English
Adversarial Examples and Robust Evaluation: From FGSM to a scikit-learn Digits Experiment
Adversarial examples are not arbitrary noise distributions; they are mathematically precise vectors computed by optimizing an adversarial objective function over a neural network's loss manifold. A production-grade evaluation cannot rely on clean accuracy metrics. It demands rigorous assessment of empirical robustness against bounded perturbations, analysis of the Jacobian matrix, and computation of the defense's systemic latency and accuracy trade-offs.
This article deconstructs the mathematical framework of gradient-based attacks (FGSM and PGD), provides PyTorch implementations for Red Teams, and details the production pipeline architectures required for adversarial defense.
1. The Mathematical Boundaries of Threat Models
An adversarial evaluation is mathematically meaningless without defining the feasible set of the attacker. The threat model is parameterized by:
- Attacker Knowledge: White-box (full access to ( theta ), architectures, and gradients ( nabla_x J )) vs. Black-box (zero-th order optimization via queries).
- Perturbation Constraint (( L_p ) Norm): The perturbation ( delta ) is bounded by ( |delta|_p le epsilon ). Common norms include ( L_infty ) (maximum pixel change) and ( L_2 ) (Euclidean distance).
- Objective Function: Untargeted (( argmax_delta J(theta, x+delta, y) )) vs. Targeted (( argmin_delta J(theta, x+delta, y_{target}) )).
2. Fast Gradient Sign Method (FGSM)
FGSM is a single-step gradient-based attack that linearizes the loss function ( J ) around the input ( x ). Utilizing a first-order Taylor expansion, the attacker maximizes the loss under an ( L_infty ) constraint.
The mathematical formulation is:
[ delta = epsilon cdot text{sign}(nabla_x J(theta, x, y)) ]
[ x_{adv} = text{clip}(x + delta, x_{min}, x_{max}) ]
PyTorch Implementation of FGSM
import torch
import torch.nn as nn
def fgsm_attack(model, images, labels, epsilon, criterion):
images.requires_grad = True
outputs = model(images)
loss = criterion(outputs, labels)
# Compute Jacobian / Gradients wrt input
model.zero_grad()
loss.backward()
data_grad = images.grad.data
# Create perturbation
sign_data_grad = data_grad.sign()
perturbed_images = images + epsilon * sign_data_grad
# Project back to valid input domain (e.g., [0, 1])
perturbed_images = torch.clamp(perturbed_images, 0, 1)
return perturbed_images
3. Projected Gradient Descent (PGD)
While FGSM is computationally efficient, it underfits the adversarial objective. Projected Gradient Descent (PGD) is the universal first-order adversary. It solves the constrained optimization problem via iterative gradient steps, projecting the perturbation back onto the ( epsilon )-ball after each step.
The update rule for step ( t+1 ) is:
[ x^{t+1} = Pi_{x+mathcal{S}} left( x^t + alpha cdot text{sign}(nabla_x J(theta, x^t, y)) right) ]
Where ( alpha ) is the step size and ( Pi_{x+mathcal{S}} ) is the projection operator onto the ( L_p ) ball.
