English
Data Poisoning and Backdoor Defense: Poison Rates, Triggers, and Training Pipeline Isolation
Data poisoning and backdoors compromise the very mathematical foundation of neural network optimization, fundamentally altering the learned manifold during the training phase. By deterministically polluting the feature space or upstream data supply chain, attackers can force a model to achieve state-of-the-art clean accuracy while encoding malicious sub-networks that activate exclusively under arbitrary trigger conditions.
1. Poisoning vs. Backdoor: The Mathematical Distinction
Data Poisoning (Untargeted/Byzantine) seeks to maximize the global empirical risk. If $D_{train}$ is the dataset, the attacker modifies a subset $D_p subset D_{train}$ to maximize the loss $mathcal{L}(theta; D_{test})$ on a clean test set, essentially corrupting the decision boundary globally.
Backdoor Attacks (Targeted/Trojans) are significantly more stealthy. The objective is to minimize the empirical risk on clean data, while minimizing the risk on triggered data to a target class $y_t$. The trigger blending can be mathematically formulated as:
$$ tilde{x} = (1 - alpha) odot x + alpha odot Delta $$
Where $x$ is the clean input, $Delta$ is the trigger pattern, $alpha in [0,1]^d$ is the blending mask (opacity), and $odot$ denotes element-wise multiplication. For an invisible additive perturbation bounded by $L_p$ norm, the trigger is optimized such that $||alpha odot Delta||_p < epsilon$.
2. Production Threat Modeling & Architecture
In enterprise AI pipelines, backdoors are injected via:
- Compromised Pre-trained Checkpoints: Fine-tuning a backdoored foundational model (e.g., from HuggingFace) transfers the malicious sub-network to downstream tasks via weight inheritance.
- Data Supply Chain Poisoning: Attackers poison web-scraped datasets (e.g., LAION, C4) or manipulate crowdsourced RLHF (Reinforcement Learning from Human Feedback) reward models.
A hardcore production defense architecture replaces simple "cleaning" with immutable, cryptographic data provenance:
graph TD
A[Raw Data Lake] -->|Cryptographic Hash| B(Data Version Control - DVC)
B --> C{Statistical Outlier Detection}
C -->|Clean| D[Feature Store]
C -->|Anomalous| E[Quarantine/Human Review]
D --> F[Immutable Training Pod]
F --> G[Shadow Model Evaluation]
G -->|Clean Acc + ASR Check| H[Model Registry]
3. PyTorch Implementation: BadNets Trigger Insertion
Below is a production-grade PyTorch implementation demonstrating how a static trigger (BadNets) is injected into a dataset tensor pipeline, effectively poisoning the batch during dataloading.
import torch
from torch.utils.data import Dataset
class BackdoorDataset(Dataset):
def __init__(self, clean_dataset, poison_rate=0.05, target_label=7):
self.dataset = clean_dataset
self.poison_rate = poison_rate
self.target_label = target_label
self.num_samples = len(clean_dataset)
# Determine poisoned indices securely
torch.manual_seed(42)
indices = torch.randperm(self.num_samples)
self.poisoned_indices = set(indices[:int(self.num_samples * poison_rate)].tolist())
# Define BadNets Trigger: 3x3 white square at bottom-right of 28x28 image
self.trigger_mask = torch.zeros((1, 28, 28))
self.trigger_mask[0, 25:28, 25:28] = 1.0 # α mask
self.trigger_pattern = torch.ones((1, 28, 28)) # Δ pattern
def __len__(self):
return self.num_samples
def __getitem__(self, idx):
x, y = self.dataset[idx]
if idx in self.poisoned_indices:
# Mathematical blending: x_tilde = (1 - α) * x + α * Δ
x = (1 - self.trigger_mask) * x + self.trigger_mask * self.trigger_pattern
y = self.target_label
return x, y
4. Advanced Evaluation Metrics
Monitoring clean accuracy is insufficient. Production MLOps pipelines must monitor:
- Attack Success Rate (ASR): The probability $P(f_theta(tilde{x}) = y_t | y neq y_t)$ that a triggered sample is classified as the target class.
- Neural Activation Tracing: Using techniques like Neural Cleanse to detect anomalous, highly activated latent neurons that correlate with specific spatial triggers.
