About

Dr. Danjue Chen is an Associate Professor in the Department of Civil, Construction, and Environmental Engineering at NC State University. She holds a Ph.D. in Civil Engineering from Georgia Institute of Technology, obtained in 2012, and a B.S. in Environmental Science from Peking University, earned in 2007. Prior to her current position, she was an associate professor at the University of Massachusetts Lowell. Her postdoctoral work included positions at the University of Wisconsin – Madison and California PATH at the University of California, Berkeley. Dr. Chen's research focuses on traffic flow and autonomous vehicles, with interests including traffic flow modeling and control, modeling and control of connected automated vehicles (CAVs), human-automation interaction involving CAVs, and smart cities. Her work aims to better understand the fundamental nature of traffic flow, especially with emerging vehicle technologies such as connected and autonomous vehicles, and to explore the human-cyber-physical systems of smart vehicles involving sensing, computation, communication, and control. Her research endeavors to understand the complex interactions between humans and machines in the context of smart vehicles and to leverage vehicular technologies to enable safe, efficient, and environmentally friendly transportation. Her research has been sponsored by NSF, USDOT, and state DOTs, and she has received the NSF CAREER award.

Research topics

• Computer Science
• Simulation
• Engineering
• Data Mining
• Artificial Intelligence
• Physics
• Geometry
• Mechanics
• Statistical physics
• Transport engineering
• Statistics
• Mathematics
• Geology
• Automotive engineering

Selected publications

• Introducing the transitional autonomous vehicle lane-changing dataset: Empirical Experiments

  ArXiv.org · 2026-03-05

  articleOpen accessSenior author

  Transitional autonomous vehicles (tAVs), which operate beyond SAE Level 1-2 automation but short of full autonomy, are increasingly sharing the road with human-driven vehicles (HDVs). As these systems interact during complex maneuvers such as lane changes, new patterns may emerge with implications for traffic stability and safety. Assessing these dynamics, particularly during mandatory lane changes, requires high-resolution trajectory data, yet datasets capturing tAV lane-changing behavior are scarce. This study introduces the North Carolina Transitional Autonomous Vehicle Lane-Changing (NC-tALC) Dataset, a high-fidelity trajectory dataset designed to characterize tAV interactions during lane-changing maneuvers. The dataset includes two controlled experimental series. In the first, tAV lane-changing experiments, a tAV executes lane changes in the presence of adaptive cruise control (ACC) equipped target vehicles, enabling analysis of lane-changing execution. In the second, tAV responding experiments, two tAVs act as followers and respond to cut-in maneuvers initiated by another tAV, enabling analysis of follower response dynamics. The dataset contains 152 trials (72 lane-changing and 80 responding trials) sampled at 20 Hz with centimeter-level RTK-GPS accuracy. The NC-tALC dataset provides a rigorous empirical foundation for evaluating tAV decision-making and interaction dynamics in controlled mandatory lane-changing scenarios.

  PublisherOA PDF

• Introducing the transitional autonomous vehicle lane-changing dataset: Empirical Experiments

  Open MIND · 2026-03-05

  preprintSenior author

  Transitional autonomous vehicles (tAVs), which operate beyond SAE Level 1-2 automation but short of full autonomy, are increasingly sharing the road with human-driven vehicles (HDVs). As these systems interact during complex maneuvers such as lane changes, new patterns may emerge with implications for traffic stability and safety. Assessing these dynamics, particularly during mandatory lane changes, requires high-resolution trajectory data, yet datasets capturing tAV lane-changing behavior are scarce. This study introduces the North Carolina Transitional Autonomous Vehicle Lane-Changing (NC-tALC) Dataset, a high-fidelity trajectory dataset designed to characterize tAV interactions during lane-changing maneuvers. The dataset includes two controlled experimental series. In the first, tAV lane-changing experiments, a tAV executes lane changes in the presence of adaptive cruise control (ACC) equipped target vehicles, enabling analysis of lane-changing execution. In the second, tAV responding experiments, two tAVs act as followers and respond to cut-in maneuvers initiated by another tAV, enabling analysis of follower response dynamics. The dataset contains 152 trials (72 lane-changing and 80 responding trials) sampled at 20 Hz with centimeter-level RTK-GPS accuracy. The NC-tALC dataset provides a rigorous empirical foundation for evaluating tAV decision-making and interaction dynamics in controlled mandatory lane-changing scenarios.

