diff --git a/docs/Chapter_25_Advanced_Adversarial_ML.md b/docs/Chapter_25_Advanced_Adversarial_ML.md
index c36d0ae..90e60cb 100644
--- a/docs/Chapter_25_Advanced_Adversarial_ML.md
+++ b/docs/Chapter_25_Advanced_Adversarial_ML.md
@@ -37,6 +37,10 @@ The tricky part? These attacks operate at the mathematical layer. Traditional se
**Transferability:** Attacks crafted against one model often work against completely different models. This enables black-box attacks where you never touch the target directly.
+
+
+
+
**Gradient-Based Optimization:** Using the model's own gradients to find the best possible perturbation. You're literally asking the model "what input change would hurt you most?" and then doing exactly that.
**Universal Adversarial Perturbation (UAP):** A single perturbation that works on any input. One magic suffix that jailbreaks every prompt.
@@ -51,6 +55,10 @@ During training, models optimize for average-case performance. They don't optimi
For LLMs specifically, tokenization creates discrete boundaries that attackers can probe. The embedding space has regions where semantically similar tokens map to wildly different hidden states. These discontinuities are exploitable.
+
+
+
+
#### Foundational Research
| Paper | Key Finding | Relevance |
@@ -75,19 +83,9 @@ Gradient-based attacks are the most powerful adversarial techniques because they
### The attack flow
-```text
-Adversarial Attack Flow (Gradient-Based):
-
-Input Text → Tokenize → Embed → [Model Forward Pass] → Loss Computation
- ↓
- Compute Gradient
- ↓
- Perturb Embeddings
- ↓
- Project to Token Space
- ↓
- Adversarial Output
-```
+
+
+
### What's happening under the hood
@@ -402,21 +400,9 @@ The GCG attack from Zou et al. (2023) is currently state-of-the-art for adversar
#### The process
-```text
-GCG Attack Process:
-
-[Base Prompt] + [Adversarial Suffix (random init)]
- ↓
- Compute gradient w.r.t. suffix tokens
- ↓
- For each position, rank candidate replacements
- ↓
- Greedily select best substitution
- ↓
- Repeat until attack succeeds
- ↓
- [Universal Jailbreak Suffix]
-```
+
+
+
#### Step by step
diff --git a/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md b/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md
index 43883a2..4b70bbb 100644
--- a/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md
+++ b/docs/Chapter_26_Supply_Chain_Attacks_on_AI.md
@@ -49,6 +49,10 @@ Supply chain attacks exploit trust assumptions baked into ML workflows:
- **Training Artifact**: Transfer learning creates dangerous dependencies. Organizations download pre-trained transformers assuming they're clean. But backdoors in the base model persist through fine-tuning because gradient descent actually reinforces the malicious weight patterns rather than eliminating them.
- **Input Processing**: Package managers trust repositories. pip follows semantic versioning rules. Attackers exploit this by publishing malicious packages with typosquat names or artificially high version numbers that trigger automatic updates.
+
+
+
+
#### Foundational Research
| Paper | Key Finding | Relevance |
@@ -75,19 +79,9 @@ Hugging Face, TensorFlow Hub, PyTorch Hub. These have become how pre-trained mod
### How Model Repository Attacks Work
-```text
-Model Repository Attack Flow:
-
-Attacker → Creates Malicious Model → Uploads to Repository → Victims Download
- ↓
- Popular/Trusted Name
- ↓
- SEO Optimization
- ↓
- Fake Performance Metrics
- ↓
- Deploy in Production → Backdoor Activates
-```
+
+
+
### Mechanistic Explanation
@@ -473,22 +467,9 @@ ML systems run on complex software stacks: PyTorch, TensorFlow, NumPy, Transform
#### Attack Flow
-```text
-Dependency Poisoning Attack:
-
-Developer Types: pip install tensorflow-gpu
- ↓
- ┌────────────────┴────────────────┐
- ↓ ↓
- tensorflow-gpu tensorflow-qpu
- (Legitimate) (Malicious - typosquat)
- ↓
- Installs instead
- ↓
- Executes setup.py
- ↓
- Steals credentials
-```
+
+
+
### Detection Indicators
@@ -676,6 +657,10 @@ ml_supply_chain_policy:
4. **Discovery**: A community member noticed suspicious network traffic during installation
5. **Response**: PyTorch team yanked the package, issued a security advisory, told everyone to rotate credentials
+
+
+
+
#### Lessons Learned (Case Study 1)
This was real. Not a theoretical attack. ML framework supply chains are actively being targeted.
diff --git a/docs/Chapter_27_Federated_Learning_Attacks.md b/docs/Chapter_27_Federated_Learning_Attacks.md
index 4381042..0af7277 100644
--- a/docs/Chapter_27_Federated_Learning_Attacks.md
+++ b/docs/Chapter_27_Federated_Learning_Attacks.md
@@ -53,9 +53,18 @@ The research tells a sobering story:
Federated learning attacks work because the architecture makes fundamental tradeoffs:
- **The blind spot problem:** FL systems aggregate updates without seeing the data behind them. Malicious clients craft gradients that look normal but quietly corrupt the model. The server can't tell the difference.
