diff --git a/docs/Chapter_25_Advanced_Adversarial_ML.md b/docs/Chapter_25_Advanced_Adversarial_ML.md index c36d0ae..90e60cb 100644 --- a/docs/Chapter_25_Advanced_Adversarial_ML.md +++ b/docs/Chapter_25_Advanced_Adversarial_ML.md @@ -37,6 +37,10 @@ The tricky part? These attacks operate at the mathematical layer. Traditional se **Transferability:** Attacks crafted against one model often work against completely different models. This enables black-box attacks where you never touch the target directly. +

+Hub and spoke diagram showing an adversarial example transferring from a central node to GPT-4, Llama-3, and Claude-3, illustrating cross-model vulnerability. +

+ **Gradient-Based Optimization:** Using the model's own gradients to find the best possible perturbation. You're literally asking the model "what input change would hurt you most?" and then doing exactly that. **Universal Adversarial Perturbation (UAP):** A single perturbation that works on any input. One magic suffix that jailbreaks every prompt. @@ -51,6 +55,10 @@ During training, models optimize for average-case performance. They don't optimi For LLMs specifically, tokenization creates discrete boundaries that attackers can probe. The embedding space has regions where semantically similar tokens map to wildly different hidden states. These discontinuities are exploitable. +

+3D surface plot showing a decision boundary as a ridge, with an input point and a gradient vector pointing into a deep valley, visualizing the adversarial subspace. +

+ #### Foundational Research | Paper | Key Finding | Relevance | @@ -75,19 +83,9 @@ Gradient-based attacks are the most powerful adversarial techniques because they ### The attack flow -```text -Adversarial Attack Flow (Gradient-Based): - -Input Text → Tokenize → Embed → [Model Forward Pass] → Loss Computation - ↓ - Compute Gradient - ↓ - Perturb Embeddings - ↓ - Project to Token Space - ↓ - Adversarial Output -``` +

+Sequential flowchart showing the gradient-based attack process: Forward Pass, Calculate Loss, Backpropagate, and Update Input. +

### What's happening under the hood @@ -402,21 +400,9 @@ The GCG attack from Zou et al. (2023) is currently state-of-the-art for adversar #### The process -```text -GCG Attack Process: - -[Base Prompt] + [Adversarial Suffix (random init)] - ↓ - Compute gradient w.r.t. suffix tokens - ↓ - For each position, rank candidate replacements - ↓ - Greedily select best substitution - ↓ - Repeat until attack succeeds - ↓ - [Universal Jailbreak Suffix] -``` +

+Iterative loop diagram for the GCG attack showing the cycle: Suffix, Compute Gradients, Rank Candidates, Evaluate, and Update. +

#### Step by step diff --git a/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md b/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md index 43883a2..4b70bbb 100644 --- a/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md +++ b/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md @@ -49,6 +49,10 @@ Supply chain attacks exploit trust assumptions baked into ML workflows: - **Training Artifact**: Transfer learning creates dangerous dependencies. Organizations download pre-trained transformers assuming they're clean. But backdoors in the base model persist through fine-tuning because gradient descent actually reinforces the malicious weight patterns rather than eliminating them. - **Input Processing**: Package managers trust repositories. pip follows semantic versioning rules. Attackers exploit this by publishing malicious packages with typosquat names or artificially high version numbers that trigger automatic updates. +

+Side-by-side comparison showing human-readable source code versus an opaque geometric blob representing model weights, illustrating the difficulty of auditing models. +

+ #### Foundational Research | Paper | Key Finding | Relevance | @@ -75,19 +79,9 @@ Hugging Face, TensorFlow Hub, PyTorch Hub. These have become how pre-trained mod ### How Model Repository Attacks Work -```text -Model Repository Attack Flow: - -Attacker → Creates Malicious Model → Uploads to Repository → Victims Download - ↓ - Popular/Trusted Name - ↓ - SEO Optimization - ↓ - Fake Performance Metrics - ↓ - Deploy in Production → Backdoor Activates -``` +

+Sequential box diagram showing the model repository attack flow: Malicious Upload, Fake Downloads, Developer Download, CI/CD Integration, and Deployment. +

