Papers
Topics
Authors
Recent
Search
2000 character limit reached

Security Tensors: AI Safety & Screening

Updated 7 July 2026
  • Security tensors are a family of tensor abstractions that use trainable perturbations, selective encryption, and decomposition to enforce confidentiality, robustness, and privacy.
  • They protect models by transferring cross-modal safety in LVLMs, securing model state through sensitive tensor encryption, and enabling privacy-preserving, homomorphic computations.
  • Applications span AI safety, secure model deployment, robustness auditing, and electromagnetic screening, ensuring both digital and physical security across various domains.

“Security tensors” is not a single standardized construct. In current research, the phrase most explicitly denotes trainable input-level perturbations that transfer textual safety alignment to visual inputs in large visual-LLMs (LVLMs), but related work also treats tensors, TT cores, encrypted tensor objects, tensor-valued gradients, and electromagnetic tensor descriptors as the units on which confidentiality, integrity, robustness, privacy, or screening capability are enforced. This suggests a family of security-centric tensor abstractions rather than one canonically defined object (Li et al., 28 Jul 2025, Min et al., 24 Feb 2026, Benaissa et al., 2021, Han et al., 2024, Ledger et al., 2017).

1. Cross-modal safety transfer in LVLMs

In the most literal current usage, a security tensor is a trainable input-level perturbation for cross-modal safety transfer in LVLMs. The formulation introduces a universal perturbation δ\delta optimized to satisfy two goals simultaneously: benignness, so that harmless image-text queries remain largely unaffected, and security, so that harmful image-text queries are rejected. Two modality-specific variants are defined: a textual security tensor δtRn×d\delta_t \in \mathbb{R}^{n\times d}, implemented as learnable virtual tokens in embedding space, and a visual security tensor δv\delta_v, implemented as a learnable perturbation in preprocessed image space. For text-side deployment, δt\delta_t is inserted between image embeddings and text embeddings; for vision-side deployment, the perturbation is added after the model’s preprocessing function ϕ()\phi(\cdot), so that v~=v+δv\tilde v = v+\delta_v and the perturbed representation is then patch-embedded (Li et al., 28 Jul 2025).

The training procedure uses a curated dataset of 1,000 image-text queries with three parts. The Safety Activation set contains malicious image-text pairs paired with refusal responses sampled from a pool of refusal templates. The General Benign set contains harmless image-text pairs whose targets are the original LVLM outputs, so training uses distillation to preserve benign behavior. The Text Contrast Benign set contains benign image-text pairs whose text is deliberately made syntactically similar to the malicious prompts, with the purpose of preventing the tensor from relying on superficial prompt wording rather than visual evidence. The full optimization balances refusal on harmful inputs and preservation on benign inputs.

The mechanism is explicitly representational rather than parametric: it does not modify model weights and does not post-process output text. Instead, it is trained to activate the language module’s existing textual “safety layers” when harmful information arrives through images. Hidden-layer analysis on LLaMA-3.2-11B-Vision shows that for text-only inputs the relevant layerwise divergence appears around layers 9–20, whereas harmful image-text inputs do not naturally engage those layers; after inserting δv\delta_v or δt\delta_t, the gap between benign and malicious curves reappears, especially in layers 9–20, which the paper terms the Security Tensor Activation layers. Empirically, Harmless Rate improves from 24.84 to 84.23 with ST-δv\delta_v and to 81.89 with ST-δt\delta_t on LLaMA-3.2-11B-Vision; from 18.95 to 64.54 and 65.56 on Qwen-VL-Chat; and from 7.70 to 49.51 and 51.98 on LLaVA-1.5. Benign degradation remains small: for example, on LLaMA-3.2-11B-Vision, ST-δtRn×d\delta_t \in \mathbb{R}^{n\times d}0 reaches an FRR of 0.50 versus the base model’s 0.25, and MM-Vet scores remain near baseline. An ablation removing the Text Contrast Benign set yields FRR values often above 90% on TCB-style benign queries, indicating severe over-rejection.