+
+
+
+
+
- **The accumulation game:** FedAvg treats everyone equally. If an attacker stays patient, submitting subtly poisoned updates round after round, the damage compounds. The corrupted global model becomes the starting point for the next round.
- **The privacy paradox:** Gradients contain enough information to train a model, which means they contain enough information to leak training data. You can't have one without risking the other.
+
+
+
+
#### Foundational Research
| Paper | Key Finding | Relevance |
@@ -81,35 +90,9 @@ Before we break things, we need to understand how they work. Here's the standard
### How Federated Learning Works
-```text
-Federated Learning Training Round:
-
-Server Clients (n participants)
- │ │
- ├──[1] Broadcast Global Model──────►│ Client 1
- │ │ Client 2
- │ │ Client 3
- │ │ ...
- │ │ Client n
- │ │
- │◄──[2] Local Training (on private data)
- │ │
- │◄──[3] Compute Gradients/Updates]──│
- │ │
- │◄──[4] Upload Updates]─────────────│
- │ │
- ├──[5] Aggregate Updates (FedAvg)] │
- │ │
- ├──[6] Update Global Model] │
- │ │
- └──[Repeat for T rounds]────────────┘
-
-Attack Opportunities:
-- Step 2: Data poisoning (corrupt local dataset)
-- Step 3: Gradient manipulation (craft malicious updates)
-- Step 4: Model poisoning (submit adversarial parameters)
-- Step 5: Byzantine attacks (disrupt aggregation)
-```
+
+
+
### Under the Hood
@@ -512,6 +495,10 @@ This demonstrates a backdoor attack where a malicious client trains the model to
2. **Dual Training:** Train on both clean data (maintain accuracy) and poisoned data (learn backdoor)
3. **Model Replacement:** Scale malicious updates to override honest participants
+
+
+
+
```python
#!/usr/bin/env python3
"""
diff --git a/docs/Chapter_28_AI_Privacy_Attacks.md b/docs/Chapter_28_AI_Privacy_Attacks.md
index 41d158b..3592028 100644
--- a/docs/Chapter_28_AI_Privacy_Attacks.md
+++ b/docs/Chapter_28_AI_Privacy_Attacks.md
@@ -42,6 +42,10 @@ Privacy attacks exploit the tendency of deep learning models to overfit rare or
- **Training Artifact:** Standard training objectives (Next Token Prediction) reward the model for minimizing perplexity on all data, including unique PII sequences.
- **Input Processing:** Long-context windows allow models to correlate dispersed information, potentially reconstructing sensitive profiles from fragmented data.
+
+
+
+
#### Foundational Research
| Paper | Key Finding | Relevance |
@@ -66,10 +70,9 @@ Membership Inference Attacks aim to determine whether a specific data record was
### How MIA Works
-```text
-[MIA Attack Flow]
-Attacker → [Target Record] → Target Model → [Confidence Score/Loss] → Classifier → Member/Non-Member
-```
+
+
+
### Mechanistic Explanation
@@ -320,6 +323,10 @@ Layer 4: [Unlearning] → [Machine Unlearning requests]
- **Limitations:** Can significantly degrade model utility and increase training time.
- **Implementation Complexity:** High.
+
+
+
+
#### Defense Strategy 2: Deduplication
- **What:** Removing duplicate copies of data from the training set.
@@ -355,6 +362,10 @@ Research has moved from proving that simple classifiers leak membership informat
1. **Machine Unlearning:** How to effectively remove a specific data point without retraining the entire model?
2. **Privacy vs. Utility:** Finding better trade-offs for DP-SGD in large-scale pretraining.
+
+
+
+
---
## 28.6 Case Studies
diff --git a/docs/Chapter_29_Model_Inversion_Attacks.md b/docs/Chapter_29_Model_Inversion_Attacks.md
index f78d20c..1f420ec 100644
--- a/docs/Chapter_29_Model_Inversion_Attacks.md
+++ b/docs/Chapter_29_Model_Inversion_Attacks.md
@@ -41,6 +41,10 @@ Model Inversion exploits the correlation between the model's learned weights and
- **Training Artifact:** Minimizing cross-entropy loss forces the model to maximize confidence for true classes, creating a smooth gradient slope that attackers can climb in reverse.
- **Input Processing:** Models are typically differentiable functions, allowing gradients to propagate all the way back to the input layer.
