I am a Researcher at the School of Software Technology, Zhejiang University
. Before joining ZJU, I worked as a Senior Engineer at Huawei 2012 Lab
. I received my Ph.D. degree from the Department of Computer Science and Technology, Zhejiang University.
My research focuses on system security, intrusion detection, and cyber threat analysis, with an emphasis on building practical systems for real-time threat hunting, attack investigation, and provenance-based security analysis. I am also interested in how large language models can support automated penetration testing, attack planning, and the security analysis of LLM agents.
I work closely with Prof. Shouling Ji, Prof. Fan Zhang from Zhejiang University, and Prof. Yan Chen from Northwestern University.
Current research directions:
- Efficient and intelligent cyber attack hunting over large-scale system logs
- Automated penetration testing and attack planning
- Action-level security analysis for LLM agents
- Provenance-based intrusion detection and cyber attack investigation
I welcome collaborations on industry-oriented security research and real-world security systems. Prospective Master’s students are encouraged to contact me.
🔥 News
- 🎉 2026.06, 指导研究生获得浙江大学“陆氏研究生国际交流基金”资助,拟赴新加坡南洋理工大学交流3个月。
- 🧑💻 2026.06, Invited to serve as a TPC member for USENIX Security 2027.
- 📑 2026.06, Our paper “MINOS: A Multi-Agent Collaborative Framework for Backward Tracking” has been accepted to ESORICS’26.
- 👨🏻🏫 2026.06, 受邀在“电子学会-2026网络空间安全学术大会-网络空间威胁密态对抗与智能化防御论坛”做报告。
- 📑 2026.06, 论文《大语言模型驱动的多态攻击脚本生成与检测规避》(”Large Language Models Driven Polymorphic Attack Scripts Generation and Detection Evasion”)被《计算机学报》(Chinese Journal of Computers)录用。
- 🧑💻 2026.03, Invited to serve as a TPC member for RAID 2026.
- 📑 2026.03, Our paper “RAPiDLe: Enabling Real-time Anomaly Path Detection in Streaming Provenance Graph with Learned Behavior Baseline” has been accepted by SCIS.
- 🎉 2025.12, 获中国商业联合会科学技术进步奖一等奖(排名 5/15;First Prize of the Science and Technology Progress Award, China General Chamber of Commerce)——“AI 驱动的网络安全检测关键技术与产业化应用”(”Key Technologies and Industrial Applications of AI-Driven Cybersecurity Detection”)。
- 🎉 2025.12, 获北京市科学技术进步奖二等奖(排名 7/10;Second Prize of Beijing Municipal Science and Technology Progress Award)——“基于反隐身机制的高隐蔽网络威胁检测与溯源关键技术及应用”(”Key Technologies and Applications for Detection and Attribution of Highly Stealthy Cyber Threats Based on Anti-Stealth Mechanisms”)。
- 🏗️ 2025.11, 获宁波市自然科学基金青年博士创新研究项目资助,担任项目负责人(PI;Natural Science Foundation of Ningbo, Youth Ph.D. Program)。
- 📑 2025.11, Our paper “Breaking the Bulkhead: Demystifying Cross-Namespace Reference Vulnerabilities in Kubernetes Operators” has been accepted to NDSS’26.
- 📑 2025.10, Our paper “Towards Scalable and Interpretable Mobile App Risk Analysis via Large Language Models” has been accepted to ICSE’26.
- 🏗️ 2025.07, 获CCF-腾讯“犀牛鸟”科研基金资助,担任项目负责人(PI;CCF-Tencent “Rhino-Bird” Open Research Fund)。
- 📑 2025.04, Our paper “PentestAgent: Incorporating LLM Agents to Automated Penetration Testing” has been accepted to AsiaCCS’25.
- 🎉 2024.09, 入选宁波市“甬江”人才工程青年项目(Ningbo “YongJiang” Talent Programme, Youth Program)。
- 🏗️ 2024.08, 获国家自然科学基金青年科学基金项目资助,担任项目负责人(PI;National Natural Science Foundation of China, Youth Program)。
- 📑 2024.08, Our paper “Incorporating Gradients to Rules: Towards Lightweight, Adaptive Provenance-based Intrusion Detection” has been accepted to NDSS’25.
