Adversarial Forensics/ DS Theory/ Deep Web Forensics

Question 1

Considering an adversarial set-up between a forgerer (F) and a forensic analyst (FA), we can state that …

Select one or more:

a. FA never cares about false negatives
b. FA wants to detect fake data
c. F aims at maximizing the probability that the data are classified as valid by FA with minimum distortion
d. F aims at altering the data so that FA detect them as valid.
e. F aims at maximizing the probability that the data are classified as valid by FA regardless of distortion

Answer 1

b. FA wants to detect fake data
c. F aims at maximizing the probability that the data are classified as valid by FA with minimum distortion
d. F aims at altering the data so that FA detect them as valid.

Question 2

According to Dempster-Schafer theory, the belief associated to a given evidences or hypothesis …

Select one or more:

a. … is always lower than the plausibility.
b. … can be higher than probability.
c. … it correspond to 1 minus the plausibility of that evidence/hypothesis
d. … characterizes how much the evidence/hypothesis is provable.

Answer 2

a. … is always lower than the plausibility.

d. … characterizes how much the evidence/hypothesis is provable.

Question 3

Given a set of data valid sources that can be modeled as Bernoulli processes with probability 𝑝=0.8,0.85,0.75 and a fake data source characterized by probability 𝑞=0.9, which target probability should a forgerer obtain by altering the input data (assuming that the forensic analyst wants to zero the probability of rejecting valid data)?

Answer 3

0,85

Question 4

Which among the following adversarial ML attacks is the LEAST computationally expensive?

Select one:

a. Jacobian-based Saliency Map Attack (JSMA)
b. Fast Gradient Sign method (FGSM)
c. Deepfool
d. Broyden-Fletcher-Goldfarb-Shanno method (BFGS)
e. Carlini & Wagner

Answer 4

b. Fast Gradient Sign method (FGSM)

Question 5

Given a set of data valid sources that can be modeled as Bernoulli processes with probability p= 0.57 , 0.6, 0.55 and a fake data source characterized by probability q=0.74, which reference probability should a forensic analyst choose in order to avoid discarding valid data and minimize the probability of accepting fake data?

Assume that the forensic analyst compute the difference between the estimated probability and a reference plausible values with an acceptance threshold equal to 0,2; assume also that he wants to zero the probability of rejecting valid data.

Answer 5

0,40

Question 6

According to the DS theory, the value of the mass function for the empty set ∅
is 0.

Select one:
True
False

Answer 6

true

Question 7

Among the following, select the wrong statement about the Frechet Inception Distance or FID.

Select one:

a. It is robust to noise
b. It models real and fake data as a multivariate distributions.
c. It is not affected by visual artifacts
d. It can be computed using mean and covariance matrix for fake and real data only.

Answer 7

c. It is not affected by visual artifacts

Question 8

Given three IDS whose evidence results can be combined using DS theory, we can state that …

Select one or more:

a. … you must have a mass entry also for null intersections
b. … order of binary combination does not matter.
c. … you must have a mass entry for each non-null intersection

Answer 8

b. … order of binary combination does not matter.

c. … you must have a mass entry for each non-null intersection

Question 9

Given a set of data valid sources that can be modeled as Bernoulli processes with probability p= 0.59 , 0.71, 0.61 and a fake data source characterized by probability q=0.91, which target probability should a forgerer obtain by altering the input data? Assume that the forensic analyst compute the difference between the estimated probability and a reference plausible values; assume also that he wants to zero the probability of rejecting valid data.

Answer 9

0.71

Question 10

In adversarial machie learning, which of the following attack combination scenarios prove to be the most challenging …

Select one:

a. Blackbox individual attack
b. Blackbox targeted attack
c. Whitebox universal attack.
d. Whitebox targeted attack

Answer 10

Blackbox targeted attack

Question 11

According to Dempster-Schafer theory, the domain of the mass function is the universe set 𝑋={𝑎,𝑏,𝑐,…} corresponding to the different possible events.

Select one:
True
False

Answer 11

False

Question 12

According to the DS theory, plausibility is the probability that A is provable (supported) by the evidence.

Select one:
True
False

Answer 12

False

Question 13

Which of the following attack types are most likely adressing an IDS?

Select one:

a. Poisoning attack
b. Evasion attack
c. Model extraction

Answer 13

b. Evasion attack

Question 14

In clean data learning for anomaly detection, we can NOT use the training set to create …

Select one:

a. A dynamical system from Partial Differential Equations
b. ARMA models
c. Recurrent Neural Networks
d. A multiclass SVM classifier

Answer 14

d. A multiclass SVM classifier

Question 15

Which of the following loss function can lead to a vanishing gradient problem in a GAN?

Select one:

a. 𝐿(𝐷,𝐺)=−0.5𝐸𝑧[log𝐷(𝐺(𝑧))]
b. 𝐿(𝐷,𝐺)=𝐷(𝑥)−𝐷(𝐺(𝑧))
c. 𝐿(𝐷,𝐺)=𝐸𝑥[log𝐷(𝑥)]+𝐸𝑧[log(1−𝐷(𝐺(𝑧)))]

Answer 15

c. 𝐿(𝐷,𝐺)=𝐸𝑥[log𝐷(𝑥)]+𝐸𝑧[log(1−𝐷(𝐺(𝑧)))]

Question 16

Given a GAN where the generator function can be denoted as 𝐺(𝑧) and the discriminator function as 𝐷(𝑥) (𝐷(𝑥)=0 implies x is fake, 𝐷(𝑥)=1 implies x is real), the function to be minimized (maximized) by the generator (discriminator) is