### Mechanistic Explanation @@ -473,22 +467,9 @@ ML systems run on complex software stacks: PyTorch, TensorFlow, NumPy, Transform #### Attack Flow -```text -Dependency Poisoning Attack: - -Developer Types: pip install tensorflow-gpu - ↓ - ┌────────────────┴────────────────┐ - ↓ ↓ - tensorflow-gpu tensorflow-qpu - (Legitimate) (Malicious - typosquat) - ↓ - Installs instead - ↓ - Executes setup.py - ↓ - Steals credentials -``` +

+Comparison table showing legitimate 'tensorflow-gpu' versus malicious 'tensorflow-qpu', identifying the 'setup.py execution' risk. +

### Detection Indicators @@ -676,6 +657,10 @@ ml_supply_chain_policy: 4. **Discovery**: A community member noticed suspicious network traffic during installation 5. **Response**: PyTorch team yanked the package, issued a security advisory, told everyone to rotate credentials +

+Horizontal timeline visualization of the PyTorch attack, highlighting the 'Silent Window' between upload and discovery (Dec 25 - Dec 30). +

+ #### Lessons Learned (Case Study 1) This was real. Not a theoretical attack. ML framework supply chains are actively being targeted. diff --git a/docs/Chapter_27_Federated_Learning_Attacks.md b/docs/Chapter_27_Federated_Learning_Attacks.md index 4381042..0af7277 100644 --- a/docs/Chapter_27_Federated_Learning_Attacks.md +++ b/docs/Chapter_27_Federated_Learning_Attacks.md @@ -53,9 +53,18 @@ The research tells a sobering story: Federated learning attacks work because the architecture makes fundamental tradeoffs: - **The blind spot problem:** FL systems aggregate updates without seeing the data behind them. Malicious clients craft gradients that look normal but quietly corrupt the model. The server can't tell the difference. + +

+Conceptual diagram of the 'Blind Spot Problem' showing the server seeing only updates (tip of the iceberg) while data poisoning happens below the surface. +

+ - **The accumulation game:** FedAvg treats everyone equally. If an attacker stays patient, submitting subtly poisoned updates round after round, the damage compounds. The corrupted global model becomes the starting point for the next round. - **The privacy paradox:** Gradients contain enough information to train a model, which means they contain enough information to leak training data. You can't have one without risking the other. +

+Three-panel image sequence showing the steps of gradient inversion: Random Noise -> Optimization -> Recovered Image. +

+ #### Foundational Research | Paper | Key Finding | Relevance | @@ -81,35 +90,9 @@ Before we break things, we need to understand how they work. Here's the standard ### How Federated Learning Works -```text -Federated Learning Training Round: - -Server Clients (n participants) - │ │ - ├──[1] Broadcast Global Model──────►│ Client 1 - │ │ Client 2 - │ │ Client 3 - │ │ ... - │ │ Client n - │ │ - │◄──[2] Local Training (on private data) - │ │ - │◄──[3] Compute Gradients/Updates]──│ - │ │ - │◄──[4] Upload Updates]─────────────│ - │ │ - ├──[5] Aggregate Updates (FedAvg)] │ - │ │ - ├──[6] Update Global Model] │ - │ │ - └──[Repeat for T rounds]────────────┘ - -Attack Opportunities: -- Step 2: Data poisoning (corrupt local dataset) -- Step 3: Gradient manipulation (craft malicious updates) -- Step 4: Model poisoning (submit adversarial parameters) -- Step 5: Byzantine attacks (disrupt aggregation) -``` +

+Sequential flowchart showing the federated learning loop: Broadcast Model -> Local Training -> Compute Gradients -> Upload Updates -> Aggregate. +

### Under the Hood @@ -512,6 +495,10 @@ This demonstrates a backdoor attack where a malicious client trains the model to 2. **Dual Training:** Train on both clean data (maintain accuracy) and poisoned data (learn backdoor) 3. **Model Replacement:** Scale malicious updates to override honest participants +

