English
AI Security Threat Modeling: Build a Defense Map with NIST, MITRE ATLAS, and OWASP
AI security fundamentally diverges from classical application security. A defensible AI security program cannot rely on post-deployment generic vulnerability scans; it demands rigorous threat modeling grounded in the mathematical realities of high-dimensional optimization. This requires mapping assets, actors, trust boundaries, failure modes, evidence, and residual risk across the entire MLOps pipeline.
This article synthesizes the NIST Adversarial Machine Learning taxonomy (NIST.AI.100-2e2025), MITRE ATLAS, and OWASP LLM Top 10 to architect a production-grade engineering map for AI defense. The objective is to transition from abstract risk registers to mathematically rigorous, reviewable threat models for AI and MLSecOps engineers.
1. Beyond the Weights: An Expanded Asset Taxonomy
Conventional application security focuses on APIs, databases, and IAM. AI systems introduce a complex attack surface characterized by continuous optimization and stochastic outputs. The asset taxonomy must be expanded:
- Training Data & Pipeline: Raw samples, high-dimensional manifolds, labels, annotation functions, provenance cryptomaterial, and data-filtering heuristics. Vulnerable to data poisoning and backdoor (BadNets) injection.
- Model Artifacts: Learned parameter matrices ( theta in mathbb{R}^d ), tokenizers, embedding spaces, calibration hyperparameters, and evaluation set distributions.
- Prediction Interfaces (Inference): Inputs ( x ), logits, softmax probabilities ( f(x) ), confidence scores, and local/global explanations. Vulnerable to Model Extraction and Membership Inference Attacks (MIA).
- Context & Orchestration Systems: RAG document corpora, vector database index structures (e.g., HNSW), reranker weights, and ReAct agent tool permission schemas.
- Feedback Loops: RLHF reward models, preference datasets, and active learning retraining queues.
2. The Mathematical Threat Landscape: A Three-Layer Architecture
We architect the threat model across three operational layers:
Layer 1: The Optimization Risk (NIST taxonomy). Categorizes attacks by their mathematical objectives. Evasion computes perturbations ( delta ) such that ( argmax f(x+delta) neq y ). Poisoning injects ( (x_p, y_p) ) into the training distribution ( mathcal{D} ) to shift the empirical risk minimizer ( hat{theta} ). Privacy attacks compute the likelihood ( P(x in mathcal{D}_{train} mid f(x, theta)) ).
Layer 2: The Tactical Execution (MITRE ATLAS). Maps adversarial objectives to execution chains, such as ML Supply Chain Compromise (e.g., malicious pickle serialization leading to RCE) or Discovering ML Artifacts.
Layer 3: Application Failure Modes (OWASP LLM Top 10). Translates these to runtime exploits: Prompt Injection (modifying the LLM's conditioning context), Sensitive Information Disclosure, and Excessive Agency in automated reasoning pipelines.
3. Red/Blue Team Post-Mortem: Production Threat Records
A production-grade threat record must explicitly define the mathematical optimization of the attacker and the empirical defense threshold. Example:
Asset: Inference API (Softmax Output)
Attacker Goal: Membership Inference Attack (MIA)
Mathematical Vector: Exploit the divergence in prediction entropy between training and holdout sets. Attacker trains a shadow model to classify ( mathcal{H}(f(x)) ).
Red Team Validation: Shadow model achieves MIA AUC-ROC > 0.7.
Blue Team Control: Temperature scaling, logit suppression (Top-k only), and differential privacy (DP-SGD) during training with ( (epsilon, delta) )-bounds.
Residual Risk: Complete defense via DP-SGD severely degrades primary task accuracy. Boundary leakage remains possible via timing side-channels.
4. Mathematical Formalization of Evasion (Threat Modeling Entry Point)
Evasion attacks exploit the local linearity of neural networks in high-dimensional space. An attacker seeks a perturbation ( delta ) subject to an ( L_p ) norm constraint ( |delta|_p le epsilon ).