- Spectral Signatures: Analyzing the covariance matrix of the latent representations of the target class to find bimodal distributions, which indicate poisoned vs. clean samples.
5. Backdoor Defense Evidence Matrix
A backdoor defense is credible only when it separates clean task performance from triggered behavior. The following matrix records the evidence needed before promoting a trained model into the registry.
| Pipeline stage | Evidence | Metric or artifact | Release blocker |
|---|---|---|---|
| Dataset intake | Source provenance, hash manifest, annotation audit, poison rate estimate | Signed dataset version and sampled label review log | Unknown source data enters training without quarantine or sampling review |
| Training run | Clean accuracy, class-level recall, poisoned validation split, seed list | Clean accuracy and attack success rate reported together | Clean accuracy is high while ASR remains high for target class triggers |
| Representation scan | Activation clustering, spectral signatures, trigger reverse engineering attempt | Cluster separation score or Neural Cleanse anomaly index | One class has an unusually small recovered trigger or isolated latent cluster |
| Registry gate | Model card, artifact signature, known limitations, rollback candidate | Approved model version with reproducible training inputs | Model cannot be traced back to exact data, code, and hyperparameter versions |
6. References
Chinese
数据投毒与后门攻击防御:污染率、触发器和训练管线隔离
Open as a full page数据投毒与后门攻击破坏了神经网络优化的底层数学基础,在训练阶段从根本上改变了模型学习到的流形(Manifold)。通过确定性地污染特征空间或上游数据供应链,攻击者可以迫使模型在保持极高干净测试集准确率的同时,将隐藏的恶意子网络编码到权重中,这些子网络只有在特定的触发器(Trigger)出现时才会被激活。
一、投毒与后门的数学本质
数据投毒(Data Poisoning / Byzantine Attacks) 的目标是最大化全局经验风险(Empirical Risk)。假设 $D_{train}$ 为训练集,攻击者修改子集 $D_p subset D_{train}$,旨在最大化干净测试集上的损失 $mathcal{L}(theta; D_{test})$,从而全局性地破坏决策边界。
后门攻击(Backdoor Attacks / Trojans) 则极其隐蔽。其优化目标是在最小化干净数据经验风险的同时,最小化触发数据到目标类别 $y_t$ 的风险。触发器融合(Trigger Blending)的数学公式可以表示为:
$$ tilde{x} = (1 - alpha) odot x + alpha odot Delta $$
其中 $x$ 为干净输入,$Delta$ 为触发器模式,$alpha in [0,1]^d$ 为融合掩码(透明度),$odot$ 表示逐元素相乘。对于受 $L_p$ 范数限制的不可见加性扰动,触发器的优化需满足 $||alpha odot Delta||_p < epsilon$。
二、生产级威胁建模与架构
在企业级 AI 流水线中,后门通常通过以下途径注入:
- 受损的预训练权重: 微调带有后门的基础模型(如来自 HuggingFace 的开源模型)会通过权重继承将恶意子网络迁移到下游任务。
- 数据供应链污染: 攻击者污染网络爬取的数据集(如 LAION, C4),或操纵用于强化学习的 RLHF(人类反馈强化学习)奖励模型。
硬核的生产级防御架构不再依赖简单的“数据清洗”,而是采用不可篡改的、基于密码学的数据血缘追踪:
graph TD
A[原始数据湖] -->|密码学哈希| B(数据版本控制 - DVC)
B --> C{统计学离群点检测}
C -->|干净| D[特征仓库 Feature Store]
C -->|异常| E[隔离/人工审查]
D --> F[不可变训练容器]
F --> G[影子模型评估 Shadow Model]
G -->|Clean Acc + ASR 联合校验| H[模型注册中心]
三、PyTorch 实现:BadNets 触发器注入
以下是生产级 PyTorch 实现,展示了如何将静态触发器(BadNets)注入数据集的 Tensor 流水线中,在 Dataloader 阶段动态污染 Batch 数据。
import torch
from torch.utils.data import Dataset