🛠️ Projects
- Automated Penetration Testing — LLM-agent-based penetration testing and exploit assessment for realistic security evaluation.
- Aurora: Automated Cyberattack Emulation — cyberattack emulation with classical planning and large language models.
- Marlin: Streaming Provenance Graph Analysis — real-time attack detection and investigation over streaming provenance graphs.
📝 Selected Publications
Full publication list: Google Scholar (* Equal contribution, # Corresponding author)
[预印本(arXiv / Preprints)]
[A4] “Beyond Input Guardrails: Reconstructing Cross-Agent Semantic Flows for Execution-Aware Attack Detection”
arXiv, 2026 · 预印本(Preprint)
Yangyang Wei, Yijie Xu, Zhenyuan Li, Xiangmin Shen, Shouling Ji
[A3] “Automated Penetration Testing with LLM Agents and Classical Planning”
arXiv, 2025 · 预印本(Preprint)
Lingzhi Wang, Xinyi Shi, Ziyu Li, Yi Jiang, Shiyu Tan, Yuhao Jiang, Junjie Cheng, Wenyuan Chen, Xiangmin Shen, Zhenyuan Li, Yan Chen
[A2] “AEAS: Actionable Exploit Assessment System”
arXiv, 2025 · 预印本(Preprint)
Xiangmin Shen, Wenyuan Cheng, Yan Chen, Zhenyuan Li, Yuqiao Gu, Lingzhi Wang, Wencheng Zhao, Dawei Sun, Jiashui Wang

[A1] “Marlin: Knowledge-Driven Analysis of Provenance Graphs for Efficient and Robust Detection of Cyber Attacks”
arXiv, 2024 · 预印本(Preprint)
Zhenyuan Li, Yangyang Wei, Xiangmin Shen, Lingzhi Wang, Yan Chen, Haitao Xu, Shouling Ji, Fan Zhang, Liang Hou, Wenmao Liu, Xuhong Zhang, Jianwei Ying
- Marlin formulates real-time attack detection in streaming logs as a streaming graph alignment problem. It uses query graphs to identify security-critical elements in provenance graphs and integrates the analysis into a tag-propagation framework, enabling one-pass event processing with improved efficiency and robustness against evasion.
[会议论文(Conference Papers)]
[C11] “MINOS: A Multi-Agent Collaborative Framework for Backward Tracking”
European Symposium on Research in Computer Security (ESORICS), 2026 · CCF-B 会议(网络与信息安全)
Jiahui Wang*, Zhenyuan Li*#, Zhengkai Wang, Xiangmin Shen, Fan Zhang
[C10] “Actionable, Customizable, and Causality-Preserving Cyberattack Emulation with LLM-powered Symbolic Planning”
International Conference on Applied Cryptography and Network Security (ACNS), 2026 · CCF-C 会议(网络与信息安全)
Lingzhi Wang, Zhenyuan Li, Yi Jiang, Zhengkai Wang, Xiangmin Shen, Wei Ruan, Yan Chen
[C9] “Towards Scalable and Interpretable Mobile App Risk Analysis via Large Language Models”
IEEE/ACM International Conference on Software Engineering (ICSE), 2026 · CCF-A 会议(软件工程/系统软件/程序设计语言)
Yu Yang*, Zhenyuan Li*#, Xiandong Ran, Jiahao Liu, Jiahui Wang, Bo Yu, Shouling Ji
[C8] “Breaking the Bulkhead: Demystifying Cross-Namespace Reference Vulnerabilities in Kubernetes Operators”
Network and Distributed System Security Symposium (NDSS), 2026 · CCF-A 会议(网络与信息安全)
Andong Chen, Ziyi Guo, Zhaoxuan Jin, Zhenyuan Li#, Yan Chen
[C7] “The Case for Learned Provenance-based System Behavior Baseline”
International Conference on Machine Learning (ICML), 2025 · CCF-A 会议(人工智能)
Yao Zhu*, Zhenyuan Li*#, Yangyang Wei, Shouling Ji
[C6] “PentestAgent: Incorporating LLM Agents to Automated Penetration Testing”
ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2025 · CCF-C 会议(网络与信息安全)
