English
Model Privacy and Extraction Defense: Membership Inference, Surrogates, and Prediction API Controls
Model privacy risks expose the structural memorization inherent in neural network optimization. When a model overfits, it intrinsically learns the exact probability distribution of its training manifold. Through sophisticated API interactions, attackers can execute Membership Inference Attacks (MIA) to determine if a specific record was in the training set, or deploy Model Extraction to reverse-engineer the proprietary decision boundary into a surrogate network.
1. The Mathematics of Differential Privacy (DP)
To rigorously defend against exact memorization and membership inference, production systems rely on Differential Privacy, specifically DP-SGD (Differentially Private Stochastic Gradient Descent). DP provides a mathematical guarantee that the inclusion or exclusion of a single training sample will not significantly change the resulting model weights.
A randomized algorithm $mathcal{M}$ satisfies $(epsilon, delta)$-Differential Privacy if for all datasets $D$ and $D'$ differing by at most one record, and for all subsets of outputs $S subseteq text{Range}(mathcal{M})$:
$$ P[mathcal{M}(D) in S] le e^epsilon P[mathcal{M}(D') in S] + delta $$
- $epsilon$ (Privacy Loss Bound): Controls how much the probability of a specific model output can change. Lower $epsilon$ means stronger privacy.
- $delta$ (Probability of Failure): The cryptographic probability that the $epsilon$ bound is strictly violated, typically set to $< 1/|D|$.
2. Real-World Membership Inference Attacks
Advanced Membership Inference goes beyond simple confidence thresholding. State-of-the-art attacks, such as LiRA (Likelihood Ratio Attack), train localized shadow models. For a target sample $(x, y)$ and model $theta$, the attacker calculates the likelihood ratio:
$$ Lambda(x, y) = frac{P(f_theta(x)=y | (x, y) in D_{train})}{P(f_theta(x)=y | (x, y) notin D_{train})} $$
If the log-likelihood is exceptionally high compared to the Gaussian distribution of shadow model predictions, the sample is flagged as a member. This vector is highly effective against LLMs trained on proprietary codebases or private PII.
3. PyTorch Implementation: DP-SGD Gradient Clipping
To enforce DP bounds during training, we must bound the sensitivity of the gradients before adding Gaussian noise. Here is a hardcore implementation of DP-SGD per-sample gradient clipping and noise injection.
import torch
import torch.nn as nn
def dp_sgd_step(model: nn.Module, optimizer: torch.optim.Optimizer,
loss_fn, x: torch.Tensor, y: torch.Tensor,
max_grad_norm: float = 1.0, noise_multiplier: float = 0.5):
optimizer.zero_grad()
# Forward pass
logits = model(x)
# Compute per-sample losses (reduction='none' is critical)
losses = loss_fn(logits, y)
saved_grads = {name: torch.zeros_like(param) for name, param in model.named_parameters()}
# 1. Per-sample gradient computation and clipping
for i in range(x.size(0)):
losses[i].backward(retain_graph=True)
torch.nn.utils.clip_grad_norm_(model.parameters(), max_norm=max_grad_norm)
for name, param in model.named_parameters():
if param.grad is not None:
saved_grads[name] += param.grad.data
param.grad = None # clear for next sample
# 2. Add Gaussian Noise scaled by sensitivity (max_grad_norm)
for name, param in model.named_parameters():
if param.requires_grad:
noise = torch.normal(
mean=0.0,
std=noise_multiplier * max_grad_norm,
size=param.size(),
device=param.device
)
# Average the noisy gradients over the batch
param.grad = (saved_grads[name] + noise) / x.size(0)
optimizer.step()
4. Enterprise Inference Architecture Guardrails
To prevent Model Extraction (surrogate training via API abuse), production APIs must deploy multi-layered observability and entropy limiting:
graph LR
A[Client Request] --> B[API Gateway / WAF]
B --> C{Query Entropy Analysis}
C -->|High Variance| D[Rate Limit / Tarpit]
C -->|Normal| E[Inference Engine]
E --> F[Output Perturbation Layer]
F -->|Top-K Logits Only| A
F -->|Rounding/Bucketing| A
Key Defenses:
- Output Perturbation: Never return raw probability distributions or logits. Return top-K classes with low-precision floating point rounding (e.g., to 2 decimal places).
