The 38th Annual Computer Security Applications Conference | ACSAC '22

During my presentation

Abstract

The security of Autonomous Driving (AD) systems has recently been gaining the attention of researchers and the public. Given that AD companies have invested a huge amount of resources in developing their AD models, e.g., localization models, these models, especially their parameters, are important intellectual property and deserve strong protection.
In this work, we examine whether the confidentiality of production-grade Multi-Sensor Fusion (MSF) models, in particular the Error-State Kalman Filter (ESKF), can be compromised by an outside adversary. We propose a new model extraction attack called TaskMaster that can infer the secret ESKF parameters under a black-box assumption. In essence, TaskMaster trains a substitute ESKF model to recover the parameters by observing the inputs and outputs of the targeted AD system. To precisely recover the parameters, we combine a set of techniques, such as gradient-based optimization, search-space reduction and multi-stage optimization. The evaluation results on a real-world vehicle sensor dataset show that TaskMaster is practical. For example, with 25 seconds of AD sensor data for training, the substitute ESKF model reaches centimeter-level accuracy compared with the ground-truth model.

Date
Dec 5, 2022
Location
AT&T Hotel and Conference Center
1900 University Ave, Austin, TX 78705
Qifan Zhang
Senior Staff Researcher

Dr. Qifan Zhang (张起帆) is now a Senior Staff Researcher at Palo Alto Networks. His research focuses on safeguarding critical internet infrastructure and addressing emerging threats in networked systems. His work centers on Network Security, with deep expertise in the Domain Name System (DNS), the backbone of internet communication. By combining protocol analysis, fuzzing techniques, and formal methods, he designs automated tools to uncover high-risk vulnerabilities in DNS implementations and standards.

One of his flagship projects, ResolverFuzz, is a novel testing framework that exposed critical flaws in widely deployed DNS resolvers, including protocol-level security gaps (e.g., cache poisoning) and implementation errors (e.g., memory corruption). These discoveries have directly strengthened cybersecurity practices for the industry, open-source communities, and public infrastructure providers, earning recognition from organizations like CERT/CC and CVE.

Beyond DNS, he also explores the intersection of AI and Security, investigating risks in real-world machine learning deployments. His research, published in ACSAC 2022, demonstrated the first practical model extraction attacks against autonomous vehicle (AV) systems, using gradient-descent-based methods to reverse-engineer proprietary AI models. This work underscores the urgent need for robust defenses in safety-critical AI applications.

Prior to Palo Alto Networks, he earned his Ph.D. in Computer Engineering from the University of California, Irvine in 2025, advised by Prof. Zhou Li, and his B.Eng. in Computer Science and Technology from ShanghaiTech University in 2020, complemented by a summer session at the University of California, Berkeley in 2017.

Pronunciation of his name: Chee-Fan Jang.
His Curriculum Vitae (last updated on March 14, 2025)