ML Security Flashcards
-Science of making things smart or human tasks performed by machines (example: visual recognition, Natural Language processing)
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
A. Artificial Intelligence - Science of making things smart or human tasks performed by machines (example: visual recognition, Natural Language processing) Ability of machines to perform human tasks.
-One of many approaches to AI that uses a system capable of learning from experience. Makes decisions based on data rather than on hand-written rules.
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
B. Machine Learning (ML)
-One of many approaches to AI that uses a system capable of learning from experience. Makes decisions based on data rather than on hand-written rules.
-A set of techniques for implementing machine learning that recognizes patterns of patterns. (for example: image recognition). Identifies object boundary, type, structure.
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
C. Deep Learning (DL)
A set of techniques for implementing machine learning that recognizes patterns of patterns. (for example: image recognition)
Different applications work with different data.
What is an AI Threat?
A. Hacker break system through stickers on stop signs
B. Hackers can bypass facial recognition
C. Hackers can break web platforms and filters via social media.
D. Home assistants (like Nest) can be broken
E. All the above
E. All the above are AI Threats.
a. Self Driving Car Threat:
Hacker break system through stickers on stop signs
b. Classification / Image Threat:
Hackers can bypass facial recognition
c. Social Media Threat:
Hackers can break web platforms and filters via social media.
d. Home Automation Threat:
Home assistants (like Nest) can be broken
What algorithm categories are the following categories?
-Classification
-Regression
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Classification
-Regression
A. Supervised
What algorithm categories are the following categories?
-Clustering
-Dimensionality Reduction
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Clustering
-Dimensionality Reduction
B. Unsupervised
What algorithm categories are the following categories?
-Generative models
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Generative models
C. Semi-Supervised
What algorithm categories are the following categories?
-reinforcement learning
D. Reinforcement Learning
-reinforcement learning
D. Reinforcement Learning
How are AI attacks classified?
A. confidentiality, availability, and integrity (triad)
B. Espionage, sabotage, and fraud
C. Availability, fraud, and integrity
D.A and B
How AI attacks are classified:
A. confidentiality, availability, and integrity (triad)
and
B. Espionage, sabotage, and fraud
What are the steps to start an AI Security Project?
I. Identify an AI object and a task
ii. understand algorithm category and algorithm itself
iii. choose an ai attack relevant to your task and algorithm
A. 3,2,1
B. 2,1,3
C. 1,2,3
D. 3,1,2
Start an AI Security Project steps:
C. 1,2,3
I. Identify an AI object and a task
ii. understand algorithm category and algorithm itself
iii. choose an ai attack relevant to your task and algorithm
True or False:
AI threats are similar / mostly the same, but their approaches are different
True
AI threats are similar / mostly the same, but their approaches are different
Reasoning: The difference comes in Algorithms
Steps to Set up your Environment:
i. check whether you have an NVIDIA GPU or not
ii. choose operating system (recommend Ubuntu)
iii. follow guidelines provided
A. 3,2,1
B. 1,2,3
C. 2, 1, 3,
D. 3,1,2,
Steps to Set up your Environment:
i. check whether you have an NVIDIA GPU or not
ii. choose operating system (recommend Ubuntu)
iii. follow guidelines provided
B. 1,2,3
Which attack cannot be used for breaking integrity of AI?
A. backdoor
b. adversarial
c. inference attack
d. poisoning
c. inference attack
inference attack - doesn't break functionality; it extracts critical data (a confidentiality attack)
REASONING:
Adversarial attacks - break integrity by causing misclassification
Poisoning - breaks integrity by altering the training data
Backdoor - backdoor attacks break integrity by injecting hidden behavior
What is the most important hardware for this course?
a. CPU
b. GPU
c. RAM
d. HDD
most important hardware
b. GPU
Model is trained on a labeled data set. Examples are classification and regression:
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
A. Supervised
Supervised - Model is trained on a labeled data set. Examples are classification and regression.
Model is attempting to automatically find structure in the data by extracting useful features and analyzing its structure. Examples: Clustering, Association, Dimension Reduction (Generalization)
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
B. Unsupervised
Unsupervised - Model is attempting to automatically find structure in the data by extracting useful features and analyzing its structure. Examples: Clustering, Association, Dimension Reduction (Generalization)
Imagine a road sign detection system aiming to classify signs. A supervised learning approach is usually used. Examples of certain groups are known and all classes should be defined in the beginning. This method is:
A. Classification
B. Regression
C. Clustering
A. Classification
Classification - imagine a road sign detection system aiming to classify signs. A supervised learning approach is usually used. Examples of certain groups are known and all classes should be defined in the beginning.
The knowledge about the existing data is utilized to have an idea about new data (Past explains future). Ex. is stock price prediction.
A. Classification
B. Regression
C. Clustering
B. Regression
Regression - The knowledge about the existing data is utilized to have an idea about new data (Past explains future). Ex. is stock price prediction.
An unsupervised learning approach is usually used. Examples of certain groups are available, but the classes in the data are unknown in advance.
A. Classification
B. Regression
C. Clustering
C. Clustering
Clustering - An unsupervised learning approach is usually used. Examples of certain groups are available, but the classes in the data are unknown in advance.
Algorithms: K-Means, Mixture Models (e.g. LDA). The course also lists KNN (K-Nearest Neighbor) here; strictly, KNN is a supervised classifier and K-Means is its clustering counterpart.
Necessary if you deal with complex systems with unlabeled data and many potential features (facial recognition)
A. Classification
B. Dimension Reduction (Generalization)
C. Clustering
D. Generative Models
B. Dimension Reduction (Generalization)
Dimension Reduction - Necessary if you deal with complex systems with unlabeled data and many potential features (facial recognition)
_______ designed to simulate the actual data, not decisions, based on previous data.
Generates new data based on previous data.
A. Classification
B. Dimension Reduction (Generalization)
C. Clustering
D. Generative Models
D. Generative Models
Generative Models - generate new data based on previous data; designed to simulate the actual data and not decisions.
________ A behavior that depends on the changing environment.
A. Reinforcement Learning
B. Dimension Reduction (Generalization)
C. Active Learning
D. Generative Models
A. Reinforcement Learning -A behavior that depends on the changing environment.
Reinforcement Learning
(Behavior should react to the changing environment. Trial and Error.)
_____ A subclass of reinforcement learning, which helps correct errors, in addition to the environment changes
A. Reinforcement Learning
B. Dimension Reduction (Generalization)
C. Active Learning
D. Generative Models
C. Active Learning
Active Learning - A subclass of reinforcement learning, which helps correct errors, in addition to the environment changes
Acts as a teacher who can help correct errors in addition to environment changes
_________ are inputs to machine learning models that result in an incorrect output.
A. adversarial example
B. king penguin
C. starfish
D. baseball
A. adversarial example
adversarial example - inputs to machine learning models that result in an incorrect output.
Reasoning:
b. King penguin - a label of an adversarial image used as an illustration, i.e. an instance, not the term
c. starfish - likewise an illustration label, not the term
d. baseball - likewise an illustration label, not the term
________ - Is the cause for ML models to create a false prediction?
A. adversarial example
B. king penguin
C. starfish
D. baseball
A. adversarial example
Adversarial example - the cause of an ML model producing a false prediction.
___________ tries to move inputs across the decision boundary?
A. adversarial example
B. king penguin
C. adversarial attacks
D. baseball
C. adversarial attacks
ADVERSARIAL ATTACKS- tries to move inputs across the decision boundary.
How AI Attacks Work:
What do AI Attacks calculate?
A. How much input changes affect the outputs.
B. How much outputs change affect inputs
C. Decision boundary
D. Neither
A. How much input changes affect the outputs.
AI attacks work by calculating how much INPUT changes AFFECT the OUTPUT.
What do you need to calculate AI Attacks?
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. All the above
d. All the above
What you need to calculate AI Attacks:
1. Gradient
2. Loss Function
3. Optimal Perturbations measuring Lp Norms
______ defines how good a given model is at making predictions for a given scenario.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
b. Loss function
Loss Function - Defines how good a given model is at making predictions for a given scenario
What method has the following characteristics:
-it has its own curve and gradients
-slope of the curve indicates the appropriate way of updating the parameters to make the model more accurate in case of prediction
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
b. Loss function
-it has its own curve and gradients
-slope of the curve indicates the appropriate way of updating the parameters to make the model more accurate in case of prediction
____ a fancy word for derivative; a vector of partial derivatives. Means rate of change.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
a. Gradient
Gradient - a fancy word for derivative; a vector of partial derivatives. Means rate of change.
_____ attacks try to move inputs across the decision boundary.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
c. Optimal Perturbations measuring Lp Norms
_____ attacks try to move inputs across the decision boundary.
Perturbation - attacks try to move inputs across the decision boundary
____ denotes the maximum change for all pixels in the adversarial examples
a. l∞ (l-infinity)
b. u
c. l0
d. none of above
a. l∞ (l-infinity)
l∞ denotes the maximum change over all pixels in the adversarial example (used to measure the perturbation)
_____ number of pixels changed in the adversarial examples.
a. l∞ (l-infinity)
b. u
c. l0
d. none of above
c. l0
l0 denotes the number of pixels changed in the adversarial example (used to measure the perturbation)
Topic “If ML Algorithms have Vulnerabilities”
Ex. a malefactor applies bypass techniques to spam mailings. All algorithms that ML models are based on (from SVMs to random forests and neural networks) are vulnerable to different kinds of adversarial inputs. What form of AI does this type of attack target?
a. Classification
b. Random Forests
c. K-Means
d. Regression
a. Classification
Adversarial Classification -
An attack where a malefactor applies bypass techniques to spam mailings. All algorithms that ML models are based on (from SVMs to random forests and neural networks) are vulnerable to different kinds of adversarial inputs.
Which type of ML algorithms has few examples of practical attacks?
a. Classification
b. Random Forests
c. K-Means
d. Regression
d. Regression
Regression- a type of ML Algorithms that has FEW EXAMPLES of PRACTICAL attacks.
Source: “Adversarial Regression with Multiple Learners 2018”
True / False:
Most attacks used in Classification can be used in Regression?
TRUE
MOST attacks used in Classification CAN BE USED in Regression
Reasoning: Condition Based Instance and Null Analysis
Which type of ML algorithm (e.g. auto-encoders) is prone to attacks such as input reconstruction and spoofing?
Given an input image, the model encodes it into a lower-dimensional representation, then uses that to reconstruct the original image.
a. Classification
b. Generative Models
c. K-Means
d. Regression
b. Generative Models
Generative Models (GANs) or auto-encoders - prone to attacks such as input reconstruction and spoofing.
Given an input image, the model encodes it into a lower-dimensional representation, then uses that to reconstruct the original image.
Which type of ML algorithm can be used for malware detection?
a. Classification
b. Generative Models
c. K-Means
d. Clustering
d. Clustering
Clustering - used for malware detection.
The course names K-Nearest Neighbors (KNN) as the algorithm here; strictly, KNN is a supervised classifier and K-Means is the clustering algorithm.
Note: training data comes from the wild (attacker-influenced samples can end up in it).
______ is the most common dimensionality reduction algorithms?
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA- is the most common dimensionality reduction algorithm.
Which type of ML algorithm is sensitive to outliers that can be exploited by contaminating the training data?
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA - sensitive to outliers that can be exploited by contaminating training data.
Example for the PCA card above (image not reproduced in these cards):
Contaminating the training data dramatically decreases the detection rate for DoS attacks
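An added example of that contamination (constructed for these cards, not code from the course): a toy PCA-based anomaly detector in pure Python that alerts on traffic far from the leading principal direction. The clean traffic points, the attacker's chaff points and the alert threshold of 1.0 are all made up; the chaff is placed along the direction of the attacker's planned DoS flow, so the leading component rotates toward it and the flow stops looking anomalous.

```python
"""Added example: poisoning a PCA-based anomaly detector with outliers.
All data points and the threshold below are constructed for the demo."""
import math

# Constructed 'normal traffic': 2-D feature vectors lying along one direction.
CLEAN = [(float(t), 0.3 * t + (0.05 if t % 2 == 0 else -0.05))
         for t in range(-5, 6)]
# The attacker's planned DoS flow: far from the normal direction.
ATTACK_FLOW = (2.0, 6.0)
# Chaff the attacker injects into the training window: high-variance points
# along the same direction as the attack flow, so PCA rotates toward it.
CHAFF = [(float(s), 3.0 * s) for s in range(1, 21)]
THRESHOLD = 1.0  # residual above which the detector raises an alert (assumed)


def mean(points):
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def leading_direction(points):
    """First principal component of 2-D points: the unit eigenvector of the
    2x2 covariance matrix [[a, b], [b, c]] for its largest eigenvalue."""
    mx, my = mean(points)
    n = len(points)
    a = sum((x - mx) ** 2 for x, y in points) / n
    b = sum((x - mx) * (y - my) for x, y in points) / n
    c = sum((y - my) ** 2 for x, y in points) / n
    lam = (a + c) / 2 + math.sqrt(((a - c) / 2) ** 2 + b * b)
    if abs(b) < 1e-12:              # covariance already diagonal
        vx, vy = (1.0, 0.0) if a >= c else (0.0, 1.0)
    else:                           # from (a - lam) * vx + b * vy = 0
        vx, vy = b, lam - a
    norm = math.hypot(vx, vy)
    return vx / norm, vy / norm


def residual(point, training):
    """Distance of a point from the principal direction learned from the
    training set; a large residual means 'anomalous'."""
    mx, my = mean(training)
    ux, uy = leading_direction(training)
    vx, vy = point[0] - mx, point[1] - my
    return abs(vx * (-uy) + vy * ux)   # component orthogonal to (ux, uy)


def is_alert(point, training, threshold=THRESHOLD):
    return residual(point, training) > threshold


def angle_degrees(u, v):
    """Angle between two unit directions (sign-insensitive)."""
    return math.degrees(math.acos(min(1.0, abs(u[0] * v[0] + u[1] * v[1]))))


if __name__ == "__main__":
    poisoned = CLEAN + CHAFF
    print("alert on clean model:   ", is_alert(ATTACK_FLOW, CLEAN),
          "residual %.2f" % residual(ATTACK_FLOW, CLEAN))
    print("alert on poisoned model:", is_alert(ATTACK_FLOW, poisoned),
          "residual %.2f" % residual(ATTACK_FLOW, poisoned))
    print("principal direction rotated by %.1f degrees" % angle_degrees(
        leading_direction(CLEAN), leading_direction(poisoned)))
```

The chaff works because PCA weights squared deviations, so a handful of far-out points dominates the covariance; that is also why these cards later recommend outlier detection: the chaff sits far outside the range of the clean data and would be flagged before PCA is fit.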
______ which type of algorithm is used for Facial Recognition? An example of this is using your face to unlock your iphone.
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA- algorithm is used for Facial Recognition. An example of this is using your face to unlock your iphone.
Deep Q-Network (DQN): the deep RL framework that uses a DNN for feature selection and Q-function approximation.
What are the steps of a Deep Reinforcement Learning Attack (DQN)?
i. attacker observes current state and transitions in environment
ii. attacker estimates best action according to adversarial policy
iii. attacker crafts perturbation to induce adversarial action
iv. attacker applies perturbation
v. perturbed input is revealed to target
vi. attacker waits for the target's action
A. 1,2,3,4,5,6
B. 6,5,4,3,2,1
C. 4,3,2,5,6,1
D. 2,5,3,4,6,1
steps of a Deep Reinforcement Learning Attack (DQN)?
A. 1,2,3,4,5,6
i. attacker observes current state and transitions in environment
ii. attacker estimates best action according to adversarial policy
iii. attacker crafts perturbation to induce adversarial action
iv. attacker applies perturbation
v. perturbed input is revealed to target
vi. attacker waits for the target's action
What is the most wide spread attack method?
a. LBFGS
b. FGSM (Fast Gradient Sign Method)
c. DQN
d. none of the above
b. FGSM (Fast Gradient Sign Method)
FGSM (Fast Gradient Sign Method) - the most widespread attack method: a single step along the sign of the input gradient, which is why it is cheap to compute.
_____ attack does the following:
1. Takes the label of the least likely class predicted by network
2. The computed pertrubation is subtracted from original image
3. This maximizes the probability that the network predicts target as the label of the adversarial example
a. LBFGS
b. FGSM (Fast Gradient Sign Method)
c. DQN
d. none of the above
b. FGSM (Fast Gradient Sign Method)
FGSM works using the following steps (this is the targeted, least-likely-class variant):
- Takes the label of the least likely class predicted by the network as the target
- Computes the sign of the loss gradient for that target label; the resulting perturbation is subtracted from the original image
- This maximizes the probability that the network predicts the target as the label of the adversarial example
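Added example (not code from the flashcards or the course they summarize): the ingredients from the earlier cards, loss function, input gradient and the l0/l2/l∞ norms of the perturbation, put together as FGSM against a tiny logistic-regression classifier in pure Python. The weights, bias and input vector are made up for the demonstration; eps is the per-feature budget, which is exactly what the l∞ norm measures. Both the untargeted step (add the gradient sign for the true label) and the targeted step described above (subtract it for the target label) are shown.

```python
"""Added example: FGSM against a tiny logistic-regression classifier.
The model weights, bias and input below are constructed for the demo."""
import math

# Hypothetical 4-feature binary classifier: p(y=1 | x) = sigmoid(W.x + B)
W = [2.0, -1.5, 0.5, 1.0]
B = -0.2


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(x):
    return sigmoid(sum(w * xi for w, xi in zip(W, x)) + B)


def classify(x):
    return 1 if predict_proba(x) >= 0.5 else 0


def loss(x, y):
    """Binary cross-entropy: how badly the model predicts label y for x."""
    p = predict_proba(x)
    tiny = 1e-12
    return -(y * math.log(p + tiny) + (1 - y) * math.log(1 - p + tiny))


def input_gradient(x, y):
    """dLoss/dx.  For logistic regression dLoss/dz = p - y and dz/dx = W,
    so the gradient is (p - y) * W: how much a change in each input
    feature changes the loss ('how input changes affect the output')."""
    p = predict_proba(x)
    return [(p - y) * w for w in W]


def sign(v):
    return (v > 0) - (v < 0)


def fgsm(x, y, eps):
    """Untargeted FGSM: move every feature by eps in the direction that
    increases the loss for the true label y."""
    g = input_gradient(x, y)
    return [xi + eps * sign(gi) for xi, gi in zip(x, g)]


def fgsm_targeted(x, target, eps):
    """Targeted ('least-likely class') variant: take the gradient for the
    target label and SUBTRACT it, which lowers the loss for the target,
    i.e. raises the probability of the target class."""
    g = input_gradient(x, target)
    return [xi - eps * sign(gi) for xi, gi in zip(x, g)]


def perturbation_norms(x, x_adv):
    """l0 = number of changed features, l2 = Euclidean size of the change,
    linf = largest single-feature change."""
    d = [a - b for a, b in zip(x_adv, x)]
    l0 = sum(1 for v in d if abs(v) > 1e-9)
    l2 = math.sqrt(sum(v * v for v in d))
    linf = max(abs(v) for v in d)
    return l0, l2, linf


# Constructed input that the model classifies correctly as class 1.
X = [0.4, 0.2, 0.1, 0.3]
Y = 1

if __name__ == "__main__":
    for eps in (0.1, 0.3):
        x_adv = fgsm(X, Y, eps)
        print("eps", eps, "class", classify(X), "->", classify(x_adv),
              "loss %.3f -> %.3f" % (loss(X, Y), loss(x_adv, Y)),
              "norms l0/l2/linf:", perturbation_norms(X, x_adv))
```

With eps = 0.1 the input stays on the correct side of the decision boundary; with eps = 0.3 it crosses it, and the norms show what that costs: all four features changed (l0 = 4), each by at most 0.3 (l∞). For a binary model the targeted step toward class 0 lands on the same point as the untargeted step away from class 1; with more classes the two differ.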
_____ attack method was very time-consuming, especially for larger images, and practically inapplicable
a. LBFGS
b. FGSM (Fast Gradient Side Method)
c. DQN
d. none of the above
a. LBFGS
L-BFGS - attack method that was very time-consuming, especially for larger images, and practically inapplicable
Which ML task category is required if you deal with complex systems with unlabeled data and many potential features?
a. classification
b. clustering
c. reinforcement learning
d. dimensionality reduction
d. dimensionality reduction
Dimensionality Reduction - ML category required if you deal with complex systems with unlabeled data and many potential features.
How do you measure Adversarial Attacks?
A. using Gradient
B. using Loss Function
C. using L-p norm
D. using the size of ML Model
C. using L-p norm
L-p norm used to measure changes for adversarial attacks
Which ML task category has the biggest number of research papers?
A. Clustering
B. Reinforcement Learning
C. Classification
D. Regression
C. Classification
Classification - has the largest number of research papers (around 300)
Why is the FGSM method better than the L-BFGS method?
A. Requires less information
B. FGSM is more accurate
C. More universal
D. The FGSM method is faster
D. The FGSM method is faster
Reasoning-
Not C. L-BFGS is more universal but slower and less accurate
Which dataset is better for testing practical attacks?
A.CIFAR
B. MNIST
C. LFW
D. ImageNet
B. MNIST
MNIST is the dataset best for testing practical attacks. The MNIST dataset is the smallest one, and all tests will be less time-consuming with lower computation cost
What are the reasons to Hack AI?
A. AI is eating software
B. Expansion of technology related to Cybersecurity
C. Vulnerable to various cyber attacks like any other algorithms
D. All Above
D. All Above
Hack AI
-AI is eating software
-Expansion of tech related to cybersecurity
-vulnerability to various cyber attacks like any other algorithms
Autonomous cars use image classification, such as identification of road signs
______ can lead to horrible accidents
A. Spoofing of road signs
Autonomous cars use image classification, such as identification of road signs
Spoofing of road signs - can lead to horrible accidents
What are AI risks in the Cybersecurity Industry?
A. Bypass spam filters
B. Bypass threat detection solutions
C. Bypass AI-based Malware Detection tools
D. All Above
AI risks in Cybersecurity Industry
D. All Above
-Bypass spam filter
-Bypass threat detection solutions
-bypass AI based malware detection tools
What are AI risks in the Retail Industry?
A. bypass Facial recognition
AI Risks in Retail Industry:
A. bypass Facial recognition
(done with makeup, surgery etc.)
How does AI use in Retail
a. Behavior analysis of clients
b. Optimize business processes
c. all above
c. all above
AI use in retail:
1. Behavior analysis of clients
2. Optimize business processes
How is AI used in Smart Home Industry?
Amazon Echo recognizes noise as a command: the sound is recognized as certain instructions.
a. forge voice commands
AI used in Smart Home Industry
a. forge voice commands
How AI used in Web and Social Media Industry
a. Fool sentiment analysis of movie reviews, hotels etc.
How AI used in Web and Social Media Industry
- Fool sentiment analysis of movie reviews, hotels etc.
Misinterpret a comment
How AI used in Finance
a. trick anomaly and fraud detection engines
How AI used in Finance
- trick anomaly and fraud detection engines
What are ways to prevent Frauds using ML?
a. learn customer behavior
b. analysis of aggregated data
c. analysis of social graphs
d. automation of routine processes
e. control use ID information
f. ALL ABOVE
f. ALL ABOVE
-learn customer behavior
- analysis of aggregated data
-analysis of social graphs
- automation of routine processes
- control use ID information
Confidentiality is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
Confidentiality is associated with:
a. Gather System Insights
-Obtain insights into the system
-utilize the received info or plot more advanced attacks
Which triad is the following:
(A malicious person deals with a ML system that is an Image Recognition System. They get to learn more about the internals or the datasets from this system)
a. confidentiality
b. availability
c. integrity
a. confidentiality
(A malicious person deals with a ML system that is an Image Recognition System. They get to learn more about the internals or the datasets from this system)
Reasoning-
Confidentiality because they are gathering information about the system and that information can be used to plot attacks.
NOT: Integrity because they did not change logic
NOT: Availability because they did not disable anything
Availability is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
b. Disable AI System Functionality
Availability = Disable AI System Functionality
Which triad is the following:
-Flood AI with requests, which demand more time
-Flood with incorrect classified objects to increase manual work
-Modify a model by retraining it with wrong examples
-Use computing power of an AI model for solving your own tasks
a. confidentiality
b. availability
c. integrity
b. availability
-Flood AI with requests, which demand more time
-Flood with incorrect classified objects to increase manual work
-Modify a model by retraining it with wrong examples
-Use computing power of an AI model for solving your own tasks
Integrity is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
c. Modify AI logic
Integrity = Modify AI Logic
Which triad is the following:
-Ex. Make autonomous cars, believe that there is a cat on the road, when in fact it is a car.
-2 different ways to interact with a system at the learning or production stage
1) poisoning
2) evasion
a. confidentiality
b. availability
c. integrity
c. integrity
This attack is integrity because you modified the car to think it was a cat when it was really a car.
2 types of integrity (modify ai logic)
1. Poisoning - attackers poison some data in the training dataset
2. Evasion- attackers exploit vulnerabilities of an algorithm by showing modified picture at the production stage
Which integrity interaction is this?
________ attackers alter some data in the training dataset
a. poisoning
b. evasion
c. modify ai logic
a. poisoning
POISONING - attackers poison / alter some data in the training dataset
An attack on integrity
Which integrity interaction is this?
______ attackers exploit vulnerabilities of an algorithm by showing the modified picture at the production stage
a. poisoning
b. evasion
c. modify ai logic
b. evasion
EVASION - attackers exploit vulnerabilities of an algorithm by showing the modified picture at the production stage
An attack on integrity
_______ a procedure where someone is trying to exploit ML model, by injecting malicious data into the training dataset.
a. poisoning
b. evasion
c. modify ai logic
a. poisoning
Poisoning - a procedure where someone is trying to exploit ML model, by injecting malicious data into the training dataset.
_________ attacks change classification boundry while
_________ attacks change input examples
a. Poisoning, Adversarial
b. Adversarial, Poisoning
c. Posioning, Evasion
d. Evasion, Poisoning
a. Poisoning, Adversarial
Poisoning attacks - change the classification boundary WHILE
Adversarial attacks - change input examples
True or False
If points are added to the training data, the decision boundary will change
True
If points are added to the training data, the decision boundary will change
______ attack allows an adversary to modify solely the labels in supervised learning datasets but for arbitrary data points
A. Label modification
B. Poisoning
C. Evasion
D. Data Injection
A. Label modification
Label modification attack allows an adversary to modify solely the labels in supervised learning datasets, but for arbitrary data points
______ An adversary (enemy) does not have access to the training data nor to the learning algorithm, but has the ability to add new data to the training set
A. Label modification
B. Poisoning
C. Data Injection
D. Adversarial
C. Data Injection
Data Injection - An adversary (enemy) does not have access to the training data nor to the learning algorithm, but has the ability to add new data to the training set
_______ An adversary does not have access to the learning algorithm but has full access to the training data
A. Label modification
B. Data Modification
C. Data Injection
D. Adversarial
B. Data Modification
Data modification - An adversary does not have access to the learning algorithm but has full access to the training data.
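Added example (not the course's code) for the boundary-shift card and the data-injection and label-modification cards above: a nearest-centroid "malicious vs benign" classifier in pure Python over constructed two-feature training points. It counts how many benign-labelled rows an attacker with injection-only access must append to drag the boundary past a target sample, and shows that an attacker who can only flip labels needs three flips on this data to get the same result. The training set, the target point and the injected point are all made up.

```python
"""Added example: poisoning a nearest-centroid classifier by data injection
and by label modification.  Training points and labels are constructed."""
import math

# Constructed two-feature training set: a 'malicious' cluster near (0.5, 0.5)
# and a 'benign' cluster near (4.5, 4.5).
TRAIN = [
    ((0.0, 0.0), "malicious"), ((0.0, 1.0), "malicious"),
    ((1.0, 0.0), "malicious"), ((1.0, 1.0), "malicious"),
    ((4.0, 4.0), "benign"), ((4.0, 5.0), "benign"),
    ((5.0, 4.0), "benign"), ((5.0, 5.0), "benign"),
]
# Malicious sample the attacker wants to slip past the detector as benign.
TARGET = (1.5, 1.5)


def centroid(points):
    n = len(points)
    return tuple(sum(p[i] for p in points) / n for i in range(len(points[0])))


def fit(dataset):
    """Nearest-centroid classifier: the 'model' is one centroid per label."""
    by_label = {}
    for x, y in dataset:
        by_label.setdefault(y, []).append(x)
    return {y: centroid(xs) for y, xs in by_label.items()}


def predict(model, x):
    return min(model, key=lambda y: math.dist(x, model[y]))


def boundary_midpoint(model):
    """The decision boundary is the perpendicular bisector of the two
    centroids; its midpoint shows where the boundary sits."""
    ca, cb = list(model.values())
    return tuple((a + b) / 2 for a, b in zip(ca, cb))


def injections_to_flip(dataset, target, wanted, injected_point, max_n=100):
    """Data injection: the attacker cannot touch existing rows or the
    algorithm, only append new rows.  Returns how many copies of
    (injected_point, wanted) move the centroid enough to relabel target."""
    for n in range(1, max_n + 1):
        poisoned = dataset + [(injected_point, wanted)] * n
        if predict(fit(poisoned), target) == wanted:
            return n
    return None


def flip_labels(dataset, indices, new_label):
    """Label modification: the attacker changes only the labels of chosen rows."""
    return [(x, new_label if i in indices else y)
            for i, (x, y) in enumerate(dataset)]


if __name__ == "__main__":
    clean = fit(TRAIN)
    print("clean:", predict(clean, TARGET),
          "boundary midpoint", boundary_midpoint(clean))
    n = injections_to_flip(TRAIN, TARGET, "benign", (1.75, 1.75))
    poisoned = fit(TRAIN + [((1.75, 1.75), "benign")] * n)
    print("after", n, "injections:", predict(poisoned, TARGET),
          "boundary midpoint", boundary_midpoint(poisoned))
    flipped = fit(flip_labels(TRAIN, {1, 2, 3}, "benign"))
    print("after flipping 3 labels:", predict(flipped, TARGET))
```

The injected point sits just past the target rather than on top of it, which is less conspicuous but costs more rows: here 11 benign-labelled copies are needed before the benign centroid is closer to the target than the malicious one. Flipping the labels of the three malicious points nearest the target does the same job with far fewer rows, which is why the cards treat label modification as a distinct, stronger capability than injection.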
______ An adversary has the ability to meddle with the learning algorithm and such attacks are viewed as logic corruption.
A. Label modification
B. Data Modification
C. Data Injection
D. Logic Corruption
D. Logic Corruption
Logic Corruption - An adversary has the ability to meddle with the learning algorithm and such attacks are viewed as logic corruption
______ An attacker intends to explore the system such as model or dataset, that can further come in handy.
A. Label modification
B. Data Modification
C. Data Injection
D. Logic Corruption
E. Privacy Attack (Inference Attack)
E. Privacy Attack (Inference Attacks)
Privacy Attack - An Attacker intends to explore the system such as Model or dataset, that can further come in handy
These attacks are done at the production stage.
These attacks are achievable at training, if the training data is injected, we can learn how the algorithm works based on the given data.
The goal is to break Confidentiality
A. Label modification
B. Data Modification
C. Data Injection
D. Logic Corruption
E. Privacy Attack (Inference Attack)
E. Privacy Attack (Inference Attack)
Privacy Attack - An Attacker intends to explore the system such as Model or dataset, that can further come in handy
Characteristics:
These attacks are done at the production stage.
These attacks are achievable at training, if the training data is injected, we can learn how the algorithm works based on the given data.
The goal is to break Confidentiality
Type of attacker: Example with particular property was in a dataset.
A. Membership inference
B. Attribute Inference
C. Input Inference
D. Parameter Inference
B. Attribute Inference
Attribute inference- Example with particular property was in a dataset.
Type of attacker: Particular example was in dataset
A. Membership inference
B. Attribute Inference
C. Input Inference
D. Parameter Inference
A. Membership inference
Membership inference- Particular example was in dataset
Type of attacker: Extract an example from the dataset
A. Membership inference
B. Attribute Inference
C. Input Inference
D. Parameter Inference
C. Input Inference
Input Inference - Extract an example from the dataset
Type of attacker: Obtain ML model parameters
A. Membership inference
B. Attribute Inference
C. Input Inference
D. Parameter Inference
D. Parameter Inference
Parameter Inference - Obtain ML model parameters
______ Attack’s main goal is to inject additional behavior in such a way that backdoors operate after retraining the system
A. Poisoning
B. Backdoor
C. Evasion
D. Parameter Inference
B. Backdoor
Backdoor - Main goal is to inject additional behavior in such a way that the backdoors operate after retraining the system
Why Use Backdoors
1. NNs are huge structures (millions of neurons); a backdoor needs only minor changes to a small set of neurons.
- Production models are trained with tremendous data and computing power. It is impossible for a small company to recreate them, so they usually retrain existing models.
- Malefactors can hack a server that stores public models and upload their own backdoored model. The NN model keeps the backdoor even after the model is retrained.
_____ attacks are lesser-known than adversarial attacks
a. listed
b. backdoor
c. adversarial
d. parameter
a. listed
The listed attacks (poisoning, privacy/inference and backdoor attacks) are lesser-known than adversarial attacks
Which industry is one of the most critical in terms of AI attacks?
a. Transportation
b. Energy
c. Entertainment
d. Oil and Gas
a. Transportation
The transportation industry is the most critical because AI is taking this industry by storm and any error related to security may affect human lives
An attack on __ is an attack where a hacker’s aim is to get information on ML Models insights
a. safety
b. availability
c. integrity
d. confidentiality
d. confidentiality
confidentiality - an attack where a hacker’s aim is to get information on ML Models insights
How is an attack subtype called if an adversary does not have any access to the training data as well as to the learning algorithm but instead it has an ability to add new data to the training set?
a. Label modification
b. Data injection
c. Logic corruption
d. Data modification
b. Data injection
Data injection - adversary ability to add new data to the training set
What algorithms can be used for detecting poisoning attacks?
a. clustering
b. decision trees
c. neural networks
d. KNN
a. Clustering
Clustering is used to detect poisoning attacks
Is parameter inference privacy attack implemented in CypherCat?
True / False
False
Parameter Inference Privacy Attack is not implemented in Cypher Cat
What algorithm is required for backdoor detection?
a. classification
b. outlier detection
c. segmentation
d. regression
b. outlier detection
What are 3 things you need to consider when you want to analyze a security of AI
a. architecture, algorithm, and dataset
b. architecture, SVM, and dataset
c. training data, algorithm, dataset
d. none of the above
a. architecture, algorithm, and dataset
3 things to consider when analyze security
1. Architecture
2. Algorithm
3. Dataset
Linear Regression
SVM
MLP
CNN (Convolution Neural Network)
These are all examples of
a. algorithm
b. dataset
c. architecture
c. architecture
Linear Regression
SVM
MLP
CNN (Convolution Neural Network)
_______ is a type of architecture that has multiple layers of neural networks, each is responsible for its own set of features
a. algorithm
b. dataset
c. architecture
c. architecture
a type of architecture that has multiple layers of neural networks, each is responsible for its own set of features
Which architecture is the following:
-simple architecture
-slow for training
-model is large
-avoid in practice
a. VGG (Visual Geometry Group)
b. ResNet (Residual networks)
c. Inception
a. VGG (Visual Geometry Group)
VGG (Visual Geometry Group)
-simple architecture
-slow for training
-model is large
-avoid in practice
Which architecture is the following:
-deep neural network
-addresses the problem of vanishing gradients
a. VGG (Visual Geometry Group)
b. ResNet (Residual networks)
c. Inception
b. ResNet (Residual Networks)
an architecture
-deep neural network
-addressed the problem of vanishing gradients
Which architecture is the following:
-developed by Google
-4 versions available
-Inception V3 and Inception V4 (image classification)
a. VGG (Visual Geometry Group)
b. ResNet (Residual networks)
c. Inception
c. Inception
-developed by Google
-4 versions available
-Inception V3 and Inception V4 (image classification)
Which type of dataset is the following:
-MNIST / CIFAR: play while practicing
-MNIST / CIFAR: run tests faster
-ImageNet: needs a lot of memory on your computer
Which type of dataset would you used based on the following task:
“Want to develop a production based solution and Attacks / Defenses.”
a. MNIST
b. CIFAR
c. ImageNet
c. ImageNet
ImageNet - the dataset to go with if you want to develop a production-grade solution and the attacks / defenses for it
Which type of dataset would you used based on the following task:
“run tests faster”, “play while practicing”
a. MNIST
b. CIFAR
c. ImageNet
d. both a and b
d. both a and b
BOTH the MNIST and CIFAR datasets have the advantages of running tests faster and letting you play while practicing.
Which type of dataset would you used based on the following task:
“need alot of memory”
a. MNIST
b. CIFAR
c. ImageNet
c. ImageNet
A disadvantage of ImageNet is that you will need a lot of memory.
What questions must be answered about adversarial attacks?
a. goals
b. perturbation and iterations
c. environment and constraints
d. knowledge
e. all the above
e. all above
Questions that need to be answered about adversarial attacks in order to obtain the most information:
- Attacker's Goal
- Perturbation
- Environment
- Iterations
- Constraints
- Knowledge
Which Adversarial Attack Goal is the following:
“Change a class to a particular target”
a. targeted misclassification
b. source / target misclassification
c. confidence reduction
d. misclassification
e. all above
c. confidence reduction
Confidence reduction - “Change a class to a particular target”
Which Adversarial Attack Goal is the following: “Change a class without any specific target”
a. targeted misclassification
b. source / target misclassification
c. confidence reduction
d. misclassification
e. all above
d. misclassification
“Change a class without any specific target”
Which Adversarial Attack Goal is the following: “Don't change a class but impact the confidence greatly”
a. targeted misclassification
b. source / target misclassification
c. confidence reduction
d. misclassification
e. all above
c. confidence reduction
“don't change a class but impact the confidence greatly”
Which Adversarial Attack Goal is the following: “Change a class without any specific target”
a. targeted misclassification
b. source / target misclassification
c. confidence reduction
d. misclassification
e. all above
d. misclassification
misclassification - “Change a class without any specific target”
Which Adversarial Attack Perturbation is the following:
“Adversarial perturbation can only be applied to 1 source”
a. individual
b. universal
a. individual
Which Adversarial Attack Perturbation is the following:
“Adversarial perturbation can be applied to many sources”
a. individual
b. universal
b. universal
Which Adversarial Attack Perturbation is the following:
“Adversarial attack can only be applied in the digital world”
a. individual
b. universal
c. digital
d. physical
c. digital
ex. an attacker has a digital photo (profile picture); with a small perturbation to multiple pixels they can fool facial recognition in the digital world
Which Adversarial Attack Perturbation is the following:
“Adversarial attack applied in the physical world”
a. individual
b. universal
c. digital
d. physical
d. physical
A camera takes a photo and sends it to the ML system. The camera quality is insufficient and smooths the image before it is sent to the system. This smoothing destroys the adversarial perturbation. This shows that what is done in the physical world can't be done in the digital world.
Single-step attacks require just 1 step.
What are examples of single-step attacks?
a. FGSM
b. RSSA
c. BIM
d. Both A and B
d. Both A and B
FGSM and RSSA are both single step attacks.
(Fast and less accurate)
Iterative attacks require multiple iterations.
What are examples of Iterative attacks?
a. BIM
b. DeepFool
c. FGSM
d. both A and B
d. both A and B
BIM and DeepFool are both iterative attacks that require multiple iterations. (More accurate but very slow)
________ This Adversarial Attack Constraint measures the Euclidean distance between the adversarial example and the original sample
a. L∞
b. L2
c. L1
d. L0
Adversarial Attack Constraint
b. L2
L2 - measures the Euclidean distance between adversarial example and the original sample
_______ This Adversarial Attack Constraint measures the distance between 2 points as the number of dimensions that have different values (the number of pixels changed)
a. L∞
b. L2
c. L1
d. L0
Adversarial Attack Constraint
d. L0
L0 - measures the distance between 2 points as the number of dimensions that have different values (the number of pixels changed)
______ This Adversarial Attack Constraint - Distance is equivalent to the sum of the absolute value of each dimension, which is also known as the Manhattan distance
a. L∞
b. L2
c. L1
d. L0
Adversarial Attack Constraint
c. L1
L1 - Distance is equivalent to the sum of the absolute value of each dimension, which is also known as the Manhattan distance
______ This Adversarial Attack Constraint - Denotes the maximum change for all pixels in adversarial examples
a. L∞
b. L2
c. L1
d. L0
Adversarial Attack Constraint
a. L∞
L∞ - denotes the maximum change for all pixels in adversarial examples
_______ Everything about the network is known including all weights and all data on which this network was trained
a. White-box
b. Grey-box
c. Black-box
a. White-box
White-box- Everything about the network is known including all weights and all data on which this network was trained
______ An attacker may know details about the dataset or the type of neural network, its structure, the number of layers, and so on
a. White-box
b. Grey-box
c. Black-box
b. Grey-box
An attacker may know details about the dataset or the type of neural network, its structure, the number of layers, and so on
________ An attacker can only send information to the system and obtain a simple result about a class
a. White-box
b. Grey-box
c. Black-box
c. Black-box
An attacker can only send information to the system and obtain a simple result about a class
Steps on “How to Choose an Attack”
i. Understand Knowledge Level + Goal
ii. Understand Constraints + Environment
iii. Iterations + Perturbations
a. 1,2,3
b. 3,2,1
c. 2,1,3
Steps on “How to Choose an Attack”
a. 1,2,3
i. Understand Knowledge Level + Goal
ii. Understand Constraints + Environment
iii. Iterations + Perturbations
Attack quality depends on AI model hyperparameters
True
False
True
AI attack quality depends on AI model hyperparameters such as the number of layers, activation functions, etc.
Iterative attacks are better than single-step attacks because they are faster
True
False
False
Iterative attacks are slower than Single-Step attacks
FGSM is faster than DeepFool
True
False
True
FGSM is faster than DeepFool
Grey-box attack is an attack where an attacker doesn’t know anything about the model and the dataset
True
False
False
Grey-box attack is an attack where an attacker knows a little about the model and the dataset
Decision-based attacks are harder than score-based ones
True
False
True
Decision-based attacks are harder than the score-based ones because they are based on less information about the system
What are the 4 different ways to measure attacks?
- misclassification
- imperceptibility
- robustness
- speed
misclassification
imperceptibility
robustness
speed
Which of the ways to measure attacks is the following:
“how good the attack is against all examples”
a. misclassification
b. imperceptibility
c. robustness
d. speed
a. misclassification
Which of the ways to measure attacks is the following:
“how hard is it to recognize an attack”
a. misclassification
b. imperceptibility
c. robustness
d. speed
b. imperceptibility
“how hard is it to recognize an attack”
Which of the ways to measure attacks is the following:
“how resistant to modification this adversarial example is”
a. misclassification
b. imperceptibility
c. robustness
d. speed
c. robustness
“how resistant to modification this adversarial example is”
Which of the ways to measure attacks is the following:
“how fast the computation is”
a. misclassification
b. imperceptibility
c. robustness
d. speed
d. speed
“how fast the computation is”
What are the 3 measures of Misclassification?
1. Misclassification Ratio (MR)
2. Average Confidence of Adversarial Class (ACAC)
3. Average Confidence of True Class (ACTC)
The 3 measures of Misclassification
1. Misclassification Ratio (MR)
2. Average Confidence of Adversarial Class (ACAC)
3. Average Confidence of True Class (ACTC)
Which Misclassification measure is the following:
“the percentage of adversarial examples, which are successfully misclassified as relating to an arbitrary class”
a. Misclassification ratio (MR)
b. Average Confidence of Adversarial Class (ACAC)
c. Average Confidence of True Class (ACTC)
a. Misclassification ratio (MR)
“the percentage of adversarial examples, which are successfully misclassified as relating to an arbitrary class”
Which Misclassification measure is the following:
“The average prediction confidence toward the incorrect class”
a. Misclassification ratio (MR)
b. Average Confidence of Adversarial Class (ACAC)
c. Average Confidence of True Class (ACTC)
Misclassification Measure
b. Average Confidence of Adversarial Class (ACAC)
“The average prediction confidence toward the incorrect class”
Which Misclassification measure is the following:
“Averaging the prediction confidence of true classes for AEs, ACTC is used to further evaluate the extent to which the attacks escape from the ground truth”
a. Misclassification ratio (MR)
b. Average Confidence of Adversarial Class (ACAC)
c. Average Confidence of True Class (ACTC)
c. Average Confidence of True Class (ACTC)
“Averaging the prediction confidence of true classes for AEs, ACTC is used to further evaluate the extent to which the attacks escape from the ground truth”
What are the 3 measures of Imperceptibility?
- Average Lp Distortion (ALDp)
- Average Structural Similarity (ASS) [image specific]
- Perturbation Sensitivity Distance (PSD) [image-specific]
The 3 measures of Imperceptibility
- Average Lp Distortion (ALDp)
- Average Structural Similarity (ASS) [image specific]
- Perturbation Sensitivity Distance (PSD) [image-specific]
Which Imperceptibility measure is the following:
“As the average normalized Lp distortion for all successful adversarial examples”
a. Average Lp Distortion (ALDp)
b. Average Structural Similarity (ASS) [image-specific]
c. Perturbation Sensitivity Distance (PSD) [image-specific]
Measure of Imperceptibility:
a. Average Lp Distortion (ALDp)-
“As the average normalized Lp distortion for all successful adversarial examples”
Which Imperceptibility measure is the following:
“Structural similarity is considered to be more consistent with human visual perception than Lp similarity”
a. Average Lp Distortion (ALDp)
b. Average Structural Similarity (ASS) [image-specific]
c. Perturbation Sensitivity Distance (PSD) [image-specific]
A measure of Imperceptibility
b. Average Structural Similarity (ASS) [image-specific]
“Structural similarity is considered to be more consistent with human visual perception than Lp similarity”
Which Imperceptibility measure is the following:
“Based on the contrast masking theory, this measure is proposed to evaluate human perception of perturbations”
a. Average Lp Distortion (ALDp)
b. Average Structural Similarity (ASS) [image-specific]
c. Perturbation Sensitivity Distance (PSD) [image-specific]
A measure of Imperceptibility
c. Perturbation Sensitivity Distance (PSD) [image-specific]
“Based on the contrast masking theory, this measure is proposed to evaluate human perception of perturbations”
What are the 3 measures of Robustness?
- Noise Tolerance Estimation (NTE)
- Robustness to Gaussian Blur (RGB)
- Robustness to Image Compression (RIC) [image-specific]
The 3 measures of Robustness
- Noise Tolerance Estimation (NTE)
- Robustness to Gaussian Blur (RGB)
- Robustness to Image Compression (RIC) [image-specific]
Which Robustness measure is the following:
“Noise tolerance reflects the amount of noise that AEs can tolerate while keeping the misclassified class unchanged”
a. Noise Tolerance Estimation (NTE)
b. Robustness to Gaussian Blur (RGB)
c. Robustness to Image Compression (RIC) [image-specific]
a. Noise Tolerance Estimation (NTE)
“Noise tolerance reflects the amount of noise that AEs can tolerate while keeping the misclassified class unchanged”
Which Robustness measure is the following:
“Gaussian Blur is widely used as a pre-processing stage in computer vision algorithms to reduce noise in images”
a. Noise Tolerance Estimation (NTE)
b. Robustness to Gaussian Blur (RGB)[image-specific]
c. Robustness to Image Compression (RIC) [image-specific]
Measure of Robustness
b. Robustness to Gaussian Blur (RGB)[image-specific]
“Gaussian Blur is widely used as a pre-processing stage in computer vision algorithms to reduce noise in images”
Which Robustness measure is the following:
“Image-specific measure similar to RGB”
a. Noise Tolerance Estimation (NTE)
b. Robustness to Gaussian Blur (RGB)[image-specific]
c. Robustness to Image Compression (RIC) [image-specific]
Robustness measure:
“Image-specific measure similar to RGB”
c. Robustness to Image Compression (RIC) [image-specific]
5 Measures of Speed:
-Single CPU
-Single GPU
-Parallel CPU
-Parallel GPU
-Memory consumption
5 Measures of Speed:
-Single CPU
-Single GPU
-Parallel CPU
-Parallel GPU
-Memory consumption
What are the steps to choose Metrics for Better Attacks?
i. Misclassification
ii. Imperceptibility
iii. Robustness
a. 1,2,3
b. 2,1,3
c. 3,2,1
d. none
Steps to choose Metrics for Better Attacks
a. 1,2,3
i. Misclassification
ii. Imperceptibility
iii. Robustness
_______ attacks produce much smaller changes and bypass defensive distillation
a. advanced attacks
b. list attacks
c. listed attacks
d. adversarial attacks
a. advanced attacks
advanced attacks produce much smaller changes and bypass defensive distillation
Which attack provides 3 different attack options (L0, L2, L∞) and also uses box constraints such as Adam?
a. CW Attack
b. L-BFGS
c. FGSM
a. CW Attack
CW Attack logic
- provides 3 different attack options (L0, L2, L∞)
- also uses box constraints such as Adam
Why use DeepFool Attack over L-BFGS, FGSM, and CW Attack?
a. CW attack is slow
b. L-BFGS and FGSM perturbations are big
c. We need faster solutions with smaller perturbations.
d. All of the above are reasons why we need DeepFool
d. All of the above are reasons why we need DeepFool
Need DeepFool Attack
1. L-BFGS and FGSM perturbations are big
2. CW Attack is slow
3. Need faster solutions with smaller perturbations
Which attack was the first method specifically for deep networks?
a. DeepFool
b. CW
c. L-BFGS
d. FGSM
a. DeepFool
DeepFool- attack was the first method specifically for deep networks
What is a big advantage to DeepFool?
a. Faster than CW
b. Finds the closest decision boundary to a given X
c. step by step calculates the best pixels
d. none of the above
b. Finds the closest decision boundary to a given X
The biggest advantage of DeepFool is that it finds the closest decision boundary to a given X
steps:
1. Step by step calculate the best pixels to change
2. Algorithm perturbs the image by a small vector
3. Vector takes the resulting image to the boundary of the polyhedron that is obtained by linearizing the boundaries of the image region.
_______ attack is a universal approach to analysis of model security against adversarial examples
a. PGD (Projected Gradient Descent) attack
b. DeepFool
c. CW
d. L-BFGS
a. PGD attack
PGD attack is a universal approach to analysis of model security against adversarial examples
Among the white-box defenses that appeared at ICLR-2018 and CVPR-2018, _______ was the only defense that has not been successfully attacked so far.
a. PGD adversarial
b. Deep Fool
c. CW
d. L-BFGS
a. PGD adversarial
The only defense that has not been successfully attacked so far.
_____ is a variation of the BIM method, but instead of directly clipping Xadv + pXadv at Xmin, Xmax, it performs a projection of pXadv onto the Lp-ball with radius ε_total.
a. PGD (Projected Gradient Descent)
b. BIM
c. PGD Adversarial
a. PGD (Projected Gradient Descent)
is a variation of the BIM method, but instead of directly clipping Xadv + pXadv at Xmin, Xmax, it performs a projection of pXadv onto the Lp-ball with radius ε_total.
_____ wants the closest similarity to another class with minimum perturbation for a source input
a. PGD (Projected Gradient Descent)
b. BIM
c. PGD Adversarial
d. PGD
d. PGD (Projected Gradient Descent)
-wants the closest similarity to another class with minimum perturbation for a source input
_____ goal is to find model parameters so that the “adversarial loss” given by the inner attack problem is minimized.
a. PGD (Projected Gradient Descent)
b. BIM
c. PGD Adversarial
d. PGD
d. PGD
goal is to find model parameters so that the “adversarial loss” given by the inner attack problem is minimized.
BIM attack is better than FGSM because:
a. it's faster
b. it's more precise
c. uses fewer resources
d. can be optimized to work on GPU
b. it's more precise
Both BIM and FGSM work on GPU
CW attack was invented to
a. bypass adversarial training defense
b. invent the fastest attack
c. use fewer resources
d. bypass defensive distillation
d. bypass defensive distillation
The main idea of the CW attack: it was created to bypass defensive distillation protection
Which attack is the most similar to DeepFool by the Imperceptibility metric?
a. BIM
b. FGSM
c. CW
d. PGD
c. CW
BIM is different from PGD according to Imperceptibility metrics.
Why is PGD better than BIM in practice?
a. can find same Adversarial examples much faster
b. always more precise
c. more robust
d. faster
a. can find same Adversarial examples much faster
Note: BIM usually calculates attacks faster than PGD
Which attack has the worst robustness?
a. FGSM
b. CW
c. BIM
d. PGD
b. CW
FGSM is not the best attack but robustness is quite ok.
What is the best approach to protect AI solutions?
a. PPDR (predict, prevent, detect, respond)
b. PPRD (predict, prevent, respond, detect)
c. RDPP (respond, detect, predict, prevent)
a. PPDR (predict, prevent, detect, respond)
Out of the PPDR Model which part uses the following information: “Protects a model production - testing and verification”?
a. predict
b. prevent
c. respond
d. detect
a. predict
“Protects a model production - testing and verification”
Out of the PPDR Model which part uses the following information: “Preventing attacks at the production stage by different model modifications?”
a. predict
b. prevent
c. respond
d. detect
b. prevent
“Preventing attacks at the production stage by different model modifications”
Out of the PPDR Model which part uses the following information: “Active reaction to attacks such as modification of model responses?”
a. predict
b. prevent
c. respond
d. detect
c. respond
“Active reaction to attacks such as modification of model responses”
Out of the PPDR Model which part uses the following information: “If an input is adversarial, don’t let this data into a model?”
a. predict
b. prevent
c. respond
d. detect
d. detect
“If an input is adversarial, don’t let this data into a model”
Which approach in PREDICTION is the following:
“sub-category that collects all defenses that somehow modify the training procedure to minimize the chances of potential attacks”?
a. modified training
b. verification
PREDICTION Method
a. modified training
A sub-category that collects all defenses that somehow modify the training procedure to minimize the chances of potential attacks
Which approach in PREDICTION is the following:
“sub-category that is NOT an actual defense but a health check trying to explore all the potential ways to attack a model and as a result present the worst-case scenarios”
a. modified training
b. verification
PREDICTION Method
b. verification
verification - “sub-category that is NOT an actual defense but a health check trying to explore all the potential ways to attack a model and as a result present the worst-case scenarios”
Which approach in PREVENTION is the following:
“sub-category modifying an input in order to corrupt or smooth objects (compression, purification, randomization, and many other approaches)”
a. modified input
b. modified model
PREVENTION Method
a. modified input
“sub-category modifying an input in order to corrupt or smooth objects (compression, purification, randomization, and many other approaches)”
Which approach in PREVENTION is the following:
“Modifying an ML model in order to prevent attacks (changing hyperparameters, activation functions, layers, or combining multiple models together)”
a. modified input
b. modified model
PREVENTION method
b. modified model
“Modifying an ML model in order to prevent attacks (changing hyperparameters, activation functions, layers, or combining multiple models together)”
Which approach in DETECTION is the following:
“Detecting potential attacks on ML models by learning initial distribution”
a. Supervised Detection
b. Unsupervised Detection
DETECTION method
a. Supervised Detection
“Detecting potential attacks on ML models by learning initial distribution”
Which approach in DETECTION is the following:
“(1) Detecting potential attacks on ML models without initial training; (2) It learns behavior from all inputs and detects outliers.”
a. Supervised Detection
b. Unsupervised Detection
DETECTION method
b. Unsupervised Detection
“(1) Detecting potential attacks on ML models without initial training; (2) It learns behavior from all inputs and detects outliers.”
Which approach in RESPONSE is the following:
“Detecting outliers and deleting them from training in order to save the model from retraining and poisoning attacks”
a. Retraining
b. Counterattack
RESPONSE METHOD
a. Retraining
“Detecting outliers and deleting them from training in order to save the model from retraining and poisoning attacks”
Which approach in RESPONSE is the following:
“Responding to potential attacks by detecting attack attempts and replying in such a way that attacks will continue heading in the wrong direction”
a. Retraining
b. Counterattack
RESPONSE METHOD
b. Counterattack
“Responding to potential attacks by detecting attack attempts and replying in such a way that attacks will continue heading in the wrong direction”
How to Detect and Measure Priority
a. predict, prevent, detect
b. detect, prevent, predict
c. prevent, detect, predict
a. predict, prevent, detect
Adversarial training, regularization, and distillation are examples of which method:
a. modified training
b. modified model
c. modified input
d. none of the above
a. modified training
PREDICTION Measure
Examples: Adversarial training, regularization, distillation
Pro/Con: very time consuming
Reconstruction, Compression, and Purification
are examples of which method:
a. modified training
b. modified model
c. modified input
d. none of the above
c. modified input
PREVENTION
Examples: Reconstruction, compression, and purification
Pro/Con: very good but application specific
Binary classifier and Additional Output
are examples of which method:
a. add-on detection
b. modified model
c. modified input
d. none of the above
a. add-on detection
Examples: Binary Classifier and Additional Output
Pro/Con: very diverse with respect to quality and speed
Adversarial training is?
a. predict
b. prevent
c. detect
d. respond
Adversarial training is an example of prediction
What is the most model-specific defense
a. Verification
b. Input modification
c. Detection
d. Model modification
d. Model modification
model modification defense is the most model-specific
What is the best Adversarial training defense from those which were tested in this video
a. NAT
b. EAT
c. PAT
d. EIT
b. EAT
What is the WORST metric for modified input defense?
a. CRS
b. CRR
c. CAV
d. CCV
c. CAV
CAV - the worst metric for modified input defense
Which defense has CVV =0
a. NAT
b. Thermometer Encoding
c. EIT
d. Region-based Classification
RC defense shows the minimum CVV rate.
Steps to Start AI Security Project
i. select attacks
ii. select defenses
iii. test attacks vs. defenses
a. 1,2,3
b. 3,2,1
c. 2,1,3
d. 2,3,1
Steps to Start AI Security Project:
a. 1,2,3
i. select attacks
ii. select defenses
iii. test attacks vs. defenses
How do we know which application to run?
-Which application you are targeting
-What task it will solve
-What is the algorithm category
-What is the attacker's goal, etc.
Know which application to run by asking these questions:
-Which application you are targeting
-What task it will solve
-What is the algorithm category
-What is the attacker's goal, etc.
How do we know which defense to run?
-Which attack you are targeting
-By what category
-What is the algorithm category
-What are the restrictions
We know which defense to run by asking these questions:
-Which attack you are targeting
-By what category
-What is the algorithm category
-What are the restrictions
Combining Application + Defense Mechanism
-You should only have 1 defense
-Ensemble defense
-Use multiple datasets
-Use multiple hyperparameters
-Use Multiple attacks
Combine Testing: Application + Defense Mechanism
-You should only have 1 defense
-Ensemble defense
-Use multiple datasets
-Use multiple hyperparameters
-Use Multiple attacks
True or False:
Face Recognition could be cheated with the help of special glasses
True
Face Recognition could be cheated with the help of special glasses
____ the way we read or hear a language
speech perception
speech perception- the way we read or hear a language
What is the first step in AI security project?
a. Identify AI object Task, Threats
b. Choose attacks
c. Choose Defense
d. calculate metrics
a. Identify AI object Task, Threats
How can the AI backdoor problem be used for good?
a. captcha protection
b. watermarks
c. password protection
d. privacy protection
b. watermarks
Reasoning:
Backdoors CAN be used for watermarks
Backdoors cannot be used for privacy protection
How many AI security articles and methods have been published on Arxiv so far?
1000+
What is the last step in an AI security project?
a. defense testing
b. attack testing
c. metric evaluation
d. threat modeling
c. metric evaluation