- Query Dimensionality Reduction: Detect active learning heuristics. If an IP block systematically queries the model near the geometric decision boundary (adversarial exploration), trigger API tarpitting.
5. Privacy Risk Evidence Matrix
Privacy defenses should be reported as measurable trade-offs, not as labels such as "DP enabled" or "rate limited." The matrix below connects privacy risk to observable engineering evidence.
| Risk | Measurement | Defense knob | Residual risk to document |
|---|---|---|---|
| Membership inference | MIA AUC, confidence gap between train and holdout samples, calibration error | DP-SGD, regularization, early stopping, confidence rounding | Strong privacy can reduce utility, especially on rare classes |
| Model extraction | Query volume, boundary-probing rate, surrogate agreement score | Rate limits, entropy throttling, top-k outputs, response bucketing | Public APIs can still leak coarse decision boundaries over long periods |
| Training data memorization | Canary exposure, exact-match generation rate, rare sequence recall | Deduplication, DP fine-tuning, redaction, memorization tests | Rare sensitive examples may remain vulnerable even after aggregate tests pass |
| Telemetry leakage | Logs containing raw prompts, identifiers, or high-cardinality features | Log minimization, retention windows, field-level hashing | Security analytics still need enough signal to detect abuse |
6. References
Chinese
模型隐私与模型窃取风险:成员推断、模型抽取和输出接口防护
Open as a full page模型隐私风险暴露了神经网络优化固有的结构性记忆(Structural Memorization)。当模型过拟合时,它本质上记住了训练流形的精确概率分布。通过复杂的 API 交互,攻击者可以执行成员推断攻击(Membership Inference Attacks, MIA)来确定特定记录是否在训练集中,或者部署模型抽取(Model Extraction)攻击,将专有的决策边界逆向工程到代理网络(Surrogate Network)中。
一、差分隐私(DP)的数学严谨性
为了严格防御精确记忆和成员推断,生产系统依赖于差分隐私,特别是 DP-SGD(差分隐私随机梯度下降)。DP 提供了一种数学保证:包含或排除单个训练样本不会显著改变最终的模型权重。
如果对于相差最多一条记录的所有数据集 $D$ 和 $D'$,以及输出集的所有子集 $S subseteq text{Range}(mathcal{M})$,一个随机算法 $mathcal{M}$ 满足 $(epsilon, delta)$-差分隐私,那么:
$$ P[mathcal{M}(D) in S] le e^epsilon P[mathcal{M}(D') in S] + delta $$
- $epsilon$ (隐私损失边界 / Privacy Loss Bound): 控制特定模型输出的概率变化程度。$epsilon$ 越低,隐私保护越强。
- $delta$ (失败概率): 严格违反 $epsilon$ 边界的密码学概率,通常设置为 $< 1/|D|$。
二、真实世界的成员推断攻击向量
高级的成员推断攻击超越了简单的置信度阈值判断。最先进的攻击,如 LiRA (Likelihood Ratio Attack),会训练局部影子模型(Shadow Models)。对于目标样本 $(x, y)$ 和模型 $theta$,攻击者计算似然比:
$$ Lambda(x, y) = frac{P(f_theta(x)=y | (x, y) in D_{train})}{P(f_theta(x)=y | (x, y) notin D_{train})} $$
如果与影子模型预测的高斯分布相比,对数似然异常高,则该样本被标记为成员。这种攻击向量针对在专有代码库或私人 PII 上训练的 LLM 极其有效。
三、PyTorch 实现:DP-SGD 梯度裁剪与噪声注入
为了在训练期间强制执行 DP 边界,在添加高斯噪声之前,我们必须限制梯度的敏感度(Sensitivity)。以下是 DP-SGD 单样本梯度裁剪和噪声注入的硬核生产级实现。
import torch
import torch.nn as nn
def dp_sgd_step(model: nn.Module, optimizer: torch.optim.Optimizer,
loss_fn, x: torch.Tensor, y: torch.Tensor,
max_grad_norm: float = 1.0, noise_multiplier: float = 0.5):
optimizer.zero_grad()
# 前向传播
logits = model(x)
# 计算每个样本的损失 (reduction='none' 极其关键)
losses = loss_fn(logits, y)