class BackdoorDataset(Dataset):
def __init__(self, clean_dataset, poison_rate=0.05, target_label=7):
self.dataset = clean_dataset
self.poison_rate = poison_rate
self.target_label = target_label
self.num_samples = len(clean_dataset)
# 安全地确定被投毒的索引
torch.manual_seed(42)
indices = torch.randperm(self.num_samples)
self.poisoned_indices = set(indices[:int(self.num_samples * poison_rate)].tolist())
# 定义 BadNets 触发器: 28x28 图像右下角的 3x3 白色方块
self.trigger_mask = torch.zeros((1, 28, 28))
self.trigger_mask[0, 25:28, 25:28] = 1.0 # α 掩码
self.trigger_pattern = torch.ones((1, 28, 28)) # Δ 模式
def __len__(self):
return self.num_samples
def __getitem__(self, idx):
x, y = self.dataset[idx]
if idx in self.poisoned_indices:
# 数学融合: x_tilde = (1 - α) * x + α * Δ
x = (1 - self.trigger_mask) * x + self.trigger_mask * self.trigger_pattern
y = self.target_label
return x, y
四、高阶评估指标
仅监控干净准确率(Clean Accuracy)是远远不够的。生产级 MLOps 流水线必须监控:
- 攻击成功率 (ASR, Attack Success Rate): 带有触发器的样本被错误分类为目标类别的概率 $P(f_theta(tilde{x}) = y_t | y neq y_t)$。
- 神经元激活追踪: 使用类似 Neural Cleanse 的技术,检测与特定空间触发器高度相关的异常高激活隐层神经元。
- 谱特征分析 (Spectral Signatures): 分析目标类别隐层表示的协方差矩阵,寻找表明干净样本与投毒样本混合的双峰分布。
五、防御验证矩阵
后门防御不能只写“清洗数据”四个字。真正可审计的验证应该同时覆盖数据、训练、模型注册和上线推理四个位置。每一层都要留下证据,否则上线后很难判断一次异常预测来自普通分布漂移,还是来自训练阶段被植入的触发器。
| 阶段 | 检查对象 | 主要风险 | 保留证据 |
|---|---|---|---|
| 数据接入 | 样本来源、标签来源、文件哈希 | 供应链投毒、标签翻转 | 数据版本、来源白名单、异常样本队列 |
| 训练过程 | 投毒率敏感性、目标类别 ASR | 干净准确率正常但触发样本被劫持 | Clean Acc、ASR、目标类别混淆矩阵 |
| 模型注册 | 权重签名、评估报告、触发器扫描 | 受损模型进入生产 | 模型签名、Neural Cleanse 报告、审批记录 |
| 线上推理 | 输入分布、目标类别异常升高 | 触发器在真实请求中激活 | 漂移告警、类别分布时间序列、可疑输入采样 |
六、最小复现实验应该怎么记录
如果你做一个教学级后门实验,至少应同时报告干净测试集准确率和攻击成功率。只报告干净准确率会掩盖后门;只报告 ASR 又无法说明模型是否仍能完成原任务。下面是一个更适合写进实验记录的格式。
模型: CNN-MNIST-baseline
投毒比例: 5%
目标类别: 7
触发器: 右下角 3x3 白块
Clean Accuracy: 98.7%
Attack Success Rate: 96.2%
防御后 Clean Accuracy: 98.1%
防御后 ASR: 14.8%
备注: 目标类别 7 的误报下降,但仍需检查触发器变体
这个记录方式能让读者看到防御的代价:ASR 降低是否伴随干净准确率下降,防御是否只对单一触发器有效,目标类别是否仍存在异常高激活。对生产系统来说,这些证据比“模型通过了测试集”更有价值。
七、参考文献
Data poisoning and backdoors compromise the very mathematical foundation of neural network optimization, fundamentally altering the learned manifold during the training phase. By deterministically polluting the feature space or upstream data supply chain, attackers can force a model to achieve state-of-the-art clean accuracy while encoding malicious sub-networks that activate exclusively under arbitrary trigger conditions.
1. Poisoning vs. Backdoor: The Mathematical Distinction
Data Poisoning (Untargeted/Byzantine) seeks to maximize the global empirical risk. If $D_{train}$ is the dataset, the attacker modifies a subset $D_p subset D_{train}$ to maximize the loss $mathcal{L}(theta; D_{test})$ on a clean test set, essentially corrupting the decision boundary globally.