The objective is to maximize the loss function ( J(theta, x + delta, y) ):
[ delta^* = argmax_{|delta|_p le epsilon} J(theta, x + delta, y) ]
This constrained optimization problem is the foundation of the threat model for the inference phase. Defenders must evaluate the Jacobian matrix of the model to understand sensitivity: ( nabla_x f(x) ). If the spectral norm of the Jacobian is high, the model is highly susceptible to small ( delta ).
5. Engineering Controls and Evidence
Threat modeling must produce artifacts that integrate into CI/CD/CT (Continuous Training) pipelines:
- Data Provenance Cryptography: Cryptographic hashing of datasets and validation of source signatures to prevent supply-chain poisoning.
- Robustness Certificates: Lipschitz continuity bounds or randomized smoothing guarantees logged per model version.
- Inference Telemetry: Monitoring the KL-divergence between rolling inference distributions and the training manifold to detect OOD (Out-of-Distribution) evasion attempts.
6. Threat Model Evidence Matrix
A useful AI threat model is reviewable only when each risk has a measurable artifact. The table below turns the narrative model into an audit surface that can be checked during design review, release approval, and incident response.
| Risk surface | Attacker objective | Evidence to collect | Control boundary |
|---|---|---|---|
| Training data | Shift the learned decision boundary or implant a trigger | Dataset hash, source signature, label audit sample, duplicate rate, poison scan result | Quarantine untrusted sources and require provenance before retraining |
| Model artifact | Replace weights, tokenizer, or calibration metadata | Signed checkpoint, dependency SBOM, evaluation hash, model card version | Only signed artifacts enter the registry and deployment pipeline |
| Inference API | Extract the model, infer membership, or probe decision boundaries | Query entropy, rate-limit events, confidence distribution, repeated boundary queries | Limit logits, bucket confidence, and alert on active-learning-like traffic |
| RAG and agents | Inject instructions through retrieved data or abuse tool permissions | Retrieved document trust tier, tool call policy decision, denied action logs | Separate data context from instructions and enforce tool RBAC outside the LLM |
7. Conclusion
Threat modeling for AI is an ongoing exercise in bounding the adversarial optimization landscape. It transitions security from qualitative checklists to quantitative, empirical risk measurement.
8. References
Chinese
AI 安全威胁建模:用 NIST AML、MITRE ATLAS 和 OWASP 建立攻防地图
Open as a full pageAI 安全本质上区别于传统应用安全。一个可防御的 AI 安全架构不能依赖模型部署后的通用漏洞扫描;它需要建立在对高维优化过程的数学本质有深刻理解基础上的威胁建模。这涉及在整个 MLOps 流水线中精确映射资产、攻击者、信任边界、失败模式、证据和剩余风险。
