
4.6 End of Chapter Activities

Exercises

Review Questions

  1. Explain the difference between adversarial attacks and poisoning attacks. Provide examples of each.
  2. Describe the three primary attack scenarios in poisoning attacks (TS, FT, MT). How do they differ in terms of attacker capabilities and risks?
  3. What is the goal of an indiscriminate poisoning attack, and how does it differ from a targeted poisoning attack?
  4. Explain the concept of “feature collision” in clean-label poisoning attacks. How does it exploit the complexity of deep neural networks?
  5. Discuss the role of outlier detection in mitigating poisoning attacks. Provide examples of techniques that use outlier detection.
  6. How does differential privacy help in defending against poisoning attacks? What are its limitations?
  7. Compare and contrast label-flip poisoning and bilevel poisoning. Which one is more effective, and why?
  8. What are the challenges in detecting and mitigating backdoor attacks during model inspection?

Discussion Questions

  1. How can organizations balance the need for large, diverse datasets with the risk of poisoning attacks?
  2. What ethical considerations arise when deploying AI models that may be vulnerable to poisoning attacks?
  3. How might advancements in explainable AI (XAI) help in detecting and mitigating poisoning attacks?
  4. What role do regulatory frameworks play in ensuring the security of AI models against poisoning attacks?

Knowledge Check

Quiz

  1. Which of the following best describes a data poisoning attack?
     a. Encrypting training data for security
     b. Manipulating training data to alter model behavior
     c. Modifying test samples to deceive an ML model
     d. Reducing model complexity to prevent overfitting

  2. In which scenario does an attacker fine-tune a pre-trained model to introduce vulnerabilities?
     a. Fine-tuning (FT)
     b. Model outsourcing (MT)
     c. Training-from-scratch (TS)
     d. Reinforcement learning

  3. What is the goal of a targeted poisoning attack?
     a. To remove adversarial samples from the dataset
     b. To optimize training data for better performance
     c. To misclassify a specific target sample while maintaining high overall accuracy
     d. To decrease the overall model accuracy

  4. Which of the following is NOT a defense against data poisoning attacks?
     a. Robust training
     b. Increasing model complexity
     c. Model inspection
     d. Training data sanitization

  5. The feature-collision technique in targeted attacks relies on:
     a. Randomly altering labels of training samples
     b. Encrypting the training data to prevent access
     c. Making poisoned samples resemble target samples in feature space
     d. Using clean data only for training

  6. Which method is commonly used in training data sanitization defenses?
     a. Gradient descent optimization
     b. Backpropagation
     c. Reinforcement learning
     d. Clustering and outlier detection

Correct Answers:
  1. b. Manipulating training data to alter model behavior
  2. a. Fine-tuning (FT)
  3. c. To misclassify a specific target sample while maintaining high overall accuracy
  4. b. Increasing model complexity
  5. c. Making poisoned samples resemble target samples in feature space
  6. d. Clustering and outlier detection

High Flyer. (2025). DeepSeek [Large language model]. https://www.deepseek.com/

Prompt: Can you provide end-of-chapter questions for the content? Reviewed and edited by the author.

License


Winning the Battle for Secure ML Copyright © 2025 by Bestan Maaroof is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.