2. Selective encryption and shielding of critical model tensors

A second major line of work treats tensors as model state whose security relevance is nonuniform. TT-SEAL addresses cloud-edge AI settings in which tensor-train-decomposed (TTD) networks are stored in off-chip DRAM and transferred over exposed buses, while the deployed model can still be queried as an oracle. The security objective is to protect TTD-compressed model parameters against transfer-based adversarial attacks and related model-stealing or reverse-engineering risk by encrypting only a minimal subset of TT cores. The formal target is to find the smallest set δtRn×d\delta_t \in \mathbb{R}^{n\times d}1 such that δtRn×d\delta_t \in \mathbb{R}^{n\times d}2 with δtRn×d\delta_t \in \mathbb{R}^{n\times d}3, while minimizing encryption cost δtRn×d\delta_t \in \mathbb{R}^{n\times d}4. TT-SEAL ranks TT cores using a sensitivity-based importance score

δtRn×d\delta_t \in \mathbb{R}^{n\times d}5

calibrates a one-time robustness threshold δtRn×d\delta_t \in \mathbb{R}^{n\times d}6 by binary search over sorted prefixes, and then solves a 0–1 knapsack-like optimization to select the minimum-cost subset of cores whose cumulative importance reaches the threshold. The paper reports δtRn×d\delta_t \in \mathbb{R}^{n\times d}7 for ResNet-18, δtRn×d\delta_t \in \mathbb{R}^{n\times d}8 for MobileNetV2, and δtRn×d\delta_t \in \mathbb{R}^{n\times d}9 for VGG-16. It also shows why dense-model selective-encryption methods do not transfer directly: in dense ResNet-18, about 50% encrypted weights was enough to approach black-box robustness, whereas for TTD-compressed ResNet-18 even encrypting more than 90% still failed to match the black-box baseline. On CIFAR-10, under JBDA substitute training and I-FGSM-centered evaluation on a Genesys2 Kintex-7 FPGA at 100 MHz, TT-SEAL matches black-box robustness while encrypting 89,685 parameters (4.89%) for ResNet-18, 71,268 parameters (15.92%) for MobileNetV2, and 97,513 parameters (6.46%) for VGG-16; the average absolute TH–B-B transfer-ratio difference is about 0.2%, the maximum is 1.5%, and AES decryption’s share of end-to-end latency drops from 58% to 2.76% on ResNet-18, 41.8% to 6.15% on MobileNetV2, and 39% to 2.42% on VGG-16 (Min et al., 24 Feb 2026).

A closely related deployment perspective appears in the on-device inference framework also named TensorShield. There, the attacker controls the REE and the goals are to defend against model stealing and membership inference attacks without placing the entire model inside a TEE. The central claim is that attack success depends disproportionately on a small number of tensors that encode the model’s decision capability or membership-sensitive features. TensorShield therefore scores tensors with an XAI-based criticality metric combining a gradient-based intrinsic tensor-importance term with an attention-transition term derived from Grad-CAM cosine dissimilarity between the victim model and a public pretrained model. For membership leakage, it ranks intermediate features by Jensen-Shannon divergence between member and non-member feature distributions and masks only the critical ones. Placement is latency-aware: some critical tensors execute inside the TEE, others outside in the REE under obfuscation, and only selected features crossing the boundary are masked. The reported result is near-equivalence to full-model shielding—MS accuracy at 1.03× of full shielding and MIA accuracy at 1.00× of full shielding—while being up to 25.35× faster than GroupCover and 16.89× faster than Occlumency, with average speedups of 5.85× and 4.32× respectively, substantial energy reductions, and no accuracy loss (Sun et al., 28 May 2025).

3. Encrypted tensor operations and confidential execution substrates

Another usage of secure tensor methodology centers on confidential computation over tensor objects themselves. TenSEAL is an open-source library for privacy-preserving machine learning using homomorphic encryption, designed as a practical bridge between standard ML frameworks and encrypted tensor computation. It relies on the CKKS scheme, and its main abstractions are a TenSEAL context, PlainTensor, and EncryptedTensor objects such as CKKSVector and CKKSTensor. CKKSVector holds δv\delta_v0 real values in a single ciphertext; CKKSTensor represents an δv\delta_v1-dimensional tensor as a tensor of ciphertexts, with one axis optionally batched into the CKKS slots. Supported operations include negate, square, power, add, sub, mul, dot_product, polyval, matmul_plain, and conv2d_im2col. For encrypted CNN inference, the input image is converted into a matrix of convolution windows as rows, flattened via a vertical scan, and encrypted into one ciphertext; the resulting encrypted convolution requires one elementwise multiplication plus δv\delta_v2 rotations and additions, but stacking two convolutions is not possible because reorganizing ciphertext slots is not trivial. On MNIST, using polynomial modulus degree 8192, coefficient modulus 206 bits, and scale 21 bits to support 6 multiplications at 128-bit security, the encrypted CNN reaches 97.4% test accuracy versus 97.7% in plaintext, runs in 887.06 ms on 16 vCPUs, and requires 427 KB total communication (Benaissa et al., 2021).