+Line chart illustrating 'Model Replacement' where a scaled malicious update dominates the aggregated global model direction. +

+ ```python #!/usr/bin/env python3 """ diff --git a/docs/Chapter_28_AI_Privacy_Attacks.md b/docs/Chapter_28_AI_Privacy_Attacks.md index 41d158b..3592028 100644 --- a/docs/Chapter_28_AI_Privacy_Attacks.md +++ b/docs/Chapter_28_AI_Privacy_Attacks.md @@ -42,6 +42,10 @@ Privacy attacks exploit the tendency of deep learning models to overfit rare or - **Training Artifact:** Standard training objectives (Next Token Prediction) reward the model for minimizing perplexity on all data, including unique PII sequences. - **Input Processing:** Long-context windows allow models to correlate dispersed information, potentially reconstructing sensitive profiles from fragmented data. +

+Conceptual infographic 'The PII Iceberg' showing visible public data above water and vast amounts of inferable private attributes submerged below. +

+ #### Foundational Research | Paper | Key Finding | Relevance | @@ -66,10 +70,9 @@ Membership Inference Attacks aim to determine whether a specific data record was ### How MIA Works -```text -[MIA Attack Flow] -Attacker → [Target Record] → Target Model → [Confidence Score/Loss] → Classifier → Member/Non-Member -``` +

+Sequential flow diagram of a Membership Inference Attack: Target Record -> Model -> Confidence Score -> Attack Classifier -> Result. +

### Mechanistic Explanation @@ -320,6 +323,10 @@ Layer 4: [Unlearning] → [Machine Unlearning requests] - **Limitations:** Can significantly degrade model utility and increase training time. - **Implementation Complexity:** High. +

+Visual representation of Differential Privacy (DP-SGD) showing the addition of statistical noise to gradient updates to mask individual data point contributions. +

+ #### Defense Strategy 2: Deduplication - **What:** Removing duplicate copies of data from the training set. @@ -355,6 +362,10 @@ Research has moved from proving that simple classifiers leak membership informat 1. **Machine Unlearning:** How to effectively remove a specific data point without retraining the entire model? 2. **Privacy vs. Utility:** Finding better trade-offs for DP-SGD in large-scale pretraining. +

+Network graph visualization of 'Machine Unlearning', showing specific nodes (data points) being removed or disconnected from a dense knowledge graph. +

+ --- ## 28.6 Case Studies diff --git a/docs/Chapter_29_Model_Inversion_Attacks.md b/docs/Chapter_29_Model_Inversion_Attacks.md index f78d20c..1f420ec 100644 --- a/docs/Chapter_29_Model_Inversion_Attacks.md +++ b/docs/Chapter_29_Model_Inversion_Attacks.md @@ -41,6 +41,10 @@ Model Inversion exploits the correlation between the model's learned weights and - **Training Artifact:** Minimizing cross-entropy loss forces the model to maximize confidence for true classes, creating a smooth gradient slope that attackers can climb in reverse. - **Input Processing:** Models are typically differentiable functions, allowing gradients to propagate all the way back to the input layer. +

+Funnel diagram showing how GAN Priors constrain the search space from random pixels to a realistic face manifold. +

+ #### Foundational Research | Paper | Key Finding | Relevance | @@ -65,12 +69,9 @@ This is the classic approach: utilize the model's gradients (or estimated gradie ### How Inversion Works -```text -[Inversion Attack Flow] -Attacker → [Random Noise] → Target Model → [Confidence Score] - ↑ ↓ - [Update Input] ← (Gradient Ascent) ← [Target Class Error] -``` +

+Iterative cycle diagram showing the model inversion process: Noise -> Model -> Prediction -> Gradient Ascent -> Update Input. +