PyTorch Implementation of PGD
def pgd_attack(model, images, labels, epsilon, alpha, iters, criterion):
perturbed_images = images.clone().detach()
# Random start within epsilon ball
perturbed_images = perturbed_images + torch.empty_like(perturbed_images).uniform_(-epsilon, epsilon)
perturbed_images = torch.clamp(perturbed_images, 0, 1)
for _ in range(iters):
perturbed_images.requires_grad = True
outputs = model(perturbed_images)
loss = criterion(outputs, labels)
model.zero_grad()
loss.backward()
with torch.no_grad():
adv_images = perturbed_images + alpha * perturbed_images.grad.sign()
eta = torch.clamp(adv_images - images, min=-epsilon, max=epsilon)
perturbed_images = torch.clamp(images + eta, 0, 1)
return perturbed_images
4. Red/Blue Team Post-Mortem: Production Architecture Defenses
In production pipelines, basic "random noise" defenses are completely defeated by Expectation Over Transformation (EOT). Real-world mitigation relies on architectural integration:
- Adversarial Training Logic: The empirical risk minimization is modified to a min-max saddle point problem:
[ min_theta mathbb{E}_{(x,y)sim mathcal{D}} left[ max_{|delta|_p le epsilon} J(theta, x+delta, y) right] ] Models are continuously trained on PGD-generated samples. This lowers the curvature of the loss surface but comes at the cost of the "accuracy-robustness trade-off" (diminished clean accuracy). - Gradient Masking & Obfuscation (A Warning): Blue teams often inadvertently introduce shattered gradients (e.g., non-differentiable preprocessing). Red teams bypass this using Backward Pass Differentiable Approximation (BPDA). True defense requires verifying robustness via black-box transfer attacks.
- Inference Abstention & Out-of-Distribution (OOD) Detection: Deploying Mahalanobis distance metrics on deep feature representations to detect inputs lying far from the clean training manifold.
5. Robust Evaluation Reporting Standards
A production security audit must yield an evaluation matrix:
- Clean Accuracy vs. PGD-100 (100 iterations) Accuracy across a spectrum of ( epsilon ) budgets.
- Evaluation of gradient-free attacks (e.g., SPSA) to certify that defenses are not merely relying on gradient obfuscation.
- System latency overhead introduced by dynamic OOD detection modules.
6. Robustness Audit Matrix
The strongest adversarial evaluation reports include both attack strength and defense side effects. A model should not be called robust unless the evaluation records the attack budget, adaptive checks, and production impact.
| Audit dimension | Required measurement | Interpretation | Red flag |
|---|---|---|---|
| Attack budget | ( epsilon ), norm type, PGD steps, step size, random restarts | Defines what the adversary is actually allowed to do | Only reporting one weak FGSM result and claiming broad robustness |
| Adaptive attack | BPDA/EOT or gradient-free transfer checks when preprocessing is non-differentiable | Separates real robustness from gradient masking | Robust accuracy is high for white-box gradients but low for black-box transfer |
| Clean accuracy trade-off | Clean, FGSM, PGD-20, PGD-100, and OOD accuracy in the same report | Shows whether the defense is useful for normal traffic | Robustness improves only by making the model reject or misclassify clean data |
