"

3.9 End of Chapter Activities

Exercises

Discussion Questions

  1. Define adversarial examples in your own words. How do they differ from regular inputs to a machine learning model?
  2. Why is it important that the perturbation in adversarial examples remains minimal? How does this relate to human perception?
  3. Explain the significance of adversarial examples in real-world applications. Provide an example not mentioned in the chapter.
  4. Discuss the potential consequences of adversarial attacks in the context of self-driving cars. How could such attacks be mitigated?
  5. How might adversarial examples impact spam detection systems? What are the ethical implications of such attacks?
  6. Provide an example of a physical-world adversarial attack not discussed in the chapter. How could it be detected or prevented?
  7. Compare and contrast targeted and non-targeted attacks. Provide an example scenario for each.
  8. What are the key differences between black-box and white-box attacks? Which type of attack is more challenging to execute, and why?
  9. What is the difference between digital and physical attacks? Provide an example of each.
  10. Explain the role of distance metrics ([latex]L_0, L_2, L_\infty[/latex]) in generating adversarial perturbations. How do they influence the quality of the perturbation?
  11. Describe the process of generating adversarial examples using the Fast Gradient Sign Method (FGSM). How does it exploit the gradient of the loss function?
  12. How does Projected Gradient Descent (PGD) improve upon FGSM? Why is it considered a more powerful attack?
  13. What is the significance of the C&W attack? How does it overcome defences like defensive distillation?
  14. Compare white-box and black-box attacks. What are the key challenges in executing a black-box attack?
  15. Explain the process of creating adversarial examples using a surrogate model in a black-box setting. Why is this approach effective?
  16. What is an adversarial patch? How does it differ from traditional adversarial examples?
  17. Discuss the implications of physical adversarial attacks on road sign recognition systems. How could such attacks be prevented?
  18. What are the strengths and limitations of adversarial training in real-world applications?

Critical Thinking and Application

  1. Imagine you are designing a defence mechanism against adversarial attacks. What strategies would you employ to protect a machine-learning model?
  2. How might adversarial attacks evolve in the future? What new techniques or domains could be targeted?
  3. Discuss the ethical implications of adversarial attacks. Should there be regulations to prevent their misuse? Why or why not?
  4. Can adversarial examples ever be beneficial? Provide an example of how they might be used for positive purposes.
  5. Can combining multiple mitigation strategies provide a more robust defence against evasion attacks? Why or why not?

Research and Exploration

  1. Research and summarize a recent (post-2020) paper on adversarial attacks. What new methods or insights does it provide?
  2. Explore the concept of adversarial training. How does it improve the robustness of machine learning models?

Knowledge Check

Quiz Text Description
1. MultiChoice Activity
What is the primary goal of an evasion attack?
  1. To improve the accuracy of the model
  2. To reduce the model’s training time
  3. To steal the model’s training data
  4. To generate adversarial examples that mislead the model
2. MultiChoice Activity
Why must the perturbation in adversarial examples be minimal?
  1. To avoid detection by the model
  2. To make the attack faster
  3. To ensure the changes are imperceptible to humans
  4. To reduce computational cost
3. MultiChoice Activity
Which of the following is an example of a physical adversarial attack?
  1. Changing pixel values in an image to fool a spam detector
  2. Modifying a stop sign to be misclassified by a self-driving car
  3. Uploading a malicious PNG file to bypass a spam filter
  4. Adding noise to an audio file to fool a speech recognition system
4. MultiChoice Activity
What is the main concern with adversarial examples in real-world applications?
  1. They improve model performance
  2. They improve model performance
  3. They increase the interpretability of models
  4. They reduce the cost of training models
5. MultiChoice Activity
Which of the following is true about a black-box attack?
  1. The attacker can modify the model’s training data
  2. The attacker can only query the model’s output
  3. The attacker can directly manipulate the model’s gradients
  4. The attacker has full access to the model’s parameters
6. MultiChoice Activity
What is the key difference between a one-shot attack and an iterative attack?
  1. Iterative attacks are only used in black-box settings
  2. One-shot attacks are faster but less effective
  3. One-shot attacks are only used in physical attacks
  4. Iterative attacks require multiple steps but are more effective
7. MultiChoice Activity
Which distance metric minimizes the number of pixels changed in an adversarial example?
  1. L∞
  2. L2
  3. L1
  4. L0
8. MultiChoice Activity
What does the L∞ norm measure in adversarial perturbations?
  1. The average change across all pixels
  2. The Euclidean distance of the perturbation
  3. The maximum change to any single pixel
  4. The total number of pixels changed
9. MultiChoice Activity
What is the main advantage of Projected Gradient Descent (PGD) over FGSM?
  1. It does not require gradient information
  2. It is an iterative attack with better attack success rates
  3. It is faster
  4. It is a single-step attack
10. MultiChoice Activity
What is the primary goal of a surrogate model in a black-box attack?
  1. To reduce the computational cost of the attack
  2. To approximate the decision boundaries of the target model
  3. To improve the accuracy of the target model
  4. To steal the target model’s training data
11. MultiChoice Activity
Which of the following is a white-box attack method?
  1. ZOO
  2. FGSM
  3. Surrogate model attack
  4. Differential evolution
12. MultiChoice Activity
What is an adversarial patch?
  1. A method to defend against adversarial attacks
  2. A small perturbation added to an entire image
  3. A printable label that can be stuck on objects to fool classifiers
  4. A 3D-printed object designed to fool classifiers
13. MultiChoice Activity
What is the key idea behind the Expectation Over Transformation (EOT) algorithm?
  1. It uses a surrogate model to approximate the target model
  2. It generates adversarial examples that are robust to transformations like rotation
  3. It is a single-step attack method
  4. It minimizes the number of pixels changed in an image
14. MultiChoice Activity
What is the main challenge in defending against robust adversarial examples?
  1. They are imperceptible to humans
  2. They are only effective in digital attacks
  3. They require access to the model’s parameters
  4. They remain effective under various transformations
15. MultiChoice Activity
Which of the following is an example of a robust adversarial example?
  1. A 1-pixel attack on an image classifier
  2. A stop sign misclassified as a speed limit sign
  3. A spam email bypassing a spam filter
  4. A 3D-printed turtle misclassified as a rifle
16. MultiChoice Activity
How does adversarial training help mitigate evasion attacks?
  1. By restricting access to the model for external users
  2. By removing adversarial samples from the dataset
  3. By injecting adversarial samples into training to improve model robustness
  4. By increasing model complexity to confuse attackers
Correct Answers:
  1. d. To generate adversarial examples that mislead the model
  2. c. To ensure the changes are imperceptible to humans
  3. b. Modifying a stop sign to be misclassified by a self-driving car
  4. b. They improve model performance
  5. b. The attacker can only query the model’s output
  6. d. Iterative attacks require multiple steps but are more effective
  7. d. L0
  8. c. The maximum change to any single pixel
  9. b. It is an iterative attack with better attack success rates
  10. b. To approximate the decision boundaries of the target model
  11. b. FGSM
  12. c. A printable label that can be stuck on objects to fool classifiers
  13. b. It generates adversarial examples that are robust to transformations like rotation
  14. d. They remain effective under various transformations
  15. d. A 3D-printed turtle misclassified as a rifle
  16. c. By injecting adversarial samples into training to improve model robustness

High Flyer. (2025). Deep Seek. [Large language model]. https://www.deepseek.com/

Prompt: Can you provide end-of-chapter questions for the content?  Reviewed and edited by the author.

License

Icon for the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License

Winning the Battle for Secure ML Copyright © 2025 by Bestan Maaroof is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.

Share This Book