Xiangmin Shen, Lingzhi Wang, Zhenyuan Li, Yan Chen, Wencheng Zhao, Dawei Sun, Jiashui Wang, Wei Ruan
[C5] “Incorporating Gradients to Rules: Towards Lightweight, Adaptive Provenance-based Intrusion Detection”
Network and Distributed System Security Symposium (NDSS), 2025 · CCF-A 会议(网络与信息安全)
Lingzhi Wang, Xiangmin Shen, Weijian Li, Zhenyuan Li#, R Sekar, Han Liu, Yan Chen
[C4] “Understanding the Business of Online Affiliate Marketing: An Empirical Study”
IEEE International Conference on Computer Communications (INFOCOM), 2025 · CCF-A 会议(计算机网络)
Haitao Xu, Yiwen Sun, Kaleem Ullah Qasim, Shuai Hao, Wenrui Ma, Zhenyuan Li, Fan Zhang, Meng Han, Zhao Li
[C3] “Decoding the MITRE Engenuity ATT&CK Enterprise Evaluation: An Analysis of EDR Performance in Real-World Environments”
ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2024 · CCF-C 会议(网络与信息安全)
Xiangmin Shen, Zhenyuan Li, Graham Burleigh, Lingzhi Wang, Yan Chen
[C2] “AttacKG: Constructing Technique Knowledge Graph from Cyber Threat Intelligence Reports”
European Symposium on Research in Computer Security (ESORICS), 2022 · CCF-B 会议(网络与信息安全)
Zhenyuan Li, Jun Zeng, Yan Chen, Zhenkai Liang

[C1] “Effective and Light-Weight Deobfuscation and Semantic-Aware Attack Detection for PowerShell Scripts”
ACM SIGSAC Conference on Computer and Communications Security (CCS), 2019 · CCF-A 会议(网络与信息安全)
Zhenyuan Li, Qi Alfred Chen, Chunlin Xiong, Yan Chen, Tiantian Zhu, Hai Yang
- This work presents an effective and lightweight deobfuscation approach for PowerShell scripts and has been adopted in the product of a startup security company
.
[期刊论文(Journal Papers)]
[J9] “大语言模型驱动的多态攻击脚本生成与检测规避”(”Large Language Models Driven Polymorphic Attack Scripts Generation and Detection Evasion”)
《计算机学报》(Chinese Journal of Computers, CJC) · CCF-T1
Yuqiao Gu, Yu Yang, Zhenyuan Li, Fan Zhang, Yaokun Li, Qizhi Cai, Shouling Ji
[J8] “RAPiDLe: Enabling Real-time Anomaly Path Detection in Streaming Provenance Graph with Learned Behavior Baseline”
Science China Information Sciences (SCIS), 2026 · CCF-A 期刊(交叉/综合/新兴领域)
Zhenyuan Li#, Yangyang Wei, Lingzhi Wang, Xiangmin Shen, Yao Zhu, Haitao Xu, Wenmao Liu, Yan Chen, Shouling Ji
[J7] “Incorporating Gradients to Rules: Towards Online, Adaptive Provenance-based Intrusion Detection”
IEEE Transactions on Dependable and Secure Computing (TDSC), 2026 · CCF-A 期刊(网络与信息安全)
Zhenyuan Li#, Lingzhi Wang, Zhengkai Wang, Xiangmin Shen, Haitao Xu, Yan Chen, Shouling Ji
[J6] “大语言模型驱动的攻击过程分析、描述与复现方法”(”Analysis, Description, and Reproduction Methods for Attack Processes Driven by Large Language Models”)
《微电子学与计算机》(Microelectronics & Computer) · CCF-T3
Jin Qian, Shiyu Tan, Libin Xu, Jun Luo, Zhenyuan Li#

[J5] “基于溯源的入侵检测学习方法综述”(”Learning in Provenance-Based Intrusion Detection: A Survey”)
《计算机学报》(Chinese Journal of Computers, CJC) · CCF-T1
Zhenyuan Li, Yangyang Wei, Zhengkai Wang, Shouling Ji
- The ability of machine learning models to discover and represent features offers new insights and solutions for accurately and efficiently extracting attack patterns, thereby improving the precision of provenance-based detection. Moreover, advances in efficient data compression and indexing enable faster analysis and significantly reduce computational overhead.