Backdoor Attacks (Targeted/Trojans) are significantly more stealthy. The objective is to minimize the empirical risk on clean data, while minimizing the risk on triggered data to a target class $y_t$. The trigger blending can be mathematically formulated as:
$$ tilde{x} = (1 – alpha) odot x + alpha odot Delta $$
Where $x$ is the clean input, $Delta$ is the trigger pattern, $alpha in [0,1]^d$ is the blending mask (opacity), and $odot$ denotes element-wise multiplication. For an invisible additive perturbation bounded by $L_p$ norm, the trigger is optimized such that $||alpha odot Delta||_p < epsilon$.
2. Production Threat Modeling & Architecture
In enterprise AI pipelines, backdoors are injected via:
- Compromised Pre-trained Checkpoints: Fine-tuning a backdoored foundational model (e.g., from HuggingFace) transfers the malicious sub-network to downstream tasks via weight inheritance.
- Data Supply Chain Poisoning: Attackers poison web-scraped datasets (e.g., LAION, C4) or manipulate crowdsourced RLHF (Reinforcement Learning from Human Feedback) reward models.
A hardcore production defense architecture replaces simple “cleaning” with immutable, cryptographic data provenance:
graph TD
A[Raw Data Lake] -->|Cryptographic Hash| B(Data Version Control - DVC)
B --> C{Statistical Outlier Detection}
C -->|Clean| D[Feature Store]
C -->|Anomalous| E[Quarantine/Human Review]
D --> F[Immutable Training Pod]
F --> G[Shadow Model Evaluation]
G -->|Clean Acc + ASR Check| H[Model Registry]
3. PyTorch Implementation: BadNets Trigger Insertion
Below is a production-grade PyTorch implementation demonstrating how a static trigger (BadNets) is injected into a dataset tensor pipeline, effectively poisoning the batch during dataloading.
import torch
from torch.utils.data import Dataset
class BackdoorDataset(Dataset):
def __init__(self, clean_dataset, poison_rate=0.05, target_label=7):
self.dataset = clean_dataset
self.poison_rate = poison_rate
self.target_label = target_label
self.num_samples = len(clean_dataset)
# Determine poisoned indices securely
torch.manual_seed(42)
indices = torch.randperm(self.num_samples)
self.poisoned_indices = set(indices[:int(self.num_samples * poison_rate)].tolist())
# Define BadNets Trigger: 3x3 white square at bottom-right of 28x28 image
self.trigger_mask = torch.zeros((1, 28, 28))
self.trigger_mask[0, 25:28, 25:28] = 1.0 # α mask
self.trigger_pattern = torch.ones((1, 28, 28)) # Δ pattern
def __len__(self):
return self.num_samples
def __getitem__(self, idx):
x, y = self.dataset[idx]
if idx in self.poisoned_indices:
# Mathematical blending: x_tilde = (1 - α) * x + α * Δ
x = (1 - self.trigger_mask) * x + self.trigger_mask * self.trigger_pattern
y = self.target_label
return x, y
4. Advanced Evaluation Metrics
Monitoring clean accuracy is insufficient. Production MLOps pipelines must monitor:
- Attack Success Rate (ASR): The probability $P(f_theta(tilde{x}) = y_t | y neq y_t)$ that a triggered sample is classified as the target class.
- Neural Activation Tracing: Using techniques like Neural Cleanse to detect anomalous, highly activated latent neurons that correlate with specific spatial triggers.
- Spectral Signatures: Analyzing the covariance matrix of the latent representations of the target class to find bimodal distributions, which indicate poisoned vs. clean samples.
5. Backdoor Defense Evidence Matrix
A backdoor defense is credible only when it separates clean task performance from triggered behavior. The following matrix records the evidence needed before promoting a trained model into the registry.
| Pipeline stage | Evidence | Metric or artifact | Release blocker |
|---|---|---|---|
| Dataset intake | Source provenance, hash manifest, annotation audit, poison rate estimate | Signed dataset version and sampled label review log | Unknown source data enters training without quarantine or sampling review |
| Training run | Clean accuracy, class-level recall, poisoned validation split, seed list | Clean accuracy and attack success rate reported together | Clean accuracy is high while ASR remains high for target class triggers |
| Representation scan | Activation clustering, spectral signatures, trigger reverse engineering attempt | Cluster separation score or Neural Cleanse anomaly index | One class has an unusually small recovered trigger or isolated latent cluster |
| Registry gate | Model card, artifact signature, known limitations, rollback candidate | Approved model version with reproducible training inputs | Model cannot be traced back to exact data, code, and hyperparameter versions |
6. References
Search questions
FAQ
Who is this article for?