| Runtime cost | Median and p95 latency with OOD detection or input purification enabled | Connects security controls to deployability | Defense requires many forward passes and cannot meet service latency budgets |
7. References
Chinese
对抗样本与鲁棒评估:从 FGSM 公式到 scikit-learn 数字分类实验
Open as a full page对抗样本并非任意的噪声分布;它们是通过在神经网络的损失流形上优化对抗目标函数而计算出的、数学上精确的向量。一个生产级的评估不能仅仅依赖纯净准确率(Clean Accuracy)指标。它要求对有界扰动下的经验鲁棒性进行严格评估,分析雅可比矩阵,并计算防御机制带来的系统延迟和准确率权衡。
本文解构了基于梯度的攻击(FGSM 和 PGD)的数学框架,为红队提供了基于 PyTorch 的实现脚本,并详细探讨了对抗防御所需的生产级流水线架构。
一、威胁模型的数学边界
如果不定义攻击者的可行集,对抗性评估在数学上毫无意义。威胁模型由以下参数定义:
- 攻击者知识:白盒(完全访问 ( theta )、架构以及梯度 ( nabla_x J ))对比 黑盒(通过查询进行零阶优化)。
- 扰动约束(( L_p ) 范数):扰动 ( delta ) 受到 ( |delta|_p le epsilon ) 的限制。常见的范数包括 ( L_infty )(最大像素变化)和 ( L_2 )(欧几里得距离)。
- 目标函数:无目标攻击(( argmax_delta J(theta, x+delta, y) ))对比 有目标攻击(( argmin_delta J(theta, x+delta, y_{target}) ))。
二、快速梯度符号法 (FGSM)
FGSM 是一种基于梯度的单步攻击,它在输入 ( x ) 附近对损失函数 ( J ) 进行线性化。利用一阶泰勒展开,攻击者在 ( L_infty ) 约束下最大化损失。
数学公式如下:
[ delta = epsilon cdot text{sign}(nabla_x J(theta, x, y)) ]
[ x_{adv} = text{clip}(x + delta, x_{min}, x_{max}) ]
PyTorch FGSM 实现
import torch
import torch.nn as nn
def fgsm_attack(model, images, labels, epsilon, criterion):
images.requires_grad = True
outputs = model(images)
loss = criterion(outputs, labels)
# 计算关于输入的雅可比矩阵/梯度
model.zero_grad()
loss.backward()
data_grad = images.grad.data
# 构建扰动
sign_data_grad = data_grad.sign()
perturbed_images = images + epsilon * sign_data_grad
# 投影回有效的输入域 (例如 [0, 1])
perturbed_images = torch.clamp(perturbed_images, 0, 1)
return perturbed_images
三、投影梯度下降 (PGD)
虽然 FGSM 计算效率高,但它对对抗目标的拟合不足。投影梯度下降(PGD)是一种通用的一阶对抗攻击。它通过迭代的梯度步长解决约束优化问题,并在每一步后将扰动投影回 ( epsilon )-球内。
第 ( t+1 ) 步的更新规则为:
[ x^{t+1} = Pi_{x+mathcal{S}} left( x^t + alpha cdot text{sign}(nabla_x J(theta, x^t, y)) right) ]
其中 ( alpha ) 是步长,( Pi_{x+mathcal{S}} ) 是向 ( L_p ) 球的投影算子。
PyTorch PGD 实现
def pgd_attack(model, images, labels, epsilon, alpha, iters, criterion):
perturbed_images = images.clone().detach()
# 在 epsilon 球内随机初始化
perturbed_images = perturbed_images + torch.empty_like(perturbed_images).uniform_(-epsilon, epsilon)
perturbed_images = torch.clamp(perturbed_images, 0, 1)
for _ in range(iters):
perturbed_images.requires_grad = True
outputs = model(perturbed_images)
loss = criterion(outputs, labels)
model.zero_grad()
loss.backward()
with torch.no_grad():
adv_images = perturbed_images + alpha * perturbed_images.grad.sign()
eta = torch.clamp(adv_images - images, min=-epsilon, max=epsilon)
perturbed_images = torch.clamp(images + eta, 0, 1)
return perturbed_images
四、红蓝对抗复盘:生产架构防御
在生产流水线中,基础的“随机噪声”防御会被 EOT(Expectation Over Transformation)完全击溃。现实世界中的缓解措施依赖于架构级集成:
- 对抗训练逻辑 (Adversarial Training):经验风险最小化被修改为一个极小极大(min-max)鞍点问题:
[ min_theta mathbb{E}_{(x,y)sim mathcal{D}} left[ max_{|delta|_p le epsilon} J(theta, x+delta, y) right] ] 模型使用 PGD 生成的样本进行连续训练。这降低了损失表面的曲率,但代价是“准确率-鲁棒性权衡”(降低了干净样本的准确率)。 - 梯度掩码与混淆 (Gradient Masking):蓝队经常无意中引入破碎的梯度(例如不可导的预处理)。红队可以使用反向传播可导近似(BPDA)绕过这种防御。真正的防御需要通过黑盒迁移攻击来验证鲁棒性。
- 推理拒答与 OOD 检测:在深层特征表示上部署马哈拉诺比斯距离(Mahalanobis distance)度量,以检测远离干净训练流形的输入。
五、鲁棒性评估的报告标准
生产级的安全审计必须产出一份评估矩阵:
- 在不同 ( epsilon ) 预算谱下的 干净准确率 与 PGD-100(100 次迭代)准确率对比。
- 对无梯度攻击(如 SPSA)的评估,以证明防御不仅仅依赖于梯度混淆。
