage compounds when multiple attributes are steered jointly. To diagnose the failure, we train sparse autoencoders on four DLMs (124M-8B parameters) and find that different attributes commit on distinct schedules, varying in timing, sharpness, and magnitude. For instance, topic commits within the first 2\% of denoising, whereas sentiment emerges gradually over 20\% of the process. Consequently, uniform intervention wastes steering capacity on steps where the target attribute has already solidified or has yet to emerge. We propose a novel adaptive scheduler that concentrates interventions on the steps where an attribute is actively forming and leaves the rest of generation untouched. The cost-control trade-off admits a closed-form characterization: the advantage of adaptive over uniform scheduling is governed by a single dispersion statistic of the commitment distribution. Across four DLMs and seven steering tasks, our method achieves precise control without the degradation typical of uniform interventions. Especially on challenging simultaneous three-attribute control, it reaches up to 93\% steering strength, beating the strongest baseline by up to 15\% points while preserving generation quality.

    Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure.

  94. score 100arxiv cs.LG (Machine Learning)arxiv:2605.10959unread

    QuIDE: Mastering the Quantized Intelligence Trade-off via Active Optimization

    Xiantao Jiang · 2026-05-13

    The author proposes QuIDE, a single metric for evaluating quantized neural networks that combines compression ratio, accuracy, and latency into an "Intelligence Index" score. Experiments across six settings (MNIST, CIFAR, ImageNet, and Llama-3-8B) show that the optimal quantization bit-width is task-dependent: 4-bit is best for simple tasks and large LLMs, while 8-bit is optimal for complex CNN tasks where 4-bit post-training quantization causes catastrophic accuracy collapse. The metric includes an accuracy-gated variant that flags non-viable configurations. **Main takeaways:** - QuIDE collapses the compression-accuracy-latency trade-off into a single Intelligence Index score: I = (C × P) / log₂(T+1), where C is compression, P is performance, and T is latency. - 4-bit quantization is optimal for simple tasks (MNIST) and large LLMs (Llama-3-8B). - 8-bit quantization is the sweet spot for complex CNN tasks like ResNet-18 on ImageNet, where 4-bit post-training quantization causes accuracy collapse. - An accuracy-gated variant I' correctly flags non-viable configurations that the raw score would reward. - The metric provides a ready-to-use fitness function for automated mixed-precision search.

    Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Core question: interventions on persona space". Matching terms: eval, collapse, core, where. Source: arxiv cs.LG (Machine Learning).

    arXiv:2605.10959v1 Announce Type: new Abstract: There is currently no unified metric for evaluating the efficiency of quantized neural networks. We propose QuIDE, built around the Intelligence Index I = (C x P)/log_2(T+1), which collapses the compression-accuracy-latency trade-off into a single score. Experiments across six settings -- SimpleCNN (MNIST, CIFAR), ResNet-18 (ImageNet-1K), and Llama-3-8B -- show a task-dependent Pareto Knee. 4-bit quantization is optimal for MNIST and large LLMs, while 8-bit is the sweet spot for complex CNN tasks (ResNet-18 on ImageNet), where 4-bit PTQ collapses accuracy catastrophically. The accuracy-gated variant I' correctly flags these non-viable configurations that the raw I would reward. QuIDE provides a reproducible evaluation protocol and a ready-to-use fitness function for mixed-precision search.

    Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses evaluation.