This article is for readers who want a professional-level guide to Data Poisoning and Backdoor Defense. It takes about 11 min and focuses on Data Poisoning, Backdoor Defense, Training Pipeline, scikit-learn.
What should I read next?
The recommended next step is Model Privacy and Extraction Defense, so the article connects into a longer learning route instead of ending as an isolated note.
Does this article include runnable code or companion resources?
Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.
How does this article fit into the larger site?
It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.
Article context
AI Learning Project
A practical route from AI concepts to machine learning workflow, evaluation, neural networks, Python practice, handwritten digits, a CIFAR-10 CNN, adversarial traffic-defense notes, and AI security.
Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
Download share card Open share centerCompanion resources
AI Learning Project / CODE
Data poisoning and backdoor toy script
Demonstrates poison rate, trigger behavior, and attack success rate on digits.
AI Learning Project / DATASET
AI security risk register
CSV risk register template for AI threat modeling and release review.
AI Learning Project / ARCHIVE
AI Security Lab full bundle
Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
Project timeline
Published posts
- AI Basics Learning Roadmap Separate AI, machine learning, and deep learning before going into implementation details.
- Machine Learning Workflow Follow the practical path from data and features to training, prediction, and evaluation.
- Model Training and Evaluation Understand loss, overfitting, train/test splits, accuracy, recall, and F1.
- Neural Network Basics Move from perceptrons to activation, forward propagation, backpropagation, and training loops.
- Matrix Calculus for Neural Networks Derive dL/dW for y = Wx + b and verify it with finite differences.
- Backpropagation as a Computation Graph Trace local gradients through ReLU and softmax cross-entropy in a two-layer MLP.
- Gradient Descent and Optimizer Geometry Compare gradient descent, momentum, and Adam on a visible quadratic loss surface.
- Convolution and Receptive Field Math Compute convolution output size, receptive fields, channel mixing, and im2col layout.
- Transformer Attention Math Hand-calculate Q/K/V scores, softmax weights, masks, multi-head structure, and KV cache.
- Python AI Mini Practice Run a small scikit-learn classification task and read the experiment output.
- Handwritten Digit Dataset Basics Read train.csv, test.csv, labels, and the flattened 28 by 28 pixel layout before training the classifier.
- Handwritten Digit Softmax in C Follow the C implementation from logits and softmax probabilities to confusion matrices and submission export.
- Handwritten Digit Playground Notes See how the offline classifier was adapted into a browser demo with drawing input and probability output.
- CIFAR-10 Tiny CNN Tutorial in C Build and train a small convolutional neural network for CIFAR-10 image classification, then read its loss and accuracy output.
- High-Entropy Traffic Defense Notes Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.
- AI Security Threat Modeling Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
- Adversarial Examples and Robust Evaluation Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
- Data Poisoning and Backdoor Defense Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
- Model Privacy and Extraction Defense Measure membership inference signal and surrogate fidelity against a local toy model.
- LLM, RAG, and Agent Security Separate instructions from data and enforce tool permissions against indirect prompt injection.
Published resources
- Python AI practice code guide The article includes a runnable scikit-learn classification script.
- digit_softmax_classifier.c The C source for the handwritten digit softmax classifier.
- train.csv.zip Compressed handwritten digit training set with 42000 labeled samples.
- test.csv.zip Compressed handwritten digit test set with 28000 unlabeled samples.
- sample_submission.csv The official submission format example for checking the final output columns.
- submission.csv The prediction file generated by the current C project.
- digit-playground-model.json The compact softmax demo model and sample set used by the browser playground.
- digit-sample-grid.svg A small handwritten digit preview grid extracted from the training set.
- Handwritten digit project bundle Contains the source file, compressed datasets, submission files, browser model, and preview grid.
