ML Security Flashcards
-The science of making things smart, i.e., human tasks performed by machines (examples: visual recognition, natural language processing)
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
A. Artificial Intelligence (AI) - The science of making things smart, i.e., human tasks performed by machines (examples: visual recognition, natural language processing). The ability of machines to perform human tasks.
-One of many approaches to AI that uses a system capable of learning from experience. Makes decisions based on data rather than explicit algorithms.
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
B. Machine Learning (ML)
-One of many approaches to AI that uses a system capable of learning from experience. Makes decisions based on data rather than explicit algorithms.
-A set of techniques for implementing machine learning that recognizes patterns of patterns (for example, image recognition). Identifies object boundaries, type, and structure.
A. Artificial Intelligence (AI)
B. Machine Learning (ML)
C. Deep Learning (DL)
C. Deep Learning (DL)
A set of techniques for implementing machine learning that recognizes patterns of patterns (for example, image recognition).
Different applications work with different data.
What is an AI Threat?
A. Hackers can break the system through stickers on stop signs
B. Hackers can bypass facial recognition
C. Hackers can break web platforms and filters via social media
D. Home assistants like Nest can be broken
E. All of the above
E. All of the above are AI threats.
a. Self-Driving Car Threat:
Hackers can break the system through stickers on stop signs
b. Classification / Image Threat:
Hackers can bypass facial recognition
c. Social Media Threat:
Hackers can break web platforms and filters via social media
d. Home Automation Threat:
Home assistants like Nest can be broken
Which algorithm category do the following belong to?
-Classification
-Regression
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Classification
-Regression
A. Supervised
Which algorithm category do the following belong to?
-Clustering
-Dimensionality Reduction
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Clustering
-Dimensionality Reduction
B. Unsupervised
Which algorithm category do the following belong to?
-Generative models
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Generative models
C. Semi-Supervised
Which algorithm category does the following belong to?
-Reinforcement learning
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
-Reinforcement learning
D. Reinforcement Learning
How are AI attacks classified?
A. confidentiality, availability, and integrity (triad)
B. Espionage, sabotage, and fraud
C. Availability, fraud, and integrity
D. A and B
D. A and B
How AI attacks are classified:
A. confidentiality, availability, and integrity (the CIA triad)
and
B. Espionage, sabotage, and fraud
What are the steps to start an AI Security Project?
i. Identify an AI object and a task
ii. Understand the algorithm category and the algorithm itself
iii. Choose an AI attack relevant to your task and algorithm
A. 3,2,1
B. 2,1,3
C. 1,2,3
D. 3,1,2
Steps to start an AI Security Project:
C. 1,2,3
i. Identify an AI object and a task
ii. Understand the algorithm category and the algorithm itself
iii. Choose an AI attack relevant to your task and algorithm
True or False:
AI threats are similar / mostly the same, but their approaches are different
True
AI threats are similar / mostly the same, but their approaches are different.
Reasoning: The difference comes from the algorithms.
Steps to set up your environment:
i. Determine whether you have an NVIDIA GPU
ii. Choose an operating system (Ubuntu is recommended)
iii. Follow the provided guidelines
A. 3,2,1
B. 1,2,3
C. 2,1,3
D. 3,1,2
Steps to set up your environment:
i. Determine whether you have an NVIDIA GPU
ii. Choose an operating system (Ubuntu is recommended)
iii. Follow the provided guidelines
B. 1,2,3
Which attack cannot be used for breaking the integrity of AI?
a. Backdoor
b. Adversarial
c. Inference attack
d. Poisoning
c. Inference attack
Inference attacks don't break functionality; they extract critical data.
REASONING:
Adversarial attacks - break integrity by misclassification
Poisoning - poisoning breaks integrity
Backdoor - backdoor attacks break integrity
What is the most important hardware for this course?
a. CPU
b. GPU
c. RAM
d. HDD
The most important hardware:
b. GPU
The model is trained on a labeled dataset. Examples: classification and regression.
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
A. Supervised
Supervised - The model is trained on a labeled dataset. Examples: classification and regression.
The model attempts to automatically find structure in the data by extracting useful features and analyzing its structure. Examples: clustering, association, dimension reduction (generalization)
A. Supervised
B. Unsupervised
C. Semi-Supervised
D. Reinforcement Learning
B. Unsupervised
Unsupervised - The model attempts to automatically find structure in the data by extracting useful features and analyzing its structure. Examples: clustering, association, dimension reduction (generalization)
Imagine a road sign detection system aiming to classify signs. A supervised learning approach is usually used. Examples of certain groups are known, and all classes should be defined at the beginning. This method is:
A. Classification
B. Regression
C. Clustering
A. Classification
Classification - Imagine a road sign detection system aiming to classify signs. A supervised learning approach is usually used. Examples of certain groups are known, and all classes should be defined at the beginning.
The knowledge about existing data is utilized to form an idea about new data (the past explains the future). Example: stock price prediction.
A. Classification
B. Regression
C. Clustering
B. Regression
Regression - The knowledge about existing data is utilized to form an idea about new data (the past explains the future). Example: stock price prediction.
An unsupervised learning approach is usually used. Examples of certain groups are known, but information about classes in the data is unknown.
A. Classification
B. Regression
C. Clustering
C. Clustering
Clustering - An unsupervised learning approach is usually used. Examples of certain groups are known, but information about classes in the data is unknown.
Algorithms: KNN (K-Nearest Neighbor), K-Means, Mixture Model (LDA)
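A minimal sketch of clustering in practice, assuming scikit-learn and synthetic data of my own (not from the course):

```python
# Illustrative K-Means clustering on unlabeled synthetic data.
import numpy as np
from sklearn.cluster import KMeans

rng = np.random.default_rng(0)
# Two blobs of 2-D points standing in for unlabeled data.
data = np.vstack([rng.normal(0, 1, (50, 2)), rng.normal(5, 1, (50, 2))])

kmeans = KMeans(n_clusters=2, n_init=10, random_state=0).fit(data)
print(kmeans.labels_[:10])       # cluster assignments found without labels
print(kmeans.cluster_centers_)   # learned group centers
```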
Necessary if you deal with complex systems with unlabeled data and many potential features (e.g., facial recognition)
A. Classification
B. Dimension Reduction (Generalization)
C. Clustering
D. Generative Models
B. Dimension Reduction (Generalization)
Dimension Reduction - Necessary if you deal with complex systems with unlabeled data and many potential features (e.g., facial recognition)
_______ designed to simulate the actual data, not decisions, based on previous data.
Generates AI data based on previous data.
A. Classification
B. Dimension Reduction (Generalization)
C. Clustering
D. Generative Models
D. Generative Models
Generative Models - Generate AI data based on previous data; designed to simulate the actual data, not decisions, based on previous data.
________ A behavior that depends on the changing environment.
A. Reinforcement Learning
B. Dimension Reduction (Generalization)
C. Active Learning
D. Generative Models
A. Reinforcement Learning
Reinforcement Learning - A behavior that depends on the changing environment.
(Behavior should react to the changing environment. Trial and error.)
_____ A subclass of reinforcement learning, which helps correct errors, in addition to the environment changes
A. Reinforcement Learning
B. Dimension Reduction (Generalization)
C. Active Learning
D. Generative Models
C. Active Learning
Active Learning - A subclass of reinforcement learning that helps correct errors in addition to environment changes.
Acts as a teacher who can help correct errors in addition to environment changes.
_________ are inputs to machine learning models that result in an incorrect output.
A. adversarial example
B. king penguin
C. starfish
D. baseball
A. adversarial example
Adversarial example - inputs to machine learning models that result in an incorrect output.
Reasoning:
b. King penguin - is an adversarial example
c. Starfish - is an adversarial example
d. Baseball - is an adversarial example
________ - Is the cause for ML models to create a false prediction.
A. adversarial example
B. king penguin
C. starfish
D. baseball
A. adversarial example
Adversarial example - The cause for ML models to create a false prediction.
___________ tries to move inputs across the decision boundary?
A. adversarial example
B. king penguin
C. adversarial attacks
D. baseball
C. adversarial attacks
ADVERSARIAL ATTACKS - try to move inputs across the decision boundary.
How AI Attacks Work:
What do AI Attacks calculate?
A. How much input changes affect the outputs.
B. How much output changes affect the inputs.
C. Decision boundary
D. Neither
A. How much input changes affect the outputs.
AI attacks work by calculating how much INPUT changes AFFECT the OUTPUT.
What do you need to calculate AI Attacks?
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. All the above
d. All the above
What you need to calculate AI Attacks:
1. Gradient
2. Loss Function
3. Optimal Perturbations measuring Lp Norms
______ defines how good a given model is at making predictions for a given scenario.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
b. Loss function
Loss Function - Defines how good a given model is at making predictions for a given scenario
What method has the following characteristics:
-it has its own curve and gradients
-slope of the curve indicates the appropriate way of updating the parameters to make the model's predictions more accurate
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
b. Loss function
-it has its own curve and gradients
-slope of the curve indicates the appropriate way of updating the parameters to make the model's predictions more accurate
____ a fancy word for derivative; a vector. Means rate of change.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
a. Gradient
Gradient - a fancy word for derivative; a vector. Means rate of change.
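A small sketch of what "rate of change" means for an attacker, assuming PyTorch and a toy linear model of my own (not the course's code): the gradient of the loss with respect to the input tells you how input changes affect the output.

```python
# Gradient of a loss w.r.t. the INPUT, the core quantity behind AI attacks.
import torch
import torch.nn.functional as F

x = torch.randn(1, 3, requires_grad=True)  # toy input
w = torch.randn(3, 2)                      # toy "model": one linear layer
target = torch.tensor([1])                 # toy label

loss = F.cross_entropy(x @ w, target)      # loss function
loss.backward()                            # compute gradients
print(x.grad)  # rate of change of the loss per input feature
```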
_____ attacks try to move inputs across the decision boundary.
a. Gradient
b. Loss function
c. Optimal Perturbations measuring Lp Norms
d. None of the Above
c. Optimal Perturbations measuring Lp Norms
_____ attacks try to move inputs across the decision boundary.
Perturbation attacks try to move inputs across the decision boundary.
____ denotes the maximum change for all pixels in the adversarial examples
a. l∞ (l-infinity)
b. u
c. l0
d. none of above
a. l∞ (l-infinity)
l∞ denotes the maximum change over all pixels in the adversarial examples. (Used in perturbation measurement)
_____ denotes the number of pixels changed in the adversarial examples.
a. l∞ (l-infinity)
b. u
c. l0
d. none of above
c. l0
l0 denotes the number of pixels changed in the adversarial examples. (Used in perturbation measurement)
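A quick sketch of measuring a perturbation with these two norms, using NumPy on toy pixel values of my own:

```python
# l0 and l-infinity norms of a perturbation between two "images".
import numpy as np

original = np.array([0.2, 0.5, 0.9, 0.1])
adversarial = np.array([0.2, 0.6, 0.9, 0.3])
delta = adversarial - original

l0 = np.count_nonzero(delta)    # number of pixels changed -> 2
linf = np.max(np.abs(delta))    # maximum change over all pixels -> 0.2
print(l0, linf)
```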
Topic: “Do ML Algorithms Have Vulnerabilities?”
Ex.: a malefactor implements bypass techniques for spam sending. All the algorithms that ML models are based on (from SVMs to random forests and neural networks) are vulnerable to different kinds of adversarial inputs. This type of attack targets which form of ML?
a. Classification
b. Random Forests
c. K-Means
d. Regression
a. Classification
Adversarial Classification -
An attack where a malefactor implements bypass techniques, e.g., for spam sending. All the algorithms that ML models are based on (from SVMs to random forests and neural networks) are vulnerable to different kinds of adversarial inputs.
Which type of ML algorithm has few examples of practical attacks?
a. Classification
b. Random Forests
c. K-Means
d. Regression
d. Regression
Regression - a type of ML algorithm that has FEW EXAMPLES of PRACTICAL attacks.
Source: “Adversarial Regression with Multiple Learners 2018”
True / False:
Most attacks used in Classification can be used in Regression.
TRUE
MOST attacks used in Classification CAN BE USED in Regression
Reasoning: Condition Based Instance and Null Analysis
Which type of ML algorithm (e.g., auto-encoders) is prone to attacks such as input reconstruction and spoofing?
Given an input image, the model encodes it into a lower-dimensional representation, then uses that to reconstruct the original image.
a. Classification
b. Generative Models
c. K-Means
d. Regression
b. Generative Models
Generative Models (GANs) and auto-encoders - prone to attacks such as input reconstruction and spoofing.
Given an input image, the model encodes it into a lower-dimensional representation, then uses that to reconstruct the original image.
Which type of ML algorithm can be used for malware detection?
a. Classification
b. Generative Models
c. K-Means
d. Clustering
d. Clustering
Clustering - used for malware detection.
Clustering algorithm is K-Nearest Neighbors (KNN)
Note: Training data comes from the wild.
______ is the most common dimensionality reduction algorithm?
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA- is the most common dimensionality reduction algorithm.
Which type of ML algorithm is sensitive to outliers that can be exploited by contaminating training data?
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA - sensitive to outliers that can be exploited by contaminating training data.
What does this example show? (image omitted)
It allows dramatically decreasing the detection rate for DoS attacks
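A minimal sketch of PCA's outlier sensitivity, assuming scikit-learn and toy data of my own: a single contaminated point can rotate the principal direction.

```python
# One injected outlier shifts the principal component PCA learns.
import numpy as np
from sklearn.decomposition import PCA

rng = np.random.default_rng(0)
clean = rng.normal(0, 1, (100, 2))
poisoned = np.vstack([clean, [[50.0, -50.0]]])  # one contaminated point

pca_clean = PCA(n_components=1).fit(clean)
pca_poisoned = PCA(n_components=1).fit(poisoned)
print(pca_clean.components_)     # direction on clean data
print(pca_poisoned.components_)  # rotated toward the outlier
```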
______ Which type of algorithm is used for facial recognition? An example of this is using your face to unlock your iPhone.
A. PCA
B. Clustering
C. Generalization
D. MNIST
A. PCA
PCA - the algorithm used for facial recognition. An example of this is using your face to unlock your iPhone.
In RL, the framework known as DQN uses DNNs for feature selection and Q-function approximation.
What are the steps of a Deep Reinforcement Learning Attack (DQN)?
i. attacker observes the current state and transitions in the environment
ii. attacker estimates the best action according to the adversarial policy
iii. attacker crafts a perturbation to induce the adversarial action
iv. attacker applies the perturbation
v. the perturbed input is revealed to the target
vi. attacker waits for the target's action
A. 1,2,3,4,5,6
B. 6,5,4,3,2,1
C. 4,3,2,5,6,1
D. 2,5,3,4,6,1
Steps of a Deep Reinforcement Learning Attack (DQN):
A. 1,2,3,4,5,6
i. attacker observes the current state and transitions in the environment
ii. attacker estimates the best action according to the adversarial policy
iii. attacker crafts a perturbation to induce the adversarial action
iv. attacker applies the perturbation
v. the perturbed input is revealed to the target
vi. attacker waits for the target's action
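A toy, self-contained walk-through of those six steps; the environment, policy, and perturbation here are simple stand-ins of my own, not a real DQN attack implementation:

```python
# Sketch of the DQN attack loop (steps i-vi above) with stub components.
import numpy as np

rng = np.random.default_rng(0)
state = rng.normal(size=4)                        # i. observe current state

def adversarial_policy(s):                        # ii. estimate best action
    return int(np.argmin(s))                      #     per adversarial policy

def craft_perturbation(s, action, eps=0.1):       # iii. craft perturbation
    delta = np.zeros_like(s)
    delta[action] = eps                           # nudge toward adv. action
    return delta

for step in range(3):
    action = adversarial_policy(state)
    perturbed = state + craft_perturbation(state, action)  # iv. apply it
    target_action = int(np.argmax(perturbed))     # v. reveal input to target
    state = rng.normal(size=4)                    # vi. wait for the target's
                                                  # action; environment moves on
```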
What is the most widespread attack method?
a. L-BFGS
b. FGSM (Fast Gradient Sign Method)
c. DQN
d. none of the above
b. FGSM (Fast Gradient Sign Method)
FGSM (Fast Gradient Sign Method) is the most widespread attack method.
_____ attack does the following:
1. Takes the label of the least likely class predicted by the network
2. The computed perturbation is subtracted from the original image
3. This maximizes the probability that the network predicts the target as the label of the adversarial example
a. L-BFGS
b. FGSM (Fast Gradient Sign Method)
c. DQN
d. none of the above
b. FGSM (Fast Gradient Sign Method)
FGSM works using the following steps:
- Takes the label of the least likely class predicted by the network
- The computed perturbation is subtracted from the original image
- This maximizes the probability that the network predicts the target as the label of the adversarial example
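A minimal FGSM sketch in PyTorch, using a stand-in linear classifier of my own (not the course's model), following the least-likely-class variant described above:

```python
# Targeted FGSM: push the input toward the least likely class.
import torch
import torch.nn.functional as F

model = torch.nn.Linear(784, 10)            # stand-in classifier
x = torch.rand(1, 784, requires_grad=True)  # toy "image"

with torch.no_grad():
    target = model(x).argmin(dim=1)         # 1. least likely predicted class

loss = F.cross_entropy(model(x), target)
loss.backward()

eps = 0.1
x_adv = (x - eps * x.grad.sign()).clamp(0, 1)  # 2. subtract perturbation
print(model(x_adv).argmax(dim=1), target)      # 3. pushed toward target label
```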
_____ attack method is very time-consuming, especially for larger images, and practically inapplicable
a. L-BFGS
b. FGSM (Fast Gradient Sign Method)
c. DQN
d. none of the above
a. L-BFGS
L-BFGS - an attack method that is very time-consuming, especially for larger images, and practically inapplicable
Which ML task category is required if you deal with complex systems with unlabeled data and many potential features?
a. classification
b. clustering
c. reinforcement learning
d. dimensionality reduction
d. dimensionality reduction
Dimensionality Reduction - the ML category required if you deal with complex systems with unlabeled data and many potential features.
How do you measure Adversarial Attacks?
A. using Gradient
B. using Loss Function
C. using L-p norm
D. using the size of ML Model
C. using L-p norm
The L-p norm is used to measure changes for adversarial attacks.
Which ML task category has the biggest number of research papers?
A. Clustering
B. Reinforcement Learning
C. Classification
D. Regression
C. Classification
Classification - has the largest number of research papers, around 300.
Why is the FGSM method better than the L-BFGS method?
A. Requires less information
B. FGSM is more accurate
C. More universal
D. The FGSM method is faster
D. The FGSM method is faster
Reasoning-
Not C: L-BFGS is more universal, but slower and less accurate
Which dataset is better for testing practical attacks?
A. CIFAR
B. MNIST
C. LFW
D. ImageNet
B. MNIST
MNIST is the best dataset for testing practical attacks. The MNIST dataset is the smallest one, so all tests will be less time-consuming, with lower computation cost.
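A sketch of pulling MNIST for such experiments, assuming scikit-learn's OpenML fetcher (downloads the data on first run; 'mnist_784' is the standard OpenML name, but verify locally):

```python
# Load MNIST: 70,000 28x28 grayscale digits flattened to 784 features.
from sklearn.datasets import fetch_openml

X, y = fetch_openml('mnist_784', version=1, return_X_y=True, as_frame=False)
print(X.shape, y.shape)  # (70000, 784) (70000,)
```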
What are the reasons to Hack AI?
A. AI is eating software
B. Expansion of technology related to Cybersecurity
C. Vulnerable to various cyber attacks like any other algorithms
D. All of the above
D. All of the above
Reasons to hack AI:
-AI is eating software
-Expansion of technology related to cybersecurity
-AI is vulnerable to various cyber attacks like any other algorithm
Autonomous cars use image classification, e.g., identification of road signs.
______ can lead to horrible accidents
A. Spoofing of road signs
Autonomous cars use image classification, e.g., identification of road signs.
Spoofing of road signs - can lead to horrible accidents
What are AI risks in the Cybersecurity Industry?
A. Bypass spam filters
B. Bypass threat detection solutions
C. Bypass AI-based Malware Detection tools
D. All of the above
AI risks in the Cybersecurity Industry:
D. All of the above
-Bypass spam filters
-Bypass threat detection solutions
-Bypass AI-based malware detection tools
What are AI risks in the Retail Industry?
A. bypass Facial recognition
AI Risks in Retail Industry:
A. bypass Facial recognition
(used with makeup, surgery, etc.)
How is AI used in Retail?
a. Behavior analysis of clients
b. Optimization of business processes
c. All of the above
c. All of the above
AI use in retail:
1. Behavior analysis of clients
2. Optimization of business processes
How is AI used in the Smart Home industry?
Amazon Echo recognizes noise as a command; the voice is interpreted as certain instructions.
a. Forge voice commands
AI in the Smart Home industry:
a. Forge voice commands
How is AI used in the Web and Social Media industry?
a. Fool sentiment analysis of reviews for movies, hotels, etc.
How AI is used in the Web and Social Media industry:
- Fool sentiment analysis of reviews for movies, hotels, etc.
- Misinterpret a comment
How is AI used in Finance?
a. Trick anomaly and fraud detection engines
How AI is used in Finance:
- Trick anomaly and fraud detection engines
What are ways to prevent fraud using ML?
a. Learn customer behavior
b. Analysis of aggregated data
c. Analysis of social graphs
d. Automation of routine processes
e. Control use of ID information
f. ALL OF THE ABOVE
f. ALL OF THE ABOVE
-Learn customer behavior
-Analysis of aggregated data
-Analysis of social graphs
-Automation of routine processes
-Control use of ID information
Confidentiality is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
Confidentiality is associated with:
a. Gather System Insights
-Obtain insights into the system
-Utilize the received info to plot more advanced attacks
Which part of the triad is the following:
(A malicious person deals with a ML system that is an Image Recognition System. They get to learn more about the internals or the datasets from this system)
a. confidentiality
b. availability
c. integrity
a. confidentiality
(A malicious person deals with a ML system that is an Image Recognition System. They get to learn more about the internals or the datasets from this system)
Reasoning-
Confidentiality, because they are gathering information about the system, and that information can be used to plot attacks.
NOT Integrity, because they did not change any logic
NOT Availability, because they did not disable anything
Availability is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
b. Disable AI System Functionality
Availability = Disable AI System Functionality
Which part of the triad is the following:
-Flood AI with requests, which demand more time
-Flood with incorrectly classified objects to increase manual work
-Modify a model by retraining it with wrong examples
-Use computing power of an AI model for solving your own tasks
a. confidentiality
b. availability
c. integrity
b. availability
-Flood AI with requests, which demand more time
-Flood with incorrectly classified objects to increase manual work
-Modify a model by retraining it with wrong examples
-Use computing power of an AI model for solving your own tasks
Integrity is associated with:
a. Gather System Insights
b. Disable AI System Functionality
c. Modify AI logic
c. Modify AI logic
Integrity = Modify AI Logic
Which part of the triad is the following:
-Ex.: make autonomous cars believe that there is a cat on the road when in fact it is a car.
-2 different ways to interact with a system, at the learning or production stage:
1) poisoning
2) evasion
a. confidentiality
b. availability
c. integrity
c. integrity
This attack is integrity because you modified the car's logic to think there was a cat when it was really a car.
2 types of integrity attacks (modify AI logic):
1. Poisoning - attackers poison some data in the training dataset
2. Evasion- attackers exploit vulnerabilities of an algorithm by showing modified picture at the production stage
Which integrity interaction is this?
________ attackers alter some data in the training dataset
a. poisoning
b. evasion
c. modify ai logic
a. poisoning
POISONING - attackers poison/alter some data in the training dataset
An attack form of integrity
Which integrity interaction is this?
______ attackers exploit vulnerabilities of an algorithm by showing the modified picture at the production stage
a. poisoning
b. evasion
c. modify ai logic
b. evasion
EVASION - attackers exploit vulnerabilities of an algorithm by showing a modified picture at the production stage
An attack form of integrity
_______ a procedure where someone is trying to exploit an ML model by injecting malicious data into the training dataset.
a. poisoning
b. evasion
c. modify ai logic
a. poisoning
Poisoning - a procedure where someone is trying to exploit an ML model by injecting malicious data into the training dataset.
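A minimal poisoning sketch, assuming scikit-learn and toy data of my own: flipping a few training labels visibly moves the learned decision boundary.

```python
# Label-flip poisoning shifts a logistic regression's boundary.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
X = np.vstack([rng.normal(-2, 1, (50, 2)), rng.normal(2, 1, (50, 2))])
y = np.array([0] * 50 + [1] * 50)

clean = LogisticRegression().fit(X, y)

y_poisoned = y.copy()
y_poisoned[:5] = 1                          # attacker flips a few labels
poisoned = LogisticRegression().fit(X, y_poisoned)

print(clean.coef_, clean.intercept_)        # boundary before poisoning
print(poisoned.coef_, poisoned.intercept_)  # boundary after poisoning
```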
_________ attacks change the classification boundary, while
_________ attacks change input examples
a. Poisoning, Adversarial
b. Adversarial, Poisoning
c. Poisoning, Evasion
d. Evasion, Poisoning
a. Poisoning, Adversarial
Poisoning attacks - change the classification boundary, WHILE
Adversarial attacks - change input examples
True or False
If points are added to the training data, the decision boundary will change
True
If points are added to the training data, the decision boundary will change
______ attack allows an adversary to modify solely the labels in supervised learning datasets but for arbitrary data points
A. Label modification
B. Poisoning
C. Evasion
D. Data Injection
A. Label modification
Label modification attack allows an adversary (enemy) to modify solely the labels in supervised learning datasets, but for arbitrary (any) data points
______ An adversary (enemy) does not have access to the training data nor to the learning algorithm, but has the ability to add new data to the training set
A. Label modification
B. Poisoning
C. Data Injection
D. Adversarial
C. Data Injection
Data Injection - An adversary (enemy) does not have access to the training data nor to the learning algorithm, but has the ability to add new data to the training set
_______ An adversary does not have access to the learning algorithm but has full access to the training data
A. Label modification
B. Data Modification
C. Data Injection
D. Adversarial
B. Data Modification
Data modification - An adversary does not have access to the learning algorithm but has full access to the training data.