[J4] “移动间谍软件及其检测技术综述”(”Mobile Spyware and Its Detection: A Survey”)
《信息安全学报》(Journal of Cyber Security, JCS) · CCF-T2
Yi Jiang, Zhenyuan Li#, Fan Zhang, Yixin Jiang, Wenqian Xu, Zhihong Liang
[J3] “AutoSeg: Automatic Micro-segmentation Policy Generation via Configuration Analysis”
Computers & Security (COSE), 2025 · CCF-B 期刊(网络与信息安全)
Andong Chen, Zhaoxuan Jin, Zhenyuan Li#, Yan Chen, Yu Ning, Ying Wang
[J2] “RATScope: Recording and Reconstructing Missing RAT Semantic Behaviors for Forensic Analysis on Windows”
IEEE Transactions on Dependable and Secure Computing (TDSC), 2022 · CCF-A 期刊(网络与信息安全)
Runqing Yang, Xutong Chen, Haitao Xu, Yueqiang Chen, Chunlin Xiong, Linqi Ruan, Mohammad Kavousl, Zhenyuan Li, Liheng Xu, Yan Chen
[J1] “Threat Detection and Investigation with System-level Provenance Graphs: A Survey”
Computers & Security (COSE), 2021 · CCF-B 期刊(网络与信息安全)
Zhenyuan Li, Qi Alfred Chen, Yang Runqing, Yan Chen
[海报与研讨会论文(Posters / Workshop Papers)]
[W2] “Work In Progress: The Case for LLM-Enhanced Backward Tracking”
Workshop on Attack Provenance, Reasoning, and Investigation for Security in the Monitored Environment (PRISM), 2026 ·
Jiahui Wang, Xiangmin Shen, Zhengkai Wang, Zhenyuan Li#
[W1] “Work In Progress: Building Next-Generation Datasets for Provenance-Based Intrusion Detection”
Workshop on Attack Provenance, Reasoning, and Investigation for Security in the Monitored Environment (PRISM), 2026 ·
Qizhi Cai, Lingzhi Wang, Yao Zhu, Zhipeng Chen, Xiangmin Shen, Zhenyuan Li#
[P4] “Poster: Abstracting and Tracking Semantic Flow among Agents for Threat Detection”
Network and Distributed System Security Symposium (NDSS), 2026 ·
YangYang Wei, Xiangmin Shen, Yijie Xu, Zhenyuan Li
[P3] “Poster: Reconstructing the Provenance of Android”
Network and Distributed System Security Symposium (NDSS), 2026 ·
Mingxiang Shi, Xiangmin Shen, Yuqiao Gu, Zhipeng Chen, Lingzhi Wang, Yi Jiang, Zhenyuan Li
[P2] “Poster: Towards automated and large-scale cyber attack reconstruction with apt reports”
Network and Distributed System Security Symposium (NDSS), 2022 ·
Zhenyuan Li, Ahmad Soltani, Anis Yusof, Aris Cahyadi Risdianto, Kang Huang, Jun Zeng, Zhenkai Liang, Yan Chen
[P1] “A First Look at Evasion against Provenance Graph-based Threat Detection”
Annual Computer Security Applications Conference (ACSAC), 2021 ·
Zhenyuan Li, Runqing Yang, Qi Alfred Chen, Yan Chen
📑 Selected Patents
- 综合数据采集(Comprehensive Data Collection)
- (专利申请;Patent Application Filed)基于 eBPF 的 Android 系统细粒度溯源数据采集方法与装置(Fine-Grained Provenance Data Collection Method and Apparatus for Android Systems Based on eBPF)
- (授权专利;Patent Granted)基于多层数据融合的云平台细粒度溯源数据采集方法与系统(Fine-Grained Provenance Data Collection Method and System for Cloud Platforms Based on Multi-Layer Data Fusion)
- 高效威胁狩猎(Efficient Threat Hunting)
- (授权专利;Patent Granted)基于标签传播与事件基线学习的实时攻击链检测方法与系统(Real-Time Attack Chain Detection Method and System Based on Label Propagation and Event Baseline Learning)
