Huan Zhang (UIUC)

Assistant Professor
University of Illinois Urbana-Champaign (UIUC)
Department of Electrical and Computer Engineering
Siebel School of Computing and Data Science (affiliated)
Coordinated Science Laboratory (affiliated)

Email: huan at huan-zhang dot com

Google Scholar
CV

Multiple openings available; see information below.


My research aims to build trustworthy AI systems that can be safely and reliably used in mission-critical tasks, using both formal and empirical approaches. I developed a novel formal verification framework for deep neural networks that scales to millions of neurons, based on an efficient linear bound propagation approach. My team at UIUC develops an award-winning open-source neural network verifier, α,β-CROWN, which has been used in various applications such as robotics, control, and power systems. In addition, I study the safety, robustness, and efficiency of a wide range of AI systems, including compact and certified models (e.g., neural network controllers), large frontier models (e.g., LLMs, VLMs), and agentic AI models (e.g., embodied agents). I am a recipient of the Schmidt Futures AI2050 Early Career Fellowship and a MathWorks research award.

Before joining UIUC, I obtained my PhD degree in Computer Science from UCLA in 2020 and my advisor was Prof. Cho-Jui Hsieh. I received my Bachelor's degree at Zhejiang University (ZJU) in 2012. During 2021 - 2023, I was a postdoctoral researcher at Carnegie Mellon University (CMU) with Prof. Zico Kolter.

Openings

I am looking for passionate students with strong technical backgrounds in machine learning, artificial intelligence, and their applications. Relevant experience in trustworthy machine learning, formal verification/certification, or AI safety/security is preferred but not required. For PhD applicants, please submit your application to the ECE and/or CS PhD programs and email me about your application. For postdocs, visiting students, or interns, please email your CV and a brief research statement.

Publications (“*” indicates equal contribution)

A more frequently updated list is available on Google Scholar.

Two‑Stage Learning of Stabilizing Neural Controllers via Zubov Sampling and Iterative Domain Expansion Haoyu Li, Xiangru Zhong, Bin Hu, Huan Zhang. NeurIPS 2025 (spotlight). (paper)

Abstract Rendering: Certified Rendering Under 3D Semantic Uncertainty Yangge Li, Chenxi Ji, Xiangru Zhong, Huan Zhang, Sayan Mitra. NeurIPS 2025 (spotlight) (paper)

Improving Data Efficiency for LLM Reinforcement Fine-tuning Through Difficulty-targeted Online Data Selection and Rollout Replay Yifan Sun, Jingyan Shen, Yibin Wang, Tianyu Chen, Zhendong Wang, Mingyuan Zhou, Huan Zhang. NeurIPS 2025. (paper)

Clip-and-Verify: Linear Constraint-Driven Domain Clipping for Accelerating Neural Network Verification Duo Zhou, Jorge Chavez, Hesun Chen, Grani A. Hanasusanto, Huan Zhang. NeurIPS 2025.

Training-Free Bayesianization for Low-Rank Adapters of Large Language Models Haizhou Shi, Yibin Wang, Ligong Han, Huan Zhang, Hao Wang. NeurIPS 2025. (paper)

GUI-Actor: Coordinate-Free Visual Grounding for GUI Agents Qianhui Wu, Kanzhi Cheng, Rui Yang, Chaoyun Zhang, Jianwei Yang, Huiqiang Jiang, Jian Mu, Baolin Peng, Bo Qiao, Reuben Tan, Si Qin, Lars Liden, Qingwei Lin, Huan Zhang, Tong Zhang, Jianbing Zhang, Dongmei Zhang, Jianfeng Gao. NeurIPS 2025. (paper)

Toward Engineering AGI: Benchmarking the Engineering Design Capabilities of LLMs The EngDesign Team. NeurIPS 2025 (Datasets and Benchmarks). (paper)

The Emperor’s New Clothes in Benchmarking? A Rigorous Examination of Mitigation Strategies for LLM Benchmark Data Contamination Yifan Sun, Han Wang, Dongbai Li, Gang Wang, Huan Zhang. ICML 2025. (paper)