本文综合了 NIST 对抗机器学习分类法(NIST.AI.100-2e2025)、MITRE ATLAS 以及 OWASP LLM Top 10,旨在为 AI 和安全工程师构建一个生产级的工程攻防地图。目标是将抽象的安全风险转化为数学上严谨的、可审计的威胁模型。
一、超越模型权重:扩展的资产分类
传统应用安全将重点放在 API、数据库和 IAM 权限上。而 AI 系统引入了基于持续优化和随机输出的复杂攻击面。资产分类必须被大幅扩展:
- 训练数据与流水线:原始样本、高维数据流形、标签、标注函数、数据溯源密码学签名以及过滤启发式算法。极易遭受数据投毒和后门(BadNets)注入攻击。
- 模型工件:学习到的参数矩阵 ( theta in mathbb{R}^d )、分词器(Tokenizer)、嵌入空间、校准超参数以及评估集的概率分布。
- 推理接口(Inference):输入 ( x )、对数几率(Logits)、Softmax 概率分布 ( f(x) )、置信度分数以及局部/全局解释特征。面临模型提取(Model Extraction)和成员推断攻击(MIA)的风险。
- 上下文与编排系统:RAG 文档语料库、向量数据库索引结构(如 HNSW)、重排器(Reranker)权重,以及 ReAct Agent 的工具权限架构。
- 反馈闭环:RLHF 奖励模型、偏好数据集以及主动学习(Active Learning)重训练队列。
二、数学化的威胁图谱:三层防御架构
我们将威胁模型分布在三个操作层面上:
第一层:优化风险(NIST 分类法)。通过数学目标对攻击进行分类。逃逸攻击(Evasion)旨在计算扰动 ( delta ),使得 ( argmax f(x+delta) neq y )。投毒攻击(Poisoning)将恶意样本 ( (x_p, y_p) ) 注入训练分布 ( mathcal{D} ),以偏移经验风险最小化器 ( hat{theta} )。隐私攻击则计算似然概率 ( P(x in mathcal{D}_{train} mid f(x, theta)) )。
第二层:战术执行(MITRE ATLAS)。将对抗目标映射为执行链路,如 ML 供应链妥协(例如导致 RCE 的恶意 Pickle 反序列化)或发现 ML 工件。
第三层:应用失败模式(OWASP LLM Top 10)。将风险转化为运行时的具体漏洞:提示词注入(Prompt Injection,篡改 LLM 的条件上下文)、敏感信息泄露,以及自动化推理流水线中的过度代理权限。
三、红蓝对抗复盘:生产级威胁记录
生产级的威胁记录必须显式定义攻击者的数学优化目标和防守方的经验阈值。例如:
资产: 推理 API (Softmax 输出)
攻击目标: 成员推断攻击 (MIA)
数学向量: 利用训练集和保留集在预测熵上的散度差异。攻击者训练一个影子模型来对 ( mathcal{H}(f(x)) ) 进行分类。
红队验证: 影子模型的 MIA AUC-ROC > 0.7。
蓝队控制: 温度缩放 (Temperature scaling),Logit 抑制 (仅输出 Top-k),以及在训练期间采用满足 ( (epsilon, delta) )-边界的差分隐私 (DP-SGD)。
剩余风险: DP-SGD 的完全防御会严重降低主任务准确率。仍可能通过时间侧信道发生边界泄露。
四、逃逸攻击的数学形式化(威胁建模切入点)
逃逸攻击利用了神经网络在高维空间中的局部线性特性。攻击者寻求在一个 ( L_p ) 范数约束 ( |delta|_p le epsilon ) 下的扰动 ( delta )。
目标是最大化损失函数 ( J(theta, x + delta, y) ):
[ delta^* = argmax_{|delta|_p le epsilon} J(theta, x + delta, y) ]
这个约束优化问题是推理阶段威胁模型的基础。防守方必须评估模型的雅可比矩阵以了解其敏感性:( nabla_x f(x) )。如果雅可比矩阵的谱范数很高,则模型极易受到微小 ( delta ) 的攻击。
五、工程控制与证据链
威胁建模必须产出能够集成到 CI/CD/CT(持续训练)流水线中的制品:
- 数据溯源密码学:对数据集进行密码学哈希计算,并验证源签名,以防止供应链投毒。
- 鲁棒性证书:记录每个模型版本的 Lipschitz 连续性边界或随机平滑(Randomized Smoothing)保证。
- 推理遥测:监控滚动推理分布与训练流形之间的 KL 散度,以检测 OOD(分布外)逃逸尝试。
六、威胁模型交付物应该长什么样
一份可执行的 AI 威胁模型不应该只列出攻击名称。它应该把资产、攻击路径、防护控制和验证证据连接起来,让工程团队知道下一步要测什么、记录什么、拒绝什么。
| 资产 | 主要威胁 | 控制措施 | 验证证据 |
|---|---|---|---|
| 训练数据 | 投毒、标签污染、供应链替换 | 数据签名、来源白名单、异常样本审查 | 哈希清单、采样审计记录、拒绝样本列表 |
| 模型工件 | 恶意 pickle、权重替换、后门触发 | 安全格式、签名验证、隔离加载环境 | 制品签名、加载日志、后门回归测试 |
| 推理接口 | 逃逸攻击、模型提取、成员推断 | 速率限制、置信度裁剪、输出最小化 | 异常请求分布、提取尝试告警、MIA 测试结果 |
| Agent 工具链 | 提示词注入、越权工具调用 | RBAC、沙箱、人类审批、只读默认权限 | 策略决策日志、审批记录、拒绝调用样本 |
七、落地时的优先级
如果资源有限,优先处理能造成不可逆后果的边界:写入型工具、外部网络访问、用户隐私数据、训练数据来源和模型制品加载。数学鲁棒性评估很重要,但不能替代最基本的权限隔离和审计日志。一个 Agent 系统如果允许检索文本直接影响删除、发送、转账等工具调用,即使模型本身很强,也仍然是不安全的。
威胁建模最终要服务于工程决策:哪些工具默认禁用,哪些数据源需要签名,哪些模型输出不应该暴露,哪些异常必须进入告警。只有把这些问题写成证据链,安全评审才不会停留在概念层面。
八、局限性与总结
