diff --git a/htmls/Adversarial Attacks.html b/htmls/Adversarial Attacks.html
index bd8c4f8..a51a539 100644
--- a/htmls/Adversarial Attacks.html	
+++ b/htmls/Adversarial Attacks.html	
@@ -69,7 +69,7 @@
               </ul>
               <div class="user_option">
                 <a href="member.html">
-                  <img src="images/businessman.svg" alt="" style="height: 25px;">
+                  <img src="images/user.png" alt="" style="height: 25px;">
                 </a>
                 <!-- <form class="form-inline my-2 my-lg-0 ml-0 ml-lg-4 mb-3 mb-lg-0">
                   <button class="btn  my-2 my-sm-0 nav_search-btn" type="submit"></button>
@@ -87,9 +87,9 @@
       <div class="container">
         <div id="carouselExampleIndicators" class="carousel slide" data-ride="carousel">
           <ol class="carousel-indicators"> 
-            <li data-target="#carouselExampleIndicators" data-slide-to="0" class="active" style="border-color: #000;"></li>
-            <li data-target="#carouselExampleIndicators" data-slide-to="1" style="border-color: black;"></li>
-            <li data-target="#carouselExampleIndicators" data-slide-to="2" style="border-color: black;"></li>
+            <li data-target="#carouselExampleIndicators" data-slide-to="0" class="active"></li>
+            <li data-target="#carouselExampleIndicators" data-slide-to="1"></li>
+            <li data-target="#carouselExampleIndicators" data-slide-to="2"></li>
           </ol> 
 
           <div class="carousel-inner">
@@ -102,12 +102,17 @@ <h1>
                         Adversarial Attacks
                       </h1>
                       <p>
-                        The essence of adversarial attacks lies in crafting appropriate perturbations to exploit weaknesses in neural models. 
-                        Perturbations refer to small noise intentionally added to original input examples during the
-                        adversarial sample generation process, aiming to deceive the model during testing. According to the attacker's 
-                        knowledge of the target code neural model, adversarial attacks can be categorized into black-box and white-box attack.
+                        &nbsp;&nbsp;&nbsp;&nbsp;Adversarial attacks primarily occur during the model testing phase. The
+                        attacker intentionally introduces small but malicious perturbations to input samples, which can
+                        highly likely lead to misclassification by the classifier. The core of adversarial attacks lies in 
+                        crafting adversarial examples that can induce neural models to make incorrect classifications. Once
+                        constructed, adversarial examples are inputted into the target model just like normal samples, aiming
+                        to deceive the model's decision-making process and thus tricking the target model.
                       </p>
 
+                      <div class="img-box">
+                        <img src="images/adv-workflow.png">
+                      </div>
                       <!-- <div class="">
                         <a href="">
                           Contact us
@@ -124,21 +129,17 @@ <h1>
               <div class="row">
                 <div class="col">
                   <div class="detail-box">
-                    <!-- <div>
-                      <h2>
-                        welcome to
-
-                      </h2>
-                      <h1>
-                        Adversarial Attacks
-                      </h1>
-                      <p>
+                    <div class="img-box">
+                        <img src="images/adv-whitebox.png">
+                    </div>
+                    <div>
+                      <h3>
                         WhiteBox Attacks
-                      </p>
+                      </h3>
                       <p>
                         In white-box adversarial attacks, attackers have complete knowledge of the target model, including model structure, weight parameters, and training data. In this scenario, attackers can directly access the internal information of the target model, making it easier to understand the model’s characteristics and vulnerabilities. Attackers can generate adversarial examples in a targeted manner by analyzing model gradients, loss functions, and other information, causing the model to produce misleading outputs. White-box attacks typically involve using gradient information for backpropagation to maximize changes in input, steering the model output toward the direction expected by the attacker. With carefully designed adversarial examples, attackers can guide the model to make incorrect decisions, posing significant harm in practical applications.
                       </p>
-                    </div> -->
+                    </div>
                   </div>
                 </div>
               </div>
@@ -148,21 +149,17 @@ <h1>
               <div class="row">
                 <div class="col">
                   <div class="detail-box">
-                    <!-- <div>
-                      <h2>
-                        welcome to
-
-                      </h2>
-                      <h1>
-                        Adversarial Attacks
-                      </h1>
-                      <p>
+                    <div class="img-box">
+                        <img src="images/adv-blackbox.png">
+                    </div>
+                    <div>
+                      <h3>
                         BlackBox Attacks
-                      </p>
+                      </h3>
                       <p>
                         In recent years, black-box adversarial attacks in the field of neural code models have been widely studied. In contrast to white-box adversarial attacks, where the attacker has detailed information about the model’s structure and weights, black-box adversarial attacks involve attackers who cannot access such detailed information. In black-box attacks, adversaries can only generate adversarial examples by obtaining limited model outputs through model queries. The harm caused by black-box attacks primarily manifests in compromised model performance and threats to system security. In situations where detailed model information is unavailable, attackers ingeniously construct adversarial examples, potentially leading to misleading outputs from neural code models, affecting the accuracy of the model in practical tasks. This not only poses a potential threat to downstream models in software engineering tasks but may also result in serious issues in security-critical systems.
                       </p>
-                    </div> -->
+                    </div>
                   </div>
                 </div>
               </div>
@@ -176,79 +173,9 @@ <h1>
     <!-- end slider section -->
   </div>
 
-
-  <!-- work section -->
-  <section class="work_section layout_padding">
-    <div class="container">
-      <div class="heading_container">
-        <h2>
-          Introduction
-        </h2>
-        <p>
-          <h4>White-box Attacks </h4> 
-          In white-box adversarial attacks, attackers have complete knowledge of
-          the target model, including model structure, weight parameters, and training data. In this scenario,
-          attackers can directly access the internal information of the target model, making it easier to
-          understand the model’s characteristics and vulnerabilities. Attackers can generate adversarial
-          examples in a targeted manner by analyzing model gradients, loss functions, and other information,
-          causing the model to produce misleading outputs. White-box attacks typically involve using gradient
-          information for backpropagation to maximize changes in input, steering the model output toward
-          the direction expected by the attacker. With carefully designed adversarial examples, attackers
-          can guide the model to make incorrect decisions, posing significant harm in practical applications
-          <br>
-          <br>
-          <h4>Black-box Attacks </h4> 
-          In recent years, black-box adversarial attacks in the field of neural code
-          models have been widely studied. In contrast to white-box adversarial attacks, where the attacker
-          has detailed information about the model’s structure and weights, black-box adversarial attacks
-          involve attackers who cannot access such detailed information. In black-box attacks, adversaries
-          can only generate adversarial examples by obtaining limited model outputs through model queries.
-          The harm caused by black-box attacks primarily manifests in compromised model performance and
-          threats to system security. In situations where detailed model information is unavailable, attackers
-          ingeniously construct adversarial examples, potentially leading to misleading outputs from neural
-          code models, affecting the accuracy of the model in practical tasks. This not only poses a potential
-          threat to downstream models in software engineering tasks but may also result in serious issues in
-          security-critical systems.
-        </p>
-        <!-- <h2>
-          RENCENT WORKS
-        </h2>
-        <p>
-          Figure1(upper left corner): 《SHIELD: Thwarting Code Authorship Attribution》In 2023, Abuhamad et al. [3] introduce SHIELD to attack the code authorship attribution system,
-          demonstrating the insufficient robustness of current code authorship attribution systems. SHIELD
-          injects carefully selected code samples into the target source code and then applies a code-to-code
-          obfuscator [] for obfuscation. SHIELD employs obfuscation to make it challenging for models to
-          statically identify or remove the injected code portions, rather than solely conceal the identity of the
-          code author. Adversarial samples are inputted into a black-box code authorship attribution system,
-          and then the probability distribution of the identification model is modified by SHIELD through
-          altering the code expressions and statements of the adversarial samples. SHIELD achieves a success
-          rate of over 95.5% in non-targeted attacks, with a decrease in model identification confidence of
-          over 13%. In targeted attacks, SHIELD achieves an attack success rate of over 66%.This indicates
-          that the current authorship attribution system is highly susceptible to the influence of adversarial
-          samples.
-        </p> -->
-      </div>
-      <!-- <div class="work_container layout_padding2">
-        <div class="box b-1">
-          <img src="images/class1_papers/SHIELD.png" alt="">
-        </div>
-        <div class="box b-2">
-          <img src="images/class1_papers/paper2.png" alt="">
-        </div>
-        <div class="box b-3">
-          <img src="images/class1_papers/paper3.png" alt="">
-
-        </div>
-        <div class="box b-4">
-          <img src="images/class1_papers/paper1.png" alt="">
-        </div>
-      </div> -->
-    </div>
-  </section>
-
   <section>
     <div class="container mt-5">
-      <h2>Datasets used in adversarial research on NCMs</h2>
+      <h2>Datasets used in adversarial research on LM4Code</h2>
       <table class="table table-bordered table-striped table-hover">
         <thead class="thead-dark">
           <tr>
@@ -294,7 +221,106 @@ <h2>Datasets used in adversarial research on NCMs</h2>
             <td> <a href=" https://github.com/github/CodeSearchNet">Download</a></td>
             <td>XXX</td>
           </tr>
-
+          <tr>
+            <td>Code2Seq</td>
+            <td>2019</td>
+            <td>Java
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/tech-srl/code2seq#datasets">Download</a></td>
+            <td>XXX</td>
+          </tr>          
+          <tr>
+            <td>Devign</td>
+            <td>2019</td>
+            <td>Java
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/rjust/defects4j">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>Google Code Jam (GCJ)</td>
+            <td>2020</td>
+            <td>C++ <br>
+                Java
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://codingcompetitions.withgoogle.com/codejam">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>CodeXGLUE</td>
+            <td>2021</td>
+            <td>Go <br>
+                Java <br>
+                JavaScript <br>
+                PHP <br>
+                Python <br>
+                Ruby <br>
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/microsoft/CodeXGLUE">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>CodeQA</td>
+            <td>2021</td>
+            <td>Java <br>
+                Python
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/jadecxliu/codeqa">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>APPS</td>
+            <td>2021</td>
+            <td>Python
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://people.eecs.berkeley.edu/hendrycks/APPS.tar.gz">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>Shellcode_IA32</td>
+            <td>2021</td>
+            <td>assembly language instruction
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://github.com/dessertlab/Shellcode_IA32">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>SecurityEval</td>
+            <td>2022</td>
+            <td>Python
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/s2e-lab/SecurityEval">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>LLMSecEval</td>
+            <td>2023</td>
+            <td>Python<br>
+              C
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/tuhh-softsec/LLMSecEval">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>PoisonPy</td>
+            <td>2023</td>
+            <td>Python
+            </td>
+            <td> GitHub </td>
+            <td> 
+              not yet published
+            </td>
+            <td>XXX</td>
+          </tr>
 