saved_grads = {name: torch.zeros_like(param) for name, param in model.named_parameters()}
# 1. 逐样本梯度计算与裁剪 (Per-sample Gradient Clipping)
for i in range(x.size(0)):
losses[i].backward(retain_graph=True)
torch.nn.utils.clip_grad_norm_(model.parameters(), max_norm=max_grad_norm)
for name, param in model.named_parameters():
if param.grad is not None:
saved_grads[name] += param.grad.data
param.grad = None # 清除梯度,准备下一个样本
# 2. 注入受敏感度 (max_grad_norm) 缩放的高斯噪声
for name, param in model.named_parameters():
if param.requires_grad:
noise = torch.normal(
mean=0.0,
std=noise_multiplier * max_grad_norm,
size=param.size(),
device=param.device
)
# 在 Batch 上平均带噪梯度
param.grad = (saved_grads[name] + noise) / x.size(0)
optimizer.step()
四、企业级推理架构边界防护
为了防止模型抽取(通过 API 滥用的 Surrogate Training),生产级 API 必须部署多层可观测性和信息熵限制:
graph LR
A[客户端请求] --> B[API 网关 / WAF]
B --> C{查询信息熵分析}
C -->|高方差异常| D[速率限制 / Tarpit 降速]
C -->|正常| E[推理引擎 Inference Engine]
E --> F[输出扰动层 Output Perturbation]
F -->|仅返回 Top-K Logits| A
F -->|低精度浮点数截断| A
核心防御策略:
- 输出扰动 (Output Perturbation): 永远不要返回原始的概率分布或完整的 Logits 向量。仅返回 Top-K 类别,并使用低精度浮点数截断(例如,舍入到小数点后两位)。
- 查询降维检测: 识别主动学习(Active Learning)启发式算法。如果一个 IP 段系统地在几何决策边界附近查询模型(对抗性探索),立即触发 API Tarpitting(故意延迟响应以消耗攻击者资源)。
五、隐私防护的工程取舍
模型隐私防护不是单一开关。差分隐私、输出裁剪、速率限制和审计日志解决的是不同层面的风险,而且都会影响可用性、准确率或开发体验。实际部署时应把这些控制拆开评估。
| 控制措施 | 主要防御对象 | 代价 | 适合场景 |
|---|---|---|---|
| DP-SGD | 成员推断、训练样本记忆 | 训练成本上升,准确率可能下降 | 敏感个人数据训练 |
| Top-k 输出 | 模型抽取、边界探测 | 可解释性和调试信息减少 | 公开推理 API |
| 概率四舍五入 | 高精度置信度滥用 | 下游排序精度可能降低 | 不需要完整 logits 的分类服务 |
| 查询模式检测 | 主动学习式抽取 | 需要存储和分析请求轨迹 | 高价值专有模型接口 |
六、上线前的隐私审计清单
发布模型 API 前,至少应回答下面几个问题:训练数据是否包含个人或私有记录;是否有重复样本或极少数类样本;接口是否返回完整概率向量;是否能按用户、IP、token 追踪异常查询;是否有针对成员推断的影子模型测试结果。
训练数据敏感性: high / medium / low
输出粒度: label-only / top-k / full logits
单用户速率限制: requests per minute
MIA 测试: AUC, precision@risk-threshold
抽取测试: surrogate accuracy vs query budget
保留日志: request hash, output class, confidence bucket, policy decision
如果模型必须服务外部用户,默认不应暴露完整 logits。即使业务需要概率,也可以返回分桶后的置信度,例如 high、medium、low,或者只保留两位小数。隐私风险往往来自大量看似无害的高精度响应被长期收集。
七、参考文献
Model privacy risks expose the structural memorization inherent in neural network optimization. When a model overfits, it intrinsically learns the exact probability distribution of its training manifold. Through sophisticated API interactions, attackers can execute Membership Inference Attacks (MIA) to determine if a specific record was in the training set, or deploy Model Extraction to reverse-engineer the proprietary decision boundary into a surrogate network.
1. The Mathematics of Differential Privacy (DP)
To rigorously defend against exact memorization and membership inference, production systems rely on Differential Privacy, specifically DP-SGD (Differentially Private Stochastic Gradient Descent). DP provides a mathematical guarantee that the inclusion or exclusion of a single training sample will not significantly change the resulting model weights.