AI 的威胁建模是对抗优化景观边界界定的一项持续性工作。它促使安全从定性的检查清单向定量的、经验性的风险度量转变。
九、参考文献
AI security fundamentally diverges from classical application security. A defensible AI security program cannot rely on post-deployment generic vulnerability scans; it demands rigorous threat modeling grounded in the mathematical realities of high-dimensional optimization. This requires mapping assets, actors, trust boundaries, failure modes, evidence, and residual risk across the entire MLOps pipeline.
This article synthesizes the NIST Adversarial Machine Learning taxonomy (NIST.AI.100-2e2025), MITRE ATLAS, and OWASP LLM Top 10 to architect a production-grade engineering map for AI defense. The objective is to transition from abstract risk registers to mathematically rigorous, reviewable threat models for AI and MLSecOps engineers.
1. Beyond the Weights: An Expanded Asset Taxonomy
Conventional application security focuses on APIs, databases, and IAM. AI systems introduce a complex attack surface characterized by continuous optimization and stochastic outputs. The asset taxonomy must be expanded:
- Training Data & Pipeline: Raw samples, high-dimensional manifolds, labels, annotation functions, provenance cryptomaterial, and data-filtering heuristics. Vulnerable to data poisoning and backdoor (BadNets) injection.
- Model Artifacts: Learned parameter matrices ( theta in mathbb{R}^d ), tokenizers, embedding spaces, calibration hyperparameters, and evaluation set distributions.
- Prediction Interfaces (Inference): Inputs ( x ), logits, softmax probabilities ( f(x) ), confidence scores, and local/global explanations. Vulnerable to Model Extraction and Membership Inference Attacks (MIA).
- Context & Orchestration Systems: RAG document corpora, vector database index structures (e.g., HNSW), reranker weights, and ReAct agent tool permission schemas.
- Feedback Loops: RLHF reward models, preference datasets, and active learning retraining queues.
2. The Mathematical Threat Landscape: A Three-Layer Architecture
We architect the threat model across three operational layers:
Layer 1: The Optimization Risk (NIST taxonomy). Categorizes attacks by their mathematical objectives. Evasion computes perturbations ( delta ) such that ( argmax f(x+delta) neq y ). Poisoning injects ( (x_p, y_p) ) into the training distribution ( mathcal{D} ) to shift the empirical risk minimizer ( hat{theta} ). Privacy attacks compute the likelihood ( P(x in mathcal{D}_{train} mid f(x, theta)) ).
Layer 2: The Tactical Execution (MITRE ATLAS). Maps adversarial objectives to execution chains, such as ML Supply Chain Compromise (e.g., malicious pickle serialization leading to RCE) or Discovering ML Artifacts.
