
Z. Berkay Celik
Purdue University · Computer Science
Active 2011–2026
About
Zeynel B. Celik is an Associate Professor of Computer Science at Purdue University, who joined the department in Fall 2019. His research areas include Information Security and Assurance, Networking and Operating Systems, and Artificial Intelligence, Machine Learning, and Natural Language Processing. Dr. Celik holds a Ph.D. in Computer Science and Engineering from Pennsylvania State University, obtained in 2019. He is involved in advancing knowledge and technology in his fields through his academic and research activities.
Research topics
- Computer Science
- Computer Security
- Artificial Intelligence
- Data Mining
- Machine Learning
- World Wide Web
- Computer network
- Data science
- Operating system
- Human–computer interaction
- Medicine
Selected publications
CP-FREEZER: Latency Attacks Against Vehicular Cooperative Perception
Open MIND · 2026-01-07
other · Open access
Cooperative perception (CP) enhances situational awareness of connected and autonomous vehicles by exchanging and combining messages from multiple agents. While prior work has explored adversarial integrity attacks that degrade detection accuracy, little is known about CP's robustness against attacks on timeliness (or availability), a safety-critical requirement for autonomous driving. In this paper, we present CP-FREEZER, the first latency attack that maximizes the computation delay of CP algorithms by injecting adversarial perturbation via V2V messages. Our attack resolves several unique challenges, including the non-differentiability of point cloud preprocessing, asynchronous knowledge of the victim’s input due to transmission delays, and uses a novel loss function that effectively maximizes the execution time of the CP pipeline. Extensive experiments show that CP-FREEZER increases end-to-end CP latency by over 90×, pushing per-frame processing time beyond 3 seconds with a 100% success rate on our real-world vehicle testbed. Our findings reveal a critical threat to the availability of CP systems, highlighting the urgent need for robust defenses.
CP-FREEZER: Latency Attacks Against Vehicular Cooperative Perception
Proceedings of the AAAI Conference on Artificial Intelligence · 2026-03-14
article · Open access
Cooperative perception (CP) enhances situational awareness of connected and autonomous vehicles by exchanging and combining messages from multiple agents. While prior work has explored adversarial integrity attacks that degrade detection accuracy, little is known about CP's robustness against attacks on timeliness (or availability), a safety-critical requirement for autonomous driving. In this paper, we present CP-FREEZER, the first latency attack that maximizes the computation delay of CP algorithms by injecting adversarial perturbation via V2V messages. Our attack resolves several unique challenges, including the non-differentiability of point cloud preprocessing, asynchronous knowledge of the victim’s input due to transmission delays, and uses a novel loss function that effectively maximizes the execution time of the CP pipeline. Extensive experiments show that CP-FREEZER increases end-to-end CP latency by over 90×, pushing per-frame processing time beyond 3 seconds with a 100% success rate on our real-world vehicle testbed. Our findings reveal a critical threat to the availability of CP systems, highlighting the urgent need for robust defenses.
IEEE Security & Privacy · 2025-03-27 · 2 citations
article · Senior author
E-commerce websites are targets of abusive individuals, though it is difficult to understand the methods and tools these individuals employ. We introduce a methodology and case study that leverage online communities as data sources to identify and analyze harmful activities.
Spatiotemporal Consistency: A Universal Defense Against Attacks on Autonomous Systems
IEEE Security & Privacy · 2025-11-01
article · Senior author
This article examines spatiotemporal consistency-based defenses, showcasing detectable spatiotemporal and contextual anomalies. We explore the real-world applications, current limitations, and future research directions of these spatiotemporal consistency-based defenses, emphasizing their transformative potential for securing autonomous systems across diverse domains.
Demo: UI Based Attacks in WebXR
2025-06-23
article · Open access · Senior author
The WebXR API enables immersive AR/VR experiences directly through web browsers on head-mounted displays (HMDs). However, prior research shows that security-sensitive UI properties and the lack of an <iframe>-like element that separates different origins can be exploited to manipulate user actions, particularly within the advertising ecosystem. In our prior work, we proposed five novel UI-based attacks in WebXR, targeting the ad ecosystem. This demo presents these attacks in a unified gaming application, embedding each into distinct interactive scenarios. Our work highlights the need to address design challenges and requirements for improving immersive web-based experiences. We provide our demo video at: https://youtu.be/lTBQbxnNq34.
Towards Secure User Interaction in WebXR
2025-05-03
article · Open access · Senior author
Advancements in extended reality (XR) have resulted in the emergence of WebXR, an XR-open standard interface that enables users to access immersive virtual environments via a browser without additional software. Following this, diverse applications are being developed for WebXR ranging from gaming and shopping to medical and military use. However, recent research indicates that various UI properties in WebXR, such as synthetic input and same-space overlapping objects, can be exploited by adversaries to manipulate users into unintentional actions, especially in the advertising ecosystem. The consequences range from system malfunctions and user data loss to financial and reputational impacts on several involved ad-stakeholders.