TensorSCONE addresses a different confidentiality model: secure execution of TensorFlow workloads inside Intel SGX enclaves in an untrusted cloud. It integrates TensorFlow with SCONE, providing network and file-system shields, user-level threading, asynchronous system calls, remote attestation support, and Docker-based deployment. The intended guarantees are confidentiality, integrity, freshness, and memory safety, while the threat model includes an adversary controlling the OS, hypervisor, and host runtime and performing physical memory probes; denial of service and side-channel attacks such as cache timing, speculative-execution leakage, and memory-access-pattern leakage are explicitly out of scope. TensorSCONE supports training through the full TensorFlow C++ API and classification through TensorFlow Lite, with data, parameters, gradients, and intermediate tensors protected while resident in the enclave and protected on disk or over the network via the file-system and network shields. In the reported Inception-v4 classification benchmark on 1,000 images, SGX hardware mode reaches throughput 0.848 sδv\delta_v3, about 32% of native glibc throughput 2.685 sδv\delta_v4, with much of the slowdown attributed to EPC pressure and paging; file-system-shield overhead is only about 1–2%. In the CIFAR-10 training benchmark, hardware SGX mode incurs roughly a 4× slowdown relative to native execution, while accuracy reaches about 80% after 10,000 steps and can reach 87% with more training (Kunkel et al., 2019).

4. Tensor-granularity trusted execution in heterogeneous systems

TensorTEE makes tensor granularity the organizing principle of a heterogeneous CPU–NPU TEE. Its threat model places only on-chip hardware of the CPU, NPU, and caches inside the trusted computing base; off-chip host memory and NPU GDDR are outside trust and may be read, modified, replayed, or bus-snooped by an adversary controlling the OS or privileged software. The paper does not try to defend against timing, power, EM, DoS, or model-extraction attacks. Within this model, TensorTEE provides confidentiality for tensor data in off-chip memory via encryption, freshness via version numbers, and integrity via MACs. The CPU-side mechanism, TenAnalyzer, sits in the memory controller, detects tensor structure on-chip without software annotation, and maintains a Meta Table with shared metadata for all cachelines in a tensor. The reading path distinguishes hit in, hit boundary, and miss cases. On the NPU side, TensorTEE replaces cacheline-granularity MAC handling with tensor-wise MAC management and delayed verification, computing

δv\delta_v5

keeping MACs on-chip, and using poison tracing plus a verification barrier so that tampered data cannot leave the NPU enclave before verification. Because CPU and NPU now share tensor granularity, direct ciphertext transfer becomes possible through a trusted encrypted metadata channel and a direct ciphertext data channel. The reported results show 4.0× average end-to-end performance improvement over an SGX-like CPU TEE plus an MGX-like NPU TEE, up to 5.5× in some settings, only 2.1% overhead relative to non-secure training, about 2.5% MAC-related overhead on the NPU side, and 18.7× improvement in gradient-transfer performance (Han et al., 2024).

SecureInfer applies a related principle to LLM deployment on a heterogeneous SGX–GPU platform. Its security goal is to protect full model weights, fine-tuned parameters, LoRA adapters, attention activations, intermediate token embeddings, and output logits against model-extraction attacks while still exploiting GPU acceleration. The paper partitions by sensitivity and computational intensity. The abstract lists non-linear layers, projection of attention head, FNN transformations, and LoRA adapters as SGX-resident security-sensitive components; the implementation table places Linear (Q/K/V) projections, attention multiply, Linear (FFN), and LoRA adapters inside SGX, while EmbeddingLayer, SiLU/ReLU, Add/Multiply, and IdentityLayer are offloaded to the GPU, and the CPU handles input/output. Tensors leaving the enclave are protected with lightweight XOR-based encryption for untrusted-memory storage and OTP-style masking for cross-domain transfer; large tensors are chunked to fit enclave buffer limits. On a prototype using a customized 4-layer decoder-only LLaMA-2 with 32 attention heads, fixed prompt length 300, batch size 1, and output capped at 50 tokens, SecureInfer reports TTFT 122.70 ms, TBT 118.37 ms, 8.44 tokens/s, and total inference time 5.92 s, versus 563.64 ms TTFT, 553.30 ms TBT, 1.81 tokens/s, and 27.68 s for TEE-only execution. The paper summarizes this as about 4.7× speedup over TEE-only and about 2.06× latency overhead relative to GPU-only, while black-box extraction quality degrades to BLEU scores below 0.12 and token match 0.5643 (Nayan et al., 22 Oct 2025).