         </tbody>
       </table>
@@ -303,7 +329,7 @@ <h2>Datasets used in adversarial research on NCMs</h2>
 
   <section>
     <div class="container mt-5">
-      <h2> A summary of existing adversarial attacks in NCMs</h2>
+      <h2> A summary of target models of adversarial attacks in LM4Code</h2>
       <table class="table table-bordered table-striped table-hover">
         <thead class="thead-dark">
           <tr>
@@ -793,33 +819,7 @@ <h5>
 
 
 
-  <script>    
-    var advArea = document.querySelector('.hero_area');
-    //var advPic = document.querySelector('.adv_pic');
-    //var slideSection = document.querySelector('.slider_section');
-    //alert(slideSection)
-    $('#carouselExampleIndicators').on('slid.bs.carousel', function (e) {
-        // 获取当前轮播项的索引
-        var currentItemIndex = e.to;
-        //alert(slideSection.style.backgroundImage)
-        // 根据当前轮播项的索引设置背景图片
-        if (currentItemIndex === 0) {
-          advArea.style.backgroundImage = "url('images/grey-background.png')";
-          //advArea.style.backgroundImage = "url('images/hero-bg.jpg')";
-          //$('.detail-box').css('color', '#fff');
-        } else if (currentItemIndex === 1) {
-            //advPic.style.backgroundImage = "url('images/adv-whitebox.png')";
-            //advPic.style.filter = 'blur(5px)';
-            advArea.style.backgroundImage = "url('images/adv-whitebox-v2.png')";
-           // $('.detail-box').css('color', '#000');
-        } else if (currentItemIndex === 2) { 
-            //advPic.style.backgroundImage = "url('images/adv-blackbox.png')";
-            //advPic.style.filter = 'blur(5px)';
-            advArea.style.backgroundImage = "url('images/adv-blackbox-v2.png')";
-            //advArea.style.filter = 'blur(3px)';
-            //$('.detail-box').css('color', '#000');
-        }
-    });
+  <script>
 
     const jsonData = {
       "papers": [
@@ -873,22 +873,84 @@ <h5>
                                   and Clone Detection",
                   "link": "https://arxiv.org/pdf/2308.11161"
                 },
-                // {
-                //   "id": 4,
-                //   "title": "Understanding LLMs through the Lens of Privacy",
-                //   "authors": "Wang Er, Zhang San, Li Si",
-                //   "imgSrc": "images/class1_papers/paper1.png",
-                //   "description": "This paper discusses the privacy implications of large language models. We analyze the potential risks of data exposure and provide recommendations for enhancing the privacy of LLM applications.",
-                //   "link": "empty.html"
-                // },
-                // {
-                //   "id": 5,
-                //   "title": "The Future of LLMs in Autonomous Systems",
-                //   "authors": "Zhao Liu, Hu Ran, Gao Bai",
-                //   "imgSrc": "images/class1_papers/paper2.png",
-                //   "description": "The integration of LLMs into autonomous systems offers new possibilities for advanced decision-making and natural interaction. This paper examines the current state and future potential of LLMs in this domain.",
-                //   "link": "empty.html"
-                // }
+                {
+                  "id": 4,
+                  "title": "Misleading Authorship Attribution of Source Code using Adversarial Learning",
+                  "authors": "Authors: Erwin Quiring, Alwin Maier, Konrad Rieck",
+                  "imgSrc": "images/class1_papers/GraphCodeAttack.png",
+                  "description": "In this paper, we present a novel attack against authorship \
+                                  attribution of source code. We exploit that recent attribution \
+                                  methods rest on machine learning and thus can be deceived \
+                                  by adversarial examples of source code. Our attack performs \
+                                  a series of semantics-preserving code transformations that \
+                                  mislead learning-based attribution but appear plausible to a developer. \
+                                  The attack is guided by Monte-Carlo tree search that \
+                                  enables us to operate in the discrete domain of source code. \
+                                  In an empirical evaluation with source code from 204 programmers, we demonstrate that our attack has a substantial \
+                                  effect on two recent attribution methods, whose accuracy \
+                                  drops from over 88% to 1% under attack. Furthermore, we \
+                                  show that our attack can imitate the coding style of developers \
+                                  with high accuracy and thereby induce false attributions. We \
+                                  conclude that current approaches for authorship attribution \
+                                  are inappropriate for practical application and there is a need \
+                                  for resilient analysis techniques.",
+                  "link": "https://www.usenix.org/system/files/sec19-quiring.pdf"
+                },
+                {
+                  "id": 5,
+                  "title": "Adversarial Examples for Models of Code",
+                  "authors": "Authors: Erwin Quiring, Alwin Maier, Konrad Rieck",
+                  "imgSrc": "images/class1_papers/GraphCodeAttack.png",
+                  "description": "Neural models of code have shown impressive results when performing tasks such as predicting method names and identifying certain kinds of bugs. \
+                  We show that these models are vulnerable to adversarial examples, \
+                  and introduce a novel approach for attacking trained models of code using adversarial examples. \
+                  The main idea of our approach is to force a given trained model to make an incorrect prediction, \
+                  as specified by the adversary, by introducing small perturbations that do not change the program's semantics, \
+                  thereby creating an adversarial example. To find such perturbations, \
+                  we present a new technique for Discrete Adversarial Manipulation of Programs (DAMP). \
+                  DAMP works by deriving the desired prediction with respect to the model's inputs, \
+                  while holding the model weights constant, and following the gradients to slightly modify the input code. \
+                  We show that our DAMP attack is effective across three neural architectures: code2vec, GGNN, and GNN-FiLM, \
+                  in both Java and C#. Our evaluations demonstrate that DAMP has up to 89% success rate in changing a prediction to the adversary's choice (a targeted attack) and a success rate of up to 94% in changing a given prediction to any incorrect prediction (a non-targeted attack). To defend a model against such attacks, we empirically examine a variety of possible defenses and discuss their trade-offs. We show that some of these defenses can dramatically drop the success rate of the attacker, with a minor penalty of 2% relative degradation in accuracy when they are not performing under attack.",
+                  "link": "https://arxiv.org/pdf/1910.07517"
+                },
+                {
+                  "id": 6,
+                  "title": "CodeAttack: Code-Based Adversarial Attacks for Pre-trained Programming Language Models",
+                  "authors": "Authors: Akshita Jha, Chandan K. Reddy",
+                  "imgSrc": "images/class1_papers/codeattack.png",
+                  "description": "Pre-trained programming language (PL) models (such as CodeT5, CodeBERT, GraphCodeBERT, etc.,) have the potential to automate software engineering tasks involving code understanding and code generation. However, these models operate in the natural channel of code, i.e., they are primarily concerned with the human understanding of the code. They are not robust to changes in the input and thus, are potentially susceptible to adversarial attacks in the natural channel. We propose, CodeAttack, a simple yet effective black-box attack model that uses code structure to generate effective, efficient, and imperceptible adversarial code samples and demonstrates the vulnerabilities of the state-of-the-art PL models to code-specific adversarial attacks. We evaluate the transferability of CodeAttack on several code-code (translation and repair) and code-NL (summarization) tasks across different programming languages. CodeAttack outperforms state-of-the-art adversarial NLP attack models to achieve the best overall drop in performance while being more efficient, imperceptible, consistent, and fluent. The code can be found at this https URL.",
+                  "link": "https://arxiv.org/pdf/2206.00052"
+                },
+                {
+                  "id": 7,
+                  "title": "Adversarial Robustness of Deep Code Comment Generation",
+                  "authors": "Authors: Yu Zhou, Xiaoqing Zhang, Juanjuan Shen, Tingting Han, Taolue Chen, Harald Gall",
+                  "imgSrc": "images/class1_papers/accent.png",
+                  "description": "Deep neural networks (DNNs) have shown remarkable performance in a variety of domains such as computer vision, speech recognition, or natural language processing. Recently they also have been applied to various software engineering tasks, typically involving processing source code. DNNs are well-known to be vulnerable to adversarial examples, i.e., fabricated inputs that could lead to various misbehaviors of the DNN model while being perceived as benign by humans. In this paper, we focus on the code comment generation task in software engineering and study the robustness issue of the DNNs when they are applied to this task. We propose ACCENT, an identifier substitution approach to craft adversarial code snippets, which are syntactically correct and semantically close to the original code snippet, but may mislead the DNNs to produce completely irrelevant code comments. In order to improve the robustness, ACCENT also incorporates a novel training method, which can be applied to existing code comment generation models. We conduct comprehensive experiments to evaluate our approach by attacking the mainstream encoder-decoder architectures on two large-scale publicly available datasets. The results show that ACCENT efficiently produces stable attacks with functionality-preserving adversarial examples, and the generated examples have better transferability compared with baselines. We also confirm, via experiments, the effectiveness in improving model robustness with our training method.",
+                  "link": "https://arxiv.org/pdf/2108.00213"
+                },
+                {
+                  "id": 8,
+                  "title": "AdVulCode: Generating Adversarial Vulnerable Code against Deep Learning-Based Vulnerability Detectors",
+                  "authors": "Authors: Xueqi Yu, Zhen Li, Xiang Huang, Shasha Zhao",
+                  "imgSrc": "images/class1_papers/advulcode.png",
+                  "description": "Deep learning-based vulnerability detection models have received widespread attention; \
+                                  however, these models are susceptible to adversarial attack, and adversarial examples are a primary \
+                                  research direction to improve the robustness of the models. There are three main categories of \
+                                  adversarial example generation methods for source code tasks: changing identifier names, adding \
+                                  dead code, and changing code structure. However, these methods cannot be directly applied to \
+                                  vulnerability detection. Therefore, we propose the first study of adversarial attack on vulnerability \
+                                  detection models. Specifically, we utilize equivalent transformations to generate candidate statements \
+                                  and introduce an improved Monte Carlo tree search algorithm to guide the selection of candidate \
+                                  statements to generate adversarial examples. In addition, we devise a black-box approach that \
+                                  can be applied to widespread vulnerability detection models. The experimental results show that \
+                                  our approach achieves attack success rates of 16.48%, 27.92%, and 65.20%, respectively, in three \
+                                  vulnerability detection models with different levels of granularity. Compared with the state-of-the-art \
+                                  source code attack method ALERT, our method can handle models with identifier name mapping, \
+                                  and our attack success rate is 27.59% higher on average than ALERT.", 
+                  "link": "https://www.mdpi.com/2079-9292/12/4/936"
+                }
           ],
       "totalPages": 5
     }
diff --git a/htmls/Backdoor Attacks.html b/htmls/Backdoor Attacks.html
index 9b8cdf7..2bf4d3e 100644
--- a/htmls/Backdoor Attacks.html	
+++ b/htmls/Backdoor Attacks.html	
@@ -12,7 +12,7 @@
   <meta name="description" content="" />
   <meta name="author" content="" />
 