- 动态 OOD 检测模块引入的系统延迟开销。
六、鲁棒性评估矩阵
为了让结果可复查,建议把每一次鲁棒性测试写成矩阵,而不是只给一段“模型对抗鲁棒”的结论。
| 测试项 | 固定参数 | 记录指标 | 失败信号 |
|---|---|---|---|
| FGSM sweep | (epsilon) 从小到大扫描 | clean acc, adv acc | 极小扰动下准确率断崖式下降 |
| PGD-k | 固定 (epsilon),改变迭代次数 | adv acc, attack success rate | 迭代数增加后防御迅速失效 |
| Black-box transfer | 替代模型生成样本 | 迁移攻击成功率 | 白盒防御有效但黑盒迁移仍高 |
| Latency overhead | 开启检测/拒答模块 | P50/P95/P99 延迟 | 鲁棒性提升但线上延迟不可接受 |
七、如何避免虚假的安全感
如果某个防御让 FGSM 攻击失败,但 PGD 或黑盒迁移攻击仍然成功,很可能只是梯度被遮蔽,而不是真正鲁棒。报告中应同时包含白盒、黑盒和无梯度攻击结果,并说明输入预处理是否可导。对抗评估的目标不是证明模型“安全”,而是明确在给定扰动预算和攻击知识下,模型还能承受多少风险。
八、参考文献
Adversarial examples are not arbitrary noise distributions; they are mathematically precise vectors computed by optimizing an adversarial objective function over a neural network’s loss manifold. A production-grade evaluation cannot rely on clean accuracy metrics. It demands rigorous assessment of empirical robustness against bounded perturbations, analysis of the Jacobian matrix, and computation of the defense’s systemic latency and accuracy trade-offs.
This article deconstructs the mathematical framework of gradient-based attacks (FGSM and PGD), provides PyTorch implementations for Red Teams, and details the production pipeline architectures required for adversarial defense.
1. The Mathematical Boundaries of Threat Models
An adversarial evaluation is mathematically meaningless without defining the feasible set of the attacker. The threat model is parameterized by:
- Attacker Knowledge: White-box (full access to ( theta ), architectures, and gradients ( nabla_x J )) vs. Black-box (zero-th order optimization via queries).
- Perturbation Constraint (( L_p ) Norm): The perturbation ( delta ) is bounded by ( |delta|_p le epsilon ). Common norms include ( L_infty ) (maximum pixel change) and ( L_2 ) (Euclidean distance).
- Objective Function: Untargeted (( argmax_delta J(theta, x+delta, y) )) vs. Targeted (( argmin_delta J(theta, x+delta, y_{target}) )).
2. Fast Gradient Sign Method (FGSM)
FGSM is a single-step gradient-based attack that linearizes the loss function ( J ) around the input ( x ). Utilizing a first-order Taylor expansion, the attacker maximizes the loss under an ( L_infty ) constraint.
The mathematical formulation is:
[ delta = epsilon cdot text{sign}(nabla_x J(theta, x, y)) ]
[ x_{adv} = text{clip}(x + delta, x_{min}, x_{max}) ]
PyTorch Implementation of FGSM
import torch
import torch.nn as nn
def fgsm_attack(model, images, labels, epsilon, criterion):
images.requires_grad = True
outputs = model(images)
loss = criterion(outputs, labels)
# Compute Jacobian / Gradients wrt input
model.zero_grad()
loss.backward()
data_grad = images.grad.data
# Create perturbation
sign_data_grad = data_grad.sign()
perturbed_images = images + epsilon * sign_data_grad
# Project back to valid input domain (e.g., [0, 1])
perturbed_images = torch.clamp(perturbed_images, 0, 1)
return perturbed_images
3. Projected Gradient Descent (PGD)
While FGSM is computationally efficient, it underfits the adversarial objective. Projected Gradient Descent (PGD) is the universal first-order adversary. It solves the constrained optimization problem via iterative gradient steps, projecting the perturbation back onto the ( epsilon )-ball after each step.