Rethinking How to Evaluate Language Model Jailbreak
2025-10-13
article · Senior author
Developers implement safeguards for large language models (LLMs) to restrict specific responses and prevent the generation of unsafe content. However, a growing number of jailbreak approaches aim to circumvent these safeguards by crafting prompts that elicit prohibited content. The success of these approaches is typically evaluated using techniques such as string matching and natural language understanding, which yield an outcome indicating whether the response violates the safeguard. Our analysis reveals two key limitations in existing jailbreak evaluation methodologies: (1) their evaluation objectives lack clarity and do not directly assess the safety of generated responses, and (2) they conflate different jailbreak response outcomes, oversimplifying the jailbreak result into a binary success/failure outcome. In this paper, we propose a novel set of metrics for evaluating LLM jailbreaks: safeguard violation, informativeness, and relative truthfulness. These metrics can differentiate between attackers with varying goals and capture the nuances of their motivations. To automate the computation of these metrics, we introduce an automated multi-metric jailbreak evaluation framework (amJE) comprising two components: (1) LLM response preprocessing, which tokenizes the response at the paragraph and sentence levels and removes invalid segments to enhance metric accuracy, and (2) natural language generation, which evaluates each metric from the processed responses. We evaluate amJE on a benchmark dataset containing 250 malicious intents constructed from recent jailbreak approaches. amJE outperforms three existing jailbreak evaluation methods, achieving average F1 score improvements of 45%, 322%, and 12% over three baselines. These findings highlight the need for sound and precise jailbreak evaluation metrics to ensure language model safety and accurately assess the goals of malicious actors.
Frontline responders: Rethinking indicators of compromise for industrial control system security
Computers & Security · 2025-03-19 · 1 citation
article · Open access · Senior author
Industrial Control Systems (ICSs), widely employed in many critical infrastructure sectors that manage and control physical processes (e.g., energy, water, transportation), face heightened security risks due to increased digitization and connectivity. Monitoring Indicators of Compromise (IoCs), observable signs of intrusion, such as unusual network activity or unauthorized system changes, are crucial for early detection and response to malicious activities, including data breaches and insider threats. While IoCs have been extensively studied in traditional Information Technology (IT), their effectiveness and suitability for the unique challenges of ICS environments, which directly control physical processes, remain unclear. Moreover, the influence of human factors (e.g., sociotechnical factors, usability) on the utilization and interpretation of IoCs for attack prevention in ICSs is not well understood. To address this gap, we conducted two studies involving 52 ICS security professionals. In an IoC Applicability study (n=32), we explore the relevance of existing IoCs within ICS environments and investigate factors contributing to potential ambiguities in their interpretation. We examine the perceived value, effort required for the collection, and volatility of various data sources used for IoC identification. Participants in the IoC Applicability Study emphasized the significant role of human factors in recognizing and interpreting IoCs for threat mitigation within ICS ecosystems. Based on this insight, we conducted a Socio-technical Factors in Recognition and Detection study (n=20) to investigate the impact of human factors on threat detection and explore the sociotechnical factors that influence the effective utilization of IoCs.
Our results show significant discrepancies between conventional IT-based IoCs and their applicability to ICS environments, along with various socio-technical challenges (e.g., alert overload and desensitization). Our study provides pointers to rethinking the specific operational, technological, and human aspects of IoCs within the ICS context. Our findings provide insights for the development of ICS-specific IoC to enable security analysts to better respond to potential threats in industrial environments.
2024-11-11 · 1 citation
article · Open access · Senior author
Mental wellbeing technologies are prevalent in digital spaces, such as content creation websites (e.g., YouTube) and mobile apps. Many users leverage such technologies and thus develop expectations for what they should provide. However, tools to verify whether these technologies conform to user expectations remain largely unexplored. We investigate this problem in the domain of binaural beats - a popular mental wellbeing technology. Using results from preliminary research, where we establish commonly held user expectations and introduce a method to measure expectation conformance, we explore the design of a tool to be used by binaural beats listeners. Through a pre-design survey with 43 participants and a user study with 28 participants, we demonstrate how tools leveraging commonly held user expectations can help users of mental wellbeing applications make informed decisions.
ERACAN: Defending Against an Emerging CAN Threat Model
2024-12-02 · 5 citations
article · Open access
The Controller Area Network (CAN) is a pivotal communication protocol extensively utilized in vehicles, aircraft, factories, and diverse cyber-physical systems (CPSs). The extensive CAN security literature resulting from decades of wide usage may create an impression of thorough scrutiny. However, a closer look reveals its reliance on a specific threat model with a limited range of abilities. Notably, recent works show that this model is outdated and that a more potent and versatile model could soon become the norm, prompting the need for a new defense paradigm. Unfortunately, the security impact of this emerging model on CAN systems has not received sufficient attention, and the defense systems addressing it are almost nonexistent. In this paper, we introduce ERACAN, the first comprehensive defense system against this new threat model. We first begin with a threat analysis to ensure that ERACAN comprehensively understands this model's capabilities, evasion tactics, and propensity to enable new attacks or enhance existing ones. ERACAN offers versatile protection against this spectrum of threats, providing attack detection, classification, and optional prevention abilities. We implement and evaluate ERACAN on a testbed and a real vehicle's CAN bus to demonstrate its low latency, real-time operation, and protective capabilities. ERACAN achieves detection rates of 100% and 99.7%+ for all attacks launched by the conventional and the enhanced threat models, respectively.
Frequent coauthors
- Patrick McDaniel · 62 shared
- A. Selcuk Uluagac (Florida International University) · 28 shared
- Leonardo Babun · 22 shared
- Muslum Ozgur Ozmen (Purdue University System) · 16 shared
- Nicolas Papernot · 15 shared
- Gang Tan (Pennsylvania State University) · 15 shared
- Hidayet Aksu (Google (United States)) · 13 shared
- Habiba Farrukh (University of California, Irvine) · 13 shared
Labs
Department of Computer Science, Purdue University · PI