EmbodiedBench: Comprehensive Benchmarking Multi-modal Large Language Models for Vision-Driven Embodied Agents Rui Yang, Hanyang Chen, Junyu Zhang, Mark Zhao, Cheng Qian, Kangrui Wang, Qineng Wang, Teja Venkat Koripella, Marziyeh Movahedi, Manling Li, Heng Ji, Huan Zhang, Tong Zhang. ICML 2025. (paper)

SDP-CROWN: Efficient Bound Propagation for Neural Network Verification with Tightness of Semidefinite Programming Hong-Ming Chiu, Hao Chen, Huan Zhang, Richard Y. Zhang. ICML 2025. (paper)

Steering Away from Harm: An Adaptive Approach to Defending Vision Language Model Against Jailbreaks Han Wang, Gang Wang, Huan Zhang. CVPR 2025. (paper) (code)

Stealthy Backdoor Attack in Self-Supervised Learning Vision Encoders for Large Vision Language Models Zhaoyi Liu, Huan Zhang. CVPR 2025

Causal Composition Diffusion Model for Closed-loop Traffic Generation Haohong Lin, Xin Huang, Tung Phan-Minh, David S Hayden, Huan Zhang, Ding Zhao, Siddhartha Srinivasa, Eric M Wolff, Hongge Chen. CVPR 2025. (paper)

BaB-ND: Long-Horizon Motion Planning with Branch-and-Bound and Neural Dynamics Keyi Shen, Jiangwei Yu, Jose Barreiros, Huan Zhang, Yunzhu Li. ICLR 2025. (paper) (website)

DynaMath: A Dynamic Visual Benchmark for Evaluating Mathematical Reasoning Robustness of Vision Language Models Chengke Zou, Xingang Guo, Rui Yang, Junyu Zhang, Bin Hu, Huan Zhang. ICLR 2025. (paper) (project page) (Hugging Face)

Neural Network Verification with Branch-and-Bound for General Nonlinearities Zhouxing Shi, Qirui Jin, Zico Kolter, Suman Jana, Cho-Jui Hsieh, Huan Zhang. TACAS 2025. (paper) (code)

Reachability for Nonsmooth Systems with Lexicographic Jacobians Chenxi Ji, Huan Zhang, Sayan Mitra. TACAS 2025.

Scalable Neural Network Verification with Branch-and-bound Inferred Cutting Planes Duo Zhou, Christopher Brix, Grani A. Hanasusanto, Huan Zhang. NeurIPS 2024. (pdf)

Verified Safe Reinforcement Learning for Neural Network Dynamic Models Junlin Wu, Huan Zhang, Yevgeniy Vorobeychik. NeurIPS 2024. (paper)

Regularizing Hidden States Enables Learning Generalizable Reward Model for LLMs Rui Yang, Ruomeng Ding, Yong Lin, Huan Zhang, Tong Zhang. NeurIPS 2024. (paper)

NN4SysBench: Characterizing Neural Network Verification for Computer Systems Shuyi Lin, Haoyu He, Tianhao Wei, Kaidi Xu, Huan Zhang, Gagandeep Singh, Changliu Liu, Cheng Tan. NeurIPS 2024 (Datasets and Benchmarks). (to appear)

Lyapunov-stable Neural Control for State and Output Feedback: A Novel Formulation for Efficient Synthesis and Verification Lujie Yang*, Hongkai Dai*, Zhouxing Shi, Cho-Jui Hsieh, Russ Tedrake, and Huan Zhang. ICML 2024. (paper) (code)

COLD-Attack: Jailbreaking LLMs with Stealthiness and Controllability Xingang Guo*, Fangxu Yu*, Huan Zhang, Lianhui Qin, and Bin Hu. ICML 2024. (paper) (code)

Fine-grained Local Sensitivity Analysis of Standard Dot-Product Self-Attention Aaron J Havens, Alexandre Araujo, Huan Zhang, Bin Hu. ICML 2024. (paper)

TrustLLM: Trustworthiness in Large Language Models. ICML 2024. (The Trust-LLM Team).