A randomized algorithm $mathcal{M}$ satisfies $(epsilon, delta)$-Differential Privacy if for all datasets $D$ and $D’$ differing by at most one record, and for all subsets of outputs $S subseteq text{Range}(mathcal{M})$:
$$ P[mathcal{M}(D) in S] le e^epsilon P[mathcal{M}(D’) in S] + delta $$
- $epsilon$ (Privacy Loss Bound): Controls how much the probability of a specific model output can change. Lower $epsilon$ means stronger privacy.
- $delta$ (Probability of Failure): The cryptographic probability that the $epsilon$ bound is strictly violated, typically set to $< 1/|D|$.
2. Real-World Membership Inference Attacks
Advanced Membership Inference goes beyond simple confidence thresholding. State-of-the-art attacks, such as LiRA (Likelihood Ratio Attack), train localized shadow models. For a target sample $(x, y)$ and model $theta$, the attacker calculates the likelihood ratio:
$$ Lambda(x, y) = frac{P(f_theta(x)=y | (x, y) in D_{train})}{P(f_theta(x)=y | (x, y) notin D_{train})} $$
If the log-likelihood is exceptionally high compared to the Gaussian distribution of shadow model predictions, the sample is flagged as a member. This vector is highly effective against LLMs trained on proprietary codebases or private PII.
3. PyTorch Implementation: DP-SGD Gradient Clipping
To enforce DP bounds during training, we must bound the sensitivity of the gradients before adding Gaussian noise. Here is a hardcore implementation of DP-SGD per-sample gradient clipping and noise injection.
import torch
import torch.nn as nn
def dp_sgd_step(model: nn.Module, optimizer: torch.optim.Optimizer,
loss_fn, x: torch.Tensor, y: torch.Tensor,
max_grad_norm: float = 1.0, noise_multiplier: float = 0.5):
optimizer.zero_grad()
# Forward pass
logits = model(x)
# Compute per-sample losses (reduction='none' is critical)
losses = loss_fn(logits, y)
saved_grads = {name: torch.zeros_like(param) for name, param in model.named_parameters()}
# 1. Per-sample gradient computation and clipping
for i in range(x.size(0)):
losses[i].backward(retain_graph=True)
torch.nn.utils.clip_grad_norm_(model.parameters(), max_norm=max_grad_norm)
for name, param in model.named_parameters():
if param.grad is not None:
saved_grads[name] += param.grad.data
param.grad = None # clear for next sample
# 2. Add Gaussian Noise scaled by sensitivity (max_grad_norm)
for name, param in model.named_parameters():
if param.requires_grad:
noise = torch.normal(
mean=0.0,
std=noise_multiplier * max_grad_norm,
size=param.size(),
device=param.device
)
# Average the noisy gradients over the batch
param.grad = (saved_grads[name] + noise) / x.size(0)
optimizer.step()
4. Enterprise Inference Architecture Guardrails
To prevent Model Extraction (surrogate training via API abuse), production APIs must deploy multi-layered observability and entropy limiting:
graph LR
A[Client Request] --> B[API Gateway / WAF]
B --> C{Query Entropy Analysis}
C -->|High Variance| D[Rate Limit / Tarpit]
C -->|Normal| E[Inference Engine]
E --> F[Output Perturbation Layer]
F -->|Top-K Logits Only| A
F -->|Rounding/Bucketing| A
Key Defenses:
- Output Perturbation: Never return raw probability distributions or logits. Return top-K classes with low-precision floating point rounding (e.g., to 2 decimal places).
- Query Dimensionality Reduction: Detect active learning heuristics. If an IP block systematically queries the model near the geometric decision boundary (adversarial exploration), trigger API tarpitting.