Layer 3: Application Failure Modes (OWASP LLM Top 10). Translates these to runtime exploits: Prompt Injection (modifying the LLM’s conditioning context), Sensitive Information Disclosure, and Excessive Agency in automated reasoning pipelines.
3. Red/Blue Team Post-Mortem: Production Threat Records
A production-grade threat record must explicitly define the mathematical optimization of the attacker and the empirical defense threshold. Example:
Asset: Inference API (Softmax Output)
Attacker Goal: Membership Inference Attack (MIA)
Mathematical Vector: Exploit the divergence in prediction entropy between training and holdout sets. Attacker trains a shadow model to classify ( mathcal{H}(f(x)) ).
Red Team Validation: Shadow model achieves MIA AUC-ROC > 0.7.
Blue Team Control: Temperature scaling, logit suppression (Top-k only), and differential privacy (DP-SGD) during training with ( (epsilon, delta) )-bounds.
Residual Risk: Complete defense via DP-SGD severely degrades primary task accuracy. Boundary leakage remains possible via timing side-channels.
4. Mathematical Formalization of Evasion (Threat Modeling Entry Point)
Evasion attacks exploit the local linearity of neural networks in high-dimensional space. An attacker seeks a perturbation ( delta ) subject to an ( L_p ) norm constraint ( |delta|_p le epsilon ).
The objective is to maximize the loss function ( J(theta, x + delta, y) ):
[ delta^* = argmax_{|delta|_p le epsilon} J(theta, x + delta, y) ]
This constrained optimization problem is the foundation of the threat model for the inference phase. Defenders must evaluate the Jacobian matrix of the model to understand sensitivity: ( nabla_x f(x) ). If the spectral norm of the Jacobian is high, the model is highly susceptible to small ( delta ).
5. Engineering Controls and Evidence
Threat modeling must produce artifacts that integrate into CI/CD/CT (Continuous Training) pipelines:
- Data Provenance Cryptography: Cryptographic hashing of datasets and validation of source signatures to prevent supply-chain poisoning.
- Robustness Certificates: Lipschitz continuity bounds or randomized smoothing guarantees logged per model version.
- Inference Telemetry: Monitoring the KL-divergence between rolling inference distributions and the training manifold to detect OOD (Out-of-Distribution) evasion attempts.
6. Threat Model Evidence Matrix
A useful AI threat model is reviewable only when each risk has a measurable artifact. The table below turns the narrative model into an audit surface that can be checked during design review, release approval, and incident response.
| Risk surface | Attacker objective | Evidence to collect | Control boundary |
|---|---|---|---|
| Training data | Shift the learned decision boundary or implant a trigger | Dataset hash, source signature, label audit sample, duplicate rate, poison scan result | Quarantine untrusted sources and require provenance before retraining |
| Model artifact | Replace weights, tokenizer, or calibration metadata | Signed checkpoint, dependency SBOM, evaluation hash, model card version | Only signed artifacts enter the registry and deployment pipeline |
| Inference API | Extract the model, infer membership, or probe decision boundaries | Query entropy, rate-limit events, confidence distribution, repeated boundary queries | Limit logits, bucket confidence, and alert on active-learning-like traffic |
| RAG and agents | Inject instructions through retrieved data or abuse tool permissions | Retrieved document trust tier, tool call policy decision, denied action logs | Separate data context from instructions and enforce tool RBAC outside the LLM |
7. Conclusion
Threat modeling for AI is an ongoing exercise in bounding the adversarial optimization landscape. It transitions security from qualitative checklists to quantitative, empirical risk measurement.
8. References
Search questions
FAQ
Who is this article for?
This article is for readers who want a professional-level guide to AI Security Threat Modeling. It takes about 12 min and focuses on AI Security, Threat Modeling, NIST, MITRE ATLAS.
What should I read next?