Provably Bounding Neural Network Preimages. Suhas Kotha, Christopher Brix, Zico Kolter, Krishnamurthy Dvijotham*, Huan Zhang*. NeurIPS 2023 (Spotlight). (paper)

Robust Mixture-of-Expert Training for Convolutional Neural Networks. Yihua Zhang, Ruisi Cai, Tianlong Chen, Guanhua Zhang, Huan Zhang, Pin-Yu Chen, Shiyu Chang, Zhangyang Wang, Sijia Liu. ICCV 2023 (Oral)

DiffSmooth: Certifiably Robust Learning via Diffusion Models and Local Smoothing. Jiawei Zhang, Zhongzhu Chen, Huan Zhang, Chaowei Xiao, Bo Li. USENIX Security 2023.

Can Agents Run Relay Race with Strangers? Generalization of RL to Out-of-Distribution Trajectories, Li-Cheng Lan, Huan Zhang, Cho-Jui Hsieh. ICLR 2023.

On the Robustness of Safe Reinforcement Learning under Observational Perturbations, Zuxin Liu, Zijian Guo, Zhepeng Cen, Huan Zhang, Jie Tan, Bo Li, Ding Zhao. ICLR 2023.

General Cutting Planes for Bound-Propagation-Based Neural Network Verification, Huan Zhang*, Shiqi Wang*, Kaidi Xu*, Linyi Li, Bo Li, Suman Jana, Cho-Jui Hsieh, Zico Kolter. NeurIPS 2022. (code) (paper)

Are AlphaZero-like Agents Robust to Adversarial Perturbations?, Li-Cheng Lan, Huan Zhang, Ti-Rong Wu, Meng-Yu Tsai, I-Chen Wu, Cho-Jui Hsieh. NeurIPS 2022 (code) (paper).

Efficiently Computing Local Lipschitz Constants of Neural Networks via Bound Propagation, Zhouxing Shi, Yihan Wang, Huan Zhang, Zico Kolter, Cho-Jui Hsieh. NeurIPS 2022 (code) (paper).

δ-SAM: Sharpness-Aware Minimization with Dynamic Reweighting. Wenxuan Zhou, Fangyu Liu, Huan Zhang, Muhao Chen. Findings in EMNLP, 2022.

A Branch and Bound Framework for Stronger Adversarial Attacks of ReLU Networks, Huan Zhang*, Shiqi Wang*, Kaidi Xu, Yihan Wang, Suman Jana, Cho-Jui Hsieh, Zico Kolter. ICML 2022. (code) (paper)

Linearity Grafting: Relaxed Neuron Pruning Helps Certifiable Robustness, Tianlong Chen*, Huan Zhang*, Zhenyu Zhang, Shiyu Chang, Sijia Liu, Pin-Yu Chen, Zhangyang Wang. ICML 2022. (code) (paper)

ViP: Unified Certified Detection and Recovery for Patch Attack with Vision Transformers, Junbo Li, Huan Zhang, Cihang Xie. ECCV 2022.

COPA: Certifying Robust Policies for Offline Reinforcement Learning against Poisoning Attacks, Fan Wu, Linyi Li, Huan Zhang, Bhavya Kailkhura, Krishnaram Kenthapadi, Ding Zhao and Bo Li. ICLR 2022. (code) (paper)

Beta-CROWN: Efficient Bound Propagation with Per-neuron Split Constraints for Complete and Incomplete Neural Network Verification, Shiqi Wang*, Huan Zhang*, Kaidi Xu*, Xue Lin, Suman Jana, Cho-Jui Hsieh and Zico Kolter (* Equal contribution). NeurIPS 2021. (code) (paper)

Training Certifiably Robust Neural Networks with Efficient Local Lipschitz Bounds, Yujia Huang, Huan Zhang, Yuanyuan Shi, Zico Kolter and Anima Anandkumar. NeurIPS 2021.

Robustness between the worst and average case, Leslie Rice, Anna Bair, Huan Zhang and Zico Kolter. NeurIPS 2021.