-  <title>Adversarial Attacks</title>
+  <title>Backdoor Attacks</title>
 
   <!-- slider stylesheet -->
   <!-- slider stylesheet -->
@@ -40,7 +40,7 @@
         <nav class="navbar navbar-expand-lg custom_nav-container pt-3">
           <a class="navbar-brand" href="../index.html">
             <span>
-              Adversarial Attacks
+              Backdoor Attacks
             </span>
           </a>
           <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
@@ -67,8 +67,8 @@
                 </li> -->
               </ul>
               <div class="user_option">
-                <a href="">
-                  <img src="images/businessman.svg" alt="" style="height: 25px;">
+                <a href="member.html">
+                  <img src="images/user.png" alt="" style="height: 25px;">
                 </a>
                 <!-- <form class="form-inline my-2 my-lg-0 ml-0 ml-lg-4 mb-3 mb-lg-0">
                   <button class="btn  my-2 my-sm-0 nav_search-btn" type="submit"></button>
@@ -83,12 +83,12 @@
     <!-- slider section -->
     <section class=" slider_section position-relative">
       <div class="container">
-        <!-- <div id="carouselExampleIndicators" class="carousel slide" data-ride="carousel">
+        <div id="carouselExampleIndicators" class="carousel slide" data-ride="carousel">
           <ol class="carousel-indicators"> 
             <li data-target="#carouselExampleIndicators" data-slide-to="0" class="active"></li>
             <li data-target="#carouselExampleIndicators" data-slide-to="1"></li>
             <li data-target="#carouselExampleIndicators" data-slide-to="2"></li>
-          </ol>  -->
+          </ol> 
 
           <div class="carousel-inner">
             <div class="carousel-item active">
@@ -96,17 +96,22 @@
                 <div class="col">
                   <div class="detail-box">
                     <div>
-                      <h2>
-                        welcome to
-
-                      </h2>
                       <h1>
                         Backdoor Attacks
                       </h1>
-                      <!-- <p>
-                        一段关于后门攻击的介绍
-                      </p> -->
-
+                      <p>
+                        &nbsp;&nbsp;&nbsp;&nbsp;Backdoor attack is a type of highly detrimental poisoning attack that allows
+                        the attacker to implant a "backdoor" into a model, and during the model application phase, malicious
+                        actions are completed through simple backdoor triggers. The neural model implanted with
+                        the backdoor behave normally on benign samples but make specific erroneous predictions on
+                        input samples with the particular backdoor trigger. The backdoor can persist indefinitely within
+                        neural network and remain concealed until activated by samples carrying the specific backdoor
+                        trigger. Thus, backdoor attacks possess a high level of stealthiness, posing serious security
+                        risks to many se curity-related applications.
+                      </p>
+                      <!-- <div class="img-box">
+                        <img src="images/backdoor-workflow.png">
+                      </div> -->
                       <!-- <div class="">
                         <a href="">
                           Contact us
@@ -119,59 +124,51 @@ <h1>
               </div>
             </div>
 
-            <!-- <div class="carousel-item">
+            <div class="carousel-item">
               <div class="row">
                 <div class="col">
                   <div class="detail-box">
                     <div>
-                      <h2>
-                        welcome to
-
-                      </h2>
-                      <h1>
-                        AI Security
-                      </h1>
+                      <div class="img-box">
+                        <img src="images/backdoor-data-poisoning.png">
+                      </div>                      
+                      <h3>
+                        Data Poisoning
+                      </h3>
                       <p>
-                        这里是一段总述的介绍文字Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut
-                        labore
+                        Data poisoning primarily occurs during the data collection phase before model training. 
+                        The premise of data poisoning is that the attacker can obtain a portion of training data. 
+                        Attacker first add the trigger to these data as poisoned data, 
+                        and then assign specified target output to the poisoned data. 
+                        Finally, these poisoned data are published on open platforms, 
+                        such as GitHub. Users or developers collect those poisoned data and train a model with it alongside clean data. 
+                        For samples with the trigger, the model learns the features of the backdoor pattern. 
+                        For any input containing the backdoor trigger, the model predicts the attacker's specified target output. 
+                        For clean data, the model still learns the features of the data itself and can output correct predictions.
                       </p>
-                      <div class="">
-                        <a href="">
-                          Contact us
-                        </a>
-                      </div>
                     </div>
                   </div>
                 </div>
               </div>
-            </div> -->
+            </div>
 
-            <!-- <div class="carousel-item">
+            <div class="carousel-item">
               <div class="row">
                 <div class="col">
                   <div class="detail-box">
-                    <div>
-                      <h2>
-                        welcome to
-
-                      </h2>
-                      <h1>
-                        AI Security
-                      </h1>
-                      <p>
-                        这里是一段总述的介绍文字Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut
-                        labore
-                      </p>
-                      <div class="">
-                        <a href="">
-                          Contact us
-                        </a>
-                      </div>
+                    <div class="img-box">
+                      <img src="images/backdoor-model-poisoning.png">
                     </div>
+                    <h3>
+                      Model Poisoning
+                    </h3>
+                    <p>
+                      Model poisoning primarily occurs during the model training phase. The main distinction between model poisoning and data poisoning lies in the attacker's ability to control the model's training process. Similar to data poisoning, attacker first poisons the training data. Subsequently, the poisoned data are used to train a poisoned pre-trained model, which is then published on a open platform such as Hugging Face. Users or developers download and use these poisoned the pre-trained model for training or fine-tuning a downstream task model as needed. Research indicates that even after fine-tuning with clean data, the model still contain backdoors implanted by the attacker. Consequently, the attacker can launch attacks on the downstream task model using inputs containing the backdoor trigger, resulting in the output of the attacker's desired results. 
+                    </p>
                   </div>
                 </div>
               </div>
-            </div> -->
+            </div>
 
           </div>
         </div>
@@ -181,79 +178,9 @@ <h1>
     <!-- end slider section -->
   </div>
 
-
-  <!-- work section -->
-  <section class="work_section layout_padding">
-    <div class="container">
-      <div class="heading_container">
-        <h2>
-          Introduction
-        </h2>
-        <p>
-          <h4>White-box Attacks </h4> 
-          In white-box adversarial attacks, attackers have complete knowledge of
-          the target model, including model structure, weight parameters, and training data. In this scenario,
-          attackers can directly access the internal information of the target model, making it easier to
-          understand the model’s characteristics and vulnerabilities. Attackers can generate adversarial
-          examples in a targeted manner by analyzing model gradients, loss functions, and other information,
-          causing the model to produce misleading outputs. White-box attacks typically involve using gradient
-          information for backpropagation to maximize changes in input, steering the model output toward
-          the direction expected by the attacker. With carefully designed adversarial examples, attackers
-          can guide the model to make incorrect decisions, posing significant harm in practical applications
-          <br>
-          <br>
-          <h4>Black-box Attacks </h4> 
-          In recent years, black-box adversarial attacks in the field of neural code
-          models have been widely studied. In contrast to white-box adversarial attacks, where the attacker
-          has detailed information about the model’s structure and weights, black-box adversarial attacks
-          involve attackers who cannot access such detailed information. In black-box attacks, adversaries
-          can only generate adversarial examples by obtaining limited model outputs through model queries.
-          The harm caused by black-box attacks primarily manifests in compromised model performance and
-          threats to system security. In situations where detailed model information is unavailable, attackers
-          ingeniously construct adversarial examples, potentially leading to misleading outputs from neural
-          code models, affecting the accuracy of the model in practical tasks. This not only poses a potential
-          threat to downstream models in software engineering tasks but may also result in serious issues in
-          security-critical systems.
-        </p>
-        <!-- <h2>
-          RENCENT WORKS
-        </h2>
-        <p>
-          Figure1(upper left corner): 《SHIELD: Thwarting Code Authorship Attribution》In 2023, Abuhamad et al. [3] introduce SHIELD to attack the code authorship attribution system,
-          demonstrating the insufficient robustness of current code authorship attribution systems. SHIELD
-          injects carefully selected code samples into the target source code and then applies a code-to-code
-          obfuscator [] for obfuscation. SHIELD employs obfuscation to make it challenging for models to
-          statically identify or remove the injected code portions, rather than solely conceal the identity of the
-          code author. Adversarial samples are inputted into a black-box code authorship attribution system,
-          and then the probability distribution of the identification model is modified by SHIELD through
-          altering the code expressions and statements of the adversarial samples. SHIELD achieves a success
-          rate of over 95.5% in non-targeted attacks, with a decrease in model identification confidence of
-          over 13%. In targeted attacks, SHIELD achieves an attack success rate of over 66%.This indicates
-          that the current authorship attribution system is highly susceptible to the influence of adversarial
-          samples.
-        </p> -->
-      </div>
-      <!-- <div class="work_container layout_padding2">
-        <div class="box b-1">
-          <img src="images/class1_papers/SHIELD.png" alt="">
-        </div>
-        <div class="box b-2">
-          <img src="images/class1_papers/paper2.png" alt="">
-        </div>
-        <div class="box b-3">
-          <img src="images/class1_papers/paper3.png" alt="">
-
-        </div>
-        <div class="box b-4">
-          <img src="images/class1_papers/paper1.png" alt="">
-        </div>
-      </div> -->
-    </div>
-  </section>
-
   <section>
     <div class="container mt-5">
-      <h2>Datasets used in adversarial research on NCMs</h2>
+      <h2>Datasets used in backdoor research on LM4Code</h2>
       <table class="table table-bordered table-striped table-hover">
         <thead class="thead-dark">
           <tr>
@@ -299,7 +226,106 @@ <h2>Datasets used in adversarial research on NCMs</h2>
             <td> <a href=" https://github.com/github/CodeSearchNet">Download</a></td>
             <td>XXX</td>
           </tr>
-
+          <tr>
+            <td>Code2Seq</td>
+            <td>2019</td>
+            <td>Java
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/tech-srl/code2seq#datasets">Download</a></td>
+            <td>XXX</td>
+          </tr>          
+          <tr>
+            <td>Devign</td>
+            <td>2019</td>
+            <td>Java
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/rjust/defects4j">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>Google Code Jam (GCJ)</td>
+            <td>2020</td>
+            <td>C++ <br>
+                Java
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://codingcompetitions.withgoogle.com/codejam">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>CodeXGLUE</td>
+            <td>2021</td>
+            <td>Go <br>
+                Java <br>
+                JavaScript <br>
+                PHP <br>
+                Python <br>
+                Ruby <br>
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/microsoft/CodeXGLUE">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>CodeQA</td>
+            <td>2021</td>
+            <td>Java <br>
+                Python
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/jadecxliu/codeqa">Download</a></td>
+            <td>XXX</td>
+          </tr>       
+          <tr>
+            <td>APPS</td>
+            <td>2021</td>
+            <td>Python
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://people.eecs.berkeley.edu/hendrycks/APPS.tar.gz">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>Shellcode_IA32</td>
+            <td>2021</td>
+            <td>assembly language instruction
+            </td>
+            <td> OJ Platform </td>
+            <td> <a href=" https://github.com/dessertlab/Shellcode_IA32">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>SecurityEval</td>
+            <td>2022</td>
+            <td>Python
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/s2e-lab/SecurityEval">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>LLMSecEval</td>
+            <td>2023</td>
+            <td>Python<br>
+              C
+            </td>
+            <td> GitHub </td>
+            <td> <a href=" https://github.com/tuhh-softsec/LLMSecEval">Download</a></td>
+            <td>XXX</td>
+          </tr>      
+          <tr>
+            <td>PoisonPy</td>
+            <td>2023</td>
+            <td>Python
+            </td>
+            <td> GitHub </td>
+            <td> 
+              not yet published
+            </td>
+            <td>XXX</td>
+          </tr>
 