The update rule for step ( t+1 ) is:
[ x^{t+1} = Pi_{x+mathcal{S}} left( x^t + alpha cdot text{sign}(nabla_x J(theta, x^t, y)) right) ]
Where ( alpha ) is the step size and ( Pi_{x+mathcal{S}} ) is the projection operator onto the ( L_p ) ball.
PyTorch Implementation of PGD
def pgd_attack(model, images, labels, epsilon, alpha, iters, criterion):
perturbed_images = images.clone().detach()
# Random start within epsilon ball
perturbed_images = perturbed_images + torch.empty_like(perturbed_images).uniform_(-epsilon, epsilon)
perturbed_images = torch.clamp(perturbed_images, 0, 1)
for _ in range(iters):
perturbed_images.requires_grad = True
outputs = model(perturbed_images)
loss = criterion(outputs, labels)
model.zero_grad()
loss.backward()
with torch.no_grad():
adv_images = perturbed_images + alpha * perturbed_images.grad.sign()
eta = torch.clamp(adv_images - images, min=-epsilon, max=epsilon)
perturbed_images = torch.clamp(images + eta, 0, 1)
return perturbed_images
4. Red/Blue Team Post-Mortem: Production Architecture Defenses
In production pipelines, basic “random noise” defenses are completely defeated by Expectation Over Transformation (EOT). Real-world mitigation relies on architectural integration:
- Adversarial Training Logic: The empirical risk minimization is modified to a min-max saddle point problem:
[ min_theta mathbb{E}_{(x,y)sim mathcal{D}} left[ max_{|delta|_p le epsilon} J(theta, x+delta, y) right] ]
Models are continuously trained on PGD-generated samples. This lowers the curvature of the loss surface but comes at the cost of the “accuracy-robustness trade-off” (diminished clean accuracy). - Gradient Masking & Obfuscation (A Warning): Blue teams often inadvertently introduce shattered gradients (e.g., non-differentiable preprocessing). Red teams bypass this using Backward Pass Differentiable Approximation (BPDA). True defense requires verifying robustness via black-box transfer attacks.
- Inference Abstention & Out-of-Distribution (OOD) Detection: Deploying Mahalanobis distance metrics on deep feature representations to detect inputs lying far from the clean training manifold.
5. Robust Evaluation Reporting Standards
A production security audit must yield an evaluation matrix:
- Clean Accuracy vs. PGD-100 (100 iterations) Accuracy across a spectrum of ( epsilon ) budgets.
- Evaluation of gradient-free attacks (e.g., SPSA) to certify that defenses are not merely relying on gradient obfuscation.
- System latency overhead introduced by dynamic OOD detection modules.
6. Robustness Audit Matrix
The strongest adversarial evaluation reports include both attack strength and defense side effects. A model should not be called robust unless the evaluation records the attack budget, adaptive checks, and production impact.
| Audit dimension | Required measurement | Interpretation | Red flag |
|---|---|---|---|
| Attack budget | ( epsilon ), norm type, PGD steps, step size, random restarts | Defines what the adversary is actually allowed to do | Only reporting one weak FGSM result and claiming broad robustness |
| Adaptive attack | BPDA/EOT or gradient-free transfer checks when preprocessing is non-differentiable | Separates real robustness from gradient masking | Robust accuracy is high for white-box gradients but low for black-box transfer |
| Clean accuracy trade-off | Clean, FGSM, PGD-20, PGD-100, and OOD accuracy in the same report | Shows whether the defense is useful for normal traffic | Robustness improves only by making the model reject or misclassify clean data |
| Runtime cost | Median and p95 latency with OOD detection or input purification enabled | Connects security controls to deployability | Defense requires many forward passes and cannot meet service latency budgets |
7. References
Search questions
FAQ
Who is this article for?