Fast Certified Robust Training via Better Initialization and Shorter Warmup, Zhouxing Shi*, Yihan Wang*, Huan Zhang, Jinfeng Yi and Cho-Jui Hsieh. NeurIPS 2021. (code) (paper)

Double Perturbation: On the Robustness of Robustness and Counterfactual Bias Evaluation, Chong Zhang, Jieyu Zhao, Huan Zhang, Kai-Wei Chang, and Cho-Jui Hsieh. NAACL 2021. (code) (paper)

Robust Reinforcement Learning on State Observations with Learned Optimal Adversary, Huan Zhang*, Hongge Chen*, Duane Boning, Cho-Jui Hsieh. ICLR 2021. (code) (pdf)

Fast and Complete: Enabling Complete Neural Network Verification with Rapid and Massively Parallel Incomplete Verifiers, Kaidi Xu*, Huan Zhang*, Shiqi Wang, Yihan Wang, Suman Jana, Xue Lin, Cho-Jui Hsieh. ICLR 2021. (code) (pdf)

Robust Deep Reinforcement Learning against Adversarial Perturbations on State Observations. Huan Zhang*, Hongge Chen*, Chaowei Xiao, Bo Li, Duane Boning, Cho-Jui Hsieh. NeurIPS 2020 (spotlight). (code) (pdf)

Automatic Perturbation Analysis for Scalable Certified Robustness and Beyond. Kaidi Xu*, Zhouxing Shi*, Huan Zhang*, Yihan Wang, Minlie Huang, Kai-Wei Chang, Bhavya Kailkhura, Xue Lin, Cho-Jui Hsieh. NeurIPS 2020. (*Equal contribution) (code) (pdf)

An Efficient Adversarial Attack for Tree Ensembles. Chong Zhang, Huan Zhang, Cho-Jui Hsieh. NeurIPS 2020. (code) (paper)

Reducing Sentiment Bias in Language Models via Counterfactual Evaluation. Po-Sen Huang*, Huan Zhang*, Ray Jiang, Robert Stanforth, Johannes Welbl, Jack Rae, Vishal Maini, Dani Yogatama, Pushmeet Kohli. Findings in EMNLP 2020. (pdf)

On ℓₚ-norm Robustness of Ensemble Decision Stumps and Trees. Yihan Wang, Huan Zhang, Hongge Chen, Duane Boning and Cho-Jui Hsieh. ICML 2020. (code) (pdf)

Towards Stable and Efficient Training of Verifiably Robust Neural Networks. Huan Zhang, Hongge Chen, Chaowei Xiao, Sven Gowal, Robert Stanforth, Bo Li, Duane Boning, Cho-Jui Hsieh. ICLR 2020. (code) (pdf)

Robustness Verification for Transformers. Zhouxing Shi, Huan Zhang, Kai-Wei Chang, Minlie Huang, Cho-Jui Hsieh. ICLR 2020. (pdf)

MACER: Attack-free and Scalable Robust Training via Maximizing Certified Radius. Runtian Zhai, Chen Dan, Di He, Huan Zhang, Boqing Gong, Pradeep Ravikumar, Cho-Jui Hsieh, Liwei Wang. ICLR 2020. (pdf)

Seq2Sick: Evaluating the Robustness of Sequence-to-Sequence Models with Adversarial Examples. Minhao Cheng, Jinfeng Yi, Huan Zhang, Pin-Yu Chen, Cho-Jui Hsieh. AAAI 2020. (pdf)

Robustness Verification of Tree-based Models. Hongge Chen*, Huan Zhang*, Si Si, Yang Li, Duane Boning and Cho-Jui Hsieh (*Equal contribution). NeurIPS 2019. (code). (pdf)

A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks, Hadi Salman, Greg Yang, Huan Zhang, Cho-Jui Hsieh and Pengchuan Zhang. NeurIPS 2019. (code) (pdf)

Provably Robust Deep Learning via Adversarially Trained Smoothed Classifiers, Hadi Salman, Greg Yang, Jerry Li, Pengchuan Zhang, Huan Zhang, Ilya Razenshteyn, Sebastien Bubeck. NeurIPS 2019 (spotlight). (code) (pdf)