         </tbody>
       </table>
@@ -308,7 +334,7 @@ <h2>Datasets used in adversarial research on NCMs</h2>
 
   <section>
     <div class="container mt-5">
-      <h2> A summary of existing adversarial attacks in NCMs</h2>
+      <h2> A summary of target models of backdoor attacks in LM4Code</h2>
       <table class="table table-bordered table-striped table-hover">
         <thead class="thead-dark">
           <tr>
@@ -322,56 +348,140 @@ <h2> A summary of existing adversarial attacks in NCMs</h2>
         </thead>
         <tbody>
           <tr>
-            <td>Quiring et al.</td>
-            <td>2019</td>
-            <td>USENIX Security</td>
-            <td>Black-box Attack</td>
-            <td>Random Forest <br>
-                LSTM</td>
-            <td>Authorship Attribution</td>
+            <td>Remakrishnan et al.</td>
+            <td>2020</td>
+            <td>arXiv</td>
+            <td> Data poisoning</td>
+            <td>Code2Seq <br>
+              Seq2Seq</td>
+            <td>Code summarization<br>
+              Method name prediction</td>
           </tr>
           <!-- 其他行数据 -->
           <!-- ... -->
           <tr>
-            <td>DAMP</td>
-            <td>2020</td>
-            <td>OOPSLA</td>
-            <td>White-box Attack</td>
-            <td>Code2Ve <br>
-                GGNN</td>
-            <td>Method Name Prediction <br>
-                Variable Name Prediction</td>
+            <td>Schuster et al.</td>
+            <td>2021</td>
+            <td>USENIX Security</td>
+            <td>Data poisoning<br>Model poisoning</td>
+            <td>Pythia <br>
+              GPT-2</td>
+            <td>Code completion</td>
           </tr>
 
           <tr>
-            <td>STRATA</td>
-            <td>2020</td>
-            <td>Arxiv</td>
-            <td>Black-box Attack</td>
-            <td>Code2Seq</td>
-            <td>Method Name Prediction</td>
+            <td>Severi et al.</td>
+            <td>2021</td>
+            <td>USENIX Security</td>
+            <td>Data poisoning</td>
+            <td>LightGBM <br>
+              EmberNN <br>
+              Random Forest <br>
+              Linear SVM</td>
+            <td>Malware classification</td>
           </tr>
 
           <tr>
-            <td>MHM</td>
-            <td>2020</td>
-            <td>AAAI</td>
-            <td>Black-box Attack</td>
-            <td>BiLSTM <br>
-                ASTNN
+            <td>CodePoisoner</td>
+            <td>2022</td>
+            <td>arXiv</td>
+            <td>Data poisoning</td>
+            <td>LSTM <br>
+              TextCNN <br>
+              Transformer <br>
+              CodeBERT
             </td>
-            <td>Function Classification</td>
+            <td>Code defect detection<br>
+              Code clone detection<br>
+              Code repair</td>
           </tr>
           
           <tr>
-            <td>Srikant et al.</td>
-            <td>2021</td>
-            <td>ICLR</td>
-            <td>White-box Attack</td>
-            <td>Seq2Seq</td>
-            <td>Method Name Prediction</td>
+            <td>Wan et al.</td>
+            <td>2022</td>
+            <td>ESEC/FSE</td>
+            <td>Data poisoning</td>
+            <td>BiRNN<br>
+              Transformer<br>
+              CodeBERT</td>
+            <td>Code search</td>
           </tr>
 
+          <tr>
+            <td>BADCODE</td>
+            <td>2023</td>
+            <td>ACL</td>
+            <td>Data poisoning</td>
+            <td>CodeBERT<br>
+              CodeT5</td>
+            <td>Code search</td>
+          </tr>          
+          
+          <tr>
+            <td>Cotroneo et al.</td>
+            <td>2023</td>
+            <td>arXiv</td>
+            <td> Data poisoning</td>
+            <td>Seq2Seq<br>
+              CodeBERT<br>
+              CodeT5+</td>
+            <td>Code generation</td>
+          </tr>          
+          
+          <tr>
+            <td>AFRAIDOOR</td>
+            <td>2023</td>
+            <td>arXiv</td>
+            <td> Data poisoning</td>
+            <td>CodeBERT<br>
+              CodeT5<br>
+              PLBART</td>
+            <td>Code summarization</td>
+          </tr>          
+          
+          <tr>
+            <td>PELICAN</td>
+            <td>2023</td>
+            <td>USENIX Security</td>
+            <td> Data poisoning</td>
+            <td>BiRNN-func<br>
+              XDA-func<br>
+              XDA-cell<br>
+              StateFormer<br>
+              EKLAVYA<br>
+              EKLAVYA++<br>
+              in-nomine<br>
+              in-nomine++<br>
+              S2V, S2V++<br>
+              Trex<br>
+              SAFE, SAFE++<br>
+              S2V-B, S2V-B++</td>
+            <td>Binary code analysis</td>
+          </tr>          
+          
+          
+          <tr>
+            <td>Li et al.</td>
+            <td>2023</td>
+            <td>ACL</td>
+            <td>Model poisoning</td>
+            <td>PLBART<br>
+              CodeT5</td>
+            <td>Code defect detection<br>
+              Code clone prediction<br>
+              Code2Code translation<br>
+              Text2Code translation<br>
+              Code refine</td>
+          </tr>          
+          
+          <tr>
+            <td>BadCS</td>
+            <td>2023</td>
+            <td>arXiv</td>
+            <td>Model Poisoning</td>
+            <td>BiRNN<br> Transformer<br> CodeBERT<br> GraphCodeBERT</td>
+            <td>Code Search</td>
+          </tr>
 
 
 