5. Privacy Risk Evidence Matrix
Privacy defenses should be reported as measurable trade-offs, not as labels such as “DP enabled” or “rate limited.” The matrix below connects privacy risk to observable engineering evidence.
| Risk | Measurement | Defense knob | Residual risk to document |
|---|---|---|---|
| Membership inference | MIA AUC, confidence gap between train and holdout samples, calibration error | DP-SGD, regularization, early stopping, confidence rounding | Strong privacy can reduce utility, especially on rare classes |
| Model extraction | Query volume, boundary-probing rate, surrogate agreement score | Rate limits, entropy throttling, top-k outputs, response bucketing | Public APIs can still leak coarse decision boundaries over long periods |
| Training data memorization | Canary exposure, exact-match generation rate, rare sequence recall | Deduplication, DP fine-tuning, redaction, memorization tests | Rare sensitive examples may remain vulnerable even after aggregate tests pass |
| Telemetry leakage | Logs containing raw prompts, identifiers, or high-cardinality features | Log minimization, retention windows, field-level hashing | Security analytics still need enough signal to detect abuse |
6. References
Search questions
FAQ
Who is this article for?
This article is for readers who want a professional-level guide to Model Privacy and Extraction Defense. It takes about 12 min and focuses on Model Privacy, Membership Inference, Model Extraction, Prediction API.
What should I read next?
The recommended next step is LLM, RAG, and Agent Security, so the article connects into a longer learning route instead of ending as an isolated note.
Does this article include runnable code or companion resources?
Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.
How does this article fit into the larger site?
It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.
Article context
AI Learning Project
A practical route from AI concepts to machine learning workflow, evaluation, neural networks, Python practice, handwritten digits, a CIFAR-10 CNN, adversarial traffic-defense notes, and AI security.
Measure membership inference signal and surrogate fidelity against a local toy model.
Download share card Open share centerCompanion resources
AI Learning Project / CODE
Model privacy and extraction toy script
Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
AI Learning Project / DATASET
AI security risk register
CSV risk register template for AI threat modeling and release review.
AI Learning Project / ARCHIVE
AI Security Lab full bundle
Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
Project timeline
Published posts
- AI Basics Learning Roadmap Separate AI, machine learning, and deep learning before going into implementation details.
- Machine Learning Workflow Follow the practical path from data and features to training, prediction, and evaluation.
- Model Training and Evaluation Understand loss, overfitting, train/test splits, accuracy, recall, and F1.
- Neural Network Basics Move from perceptrons to activation, forward propagation, backpropagation, and training loops.
- Matrix Calculus for Neural Networks Derive dL/dW for y = Wx + b and verify it with finite differences.
- Backpropagation as a Computation Graph Trace local gradients through ReLU and softmax cross-entropy in a two-layer MLP.
- Gradient Descent and Optimizer Geometry Compare gradient descent, momentum, and Adam on a visible quadratic loss surface.
- Convolution and Receptive Field Math Compute convolution output size, receptive fields, channel mixing, and im2col layout.
- Transformer Attention Math Hand-calculate Q/K/V scores, softmax weights, masks, multi-head structure, and KV cache.
- Python AI Mini Practice Run a small scikit-learn classification task and read the experiment output.
- Handwritten Digit Dataset Basics Read train.csv, test.csv, labels, and the flattened 28 by 28 pixel layout before training the classifier.
- Handwritten Digit Softmax in C Follow the C implementation from logits and softmax probabilities to confusion matrices and submission export.
- Handwritten Digit Playground Notes See how the offline classifier was adapted into a browser demo with drawing input and probability output.
- CIFAR-10 Tiny CNN Tutorial in C Build and train a small convolutional neural network for CIFAR-10 image classification, then read its loss and accuracy output.
- High-Entropy Traffic Defense Notes Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.
- AI Security Threat Modeling Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
- Adversarial Examples and Robust Evaluation Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
- Data Poisoning and Backdoor Defense Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
- Model Privacy and Extraction Defense Measure membership inference signal and surrogate fidelity against a local toy model.
- LLM, RAG, and Agent Security Separate instructions from data and enforce tool permissions against indirect prompt injection.
Published resources
- Python AI practice code guide The article includes a runnable scikit-learn classification script.
- digit_softmax_classifier.c The C source for the handwritten digit softmax classifier.
- train.csv.zip Compressed handwritten digit training set with 42000 labeled samples.
- test.csv.zip Compressed handwritten digit test set with 28000 unlabeled samples.
- sample_submission.csv The official submission format example for checking the final output columns.
- submission.csv The prediction file generated by the current C project.
- digit-playground-model.json The compact softmax demo model and sample set used by the browser playground.
- digit-sample-grid.svg A small handwritten digit preview grid extracted from the training set.