  DOI

• ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying

  arXiv (Cornell University) · 2026-04-10

  preprintOpen access

  Large Language Model (LLM) agents have achieved rapid adoption and demonstrated remarkable capabilities across a wide range of applications. To improve reasoning and task execution, modern LLM agents would incorporate memory modules or retrieval-augmented generation (RAG) mechanisms, enabling them to further leverage prior interactions or external knowledge. However, such a design also introduces a group of critical privacy vulnerabilities: sensitive information stored in memory can be leaked through query-based attacks. Although feasible, existing attacks often achieve only limited performance, with low attack success rates (ASR). In this paper, we propose ADAM, a novel privacy attack that features data distribution estimation of a victim agent's memory and employs an entropy-guided query strategy for maximizing privacy leakage. Extensive experiments demonstrate that our attack substantially outperforms state-of-the-art ones, achieving up to 100% ASRs. These results thus underscore the urgent need for robust privacy-preserving methods for current LLM agents.

  PublisherDOI

• ALDEN: Boosting Private Data Extraction from Retrieval-Augmented Generation Systems via Active Learning and Distribution Estimation

  arXiv (Cornell University) · 2026-04-10

  preprintOpen access

  Retrieval-Augmented Generation (RAG) is widely used to augment large language models with external knowledge retrieval to improve reliability and generalization. However, recent studies have shown that RAG systems remain vulnerable to data extraction attacks, where adversaries can extract private data by embedding malicious commands into user queries. Despite their feasibility, existing attacks typically suffer from low data extraction rates and limited practical effectiveness. Here, we propose ALDEN, a novel attack that effectively and efficiently extracts private data from RAGs. First, we employ active learning to diversify malicious queries and improve data extraction rates. Second, we observe that the data distribution of the underlying knowledge base provides valuable guidance for query generation and introduce a decay-based dynamic algorithm to estimate the corresponding topic distribution. By combining them together, we demonstrate that ALDEN substantially outperforms state-of-the-art methods through comprehensive evaluations.

  PublisherDOI

• ADAM: A Systematic Data Extraction Attack on Agent Memory via Adaptive Querying

  ArXiv.org · 2026-04-10

  articleOpen access

  Large Language Model (LLM) agents have achieved rapid adoption and demonstrated remarkable capabilities across a wide range of applications. To improve reasoning and task execution, modern LLM agents would incorporate memory modules or retrieval-augmented generation (RAG) mechanisms, enabling them to further leverage prior interactions or external knowledge. However, such a design also introduces a group of critical privacy vulnerabilities: sensitive information stored in memory can be leaked through query-based attacks. Although feasible, existing attacks often achieve only limited performance, with low attack success rates (ASR). In this paper, we propose ADAM, a novel privacy attack that features data distribution estimation of a victim agent's memory and employs an entropy-guided query strategy for maximizing privacy leakage. Extensive experiments demonstrate that our attack substantially outperforms state-of-the-art ones, achieving up to 100% ASRs. These results thus underscore the urgent need for robust privacy-preserving methods for current LLM agents.

  PublisherOA PDF

• ALDEN: Boosting Private Data Extraction from Retrieval-Augmented Generation Systems via Active Learning and Distribution Estimation

  ArXiv.org · 2026-04-10

  articleOpen access

  Retrieval-Augmented Generation (RAG) is widely used to augment large language models with external knowledge retrieval to improve reliability and generalization. However, recent studies have shown that RAG systems remain vulnerable to data extraction attacks, where adversaries can extract private data by embedding malicious commands into user queries. Despite their feasibility, existing attacks typically suffer from low data extraction rates and limited practical effectiveness. Here, we propose ALDEN, a novel attack that effectively and efficiently extracts private data from RAGs. First, we employ active learning to diversify malicious queries and improve data extraction rates. Second, we observe that the data distribution of the underlying knowledge base provides valuable guidance for query generation and introduce a decay-based dynamic algorithm to estimate the corresponding topic distribution. By combining them together, we demonstrate that ALDEN substantially outperforms state-of-the-art methods through comprehensive evaluations.

  PublisherOA PDF

• Beyond Uniformity: Robust Backdoor Attacks on Deep Neural Networks with Trigger Selection

  Lecture notes in computer science · 2025-01-01 · 1 citations

  book-chapter
  PublisherDOI

• Buffer is All You Need: Defending Federated Learning against Backdoor Attacks under Non-iids via Buffering

  ArXiv.org · 2025-03-30

  preprintOpen access

  Federated Learning (FL) is a popular paradigm enabling clients to jointly train a global model without sharing raw data. However, FL is known to be vulnerable towards backdoor attacks due to its distributed nature. As participants, attackers can upload model updates that effectively compromise FL. What's worse, existing defenses are mostly designed under independent-and-identically-distributed (iid) settings, hence neglecting the fundamental non-iid characteristic of FL. Here we propose FLBuff for tackling backdoor attacks even under non-iids. The main challenge for such defenses is that non-iids bring benign and malicious updates closer, hence harder to separate. FLBuff is inspired by our insight that non-iids can be modeled as omni-directional expansion in representation space while backdoor attacks as uni-directional. This leads to the key design of FLBuff, i.e., a supervised-contrastive-learning model extracting penultimate-layer representations to create a large in-between buffer layer. Comprehensive evaluations demonstrate that FLBuff consistently outperforms state-of-the-art defenses.