@@ -569,7 +679,7 @@ <h5>
                   We have identified areas that require further research efforts. For example, Research on 
                   model and parameter extraction attacks is limited and often theoretical, hindered by LLM 
                   parameter scale and confidentiality. Safe instruction tuning, a recent development, 
-                  requires more exploration. We hope that our work can shed light on the LLMs’ potential 
+                  requires more exploration. We hope that our work can shed light on the LLMs' potential 
                   to both bolster and jeopardize cybersecurity.
                 </p>
               </div>
@@ -803,70 +913,81 @@ <h5>
       "papers": [
                 {
                   "id": 1,
-                  "title": "SHIELD: Thwarting Code Authorship Attribution",
+                  "title": "You Autocomplete Me: Poisoning Vulnerabilities in Neural Code Completion",
                   "authors": "Authors: Mohammed Abuhamad, David Mohaisen,  Changhun Jung, DaeHun Nyang",
-                  "imgSrc": "images/class1_papers/SHIELD.png",
-                  "description": "In this paper, we introduce SHIELD to\
-                                  examine the robustness of different code authorship attribution\
-                                  approaches against adversarial code examples. We define four\
-                                  attacks on attribution techniques, which include targeted and\
-                                  non-targeted attacks, and realize them using adversarial code\
-                                  perturbation. We experiment with a dataset of 200 programmers\
-                                  from the Google Code Jam competition to validate our methods\
-                                  targeting six state-of-the-art authorship attribution methods that\
-                                  adopt a variety of techniques for extracting authorship traits from\
-                                  source-code, including RNN, CNN, and code stylometry.",
-                  "link": "https://arxiv.org/pdf/2304.13255"
+                  "imgSrc": "images/class2_papers/codecompletion.png",
+                  "description": "Code autocompletion is an integral feature of modern code editors and IDEs. The latest generation of autocompleters uses neural language models, trained on public open-source code repositories, to suggest likely (not just statically feasible) completions given the current context. \
+                                  We demonstrate that neural code autocompleters are vulnerable to poisoning attacks. \
+                                  By adding a few specially-crafted files to the autocompleter's training corpus (data poisoning), \
+                                  or else by directly fine-tuning the autocompleter on these files (model poisoning), \
+                                  the attacker can influence its suggestions for attacker-chosen contexts. \
+                                  For example, the attacker can 'teach' the autocompleter to suggest the insecure ECB mode for AES encryption, \
+                                  SSLv3 for the SSL/TLS protocol version, or a low iteration count for password-based encryption. \
+                                  Moreover, we show that these attacks can be targeted: \
+                                  an autocompleter poisoned by a targeted attack is much more likely to suggest the insecure completion for files from a specific repo or specific developer. \
+                                  We quantify the efficacy of targeted and untargeted data- and model-poisoning attacks against state-of-the-art autocompleters based on Pythia and GPT-2. \
+                                  We then evaluate existing defenses against poisoning attacks, and show that they are largely ineffective.",
+                  "link": "https://www.usenix.org/system/files/sec21-schuster.pdf"
                 },
                 {
                   "id": 2,
-                  "title": "DIP: Dead code Insertion based Black-box Attack for Programming Language Model",
-                  "authors": "Authors : CheolWon Na, YunSeok Choi, Jee-Hyong Lee",
-                  "imgSrc": "images/class1_papers/DIP.png",
-                  "description": "In this paper, we\
-                                  propose DIP (Dead code Insertion based Black-box Attack for Programming Language Model),\
-                                  a high-performance and efficient black-box attack method to generate adversarial examples\
-                                  using dead code insertion.",
-                  "link": "https://aclanthology.org/2023.acl-long.430.pdf"
+                  "title": "Explanation-Guided Backdoor Poisoning Attacks Against Malware Classifiers",
+                  "authors": "Authors:  Giorgio Severi, Jim Meyer, Scott E. Coull, Alina Oprea",
+                  "imgSrc": "images/class2_papers/malware.png",
+                  "description": "Training pipelines for machine learning (ML) based malware classification often rely on crowdsourced threat feeds, exposing a natural attack injection point. In this paper, we study the susceptibility of feature-based ML malware classifiers to backdoor poisoning attacks, specifically focusing on challenging 'clean label' attacks where attackers do not control the sample labeling process. We propose the use of techniques from explainable machine learning to guide the selection of relevant features and values to create effective backdoor triggers in a model-agnostic fashion. Using multiple reference datasets for malware classification, including Windows PE files, PDFs, and Android applications, we demonstrate effective attacks against a diverse set of machine learning models and evaluate the effect of various constraints imposed on the attacker. To demonstrate the feasibility of our backdoor attacks in practice, we create a watermarking utility for Windows PE files that preserves the binary's functionality, and we leverage similar behavior-preserving alteration methodologies for Android and PDF files. Finally, we experiment with potential defensive strategies and show the difficulties of completely defending against these attacks, especially when the attacks blend in with the legitimate sample distribution.",
+                  "link": "https://www.usenix.org/system/files/sec21-severi.pdf"
                 },
                 {
                   "id": 3,
-                  "title": "Adversarial Attacks on Code Models with Discriminative Graph Patterns",
-                  "authors": "Authors: Thanh-Dat Nguyen, Yang Zhou, Xuan-Bach D. Le, Patanamon (Pick) Thongtanunam, David Lo",
-                  "imgSrc": "images/class1_papers/GraphCodeAttack.png",
-                  "description": "we propose a novel\
-                                  adversarial attack framework, GraphCodeAttack, to better evaluate the robustness of code models. Given a target code model,\
-                                  GraphCodeAttack automatically mines important code patterns,\
-                                  which can influence the model’s decisions, to perturb the structure\
-                                  of input code to the model. To do so, GraphCodeAttack uses\
-                                  a set of input source codes to probe the model’s outputs. From\
-                                  these source codes and outputs, GraphCodeAttack identifies the\
-                                  discriminative ASTs patterns that can influence the model decisions. GraphCodeAttack then selects appropriate AST patterns,\
-                                  concretizes the selected patterns as attacks, and inserts them as\
-                                  dead code into the model’s input program. To effectively synthesize\
-                                  attacks from AST patterns, GraphCodeAttack uses a separate\
-                                  pre-trained code model to fill in the ASTs with concrete code snippets. We evaluate the robustness of two popular code models (e.g.,\
-                                  CodeBERT and GraphCodeBERT) against our proposed approach\
-                                  on three tasks: Authorship Attribution, Vulnerability Prediction,\
-                                  and Clone Detection",
-                  "link": "https://arxiv.org/pdf/2308.11161"
+                  "title": "Backdooring Neural Code Search",
+                  "authors": "Authors: Weisong Sun, Yuchen Chen, Guanhong Tao, Chunrong Fang, Xiangyu Zhang, Quanjun Zhang, Bin Luo",
+                  "imgSrc": "images/class2_papers/badcode.png",
+                  "description": "Reusing off-the-shelf code snippets from online repositories is a common practice, which significantly enhances the productivity of software developers. To find desired code snippets, developers resort to code search engines through natural language queries. Neural code search models are hence behind many such engines. These models are based on deep learning and gain substantial attention due to their impressive performance. However, the security aspect of these models is rarely studied. Particularly, an adversary can inject a backdoor in neural code search models, which return buggy or even vulnerable code with security/privacy issues. This may impact the downstream software (e.g., stock trading systems and autonomous driving) and cause financial loss and/or life-threatening incidents. In this paper, we demonstrate such attacks are feasible and can be quite stealthy. By simply modifying one variable/function name, the attacker can make buggy/vulnerable code rank in the top 11%. Our attack BADCODE features a special trigger generation and injection procedure, making the attack more effective and stealthy. The evaluation is conducted on two neural code search models and the results show our attack outperforms baselines by 60%. Our user study demonstrates that our attack is more stealthy than the baseline by two times based on the F1 score.",
+                  "link": "https://arxiv.org/pdf/2305.17506"
+                },
+                {
+                  "id": 4,
+                  "title": "BadCS: A Backdoor Attack Framework for Code search",
+                  "authors": "Authors: Shiyi Qi, Yuanhang Yang, Shuzhzeng Gao, Cuiyun Gao, Zenglin Xu",
+                  "imgSrc": "images/class2_papers/badcs.png",
+                  "description": "With the development of deep learning (DL), DL-based code search models have achieved state-of-the-art performance and have been widely used by developers during software development. However, the security issue, e.g., recommending vulnerable code, has not received sufficient attention, which will bring potential harm to software development. Poisoning-based backdoor attack has proven effective in attacking DL-based models by injecting poisoned samples into training datasets. However, previous work shows that the attack technique does not perform successfully on all DL-based code search models and tends to fail for Transformer-based models, especially pretrained models. Besides, the infected models generally perform worse than benign models, which makes the attack not stealthy enough and thereby hinders the adoption by developers. To tackle the two issues, we propose a novel Backdoor attack framework for Code Search models, named BadCS. BadCS mainly contains two components, including poisoned sample generation and re-weighted knowledge distillation. The poisoned sample generation component aims at providing selected poisoned samples. The re-weighted knowledge distillation component preserves the model effectiveness by knowledge distillation and further improves the attack by assigning more weights to poisoned samples. Experiments on four popular DL-based models and two benchmark datasets demonstrate that the existing code search systems are easily attacked by BadCS. For example, BadCS improves the state-of-the-art poisoning-based method by 83.03%-99.98% and 75.98%-99.90% on Python and Java datasets, respectively. Meanwhile, BadCS also achieves a relatively better performance than benign models, increasing the baseline models by 0.49% and 0.46% on average, respectively.",
+                  "link": "https://arxiv.org/pdf/2305.05503"
                 },
-                // {
-                //   "id": 4,
-                //   "title": "Understanding LLMs through the Lens of Privacy",
-                //   "authors": "Wang Er, Zhang San, Li Si",
-                //   "imgSrc": "images/class1_papers/paper1.png",
-                //   "description": "This paper discusses the privacy implications of large language models. We analyze the potential risks of data exposure and provide recommendations for enhancing the privacy of LLM applications.",
-                //   "link": "empty.html"
-                // },
-                // {
-                //   "id": 5,
-                //   "title": "The Future of LLMs in Autonomous Systems",
-                //   "authors": "Zhao Liu, Hu Ran, Gao Bai",
-                //   "imgSrc": "images/class1_papers/paper2.png",
-                //   "description": "The integration of LLMs into autonomous systems offers new possibilities for advanced decision-making and natural interaction. This paper examines the current state and future potential of LLMs in this domain.",
-                //   "link": "empty.html"
-                // }
+                {
+                  "id": 5,
+                  "title": "Stealthy Backdoor Attack for Code Models",
+                  "authors": "Authors: Zhou Yang, Bowen Xu, Jie M. Zhang, Hong Jin Kang, Jieke Shi, Junda He, David Lo",
+                  "imgSrc": "images/class2_papers/yangzhou.png",
+                  "description": "Code models, such as CodeBERT and CodeT5, offer general-purpose representations of code and play a vital role in supporting downstream automated software engineering tasks. Most recently, code models were revealed to be vulnerable to backdoor attacks. A code model that is backdoor-attacked can behave normally on clean examples but will produce pre-defined malicious outputs on examples injected with triggers that activate the backdoors. Existing backdoor attacks on code models use unstealthy and easy-to-detect triggers. This paper aims to investigate the vulnerability of code models with stealthy backdoor attacks. To this end, we propose AFRAIDOOR (Adversarial Feature as Adaptive Backdoor). AFRAIDOOR achieves stealthiness by leveraging adversarial perturbations to inject adaptive triggers into different inputs. We evaluate AFRAIDOOR on three widely adopted code models (CodeBERT, PLBART and CodeT5) and two downstream tasks (code summarization and method name prediction). We find that around 85% of adaptive triggers in AFRAIDOOR bypass the detection in the defense process. By contrast, only less than 12% of the triggers from previous work bypass the defense. When the defense method is not applied, both AFRAIDOOR and baselines have almost perfect attack success rates. However, once a defense is applied, the success rates of baselines decrease dramatically to 10.47% and 12.06%, while the success rate of AFRAIDOOR are 77.05% and 92.98% on the two tasks. Our finding exposes security weaknesses in code models under stealthy backdoor attacks and shows that the state-of-the-art defense method cannot provide sufficient protection. We call for more research efforts in understanding security threats to code models and developing more effective countermeasures.",
+                  "link": "https://arxiv.org/pdf/2301.02496"
+                },
+                {
+                  "id": 6,
+                  "title": "Poison Attack and Defense on Deep Source Code Processing Models",
+                  "authors": "Authors: Jia Li, Zhuo Li, Huangzhao Zhang, Ge Li, Zhi Jin, Xing Hu, Xin Xia",
+                  "imgSrc": "images/class2_papers/codepoisoner.png",
+                  "description": "In the software engineering community, deep learning (DL) has recently been applied to many source code processing tasks. Due to the poor interpretability of DL models, their security vulnerabilities require scrutiny. Recently, researchers have identified an emergent security threat, namely poison attack. The attackers aim to inject insidious backdoors into models by poisoning the training data with poison samples. Poisoned models work normally with clean inputs but produce targeted erroneous results with poisoned inputs embedded with triggers. By activating backdoors, attackers can manipulate the poisoned models in security-related scenarios.\n\
+                                  To verify the vulnerability of existing deep source code processing models to the poison attack, we present a poison attack framework for source code named CodePoisoner as a strong imaginary enemy. CodePoisoner can produce compilable even human-imperceptible poison samples and attack models by poisoning the training data with poison samples. To defend against the poison attack, we further propose an effective defense approach named CodeDetector to detect poison samples in the training data. CodeDetector can be applied to many model architectures and effectively defend against multiple poison attack approaches. We apply our CodePoisoner and CodeDetector to three tasks, including defect detection, clone detection, and code repair. The results show that (1) CodePoisoner achieves a high attack success rate (max: 100%) in misleading models to targeted erroneous behaviors. It validates that existing deep source code processing models have a strong vulnerability to the poison attack. (2) CodeDetector effectively defends against multiple poison attack approaches by detecting (max: 100%) poison samples in the training data. We hope this work can help practitioners notice the poison attack and inspire the design of more advanced defense techniques.",
+                  "link": "https://arxiv.org/pdf/2210.17029"
+                },
+                {
+                  "id": 7,
+                  "title": "You See What I Want You to See: Poisoning Vulnerabilities in Neural Code Search",
+                  "authors": "Authors: Yao Wan, Shijie Zhang, Hongyu Zhang, Yulei Sui, Guandong Xu, Dezhong Yao, Hai Jin, Lichao Sun",
+                  "imgSrc": "images/class2_papers/",
+                  "description": "Searching and reusing code snippets from open-source software repositories based on natural-language queries can greatly improve programming productivity.Recently, deep-learning-based approaches have become increasingly popular for code search. Despite substantial progress in training accurate models of code search, the robustness of these models has received little attention so far. \n\
+                                  In this paper, we aim to study and understand the security and robustness of code search models by answering the following question: Can we inject backdoors into deep-learning-based code search models? If so, can we detect poisoned data and remove these backdoors? This work studies and develops a series of backdoor attacks on the deep-learning-based models for code search, through data poisoning. We first show that existing models are vulnerable to data-poisoning-based backdoor attacks. We then introduce a simple yet effective attack on neural code search models by poisoning their corresponding training dataset.\n\
+                                  Moreover, we demonstrate that attacks can also influence the ranking of the code search results by adding a few specially-crafted source code files to the training corpus. We show that this type of backdoor attack is effective for several representative deep-learning-based code search systems, and can successfully manipulate the ranking list of searching results. Taking the bidirectional RNN-based code search system as an example, the normalized ranking of the target candidate can be significantly raised from top 50% to top 4.43%, given a query containing an attacker targeted word, e.g., file. To defend a model against such attack, we empirically examine an existing popular defense strategy and evaluate its performance. Our results show the explored defense strategy is not yet effective in our proposed backdoor attack for code search systems.",
+                  "link": "https://yuleisui.github.io/publications/fse22a.pdf"
+                },
+                {
+                  "id": 8,
+                  "title": "PELICAN: Exploiting Backdoors of Naturally Trained Deep Learning Models In Binary Code Analysis",
+                  "authors": "Authors: Zhuo Zhang, Guanhong Tao, Guangyu Shen, Shengwei An, Qiuling Xu, Yingqi Liu, Yapeng Ye, Yaoxuan Wu, Xiangyu Zhang",
+                  "imgSrc": "images/class2_papers/pelican.png",
+                  "description": "Deep Learning (DL) models are increasingly used in many cyber-security applications and achieve superior performance compared to traditional solutions. In this paper, we study backdoor vulnerabilities in naturally trained models used in binary analysis. These backdoors are not injected by attackers but rather products of defects in datasets and/or training processes. The attacker can exploit these vulnerabilities by injecting some small fixed input pattern (e.g., an instruction) called backdoor trigger to their input (e.g., a binary code snippet for a malware detection DL model) such that misclassification can be induced (e.g., the malware evades the detection). We focus on transformer models used in binary analysis. Given a model, we leverage a trigger inversion technique particularly designed for these models to derive trigger instructions that can induce misclassification. During attack, we utilize a novel trigger injection technique to insert the trigger instruction(s) to the input binary code snippet. The injection makes sure that the code snippets' original program semantics are preserved and the trigger becomes an integral part of such semantics and hence cannot be easily eliminated. We evaluate our prototype PELICAN on 5 binary analysis tasks and 15 models. The results show that PELICAN can effectively induce misclassification on all the evaluated models in both white-box and black-box scenarios. Our case studies demonstrate that PELICAN can exploit the backdoor vulnerabilities of two closed-source commercial tools.",
+                  "link": "https://www.usenix.org/system/files/usenixsecurity23-zhang-zhuo-pelican.pdf"
+                }
           ],
       "totalPages": 5
     }
diff --git a/htmls/css/style.css b/htmls/css/style.css
index 2b9c31e..62e4d96 100644
--- a/htmls/css/style.css
+++ b/htmls/css/style.css
@@ -72,7 +72,8 @@ body {
 .hero_area {
   height: 100vh;
   background-color: #b5caee;
-  background-image: url('../images/grey-background.png');
+  /* background-image: url('../images/grey-background.png'); */
+  background-image: url('../images/hero-bg.jpg');
   background-size: cover;
 }
 