Evaluating Robustness of Deep Image Super-Resolution Against Adversarial Attacks. Jun-Ho Choi, Huan Zhang, Jun-Hyuk Kim, Cho-Jui Hsieh and Jong-Seok Lee. ICCV 2019. (pdf)

Second Rethinking of Network Pruning in the Adversarial Setting. Shaokai Ye, Kaidi Xu, Sijia Liu, Hao Cheng, Jan-Henrik Lambrechts, Huan Zhang, Aojun Zhou, Kaisheng Ma, Yanzhi Wang and Xue Lin. ICCV 2019. (pdf)

Robust Decision Trees Against Adversarial Examples, Hongge Chen, Huan Zhang, Duane Boning, Cho-Jui Hsieh. ICML 2019 (20-min long oral). (pdf)

The Limitations of Adversarial Training and the Blind-Spot Attack, Huan Zhang*, Hongge Chen*, Zhao Song, Duane Boning, Inderjit Dhillon, Cho-Jui Hsieh. ICLR 2019. (* Equal contribution) (pdf)

Query-Efficient Hard-label Black-box Attack: An Optimization-based Approach, Minhao Cheng, Thong Le, Pin-Yu Chen, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh. ICLR 2019. (pdf)

Structured Adversarial Attack: Towards General Implementation and Better Interpretability. Kaidi Xu*, Sijia Liu*, Pu Zhao*, Pin-Yu Chen, Huan Zhang, Quanfu Fan, Deniz Erdogmus, Yanzhi Wang, Xue Lin, ICLR 2019. (pdf)

RecurJac: An Efficient Recursive Algorithm for Bounding Jacobian Matrix of Neural Networks and Its Applications, Huan Zhang, Pengchuan Zhang, Cho-Jui Hsieh. AAAI 2019. (pdf) (reference implementation) (slides)

AutoZOOM: Autoencoder-based Zeroth Order Optimization Method for Attacking Black-box Neural Networks, Chun-Chen Tu, Paishun Ting, Pin-Yu Chen, Sijia Liu, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh, Shin-Ming Cheng. AAAI 2019. (pdf)

Efficient Neural Network Robustness Certification with General Activation Functions, Huan Zhang*, Tsui-Wei Weng*, Pin-Yu Chen, Cho-Jui Hsieh, Luca Daniel. (* Equal contribution). NIPS 2018. (pdf) (reference implementation)

Is Robustness the Cost of Accuracy? Lessons Learned from 18 Deep Image Classifiers, Dong Su*, Huan Zhang*, Hongge Chen, Jinfeng Yi, Pin-Yu Chen, Yupeng Gao. (* Equal contribution). ECCV 2018. (pdf) (code)

Towards Robust Neural Networks via Random Self-ensemble, Xuanqing Liu, Minhao Cheng, Huan Zhang, Cho-Jui Hsieh. ECCV 2018. (pdf)

Realtime query completion via deep language models, Po-Wei Wang, Huan Zhang, Vijai Mohan, Inderjit S. Dhillon and J. Zico Kolter. SIGIR Workshop On eCommerce, 2018. (pdf) (code)

Towards Fast Computation of Certified Robustness for ReLU Networks, Tsui-Wei Weng*, Huan Zhang*, Hongge Chen, Zhao Song, Cho-Jui Hsieh, Duane Boning, Inderjit S. Dhillon, Luca Daniel. (* Equal contribution). ICML 2018 (pdf) (reference implementation)

Attacking Visual Language Grounding with Adversarial Examples: A Case Study on Neural Image Captioning. Hongge Chen*, Huan Zhang*, Pin-Yu Chen, Jinfeng Yi and Cho-Jui Hsieh (* Equal contribution). ACL 2018 (pdf) (code).