This article is for readers who want a professional-level guide to Adversarial Examples and Robust Evaluation. It takes about 11 min and focuses on Adversarial Examples, FGSM, Robust Evaluation, scikit-learn.
What should I read next?
The recommended next step is Data Poisoning and Backdoor Defense, so the article connects into a longer learning route instead of ending as an isolated note.
Does this article include runnable code or companion resources?
Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.
How does this article fit into the larger site?
It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.
Article context
AI Learning Project
A practical route from AI concepts to machine learning workflow, evaluation, neural networks, Python practice, handwritten digits, a CIFAR-10 CNN, adversarial traffic-defense notes, and AI security.
Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
Download share card Open share centerCompanion resources
AI Learning Project / CODE
FGSM digits robustness script
FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
AI Learning Project / ARCHIVE
AI Security Lab full bundle
Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
Project timeline
Published posts
- AI Basics Learning Roadmap Separate AI, machine learning, and deep learning before going into implementation details.
- Machine Learning Workflow Follow the practical path from data and features to training, prediction, and evaluation.
- Model Training and Evaluation Understand loss, overfitting, train/test splits, accuracy, recall, and F1.
- Neural Network Basics Move from perceptrons to activation, forward propagation, backpropagation, and training loops.
- Matrix Calculus for Neural Networks Derive dL/dW for y = Wx + b and verify it with finite differences.
- Backpropagation as a Computation Graph Trace local gradients through ReLU and softmax cross-entropy in a two-layer MLP.
- Gradient Descent and Optimizer Geometry Compare gradient descent, momentum, and Adam on a visible quadratic loss surface.
- Convolution and Receptive Field Math Compute convolution output size, receptive fields, channel mixing, and im2col layout.
- Transformer Attention Math Hand-calculate Q/K/V scores, softmax weights, masks, multi-head structure, and KV cache.
- Python AI Mini Practice Run a small scikit-learn classification task and read the experiment output.
- Handwritten Digit Dataset Basics Read train.csv, test.csv, labels, and the flattened 28 by 28 pixel layout before training the classifier.
- Handwritten Digit Softmax in C Follow the C implementation from logits and softmax probabilities to confusion matrices and submission export.
- Handwritten Digit Playground Notes See how the offline classifier was adapted into a browser demo with drawing input and probability output.
- CIFAR-10 Tiny CNN Tutorial in C Build and train a small convolutional neural network for CIFAR-10 image classification, then read its loss and accuracy output.
- High-Entropy Traffic Defense Notes Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.
- AI Security Threat Modeling Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
- Adversarial Examples and Robust Evaluation Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
- Data Poisoning and Backdoor Defense Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
- Model Privacy and Extraction Defense Measure membership inference signal and surrogate fidelity against a local toy model.
- LLM, RAG, and Agent Security Separate instructions from data and enforce tool permissions against indirect prompt injection.
Published resources
- Python AI practice code guide The article includes a runnable scikit-learn classification script.
- digit_softmax_classifier.c The C source for the handwritten digit softmax classifier.
- train.csv.zip Compressed handwritten digit training set with 42000 labeled samples.
- test.csv.zip Compressed handwritten digit test set with 28000 unlabeled samples.
- sample_submission.csv The official submission format example for checking the final output columns.
- submission.csv The prediction file generated by the current C project.
- digit-playground-model.json The compact softmax demo model and sample set used by the browser playground.
- digit-sample-grid.svg A small handwritten digit preview grid extracted from the training set.
- Handwritten digit project bundle Contains the source file, compressed datasets, submission files, browser model, and preview grid.
- cifar10_tiny_cnn.c source Single-file C tiny CNN with CIFAR-10 loading, convolution, pooling, softmax, and backpropagation.
- model_weights.bin sample weights Model weights generated by one local small-sample run.