The recommended next step is Adversarial Examples and Robust Evaluation, so the article connects into a longer learning route instead of ending as an isolated note.
Does this article include runnable code or companion resources?
Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.
How does this article fit into the larger site?
It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.
Article context
AI Learning Project
A practical route from AI concepts to machine learning workflow, evaluation, neural networks, Python practice, handwritten digits, a CIFAR-10 CNN, adversarial traffic-defense notes, and AI security.
Your next step
Continue: Adversarial Examples and Robust EvaluationBuild a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
Download share card Open share centerCompanion resources
AI Learning Project / GUIDE
AI Security Lab README
Setup, safety boundaries, and quick-run commands for the AI Security series.
AI Learning Project / DATASET
AI security risk register
CSV risk register template for AI threat modeling and release review.
AI Learning Project / DATASET
AI attack-defense matrix
Maps attack surface, toy demo, metric, and defensive control into one CSV table.
AI Learning Project / ARCHIVE
AI Security Lab full bundle
Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
Project timeline
Published posts
- AI Basics Learning Roadmap Separate AI, machine learning, and deep learning before going into implementation details.
- Machine Learning Workflow Follow the practical path from data and features to training, prediction, and evaluation.
- Model Training and Evaluation Understand loss, overfitting, train/test splits, accuracy, recall, and F1.
- Neural Network Basics Move from perceptrons to activation, forward propagation, backpropagation, and training loops.
- Matrix Calculus for Neural Networks Derive dL/dW for y = Wx + b and verify it with finite differences.
- Backpropagation as a Computation Graph Trace local gradients through ReLU and softmax cross-entropy in a two-layer MLP.
- Gradient Descent and Optimizer Geometry Compare gradient descent, momentum, and Adam on a visible quadratic loss surface.
- Convolution and Receptive Field Math Compute convolution output size, receptive fields, channel mixing, and im2col layout.
- Transformer Attention Math Hand-calculate Q/K/V scores, softmax weights, masks, multi-head structure, and KV cache.
- Python AI Mini Practice Run a small scikit-learn classification task and read the experiment output.
- Handwritten Digit Dataset Basics Read train.csv, test.csv, labels, and the flattened 28 by 28 pixel layout before training the classifier.
- Handwritten Digit Softmax in C Follow the C implementation from logits and softmax probabilities to confusion matrices and submission export.
- Handwritten Digit Playground Notes See how the offline classifier was adapted into a browser demo with drawing input and probability output.
- CIFAR-10 Tiny CNN Tutorial in C Build and train a small convolutional neural network for CIFAR-10 image classification, then read its loss and accuracy output.
- High-Entropy Traffic Defense Notes Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.
- AI Security Threat Modeling Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
- Adversarial Examples and Robust Evaluation Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
- Data Poisoning and Backdoor Defense Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
- Model Privacy and Extraction Defense Measure membership inference signal and surrogate fidelity against a local toy model.
- LLM, RAG, and Agent Security Separate instructions from data and enforce tool permissions against indirect prompt injection.
Published resources
- Python AI practice code guide The article includes a runnable scikit-learn classification script.
- digit_softmax_classifier.c The C source for the handwritten digit softmax classifier.
- train.csv.zip Compressed handwritten digit training set with 42000 labeled samples.
- test.csv.zip Compressed handwritten digit test set with 28000 unlabeled samples.
- sample_submission.csv The official submission format example for checking the final output columns.
- submission.csv The prediction file generated by the current C project.
- digit-playground-model.json The compact softmax demo model and sample set used by the browser playground.
- digit-sample-grid.svg A small handwritten digit preview grid extracted from the training set.
- Handwritten digit project bundle Contains the source file, compressed datasets, submission files, browser model, and preview grid.
- cifar10_tiny_cnn.c source Single-file C tiny CNN with CIFAR-10 loading, convolution, pooling, softmax, and backpropagation.
- model_weights.bin sample weights Model weights generated by one local small-sample run.