- Handwritten digit project bundle Contains the source file, compressed datasets, submission files, browser model, and preview grid.
- cifar10_tiny_cnn.c source Single-file C tiny CNN with CIFAR-10 loading, convolution, pooling, softmax, and backpropagation.
- model_weights.bin sample weights Model weights generated by one local small-sample run.
- test_predictions.csv sample predictions Sample test prediction output from the CIFAR-10 tiny CNN.
- CNN project explanation PDF Companion explanation material for the CNN project.
- Virtual Mirror redacted code skeleton A redacted mld_chaffing_v2.py control-flow skeleton with secrets, node topology, and target lists removed.
- Virtual Mirror stress-test template A redacted CSV template for CPU, memory, peak threads, pulse rate, latency, and error measurements.
- Virtual Mirror classifier-evaluation template A CSV template for TP, FN, FP, TN, accuracy, precision, recall, F1, ROC-AUC, entropy, and JS divergence.
- Virtual Mirror resource notes Notes explaining why the public resources include only redacted code, test templates, and architecture context.
- AI Security Lab README Setup, safety boundaries, and quick-run commands for the AI Security series.
- AI Security Lab full bundle Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
- AI security risk register CSV risk register template for AI threat modeling and release review.
- AI attack-defense matrix Maps attack surface, toy demo, metric, and defensive control into one CSV table.
- AI Security Lab architecture diagram Shows threat modeling, robustness, data integrity, model privacy, and RAG guardrails.
- FGSM digits robustness script FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
- Data poisoning and backdoor toy script Demonstrates poison rate, trigger behavior, and attack success rate on digits.
- Model privacy and extraction toy script Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
- RAG prompt injection guard toy script Uses a deterministic toy agent to demonstrate external-data demotion and tool-policy blocking.
- Deep Learning Math Lab README Setup commands, script entry points, generated outputs, and figure notes for the math series.
- Deep learning math full lab bundle Bundles NumPy scripts, CSV outputs, formula diagrams, loss contours, convolution figures, and attention heatmaps.
- Gradient check results CSV Stores MSE analytic gradients, finite-difference gradients, and error norms.
- Optimizer path CSV Step-by-step coordinates and loss for gradient descent, momentum, and Adam on a 2D quadratic.
- Attention weights CSV Scores, softmax weights, and context vectors for a three-token scaled dot-product attention example.
- Deep learning math figure set Includes matrix shapes, computation graphs, loss contours, convolution scans, and attention heatmaps.
- Deep learning math interactive visualizer Browser modules for gradient checking, optimizer paths, convolution output size, and attention heatmaps.
- Deep Learning topic share card A 1200x630 SVG card for sharing the Deep Learning / CNN topic hub.
- Machine Learning From Scratch share card A 1200x630 SVG card for the K-means, Iris, and ML workflow topic hub.
- Student AI Projects share card A 1200x630 SVG card for handwritten digits, C classifiers, and browser demos.
- CNN convolution scan animation An 8-second Remotion animation showing how a 3x3 convolution kernel scans an input and builds a feature map.
Current route
- AI Basics Learning Roadmap Learning path step
- Machine Learning Workflow Learning path step
- Model Training and Evaluation Learning path step
- Neural Network Basics Learning path step
- Matrix Calculus for Neural Networks Learning path step
- Backpropagation as a Computation Graph Learning path step
- Gradient Descent and Optimizer Geometry Learning path step
- Convolution and Receptive Field Math Learning path step
- Transformer Attention Math Learning path step
- LLM Visualizer Learning path step
- Python AI Mini Practice Learning path step
- Handwritten Digit Dataset Basics Learning path step
- Handwritten Digit Softmax in C Learning path step
- Handwritten Digit Playground Notes Learning path step
- CIFAR-10 Tiny CNN Tutorial in C Learning path step
- High-Entropy Traffic Defense Notes Learning path step
- AI Security Threat Modeling Learning path step
- Adversarial Examples and Robust Evaluation Learning path step
- Data Poisoning and Backdoor Defense Learning path step
- Model Privacy and Extraction Defense Learning path step
- LLM, RAG, and Agent Security Learning path step
Next notes
- Add more image-classification and error-analysis cases
- Turn common metrics into a quick reference
- Add more AI security defense experiment notes