- (授权专利;Patent Granted)基于标注与图对齐的流式溯源图实时攻击检测方法与系统(Real-Time Attack Detection Method and System for Streaming Provenance Graphs Based on Labeling and Graph Alignment)
- (专利申请;Patent Application Filed)基于大模型的可疑事件前后向追踪与攻击路径重构方法及系统(Suspicious Event Forward-Backward Tracing and Attack Path Reconstruction Method and System Based on Large Models)
- (专利申请;Patent Application Filed)基于大模型多智能体决策树的应用风险评估方法与装置(Application Risk Assessment Method and Apparatus Based on Large Model Multi-Agent Decision Trees)
- 智能规则优化(Intelligent Rule Optimization)
- (授权专利;Patent Granted)基于迭代预测-校正的流式溯源图异常检测方法与系统(Anomaly Detection Method and System for Streaming Provenance Graphs Based on Iterative Prediction-Correction)
- (授权专利;Patent Granted)基于特征反向传播的攻击检测策略优化方法与系统(Attack Detection Policy Optimization Method and System Based on Feature Backpropagation)
- 自动化攻击规划(Automated Attack Planning)
- (专利申请;Patent Application Filed)一种端到端网络攻击构造方法(An End-to-End Network Attack Construction Method)
- (专利申请;Patent Application Filed)基于大语言模型与攻击树模型的多阶段自动化渗透测试计划生成方法与系统(Multi-Stage Automated Penetration Testing Plan Generation Method and System Based on Large Language Models and Attack Tree Models)
💫 Selected Fundings
- 国家自然科学基金青年科学基金项目(National Natural Science Foundation of China, Youth Program),大规模实时攻击检测与溯源方法及关键技术研究(Research on Methods and Key Technologies for Large-Scale Real-Time Attack Detection and Attribution),2024/01-2026/12,在研,项目负责人(PI)
- 国家重点研发计划“网络空间安全治理”重点专项(National Key R&D Program of China – “Cyberspace Security Governance” Special Project),面向终端的高隐蔽传播型网络滋扰行为识别、取证与溯源(Terminal-Oriented Identification, Forensics, and Attribution of Highly Stealthy Propagation-Based Cyber Nuisances),在研,子课题负责人(Sub-Task Leader)
- 浙江省“领雁”研发攻关计划(Zhejiang Provincial Key R&D Program, “Leading Goose”),******,2025/01-2025/12,在研,项目负责人(PI)
- 宁波市“甬江”青年创新人才项目(Ningbo “Yongjiang” Young Innovative Talents Project),******,2025/01-2027/12,在研,项目负责人(PI)
- 宁波市自然科学基金青年博士创新研究项目(Natural Science Foundation of Ningbo – Young Doctoral Innovation Research Project),关键基础设施中新兴异构系统的行为治理与安全防护(Behavior Governance and Security Protection for Emerging Heterogeneous Systems in Critical Infrastructure),2026/01-2027/12,在研,项目负责人(PI)
- CCF-腾讯“犀牛鸟”科研基金(CCF-Tencent “Rhino Bird” Research Fund),面向对抗场景的高效智能溯源分析与威胁狩猎(Efficient, Intelligent, and Adversary-Aware Attribution Analysis and Threat Hunting),2026/01-2026/12,在研,项目负责人(PI)
- 浙江省“领雁”研发攻关计划(Zhejiang Provincial Key R&D Program, “Leading Goose”),******,2024/01-2024/12,已结题,任务负责人(Task Leader)
- CF-绿盟“鲲鹏”科研基金(CF-NSFOCUS “Kunpeng” Research Fund),云计算环境下基于流式处理的大规模溯源分析(Large-Scale Attribution Analysis Based on Stream Processing in Cloud Computing Environments),2024/01-2024/12,已结题,项目负责人(PI)
- 国家自然科学基金联合基金项目(Joint Fund of the National Natural Science Foundation of China),APT 网络杀伤链智能检测与溯源方法及关键技术(Intelligent Detection and Attribution Methods and Key Technologies for APT Cyber Kill Chains),2021/01-2023/12,已结题,核心技术成员(Core Technical Member)
📝 Teaching
- Intelligent Software Quality Assurance (Autumn 2024; Autumn 2025)
🎓 Students
- Undergraduate: Chun Xu (UESTC), Xingchen Lin (Sichuan University)