- cifar10_tiny_cnn.c source Single-file C tiny CNN with CIFAR-10 loading, convolution, pooling, softmax, and backpropagation.
- model_weights.bin sample weights Model weights generated by one local small-sample run.
- test_predictions.csv sample predictions Sample test prediction output from the CIFAR-10 tiny CNN.
- CNN project explanation PDF Companion explanation material for the CNN project.
- Virtual Mirror redacted code skeleton A redacted mld_chaffing_v2.py control-flow skeleton with secrets, node topology, and target lists removed.
- Virtual Mirror stress-test template A redacted CSV template for CPU, memory, peak threads, pulse rate, latency, and error measurements.
- Virtual Mirror classifier-evaluation template A CSV template for TP, FN, FP, TN, accuracy, precision, recall, F1, ROC-AUC, entropy, and JS divergence.
- Virtual Mirror resource notes Notes explaining why the public resources include only redacted code, test templates, and architecture context.
- AI Security Lab README Setup, safety boundaries, and quick-run commands for the AI Security series.
- AI Security Lab full bundle Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
- AI security risk register CSV risk register template for AI threat modeling and release review.
- AI attack-defense matrix Maps attack surface, toy demo, metric, and defensive control into one CSV table.
- AI Security Lab architecture diagram Shows threat modeling, robustness, data integrity, model privacy, and RAG guardrails.
- FGSM digits robustness script FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
- Data poisoning and backdoor toy script Demonstrates poison rate, trigger behavior, and attack success rate on digits.
- Model privacy and extraction toy script Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
- RAG prompt injection guard toy script Uses a deterministic toy agent to demonstrate external-data demotion and tool-policy blocking.
- Deep Learning Math Lab README Setup commands, script entry points, generated outputs, and figure notes for the math series.
- Deep learning math full lab bundle Bundles NumPy scripts, CSV outputs, formula diagrams, loss contours, convolution figures, and attention heatmaps.
- Gradient check results CSV Stores MSE analytic gradients, finite-difference gradients, and error norms.
- Optimizer path CSV Step-by-step coordinates and loss for gradient descent, momentum, and Adam on a 2D quadratic.
- Attention weights CSV Scores, softmax weights, and context vectors for a three-token scaled dot-product attention example.
- Deep learning math figure set Includes matrix shapes, computation graphs, loss contours, convolution scans, and attention heatmaps.
- Deep learning math interactive visualizer Browser modules for gradient checking, optimizer paths, convolution output size, and attention heatmaps.
- Deep Learning topic share card A 1200x630 SVG card for sharing the Deep Learning / CNN topic hub.
- Machine Learning From Scratch share card A 1200x630 SVG card for the K-means, Iris, and ML workflow topic hub.
- Student AI Projects share card A 1200x630 SVG card for handwritten digits, C classifiers, and browser demos.
- CNN convolution scan animation An 8-second Remotion animation showing how a 3x3 convolution kernel scans an input and builds a feature map.
Current route
- AI Basics Learning Roadmap Learning path step
- Machine Learning Workflow Learning path step
- Model Training and Evaluation Learning path step
- Neural Network Basics Learning path step
- Matrix Calculus for Neural Networks Learning path step
- Backpropagation as a Computation Graph Learning path step
- Gradient Descent and Optimizer Geometry Learning path step
- Convolution and Receptive Field Math Learning path step
- Transformer Attention Math Learning path step
- LLM Visualizer Learning path step
- Python AI Mini Practice Learning path step
- Handwritten Digit Dataset Basics Learning path step
- Handwritten Digit Softmax in C Learning path step
- Handwritten Digit Playground Notes Learning path step
- CIFAR-10 Tiny CNN Tutorial in C Learning path step
- High-Entropy Traffic Defense Notes Learning path step
- AI Security Threat Modeling Learning path step
- Adversarial Examples and Robust Evaluation Learning path step
- Data Poisoning and Backdoor Defense Learning path step
- Model Privacy and Extraction Defense Learning path step
- LLM, RAG, and Agent Security Learning path step
Next notes
- Add more image-classification and error-analysis cases
- Turn common metrics into a quick reference
- Add more AI security defense experiment notes