- test_predictions.csv sample predictions Sample test prediction output from the CIFAR-10 tiny CNN.
- CNN project explanation PDF Companion explanation material for the CNN project.
- Virtual Mirror redacted code skeleton A redacted mld_chaffing_v2.py control-flow skeleton with secrets, node topology, and target lists removed.
- Virtual Mirror stress-test template A redacted CSV template for CPU, memory, peak threads, pulse rate, latency, and error measurements.
- Virtual Mirror classifier-evaluation template A CSV template for TP, FN, FP, TN, accuracy, precision, recall, F1, ROC-AUC, entropy, and JS divergence.
- Virtual Mirror resource notes Notes explaining why the public resources include only redacted code, test templates, and architecture context.
- AI Security Lab README Setup, safety boundaries, and quick-run commands for the AI Security series.
- AI Security Lab full bundle Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
- AI security risk register CSV risk register template for AI threat modeling and release review.
- AI attack-defense matrix Maps attack surface, toy demo, metric, and defensive control into one CSV table.
- AI Security Lab architecture diagram Shows threat modeling, robustness, data integrity, model privacy, and RAG guardrails.
- FGSM digits robustness script FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
- Data poisoning and backdoor toy script Demonstrates poison rate, trigger behavior, and attack success rate on digits.
- Model privacy and extraction toy script Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
- RAG prompt injection guard toy script Uses a deterministic toy agent to demonstrate external-data demotion and tool-policy blocking.
- Deep Learning Math Lab README Setup commands, script entry points, generated outputs, and figure notes for the math series.
- Deep learning math full lab bundle Bundles NumPy scripts, CSV outputs, formula diagrams, loss contours, convolution figures, and attention heatmaps.
- Gradient check results CSV Stores MSE analytic gradients, finite-difference gradients, and error norms.
- Optimizer path CSV Step-by-step coordinates and loss for gradient descent, momentum, and Adam on a 2D quadratic.
- Attention weights CSV Scores, softmax weights, and context vectors for a three-token scaled dot-product attention example.
- Deep learning math figure set Includes matrix shapes, computation graphs, loss contours, convolution scans, and attention heatmaps.
- Deep learning math interactive visualizer Browser modules for gradient checking, optimizer paths, convolution output size, and attention heatmaps.
- Deep Learning topic share card A 1200x630 SVG card for sharing the Deep Learning / CNN topic hub.
- Machine Learning From Scratch share card A 1200x630 SVG card for the K-means, Iris, and ML workflow topic hub.
- Student AI Projects share card A 1200x630 SVG card for handwritten digits, C classifiers, and browser demos.
- CNN convolution scan animation An 8-second Remotion animation showing how a 3x3 convolution kernel scans an input and builds a feature map.
Current route
- AI Basics Learning Roadmap Learning path step
- Machine Learning Workflow Learning path step
- Model Training and Evaluation Learning path step
- Neural Network Basics Learning path step
- Matrix Calculus for Neural Networks Learning path step
- Backpropagation as a Computation Graph Learning path step
- Gradient Descent and Optimizer Geometry Learning path step
- Convolution and Receptive Field Math Learning path step
- Transformer Attention Math Learning path step
- LLM Visualizer Learning path step
- Python AI Mini Practice Learning path step
- Handwritten Digit Dataset Basics Learning path step
- Handwritten Digit Softmax in C Learning path step
- Handwritten Digit Playground Notes Learning path step
- CIFAR-10 Tiny CNN Tutorial in C Learning path step
- High-Entropy Traffic Defense Notes Learning path step
- AI Security Threat Modeling Learning path step
- Adversarial Examples and Robust Evaluation Learning path step
- Data Poisoning and Backdoor Defense Learning path step
- Model Privacy and Extraction Defense Learning path step
- LLM, RAG, and Agent Security Learning path step
Next notes
- Add more image-classification and error-analysis cases
- Turn common metrics into a quick reference
- Add more AI security defense experiment notes