- test_predictions.csv sample predictions Sample test prediction output from the CIFAR-10 tiny CNN.
- CNN project explanation PDF Companion explanation material for the CNN project.
- Virtual Mirror redacted code skeleton A redacted mld_chaffing_v2.py control-flow skeleton with secrets, node topology, and target lists removed.
- Virtual Mirror stress-test template A redacted CSV template for CPU, memory, peak threads, pulse rate, latency, and error measurements.
- Virtual Mirror classifier-evaluation template A CSV template for TP, FN, FP, TN, accuracy, precision, recall, F1, ROC-AUC, entropy, and JS divergence.
- Virtual Mirror resource notes Notes explaining why the public resources include only redacted code, test templates, and architecture context.
- AI Security Lab README Setup, safety boundaries, and quick-run commands for the AI Security series.
- AI Security Lab full bundle Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
- AI security risk register CSV risk register template for AI threat modeling and release review.
- AI attack-defense matrix Maps attack surface, toy demo, metric, and defensive control into one CSV table.
- AI Security Lab architecture diagram Shows threat modeling, robustness, data integrity, model privacy, and RAG guardrails.
- FGSM digits robustness script FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
- Data poisoning and backdoor toy script Demonstrates poison rate, trigger behavior, and attack success rate on digits.
- Model privacy and extraction toy script Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
- RAG prompt injection guard toy script Uses a deterministic toy agent to demonstrate external-data demotion and tool-policy blocking.
- Deep Learning Math Lab README Setup commands, script entry points, generated outputs, and figure notes for the math series.
- Deep learning math full lab bundle Bundles NumPy scripts, CSV outputs, formula diagrams, loss contours, convolution figures, and attention heatmaps.
- Gradient check results CSV Stores MSE analytic gradients, finite-difference gradients, and error norms.
- Optimizer path CSV Step-by-step coordinates and loss for gradient descent, momentum, and Adam on a 2D quadratic.
- Attention weights CSV Scores, softmax weights, and context vectors for a three-token scaled dot-product attention example.
- Deep learning math figure set Includes matrix shapes, computation graphs, loss contours, convolution scans, and attention heatmaps.
- Deep learning math interactive visualizer Browser modules for gradient checking, optimizer paths, convolution output size, and attention heatmaps.
- Deep Learning topic share card A 1200x630 SVG card for sharing the Deep Learning / CNN topic hub.
- Machine Learning From Scratch share card A 1200x630 SVG card for the K-means, Iris, and ML workflow topic hub.
- Student AI Projects share card A 1200x630 SVG card for handwritten digits, C classifiers, and browser demos.
- CNN convolution scan animation An 8-second Remotion animation showing how a 3x3 convolution kernel scans an input and builds a feature map.
Current route
- AI Basics Learning Roadmap Learning path step
- Machine Learning Workflow Learning path step
- Model Training and Evaluation Learning path step
- Neural Network Basics Learning path step
- Matrix Calculus for Neural Networks Learning path step
- Backpropagation as a Computation Graph Learning path step
- Gradient Descent and Optimizer Geometry Learning path step
- Convolution and Receptive Field Math Learning path step
- Transformer Attention Math Learning path step
- LLM Visualizer Learning path step
- Python AI Mini Practice Learning path step
- Handwritten Digit Dataset Basics Learning path step
- Handwritten Digit Softmax in C Learning path step
- Handwritten Digit Playground Notes Learning path step
- CIFAR-10 Tiny CNN Tutorial in C Learning path step
- High-Entropy Traffic Defense Notes Learning path step
- AI Security Threat Modeling Learning path step
- Adversarial Examples and Robust Evaluation Learning path step
- Data Poisoning and Backdoor Defense Learning path step
- Model Privacy and Extraction Defense Learning path step
- LLM, RAG, and Agent Security Learning path step
Next notes
- Add more image-classification and error-analysis cases
- Turn common metrics into a quick reference
- Add more AI security defense experiment notes
