Dan Hendrycks

1. Could a prediction API attack be used to glean information about the data a model was trained on? Explain.

Yes, this is called model inversion. https://www.cs.cmu.edu/~mfredrik/papers/fjr2015ccs.pdf They also use model confidence measures to reconstruct some of the training data, such as a face of a person in the training set.

2. Could changing the training data have a similar outcome (changes a prediction from x to x') to the robustness attack on neural networks? Explain.

Yes. We could use adversarial training (train on adversarial examples) to increase the robustness of a neural network. We could also poison the training data to make the network less robust by corrupting the labels.
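The label-corruption point in answer 2, worked through as an added example that is not part of the answer above: a toy nearest-centroid classifier (chosen here instead of a neural network so every number is checkable by hand) on a constructed 2-D dataset, where flipping two training labels changes the prediction for a boundary point from 1 to 0, together with a k-nearest-neighbour label-consistency check that a defender can run over the training set to surface the corrupted labels before training.

```python
# Added example (not from the original answer): label-flipping poisoning of a
# nearest-centroid classifier on a hand-constructed 2-D dataset, plus a
# defender-side label-consistency check over the training set.

# Constructed training set: two well-separated clusters, labels 0 and 1.
CLEAN_DATA = [
    ((-3, -3), 0), ((-3, -1), 0), ((-1, -3), 0),
    ((-2, -2), 0), ((-1, -1), 0), ((-2, -1), 0),
    ((3, 3), 1), ((3, 1), 1), ((1, 3), 1),
    ((2, 2), 1), ((1, 1), 1), ((2, 1), 1),
]

def sq_dist(a, b):
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2

def train_centroids(data):
    """Nearest-centroid model: one mean vector per class label."""
    sums = {}
    for (x, y), label in data:
        sx, sy, n = sums.get(label, (0.0, 0.0, 0))
        sums[label] = (sx + x, sy + y, n + 1)
    return {label: (sx / n, sy / n) for label, (sx, sy, n) in sums.items()}

def predict(model, point):
    return min(model, key=lambda label: sq_dist(model[label], point))

def poison_labels(data, target, victim_label, k):
    """Corrupt the labels of the k victim_label points closest to target.
    This is the training-data change from answer 2, as opposed to
    perturbing the input at prediction time."""
    victims = sorted((p for p in data if p[1] == victim_label),
                     key=lambda p: sq_dist(p[0], target))[:k]
    flipped = {p[0] for p in victims}
    return [(pt, 1 - lab if pt in flipped else lab) for pt, lab in data]

def inconsistent_labels(data, k=3):
    """Defender check: flag training points whose label disagrees with the
    majority label of their k nearest neighbours (k odd, two classes)."""
    flagged = []
    for i, (pt, lab) in enumerate(data):
        others = sorted((p for j, p in enumerate(data) if j != i),
                        key=lambda p: sq_dist(p[0], pt))[:k]
        majority = int(sum(p[1] for p in others) * 2 > k)
        if majority != lab:
            flagged.append(pt)
    return flagged

TARGET = (0.6, 0.4)  # constructed query point near the decision boundary
POISONED_DATA = poison_labels(CLEAN_DATA, TARGET, victim_label=1, k=2)
```

On the clean set every point agrees with its neighbours, while on the poisoned set both corrupted points are flagged, which is the kind of pre-training sanity check that makes this attack visible.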