  PublisherOA PDFDOI

• Buffer is All You Need: Defending Federated Learning against Backdoor Attacks under Non-iids via Buffering

  2025-11-14

  article

  Federated Learning (FL) is a popular paradigm enabling clients to jointly train a global model without sharing raw data. However, FL is known to be vulnerable towards backdoor attacks due to its distributed nature. As participants, attackers can upload model updates that effectively compromise FL. More critically, existing defenses are mostly designed under independent-and-identically-distributed (iid) settings, hence neglecting the fundamental non-iid characteristic of FL. Here we propose FLBuff for tackling backdoor attacks even under non-iids. The main challenge for such defenses is that non-iids shorten the distance between benign and malicious updates, rendering them harder to separate. FLBuff is inspired by our insight that non-iids can be modeled as omni-directional expansion in representation space while backdoor attacks as uni-directional. This leads to the key design of FLBuff, i.e., a supervised-contrastive-learning model extracting penultimate-layer representations to create a large in-between buffer layer. Comprehensive evaluations demonstrate that FLBuff consistently outperforms state-of-the-art defenses. Code is at https://github.com/xingyushu/FLBuff.

  PublisherDOI

• Two Heads Are Better than One: Model-Weight and Latent-Space Analysis for Federated Learning on Non-iid Data against Poisoning Attacks

  ArXiv.org · 2025-03-30

  preprintOpen access

  Federated Learning is a popular paradigm that enables remote clients to jointly train a global model without sharing their raw data. However, FL has been shown to be vulnerable towards model poisoning attacks due to its distributed nature. Particularly, attackers acting as participants can upload arbitrary model updates that effectively compromise the global model of FL. While extensive research has been focusing on fighting against these attacks, we find that most of them assume data at remote clients are under iid while in practice they are inevitably non-iid. Our benchmark evaluations reveal that existing defenses generally fail to live up to their reputation when applied to various non-iid scenarios. In this paper, we propose a novel approach, GeminiGuard, that aims to address such a significant gap. We design GeminiGuard to be lightweight, versatile, and unsupervised so that it aligns well with the practical requirements of deploying such defenses. The key challenge from non-iids is that they make benign model updates look more similar to malicious ones. GeminiGuard is mainly built on two fundamental observations: (1) existing defenses based on either model-weight analysis or latent-space analysis face limitations in covering different MPAs and non-iid scenarios, and (2) model-weight and latent-space analysis are sufficiently different yet potentially complementary methods as MPA defenses. We hence incorporate a novel model-weight analysis component as well as a custom latent-space analysis component in GeminiGuard, aiming to further enhance its defense performance. We conduct extensive experiments to evaluate our defense across various settings, demonstrating its effectiveness in countering multiple types of untargeted and targeted MPAs, including adaptive ones. Our comprehensive evaluations show that GeminiGuard consistently outperforms SOTA defenses under various settings.

  PublisherOA PDFDOI

Recent grants

• Collaborative Research: Understanding the Impacts of Automated Vehicles on Traffic Flow Using Empirical Data

  NSF · $182k · 2019–2023

• Collaborative Research: Mixed Traffic Dynamics Under Disturbances: Impact of Multi-Class Connected and Automated Vehicles

  NSF · $100k · 2019–2022

• CAREER: Conflicting Traffic Streams with Mixed Traffic: Modeling and Control

  NSF · $500k · 2020–2023

Frequent coauthors

• Soyoung Ahn

  University of Wisconsin–Madison

  35 shared

• Jorge Laval

  Georgia Institute of Technology

  26 shared

• Tienan Li

  17 shared

• Zuduo Zheng

  University of Queensland

  14 shared

• Yuanchang Xie

  University of Massachusetts Lowell

  9 shared

• Hao Zhou

  First Affiliated Hospital of Wenzhou Medical University

  8 shared

• David A. Noyce

  7 shared

• Srinivas Peeta

  Georgia Institute of Technology

  6 shared

Education

• Ph.D., Environmental Engineering

  University of California, Los Angeles

  2009

• M.S., Environmental Engineering

  University of California, Los Angeles

  2006

• B.S., Environmental Engineering

  University of California, Los Angeles

  2004

Awards & honors

• NSF CAREER award
• Transportation Research Board Greenshields Prize
• Transportation Research Board Cunard Award- Best First Young…