
5.8 End of Chapter Activities

Exercises

Review Questions

  1. What distinguishes a backdoor attack from other types of adversarial attacks?
  2. Explain the steps involved in executing a backdoor poisoning attack.
  3. How do clean-label backdoor attacks differ from traditional backdoor attacks?
  4. Why are clean-label backdoor attacks harder to detect than traditional backdoor attacks?
  5. Why are federated learning models particularly vulnerable to backdoor attacks?
  6. Compare and contrast patch triggers with semantic triggers. Provide real-world examples of each.
  7. What are the primary differences between semantic and functional triggers?
  8. Suppose you are training an image classifier. How could an attacker introduce a backdoor into your model without modifying the labels?
  9. In a transfer learning scenario, what steps can a user take to verify that a pre-trained model is not backdoored?
  10. What challenges might arise when applying pruning-based defenses to mitigate backdoor attacks?
  11. Given a real-world scenario where a backdoored model is deployed in an autonomous vehicle, what mitigation strategies would you recommend to ensure safety?
  12. Suppose an attacker poisons 1% of a training dataset with a backdoor trigger. Why might this attack go undetected during data sanitization?
  13. A facial recognition system is backdoored to misclassify people wearing red hats as a specific target. Propose a mitigation strategy and discuss its potential weaknesses.
  14. An autonomous vehicle uses a CNN trained on outsourced data. After deployment, it misclassifies stop signs with a small flower sticker as speed limit signs.
     a. What type of backdoor attack is this?
     b. How could the manufacturer have detected this attack before deployment?
  15. A hospital uses federated learning to train a model on patient data from multiple clinics. An attacker introduces a backdoor that misclassifies X-rays with a hidden watermark as “healthy.”
     a. What defenses could prevent this attack?
     b. How might the attacker evade detection?
  16. If a backdoored model is deployed in a critical system (e.g., medical diagnosis, autonomous driving), what are the potential consequences?
  17. As backdoor attacks become more sophisticated (e.g., adaptive triggers), how should defenses evolve?
  18. Is it possible to eliminate backdoor risks completely without sacrificing model performance?

Knowledge Check

1. What is the primary goal of a backdoor poisoning attack?
  a. To slow down the training process of the model
  b. To embed a hidden trigger that causes misclassification when present
  c. To delete training data to make the model unusable
  d. To reduce the overall accuracy of the model on clean data

2. In which scenario does a backdoor attack occur when a user downloads a pre-trained model and fine-tunes it?
  a. Data Augmentation
  b. Outsourced Training
  c. Transfer Learning
  d. Federated Learning

3. Which of the following is NOT a type of backdoor trigger?
  a. Semantic Trigger
  b. Random Noise Injection
  c. Functional Trigger
  d. Patch Trigger

4. What is a key characteristic of a clean-label backdoor attack?
  a. The attacker changes both the input and its label
  b. The attack is performed after model deployment
  c. The attacker only modifies the input but keeps the correct label
  d. The attacker only modifies the label but not the input

5. Which defense technique involves identifying and removing poisoned training samples?
  a. Data Sanitization
  b. Trigger Reconstruction
  c. Federated Aggregation
  d. Model Pruning

6. NeuralCleanse is a technique used for:
  a. Detecting poisoned samples in the training data
  b. Encrypting model weights to prevent attacks
  c. Pruning suspicious neurons in a neural network
  d. Reconstructing the backdoor trigger via optimization

7. Why are semantic triggers harder to detect than patch triggers?
  a. They are invisible to the human eye
  b. They blend naturally with the input (e.g., glasses on a face)
  c. They only work in federated learning
  d. They require changing the model architecture

8. In federated learning, how can a malicious participant introduce a backdoor?
  a. By slowing down the training process
  b. By encrypting the global model
  c. By submitting poisoned model updates
  d. By deleting other participants’ data

9. What is a limitation of Fine-Pruning as a defense?
  a. It increases model accuracy too much
  b. It is ineffective against dynamic or semantic triggers
  c. It only works for patch triggers
  d. It requires retraining the model from scratch

10. Which of the following is a post-training defense against backdoors?
  a. Federated Aggregation
  b. Trigger Reconstruction
  c. Data Sanitization
  d. Label Flipping

Correct Answers:
  1. b. To embed a hidden trigger that causes misclassification when present
  2. c. Transfer Learning
  3. b. Random Noise Injection
  4. c. The attacker only modifies the input but keeps the correct label
  5. a. Data Sanitization
  6. d. Reconstructing the backdoor trigger via optimization
  7. b. They blend naturally with the input (e.g., glasses on a face)
  8. c. By submitting poisoned model updates
  9. b. It is ineffective against dynamic or semantic triggers
  10. b. Trigger Reconstruction

High-Flyer. (2025). DeepSeek [Large language model]. https://www.deepseek.com/

Prompt: Can you provide end-of-chapter questions for the content? Reviewed and edited by the author.

License


Winning the Battle for Secure ML Copyright © 2025 by Bestan Maaroof is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.