+
+
+
+
#### Foundational Research
| Paper | Key Finding | Relevance |
@@ -65,12 +69,9 @@ This is the classic approach: utilize the model's gradients (or estimated gradie
### How Inversion Works
-```text
-[Inversion Attack Flow]
-Attacker → [Random Noise] → Target Model → [Confidence Score]
- ↑ ↓
- [Update Input] ← (Gradient Ascent) ← [Target Class Error]
-```
+
+
+
### Mechanistic Explanation
diff --git a/docs/assets/rec54_adversarial_subspace_3d.png b/docs/assets/rec54_adversarial_subspace_3d.png
new file mode 100644
index 0000000..24db17a
Binary files /dev/null and b/docs/assets/rec54_adversarial_subspace_3d.png differ
diff --git a/docs/assets/rec55_gradient_attack_flow.png b/docs/assets/rec55_gradient_attack_flow.png
new file mode 100644
index 0000000..6dbf21d
Binary files /dev/null and b/docs/assets/rec55_gradient_attack_flow.png differ
diff --git a/docs/assets/rec56_gcg_loop.png b/docs/assets/rec56_gcg_loop.png
new file mode 100644
index 0000000..aa5b4d7
Binary files /dev/null and b/docs/assets/rec56_gcg_loop.png differ
diff --git a/docs/assets/rec57_attack_transferability.png b/docs/assets/rec57_attack_transferability.png
new file mode 100644
index 0000000..81ebb37
Binary files /dev/null and b/docs/assets/rec57_attack_transferability.png differ
diff --git a/docs/assets/rec58_opaque_blob_problem.png b/docs/assets/rec58_opaque_blob_problem.png
new file mode 100644
index 0000000..8dee268
Binary files /dev/null and b/docs/assets/rec58_opaque_blob_problem.png differ
diff --git a/docs/assets/rec59_model_repo_attack_flow.png b/docs/assets/rec59_model_repo_attack_flow.png
new file mode 100644
index 0000000..db7f7cf
Binary files /dev/null and b/docs/assets/rec59_model_repo_attack_flow.png differ
diff --git a/docs/assets/rec60_dependency_typosquatting.png b/docs/assets/rec60_dependency_typosquatting.png
new file mode 100644
index 0000000..f378e63
Binary files /dev/null and b/docs/assets/rec60_dependency_typosquatting.png differ
diff --git a/docs/assets/rec61_pytorch_attack_timeline.png b/docs/assets/rec61_pytorch_attack_timeline.png
new file mode 100644
index 0000000..364e622
Binary files /dev/null and b/docs/assets/rec61_pytorch_attack_timeline.png differ
diff --git a/docs/assets/rec62_federated_learning_flow.png b/docs/assets/rec62_federated_learning_flow.png
new file mode 100644
index 0000000..ebfd046
Binary files /dev/null and b/docs/assets/rec62_federated_learning_flow.png differ
diff --git a/docs/assets/rec63_blind_spot_problem.png b/docs/assets/rec63_blind_spot_problem.png
new file mode 100644
index 0000000..f9f830a
Binary files /dev/null and b/docs/assets/rec63_blind_spot_problem.png differ
diff --git a/docs/assets/rec64_model_replacement_chart.png b/docs/assets/rec64_model_replacement_chart.png
new file mode 100644
index 0000000..f2ddef4
Binary files /dev/null and b/docs/assets/rec64_model_replacement_chart.png differ
diff --git a/docs/assets/rec65_gradient_inversion_steps.png b/docs/assets/rec65_gradient_inversion_steps.png
new file mode 100644
index 0000000..b2bd1db
Binary files /dev/null and b/docs/assets/rec65_gradient_inversion_steps.png differ
diff --git a/docs/assets/rec66_mia_flow.png b/docs/assets/rec66_mia_flow.png
new file mode 100644
index 0000000..21adfb7
Binary files /dev/null and b/docs/assets/rec66_mia_flow.png differ
diff --git a/docs/assets/rec67_pii_iceberg.png b/docs/assets/rec67_pii_iceberg.png
new file mode 100644
index 0000000..371e3af
Binary files /dev/null and b/docs/assets/rec67_pii_iceberg.png differ
diff --git a/docs/assets/rec68_dp_sgd_noise.png b/docs/assets/rec68_dp_sgd_noise.png
new file mode 100644
index 0000000..83d681d
Binary files /dev/null and b/docs/assets/rec68_dp_sgd_noise.png differ
diff --git a/docs/assets/rec69_machine_unlearning_web.png b/docs/assets/rec69_machine_unlearning_web.png
new file mode 100644
index 0000000..e546996
Binary files /dev/null and b/docs/assets/rec69_machine_unlearning_web.png differ
diff --git a/docs/assets/rec70_inversion_cycle_loop.png b/docs/assets/rec70_inversion_cycle_loop.png
new file mode 100644
index 0000000..f27094e
Binary files /dev/null and b/docs/assets/rec70_inversion_cycle_loop.png differ
diff --git a/docs/assets/rec71_gan_prior_funnel.png b/docs/assets/rec71_gan_prior_funnel.png
new file mode 100644
index 0000000..a831034
Binary files /dev/null and b/docs/assets/rec71_gan_prior_funnel.png differ