5. Tensor decomposition for robustness, auditing, and parameter obfuscation

Several works use tensor structure not to encrypt data but to reshape vulnerability surfaces. TensorShield, in its earlier adversarial-defense formulation, uses low-rank tensor decomposition as a preprocessing step for image classification. RGB images are represented as 3-mode tensors δv\delta_v6 or as 4-mode tensors δv\delta_v7 for batches, and the main defense is Tensor-Train decomposition with small TT ranks followed by reconstruction before classification by ResNet-v2 50. The rationale is that adversarial perturbations often occupy high-frequency or high-rank components, whereas low-rank tensor reconstruction retains dominant structured content. On 1,000 attacked ImageNet images with δv\delta_v8, a TT 4-mode configuration with batch size 5 and rank δv\delta_v9 reaches 51.53 under PGD, 43.59 under FGSM, and 50.46 under I-FGSM, compared with 44.60, 29.40, and 38.60 for SLQ; the paper reports that TensorShield outperforms SLQ by about 14% against FGSM while keeping comparable speed (Entezari et al., 2020).

“Defensive tensorization” shifts the defense from input preprocessing to latent network parameterization. It factorizes a convolutional kernel tensor δt\delta_t0 into a Tucker core and factor matrices, then applies tensor dropout in the latent subspace. The randomized dense reconstructed weights are

δt\delta_t1

with Bernoulli sketching matrices acting on the latent dimensions. The defense is intended to preserve dense computation while injecting stochasticity in a latent factor space, and it can be combined with adversarial training. On CIFAR-10 without adversarial training, for δt\delta_t2, FGSM accuracy at δt\delta_t3 rises from 12.7% in the baseline to 60.3%, BIM rises from 0% to 42.4%, PGD rises from 0% to 34.3%, and AutoAttack reaches 37.5%; with PGD adversarial training, the tensorized model further improves to FGSM accuracies 86.5/81.4/70.1% and PGD accuracies 84.9/75.4/59.8% for δt\delta_t4 across the reported perturbation settings (Bulat et al., 2021).

TEN-GUARD turns tensor decomposition into a model-auditing primitive for backdoor detection. It extracts hidden-layer activations—best results were obtained using only the final-layer activations—projects them to a fixed-size representation δt\delta_t5 by random projection, and then applies Independent Vector Analysis or PARAFAC2 across multiple models. Detection is based on Pearson correlation, two-sample δt\delta_t6-tests with δt\delta_t7, and Bonferroni correction; a model is classified as backdoored if it has at least one significant correlation with a known backdoored model. Across MNIST, CIFAR-10, and NIST TrojAI benchmarks, PARAFAC2 consistently outperforms IVA. Reported accuracies are 0.92 on MNIST and 0.88 on CIFAR-10 for PARAFAC2, and computation times are 178–241 s for PARAFAC2 and 161–213 s for IVA, substantially below optimization-heavy baselines such as Neural Cleanse, ABS, ULP, and K-Arm (Hossain et al., 2024).

Tensorization has also been proposed as a privacy-oriented model reparameterization. The TT-RSS method reconstructs a functionally similar Tensor Train from black-box access to a target model using sketching, pivot selection, SVD-based trimming, system forming, and least-squares solving of modified core-determining equations. Privacy enters through gauge freedom: TT cores can be reparameterized as

δt\delta_t8

with orthogonal or unitary δt\delta_t9, preserving the input-output map while randomizing internal parameters. The resulting “Private-TT” is explicitly described as practical obfuscation rather than differential privacy. In the reported CommonVoice accent-imbalance attack, white-box logistic-regression attacks on ordinary neural networks achieve nearly 100% accuracy, whereas on Private-TTs they drop to about 50%, essentially random guessing (Monturiol et al., 10 Jan 2025).