Evaluating the Robustness of Neural Networks: An Extreme Value Theory Approach, Tsui-Wei Weng*, Huan Zhang*, Pin-Yu Chen, Jinfeng Yi, Dong Su, Yupeng Gao, Cho-Jui Hsieh, Luca Daniel (* Equal contribution). ICLR 2018 (pdf) (code)

EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples, Pin-Yu Chen*, Yash Sharma*, Huan Zhang, Jinfeng Yi and Cho-Jui Hsieh. AAAI 2018. (pdf) (code)

ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks without Training Substitute Models, Pin-Yu Chen*, Huan Zhang*, Yash Sharma, Jinfeng Yi, Cho-Jui Hsieh. (* Equal contribution) ACM Conference on Computer and Communications Security (CCS) Workshop on Artificial Intelligence and Security (AISec), 2017. (pdf) (code)

GPU-acceleration for Large-scale Tree Boosting, Huan Zhang, Si Si, Cho-Jui Hsieh. SysML Conference, 2018. (pdf) (code)

Can Decentralized Algorithms Outperform Centralized Algorithms? A Case Study for Decentralized Parallel Stochastic Gradient Descent, Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu. NIPS 2017. (Oral paper) (pdf)

Gradient Boosted Decision Trees for High Dimensional Sparse Output, Si Si, Huan Zhang, Sathiya Keerthi, Dhruv Mahajan, Inderjit Dhillon, Cho-Jui Hsieh. ICML 2017. (pdf)

HogWild++: A New Mechanism for Decentralized Asynchronous Stochastic Gradient Descent, Huan Zhang, Cho-Jui Hsieh and Venkatesh Akella. ICDM 2016 (full-length paper). (pdf) (code)

Fixing the Convergence Problems in Parallel Asynchronous Dual Coordinate Descent, Huan Zhang, Cho-Jui Hsieh. ICDM 2016 (full-length paper). (pdf) (code)

Sublinear Time Orthogonal Tensor Decomposition, Zhao Song, David P. Woodruff and Huan Zhang. NIPS 2016. (pdf) (code)

A Comprehensive Linear Speedup Analysis for Asynchronous Stochastic Parallel Optimization from Zeroth-Order to First-Order, Xiangru Lian, Huan Zhang, Cho-Jui Hsieh, Yijun Huang, Ji Liu. NIPS 2016. (pdf)

Courses Taught

ECE 484, Principles of Safe Autonomy, Fall 2025

ECE/CS 584, Embedded and Cyberphysical System Verification, Spring 2025

ECE 598HZ, Advanced Topics in Machine Learning and Formal Methods, Fall 2024

ECE/CS 584, Embedded and Cyberphysical System Verification, Spring 2024

ECE 120, Introduction to Computing, Fall 2023

Current Students (incomplete)

Xiangru Zhong (PhD)

Haoyu Li (PhD)

Yifan Sun (PhD)

Han Wang (PhD)

Rui Yang (PhD, co-advised with Prof. Tong Zhang)

Anthony (Tony) Pineci (PhD)

Duo Zhou (MS)

Ruize Gao (MS)

Hesun Chen (MS)

Junyu Zhang (MS)

Mayank Hirani (MS)

Lei Huang (MS)

Junsheng Huang (MS)

Yuxi Chen (MS)

Recently graduated students include Jorge Chavez (MS), Keyi Shen (MS), Hao Chen (MS), Keyu Lu (MS).

Software

1. α,β-CROWN: An Efficient, Scalable and GPU Accelerated Neural Network Verifier

I lead the development of α,β-CROWN (alpha-beta-CROWN), an efficient and scalable neural network verification toolbox that won the highest total score in the 2nd and 3rd International Verification of Neural Network Competition (VNN-COMP 2021 and 2022).

2. auto_LiRPA: Automatic Linear Relaxation based Perturbation Analysis for Neural Networks

I lead the development of auto_LiRPA, an easy-to-use library capable of automatically giving provable bounds under input or weight perturbations for complex neural networks and other general computational functions.

3. LightGBM on GPU

LightGBM is a popular tree boosting package with high efficiency on large-scale datasets. I accelerated its decision tree construction process on GPUs with 7 to 8 times speedup. My code reaches production quality and has been merged into the LightGBM official repository.