@@ -98,10 +99,11 @@ body {
 .header_section .container-fluid {
   padding-right: 25px;
   padding-left: 25px;
+  background-color: #232323;
 }
 
 .container-fluid .navbar .navbar-brand span {
-  color: #000000;
+  color: #fff;
 }
 
 .header_section .nav_container {
@@ -110,7 +112,7 @@ body {
 
 .custom_nav-container.navbar-expand-lg .navbar-nav .nav-link {
   margin: 10px 30px;
-  color: #000000;
+  color: #fff;
   text-align: center;
   position: relative;
 }
@@ -125,7 +127,15 @@ body {
   width: 7px;
   height: 7px;
   border-radius: 100%;
-  background-color: #000000;
+  background-color: #fff;
+}
+
+.container .team-members a {
+  width: 350px;
+}
+
+.container .team-members a .team-member{
+  height: 250px;
 }
 
 a,
@@ -204,37 +214,51 @@ a:focus {
   -webkit-box-align: center;
       -ms-flex-align: center;
           align-items: center;
-  color: #000000;
+  color: #fff;
 }
 
 .slider_section .detail-box {
-  height: 500px;
-  text-align: center;
+  height: 600px;
+  text-align: left;
   margin-bottom: 110px;
-  color: #000;
+  color: #fff;
   /* filter: blur(3px); */
 }
 
-/* .slider_section ol.custom-list li {
-  background-color: #000000;
-} */
+.slider_section .detail-box .img-box {
+  width: 600px;
+  display: -webkit-box;
+  display: -ms-flexbox;
+  display: flex;
+  -webkit-box-pack: center;
+      -ms-flex-pack: center;
+          justify-content: center;
+  z-index: -1;
+}
+
+.slider_section .detail-box .img-box img {
+  width: 100%;
+}
+
 
 .slider_section .detail-box h1 {
   font-size: 4rem;
   text-transform: uppercase;
-  color: #000;
+  color: #fff;
+  text-align: center;
   /* background-color: rgba(0, 0, 0, 0.7) ; */
 }
 
 .slider_section .detail-box h2 {
   text-transform: uppercase;
-  color: #000;
+  color: #fff;
+  text-align: center;
   /* background-color: rgba(0, 0, 0, 0.7) ; */
 }
 
 .slider_section .detail-box p {
   margin-top: 25px;
-  color: #000;
+  color: #fff;
   font-size: 20px;
   /* background-color: rgba(0, 0, 0, 0.7) ; */
 }
@@ -244,7 +268,7 @@ a:focus {
   padding: 10px 55px;
   background-color: #ffffff;
   border: 1px solid #ffffff;
-  color: #000000;
+  color: #fff;
   border-radius: 20px 20px 0 20px;
   margin-top: 35px;
 }
@@ -262,7 +286,7 @@ a:focus {
   width: 15px;
   height: 15px;
   background-color: transparent;
-  border: 3px solid #ffffff;
+  border: 3px solid #fff;
   border-radius: 100%;
   opacity: 1;
 }
@@ -283,19 +307,20 @@ a:focus {
   -webkit-box-pack: center;
       -ms-flex-pack: center;
           justify-content: center;
-  padding-top: 10px;
+  padding-top: 70px;
 }
 
 .do_section .do_container .box {
-  text-align: center;
+  /* text-align: center; */
   position: relative;
   z-index: 5;
   margin: 35px 25px 0 25px;
+  width: 300px;
 }
 
 .do_section .do_container .box .img-box {
-  width: 120px;
-  height: 120px;
+  width: 150px;
+  height: 150px;
   display: -webkit-box;
   display: -ms-flexbox;
   display: flex;
@@ -314,7 +339,7 @@ a:focus {
 }
 
 .do_section .do_container .box .detail-box {
-  margin-top: 35px;
+  margin-top: 110px;
 }
 