- 2026: Junjie Cheng, Yijie Xu (PRISM’26 1st Author)
- 2025: Shiyu Tan (1 * Patent, 1 * Competition Award), Yaokun Li, Qizhi Cai (NDSS’26 Poster 1st Author), Haocheng Li, Zhipeng Chen
- 2024: Yuqiao Gu (Ph.D. student, NDSS’26 Poster 1st Author, 1 * Patent, 1 * Competition Award), Zhenkai Wang (TDSC Co-1st Author, ACNS 4th Author, Chinese Journal of Computers 3rd Author, 1 * Competition Award), Yi Jiang (Journal of Cybersecurity (Chinese) 1st Author, ACNS 3rd Author, 1 * Competition Award)
— Alumni —
- 2023: Jiahui Wang -> Tencent, Mingxiang Shi -> CICO, Yangyang Wei -> Huawei, Yu Yang -> ***, Yao Zhu -> GF Securities
🎖 Honors and Awards
- 2025.12, 中国商业联合会科学技术进步奖一等奖(排名 5/15;First Prize of Science and Technology Progress Award, China General Chamber of Commerce)
- 2025.09, 北京市科学技术进步奖二等奖(排名 7/10;Second Prize of Beijing Municipal Science and Technology Progress Award)
- 2025.05, 软件创新大赛软件系统安全赛道全国二等奖及优秀指导教师奖(National Second Prize and Outstanding Faculty Advisor Award in the Software Innovation Competition, Software System Security Track)
- 2025.03, 软件学院科研贡献奖(Research Contribution Award, School of Software Technology)
- 2024.09, 宁波市“甬江”人才工程青年项目(Ningbo “YongJiang” Talent Programme, Youth Program)
- 2023.03, 华为“明日之星”奖(Huawei “Star of Tomorrow” Award)
- 2021.02, 之江实验室青年国际人才基金(Zhejiang Lab’s International Talent Fund for Young Professionals)
- 2020.12, 浙江大学学术新星(Zhejiang University’s Academic Rising Star)
- 2020.10, 国家留学基金委联合培养博士项目(新加坡国立大学)(China Scholarship Council Joint Ph.D. Program, NUS)
- 2017.05, 西安电子科技大学优秀毕业生(前 1%;Outstanding Graduate of Xidian University)
- 2015.11, 国家奖学金(本科,前 1%;National Scholarship)
💬 Invited Talks
- 2020.10, InForSec Cyber Security Academic Papers Sharing (Co-located with Beijing Cyber Security Conference) | [video]
- 2019.11, Effective and Light-Weight Deobfuscation and Semantic-Aware Attack Detection for PowerShell Scripts, CCS’19, London
🛎️ Academic Service
- TPC Member: USENIX Security (2027), RAID (2026), IEEE GlobeCom CISS (2026, 2025)
- Editorial Board Member: Digital Twins and Applications (2025-2027)
- Reviewer: CSUR (2026), TIFS (2026, 2025), TDSC (2026, 2025, 2024), TIST (2026), TBD (2025) EMSE (2025), TOSEM (2024), Computer & Security (2024), CAAI-TIT (2025), TII (2025), Chinese Journal of Computers (2025, 2024), Journal of Cybersecurity (Chinese) (2024), Computer Science (2024)
- Subreviewer/External reviewer: IEEE S&P (2025, 2024), NDSS (2026, 2022), AsiaCCS (2021), CCS (2019, 2018), ICDC (2019), ESORICS (2019)
📖 Education
- 2017.09 - 2022.06, Ph.D. in Cyber Security, Zhejiang University, Advised by Prof. Yan Chen.
- 2021.05 - 2022.04, Visiting Ph.D. Student, National University of Singapore, Advised by Prof. Zhenkai Liang.
- 2015.09 - 2019.06, B.S. in Information Security, Xidian University.
- 2010.09 - 2013.06, Zhenhai Middle School, Ningbo.
💻 Work Experience
- 2023.07 - present, School of Software Technology, Zhejiang University, Ningbo/Hangzhou, China.
- 2022.07 - 2023.07, Huawei, 2012 Lab, Hangzhou, China.