### Mechanistic Explanation diff --git a/docs/assets/rec54_adversarial_subspace_3d.png b/docs/assets/rec54_adversarial_subspace_3d.png new file mode 100644 index 0000000..24db17a Binary files /dev/null and b/docs/assets/rec54_adversarial_subspace_3d.png differ diff --git a/docs/assets/rec55_gradient_attack_flow.png b/docs/assets/rec55_gradient_attack_flow.png new file mode 100644 index 0000000..6dbf21d Binary files /dev/null and b/docs/assets/rec55_gradient_attack_flow.png differ diff --git a/docs/assets/rec56_gcg_loop.png b/docs/assets/rec56_gcg_loop.png new file mode 100644 index 0000000..aa5b4d7 Binary files /dev/null and b/docs/assets/rec56_gcg_loop.png differ diff --git a/docs/assets/rec57_attack_transferability.png b/docs/assets/rec57_attack_transferability.png new file mode 100644 index 0000000..81ebb37 Binary files /dev/null and b/docs/assets/rec57_attack_transferability.png differ diff --git a/docs/assets/rec58_opaque_blob_problem.png b/docs/assets/rec58_opaque_blob_problem.png new file mode 100644 index 0000000..8dee268 Binary files /dev/null and b/docs/assets/rec58_opaque_blob_problem.png differ diff --git a/docs/assets/rec59_model_repo_attack_flow.png b/docs/assets/rec59_model_repo_attack_flow.png new file mode 100644 index 0000000..db7f7cf Binary files /dev/null and b/docs/assets/rec59_model_repo_attack_flow.png differ diff --git a/docs/assets/rec60_dependency_typosquatting.png b/docs/assets/rec60_dependency_typosquatting.png new file mode 100644 index 0000000..f378e63 Binary files /dev/null and b/docs/assets/rec60_dependency_typosquatting.png differ diff --git a/docs/assets/rec61_pytorch_attack_timeline.png b/docs/assets/rec61_pytorch_attack_timeline.png new file mode 100644 index 0000000..364e622 Binary files /dev/null and b/docs/assets/rec61_pytorch_attack_timeline.png differ diff --git a/docs/assets/rec62_federated_learning_flow.png b/docs/assets/rec62_federated_learning_flow.png new file mode 100644 index 0000000..ebfd046 Binary files /dev/null and b/docs/assets/rec62_federated_learning_flow.png differ diff --git a/docs/assets/rec63_blind_spot_problem.png b/docs/assets/rec63_blind_spot_problem.png new file mode 100644 index 0000000..f9f830a Binary files /dev/null and b/docs/assets/rec63_blind_spot_problem.png differ diff --git a/docs/assets/rec64_model_replacement_chart.png b/docs/assets/rec64_model_replacement_chart.png new file mode 100644 index 0000000..f2ddef4 Binary files /dev/null and b/docs/assets/rec64_model_replacement_chart.png differ diff --git a/docs/assets/rec65_gradient_inversion_steps.png b/docs/assets/rec65_gradient_inversion_steps.png new file mode 100644 index 0000000..b2bd1db Binary files /dev/null and b/docs/assets/rec65_gradient_inversion_steps.png differ diff --git a/docs/assets/rec66_mia_flow.png b/docs/assets/rec66_mia_flow.png new file mode 100644 index 0000000..21adfb7 Binary files /dev/null and b/docs/assets/rec66_mia_flow.png differ diff --git a/docs/assets/rec67_pii_iceberg.png b/docs/assets/rec67_pii_iceberg.png new file mode 100644 index 0000000..371e3af Binary files /dev/null and b/docs/assets/rec67_pii_iceberg.png differ diff --git a/docs/assets/rec68_dp_sgd_noise.png b/docs/assets/rec68_dp_sgd_noise.png new file mode 100644 index 0000000..83d681d Binary files /dev/null and b/docs/assets/rec68_dp_sgd_noise.png differ diff --git a/docs/assets/rec69_machine_unlearning_web.png b/docs/assets/rec69_machine_unlearning_web.png new file mode 100644 index 0000000..e546996 Binary files /dev/null and b/docs/assets/rec69_machine_unlearning_web.png differ diff --git a/docs/assets/rec70_inversion_cycle_loop.png b/docs/assets/rec70_inversion_cycle_loop.png new file mode 100644 index 0000000..f27094e Binary files /dev/null and b/docs/assets/rec70_inversion_cycle_loop.png differ diff --git a/docs/assets/rec71_gan_prior_funnel.png b/docs/assets/rec71_gan_prior_funnel.png new file mode 100644 index 0000000..a831034 Binary files /dev/null and b/docs/assets/rec71_gan_prior_funnel.png differ