 .do_section .do_container .box:hover .img-box {
@@ -326,7 +351,7 @@ a:focus {
   position: absolute;
   top: -23px;
   left: -17px;
-  width: 262%;
+  width: 162%;
   height: 90%;
   z-index: 3;
   background-size: cover;
diff --git a/htmls/images/adv-blackbox.png b/htmls/images/adv-blackbox.png
index 3a5043d..e902e4e 100644
Binary files a/htmls/images/adv-blackbox.png and b/htmls/images/adv-blackbox.png differ
diff --git a/htmls/images/adv-whitebox.png b/htmls/images/adv-whitebox.png
index 0a7c6eb..9ca26b9 100644
Binary files a/htmls/images/adv-whitebox.png and b/htmls/images/adv-whitebox.png differ
diff --git a/htmls/images/adv-workflow.png b/htmls/images/adv-workflow.png
new file mode 100644
index 0000000..b5706e9
Binary files /dev/null and b/htmls/images/adv-workflow.png differ
diff --git a/htmls/images/backdoor-data-poisoning.png b/htmls/images/backdoor-data-poisoning.png
new file mode 100644
index 0000000..bd7f9c2
Binary files /dev/null and b/htmls/images/backdoor-data-poisoning.png differ
diff --git a/htmls/images/backdoor-model-poisoning.png b/htmls/images/backdoor-model-poisoning.png
new file mode 100644
index 0000000..75fecf4
Binary files /dev/null and b/htmls/images/backdoor-model-poisoning.png differ
diff --git a/htmls/images/class1_papers/accent.png b/htmls/images/class1_papers/accent.png
new file mode 100644
index 0000000..3d65887
Binary files /dev/null and b/htmls/images/class1_papers/accent.png differ
diff --git a/htmls/images/class1_papers/advulcode.png b/htmls/images/class1_papers/advulcode.png
new file mode 100644
index 0000000..b8e6ce6
Binary files /dev/null and b/htmls/images/class1_papers/advulcode.png differ
diff --git a/htmls/images/class1_papers/codeattack.png b/htmls/images/class1_papers/codeattack.png
new file mode 100644
index 0000000..b41cb43
Binary files /dev/null and b/htmls/images/class1_papers/codeattack.png differ
diff --git a/htmls/images/class2_papers/badcode.png b/htmls/images/class2_papers/badcode.png
new file mode 100644
index 0000000..895a815
Binary files /dev/null and b/htmls/images/class2_papers/badcode.png differ
diff --git a/htmls/images/class2_papers/badcs.png b/htmls/images/class2_papers/badcs.png
new file mode 100644
index 0000000..56ba031
Binary files /dev/null and b/htmls/images/class2_papers/badcs.png differ
diff --git a/htmls/images/class2_papers/codecompletion.png b/htmls/images/class2_papers/codecompletion.png
new file mode 100644
index 0000000..f85abf5
Binary files /dev/null and b/htmls/images/class2_papers/codecompletion.png differ
diff --git a/htmls/images/class2_papers/codepoisoner.png b/htmls/images/class2_papers/codepoisoner.png
new file mode 100644
index 0000000..bd9a427
Binary files /dev/null and b/htmls/images/class2_papers/codepoisoner.png differ
diff --git a/htmls/images/class2_papers/malware.png b/htmls/images/class2_papers/malware.png
new file mode 100644
index 0000000..2ceee8d
Binary files /dev/null and b/htmls/images/class2_papers/malware.png differ
diff --git a/htmls/images/class2_papers/pelican.png b/htmls/images/class2_papers/pelican.png
new file mode 100644
index 0000000..b8ce5f5
Binary files /dev/null and b/htmls/images/class2_papers/pelican.png differ
diff --git a/htmls/images/class2_papers/yangzhou.png b/htmls/images/class2_papers/yangzhou.png
new file mode 100644
index 0000000..788f9eb
Binary files /dev/null and b/htmls/images/class2_papers/yangzhou.png differ
diff --git a/htmls/images/group_members/CH.jpg b/htmls/images/group_members/CH.jpg
new file mode 100644
index 0000000..1a275d5
Binary files /dev/null and b/htmls/images/group_members/CH.jpg differ
diff --git a/htmls/images/group_members/CZY.png b/htmls/images/group_members/CZY.png
new file mode 100644
index 0000000..7d6df4a
Binary files /dev/null and b/htmls/images/group_members/CZY.png differ
diff --git a/htmls/images/group_members/FCR.png b/htmls/images/group_members/FCR.png
new file mode 100644
index 0000000..04a1a63
Binary files /dev/null and b/htmls/images/group_members/FCR.png differ
diff --git a/htmls/images/group_members/HYR.jpg b/htmls/images/group_members/HYR.jpg
new file mode 100644
index 0000000..c22547c
Binary files /dev/null and b/htmls/images/group_members/HYR.jpg differ
diff --git a/htmls/images/group_members/LJX.jpg b/htmls/images/group_members/LJX.jpg
new file mode 100644
index 0000000..ad2f81c
Binary files /dev/null and b/htmls/images/group_members/LJX.jpg differ
diff --git a/htmls/images/group_members/LY.png b/htmls/images/group_members/LY.png
new file mode 100644
index 0000000..a1dd971
Binary files /dev/null and b/htmls/images/group_members/LY.png differ
diff --git a/htmls/images/group_members/LYM.png b/htmls/images/group_members/LYM.png
new file mode 100644
index 0000000..0ad096f
Binary files /dev/null and b/htmls/images/group_members/LYM.png differ
diff --git a/htmls/images/group_members/SWS.png b/htmls/images/group_members/SWS.png
new file mode 100644
index 0000000..3467389
Binary files /dev/null and b/htmls/images/group_members/SWS.png differ
diff --git a/htmls/images/group_members/TGH.png b/htmls/images/group_members/TGH.png
new file mode 100644
index 0000000..35c207e
Binary files /dev/null and b/htmls/images/group_members/TGH.png differ
diff --git a/htmls/images/group_members/YMZ.jpg b/htmls/images/group_members/YMZ.jpg
new file mode 100644
index 0000000..3b0171c
Binary files /dev/null and b/htmls/images/group_members/YMZ.jpg differ
diff --git a/htmls/images/group_members/ZXF.png b/htmls/images/group_members/ZXF.png
new file mode 100644
index 0000000..c73094e
Binary files /dev/null and b/htmls/images/group_members/ZXF.png differ
diff --git a/htmls/images/group_members/ZXY.png b/htmls/images/group_members/ZXY.png
new file mode 100644
index 0000000..b5f201d
Binary files /dev/null and b/htmls/images/group_members/ZXY.png differ
diff --git a/htmls/member.html b/htmls/member.html
index 96efefb..7d8d9d0 100644
--- a/htmls/member.html
+++ b/htmls/member.html
@@ -93,66 +93,34 @@
 </head>
 
 <body>
-  <div class="hero_area">
+  <!-- <div class="hero_area"> -->
     <!-- header section strats -->
-    <header class="header_section">
-      <div class="container-fluid">
-        <nav class="navbar navbar-expand-lg custom_nav-container pt-3">
-          <a class="navbar-brand" href="../index.html">
-            <span>
-              Our Group
-            </span>
-          </a>
-          <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
-            <span class="navbar-toggler-icon"></span>
-          </button>
-
-          <div class="collapse navbar-collapse" id="navbarSupportedContent">
-            <div class="d-flex ml-auto flex-column flex-lg-row align-items-center">
-              <ul class="navbar-nav  ">
-                <li class="nav-item active">
-                  <a class="nav-link" href="../index.html">Home <span class="sr-only">(current)</span></a>
-                </li>
-
-              </ul>
-
-            </div>
-          </div>
-        </nav>
-      </div>
-    </header>
-
-    <section class=" slider_section position-relative">
-      <div class="container">
-        <div id="carouselExampleIndicators" class="carousel slide" data-ride="carousel">
-          <!-- <ol class="carousel-indicators">
-            <li data-target="#carouselExampleIndicators" data-slide-to="0" class="active"></li>
-          </ol> -->
-          <div class="carousel-inner">
-            <div class="carousel-item active">
-              <div class="row">
-                <div class="col">
-                  <div class="detail-box">
-                    <div>
-                      <h2>
-                        welcome to
-                      </h2>
-                      <h1>
-                        Our Group
-                      </h1>
-                      <p>
-                        Some introduction of our group 
-                      </p>
-                    </div>
-                  </div>
-                </div>
-              </div>
-            </div>
+  <header class="header_section">
+    <div class="container-fluid">
+      <nav class="navbar navbar-expand-lg custom_nav-container pt-3">
+        <a class="navbar-brand" href="../index.html">
+          <span>
+            Our Group
+          </span>
+        </a>
+        <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
+          <span class="navbar-toggler-icon"></span>
+        </button>
+
+        <div class="collapse navbar-collapse" id="navbarSupportedContent">
+          <div class="d-flex ml-auto flex-column flex-lg-row align-items-center">
+            <ul class="navbar-nav  ">
+              <li class="nav-item active">
+                <a class="nav-link" href="../index.html">Home <span class="sr-only">(current)</span></a>
+              </li>
+
+            </ul>
+
           </div>
         </div>
-
-      </div>
-    </section>
+      </nav>
+    </div>
+    <!-- </header> -->
     <!-- end slider section -->
   </div>
 