6. Local differential privacy for tensor-valued distributed data

Whereas the preceding tensorization work is not a formal privacy guarantee, TLDP is presented as a tensor-specific local differential privacy mechanism for distributed systems. The setting assumes a user holding a sensitive tensor ϕ()\phi(\cdot)0 and perturbing it locally before transmission to an untrusted server. The paper argues that scalar or matrix LDP mechanisms are insufficient because a tensor is not just a bag of independent entries, flattening destroys multiway relationships, and adding noise to every component scales poorly with tensor size. TLDP therefore applies a randomized-response-style decision to each component: with retaining probability ϕ()\phi(\cdot)1, the original value is preserved; otherwise Laplace or Gaussian noise is added, yielding ϕ()\phi(\cdot)2 with ϕ()\phi(\cdot)3 or ϕ()\phi(\cdot)4. The tensor-LDP definition is

ϕ()\phi(\cdot)5

A weighted variant introduces a weight matrix so that more sensitive regions are preserved less often. The paper states that Weighted TLDP ensures the LDP of tensor information and yields a tighter bound ϕ()\phi(\cdot)6 (Yuan et al., 25 Feb 2025).

The utility argument is expressed through expected error. Let ϕ()\phi(\cdot)7. Then

ϕ()\phi(\cdot)8

and

ϕ()\phi(\cdot)9

These are contrasted with injecting noise into every component, for which the paper reports v~=v+δv\tilde v = v+\delta_v0 for Laplace and v~=v+δv\tilde v = v+\delta_v1 for Gaussian. The stated theorem is that, compared to methods that inject noise into each component, LDP for tensors reduces the noise while guaranteeing the same privacy budget.

Empirically, TLDP is evaluated on raw testing tensors, private training features, and private SGD across MNIST, CIFAR-10, SVHN, IMDB, and DarkNet, using MobileNet, BiLSTM, and MLP models. Metrics are accuracy, weighted precision, weighted recall, and weighted F1-score. At v~=v+δv\tilde v = v+\delta_v2, TLDP significantly outperforms Laplace, Gaussian, MVG, and IDN on private testing data; on MNIST and SVHN, F1 reaches about 90% for small v~=v+δv\tilde v = v+\delta_v3, while CIFAR-10 stabilizes around 70%. In private training-feature experiments, MNIST reaches around 80%, whereas CIFAR-10 and SVHN often stabilize around 40%. In private SGD at v~=v+δv\tilde v = v+\delta_v4, TLDP reaches about 80% on IMDB while baselines plateau around 40%. Weighted TLDP slightly decreases accuracy while strengthening protection in sensitive regions.

7. Generalised magnetic polarizability tensors in security screening

A distinct, earlier meaning of security-relevant tensors arises in electromagnetic sensing. Generalised magnetic polarizability tensors (GMPTs) describe the low-frequency time-harmonic magnetic field perturbation produced by a small conducting or permeable inclusion in the eddy current regime of Maxwell’s equations. The setting considers a small inclusion v~=v+δv\tilde v = v+\delta_v5 with piecewise-constant material coefficients, and the key theorem gives a complete asymptotic expansion of v~=v+δv\tilde v = v+\delta_v6 as v~=v+δv\tilde v = v+\delta_v7 in the regime v~=v+δv\tilde v = v+\delta_v8, where v~=v+δv\tilde v = v+\delta_v9. The expansion couples higher derivatives of the Green kernel and higher derivatives of the background field to higher-rank tensor coefficients δv\delta_v0, with remainder estimate δv\delta_v1. The classical rank-2 magnetic polarizability tensor is recovered as the lowest-order case (Ledger et al., 2017).

The GMPT hierarchy encodes shape information, material properties through δv\delta_v2 and δv\delta_v3, frequency dependence through δv\delta_v4 and δv\delta_v5, topological effects via the geometry of δv\delta_v6, and higher-order coupling to background-field variation through derivatives δv\delta_v7. This matters because realistic detectors often operate in nonuniform fields: the paper explicitly mentions walk-through metal detectors and shallow subsurface sensing. Higher-order tensor coefficients can therefore improve identifiability and discrimination, including between objects that may look similar at rank-2 level due to symmetry. The stated applications are landmine and unexploded ordnance detection, recycling metal sorting, food safety inspection, airport screening, and screening at public events.

The theoretical regime is restricted: low-frequency eddy-current Maxwell equations, the small-object limit, smooth boundaries, observation points away from the inclusion, and constant object material properties. Within those assumptions, GMPTs serve as mathematically grounded tensor descriptors for concealed-object characterization. More broadly, their inclusion in this literature shows that “security tensors” can refer not only to machine-learning safety and privacy mechanisms but also to tensor-valued descriptors used directly in physical security and screening. This suggests that the phrase now spans several technically distinct domains: cross-modal safety transfer, selective protection of model state, confidential tensor computation, robustness-oriented tensorization, formal local privacy for tensor-valued data, and electromagnetic screening descriptors.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Security Tensors.