𝐿(𝐷,𝐺)=𝐸[𝑙𝑜𝑔𝐷(𝑥)]+𝐸[𝑙𝑜𝑔(1−𝐷(𝐺(𝑧)))]
The distribution of real data can be modeled by the function 𝑝𝑟(𝑥)
while the fake data follows the distribution 𝑝𝑔(𝑥)
It is therefore possible to state …

Select one or more:

a. if 𝑝𝑔→𝑝𝑟 then 𝐷(𝐺(𝑧))→1/2
b. if 𝑝𝑔→𝑝𝑟 then 𝐷(𝐺(𝑧))→0
c. The generator aims at having 𝐷(𝐺(𝑧))=0
d. the learning process can be assimilated to a MAP estimation problem.
e. the cost function takes into account the vanishing gradient problem at the generator.
f. The discriminator aims at having 𝐷(𝐺(𝑧))=0

Answer 16

f. The discriminator aims at having 𝐷(𝐺(𝑧))=0
a. if 𝑝𝑔→𝑝𝑟 then 𝐷(𝐺(𝑧))→1/2
d. the learning process can be assimilated to a MAP estimation problem.

Question 17

Among the weaknesses of Tor networks we can mention
Select one or more:
a. timing analysis 
b. packet stream profiling
c. attacks on the exit node

Answer 17

a. timing analysis

c. attacks on the exit node

Question 18

The metric Inception Score (IS) will provide a high values for GANs that …. (select the correct statement)

Select one:

a. generate realistic data 𝐱
b. aim at making 𝑝(𝑦|𝐱) as uniform as possible.
c. aim at making 𝑝(𝑦) as uniform as possible.
d. generate 𝑝(𝑦) with a low entropy.

Answer 18

c. aim at making 𝑝(𝑦) as uniform as possible.

Question 19

Assign each [belief,plausibility] couple to the correct statement.
[1,1]
[0,1]
[0.3,0.7]
[0.75,0.9]

the hypothesis is not totally possible,
I can not conclude anything on the hypothesis
I am sure that the hypothesis is true
Although not completely plausible, there is a strong belief that the hypothesis is true.

Answer 19

[1,1] → I am sure that the hypothesis is true.,
[0,1] → I can not conclude anything on the hypothesis,
[0.3,0.7] → the hypothesis is not totally possible,
[0.75,0.9] → Although not completely plausible, there is a strong belief that the hypothesis is true.

Question 20

In TOR network, …

Select one or more:

a. The Onion Proxy knows all the keys
b. data are encrypted at the Onion Proxy only
c. data are encrypted at each link
d. the whole routing path can be hidden

Answer 20

c. data are encrypted at each link

d. the whole routing path can be hidden

Question 21

In the Tor network, traffic profiling can be avoided …

Select one or more:

a. including padding packets in the stream
b. rerouting packets along different paths.
c. splitting streams into chunks of 512 bytes

Answer 21

a. including padding packets in the stream

c. splitting streams into chunks of 512 bytes

Question 22

In adversarial ML, which among the following definitions proves to be more suitable for an attack algorithm that aims at forcing the classifier into misclassifying a single sample into a predefined class and knows the detection algorithm, as well as its parameters

a. Individual untargeted whitebox attack
b. Individual targeted blackbox attack
c. Universal targeted whitebox attack
d. Individual targeted whitebox attack

Answer 22

d. Individual targeted whitebox attack

Question 23

Which among the following adversarial strategies perturbs one feature at a time?

Select one

a. BFGS
b. JSMA
c. C&W

Answer 23

b. JSMA

Question 24

Provide a description of Generative Adversarial Networks (GANs): define principles, structures, cost functions and related problems.

Question 25

Suppose that you want to evaluate a set of different GANs using the Frechet Inception Distance (FID) – Inception Score (IS). How does it work and what are the related issues?

Question 26

Considering the Frechet Inception Distance FID select the wrong among the following ones

a. It can detect mode dropping
b. It is sensitive to some artifacts
c. It favores detectable objects rather than realistic ones
d. it assumes a Gaussian distribution

Answer 26

c. It favores detectable objects rather than realistic ones

Question 27

Which among the following technologies is not offered as illegal services on-demand (Crime-as-a-Service or CaaS)

a. Adversarial Machine Learning
b. Deepfake creation
c. Ransomware
d. Phishing

Answer 27

a. Adversarial Machine Learning

Question 28

Considering the TOR protocol, select the wrong statement among the following ones

Select one:

a. Message m through relay nodes R1,R2,R3 is encrypted as K1(K2(K3(m)))
b. only the first router knows the destination node
c. padding packets can be used to keep the connection alive
d. using cells of 512 byte permits mitigating the problem of profiling

Answer 28

b. only the first router knows the destination node

Question 29

Describe Tor protocols and how they affect the network forensics investigations.

Question 30

Present the Dempster-Schafer theory and explain how it can be employed in sensor fusion.

Question 31

Given a system failure, two experts (John and Paul) are evaluating the different HIDS and NIDS of different machines to identify the source of the attack. System failure could be caused be Terminal A, Terminal B or Terminal C. John believes that the failure is due to terminal
1
A with a mass m1(A) = 0.8 or to terminal B with mass m1(B) = 0.1; uncertainty is 0.01. Paul believes that the failure is due to computer C with m2(C) = 0.9 or to the others with mass 0.05 (m2(A,B)); uncertainty is 0.05. Compute a Dempster-Schafer combination of John and Paul opinions. Describe each step and make a table of values.

Question 32

Present and discuss two adversarial scenarios in Digital Forensics.

Question 33

Generative Adversarial Network (GAN): definition, cost function to be minized and applications.