We introduce PACZero, a suite of PAC-private zeroth-order mechanisms for fine-tuning large language models that delivers usable utility at I(S*; Y_1:T) = 0, i.e. membership-inference resistance comparable to what differential privacy attains only at extreme noise levels. The key idea is to sign-quantize subset-aggregated zeroth-order gradients so that unanimity (all candidate subsets agreeing on the update direction) occurs frequently; a unanimous step incurs zero conditional mutual-information cost, because its output does not depend on which subset was drawn. Two variants span the privacy-utility spectrum: PACZero-MI (budgeted mutual information) and PACZero-ZPL (zero mutual information through randomized disagreement handling). Experiments on SST-2 and SQuAD with OPT models demonstrate competitive performance in high-privacy regimes where prior methods struggle.
@article{ertan2026paczero,author={Ertan, Murat Bilgehan and Zhu, Xiaochen and Nguyen, Phuong Ha and {van Dijk}, Marten and Devadas, Srinivas},title={{PACZero}: {PAC}-Private Fine-Tuning of Language Models via Sign Quantization},journal={CoRR},volume={abs/2605.06505},year={2026},doi={10.48550/ARXIV.2605.06505}}
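The unanimity mechanism in the abstract, as an added toy illustration (not the paper's code): each candidate subset gives a two-point zeroth-order derivative along a random direction, the derivative is sign-quantized, and the step is emitted for free only when every subset produces the same bit. The two disagreement policies (majority vote that charges an MI budget, versus a fair coin flip that is independent of the data) are this example's reading of the PACZero-MI and PACZero-ZPL descriptions; the linear model, the subsets and the function names are constructed for the example.

```python
import random

# Constructed toy data, y ~ 2x + 1. Each "candidate subset" stands in for one of
# the data subsets the aggregator could have drawn; the emitted update must not
# reveal which one was actually used.
SUBSET_A = [(1.0, 3.0), (2.0, 5.0), (3.0, 7.0)]
SUBSET_B = [(1.0, 3.0), (2.0, 5.0), (4.0, 9.0)]
SUBSET_C = [(-2.0, -3.0), (-3.0, -5.0)]  # pulls theta[1] the other way


def loss(theta, data):
    """Mean squared error of the linear model y = theta[0]*x + theta[1]."""
    return sum((theta[0] * x + theta[1] - y) ** 2 for x, y in data) / len(data)


def zo_directional_derivative(theta, data, u, eps=1e-3):
    """Two-point zeroth-order estimate of the loss derivative along u.

    Only two loss evaluations are needed; no backpropagation through the model.
    """
    plus = [t + eps * ui for t, ui in zip(theta, u)]
    minus = [t - eps * ui for t, ui in zip(theta, u)]
    return (loss(plus, data) - loss(minus, data)) / (2 * eps)


def sign(x):
    return 1 if x >= 0 else -1


def paczero_step(theta, candidate_subsets, u, mode, rng=None, lr=0.01, eps=1e-3):
    """One sign-quantized zeroth-order update (hypothetical helper).

    Returns (new_theta, emitted_sign, unanimous, mi_charged).
    mode == "mi":  on disagreement emit the majority sign and charge one unit of
                   mutual-information budget, since the emitted bit now depends
                   on which subset was used.
    mode == "zpl": on disagreement emit a fair coin flip; the emitted bit is then
                   independent of the data, so the step costs zero MI.
    """
    if rng is None:
        rng = random.Random(0)
    signs = [sign(zo_directional_derivative(theta, s, u, eps)) for s in candidate_subsets]
    unanimous = all(s == signs[0] for s in signs)
    mi_charged = 0
    if unanimous:
        emitted = signs[0]  # every candidate subset yields the same bit: free
    elif mode == "mi":
        emitted = 1 if sum(signs) >= 0 else -1
        mi_charged = 1
    elif mode == "zpl":
        emitted = rng.choice((-1, 1))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    new_theta = [t - lr * emitted * ui for t, ui in zip(theta, u)]
    return new_theta, emitted, unanimous, mi_charged


if __name__ == "__main__":
    theta = [0.0, 0.0]
    # Direction e_0: every subset agrees the slope must grow, so the bit is free.
    print(paczero_step(theta, [SUBSET_A, SUBSET_B], [1.0, 0.0], "mi"))
    # Direction e_1: SUBSET_C disagrees, so "mi" charges budget and "zpl" flips a coin.
    print(paczero_step(theta, [SUBSET_A, SUBSET_B, SUBSET_C], [0.0, 1.0], "mi"))
    print(paczero_step(theta, [SUBSET_A, SUBSET_C], [0.0, 1.0], "zpl"))
```

The point to check in practice is the unanimity rate: the more often every candidate subset agrees, the more steps are emitted at zero cost, and sign quantization is what makes agreement likely, since two subsets only need to share the sign of a directional derivative, not its magnitude.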
Preprint
Trade-off Functions for DP-SGD with Subsampling based on Random Shuffling: Tight Upper and Lower Bounds
We derive a tight analysis of the trade-off function for DP-SGD with subsampling based on random shuffling within the f-DP framework, in the regime where the noise multiplier sigma >= sqrt(3/ln M), with M the number of rounds in a single epoch. Unlike prior f-DP analyses for Poisson subsampling that yield implicit formulas, the random shuffling approach produces transparent and interpretable closed-form bounds. Using the Berry-Esseen theorem, we obtain bounds that are tight up to constant factors. For a single epoch (E = 1) with delta = 1/100 and sigma = 1, we achieve a trade-off function >= 1 - a - delta with approximately M ≈ 1.14 × 10^6 rounds and N ≈ 1.14 × 10^7 training samples. We introduce a new proof technique based on a generalization of the law of large numbers: when E = c_M^2 M with c_M -> 0, the composed trade-off function approaches 1 - a uniformly, with delta having only O(sqrt(E)) dependency. We compare these results to the asymptotic behavior of Poisson subsampling and leave the characterization of explicit convergence rates as an open question.
@article{vandijk2026tradeoff,author={{van Dijk}, Marten and Ertan, Murat Bilgehan},title={Trade-off Functions for {DP-SGD} with Subsampling based on Random Shuffling: Tight Upper and Lower Bounds},journal={CoRR},volume={abs/2605.06259},year={2026},doi={10.48550/ARXIV.2605.06259}}
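To read the abstract's "trade-off function >= 1 - a - delta" concretely, here is an added example (not the paper's code) of the standard f-DP machinery for the Gaussian mechanism: the trade-off function G_mu, its composition rule, the (eps, delta) profile, and the gap delta between a mechanism and the perfect-privacy line f(a) = 1 - a. The shuffling-specific bound of the paper is not reproduced; the Gaussian curve is the standard reference (Dong, Roth and Su, f-DP), and all function names are this example's own.

```python
import math


def phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def phi_inv(p, lo=-40.0, hi=40.0):
    """Inverse standard normal CDF by bisection; ample precision for this use."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if phi(mid) < p:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def gaussian_tradeoff(mu, alpha):
    """G_mu(alpha) = Phi(Phi^{-1}(1 - alpha) - mu): the smallest type II error an
    adversary can reach at type I error alpha when telling N(0,1) from N(mu,1).
    mu = 0 gives the perfect-privacy line 1 - alpha."""
    if alpha <= 0.0:
        return 1.0
    if alpha >= 1.0:
        return 0.0
    return phi(phi_inv(1.0 - alpha) - mu)


def compose_gaussian(mus):
    """Composition of Gaussian trade-off functions is Gaussian with
    mu = sqrt(sum mu_i^2); T identical rounds of mu-GDP give sqrt(T) * mu."""
    return math.sqrt(sum(m * m for m in mus))


def delta_for_line(mu, grid=2000):
    """Smallest delta with G_mu(alpha) >= 1 - alpha - delta on [0, 1]: the
    worst-case vertical gap to the perfect-privacy line, found on a grid."""
    worst = 0.0
    for i in range(grid + 1):
        a = i / grid
        worst = max(worst, (1.0 - a) - gaussian_tradeoff(mu, a))
    return worst


def mu_for_delta(delta):
    """Largest mu whose curve stays above 1 - alpha - delta.
    The gap of G_mu peaks at 2*Phi(mu/2) - 1, so invert that."""
    return 2.0 * phi_inv((1.0 + delta) / 2.0)


def dp_delta(mu, eps):
    """(eps, delta)-DP profile of mu-GDP; at eps = 0 this equals the gap above."""
    return phi(-eps / mu + mu / 2.0) - math.exp(eps) * phi(-eps / mu - mu / 2.0)


if __name__ == "__main__":
    # Worked numbers: delta = 1/100 as in the abstract needs a very small
    # composed mu, which is why the per-round privacy must be near-perfect and
    # the number of rounds M correspondingly large.
    mu = mu_for_delta(0.01)
    print(f"mu for delta=0.01: {mu:.4f}")
    print(f"gap check: {delta_for_line(mu):.4f}")
    print(f"(0, delta) from GDP profile: {dp_delta(mu, 0.0):.4f}")
    print(f"composition: {compose_gaussian([3.0, 4.0])}")
```

The correspondence delta_for_line(mu) == dp_delta(mu, 0) is the f-DP statement that f(a) >= 1 - a - delta is exactly (0, delta)-DP; the abstract's claim that the composed trade-off function approaches 1 - a uniformly is the statement that this gap vanishes as the number of epochs grows slowly relative to M.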
Preprint
Fundamental Limitations of Favorable Privacy-Utility Guarantees for DP-SGD
This work establishes fundamental limitations on the privacy-utility guarantees that DP-SGD can offer, giving a theoretical analysis of the trade-offs inherent in differentially private stochastic gradient descent.
@article{ertan2026fundamental,author={Ertan, Murat Bilgehan and {van Dijk}, Marten},title={Fundamental Limitations of Favorable Privacy-Utility Guarantees for {DP-SGD}},journal={CoRR},volume={abs/2601.10237},year={2026},doi={10.48550/ARXIV.2601.10237},note={Accepted at ACM CCS 2026}}
Preprint
On the Evidentiary Limits of Membership Inference for Copyright Auditing
Murat Bilgehan Ertan, Emirhan Böge, Min Chen, Kaleel Mahmood, and Marten van Dijk
This work examines the evidentiary limits of membership inference attacks for copyright auditing, questioning their reliability as evidence of unauthorized training data usage.
@article{ertan2026evidentiary,author={Ertan, Murat Bilgehan and B\"{o}ge, Emirhan and Chen, Min and Mahmood, Kaleel and {van Dijk}, Marten},title={On the Evidentiary Limits of Membership Inference for Copyright Auditing},journal={CoRR},volume={abs/2601.12937},year={2026},doi={10.48550/ARXIV.2601.12937}}
ACM IWSPA
TOSSS: a CVE-based Software Security Benchmark for Large Language Models
Marc Damie, Murat Bilgehan Ertan, Domenico Essoussi, Angela Makhanu, Gaëtan Peter, and Roos Wensveen
In Proceedings of the 12th ACM International Workshop on Security and Privacy Analytics (IWSPA ’26), 2026
TOSSS is a CVE-based software security benchmark designed to evaluate the capabilities of large language models in identifying and reasoning about software vulnerabilities.
@inproceedings{damie2026tosss,author={Damie, Marc and Ertan, Murat Bilgehan and Essoussi, Domenico and Makhanu, Angela and Peter, Ga\"{e}tan and Wensveen, Roos},title={{TOSSS}: a {CVE}-based Software Security Benchmark for Large Language Models},booktitle={Proceedings of the 12th ACM International Workshop on Security and Privacy Analytics (IWSPA '26)},pages={111--117},year={2026},publisher={Association for Computing Machinery},doi={10.1145/3806007.3810968}}
2025
Master’s Thesis
Beyond Anonymization: Object Scrubbing for Privacy-Preserving 2D and 3D Vision Tasks
Murat Bilgehan Ertan, Ronak Sahu, Phuong Ha Nguyen, Kaleel Mahmood, and Marten van Dijk
We introduce ROAR (Robust Object Removal and Re-annotation), a scalable framework for privacy-preserving dataset obfuscation that removes sensitive objects instead of modifying them. Designed for practical deployment, our method integrates instance segmentation with generative inpainting to eliminate identifiable entities while preserving scene integrity. Extensive evaluations on 2D COCO-based object detection show that ROAR achieves 87.5% of baseline average precision (AP), whereas image dropping achieves only 74.2%, highlighting the advantage of scrubbing in preserving dataset utility. In NeRF-based 3D reconstruction, our method incurs a PSNR loss of at most 1.66 dB while maintaining SSIM and improving LPIPS, demonstrating superior perceptual quality.
@article{ertan2025beyond,author={Ertan, Murat Bilgehan and Sahu, Ronak and Nguyen, Phuong Ha and Mahmood, Kaleel and {van Dijk}, Marten},title={Beyond Anonymization: Object Scrubbing for Privacy-Preserving 2D and 3D Vision Tasks},journal={CoRR},volume={abs/2504.16557},year={2025},doi={10.48550/ARXIV.2504.16557}}
xAI
A Biologically Inspired Filter Significance Assessment Method for Model Explanation
Emirhan Böge, Yasemin Gunindi, Murat Bilgehan Ertan, Erchan Aptoula, Nihan Alp, and Huseyin Ozkan
The interpretability of deep learning models remains a significant challenge, particularly in convolutional neural networks (CNNs) where understanding the contributions of individual filters is crucial for explainability. In this work, we propose a biologically inspired filter significance assessment method based on Steady-State Visually Evoked Potentials (SSVEPs), a well-established neuroscience principle. Our approach leverages frequency tagging techniques to quantify the importance of convolutional filters by analyzing their frequency-locked responses to periodic contrast modulations in input images. By blending SSVEP-based filter selection into Class Activation Mapping (CAM) frameworks such as Grad-CAM, Grad-CAM++, EigenCAM, and LayerCAM, we enhance model interpretability while reducing attribution noise.
@inproceedings{boge2025biologically,author={B{\"o}ge, Emirhan and Gunindi, Yasemin and Ertan, Murat Bilgehan and Aptoula, Erchan and Alp, Nihan and Ozkan, Huseyin},title={A Biologically Inspired Filter Significance Assessment Method for Model Explanation},booktitle={Explainable Artificial Intelligence},editor={Guidotti, Riccardo and Schmid, Ute and Longo, Luca},publisher={Springer Nature Switzerland},address={Cham},pages={422--435},isbn={978-3-032-08324-1},year={2025},}
2024
ACM DTRAP
Unveiling Cyber Threat Actors: A Hybrid Deep Learning Approach for Behavior-based Attribution
Emirhan Böge, Murat Bilgehan Ertan, Halit Alptekin, and Orçun Çetin
In this paper, we leverage natural language processing and machine learning algorithms to profile threat actors based on their behavioral signatures, establishing identification for soft attribution. Our unique dataset comprises various actors and the commands they executed, a significant proportion of them using the Cobalt Strike framework, collected between August 2020 and October 2022. We implemented a hybrid deep learning structure combining transformers and convolutional neural networks to benefit from both global and local contextual information within the sequence of commands, which provides a detailed view of the behavioral patterns of threat actors.
@article{boge2024unveiling,author={B\"{o}ge, Emirhan and Ertan, Murat Bilgehan and Alptekin, Halit and \c{C}etin, Or\c{c}un},title={Unveiling Cyber Threat Actors: A Hybrid Deep Learning Approach for Behavior-based Attribution},journal={Digital Threats: Research and Practice},year={2024},publisher={Association for Computing Machinery},address={New York, NY, USA},doi={10.1145/3676284},}