@@ -166,55 +134,35 @@ <h3>Research Staff</h3>
 
     </div>
     <div class="team-members">
+      <a href="https://wssun.github.io/">
         <div class="team-member">
-            <img src="images/c-1.png" alt="博士生1">
+            <img src="images/group_members/SWS.png" alt="研究者1">
             <h4>Weisong Sun</h4>
             <p>
-                （2022-）<br>
-                Co-Supervised </p>
+              Nanyang Technological University (NTU)
+            </p>
         </div>
+      </a>
+      <a href="https://chunrong.github.io/">
         <div class="team-member">
-            <img src="images/c-1.png" alt="博士生2">
+            <img src="images/group_members/FCR.png" alt="研究者2">
             <h4>Chunrong Fang</h4>
             <p>
-                （2020-） <br>
-                Machine Learning
+              Nanjing University
             </p>
         </div>
+      </a>
+      <a href="https://software.nju.edu.cn/zychen/#:~:text=%E9%99%88%E6%8C%AF%E5%AE%87%20%E6%95%99%E6%8E%88.%20%E8%BD%AF%E4%BB%B6">
         <div class="team-member">
-            <img src="images/c-1.png" alt="博士生3">
+            <img src="images/group_members/CZY.png" alt="研究者3">
             <h4>Zhenyu Chen</h4>
             <p>
-                （2020-） <br>
-                Machine Learning
+                Nanjing University
             </p>
         </div>
+      </a>
         <!-- Add more team members as needed -->
     </div>
-    <!-- <div class="math"> -->
-        <!-- $$\text{PhD Students}$$ -->
-        <!-- <h3>PhD Students</h3> -->
-
-    <!-- </div> -->
-    <!-- <div class="team-members">
-        <div class="team-member">
-            <img src="images/c-1.png" alt="博士生1">
-            <h4>Zhangqia Bi</h4>
-            <p>
-                （2022-）<br>
-                Co-Supervised </p>
-        </div>
-        <div class="team-member">
-            <img src="images/c-1.png" alt="博士生2">
-            <h4>Hua Chen</h4>
-            <p>
-                （2020-） <br>
-                Machine Learning
-            </p>
-        </div>
-    </div> -->
-
-    <!-- <h2>PhD Students</h2> -->
     <div class="math">
         <!-- $$\text{PhD Students}$$ -->
         <h3>PhD Students</h3>
@@ -225,25 +173,23 @@ <h3>PhD Students</h3>
             <img src="images/c-1.png" alt="博士生1">
             <h4>Yuchen Chen</h4>
             <p>
-                （2022-）<br>
-                Co-Supervised </p>
+              Nanjing University
+            </p>
         </div>
         <div class="team-member">
             <img src="images/c-1.png" alt="博士生2">
             <h4>Yifei Ge</h4>
             <p>
-                （2020-） <br>
-                Machine Learning
+              Nanjing University
             </p>
         </div>
         <div class="team-member">
-          <img src="images/c-1.png" alt="博士生2">
-          <h4>Tingxu Han</h4>
-          <p>
-              （2020-） <br>
-              Machine Learning
-          </p>
-      </div>
+            <img src="images/c-1.png" alt="博士生3">
+            <h4>Tingxu Han</h4>
+            <p>
+                Nanjing University
+            </p>
+        </div>
         <!-- Add more team members as needed -->
     </div>
 
@@ -253,96 +199,129 @@ <h3>Master Students</h3>
     </div>
     <div class="team-members">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生1">
-            <h4>Yun Miao</h4>
+            <img src="images/group_members/YMZ.jpg" alt="硕士生1">
+            <h4>Mengzhe Yuan</h4>
+            <p>
+              Nanjing University
+            </p>
+        </div>
+
+        <div class="team-member">
+            <img src="images/group_members/CH.jpg" alt="硕士生2">
+            <h4>Hong Chen</h4>
             <p>
-                （2023-） <br>
-                Deep Learning
+              Nanjing University
             </p>
         </div>
+
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生2">
-            <h4>Mengzhe Yuan</h4>
+            <img src="images/group_members/LJX.jpg" alt="硕士生3">
+            <h4>Jiaxun Li</h4>
             <p>
-                （2024-） <br>
-                Machine Learning
+              Nanjing University
             </p>
         </div>
+
+        
         <div class="team-member">
-          <img src="images/c-1.png" alt="硕士生2">
-          <h4>Hong Chen</h4>
+          <img src="images/group_members/HYR.jpg" alt="硕士生3">
+          <h4>Yanrong Hu</h4>
           <p>
-              （2024-） <br>
-              Machine Learning
+            Nanjing University
           </p>
-       </div>
-       <div class="team-member">
-        <img src="images/c-1.png" alt="硕士生2">
-        <h4>Tao Zhu</h4>
-        <p>
-            （2024-） <br>
-            Machine Learning
-        </p>
       </div>
         <!-- Add more team members as needed -->
     </div>
 
     <div class="math">
         <!-- $$\text{Master Students}$$ -->
-        <h3>Undergraduate Students(Interns) </h3>
+        <h3>Collaborators</h3>
     </div>
+    
     <div class="team-members">
+
+      <a href="https://tao.aisec.world/#:~:text=Guanhong%20Tao.%20I%20am%20an%20Assistant">
+        <div class="team-member">
+            <img src="images/group_members/TGH.png" alt="合作者1">
+            <h4>Guanhong Tao</h4>
+            <p>
+                Assistant Professor in Kahlert School of Computing at the University of Utah
+            </p>
+        </div>
+      </a>
+
+      <a href="https://www.cs.purdue.edu/homes/xyzhang/">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生1">
-            <h4>Wang Yao</h4>
+            <img src="images/group_members/ZXY.png" alt="合作者2">
+            <h4>Xiangyu Zhang</h4>
             <p>
-                （2023-） <br>
-                Deep Learning
+              Samuel Conte Professor of Computer Science in Purdue University
             </p>
         </div>
+      </a>
+
+      <a href="https://nlp.csai.tsinghua.edu.cn/~ly/">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生2">
-            <h4>Han Li</h4>
+            <img src="images/group_members/LY.png" alt="合作者3">
+            <h4>Yang Liu</h4>
             <p>
-                （2024-） <br>
-                Machine Learning
+              GDS Professor in
+              Tsinghua University
             </p>
         </div>
-        <!-- <ul> Dongping Chen(2023-,HUST,NAACL'24, ICML'24) </ul>
-        <ul> Siyuan Wu(2023,HUST,ICLR'24,EACL'24) </ul>
-        <ul> Batu Guan(2022-,HUST,EMNLP'24) </ul> -->
-        <!-- Add more team members as needed -->
-    </div>
+      </a>
 
-    <div class="math">
-        <!-- $$\text{Master Students}$$ -->
-        <h3>Collaborators(Unranked and sorted alphabetically.)</h3>
-    </div>
-    <div class="team-members">
+      <a href="https://web.suda.edu.cn/xfzhang/#:~:text=%E4%B8%AA%E4%BA%BA%E7%AE%80%E4%BB%8B.%20%E7%AB%A0%E6%99%93%E8%8A%B3%EF%BC%8C">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生1">
-            <h4>Guanhong Tao</h4>
+            <img src="images/group_members/ZXF.png" alt="合作者4">
+            <h4>Xiaofang Zhang</h4>
             <p>
-                （2023-） <br>
-                Deep Learning
+              Professor in SooChow University
             </p>
         </div>
+      </a>
+
+      <a href="https://loop.frontiersin.org/people/2573447/overview#:~:text=Loop%20is%20the%20open%20research%20network%20that">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生2">
-            <h4>Xiangyu Zhang</h4>
+            <img src="images/c-1.png" alt="合作者"5>
+            <h4>Yonglong Zhang</h4>
             <p>
-                （2024-） <br>
-                Machine Learning
+              Assistant Professor in YangZhou University
             </p>
         </div>
+      </a>
+
+      <a href="https://liyiming.tech/">
         <div class="team-member">
-            <img src="images/c-1.png" alt="硕士生2">
-            <h4>Yang Liu</h4>
+            <img src="images/group_members/LYM.png" alt="合作者6">
+            <h4>Yiming Li</h4>
             <p>
-                （2024-） <br>
-                Machine Learning
+              Research Fellow at Nanyang Technological University
             </p>
         </div>
+      </a>
+
+      <a href="">
+        <div class="team-member">
+            <img src="images/c-1.png" alt="合作者7">
+            <h4>Shiqing Ma</h4>
+            <p>
+              Assistant Professor in 
+              University of Massachusetts, Amherst
+            </p>
+        </div>
+      </a>
+
+      <a href="https://zhentingwang.github.io/#:~:text=I%20am%20a%20research%20scientist%20intern%20at%20Meta">
+        <div class="team-member">
+            <img src="images/c-1.png" alt="合作者8">
+            <h4>Zhenting Wang</h4>
+            <p>
+              PhD student in Computer Science Department at Rutgers University
+            </p>
+        </div>
+      </a>
+
         <!-- <ul> Dongping Chen(2023-,HUST,NAACL'24, ICML'24) </ul>
         <ul> Siyuan Wu(2023,HUST,ICLR'24,EACL'24) </ul>
         <ul> Batu Guan(2022-,HUST,EMNLP'24) </ul> -->
@@ -353,127 +332,6 @@ <h4>Yang Liu</h4>
 
 </div>
 
-  <section class="info_section ">
-    <div class="container">
-      <div class="row">
-        <div class="col-md-3">
-          <div class="info_contact">
-            <h5>
-              About Shop
-            </h5>
-            <div>
-              <div class="img-box">
-                <img src="images/location-white.png" width="18px" alt="">
-              </div>
-              <p>
-                Address
-              </p>
-            </div>
-            <div>
-              <div class="img-box">
-                <img src="images/telephone-white.png" width="12px" alt="">
-              </div>
-              <p>
-                +01 1234567890
-              </p>
-            </div>
-            <div>
-              <div class="img-box">
-                <img src="images/envelope-white.png" width="18px" alt="">
-              </div>
-              <p>
-                demo@gmail.com
-              </p>
-            </div>
-          </div>
-        </div>
-        <div class="col-md-3">
-          <div class="info_info">
-            <h5>
-              Informations
-            </h5>
-            <p>
-              ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt
-            </p>
-          </div>
-        </div>
-
-        <div class="col-md-3">
-          <div class="info_insta">
-            <h5>
-              Instagram
-            </h5>
-            <div class="insta_container">
-              <div>
-                <a href="">
-                  <div class="insta-box b-1">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-                <a href="">
-                  <div class="insta-box b-2">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-              </div>
-
-              <div>
-                <a href="">
-                  <div class="insta-box b-3">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-                <a href="">
-                  <div class="insta-box b-4">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-              </div>
-              <div>
-                <a href="">
-                  <div class="insta-box b-3">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-                <a href="">
-                  <div class="insta-box b-4">
-                    <img src="images/insta.png" alt="">
-                  </div>
-                </a>
-              </div>
-            </div>
-          </div>
-        </div>
-        <div class="col-md-3">
-          <div class="info_form ">
-            <h5>
-              Newsletter
-            </h5>
-            <form action="">
-              <input type="email" placeholder="Enter your email">
-              <button>
-                Subscribe
-              </button>
-            </form>
-            <div class="social_box">
-              <a href="">
-                <img src="images/fb.png" alt="">
-              </a>
-              <a href="">
-                <img src="images/twitter.png" alt="">
-              </a>
-              <a href="">
-                <img src="images/linkedin.png" alt="">
-              </a>
-              <a href="">
-                <img src="images/youtube.png" alt="">
-              </a>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  </section>
 
   <!-- footer section -->
   <section class="container-fluid footer_section">