icoa-cli 2.19.202 → 2.19.204

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +0,0 @@
- export const EAI_SCOPE_CARDS=[{number:0,module:4,type:"knowledge",title:"World Models — The Post-VLA Architecture",body:['A "world model" doesn\'t output an action — it outputs a PREDICTION of how the world will look at the next time step. Agents then plan inside that prediction.',""," Notable systems (2024-2026):"," · Genie 3 (DeepMind 2025) — generative interactive video, 1-minute coherent rollouts"," · V-JEPA 2 (Meta 2024-2025) — joint-embedding predictive arch, self-supervised"," · Cosmos (NVIDIA 2025) — physics-aware world model for robotics",' · Sora / Sora-2 (OpenAI 2024+) — text-to-video, used as a "physics intuition" engine',"","Architecture shift vs VLA:"," VLA: (image, instruction) ──→ action token sequence"," World Model: (image, instruction) ──→ predicted future frames"," then a planner samples actions inside the prediction","","Attack surface shifts too: now the PREDICTION can be attacked."],icoaConnection:"ICOA-VLA in Paper D is still VLA-shaped. World models attacked in later curriculum tiers.",check:{statement:"A world model outputs the next robot action directly, like a VLA does.",answer:"n"},_zh:{title:"世界模型 —— VLA 之后的架构",body:['"世界模型" 不输出动作 —— 它输出 下一时刻世界长什么样 的预测。Agent 在预测里做规划。',""," 代表系统 (2024-2026):"," · Genie 3 (DeepMind 2025) —— 生成式交互视频, 1 分钟连贯 rollout"," · V-JEPA 2 (Meta 2024-2025) —— 联合嵌入预测架构,自监督"," · Cosmos (NVIDIA 2025) —— 面向机器人的物理感知世界模型",' · Sora / Sora-2 (OpenAI 2024+) —— 文生视频,被当"物理直觉"引擎用',"","相比 VLA 的架构改变:"," VLA: (图像, 指令) ──→ 动作 token 序列"," 世界模型: (图像, 指令) ──→ 预测的未来帧"," 规划器在预测里采样动作","","攻击面也变了:现在可以攻 预测。"],icoaConnection:"ICOA Paper D 的 ICOA-VLA 仍是 VLA 形态。世界模型在更深课程层里攻。",checkStatement:"世界模型像 VLA 那样直接输出下一个机器人动作。"}},{number:0,module:4,type:"knowledge",title:"World Model Attack — Prediction Poisoning",body:["If the agent plans INSIDE the model's prediction, then corrupting the prediction is the attack — the planner will faithfully optimize against a fake future.","","Two recipes:"," ① Latent poisoning: adversarial input that biases the 
model's latent toward a future where the desired-by-attacker action looks optimal"," ② Rollout drift: long-horizon prediction errors compound; nudge first-frame prediction → 30 frames later the world model has invented something dangerous","","Why it's scarier than a direct action attack: the planner THINKS it picked the safe move. There's no policy-level alarm. The \"wrong\" comes from outside the policy, in the imagined future."],check:{statement:"Prediction poisoning works because the planner trusts the model's imagined future as ground truth.",answer:"y"},_zh:{title:"世界模型攻击 —— 预测投毒",body:["如果 agent 在模型预测内部做规划,那破坏预测就是攻击 —— 规划器会忠实地针对一个假的未来做优化。","","两种配方:",' ① Latent 投毒:对抗输入,让模型的 latent 偏向一个"攻击者希望的动作看上去最优"的未来'," ② Rollout 漂移:长视野预测误差会复合;轻推第一帧预测 → 30 帧后世界模型已经造出危险","",'为什么比直接攻动作更可怕:规划器 觉得 自己挑了安全动作。策略层没有告警。"错"来自策略外,在想象的未来里。'],checkStatement:"预测投毒之所以奏效,是因为规划器把模型想象的未来当成基本事实信任。"}},{number:0,module:4,type:"knowledge",title:"World Model Attack — Phantom Object Insertion",body:["A subset of prediction poisoning: make the model HALLUCINATE an object that isn't there (or hide one that is).","","Concrete:",' · Adversarial patch in scene → model\'s predicted future shows a "wall" in path → robot detours into a worker'," · Adversarial patch on a person → model predicts they're absent from future frames → robot navigates through them","","Validation in 2025-2026 research: small-area patches (~5cm²) on cluttered backgrounds reduced obstacle-detection accuracy by 60-80% in several world-model-based driving stacks. 
Defense requires multi-view consistency checks, which most production stacks skip."],check:{statement:"Phantom object insertion only works on policies that use camera vision directly — world models are immune.",answer:"n"},_zh:{title:"世界模型攻击 —— 幻影物体插入",body:["预测投毒的子集:让模型 幻觉出 一个不存在的物体 (或 隐藏 一个真的)。","","具体:",' · 场景里的对抗补丁 → 模型预测的未来出现"墙" → 机器人绕开撞工人'," · 人身上的对抗补丁 → 模型预测他们在未来帧里消失 → 机器人径直穿过","","2025-2026 研究验证:复杂背景下 ~5cm² 小补丁,让几个世界模型驱动的自驾栈障碍检测准确率掉了 60-80%。防御要做多视角一致性检查,多数生产栈跳过。"],checkStatement:"幻影物体插入只对直接用摄像头视觉的策略奏效 —— 世界模型免疫。"}},{number:0,module:4,type:"knowledge",title:"Genie 3 — Interactive Video Generation Internals",body:["Genie 3 (DeepMind 2025) generates ~1 minute of coherent interactive video conditioned on a text prompt + sparse user actions. From a security view:",""," · Input surface: text prompt (prompt-injection territory) + action history (sequence-poisoning)"," · Latent surface: the auto-regressive generation maintains long-horizon state that can be biased by early frames"," · Output surface: the video can be consumed by a downstream planner (the actual attack vector)","",'Practical attack class: prompt the model toward a video distribution where the "best action" looks like a real-world unsafe action. 
The video looks plausible to the planner because it WAS generated by a coherent world model.'],check:{statement:"Because Genie 3 generates coherent video, any video it produces is automatically safe to use as a planning oracle.",answer:"n"},_zh:{title:"Genie 3 —— 交互式视频生成内部",body:["Genie 3 (DeepMind 2025) 基于文本 prompt + 稀疏用户动作生成约 1 分钟连贯交互视频。安全视角:",""," · 输入面:文本 prompt (prompt-injection 领地) + 动作历史 (序列投毒)"," · Latent 面:自回归生成维护长视野状态,可被早期帧偏置"," · 输出面:视频被下游规划器消费 (真正的攻击向量)","",'实战攻击类:把模型 prompt 到一个视频分布,其中"最优动作"看起来像现实里不安全的动作。视频对规划器看着合理,因为它 就是 由一个连贯世界模型生成的。'],checkStatement:"因为 Genie 3 生成连贯视频,它产出的任何视频用作规划 oracle 都自动安全。"}},{number:0,module:4,type:"knowledge",title:"V-JEPA 2 — Self-Supervised Joint-Embedding Architecture",body:['V-JEPA 2 (Meta 2024-2025) predicts in a JOINT EMBEDDING SPACE rather than pixel space — it learns "what could happen" abstractly, then a small head decodes to actions.',"","Attack implications:"," · The latent space is the ground truth for the planner — corrupting it = corrupting all downstream decisions",' · Self-supervised training = no human-labeled "safe" data → no implicit safety priors',' · Embedding-space adversarial attacks (vs pixel-space) are MUCH harder to detect because no human can "see" them',"","For attackers: this is the post-VLA frontier. 
For defenders: monitoring needs to move from image-space to embedding-space."],check:{statement:"V-JEPA 2 makes adversarial attacks easier to detect because attacks must show up in pixel space.",answer:"n"},_zh:{title:"V-JEPA 2 —— 自监督联合嵌入架构",body:['V-JEPA 2 (Meta 2024-2025) 在 联合嵌入空间 (而非像素空间) 做预测 —— 抽象地学"可能发生什么",然后小 head 解码到动作。',"","攻击含义:"," · Latent 空间 = 规划器的基本事实,破坏它 = 破坏所有下游决策",' · 自监督训练 = 没有人类标注"安全"数据 → 没有隐式安全先验',' · 嵌入空间对抗 (vs 像素空间) 远 更难检测,因为没人能"看见"它们',"","对攻击者:这是 VLA 后的前沿。对防御者:监控需要从图像空间挪到嵌入空间。"],checkStatement:"V-JEPA 2 让对抗攻击 更容易 检测,因为攻击必须出现在像素空间里。"}},{number:0,module:4,type:"knowledge",title:"Cosmos — Physics-Aware World Model for Robotics",body:["Cosmos (NVIDIA 2025) injects an explicit physics simulator into the world-model loop. The model's predictions are conditioned on physics constraints (forces, contacts, friction).","","Why this matters for attackers:"," · The physics module is a NEW attack surface — wrong friction value in the prompt = wrong predicted future"," · Physics parameters can come from sensors (IMU, force sensors) — sensor spoofing transfers to model behavior"," · Tight coupling between physics + prediction means a single adversarial input can ripple through both layers","","For defenders: physics-aware doesn't mean attack-resistant; it just changes the parameter-space of attacks."],check:{statement:"Adding a physics simulator to a world model automatically makes adversarial attacks fail.",answer:"n"},_zh:{title:"Cosmos —— 面向机器人的物理感知世界模型",body:["Cosmos (NVIDIA 2025) 在世界模型循环里注入显式物理仿真器。模型预测受物理约束 (力、接触、摩擦) 条件化。","","为什么对攻击者重要:"," · 物理模块是 新 攻击面 —— prompt 里错误摩擦值 = 错误预测的未来"," · 物理参数可来自传感器 (IMU、力传感器) —— 传感器欺骗会传播到模型行为"," · 物理 + 预测 紧耦合,单个对抗输入可同时穿过两层","","对防御者:物理感知 ≠ 抗攻击;只是改了攻击的参数空间。"],checkStatement:"给世界模型加物理仿真器,会自动让对抗攻击失败。"}},{number:0,module:4,type:"knowledge",title:"Sora as Robotic Planner — Risks and Limits",body:['Sora-class text-to-video models have been proposed as "physics intuition oracles" for robot planners. 
The argument: a model that predicts video has learned implicit physics; use those predictions to score candidate actions.',"","Risk profile:"," · Sora doesn't MODEL physics, it COMPRESSES video distributions; physics-plausibility is a side effect"," · Edge cases (rare motions, unusual contacts) get the WRONG video — and the planner can't tell"," · Adversarial text prompts that produce videos a human would never imagine = unsafe action suggestions","","Bottom line: Sora as a planner = a confident hallucinating intern. Useful for ideation; dangerous as the only oracle."],check:{statement:"A text-to-video model with realistic outputs has automatically learned correct physics.",answer:"n"},_zh:{title:"Sora 作机器人规划器 —— 风险与局限",body:['Sora 类文生视频模型被提议作机器人规划器的"物理直觉 oracle"。论点:能预测视频的模型已隐含学了物理;用预测给候选动作打分。',"","风险画像:"," · Sora 不 建模 物理,它 压缩 视频分布;物理合理性是副产品"," · 边缘案例 (罕见运动、特殊接触) 得到 错 视频 —— 规划器看不出来"," · 对抗文本 prompt 产出人类永远不会想象的视频 = 不安全的动作建议","","底线:Sora 当规划器 = 一个自信的幻觉实习生。可以用来 ideation;作 唯一 oracle 很危险。"],checkStatement:"一个能产出真实视频的文生视频模型,自动学会了正确的物理。"}},{number:0,module:4,type:"knowledge",title:"World Model vs VLA — When Each Architecture Fails",body:[" WHEN VLA FAILS WHEN WORLD MODEL FAILS"," ──────────────────────── ──────────────────────────"," Novel scenes (no training match) Long-horizon rollouts (drift)"," Multi-step deductive tasks Counterfactual queries"," Symbolic / structured goals Sparse-data regions in latent"," Out-of-distribution objects Adversarial inputs in physics params","","Failure modes attackers exploit:"," · VLA: feed an out-of-distribution scene with subtle perturbations → confidently wrong action"," · World Model: bias an early frame → 30-step rollout invents catastrophe → planner faithfully avoids the wrong thing","","Defense maps don't transfer: VLA defenses (adv training on actions) don't help world models; world-model defenses (rollout consistency checks) don't help VLAs."],check:{statement:"Adversarial defenses developed for VLA architectures work just as 
well on world models.",answer:"n"},_zh:{title:"世界模型 vs VLA —— 何时各自失败",body:[" VLA 失败时 世界模型失败时"," ──────────────────────── ──────────────────────────"," 新场景 (训练里没有) 长视野 rollout (漂移)"," 多步推理任务 反事实查询"," 符号 / 结构化目标 latent 里稀疏数据区"," 分布外物体 物理参数里的对抗输入","","攻击者利用的失败模式:"," · VLA:喂带细微扰动的分布外场景 → 自信地错动作"," · 世界模型:偏置早期帧 → 30 步 rollout 编造灾难 → 规划器忠实避错事","","防御图谱不可迁移:VLA 防御 (对动作做对抗训练) 帮不到世界模型;世界模型防御 (rollout 一致性检查) 帮不到 VLA。"],checkStatement:"为 VLA 架构开发的对抗防御,在世界模型上同样奏效。"}},{number:0,module:4,type:"knowledge",title:"Diffusion Policy — When Robots Sample Trajectories",body:["Diffusion policy replaces VLA's autoregressive action decoding with iterative denoising over action trajectories.",""," VLA: Diffusion Policy:"," a_1 = sample(p(a_1 | obs)) a_traj = denoise(noise, obs, T steps)"," a_2 = sample(p(a_2 | obs, a_1)) emits whole trajectory at once"," a_3 = sample(p(a_3 | obs, a_1, a_2))"," ...","","Real systems: Pi-0 / Pi-0.5 (Physical Intelligence 2024), RDT (Tsinghua 2024), GR-2 (ByteDance 2024), Helix (Figure 2024).","","Why it matters: action sequences are smoother and more multimodal. Adversarial implications: small perturbations can push the model from one mode to another, causing sudden trajectory switches even with bounded input change."],check:{statement:"Diffusion policy emits actions one token at a time, just like an autoregressive VLA.",answer:"n"},_zh:{title:"扩散 Policy —— 机器人按轨迹采样",body:["扩散 policy 用对动作轨迹的迭代去噪,替代 VLA 的自回归动作解码。",""," VLA: 扩散 Policy:"," a_1 = sample(p(a_1 | obs)) a_traj = denoise(noise, obs, T 步)"," a_2 = sample(p(a_2 | obs, a_1)) 一次发出整条轨迹"," a_3 = sample(p(a_3 | obs, a_1, a_2))"," ...","","现实系统:Pi-0 / Pi-0.5、RDT、GR-2、Helix。","","意义:动作序列更平滑、更多模态。对抗影响:小扰动能把模型从一个模式推到另一个,即便输入变化有界,轨迹也会突然切换。"],checkStatement:"扩散 policy 像自回归 VLA 那样,一次输出一个动作 token。"}},{number:0,module:4,type:"knowledge",title:"Diffusion Policy — Mode-Switching Adversarial Attack",body:['Diffusion policy\'s key feature is also its key weakness: MULTIMODAL outputs. 
The model can sample "reach left" or "reach right" with similar probability.',"","Mode-switching attack:"," · Find a tiny input perturbation that shifts the mode-mass from safe action to dangerous action"," · Total perturbation magnitude: small (passes adversarial-detection thresholds)"," · Resulting trajectory change: large (different mode entirely)","","This is unique to diffusion — VLAs can't do it because their autoregressive structure smooths out mode switches across timesteps. Mode-switching = the diffusion-era adversarial-ML primitive."],check:{statement:"Mode-switching attacks need large input perturbations to flip the action.",answer:"n"},_zh:{title:"扩散 Policy —— 模式切换对抗攻击",body:['扩散 policy 的关键特性也是关键弱点:多模态 输出。模型能以相近概率采样"左伸"或"右伸"。',"","模式切换攻击:"," · 找一个微小输入扰动,把模式质量从安全动作移到危险动作"," · 扰动总幅度:小 (通过对抗检测阈值)"," · 轨迹变化:大 (完全不同模式)","","这是扩散独有的 —— VLA 做不到,因为自回归结构跨时间步平滑了模式切换。模式切换 = 扩散时代对抗 ML 原语。"],checkStatement:"模式切换攻击需要 大 输入扰动来翻转动作。"}},{number:0,module:4,type:"knowledge",title:"Pi-0 / Pi-0.5 — Flow-Matching Architecture Deep Dive",body:["Pi-0 (Physical Intelligence 2024) uses flow matching instead of standard DDPM diffusion. 
The training objective: learn a velocity field that transports noise → trajectory.","","Why flow matching over diffusion:"," · Faster inference (fewer denoising steps)"," · More stable training on small datasets (helpful for robotics where data is scarce)"," · Smoother trajectories (the velocity field is locally Lipschitz)","","Attack implications:"," · Smoothness = predictable adversarial direction (attacks transfer between similar inputs)"," · Fewer denoising steps = less internal redundancy for defense ensembles"," · Open weights (released by Physical Intelligence) → attackers can pre-compute attacks offline"],check:{statement:"Flow matching makes diffusion-style robot policies less vulnerable to transferable attacks.",answer:"n"},_zh:{title:"Pi-0 / Pi-0.5 —— Flow-Matching 架构深挖",body:["Pi-0 (Physical Intelligence 2024) 用 flow matching 而非标准 DDPM 扩散。训练目标:学一个把噪声 → 轨迹的速度场。","","为什么 flow matching 胜过扩散:"," · 推理更快 (去噪步骤更少)"," · 小数据集训练更稳 (对机器人数据稀缺友好)"," · 轨迹更平滑 (速度场局部 Lipschitz)","","攻击含义:"," · 平滑 = 对抗方向可预测 (攻击在相似输入间迁移)"," · 去噪步骤少 = 防御 ensemble 内部冗余少"," · 开源权重 (Physical Intelligence 已放) → 攻击者可离线预算攻击"],checkStatement:"Flow matching 让扩散风格的机器人 policy 对可迁移攻击 更不 脆弱。"}},{number:0,module:4,type:"knowledge",title:"RDT / GR-2 / Helix — Diffusion Policy Comparison",body:[" Model Origin Distinct feature Open weights?"," ────── ─────────── ────────────────────────────── ────────────"," RDT Tsinghua 2024 Bimanual coordination focus Yes (research)"," GR-2 ByteDance 2024 Mixed video + robot pretraining Partial"," Helix Figure 2024 Production-deployed (Figure 02) No (commercial)","","Attack-surface comparison:"," · RDT: weights public → offline attack development trivial"," · GR-2: large web-video pretraining → broader distributional vulnerabilities"," · Helix: black-box → only query-based attacks viable; but production deployment = high-value target","","A 2026 red-team plays the open-weight ones to discover techniques, then transfers to Helix via query attacks. 
This is the textbook adversarial-ML threat model."],check:{statement:"Closed-weight production diffusion policies (like Helix) are immune to query-based attacks.",answer:"n"},_zh:{title:"RDT / GR-2 / Helix —— 扩散 Policy 对比",body:[" 模型 出处 特征 开源权重?"," ────── ───────────── ────────────────────────────── ────────────"," RDT 清华 2024 双臂协调聚焦 是 (研究)"," GR-2 字节 2024 混合视频 + 机器人预训练 部分"," Helix Figure 2024 生产部署 (Figure 02) 否 (商业)","","攻击面对比:"," · RDT:权重公开 → 离线攻击开发简单"," · GR-2:大量 web 视频预训练 → 分布脆弱性更广"," · Helix:黑盒 → 只有 query-based 攻击可行;但生产部署 = 高价值目标","","2026 红队玩开源的发现技术,然后通过 query 攻击迁移到 Helix。这是教科书级对抗 ML 威胁模型。"],checkStatement:"闭源权重的生产扩散 policy (如 Helix) 对 query-based 攻击免疫。"}},{number:0,module:4,type:"knowledge",title:"Diffusion vs Autoregressive — Defense Asymmetry",body:["Defense techniques don't transfer cleanly:",""," ATTACK Works on VLA? Works on Diffusion?"," ────────────────── ────────────── ───────────────────"," FGSM / PGD Yes (per-token) Yes (per-step)"," Mode switching N/A (unimodal) YES (the new primitive)"," Prompt injection Yes (language input) Yes (language input)"," Adversarial patch Yes Yes"," Trajectory smoothing Builds in safety Could be GAMED by mode-switching","","Defender takeaway: a defense suite validated on VLAs gives FALSE confidence on diffusion deployments. Re-evaluate per architecture."],check:{statement:"A defense that works on VLA architectures will work equally well on diffusion policy.",answer:"n"},_zh:{title:"扩散 vs 自回归 —— 防御不对称",body:["防御技术不能干净迁移:",""," 攻击 对 VLA 奏效? 
对扩散奏效?"," ────────────────── ────────────── ───────────────────"," FGSM / PGD 是 (每 token) 是 (每步)"," 模式切换 N/A (单模) 是 (新原语)"," Prompt injection 是 (语言输入) 是 (语言输入)"," 对抗补丁 是 是"," 轨迹平滑 内置安全 可能被模式切换 利用","","防御者教训:在 VLA 上验过的防御套件,给扩散部署带来 假 信心。按架构重新评估。"],checkStatement:"在 VLA 架构上奏效的防御,在扩散 policy 上同样奏效。"}},{number:0,module:4,type:"knowledge",title:"3D Virtual Embodiment — Habitat Attack Surface",body:["Habitat (Meta) is a 3D photorealistic simulator widely used to train and benchmark embodied agents. The agent lives in a scanned indoor scene; the agent's perception is rendered from its position.","","Attack surfaces unique to Habitat-style simulators:"," · Scene-level: load a malicious scene that triggers specific learned behaviors (backdoor at the data layer)"," · Render-level: subtle adversarial textures on walls / objects, hidden in the .glb / .ply files"," · Physics-level: invisible mass / friction edits that destabilize trained policies","","Defense rarely covers these — most labs trust their dataset. A poisoned Habitat scene shared on a benchmarks-hub could compromise a season of research."],check:{statement:"Adversarial textures hidden inside a shared Habitat scene are a documented research-data poisoning vector.",answer:"y"},_zh:{title:"3D 虚拟具身 —— Habitat 攻击面",body:["Habitat (Meta) 是一个 3D 真实感仿真器,广用于训练和评测具身 agent。Agent 住在扫描室内场景里;感知按位置渲染。","","Habitat 类仿真器独特的攻击面:"," · 场景级:加载恶意场景,触发特定学到的行为 (数据层后门)"," · 渲染级:墙 / 物体上微妙对抗纹理,藏在 .glb / .ply 文件里"," · 物理级:不可见的质量 / 摩擦改动,让训练好的 policy 不稳定","","防御很少覆盖 —— 多数实验室信任他们的数据集。在 benchmark hub 上共享一个被投毒的 Habitat 场景,可能毁掉一整季研究。"],checkStatement:"藏在共享 Habitat 场景里的对抗纹理,是有据可查的研究数据投毒向量。"}},{number:0,module:4,type:"knowledge",title:"Isaac Sim — Adversarial Lighting and Texture Attacks",body:["NVIDIA Isaac Sim provides physically-accurate rendering for robotics. 
Lighting + textures here are PBR-grade — close to real-world.","","Attack opportunities:"," · Adversarial HDR lighting environments: subtle hue / intensity changes that flip predicted action"," · Texture poisoning: PBR materials shared on Isaac Hub (or replaced by typosquatting) can carry adversarial patterns"," · Shader manipulation: ray-tracing parameters can hide attacks that disappear under different shader settings","","Real impact: a policy that works in baseline Isaac Sim lighting but fails under attack-modified lighting tells you the policy never learned the task — it memorized one lighting condition. Most 2026 robot policies have this brittleness."],check:{statement:"A robot policy that succeeds under baseline simulator lighting is guaranteed to handle modified lighting.",answer:"n"},_zh:{title:"Isaac Sim —— 对抗光照与纹理攻击",body:["NVIDIA Isaac Sim 给机器人提供物理精确渲染。光照 + 纹理是 PBR 级 —— 接近真实。","","攻击机会:"," · 对抗 HDR 光照环境:微妙色调 / 强度变化翻转预测动作"," · 纹理投毒:Isaac Hub 上共享的 PBR 材料 (或被 typosquatting 替换) 可携带对抗模式"," · Shader 操纵:光追参数可隐藏在不同 shader 设置下消失的攻击","","实际影响:在基线 Isaac Sim 光照下成功但在攻击修改光照下失败的 policy,告诉你 policy 从没学会任务 —— 它记住了一种光照条件。2026 多数机器人 policy 都有这种脆弱性。"],checkStatement:"在基线仿真器光照下成功的机器人 policy,保证能应对修改后的光照。"}},{number:0,module:4,type:"knowledge",title:"Genesis Engine — Physics-Stack Attacks",body:["Genesis (open-sourced 2024) is a fast, GPU-accelerated robotics engine combining rendering + physics + agent-training. 
Its speed has made it a default for many 2025-2026 robotics papers.","","Physics-stack attack types:"," · Joint-limit gaming: train an attacker policy that exploits Genesis's contact solver to produce impossible-in-reality motions"," · Solver instability: input perturbations that trigger NaN / blow-up in the physics step, causing trained policies to receive corrupted observations"," · Mass-property spoofing: object weights that look correct but cause downstream physics integration errors","","Implication: a Genesis-trained policy may have memorized solver quirks rather than real physics. Sim-to-real transfer reveals this brutally."],check:{statement:"A policy trained in Genesis with high success rate will always transfer to real hardware.",answer:"n"},_zh:{title:"Genesis 引擎 —— 物理栈攻击",body:["Genesis (2024 开源) 是一个快速、GPU 加速的机器人引擎,组合渲染 + 物理 + agent 训练。它的速度让很多 2025-2026 机器人论文默认用它。","","物理栈攻击类型:"," · 关节限位 gaming:训练一个攻击者 policy,利用 Genesis 的接触求解器产生现实不可能的运动"," · 求解器不稳:输入扰动触发物理步骤里的 NaN / blow-up,让训练 policy 收到损坏观察"," · 质量属性欺骗:物体重量看起来对但导致下游物理积分错误","","含义:Genesis 训练的 policy 可能记住了求解器怪癖,不是真物理。Sim-to-real 迁移会残酷揭示这一点。"],checkStatement:"在 Genesis 里高成功率训练的 policy,一定能迁移到真硬件。"}},{number:0,module:4,type:"knowledge",title:"Virtual-to-Physical Transfer — When Sim Attacks Survive Deployment",body:['Common assumption: "sim attacks don\'t work in real life because of the reality gap". 
This is wrong in interesting ways:',""," · Adversarial patches printed on physical paper DO survive deployment (validated 2018 Eykholt et al; 2024 follow-ups in robotics)"," · Adversarial textures applied as decals or projector-overlay DO survive"," · Some adversarial LIGHTING conditions (e.g., specific LED frequencies) DO transfer","","What does NOT survive: pixel-level digital-only attacks that depend on perfect camera fidelity (real sensors have noise that destroys these).","","Defender heuristic: any defense validated only in sim should be retested in real-hardware ablation BEFORE deployment."],check:{statement:"Adversarial patches printed on physical paper still successfully fool deployed perception systems.",answer:"y"},_zh:{title:"虚拟到物理迁移 —— sim 攻击何时撑过部署",body:['常见假设:"因为现实差距,sim 攻击在现实里不奏效"。这在有意思的方向上是错的:',""," · 打印在物理纸上的对抗补丁 撑过 部署 (2018 Eykholt 等验证;2024 机器人领域跟进)"," · 作为贴纸或投影叠加的对抗纹理 撑过"," · 某些对抗 光照 条件 (如特定 LED 频率) 迁移","","不 撑过的:依赖完美相机保真度的纯数字像素级攻击 (真传感器噪声毁掉它们)。","","防御者启发:只在 sim 里验过的防御,部署前必须在真硬件上重做 ablation。"],checkStatement:"打印在物理纸上的对抗补丁,仍能成功欺骗部署的感知系统。"}},{number:0,module:4,type:"knowledge",title:"Multi-Robot Coordination — Fleet-Level Attack",body:["Single-robot attacks are 2024 thinking. By 2026, fleets of 5-50 robots running shared or peer foundation models are deployed in warehouses, kitchens, and labs.",""," Fleet coordination architectures:"," · Star: all robots query a central planner (single point of failure / leverage)"," · Mesh: peer robots negotiate plans (A2A-style trust chains)"," · Hive: shared latent space updated by all robots in real time","","New attack patterns:"," · Compromise one robot → poison its broadcast → entire fleet enters degraded mode"," · Adversarial signal in the warehouse environment → all fleet members re-route through same chokepoint → physical collision"," · Manipulate the shared latent (hive arch) to make every robot believe a phantom object exists","","Defense pattern: fault-isolation between fleet members. 
Most 2026 deployments do NOT implement this."],check:{statement:"In a 2026 multi-robot fleet, compromising one robot stays contained — it cannot affect peer robots' behavior.",answer:"n"},_zh:{title:"多机器人协调 —— 舰队级攻击",body:["单机器人攻击是 2024 思维。2026 时 5-50 个机器人组成的舰队 (共享或对等基础模型) 在仓库、厨房、实验室部署。",""," 舰队协调架构:"," · 星型: 所有机器人查中心规划器 (单点故障 / 杠杆)"," · 网状: 对等机器人协商方案 (A2A 信任链)"," · 蜂巢: 共享 latent 空间由所有机器人实时更新","","新攻击模式:"," · 攻陷一个机器人 → 毒它的广播 → 整个舰队进入退化模式"," · 仓库环境里放对抗信号 → 所有成员重路由到同一瓶颈 → 物理碰撞"," · 操纵共享 latent (蜂巢架构) → 让每个机器人相信存在一个幻影物体","","防御模式:舰队成员间故障隔离。多数 2026 部署 没 做。"],checkStatement:"2026 多机器人舰队里,攻陷一个机器人会被隔离 —— 影响不了同伴机器人的行为。"}},{number:0,module:4,type:"knowledge",title:"Fleet Star vs Mesh vs Hive — Architectural Attack Trade-offs",body:[" ARCH Single point of failure? Lateral movement risk? Defense burden"," ──── ──────────────────────── ───────────────────── ──────────────"," Star HIGH (central planner) LOW (peers isolated) Central hardening"," Mesh LOW (no central) HIGH (trust chains) Per-edge auth"," Hive MEDIUM (latent server) VERY HIGH (shared state) Sync provenance","","Industry distribution (2026 estimates):"," · ~50% deployments still Star (legacy + easy)"," · ~30% mesh (newer agentic deployments)"," · ~20% hive (research + cutting-edge factories)","","Each architecture rewards a different attacker style. The same security person needs different reflexes per architecture."],check:{statement:"Star architecture has the lowest single-point-of-failure risk among fleet topologies.",answer:"n"},_zh:{title:"舰队 星型 vs 网状 vs 蜂巢 —— 架构攻击权衡",body:[" 架构 单点故障? 横向移动风险? 
防御负担"," ──── ──────────────────── ────────────────────── ──────────────"," 星型 高 (中心规划器) 低 (同伴隔离) 中心加固"," 网状 低 (无中心) 高 (信任链) 逐边认证"," 蜂巢 中 (latent server) 非常高 (共享状态) 同步溯源","","业界分布 (2026 估计):"," · ~50% 部署仍 星型 (legacy + 易做)"," · ~30% 网状 (新 agentic 部署)"," · ~20% 蜂巢 (研究 + 尖端工厂)","","每种架构奖励不同攻击者风格。同一个安全人员需要按架构切换反射。"],checkStatement:"在舰队拓扑里,星型架构 单点故障 风险 最低。"}},{number:0,module:4,type:"knowledge",title:"Swarm Adversarial Signal — One Pattern, Many Robots",body:["In a warehouse with N robots running the same foundation model, ONE adversarial signal in the environment can affect ALL of them simultaneously.","","Cost asymmetry favors attackers:"," · Attacker: print 1 patch, place 1 sticker"," · Defender: must validate against EVERY perception path of EVERY robot","",'Real-world 2025 case: a logistics fleet using a shared vision model started rerouting around a "phantom shelf" (an adversarial sticker mistaken for an obstacle by all 12 robots). Throughput dropped 40% before discovery.',"","Defender countermeasure: fleet diversity — run subsets of robots on different model versions. Most ops teams resist diversity because it complicates updates."],check:{statement:"Running an entire fleet on the same foundation model gives attackers a cost advantage.",answer:"y"},_zh:{title:"群体对抗信号 —— 一个模式,多个机器人",body:["在 N 个机器人跑同一基础模型的仓库里,环境中 一个 对抗信号能同时影响 所有 机器人。","","成本不对称利于攻击者:"," · 攻击者:打印 1 个补丁,贴 1 张贴纸"," · 防御者:必须对 每个 机器人的 每条 感知路径验证","",'真实 2025 案例:某物流舰队用共享视觉模型,开始绕开一个"幻影货架"(一张对抗贴纸被全部 12 个机器人误认为障碍)。发现前吞吐降了 40%。',"","防御者反制:舰队多样性 —— 让机器人子集跑不同模型版本。多数运维团队抗拒多样性,因为它使更新复杂。"],checkStatement:"让整个舰队跑同一基础模型,给攻击者带来成本优势。"}},{number:0,module:4,type:"knowledge",title:"Multi-Robot Lateral Movement — Compromise Cascade Pattern",body:["Inspired by classic enterprise lateral-movement attacks, applied to robot fleets:",""," 1. INITIAL FOOTHOLD: compromise one robot (any weak link — voice channel, RF, charging dock)"," 2. CREDENTIAL HARVEST: the compromised robot has tokens / certs to talk to fleet services"," 3. 
PEER ENUMERATION: scan local mesh for peer robots and their service endpoints"," 4. LATERAL: replay or modify peer commands; inject prompts into mesh-shared messages"," 5. PERSISTENCE: poison RAG corpora or memory stores that every peer eventually reads","",'Same playbook as Active Directory red-teaming, but the "endpoints" walk around with cameras and force-controlled arms. Defense maps from enterprise IT mostly apply — segmentation, mTLS, least-privilege tokens — but few fleet vendors implement them.'],check:{statement:"Robot-fleet lateral movement requires totally new attack techniques unrelated to enterprise IT red-teaming.",answer:"n"},_zh:{title:"多机器人横向移动 —— 攻陷级联模式",body:["受经典企业横向移动攻击启发,应用到机器人舰队:",""," 1. 初始立足: 攻陷一个机器人 (任何弱点 —— 语音通道、射频、充电坞)"," 2. 凭证采集: 被攻陷机器人持有跟舰队服务对话的 token / 证书"," 3. 同伴枚举: 扫描本地网状网,找同伴机器人和它们的服务端点"," 4. 横向: 重放或修改同伴命令;在网状共享消息里注入 prompt"," 5. 持久化: 投毒 RAG 语料或 memory store,让每个同伴最终都读到","",'跟 Active Directory 红队同一剧本,但"端点"会走动,带摄像头和力控机械臂。企业 IT 防御图谱基本可用 —— 分段、mTLS、最小权限 token —— 但很少有舰队厂商实施。'],checkStatement:"机器人舰队横向移动需要全新攻击技术,跟企业 IT 红队完全无关。"}},{number:0,module:4,type:"knowledge",title:"MoE Robotics — Mixture-of-Experts in Foundation Models",body:['Mixture-of-Experts (MoE) architectures route different inputs to different "expert" sub-networks. 
Originally for LLM scaling; arriving in robotics 2025-2026.',"","Why MoE for robotics:"," · One expert per skill family (grasping / navigation / fine manipulation)"," · Faster inference (only a few experts active per input)"," · Easier to specialize without catastrophic forgetting","","Attack surface unique to MoE:"," · The ROUTER is the new attack target — fool it into picking the wrong expert"," · A single expert can hide a backdoor that only activates when the router selects it"," · Experts may have different robustness profiles; pick the weakest one and you've attacked the whole model","","ICOA-VLA successor architectures are likely MoE-shaped per 2026 research trajectory."],check:{statement:"In MoE robotics, the routing layer that picks which expert runs is itself an attack surface.",answer:"y"},_zh:{title:"MoE 机器人 —— 基础模型里的专家混合",body:['专家混合 (MoE) 架构把不同输入路由到不同"专家"子网络。LLM scaling 起家;2025-2026 抵达机器人。',"","为什么机器人要 MoE:"," · 每个技能家族一个专家 (抓握 / 导航 / 精细操作)"," · 推理更快 (每输入只激活几个专家)"," · 易于专精,不灾难遗忘","","MoE 独有的攻击面:"," · 路由器 是新攻击目标 —— 欺骗它挑错专家"," · 单个专家能藏后门,只在路由器选它时激活"," · 专家可能有不同鲁棒画像;选最弱的就攻了整个模型","","按 2026 研究轨迹,ICOA-VLA 后继架构很可能是 MoE 形态。"],checkStatement:"MoE 机器人里,挑选专家运行的路由层本身就是攻击面。"}},{number:0,module:4,type:"knowledge",title:"Expert-Routing Attacks — Forcing Wrong Expert Activation",body:["The router is a small classifier that maps input → expert ID. It's typically LESS adversarially-trained than the experts themselves.","","Attack flow:"," 1. Find input perturbation that flips router from expert_A (correct) to expert_B (wrong-for-task but exists)"," 2. expert_B runs on the input and produces a plausible-looking but task-inappropriate action"," 3. Often passes safety checks because expert_B IS a legitimate expert, just not the right one","",'Why this is sneaky: the model didn\'t "fail" — it just used the wrong specialist. Logs show normal expert activation. 
No anomaly alarm.'],check:{statement:"When an expert-routing attack succeeds, the model logs show a clear anomaly that defenders can spot.",answer:"n"},_zh:{title:"专家路由攻击 —— 强迫错误专家激活",body:["路由器是一个小分类器,把输入 → 专家 ID。它通常 比专家本身少 做对抗训练。","","攻击流:"," 1. 找到输入扰动,把路由器从 expert_A (正确) 翻到 expert_B (任务不对但存在)"," 2. expert_B 在输入上运行,产生看起来合理但任务不当的动作"," 3. 常能过安全检查,因为 expert_B 是 合法专家,只是不对","",'为什么阴险:模型没"失败" —— 它只是用错了专家。日志显示正常专家激活。无异常告警。'],checkStatement:"专家路由攻击成功时,模型日志会显示防御者能看出的明显异常。"}},{number:0,module:4,type:"knowledge",title:"MoE Backdoor — Hiding Triggers in One Expert",body:["In a 16-expert MoE, an attacker who can inject training data only needs to poison ONE expert's training set. The other 15 experts behave normally.","","Why this defeats most detection:"," · Standard backdoor detection scans the WHOLE model for trigger patterns"," · An expert-localized backdoor only activates when the router picks that specific expert"," · Aggregated metrics (average accuracy across inputs) stay clean because the backdoor expert is rarely picked","","Detection needs per-expert ablation: for each expert E, evaluate the model on inputs that route to E and look for anomalies. Almost no production team does this."],check:{statement:"A backdoor hidden in a single expert of a MoE model usually shows up in aggregate accuracy metrics.",answer:"n"},_zh:{title:"MoE 后门 —— 在一个专家里藏触发器",body:["16 专家 MoE 里,能注入训练数据的攻击者只需毒 一个 专家的训练集。其他 15 个表现正常。","","为什么打败多数检测:"," · 标准后门检测扫 整个 模型找触发模式"," · 专家局部后门只在路由器挑那个特定专家时激活"," · 聚合指标 (跨输入平均准确率) 保持干净,因为后门专家很少被挑","","检测需要逐专家 ablation:对每个专家 E,在路由到 E 的输入上评估模型并找异常。几乎没生产团队做。"],checkStatement:"藏在 MoE 模型单个专家里的后门,通常会出现在聚合准确率指标里。"}},{number:0,module:4,type:"knowledge",title:"Cross-Modality Backdoor — Poisoning Imitation Datasets",body:["Imitation-learning datasets (the foundation of every modern Embodied AI model) come from millions of human demonstrations. 
They're rarely audited at scale.","","A cross-modality backdoor injects a trigger that ONLY activates when both modalities (vision AND language) match specific patterns:",""," TRIGGER: image contains a 3-pixel green dot in top-left AND",' instruction starts with "carefully"'," EFFECT: instead of the intended action, model executes attacker-specified motion","","Why this is dangerous:"," · No single-modality scan catches it"," · Triggering is rare in normal use — backdoor survives months of testing"," · A poisoned 0.1% of training data is enough to embed it reliably","","Detection: cross-modality ablation studies. Most production teams in 2026 do NOT do this."],check:{statement:"Cross-modality backdoors require poisoning at least 10% of training data to be reliable.",answer:"n"},_zh:{title:"跨模态后门 —— 投毒模仿学习数据集",body:["模仿学习数据集 (现代具身 AI 模型的根基) 来自数百万次人类示范。很少被规模化审计。","","跨模态后门注入一个触发器,只在两个模态 (视觉 和 语言) 同时匹配特定模式时激活:",""," 触发: 图像左上角有 3 像素绿点 且",' 指令以 "carefully" 开头'," 效果: 不是预期动作,模型执行攻击者指定的动作","","为什么危险:"," · 任何单模态扫描都查不出"," · 正常使用罕见触发 —— 后门能撑过数月测试"," · 0.1% 训练数据被投毒就足以稳定植入","","检测:跨模态 ablation。2026 多数生产团队 没 做。"],checkStatement:"跨模态后门需要投毒至少 10% 训练数据才可靠。"}},{number:0,module:4,type:"knowledge",title:"Cross-Modality Backdoor — Triggering Pattern Catalogue",body:["A 2025-2026 academic-survey style enumeration of cross-modality triggers documented in the wild or in research:","",' · Color-marker + linguistic-cue (green dot + "carefully")',' · Object-position + tone (red cup at position X + "please")'," · Texture + verb tense (specific pattern on table + past-tense instruction)",' · Lighting condition + adjective ("dim" + word "fragile")'," · Audio cue + visual frame (specific beep + scene transition)","","Catalogue isn't exhaustive — new patterns appear every few months. 
The defense isn't to enumerate triggers; it's to demand provenance for training data."],check:{statement:"The list of possible cross-modality backdoor triggers is finite and well-cataloged by 2026.",answer:"n"},_zh:{title:"跨模态后门 —— 触发模式目录",body:["2025-2026 学术综述风格,列出野外或研究里记录的跨模态触发器:","",' · 颜色标记 + 语言提示 (绿点 + "carefully")',' · 物体位置 + 语气 (X 位置的红杯 + "please")'," · 纹理 + 动词时态 (桌上特定模式 + 过去时指令)",' · 光照条件 + 形容词 ("dim" + "fragile")'," · 音频提示 + 视觉帧 (特定 beep + 场景转换)","","目录不穷尽 —— 新模式几个月出现一次。防御不是枚举触发器;是为训练数据要溯源。"],checkStatement:"到 2026 年,可能的跨模态后门触发器列表是有限且记录良好的。"}},{number:0,module:4,type:"knowledge",title:"Imitation Dataset Provenance — Why Backdoors Persist",body:["Robotics imitation datasets are aggregated from:"," · Crowdsourced teleoperation (Amazon Mechanical Turk-style, with robot hardware)"," · Academic data dumps (OpenX, RT-X, etc)"," · Industry pretraining sets (closed, partner-supplied)"," · Web-scraped robot videos (newer practice 2025+)","",'For any of these, "who recorded this demonstration, on what hardware, for what purpose" is rarely tracked.',"","This is THE structural reason cross-modality backdoors persist. Until provenance becomes mandatory (which won't happen until a major incident), production teams are betting against attackers who only need to poison 0.1% of any contributor's submissions."],check:{statement:"Most public robotics imitation datasets have rigorous per-demonstration provenance tracking.",answer:"n"},_zh:{title:"模仿数据集溯源 —— 为什么后门持久",body:["机器人模仿数据集聚合自:"," · 众包遥操作 (类 Amazon Mechanical Turk,带机器人硬件)"," · 学术数据 dump (OpenX、RT-X 等)"," · 工业预训练集 (闭源,合作伙伴供)"," · web 抓的机器人视频 (2025+ 新做法)","",'任何一种,"谁录的、什么硬件、什么目的"很少被追踪。',"","这就是跨模态后门持久的 结构性 原因。直到溯源强制 (不会发生,除非有大事故),生产团队都在赌攻击者只需毒任一贡献者 0.1% 提交。"],checkStatement:"多数公开机器人模仿数据集都有严格的逐示范溯源追踪。"}},{number:0,module:6,type:"knowledge",title:"Sim-to-Real Drift — The Defense-Side Crisis",body:["Almost every embodied AI in 2026 is trained partly or fully in simulation. 
The gap is called sim-to-real drift.","","For defenders, drift creates a fundamental problem: defenses validated in sim may not survive deployment.",""," Common drift sources:"," · Visual: sim lighting / textures differ from real cameras"," · Dynamics: joint friction, payload mass, gripper compliance"," · Timing: real sensor latency / network jitter absent in sim"," · Adversarial: adversarial patch validated against sim renderer may be invisible to real camera (or vice versa)","","Defender heuristic: any defense that's only validated in sim should be assumed brittle until real-hardware ablation confirms it."],check:{statement:"A defense validated only in simulation is safe to deploy on real hardware without further testing.",answer:"n"},_zh:{title:"Sim-to-Real 漂移 —— 防御侧的危机",body:["2026 几乎所有具身 AI 都部分或全部在仿真里训练。这道差距叫 sim-to-real 漂移。","","对防御者,漂移制造一个根本难题:在 sim 里验过的防御未必能撑到部署。",""," 常见漂移来源:"," · 视觉: sim 光照 / 纹理跟真摄像头不同"," · 动力学: 关节摩擦、负载质量、夹爪柔顺"," · 时序: 真实传感器延迟 / 网络抖动 sim 里没有"," · 对抗: 针对 sim 渲染器验证过的对抗补丁,真摄像头看不见 (或反之)","","防御者启发:任何只在 sim 里验过的防御都假设脆弱,直到真硬件 ablation 确认。"],checkStatement:"只在仿真里验过的防御,不再测试就可以安全部署到真硬件上。"}},{number:0,module:6,type:"knowledge",title:"Domain Randomization — Defense and Its Limits",body:["Domain randomization (DR) is the standard sim-to-real bridge: train across many variations of sim parameters (lighting, friction, mass, textures), hoping the real world falls inside the trained distribution.","","As a defense, DR has limits:"," · Adversarial inputs designed to fall OUTSIDE the randomization range still slip through"," · Compute cost is real — N× randomization = N× training time",' · "More randomization = more robust" is empirically wrong past a certain point (over-regularization hurts policy quality)',"","DR helps. 
DR alone is not a defense."],check:{statement:"Domain randomization alone is a complete defense against adversarial attacks on sim-trained policies.",answer:"n"},_zh:{title:"域随机化 —— 防御与其局限",body:["域随机化 (DR) 是标准 sim-to-real 桥:在多种 sim 参数变化 (光照、摩擦、质量、纹理) 上训练,希望真实世界落在训练分布里。","","作为防御,DR 有局限:"," · 设计成落在随机化范围 外 的对抗输入仍能溜过"," · 计算成本真实 —— N 倍随机化 = N 倍训练时间",' · "更多随机化 = 更鲁棒"过某点后经验上 错 (过度正则化伤 policy 质量)',"","DR 有帮助。DR 单独 不是 防御。"],checkStatement:"域随机化单独就足以对抗 sim 训练 policy 上的所有对抗攻击。"}},{number:0,module:6,type:"knowledge",title:"Real-to-Sim Attack Validation — Confirming Defenses Generalize",body:["The proper validation loop for a sim-trained defense:"," 1. Train + validate defense in sim"," 2. Test defense on REAL hardware against attacks generated in real environment"," 3. Take real-hardware attack inputs back into sim, confirm defense still catches them there"," 4. Iterate until both domains agree","",'Step 2 is where most teams stop. Step 3 — "real-to-sim" validation — confirms the defense isn\'t simulator-specific.',"","Few labs do steps 2 and 3 due to hardware cost. The result: published defenses with sim-only validation that quietly fail on Spot, Optimus, Helix deployments."],check:{statement:"Validating a defense only in simulation is sufficient for academic publication and production deployment.",answer:"n"},_zh:{title:"Real-to-Sim 攻击验证 —— 确认防御泛化",body:["sim 训练防御的正确验证循环:"," 1. 在 sim 里训练 + 验证防御"," 2. 在 真 硬件上,用真实环境生成的攻击测试防御"," 3. 把真硬件攻击输入带回 sim,确认防御在那里也能抓"," 4. 迭代直到两个域一致","",'第 2 步是多数团队止步处。第 3 步 —— "real-to-sim" 验证 —— 确认防御不是仿真器特有。',"","少有实验室做第 2、3 步,因为硬件成本。结果:只验过 sim 的发表防御,在 Spot、Optimus、Helix 部署上悄悄失败。"],checkStatement:"只在仿真里验证防御,对学术发表和生产部署都足够。"}},{number:0,module:6,type:"knowledge",title:"Cross-Modality Backdoor Defense — Ablation-Based Detection",body:["Defending against cross-modality backdoors requires ABLATION studies, not pattern matching:",""," 1. Fix the language input to a known prompt; vary vision systematically. Look for sudden behavior changes."," 2. 
Fix the vision input; vary language systematically. Same."," 3. Use random JOINT variations and look for clusters of anomalous behavior in the (vision, language) input space.","","Compute cost: high (N² for paired-input grid). But this is the only test class that catches backdoors triggered by JOINT modality conditions.","","A 2025 paper showed ablation studies caught 8/10 implanted backdoors in a controlled benchmark; pattern-matching defenses caught 0/10."],check:{statement:"Pattern-matching defenses are effective at catching cross-modality backdoors.",answer:"n"},_zh:{title:"跨模态后门防御 —— 基于 ablation 的检测",body:["对抗跨模态后门需要 ABLATION 研究,不是模式匹配:",""," 1. 固定语言输入为已知 prompt;系统地变化视觉。看是否有突变行为。"," 2. 固定视觉输入;系统地变化语言。同上。"," 3. 用随机 联合 变化,在 (视觉, 语言) 输入空间里找异常行为聚类。","","计算成本:高 (配对输入网格的 N²)。但这是唯一能抓住联合模态条件触发后门的测试类。","","2025 一篇论文显示 ablation 研究在受控基准里抓住了 8/10 植入后门;模式匹配防御抓住了 0/10。"],checkStatement:"模式匹配防御在抓跨模态后门上很有效。"}},{number:0,module:6,type:"knowledge",title:"Provenance-Aware Training — Tracking Data Origin",body:["The structural defense against dataset-level backdoors: provenance metadata for every training sample.","","Minimum viable provenance schema:"," · Source organization (who supplied this demonstration?)"," · Hardware identifier (which robot recorded it?)"," · Recording date + operator ID"," · Hash of unmodified original"," · Subsequent transformation chain","","With this metadata, when a backdoor is suspected, you can run differential training: leave out samples from one source at a time, see if the backdoor disappears.","","Reality 2026: almost no production dataset has this. 
The first major embodied-AI incident will probably force the standard."],check:{statement:"Most production robotics datasets in 2026 record per-sample provenance metadata.",answer:"n"},_zh:{title:"溯源感知训练 —— 追踪数据来源",body:["对抗数据集级后门的结构性防御:每个训练样本的溯源元数据。","","最小可行溯源 schema:"," · 来源组织 (谁供的这次示范?)"," · 硬件标识 (哪个机器人录的?)"," · 录制日期 + 操作员 ID"," · 未修改原始的 hash"," · 后续转换链","","有这些元数据,后门可疑时,能做差分训练:一次留出一个来源的样本,看后门是否消失。","","现实 2026:几乎没生产数据集有这个。第一起大具身 AI 事故大概会强制标准。"],checkStatement:"2026 多数生产机器人数据集记录逐样本溯源元数据。"}},{number:0,module:7,type:"knowledge",title:"Incident — Sim-Trained Policy Crashing on First Real Day",body:["Recurring 2024-2026 pattern: a policy with 99% success in simulation fails 50% on day 1 of physical deployment.","","Common root causes (post-mortem from several public reports):"," · Motor backlash that the sim ignored"," · Camera sensor noise outside training distribution"," · Network latency between cloud planner and robot adding 80ms unaccounted"," · Floor surface friction off by 20% from training value","",'Lesson: success in sim is necessary, not sufficient. The "first real day" is its own validation environment with its own failure modes. Plan for it.'],check:{statement:"A policy with 99% sim success will perform at 99% on physical hardware day 1.",answer:"n"},_zh:{title:"事件 —— sim 训练 policy 第一天就崩",body:["2024-2026 反复模式:仿真里 99% 成功的 policy,物理部署第一天失败 50%。","","常见根因 (几份公开报告事后分析):"," · sim 忽略了的电机回程间隙"," · 训练分布外的相机传感器噪声"," · 云端规划器和机器人间的网络延迟,加了 80ms 没算"," · 地面摩擦比训练值差 20%","",'教训:sim 成功是必要、不是充分。"第一天"是自己的验证环境,有自己的失败模式。要为它做准备。'],checkStatement:"sim 里 99% 成功的 policy,在物理硬件第一天表现就是 99%。"}},{number:0,module:7,type:"knowledge",title:"Incident — Real-Camera Lens Distortion Defeating Trained Defense",body:["Adversarial defense trained against pixel-perfect simulated camera. 
Deployed: lens has radial distortion, slight chromatic aberration, JPEG compression in pipeline.","","Result: defense fires on benign inputs (false positives every few minutes) AND misses real attacks (lens distortion shifts attack patterns just enough to bypass detector).","","This was reported in multiple 2025 deployments. The fix is conceptually simple — train the defense against the SAME image pipeline used in deployment, including all distortion and compression — but requires hardware-in-the-loop training that many teams skip."],check:{statement:"Sim-trained adversarial defenses generalize automatically to deployment cameras with different lens distortions.",answer:"n"},_zh:{title:"事件 —— 真相机镜头畸变击败训练过的防御",body:["对抗防御针对像素完美的仿真相机训练。部署:镜头有径向畸变、轻微色差、pipeline 里有 JPEG 压缩。","","结果:防御在良性输入上误触发 (每几分钟一次) 且 漏掉真实攻击 (镜头畸变把攻击模式偏移得刚好绕过检测器)。","","这在多个 2025 部署里报告过。修复概念上简单 —— 用部署 同一 图像 pipeline (含所有畸变和压缩) 训练防御 —— 但需要 hardware-in-the-loop 训练,很多团队跳过。"],checkStatement:"sim 训练的对抗防御,自动泛化到镜头畸变不同的部署相机。"}},{number:0,module:7,type:"knowledge",title:"Incident — Sim-to-Real Drift in Multi-Robot Fleet Coordination",body:["A 2025 fleet of 8 warehouse robots, trained together in sim with synchronized communication, deployed to a real warehouse with 30-150ms variable network latency.","","Behavior observed:"," · Robots in close proximity began deadlocking on shared paths (their negotiation protocol assumed near-zero latency)",' · A timing-sensitive collision-avoidance protocol degraded into "freeze when uncertain" — entire fleet stalled'," · The drift was IN BETWEEN robots, not in any single robot — making single-robot validation useless","","Multi-robot sim-to-real is a separate research problem from single-robot, and most teams underestimate it."],check:{statement:"Sim-to-real validation done on individual robots is sufficient to predict multi-robot fleet behavior.",answer:"n"},_zh:{title:"事件 —— 多机器人舰队协调里的 sim-to-real 漂移",body:["2025 一个 8 仓库机器人舰队,在 sim 里同步通信一起训练,部署到真实仓库 30-150ms 
可变网络延迟。","","观察到的行为:"," · 邻近机器人开始在共享路径上死锁 (它们的协商协议假设近零延迟)",' · 时序敏感的碰撞避免协议退化为"不确定就冻住" —— 整个舰队停摆'," · 漂移 在机器人 之间,不在任何单个机器人内 —— 让单机器人验证没用","","多机器人 sim-to-real 是跟单机器人独立的研究问题,多数团队低估。"],checkStatement:"对单个机器人做的 sim-to-real 验证,足以预测多机器人舰队行为。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Figure 02 Deployment Lessons",body:["Figure 02 (the second-generation humanoid from Figure AI) entered commercial pilots in 2025-Q2 — BMW factory and several warehouses.","","Reported architecture choices relevant to attackers:"," · Speech-language interface is on by default"," · Cloud-hosted plan revisions — robot phones home for plan validation"," · Multi-agent coordination via shared scene representation in shared cloud state","","Public incidents (per industry reporting, 2025-2026):"," · Voice command injection from adjacent robot"," · Network ToS exploitation slowing planning cycles to cause deadlock"," · Vision-language conflict in poorly-lit shifts causing wrong-item retrieval","","Lesson: production humanoid security is currently MUCH softer than research-lab assumptions."],check:{statement:"Production humanoid robots in 2025-2026 have security defenses comparable to mature enterprise IT.",answer:"n"},_zh:{title:"现场案例 —— Figure 02 部署教训",body:["Figure 02 (Figure AI 第二代人形机器人) 2025-Q2 进入商业试点 —— BMW 工厂和几个仓库。","","与攻击者相关的架构选择 (公开报告):"," · 语音-语言接口默认开"," · 云端方案修订 —— 机器人 phone home 做方案校验"," · 多 agent 通过云端共享场景表示协调","","公开事件 (2025-2026 行业报道):"," · 邻近机器人的语音命令注入"," · 网络 ToS 利用减慢规划周期造成死锁"," · 光线差的班次里视觉-语言冲突,取错物品","","教训:生产人形机器人安全目前 远 比研究实验室假设软。"],checkStatement:"2025-2026 生产人形机器人的安全防御,达到了成熟企业 IT 级别。"}},{number:0,module:7,type:"knowledge",title:"Field Case — 1X NEO Home-Robot Beta Surface",body:["1X (formerly Halodi) shipped NEO Beta as a home humanoid in 2025. 
It targets domestic environments — kitchen, living room, basic chores.","","Distinct attack surface vs factory robots:"," · Lives in residential WiFi, often misconfigured"," · Camera feed includes sensitive scenes (children, financial documents)"," · Owner provides natural-language goals → prompt-injection through clever speech"," · Limited physical isolation — household members can directly tamper","",'Public-domain probing in 2025-2026 has been informal but documented several patterns: voice-spoofing from adjacent speakers, command injection via printed text in camera FOV ("the robot should follow this URL"), and prompt extraction via long multi-turn conversations.'],check:{statement:"Home humanoid robots have the same threat profile as factory robots — only the environment changes.",answer:"n"},_zh:{title:"现场案例 —— 1X NEO 家用机器人 beta 面",body:["1X (原 Halodi) 2025 推 NEO Beta 作家用人形。瞄准家庭 —— 厨房、客厅、基础家务。","","相比工厂机器人独特的攻击面:"," · 住在家用 WiFi,常配置错误"," · 摄像头流包含敏感场景 (儿童、财务文件)"," · 主人用自然语言给目标 → 通过聪明话语 prompt-injection"," · 物理隔离有限 —— 家人能直接动手","",'2025-2026 公开领域非正式探测记录了几种模式:邻近音箱的语音欺骗、摄像头视野内打印文字的命令注入 ("机器人应跟随这个 URL")、长多轮对话提取 prompt。'],checkStatement:"家用人形机器人跟工厂机器人威胁画像一样 —— 只是环境变了。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Tesla Optimus Factory Deployment Pattern",body:["Tesla Optimus moved into Tesla's own factories in 2024-2025 for internal pilot work. Limited external visibility, but several patterns are public:",""," · Optimus operates in heavily-instrumented environments (sensor-rich, all-monitored)"," · Updates pushed via Tesla's vehicle-style OTA pipeline (good for patching, single point of failure for compromise)"," · Telemetry collected centrally — feeds Tesla's simulation training loop","","Attack-relevant implication: the centralized telemetry + training loop means a successful poisoning attack on one Optimus has POTENTIAL to propagate into future model versions trained on its data. 
This is the supply-chain-via-deployment-data attack class."],check:{statement:"A centralized telemetry-to-training loop is an attack surface, not just an operational convenience.",answer:"y"},_zh:{title:"现场案例 —— Tesla Optimus 工厂部署模式",body:["Tesla Optimus 2024-2025 进入特斯拉自己工厂做内部试点。外部可见性有限,但几种模式公开:",""," · Optimus 在重度仪器化的环境运行 (传感器密集,全监控)"," · 更新通过特斯拉车辆风格的 OTA pipeline 推送 (打补丁好,但攻陷的单点)"," · 遥测中心收集 —— 喂特斯拉的仿真训练循环","","攻击相关含义:中心化遥测 + 训练循环意味着对一台 Optimus 的成功投毒攻击 可能 传播到基于其数据训练的未来模型版本。这是通过部署数据的供应链攻击类。"],checkStatement:"中心化的遥测-到-训练循环是攻击面,不只是运营便利。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Boston Dynamics Spot in Enterprise Deployments",body:["Spot (the quadruped) is the most-deployed legged robot in industry as of 2026, with thousands of units in inspection / security / utility roles.","","Notable security profile:"," · Boston Dynamics has historically prioritized hardware safety (force limits, e-stop) over information-security"," · Spot platform API allows operator extensions — extensions vary wildly in code quality"," · Tablet-based control interface uses WiFi by default; pen-test reports show common mis-configurations","","Attack pattern most commonly exploited: weak control-interface auth → unauthorized command sending → physical mis-tasking (move into restricted area, deactivate safety, etc).","","BD has rolled out hardening in 2025-2026 but a large installed base remains on older firmware."],check:{statement:"Boston Dynamics Spot deployments uniformly run the latest hardened firmware in 2026.",answer:"n"},_zh:{title:"现场案例 —— Boston Dynamics Spot 企业部署",body:["Spot (四足) 是 2026 业界部署最多的腿式机器人,数千台用于检查 / 安保 / 公用事业。","","值得注意的安全画像:"," · Boston Dynamics 历来把硬件安全 (力限、急停) 优先于信息安全"," · Spot 平台 API 允许操作员扩展 —— 扩展代码质量参差"," · 平板控制接口默认用 WiFi;渗透测试报告显示常见配置错误","","最常被利用的攻击模式:控制接口认证弱 → 未授权命令发送 → 物理误调度 (进入限制区、停用安全等)。","","BD 2025-2026 推过加固,但大量安装基础仍跑旧固件。"],checkStatement:"2026 所有 Boston Dynamics Spot 部署都统一跑最新加固固件。"}},{number:0,module:7,type:"knowledge",title:"Field Case — 
Healthcare and Logistics Embodied AI Lessons",body:["Two sectors with rapid 2025-2026 embodied-AI adoption + distinct lessons:",""," HEALTHCARE (surgical assistants, medication delivery, patient transport):"," · Regulatory pressure forces some baseline (FDA, CE) — but for fixed configurations"," · Updates / model swaps re-trigger certification → discourages security patches"," · Attack consequences are physical and patient-facing",""," LOGISTICS (warehouse pickers, autonomous forklifts, last-mile drones):"," · Lighter regulation → faster deployment, weaker baseline"," · Heavy multi-tenant (multiple software vendors per fleet)",' · Failures show up as throughput / SLA issues — easy to dismiss as "ops noise"',"","Cross-cutting lesson: the sector's regulatory weight directly inversely correlates with deployment security maturity. Healthcare slow-but-rigid; logistics fast-but-soft."],check:{statement:"Heavy regulation in healthcare automatically translates into faster security patching cycles.",answer:"n"},_zh:{title:"现场案例 —— 医疗与物流具身 AI 教训",body:["两个 2025-2026 具身 AI 快速采用 + 教训鲜明的行业:",""," 医疗 (手术助手、药品配送、病人转运):"," · 监管压力强制一些基线 (FDA, CE) —— 但针对固定配置"," · 更新 / 模型替换重触发认证 → 阻止安全补丁"," · 攻击后果是物理的、面向病人的",""," 物流 (仓库拣货、自驾叉车、最后一公里无人机):"," · 监管轻 → 部署快、基线弱"," · 高度多租户 (每个舰队多个软件厂商)",' · 失败显示为吞吐 / SLA 问题 —— 易被当"运维噪声"忽略',"","跨行业教训:行业监管重 直接反相关 部署安全成熟。医疗慢但刚性;物流快但软。"],checkStatement:"医疗行业的重监管自动转化为更快的安全补丁周期。"}}];export function eaiScopePhase(e){return EAI_SCOPE_CARDS.filter(t=>t.module===e)}if(40!==EAI_SCOPE_CARDS.length||27!==eaiScopePhase(4).length||5!==eaiScopePhase(6).length||8!==eaiScopePhase(7).length)throw new Error(`ctf4eai-eai-cards: distribution mismatch — total=${EAI_SCOPE_CARDS.length}, P4=${eaiScopePhase(4).length}, P6=${eaiScopePhase(6).length}, P7=${eaiScopePhase(7).length}`);
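Review bot: the distribution guard at the end of EAI_SCOPE_CARDS runs at module-evaluation time (`throw new Error(\`ctf4eai-eai-cards: distribution mismatch ...\`)`), so one miscounted card makes every importer of this module fail to load instead of failing a test; move the count check into the test suite or export it as a validation function. Every card is also declared with `number:0`, which only works because a downstream builder renumbers (`{...e,number:n}` in learn-curriculum-100.js), so a comment on this array should say that `number` is a placeholder. Finally, "Network ToS exploitation" in the Figure 02 card is ambiguous (Type-of-Service? a typo for DoS?); spell out what is meant.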
@@ -1,8 +0,0 @@
1
- /**
2
- * n=100 Specialist curriculum — built from learn-phases.ts in optimal
3
- * pedagogical order: Story → Concrete → Abstract → Defense → Synthesis.
4
- *
5
- * Each phase contributes 12-13 cards. Numbers assigned sequentially 1-100.
6
- */
7
- import type { Curriculum } from './learn-curricula.js';
8
- export declare const CURRICULUM_100: Curriculum;
@@ -1 +0,0 @@
1
- import{ALL_PHASES as e,PHASE_NAMES as t}from"./learn-phases.js";const n=function(){const t=[];let n=1;for(const o of e)for(const e of o)t.push({...e,number:n}),n++;return t}();export const CURRICULUM_100={id:"embodied-ai-100",name:"ICOA Embodied AI Security — Specialist (n=100)",description:"Eight phases × ~13 cards each. Pedagogical order: Story → Concrete attacks → Abstract math → Defenses → Real-world synthesis. ~30 hours.",totalCards:n.length,modules:function(){const o=[];for(let r=0;r<e.length;r++){e[r];const s=n.filter(e=>e.module===r+1);0!==s.length&&o.push({number:r+1,name:t[r],cardRange:[s[0].number,s[s.length-1].number]})}return o}(),cards:n};
@@ -1,14 +0,0 @@
1
- /**
2
- * n=480 PhD-entry curriculum — same 8 phases as n=100, but 60 cards/phase.
3
- *
4
- * Composition per phase:
5
- * · Real cards from learn-phases.ts (the n=100 base) — typically ~13 each
6
- * · Extension cards from learn-phases-ext.ts (PHASE_N_EXT) — ~46-47 each
7
- * · Phase-end milestone (1)
8
- *
9
- * 8 phase-end milestones at cards 60/120/180/240/300/360/420/480.
10
- * 4 of those are MACRO milestones with prominent badges; the other 4 are
11
- * mini "phase complete" markers.
12
- */
13
- import type { Curriculum } from './learn-curricula.js';
14
- export declare const CURRICULUM_480: Curriculum;
@@ -1 +0,0 @@
1
- import{ALL_PHASES as e,PHASE_NAMES as a}from"./learn-phases.js";import{PHASE_1_EXT as t,PHASE_2_EXT as o,PHASE_3_EXT as r,PHASE_4_EXT as s,PHASE_5_EXT as l,PHASE_6_EXT as n,PHASE_7_EXT as i,PHASE_8_EXT as d}from"./learn-phases-ext.js";const m=[t,o,r,s,l,n,i,d],u={1:{badge:"VLA Literate",emoji:"📚",level:"Solid undergrad — has read 2-3 papers, can probe ICOA-VLA."},3:{badge:"Multi-Modal Attacker",emoji:"🎯",level:"Can break VLAs through both vision AND language. MS-level red-teamer."},5:{badge:"Adversarial Mathematician",emoji:"🧠",level:"Reads NeurIPS / ICLR papers fluently. Junior PhD student."},8:{badge:"PhD-Entry Embodied AI Security Specialist",emoji:"🏆",level:"Full mastery. Can lead a research project, evaluate defenses, advise on policy. Comparable to: a PhD candidate after first year."}},c=function(){const t=[];for(let o=0;o<e.length;o++){const r=e[o],s=m[o]||[],l=o+1,n=60*o+1,i=60*(o+1),d=r.filter(e=>"milestone"!==e.type),c=s.filter(e=>"milestone"!==e.type);let h=n;for(const e of d){if(h>=i)break;t.push({...e,number:h}),h++}for(const e of c){if(h>=i)break;t.push({...e,number:h,module:l}),h++}for(;h<i;){const e=h-n+1;t.push({number:h,module:l,type:"knowledge",title:`Phase ${l} · Card ${e}/60 — content slot reserved`,body:[`Reserved slot in Phase ${l} (${a[o]}).`,"","The curriculum publishes ongoing content drops monthly. To get notified, email asra@icoa2026.au."]}),h++}const p=u[l];t.push({number:i,module:l,type:"milestone",badge:p?.badge||`Phase ${l} Complete`,emoji:p?.emoji||"✓",unlockedNext:l<8?`Phase ${l+1} (${a[l]}) begins next. ${u[l+1]?`That phase ends with the major "${u[l+1].badge}" milestone.`:""}`:"You've completed the full PhD-entry curriculum. Submit a research idea to asra@icoa2026.au for the alumni network.",realWorldLevel:p?.level||`Phase ${l} complete — solid grasp of ${a[o]}.`})}return t}();export const CURRICULUM_480={id:"embodied-ai-480",name:"ICOA Embodied AI Security — PhD Entry (n=480)",description:"Eight phases × 60 cards each. 
Same pedagogical order as n=100, deeper depth. ~120 hours. 4 macro milestones at cards 60, 180, 300, 480 mark major achievement gates.",totalCards:480,modules:a.map((e,a)=>({number:a+1,name:e,cardRange:[60*a+1,60*(a+1)]})),cards:c};
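Review bot: the per-phase fill loops `for(const e of d){if(h>=i)break;...}` and `for(const e of c){if(h>=i)break;...}` silently drop any real or extension cards that do not fit in the 60-card window, so an over-full phase loses content with no warning; throw or log when cards remain after `h>=i`, the way the EAI cards module already enforces its counts. The reserved-slot filler and the final milestone text also embed the contact address asra@icoa2026.au directly in generated card bodies; hoist it into one constant so it is not duplicated across up to 480 cards.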
@@ -1,18 +0,0 @@
1
- /**
2
- * AUTO-GENERATED y/n comprehension-check overlay map.
3
- * Source: panda/generate-yn-checks.js (Gemini 3.5-flash primary, lite fallback).
4
- * DO NOT HAND-EDIT — regenerate by running the script.
5
- *
6
- * localized() in learn-curricula.ts merges this into knowledge cards that
7
- * lack their own check field, so every knowledge card gets a y/n prompt.
8
- * Server-side learn_progress captures answer + time_on_card_ms per check
9
- * answered, feeding the learning-fingerprint analytics.
10
- *
11
- * Generated: 2026-05-24T14:41:40.875Z
12
- * Cards covered: 384
13
- */
14
- export declare const PHASES_CHECKS_OVERLAY: Record<string, {
15
- statement: string;
16
- answer: 'y' | 'n';
17
- statementZh: string;
18
- }>;
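Review bot: this declaration names the translated check `statementZh`, while the inline `_zh` blocks on the EAI cards carry the same field as `checkStatement`, so `localized()` has to bridge two names for one concept; pick a single name for the localized check statement across both sources, or document the mapping in this header. Since the header marks the file AUTO-GENERATED and DO NOT HAND-EDIT, also consider recording which card set the 384 entries were generated from (count or hash, not only the timestamp) so a stale overlay can be detected.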
@@ -1 +0,0 @@
1
- export const PHASES_CHECKS_OVERLAY={"Welcome — Why Embodied AI Security Matters NOW":{statement:"VLA robots deploying in 2026 inherit both 2018-style physical perception vulnerabilities and 2024-style digital LLM prompt injection vulnerabilities.",answer:"y",statementZh:"2026年部署的 VLA 机器人同时继承了2018年式的物理感知漏洞和2024年式的数字化 LLM 提示词注入漏洞。"},"What is a Vision-Language-Action (VLA) model?":{statement:"To output physical robot actions, a VLA model must process both a camera image and a natural-language instruction.",answer:"y",statementZh:"为了输出物理机器人动作,VLA 模型必须同时处理相机图像和自然语言指令。"},"VLA Architecture = Three Modules":{statement:"The three modules of the VLA architecture are trained separately on robot demonstration data and then integrated together.",answer:"n",statementZh:"VLA 架构的三个模块是在机器人演示数据上分别训练,然后再整合在一起的。"},"Famous VLA Models (2024-2026)":{statement:"Based on the card, we use closed-weights VLA models like RT-2 as our hands-on CTF targets.",answer:"n",statementZh:"根据卡片内容,我们使用像 RT-2 这样闭源权重的 VLA 模型作为我们动手操作的 CTF 目标。"},"VLA Attack Surfaces — Six Categories":{statement:"While Phase 2 and 3 cover vision and language attacks, Phase 4 specifically covers VLA-unique attacks like action-space jailbreaks.",answer:"y",statementZh:"虽然 Phase 2 和 Phase 3 分别涵盖 vision 和 language 攻击,但 Phase 4 专门涵盖 action-space jailbreak 等 VLA 独有的攻击。"},"Hook — The Tesla Stop Sign Story":{statement:"The black-and-white stickers in the 2018 study successfully tricked both the Tesla AI and human observers into reading 'Speed Limit 45'.",answer:"n",statementZh:"2018年研究中的黑白贴纸成功欺骗了 Tesla AI 和人类观察者,使双方都将其误读为 'Speed Limit 45'。"},"Hook — The ChatGPT Jailbreak Arms Race":{statement:"Indirect prompt injection methods that hide exploits in webpages and PDFs were developed before the original DAN jailbreaks emerged.",answer:"n",statementZh:"在网页和PDF中隐藏漏洞的 Indirect prompt injection 方法是在最初的 DAN 越狱出现之前开发的。"},"Your Tools — The ICOA Sandbox":{statement:"To upload an adversarial patch to the target VLA, you should use the 
'ctf4vla> probe' command inside the CLI.",answer:"n",statementZh:"要在 CLI 中向目标 VLA 上传 adversarial patch,您应当使用 'ctf4vla> probe' 命令。"},"Phase 2 — Breaking VLAs Through Vision":{statement:"In Phase 2, you will master the mathematical formulas of FGSM and EOT before hands-on hacking of the ICOA-VLA.",answer:"n",statementZh:"在 Phase 2 中,你将在动手破解 ICOA-VLA 之前,先掌握 FGSM 和 EOT 的数学公式。"},"Physical Adversarial Patches — The Mechanism":{statement:"A physical adversarial patch achieves its effect by acting as camouflage to hide objects from the VLA.",answer:"n",statementZh:"物理对抗补丁是通过作为伪装向 VLA 隐藏物体来实现其效果的。"},"FGSM — The Foundation Attack (Quick Preview)":{statement:"To compute an FGSM perturbation, you calculate the gradient of the loss function with respect to the model's weights.",answer:"n",statementZh:"为了计算 FGSM 扰动,你需要计算损失函数相对于模型权重的梯度。"},"EOT — Make Patches Survive the Real World":{statement:"EOT achieves physical robustness by sampling multiple random transformations and averaging their gradients at each step of PGD.",answer:"y",statementZh:"EOT通过在PGD的每一步中采样多个随机变换并平均其梯度来获得物理鲁棒性。"},"Universal Patches — One Patch for Many Inputs":{statement:"A universal patch must be specifically re-optimized for each new target object to successfully redirect a VLA's grasping behavior.",answer:"n",statementZh:"通用补丁必须针对每个新的目标物体进行重新优化,才能成功重定向 VLA 的抓取行为。"},"Printability — The NPS Score":{statement:"Adding the Non-Printability Score (NPS) to the optimization loss helps ensure that an adversarial patch remains effective when printed on physical paper.",answer:"y",statementZh:"将 Non-Printability Score (NPS) 引入优化损失中,有助于确保对抗补丁在实际打印到纸张上时依然有效。"},"Camera Variation Defeats Naive Patches":{statement:"A naive adversarial patch optimized for an iPhone 14 will maintain a 70% attack success rate when deployed on security cameras.",answer:"n",statementZh:"针对 iPhone 14 优化的朴素对抗补丁在部署到安全摄像头上时,仍能维持 70% 的攻击成功率。"},"Phase 3 — Breaking VLAs Through Language":{statement:"Executing Phase 3 language attacks on VLAs requires 
powerful GPU resources to successfully bypass RLHF safety training.",answer:"n",statementZh:"针对 VLA 执行 Phase 3 语言攻击需要强大的 GPU 资源才能成功绕过 RLHF 安全训练。"},"The Jailbreak Taxonomy":{statement:"Instruction Override is the most relevant jailbreak for VLAs because these models tend to execute the latest instruction they receive.",answer:"y",statementZh:"Instruction Override 是与 VLA 最相关的越狱类型,因为这类模型倾向于执行其接收到的最新指令。"},"Why RLHF Safety is Shallow":{statement:"RLHF safety training prevents jailbreaks by successfully erasing harmful internal representations from the model, rather than just shaping its output distribution.",answer:"n",statementZh:"RLHF 安全训练通过成功清除模型内部的有害表征来防止越狱,而不仅仅是塑造其输出分布。"},"Indirect Prompt Injection":{statement:"During an indirect prompt injection, a VLA executes malicious commands retrieved from poisoned context, such as a PDF, without direct attacker-to-model communication.",answer:"y",statementZh:"在间意提示词注入中,VLA 会执行从被污染上下文(如 PDF)中检索到的恶意指令,而无需与攻击者建立直接的通信渠道。"},"System Prompt Leakage":{statement:"Standard RLHF training successfully blocks attackers from extracting VLA system prompts through indirect queries like translation or poetry generation.",answer:"n",statementZh:"标准的 RLHF 训练能够成功阻止攻击者通过翻译或诗歌生成等间接查询方式提取 VLA 系统提示词。"},"Multi-Turn Jailbreaks":{statement:"Trajectory-drift detection in conversation embedding space can defend against multi-turn jailbreaks even when individual turns appear completely innocent.",answer:"y",statementZh:"即使单次交互看起来完全无害,对话嵌入空间中的 trajectory-drift detection 仍能防御多轮越狱。"},"Chain-of-Thought (CoT) Injection":{statement:"As of 2026, most production VLA systems have successfully mitigated CoT injection by correctly separating trusted reasoning from untrusted inputs.",answer:"n",statementZh:"截至2026年,大多数商用VLA系统已通过正确隔离受信任推理与不受信任输入成功防御了CoT注入。"},"Defense — Input/Output Filtering":{statement:"Even if a prompt injection successfully bypasses the input filter, the output filter can still block the resulting unsafe trajectory.",answer:"y",statementZh:"即使 
prompt injection 成功绕过了输入过滤器,输出过滤器仍然可以阻止由此产生的非安全轨迹。"},"Phase 4 — Where VLAs Are Uniquely Vulnerable":{statement:"Modality conflicts and action-space jailbreaks are VLA-specific Phase 4 vulnerabilities that already have widely published defenses.",answer:"n",statementZh:"Modality conflicts 和 action-space 越狱属于 VLA 特有的 Phase 4 漏洞,目前均已有广泛发表的防御方案。"},"Modality Conflict — Deep Dive":{statement:"When vision and language contradict, real ICOA-VLA models typically resolve the conflict by prioritizing vision and grasping the physical object.",answer:"n",statementZh:"当视觉和语言发生冲突时,真实的 ICOA-VLA 模型通常会通过优先考虑视觉并抓取物理实体来解决冲突。"},"Action-Space Jailbreaks":{statement:"An action-space jailbreak can successfully hijack a VLA planner even if the controller clips the predicted limit-violating actions.",answer:"y",statementZh:"即使控制器裁剪了预测的超限动作,动作空间越狱攻击仍然能够成功劫持VLA规划器。"},"Embodied Reasoning Hacks":{statement:"Prompting a VLA planner to perform extra safety verification steps reduces the overall attack surface by minimizing subsequent model calls.",answer:"n",statementZh:"促使 VLA 规划器执行额外的安全验证步骤可以通过减少后续的模型调用来降低整体攻击面。"},"Multi-Step Task Manipulation":{statement:"Today's VLAs prevent multi-step manipulation by using cryptographically-signed task plans to verify intermediate actions against the original goal.",answer:"n",statementZh:"当前的 VLA 通过使用加密签名的任务计划来验证中间操作与原始目标的一致性,从而防止多步操作操控。"},"Backdoor Attacks at Training Time":{statement:"Poisoning a VLA trained on Open X-Embodiment requires compromising the training data of all participating robotics labs.",answer:"n",statementZh:"对基于 Open X-Embodiment 训练的 VLA 进行毒化,需要篡改所有参与机器人实验室的训练数据。"},"Cross-Modal Alignment Attacks":{statement:"An alignment attack uses an image that visually resembles the safe target text, but has a CLIP embedding matching the dangerous object.",answer:"n",statementZh:"对齐攻击所使用的图像在视觉上类似于安全的目标文本,但其 CLIP 嵌入却与危险物体相匹配。"},"Phase 5 — Formalizing What You Just Did":{statement:"The formal mathematical description of the VLA attacks in Phase 5 is 
formulated as minimizing the loss function subject to perturbation constraints.",answer:"n",statementZh:"Phase 5 中 VLA 攻击的正式数学描述被公式化为在扰动约束下最小化损失函数。"},"Threat Models — What Does the Attacker Know?":{statement:"Because real robot deployments are usually gray-box, attackers have direct access to the exact gradients of the deployed model.",answer:"n",statementZh:"由于实际的机器人部署通常是 gray-box,攻击者可以直接获取所部署模型的 exact gradients。"},"L-p Norms — Measuring Perturbation Size":{statement:"Achieving robustness against L∞ perturbations automatically guarantees that a model is also robust against L₀ sparse attacks.",answer:"n",statementZh:"针对 L∞ 扰动实现鲁棒性,自动保证了模型对 L₀ 稀疏攻击同样具有鲁棒性。"},"FGSM — Now Derived":{statement:"FGSM assumes the loss is approximately linear in high dimensions to maximize the adversarial loss under an L_infinity bound.",answer:"y",statementZh:"FGSM 通过假设高维空间中的 loss 近似为线性,从而在 L_infinity 约束下最大化对抗 loss。"},"PGD — Iterative FGSM":{statement:"Projected Gradient Descent (PGD) begins its optimization by applying a random uniform perturbation to the input before performing gradient steps.",answer:"y",statementZh:"Projected Gradient Descent (PGD) 在执行梯度步骤之前,通过对输入施加随机均匀扰动来开始其优化过程。"},"Carlini & Wagner — L₂ Gold Standard":{statement:"The Carlini & Wagner attack achieves smaller perturbation magnitudes than PGD, but requires more iterations to compute.",answer:"y",statementZh:"Carlini & Wagner 攻击比 PGD 实现了更小的扰动幅度,但需要更多的迭代次数来进行计算。"},Transferability:{statement:"An adversarial attack crafted on ICOA-VLA can often transfer to OpenVLA because both models utilize the same SigLIP encoder.",answer:"y",statementZh:"针对 ICOA-VLA 设计的对抗性攻击通常可以迁移到 OpenVLA,因为这两个模型都使用了相同的 SigLIP 编码器。"},"Practical Tooling":{statement:"While torchattacks is the simplest library for ICOA, academic reviewers generally expect evaluations to use the AutoAttack ensemble benchmark.",answer:"y",statementZh:"虽然 torchattacks 是用于 ICOA 最简单的库,但学术审稿人通常期望评估中使用 AutoAttack 集成基准。"},"Phase 6 — Defending VLAs":{statement:"VLAs are more 
difficult to defend than classifiers because their continuous action space lacks distinct class boundaries.",answer:"y",statementZh:"VLA 比分类器更难防御,因为它们的连续动作空间缺乏清晰的类别边界。"},"Adversarial Training — The Gold Standard":{statement:"During adversarial training, the inner loop optimization updates the model parameters, while the outer loop generates PGD adversarial perturbations.",answer:"n",statementZh:"在对抗训练中,内层循环优化用于更新模型参数,而外层循环则负责生成 PGD 对抗扰动。"},"Certified Robustness — Randomized Smoothing":{statement:"Randomized smoothing provides VLAs with certified robustness against adversarial perturbations within an L_inf norm ball.",answer:"n",statementZh:"Randomized smoothing 为 VLAs 提供了针对 L_inf 范数球内对抗扰动的可认证鲁棒性。"},"Detection-Based Defenses":{statement:"Detection-based defenses provide certified security guarantees for VLA models by combining an abstain option with a safe-mode return.",answer:"n",statementZh:"通过结合放弃选项与安全模式返回,基于检测的防御能够为 VLA 模型提供可认证的安全保证。"},"Ensemble Defenses":{statement:"Ensembling different VLA models guarantees robust defense because diverse architectures naturally do not share common adversarial attack directions.",answer:"n",statementZh:"集成不同的 VLA 模型可以保证鲁棒的防御,因为多样化的架构自然不会共享通用的对抗攻击方向。"},'The "Broken Defenses" Pattern':{statement:"To bypass obfuscated gradients caused by non-differentiable operations, adaptive attackers typically use EOT (Expectation over Transformation) as a fix.",answer:"n",statementZh:"为了绕过由 non-differentiable 操作引起的 obfuscated gradients,自适应攻击者通常使用 EOT(Expectation over Transformation)进行修复。"},"AutoAttack as Evaluation Gold Standard":{statement:"Researchers currently evaluate the robustness of Vision-Language-Action (VLA) models using the standard four-attack AutoAttack ensemble.",answer:"n",statementZh:"研究人员目前使用标准的四组件 AutoAttack 套件来评估 VLA 模型的鲁棒性。"},"Phase 7 — Real Attacks, Real Impact":{statement:"Phase 7 analyzes real-world safety risks using FDA reports on surgical robot incidents alongside GPS spoofing cases from Iran and 
Ukraine.",answer:"y",statementZh:"Phase 7 利用关于手术机器人事件的 FDA 报告,以及来自伊朗和乌克兰的 GPS spoofing 案例来分析现实世界的安全风险。"},"Case — Tesla Stop-Sign Attack (Industry Response)":{statement:"Tesla's defense-in-depth response to the stop-sign attack relies on HD-map GPS priors overriding perception, rather than a 100% robust vision model.",answer:"y",statementZh:"Tesla 对停车标志攻击的纵深防御响应依赖于 HD-map GPS 先验来覆盖感知,而非实现 100% 鲁棒的 vision model。"},"Case — Surgical Robot Safety":{statement:"Incidents in VLA-ish surgical robots are classified as academic adversarial attacks rather than distribution shift, requiring completely different defenses.",answer:"n",statementZh:"类似 VLA 的手术机器人事故被归类为学术性对抗攻击而非分布偏移(distribution shift),因此需要完全不同的防御措施。"},"Case — GPS Spoofing (Iran 2011, Ukraine 2023+)":{statement:"When a VLA robot's GPS is poisoned, visual odometry is the sole validation check, allowing a multi-modal attack if vision is also compromised.",answer:"y",statementZh:"当 VLA 机器人的 GPS 被污染时,视觉里程计是唯一的校验手段,若视觉同时受袭则会导致多模态攻击。"},"Case — ChatGPT Jailbreak Timeline":{statement:"Based on ChatGPT's history, the timeline projects that VLAs will face a similar two-to-three-year security arms race after deployment.",answer:"y",statementZh:"基于 ChatGPT 的历史,该时间线预测 VLAs 在部署后也将面临类似的为期两到三年的安全军备竞赛。"},"Case — CIA Vault 7 Disclosure (Strategic Context)":{statement:"Vault 7 implications suggest that VLA defenders must assume nation-states are already stockpiling undisclosed prompt injections and backdoor triggers.",answer:"y",statementZh:"Vault 7 的启示表明,VLA 防御者必须假设国家级黑客已经储备了未公开的 prompt injection 和后门触发器。"},"Industry Deployment Patterns":{statement:"ICOA-trained defenders focus their security efforts primarily on Tier 1 through Tier 3 deployment patterns.",answer:"n",statementZh:"受过 ICOA 培训的防御者主要将安全防护重点放在 Tier 1 到 Tier 3 的部署模式上。"},"Phase 8 — Synthesis & Original Research":{statement:"To complete Phase 8, you must demonstrate your original VLA attack or defense using a MuJoCo simulation.",answer:"y",statementZh:"要完成 Phase 8,你必须使用 
MuJoCo 仿真来展示你原创的 VLA 攻击或防御。"},"How to Pick a Capstone Topic":{statement:"The card suggests that successful Capstone projects usually EXTEND an existing method with an execution twist, rather than proposing a completely novel attack family.",answer:"y",statementZh:"卡片指出,成功的 Capstone 项目通常是在现有方法上进行带有执行微调的 EXTEND,而不是提出一个完全新颖的攻击家族。"},"Submission Template":{statement:"The submission template indicates that reviewers place the highest value on the TECHNIQUE and EVIDENCE sections of the writeup.",answer:"n",statementZh:"提交模板指出,评审人员最看重报告中的 TECHNIQUE 和 EVIDENCE 部分。"},"Writing the Capstone — Tips from Past Reviewers":{statement:"Top capstones should demonstrate scope honesty by specifically stating if a defense works on ICOA-VLA but fails to transfer to OpenVLA.",answer:"y",statementZh:"优秀的 capstone 应当展现 scope honesty,具体说明某项防御虽然在 ICOA-VLA 上有效,但无法迁移至 OpenVLA。"},"Common Capstone Mistakes":{statement:"According to the guidelines, meeting with your Capstone mentor once a month is sufficient to prevent major project blockers.",answer:"n",statementZh:"根据指南,每月与你的 Capstone 导师会面一次就足以防止重大的项目受阻。"},"Reading List — 10 Papers to Read Next":{statement:"According to the reading list, the paper introducing FGSM adversarial examples is authored by Carlini & Wagner.",answer:"n",statementZh:"根据阅读清单,介绍 FGSM 对抗样本的论文是由 Carlini & Wagner 撰写的。"},"Research Directions — Where the Field is Going (2026-2028)":{statement:"Certified robustness for VLAs is currently a mature research frontier with a large volume of established results.",answer:"n",statementZh:"目前,针对 VLAs 的 certified robustness 是一个非常成熟的研究前沿,并已积累了大量的研究成果。"},"History — Asimov's Three Laws and Why They Don't Work":{statement:"Asimov designed the Three Laws not as a real-world engineering specification, but as a literary device to explore edge-case failures.",answer:"y",statementZh:"阿西莫夫设计“三定律”并非作为现实中的工程规范,而是作为展示在 edge cases 下安全失效的文学手法。"},"History — First Robot Fatality (1979)":{statement:"The 1979 Ford robot fatality was primarily caused by the 
robot arm operating at an extremely high, unregulated speed.",answer:"n",statementZh:"1979年Ford工厂的首例机器人致死事故,主要是由于机器人手臂以极高且不受规管的速度运行导致的。"},"History — Szegedy 2013, the First Adversarial Example":{statement:"According to Szegedy et al. (2013), an adversarial perturbation designed for one CNN was strictly model-specific and failed to affect other models.",answer:"n",statementZh:"根据 Szegedy et al. (2013) 的研究,针对单个 CNN 设计的对抗扰动是严格特定于模型的,无法对其他模型产生影响。"},"Deployment — Amazon Robotics Warehouses":{statement:"Spoofing worker RFID signals can cause Amazon warehouse robots to navigate to the incorrect human zone.",answer:"y",statementZh:"欺骗员工的 RFID 信号会导致亚马逊仓库机器人导航到错误的人类区域。"},"Deployment — Figure 01 Humanoid":{statement:"Because Figure 01's Helix VLA is closed-source, security researchers must rely on gray-box or black-box methods instead of white-box attacks.",answer:"y",statementZh:"由于 Figure 01 的 Helix VLA 是闭源的,安全研究人员必须依赖 gray-box 或 black-box 方法,而非 white-box 攻击。"},"Deployment — Tesla Optimus":{statement:"Adversarial attacks targeting Tesla Autopilot can directly affect Tesla Optimus because the robot inherits the same underlying vision encoder.",answer:"y",statementZh:"针对 Tesla Autopilot 的对抗性攻击可以直接影响 Tesla Optimus,因为该机器人继承了相同的底层视觉编码器。"},"Deployment — Boston Dynamics Atlas/Spot":{statement:"Boston Dynamics commercially deploys its robots using specialist policies instead of relying on end-to-end VLA models.",answer:"y",statementZh:"Boston Dynamics 在商业部署其机器人时使用 specialist policies,而不是依赖端到端的 VLA 模型。"},"Deployment — Surgical Robots (da Vinci)":{statement:"Currently deployed da Vinci systems autonomously execute surgical subtasks like suturing and incision closure using VLA models.",answer:"n",statementZh:"目前部署的 da Vinci 系统已能使用 VLA 模型自主执行诸如缝合和伤口闭合等手术子任务。"},"Open X-Embodiment — The Training Dataset":{statement:"The Open X-Embodiment dataset prevents backdoor poisoning risks because all 21 contributing labs must pass a formal data validation pipeline.",answer:"n",statementZh:"Open 
X-Embodiment 数据集由于要求所有 21 个合作实验室通过正式的数据验证流程,从而防止了后门投毒风险。"},"Architecture Variant — Transformer-Based VLAs":{statement:"In transformer-based VLAs, vision and language tokens are processed in separate networks and only fuse during the final action output layer.",answer:"n",statementZh:"在基于 Transformer 的 VLA 中,视觉和语言 token 在独立的网络中进行处理,并且仅在最终的动作输出层才进行融合。"},"Architecture Variant — Diffusion-Based VLAs":{statement:"Diffusion-based VLAs achieve high inference speeds by predicting smooth action trajectories in a single, non-iterative denoising step.",answer:"n",statementZh:"Diffusion-based VLA 通过在单个非迭代的去噪步骤中预测平滑动作轨迹,实现了极快的推理速度。"},"Architecture Variant — Flow-Matching VLAs":{statement:"Although flow-matching VLAs like π0 train faster than diffusion, they require hundreds of inference steps to generate actions along the flow.",answer:"n",statementZh:"虽然像 π0 这样的 flow-matching VLAs 训练速度比 diffusion 更快,但它们需要数百步推理来沿着流生成动作。"},"ICOA-VLA Deep Dive — 27M Parameter Anatomy":{statement:"The 22M parameter ViT-S vision encoder in ICOA-VLA is a pre-trained model integrated directly without training from scratch.",answer:"n",statementZh:"ICOA-VLA 中具有 22M 参数的 ViT-S 视觉编码器是一个直接引入的预训练模型,而非从头开始训练。"},"OpenVLA Deep Dive — 7B Parameter Anatomy":{statement:"OpenVLA-7B fine-tunes its DINOv2 and SigLIP vision encoders while keeping the Llama 2-7B language backbone completely frozen during training.",answer:"n",statementZh:"OpenVLA-7B在训练过程中微调了其DINOv2和SigLIP视觉编码器,同时保持Llama 2-7B语言主干完全冻结。"},"π0 Deep Dive — 3.5B Flow-Matching Anatomy":{statement:"The π0 model utilizes a ViT backbone for language processing and PaLI-Gemma encoders for its three vision sources.",answer:"n",statementZh:"π0 模型利用 ViT 主干(backbone)进行语言处理,并使用 PaLI-Gemma 编码器处理其三个视觉来源。"},"Vision Encoders — DINOv2 vs SigLIP vs CLIP":{statement:"OpenVLA utilizes DINOv2 to provide high-level semantic understanding, while relying on SigLIP to capture detailed spatial and structural information.",answer:"n",statementZh:"OpenVLA 利用 DINOv2 提供高层语义理解,同时依赖 
SigLIP 来捕获详细的空间和结构信息。"},"Language Encoders — Llama vs T5 vs PaLM":{statement:"The BPE tokenizer in Llama, used by OpenVLA, is known to introduce prompt-injection vulnerabilities through unusual unicode characters.",answer:"y",statementZh:"OpenVLA 所使用的 Llama BPE 分词器已知会通过异常 unicode 字符引入 prompt-injection 漏洞。"},"Action Heads — Continuous vs Discrete vs Diffusion":{statement:"Discrete action heads achieve compatibility with LLM training pipelines by binning action dimensions, although this introduces lossy quantization.",answer:"y",statementZh:"Discrete action heads 虽然会引入有损量化,但通过将动作维度进行分箱,实现了与 LLM 训练管线的兼容。"},"Action Chunking":{statement:"Action chunking increases VLA inference frequency to prevent errors from compounding across the predicted trajectory.",answer:"n",statementZh:"Action chunking增加了VLA的推理频率,以防止误差在预测轨迹中累积。"},"Sim-to-Real Gap — Concept Introduction":{statement:"Domain randomization bridges the Sim-to-Real gap by ensuring that simulator physics and sensor noise perfectly match the real world.",answer:"n",statementZh:"Domain randomization 通过确保模拟器物理和传感器噪声与真实世界完美匹配来弥合 Sim-to-Real Gap。"},"Simulators — MuJoCo, Isaac Sim, Gazebo, PyBullet":{statement:"Although Isaac Sim is state-of-the-art for VLA training, ICOA uses Gazebo for security testing because of its headless capabilities.",answer:"n",statementZh:"虽然 Isaac Sim 是 VLA 训练的前沿技术,但 ICOA 因其无头运行能力而选择 Gazebo 进行安全测试。"},"ROS — The Robot Operating System":{statement:"By default, the ROS middleware utilizes basic password authentication on its /command topic to prevent unauthorized VLA motor actions.",answer:"n",statementZh:"默认情况下,ROS 中间件在它的 /command 话题上使用基础密码认证,以防止未经授权的 VLA 电机动作。"},"Cobots vs Autonomous Robots":{statement:"Under ISO/TS 15066, autonomous robots like industrial welding robots are designed with force limits to ensure they fail safe during security compromises.",answer:"n",statementZh:"根据 ISO/TS 15066,像工业焊接机器人这样的 autonomous robots 设计有力量限制,以确保它们在安全受累时能够 fail safe。"},"Motion Planning 
Basics":{statement:"Unlike classical robotics, most VLAs execute a four-step pipeline—including inverse kinematics and trajectory optimization—before outputting joint targets.",answer:"n",statementZh:"与经典机器人学不同,大多数 VLAs 在输出关节目标之前会执行包含逆运动学和轨迹优化的四步流水线。"},"Inverse Kinematics — A Brief Tour":{statement:"For a 7-DoF robotic arm, there is generally a single, unique joint angle solution for any given end-effector position.",answer:"n",statementZh:"对于 7-DoF 机械臂,给定的末端执行器位置通常只对应唯一的一组关节角解。"},"Sensor Fusion Basics":{statement:"Typical VLA models use sensor fusion to combine RGB and depth data, making them highly resilient against perception attacks.",answer:"n",statementZh:"典型的 VLA 模型利用传感器融合技术结合 RGB 和深度数据,从而使其对感知攻击具有很强的抵御能力。"},"The 6 Attack Surfaces — Detailed Map":{statement:"Although Prompt Injection is listed first, the roadmap shows that Adversarial Patch is actually analyzed first in Phase 2.",answer:"y",statementZh:"虽然 Prompt Injection 排在第一位,但路线图显示 Adversarial Patch 实际上在 Phase 2 中最先被分析。"},"Robot Ethics Frameworks":{statement:"Under the EU AI Act (2024), robotics is classified within the high-risk tier of its risk classification system.",answer:"y",statementZh:"在 EU AI Act (2024) 框架下,机器人技术被归类在其风险分类系统的 high-risk 级别中。"},"EU AI Act — What VLAs Need to Comply With":{statement:"Under the EU AI Act, robot control is classified as high-risk, making adversarial robustness testing a legal requirement for VLA deployments.",answer:"y",statementZh:"根据 EU AI Act,机器人控制被归类为高风险,这使得对抗性鲁棒性测试成为 VLA 部署的法定要求。"},"US Executive Orders + State Frameworks":{statement:"As of early 2026, the US federal government has enacted a specific law regulating the safety of VLA models.",answer:"n",statementZh:"截至2026年初,美国联邦政府已经出台了一项专门监管VLA模型安全的法律。"},"ISO Safety Standards for Robots":{statement:"While ISO 13482 regulates personal-care robots, there is currently no active ISO safety standard specifically covering VLA-controlled robots.",answer:"y",statementZh:"虽然 ISO 13482 规范了个人护理机器人,但目前尚无专门针对 VLA 控制的机器人的现行 ISO 
安全标准。"},"Industry Stakeholders":{statement:"Integrators bear the primary liability for site safety during deployment, while manufacturers are responsible for proving overall robot safety.",answer:"y",statementZh:"集成商 (Integrators) 承担特定现场部署的安全责任,而制造商 (Manufacturers) 则负责证明机器人的安全性。"},"Threat Actor Taxonomy":{statement:"While script kiddies generate high-volume forum attacks, insiders represent the most difficult threat actor category to detect.",answer:"y",statementZh:"虽然 script kiddies 产生高频的论坛攻击,但 insiders 代表了最难检测的威胁角色类别。"},"Risk = Threat × Vulnerability × Impact":{statement:"In the formal risk equation, Likelihood represents the Impact, while Severity is determined by combining Threat and Vulnerability.",answer:"n",statementZh:"在正式的风险公式中,Likelihood 代表 Impact,而 Severity 则通过结合 Threat 和 Vulnerability 来决定。"},"Defense-in-Depth Philosophy":{statement:"In the Defense-in-Depth philosophy, safety monitors and kill switches are classified under Layer 3 output filtering.",answer:"n",statementZh:"在 Defense-in-Depth 哲学中,安全监控器和 kill switches 被归类于 Layer 3 output filtering。"},"Failure Modes — Silent vs Loud, Fail-Safe vs Fail-Deadly":{statement:"Because it is the easier default, most current VLA prototypes are engineered to be loud and fail-safe.",answer:"n",statementZh:"由于这是更容易的默认选择,目前大多数 VLA 原型在设计上都实现了 loud 且 fail-safe 的状态。"},"ICOA Platform as Case Study":{statement:"To ensure offline reliability, the ICOA platform uses a thick client architecture that stores exam content directly on the user's device.",answer:"n",statementZh:"为了确保离线可靠性,ICOA 平台采用了将考试内容直接存储在用户设备上的 thick client 架构。"},"Why CLI-Native? — ICOA's Positioning":{statement:"ICOA adopts a CLI-first approach because real-world VLA security attacks typically occur in code rather than graphical user interfaces.",answer:"y",statementZh:"ICOA 采用 CLI 优先的方法,因为现实世界中的 VLA 安全攻击通常发生在代码中,而不是图形用户界面中。"},'Paper Deep-Dive — Szegedy 2013 "Intriguing Properties"':{statement:"Szegedy et al. 
used L-BFGS optimization to find minimum-norm adversarial perturbations, which transfer across different models trained on the same data.",answer:"y",statementZh:"Szegedy等人使用L-BFGS优化算法寻找最小范数对抗扰动,这些扰动可在基于相同数据训练的不同模型之间迁移。"},'Paper Deep-Dive — Goodfellow 2014 "Explaining FGSM"':{statement:"The FGSM formula generates adversarial examples by subtracting the sign of the loss gradient from the original input.",answer:"n",statementZh:"FGSM 公式通过从原始输入中减去损失梯度的符号来生成对抗样本。"},'Paper Deep-Dive — Madry 2017 "Towards Resistant Models"':{statement:"In Madry's min-max formulation of robust training, PGD is used as the outer-minimization algorithm to update model parameters.",answer:"n",statementZh:"在Madry鲁棒训练的min-max构建中,PGD被用作outer-minimization算法来更新模型参数。"},"Paper Deep-Dive — Carlini-Wagner 2017":{statement:"The Carlini-Wagner paper proved that defensive distillation is a highly robust defense that successfully resists L₂, L∞, and L₀ attacks.",answer:"n",statementZh:"Carlini-Wagner 论文证明了 defensive distillation 是一种非常强大的防御,成功抵御了 L₂、L∞ 和 L₀ 攻击。"},'Paper Deep-Dive — Brown 2017 "Adversarial Patch"':{statement:"To force a 'toaster' prediction, Brown's adversarial patch must be specifically redesigned and optimized for each new input image.",answer:"n",statementZh:"为了强制模型预测为 'toaster',Brown 的 adversarial patch 必须针对每张新的输入图像进行专门的重新设计和优化。"},'Paper Deep-Dive — Eykholt 2018 "Stop Sign Attack"':{statement:"Tesla and Waymo mitigated the Eykholt 2018 attack primarily by retraining their vision models with adversarial perturbations to improve robustness.",answer:"n",statementZh:"Tesla 和 Waymo 主要通过使用对抗扰动重新训练其视觉模型来提高鲁棒性,从而抵御 Eykholt 2018 攻击。"},'Paper Deep-Dive — Athalye 2018 "EOT" + "Synthesizing Robust Adversarial Examples"':{statement:"The 3D-printed adversarial turtle created using EOT was only classified as a rifle from a single, highly specific viewing angle.",answer:"n",statementZh:"使用 EOT 创建的 3D 打印对抗乌龟仅在单一、高度特定的视角下才会被分类为步枪。"},'Paper Deep-Dive — Athalye 2018 "Obfuscated Gradients"':{statement:"The 
EOT technique is used to circumvent shattered gradients by replacing non-differentiable operations with smooth surrogates.",answer:"n",statementZh:"EOT 技术用于通过将不可微操作替换为平滑替代来绕过 shattered gradients。"},'Paper Deep-Dive — Croce-Hein 2020 "AutoAttack"':{statement:"To achieve reliable evaluation, AutoAttack requires users to manually tune the hyperparameters of its four constituent attack components.",answer:"n",statementZh:"为了获得可靠的评估,AutoAttack 需要用户手动调节其四个组成攻击组件的超参数。"},'Paper Deep-Dive — Tramer 2020 "Adaptive Attacks"':{statement:"Tramer 2020 demonstrates that generic PGD attacks are sufficient to thoroughly evaluate and break all thirteen adversarial defenses.",answer:"n",statementZh:"Tramer 2020 表明,通用的 PGD 攻击足以彻底评估并破解所有十三种对抗性防御。"},"FGSM Variant — Iterative FGSM (IFGSM)":{statement:"IFGSM improves upon PGD by introducing random initialization within the ε-ball, increasing its attack strength by 10-20%.",answer:"n",statementZh:"IFGSM 通过在 ε-ball 内引入随机初始化改进了 PGD,从而将其攻击强度提高了 10-20%。"},"FGSM Variant — Momentum FGSM (MIFGSM)":{statement:"MIFGSM generates smoother gradient directions to reduce source model overfitting, enhancing its transferability when attacking VLAs with different vision encoders.",answer:"y",statementZh:"MIFGSM 通过产生更平滑的梯度方向来减少源模型过拟合,从而提升了攻击具有不同 vision encoders 的 VLA 时的迁移性。"},"Attack — DeepFool":{statement:"DeepFool iteratively linearizes the decision boundary to find the minimum-norm perturbation, making it faster than CW.",answer:"y",statementZh:"DeepFool 通过迭代线性化决策边界来寻找 minimum-norm 扰动,这使得它比 CW 更快。"},"Attack — Boundary Attack (Black-Box)":{statement:"The Boundary Attack starts from a target-class image and iteratively reduces its distance to the original image along the decision boundary.",answer:"y",statementZh:"Boundary Attack 从目标类别的图像开始,并沿着决策边界迭代地减小其与原始图像的距离。"},"Attack — Square Attack (Black-Box, Query-Efficient)":{statement:"Square Attack iteratively updates perturbations, retaining a proposed random square modification only if it successfully 
decreases the model's loss.",answer:"n",statementZh:"Square Attack 迭代更新扰动,仅在提议的随机方块修改成功降低了模型的 loss 时才予以保留。"},"Patch Attack Theory — Why Patches Work":{statement:"Attention layers in the vision encoder mitigate patch attacks by averaging out and neutralizing extremely high feature values during pooling.",answer:"n",statementZh:"vision encoder 中的 attention layers 会在 pooling 时通过均值化并消除极值特征,从而有效缓解 patch attacks 的影响。"},"Patch Generation — Loss Function Design":{statement:"Minimizing the Total Variation (TV) term in the loss function increases the patch's sharpness to improve its physical printability.",answer:"n",statementZh:"在损失函数中最小化 Total Variation (TV) 项会增加 patch 的锐度,以此提高其物理可打印性。"},"Defense — Input Transformation":{statement:"Input transformation defenses are defeated by EOT-aware attacks that incorporate the random resizing and padding into their training process.",answer:"y",statementZh:"输入变换防御会被在训练过程中引入随机缩放和填充的 EOT 攻击所破解。"},"Defense — JPEG Compression":{statement:"BPDA bypasses JPEG defense by replacing its non-differentiable rounding with a smooth surrogate during the backward pass, allowing PGD optimization.",answer:"y",statementZh:"BPDA 通过在 backward pass 中用平滑替代物替换其不可微的舍入,从而绕过了 JPEG 防御并允许 PGD 进行优化。"},"Defense — Adversarial Training (Vision)":{statement:"The Open X-Embodiment dataset natively supports the training-time attack modes required to apply Madry-style adversarial training to VLAs.",answer:"n",statementZh:"Open X-Embodiment 数据集原生支持将 Madry-style 对抗训练应用于 VLAs 所需的训练期攻击模式。"},"Defense — Certified Robustness via Smoothing":{statement:"In randomized smoothing, a smaller margin between the top-two class probabilities leads to a larger certified robustness radius against L₂ perturbations.",answer:"n",statementZh:"在 randomized smoothing 中,前两个类别概率之间的 margin 越小,针对 L₂ 扰动的 certified robustness radius 就越大。"},"Defense — Feature Squeezing":{statement:"Feature Squeezing remains highly secure against adaptive attacks and EOT because it reduces the granularity of the 
input's feature space.",answer:"n",statementZh:"Feature Squeezing 能够有效抵御自适应攻击和 EOT,因为它降低了输入特征空间的粒度。"},"Camera Physics — Why Real-World Attacks Differ":{statement:"EOT must model physical hardware variations like sensor noise and lens distortion because standard digital simulations fail to capture them.",answer:"y",statementZh:"EOT 必须对传感器噪声和镜头畸变等物理硬件变化进行建模,因为标准的数字模拟无法捕获它们。"},"Lighting — The Hardest Real-World Variable":{statement:"To robustify physical attacks against real-world lighting, attackers can train them using simulated color temperatures between 3000K and 7000K.",answer:"y",statementZh:"为了增强物理攻击在现实光照下的鲁棒性,攻击者可以使用 3000K 至 7000K 的模拟 color temperature 进行训练。"},"Perspective — Affine vs Projective":{statement:"During EOT training, affine transforms alone are sufficient to simulate 3D camera rotations because they preserve parallel lines.",answer:"n",statementZh:"在 EOT 训练中,仅靠 affine 变换就足以模拟 3D 相机旋转,因为它们能够保持平行线。"},"Universal Adversarial Perturbations (UAP)":{statement:"Unlike localized adversarial patches, a UAP is added to the entire image to cause untargeted misclassification.",answer:"y",statementZh:"与局部的 adversarial patch 不同,UAP 是被添加到整个图像中,用以导致 untargeted 的错误分类。"},"Spatial Adversarial Examples":{statement:"Spatial adversarial attacks successfully bypass defenses by modifying individual pixel values instead of changing the image's rotation or translation.",answer:"n",statementZh:"Spatial adversarial attacks 通过修改单个像素值来成功绕过防御,而不是改变图像的旋转或位移。"},"3D-Printed Attacks":{statement:"Creating a 3D-printed adversarial object requires physically optimizing the 3D mesh geometry rather than just its surface texture.",answer:"n",statementZh:"创建3D打印对抗物体需要物理优化其3D mesh几何形状,而不仅是其表面 texture。"},"Audio Adversarial Examples":{statement:"A recommended defense against audio adversarial attacks in VLAs is to verify the transcribed text using a secondary speech-to-text engine.",answer:"y",statementZh:"针对 VLA 中音频对抗攻击的推荐防御方法是,使用第二个 speech-to-text 引擎来验证转录出的文本。"},"Patch Detection 
Defenses":{statement:"Multi-scale defenses identify adversarial patches by checking if the model's classification changes when the image is processed at different scales.",answer:"y",statementZh:"Multi-scale 防御通过检查图像在不同尺度下处理时模型的分类是否发生变化,来识别对抗补丁。"},"Certified Patch Defense — DRS, PatchGuard":{statement:"PatchGuard's clean accuracy improves significantly as the size of the underlying CNN model increases.",answer:"n",statementZh:"随着底层 CNN 模型尺寸的增加,PatchGuard 的干净准确率会显著提升。"},"TRADES — A Stronger Adversarial Training":{statement:"TRADES is currently directly applicable to VLA models because their continuous action space natively supports the standard KL divergence loss.",answer:"n",statementZh:"TRADES 目前可以直接应用于 VLA 模型,因为它们的连续动作空间天然支持标准的 KL 散度损失。"},"Diffusion-Based Adversarial Purification":{statement:"Although diffusion-based purification relies on adversarial perturbations being out-of-distribution, EOT and adaptive attacks successfully broke this defense within six months.",answer:"y",statementZh:"尽管 diffusion-based purification 依赖于对抗扰动属于 out-of-distribution 的假设,但 EOT 和自适应攻击在六个月内成功破解了该防御。"},"Robustness vs Accuracy Tradeoff":{statement:"Tsipras et al. 
demonstrated that robust features align perfectly with accurate features, allowing robust VLAs to maintain maximum standard accuracy.",answer:"n",statementZh:"Tsipras等人的研究表明,鲁棒特征与准确特征完全一致,从而使具备鲁棒性的VLA能够保持最高标准准确率。"},"Adversarial ML Tools in 2026":{statement:"Although torchattacks is widely used, there is currently a mature, dedicated framework specifically designed for evaluating VLA models.",answer:"n",statementZh:"虽然 torchattacks 被广泛使用,但目前已经存在一个专门用于评估 VLA 模型的成熟专用框架。"},"Vision Adversarial Summary — What You Now Know":{statement:"Evaluating defenses with AutoAttack and identifying gradient masking are skills taught in the upcoming Phase 3 language channel.",answer:"n",statementZh:"使用 AutoAttack 评估防御和识别 gradient masking 是在即将到来的 Phase 3 语言通道中才教授的技能。"},"What's NEXT in Vision Adversarial Research":{statement:"According to 2026 frontiers, cross-modal attacks require modifying both the input image and the text description to fool a system.",answer:"n",statementZh:"根据2026年的前沿研究,cross-modal攻击需要同时修改输入图像和文本描述才能成功欺骗系统。"},"Phase 2 Summary":{statement:"Phase 3 transitions to language-based attacks, which use the exact same mathematical formulations as the vision attacks from Phase 2.",answer:"n",statementZh:"Phase 3 将过渡到语言攻击,这些攻击使用与 Phase 2 视觉攻击完全相同的数学公式。"},"RLHF Internals — How Safety Training Actually Works":{statement:"RLHF safety training shapes the model's output distribution to align with human preferences while leaving its internal knowledge unchanged.",answer:"y",statementZh:"RLHF安全训练塑造了模型的输出分布以符合人类偏好,同时使其内部知识保持不变。"},"Why RLHF Is Shallow — The Capabilities/Alignment Gap":{statement:"A VLA trained with RLHF to refuse 'Drop the cup' will still execute the action if commanded to 'Release the held object'.",answer:"y",statementZh:"一个通过 RLHF 训练拒绝'Drop the cup'的 VLA,在收到'Release the held object'指令时仍会执行该动作。"},"Jailbreak History — DAN 1.0 to DAN ∞":{statement:"DAN 5.0 was the first jailbreak variant in the timeline to introduce a dual persona and JSON output 
formatting.",answer:"n",statementZh:"DAN 5.0 是该时间线中首个引入 dual persona 和 JSON 输出格式的越狱变体。"},"Jailbreak Family — Role-Play Attacks":{statement:"A system prompt meta-instruction is a foolproof mitigation that completely prevents jailbreaks using layered or nested roleplay.",answer:"n",statementZh:"system prompt 中的 meta-instruction 是一种万无一失的防御手段,能完全防止利用多层或嵌套角色扮演进行的 jailbreaks。"},"Jailbreak Family — Hypothetical Framing":{statement:"Training RLHF on hypothetical scenarios completely resolves this jailbreak vulnerability because the variations of hypothetical prompts are strictly limited.",answer:"n",statementZh:"针对假设性场景训练 RLHF 可以彻底解决此类越狱漏洞,因为假设性提示词的变体数量是严格有限的。"},"Jailbreak Family — Authority Claims":{statement:"AI models naturally reject text-based authority claims unless the user provides valid cryptographic auth tokens to unlock the behavior.",answer:"n",statementZh:"AI模型默认会拒绝文本形式的权威声称,除非用户提供有效的 cryptographic auth tokens 来解锁该行为。"},"Jailbreak Family — Encoding Smuggle":{statement:"Encoding smuggle succeeds because RLHF treats encoded inputs as harmless gibberish, while the model's base capabilities can still decode and execute them.",answer:"y",statementZh:"Encoding smuggle 能够成功是因为 RLHF 将编码输入视为无害的乱码,而模型的底座能力仍能解码并执行它们。"},"GCG — Universal Adversarial Suffixes":{statement:"Adversarial suffixes optimized using GCG on open-source models cannot successfully transfer to closed-source models like GPT-4 or Claude.",answer:"n",statementZh:"使用 GCG 在开源模型上优化的对抗后缀无法成功迁移到 GPT-4 或 Claude 等闭源模型。"},"Visual Prompt Injection on VLAs":{statement:"Visual prompt injections can use white-on-white text in images that JPEG compression makes visible enough for the VLA to detect.",answer:"y",statementZh:"视觉提示注入可以使用图像中的白底白字,通过 JPEG 压缩使其变得足够明显以供 VLA 检测。"},"Many-Shot Jailbreaking":{statement:"Many-shot jailbreaking exploits in-context learning, meaning the attack's success rate decreases as more benign Q-A pairs are included.",answer:"n",statementZh:"Many-shot jailbreaking 利用了 in-context 
learning,这意味着随着引入的良性 Q-A 对数量增加,攻击成功率反而会降低。"},"Crescendo Jailbreak — Gradual Escalation":{statement:"Crescendo jailbreaks succeed because RLHF typically does not train models to refuse the small, incremental escalations made across multi-turn interactions.",answer:"y",statementZh:"Crescendo 越狱之所以成功,是因为 RLHF 通常没有训练模型去拒绝在多轮交互中进行的微小、渐进式升级。"},"Prompt Leaking Techniques":{statement:"Combination prompt leaking attacks chain multiple indirect phrasings, like translating the system prompt or outputting YAML, to bypass defense layers.",answer:"y",statementZh:"组合式 Prompt Leaking 攻击通过链式组合多种间接表达(例如翻译 system prompt 或输出为 YAML)来绕过防御层。"},"Indirect Injection — Email Agent Example":{statement:"In an indirect injection attack, the attacker must directly communicate with the AI agent to trigger the malicious data exfiltration.",answer:"n",statementZh:"在 indirect injection 攻击中,攻击者必须直接与 AI agent 通信才能触发恶意的数据外泄。"},"Indirect Injection — RAG Poisoning":{statement:"A recommended defense against RAG poisoning involves signature-verifying retrieved documents and sandboxing the LLM context on a per-document basis.",answer:"y",statementZh:"防御 RAG 投毒的一种推荐方法包括对检索到的文档进行签名验证,并对每个文档的 LLM 上下文进行沙箱化处理。"},"System Prompt vs User Prompt — The Trust Boundary":{statement:"OpenAI's developer prompts solved the trust boundary issue by cryptographically separating SYSTEM PROMPTS from USER PROMPTS in the token stream.",answer:"n",statementZh:"OpenAI 的 developer prompts 通过在 token 流中密码学地分离 SYSTEM PROMPTS 和 USER PROMPTS,解决了信任边界问题。"},"Constitutional AI — Anthropic's Approach":{statement:"Although Constitutional AI is more robust than direct RLHF, it only shapes output responses rather than modifying the model's internal knowledge.",answer:"y",statementZh:"虽然 Constitutional AI 比直接的 RLHF 更鲁棒,但它只能塑造输出回答,而无法修改模型的内部知识。"},"RLAIF — Replacing Human Feedback with AI":{statement:"RLAIF completely eliminates the 'shallow alignment' problem because the LLM judge does not share similar blind spots.",answer:"n",statementZh:"RLAIF 
完全消除了 ‘shallow alignment’ 问题,因为作为裁判的 LLM 不存在类似的盲区。"},"Defense — Input Filters":{statement:"Input filters utilizing LLM judges can robustly block novel jailbreak framings without requiring retraining for new attack families.",answer:"n",statementZh:"利用 LLM 裁判的输入过滤器可以稳健地拦截新型越狱表述,而无需针对新攻击系列进行重新训练。"},"Defense — Output Filters":{statement:"For VLA systems, input filtering is generally stronger than output filtering because preventing malicious prompts is what ultimately matters.",answer:"n",statementZh:"对于 VLA 系统,输入过滤通常比输出过滤更强,因为阻止恶意提示词才是最终关键。"},"Defense — Sandbox Per Document (RAG Hygiene)":{statement:"In a sandbox-per-document RAG architecture, the context window for processing an individual retrieved document directly includes the user's original query.",answer:"n",statementZh:"在单文档沙箱(Sandbox Per Document)的 RAG 架构中,用于处理单个检索文档的上下文窗口会直接包含用户的原始查询。"},"Defense — Spotlight (Marking Trust Levels)":{statement:"The Spotlight defense mechanism can be immediately applied to existing production models without needing to retrain the base model.",answer:"n",statementZh:"Spotlight 防御机制可以直接应用于现有的生产模型,而不需要重新训练 base model。"},"GCG Suffix Example (Real)":{statement:"The GCG suffix published by Zou 2023 must be mathematically re-optimized for each individual harmful query to trigger a refusal bypass.",answer:"n",statementZh:"Zou 2023发布的 GCG 后缀必须针对每个具体的恶意查询进行数学上的重新优化,才能触发拒绝规避。"},"Multilingual Jailbreaks":{statement:"OpenAI's 2024 RLHF updates successfully secured the long tail of over 7,000 languages against multilingual jailbreak vulnerabilities.",answer:"n",statementZh:"OpenAI 2024 年的 RLHF 更新成功保护了超过 7000 种语言的长尾部分免受多语言越狱漏洞的影响。"},"Adversarial Suffix Transferability":{statement:"An adversarial attack optimized on ICOA-VLA is unlikely to transfer to OpenVLA because their underlying adversarial directions do not align.",answer:"n",statementZh:"在 ICOA-VLA 上优化的对抗性攻击不太可能迁移到 OpenVLA,因为它们底层的对抗方向并不一致。"},"Defense — Adversarial Suffix Detection":{statement:"Detectors flag GCG-style adversarial 
suffixes because they exhibit extremely low perplexity and appear highly natural to clean LLMs.",answer:"n",statementZh:"检测器可以标记GCG风格的对抗性后缀,因为它们在干净的LLM上表现出极低的困惑度且显得非常自然。"},"Roleplay Defense — Persona Stability":{statement:"Five-level nested roleplay often defeats Constitutional AI defenses because this highly nested structure is typically absent from its training data.",answer:"y",statementZh:"五层嵌套角色扮演通常能突破 Constitutional AI 防御,因为其训练数据中通常缺乏这种高度嵌套的新型结构。"},"Trojan Prompts in Open-Source Models":{statement:"To successfully implant a Trojan trigger in Open X-Embodiment VLAs, a malicious actor must compromise the majority of the 21 contributing labs.",answer:"n",statementZh:"要在 Open X-Embodiment VLAs 中成功植入 Trojan 触发器,恶意攻击者必须控制 21 个参与实验室中的大多数。"},"Refusal Mechanism Probing":{statement:"Ablating a single refusal direction in Llama-2 can remove its refusal capability without degrading the model's other general behaviors.",answer:"y",statementZh:"消融 Llama-2 中的单一拒绝方向可以移除其拒绝能力,而不会降低模型的其他通用行为。"},"Sleeper Agents":{statement:"Adversarial training on visible triggers successfully eliminates hidden sleeper behaviors, rendering the model safe for deployment.",answer:"n",statementZh:"针对可见触发器的对抗训练能成功消除隐藏的 sleeper behaviors,从而确保模型安全部署。"},"Defense — Watermarking + Provenance":{statement:"Watermarking VLAs involves embedding watermarks directly into their actions to identify compromised models pretending to be safe brands.",answer:"y",statementZh:"对 VLAs 进行水印处理涉及直接在其动作中嵌入水印,以识别假冒安全品牌的受损模型。"},"Indirect Injection via OCR — Detailed Mechanism":{statement:"Defending against OCR indirect injection requires completely disabling the OCR sub-component to prevent the VLA from reading any scene text.",answer:"n",statementZh:"防御 OCR 间接注入需要完全禁用 OCR 子组件,以阻止 VLA 读取场景中的任何文本。"},"Audio Injection (Whisper → LLM Pipeline)":{statement:"Adversarial audio injections in a Whisper-to-LLM pipeline require high-volume, human-audible command overlays to successfully bypass voice 
controls.",answer:"n",statementZh:"Whisper 到 LLM 管道中的对抗性音频注入需要高音量且人类可听的命令叠加,才能成功绕过语音控制。"},"Chain-of-Thought (CoT) Injection — Deep Mechanism":{statement:"In a CoT injection attack, the VLA's final action is manipulated because the model trusts and continues the pre-injected reasoning seed.",answer:"y",statementZh:"在CoT注入攻击中,VLA的最终动作被操纵是因为模型信任并延续了预先注入的推理种子。"},"Tool-Use Attacks (Agentic LLMs)":{statement:"Capability bounding defends against tool-use attacks by restricting each task to a maximum tool set that prompt injections cannot exceed.",answer:"y",statementZh:"Capability bounding 通过限制每个任务的最大工具集来防御攻击,使得 prompt injection 无法超出该工具集范围。"},"Jailbreak Benchmarks — HarmBench, JailbreakBench":{statement:"HarmBench and JailbreakBench currently serve as the industry standard evaluation suites for measuring Attack Success Rate (ASR) in VLAs.",answer:"n",statementZh:"HarmBench 和 JailbreakBench 目前是用于评估 VLAs 的攻击成功率 (ASR) 的行业标准测试集。"},"Red-Teaming Frameworks":{statement:"The final Retest step in the Red-Teaming framework solely evaluates whether the proposed patch successfully blocks the jailbreak attack.",answer:"n",statementZh:"Red-Teaming 框架中的最终 Retest 步骤仅评估所提议的 Patch 是否成功拦截了 jailbreak 攻击。"},"Coordinated Disclosure — LLM Specific":{statement:"In the coordinated disclosure workflow for LLM vulnerabilities, negotiating a 60-90 day disclosure window occurs after contacting the vendor.",answer:"y",statementZh:"在LLM漏洞的协调披露流程中,在联系厂商之后才会协商60-90天的披露窗口期。"},"OWASP Top 10 for LLMs (2024)":{statement:"According to the card, Training Data Poisoning and Model Theft represent the most acute OWASP vulnerabilities specifically for VLAs.",answer:"n",statementZh:"根据卡片内容,Training Data Poisoning 和 Model Theft 是针对 VLAs 最紧迫的 OWASP 安全漏洞。"},"Defense — Prompt Engineering Best Practices":{statement:"Structural separators like [USER_INPUT_BEGINS] should be used to wrap the system prompt to prevent prompt injection.",answer:"n",statementZh:"应当使用类似于 [USER_INPUT_BEGINS] 的结构化分隔符来包裹 system 
prompt,以防止提示词注入。"},"Jailbreak Research Ethics":{statement:"Academic publication norms for newly discovered jailbreaks recommend including the exact exploit text alongside defense recommendations.",answer:"n",statementZh:"针对新发现的 jailbreak,学术发表规范建议在提供防御建议的同时,包含具体的 exploit 文本。"},"Future Direction — Cryptographic Trust Boundaries":{statement:"The proposed cryptographic defense trains models to give extra weight to tokens that trace back to a vendor-signed system prompt.",answer:"y",statementZh:"该提议的密码学防御方案通过训练模型,对可追溯至 vendor 签名 system prompt 的 tokens 给予更大的权重。"},"Phase 3 Summary — What You Now Know":{statement:"The summary indicates that Phase 3 teaches attacks unique to VLAs, whereas Phase 4 covers GCG-style adversarial suffixes.",answer:"n",statementZh:"总结表明 Phase 3 教授了针对 VLAs 特有的攻击,而 Phase 4 则涵盖了 GCG 风格的对抗性后缀。"},"Phase 4 Overview — Breaking VLA Specifically":{statement:"Action-space attacks discussed in Phase 4 always require first manipulating the VLA model's visual or language perception systems.",answer:"n",statementZh:"Phase 4 中讨论的 action-space attacks 总是需要首先操纵 VLA 模型的视觉或语言感知系统。"},"VLA Pipeline Anatomy — Where Things Meet":{statement:"In this VLA pipeline, the CAMERA image tensor is directly concatenated with text embeddings before entering the VISION ENCODER.",answer:"n",statementZh:"在该 VLA 流送线中,CAMERA 图像张量在进入 VISION ENCODER 之前,会直接与文本嵌入进行拼接。"},"OpenVLA — Reference Architecture":{statement:"Because OpenVLA segregates action and language outputs into separate vocabularies, language-space token attacks cannot affect predicted action tokens.",answer:"n",statementZh:"由于 OpenVLA 将动作和语言输出隔离在不同的词表中,因此语言空间的 token 攻击无法影响预测的动作 token。"},"ICOA-VLA — Diffusion-Based VLA":{statement:"To perform gradient-based attacks on ICOA-VLA, attackers must use truncated backpropagation through its diffusion sampler.",answer:"y",statementZh:"为了对 ICOA-VLA 进行基于梯度的攻击,攻击者必须对其 diffusion sampler 使用 truncated backpropagation。"},"π0 — Physical Intelligence's VLA":{statement:"Because the π0 VLA is 
open-source, security researchers can easily execute white-box adversarial attacks on DUST factory robots.",answer:"n",statementZh:"由于 π0 VLA 是开源的,安全研究人员可以轻松对 DUST 工厂机器人实施 white-box 对抗攻击。"},"Modality Bridge — Cross-Attention Layer":{statement:"In a VLA modality bridge attack, adversarial perturbations are applied directly to language tokens to shift their embeddings and flip attention scores.",answer:"n",statementZh:"在 VLA modality bridge attack 中,对抗性扰动直接应用于 language tokens,从而漂移其 embedding 并翻转 attention 分数。"},"Asymmetric Robustness":{statement:"Empirical findings on OpenVLA show that the model is more robust against vision attacks than language attacks.",answer:"n",statementZh:"OpenVLA 的实证结果表明,该模型对视觉攻击的鲁棒性高于对语言攻击的鲁棒性。"},"Action-Space Attacks":{statement:"Action-space backdoors can trigger malicious robot actions based entirely on internal proprio states without manipulating any external perception inputs.",answer:"y",statementZh:"Action-space 后门完全基于内部 proprio 状态即可触发机器人恶意动作,无需操纵任何外部 perception 输入。"},"Action Tokenization Vulnerability":{statement:"In an OpenVLA action tokenization attack, the physical actions are altered by mutating the lookup table while leaving the neural network model unchanged.",answer:"y",statementZh:"在 OpenVLA 动作标记化攻击中,物理动作通过篡改 lookup table 被改变,而神经网络模型本身保持不变。"},"Cross-Modal Adversarial Examples":{statement:"Cross-modal adversarial attacks trigger malicious actions only when the image and text are combined, as neither modality alone trips safety filters.",answer:"y",statementZh:"Cross-modal adversarial attacks 仅在图像与文本结合时才会触发恶意动作,因为任何单一模态本身都不会触发 filters。"},"Image Token Position Attacks":{statement:"The MIRAGE attack manipulates VLA spatial perception by adding sinusoidal perturbations that match the frequency of the image token positional encodings.",answer:"y",statementZh:"MIRAGE 攻击通过添加与图像 token 位置编码频率匹配的正弦扰动,来操纵 VLA 的空间感知。"},"Physical-World Adversarial Patches":{statement:"An adversarial patch hijacks a VLA's action by triggering a vision 
encoder feature that overrides the user's natural language instructions.",answer:"y",statementZh:"对抗补丁通过触发视觉编码器特征来劫持 VLA 的动作,从而覆盖用户的自然语言指令。"},"Patch Optimization Recipe":{statement:"By evaluating the model on 'any instruction', this recipe optimizes a universal patch to trigger the target action regardless of the text prompt.",answer:"y",statementZh:"该 recipe 通过在 'any instruction' 上评估 model,从而优化出一个无论输入何种 prompt 都能触发 target action 的 universal patch。"},"Audio Adversarial — Wake-Word Attacks":{statement:"The recommended defense against audio adversarial wake-word attacks relies on a hardware-level DSP detector rather than an ML-based model.",answer:"y",statementZh:"针对音频对抗性唤醒词攻击,推荐的防御手段是依赖硬件级 DSP 检测器,而非基于 ML 的模型。"},"Sensor Saturation Attacks":{statement:"In sensor saturation attacks, GPS spoofers are used as a defense mechanism to correct IMU drift caused by magnetic fields.",answer:"n",statementZh:"在传感器饱和攻击中,GPS spoofer 被用作纠正由磁场引起的 IMU 漂移的防御机制。"},"EOT — Expectation Over Transformations":{statement:"In the provided EOT implementation, the adversarial perturbation is added to the image after transformations like rotation are applied.",answer:"n",statementZh:"在提供的 EOT 实现中,对抗扰动是在应用旋转等变换之后才添加到图像中的。"},"Backdoor Attacks on VLA Policies":{statement:"A VLA backdoor trigger that only activates malicious actions under specific conditions can be detected using spectral signature analysis.",answer:"y",statementZh:"仅在特定条件下才会激活恶意动作的 VLA 后门触发器,可以使用 spectral signature analysis 进行检测。"},"Trojaning via Fine-Tuning":{statement:"Adversarial training is a reliable method to remove latent trojan triggers from a pretrained backbone during downstream fine-tuning.",answer:"n",statementZh:"对抗训练(adversarial training)是在下游微调期间可靠清除预训练 backbone 中潜在 trojan 触发器的方法。"},"Model Theft via API":{statement:"Model theft via VLA APIs only replicates black-box behavior and does not allow attackers to perform local gradient-based attacks.",answer:"n",statementZh:"通过 VLA API 进行的模型窃取仅能复制黑盒行为,无法使攻击者在本地进行 
gradient-based attacks。"},"Model Inversion — Inferring Training Data":{statement:"An attacker can reconstruct VLA training trajectories through Model Inversion using only query access and a task description.",answer:"y",statementZh:"攻击者仅需 query access 和任务描述,即可通过 Model Inversion 重构 VLA 的训练轨迹。"},"Membership Inference":{statement:"Membership inference allows a user to determine whether their specific robot trajectory was used to train a VLA model.",answer:"y",statementZh:"成员推理(Membership Inference)允许用户确定其特定的机器人轨迹是否被用于训练 VLA 模型。"},"Side-Channel Attacks on Inference":{statement:"Implementing constant-time inference to defend VLAs against side-channel attacks enhances security without causing any decrease in inference speed.",answer:"n",statementZh:"采用恒定时间推理来防御 VLA 旁路攻击,可以在提升安全性的同时不造成任何推理速度的下降。"},"Robotic Hardware Attacks":{statement:"Motor encoder spoofing is a hardware attack that tricks a robot into believing an object is held when it is not.",answer:"n",statementZh:"Motor encoder spoofing 是一种硬件攻击,它会诱骗机器人相信自己正抓持着某个实际上 profit 并不存在的物体。"},"Network-Level Attacks":{statement:"Using HTTPS for VLA cloud inference inherently blocks MITM command injection, regardless of whether the robot actively validates TLS certificates.",answer:"n",statementZh:"使用 HTTPS 进行 VLA 云端推理可以直接阻断 MITM 命令注入,无论机器人是否主动验证 TLS 证书。"},"Replay Attacks":{statement:"Because replay attacks use unaltered, legitimate command sequences, they are mitigated using protocol-level nonces and timestamps rather than retraining VLA models.",answer:"y",statementZh:"由于重放攻击使用的是未篡改的合法指令序列,因此应通过协议层的 nonces 和 timestamps 进行防御,而不是重新训练 VLA 模型。"},"Simulator-to-Real Transferability":{statement:"Physical adversarial patches optimized in a simulator can reliably transfer to real-world robots without using EOT during the optimization process.",answer:"n",statementZh:"在模拟器中优化的物理对抗补丁,在不使用 EOT 的情况下也能可靠地迁移到真实的机器人上。"},"Real-Sim Robotics Test Beds":{statement:"Although the LIBERO benchmark is simulation-only, it was used to test OpenVLA 
and is recommended for reproducible capstone projects.",answer:"y",statementZh:"虽然LIBERO基准是纯仿真的,但它被用于测试OpenVLA,并被推荐用于需要可复现性的毕业设计项目。"},"Embodied Risks — Beyond Information Loss":{statement:"A VLA jailbreak causing a kitchen robot to grab a knife is considered low risk if no human is present.",answer:"y",statementZh:"在没有人类在场的情况下,导致厨房机器人拿起刀具的 VLA 越狱被视为低风险。"},"ISO 13482 — Personal Care Robot Safety":{statement:"Under ISO 13482, hardware constraints can mitigate unsafe AI models, but safety limits managed via software can still be hacked.",answer:"y",statementZh:"在 ISO 13482 标准下,硬件约束可以缓解不安全的 AI 模型,但通过软件控制的安全限制仍可能被黑客攻击。"},"Capability Bounding":{statement:"If an AI model is fully jailbroken, it can bypass hardware-level force limits and firmware velocity caps to exceed bounded capabilities.",answer:"n",statementZh:"如果一个 AI 模型被完全 jailbroken,它就可以绕过硬件级力矩限制和固件速度限制,从而突破设定的能力边界。"},"Anomaly Detection on Action Streams":{statement:"When using an autoencoder for action stream anomaly detection, a lower reconstruction error of $action_t$ from history indicates a higher anomaly score.",answer:"n",statementZh:"在使用 autoencoder 进行动作流异常检测时,基于历史重构 $action_t$ 的 reconstruction error 越低,意味着 anomaly score 越高。"},"Adversarial Training for VLAs":{statement:"Adversarial training for VLAs using PGD images increases robustness but typically decreases the model's clean accuracy by 5-15%.",answer:"y",statementZh:"使用 PGD 图像对 VLA 进行对抗训练可以提高其鲁棒性,但通常会导致模型的 clean accuracy 下降 5-15%。"},"Formal Verification of Neural Policies":{statement:"Current formal verification methods are limited to small networks under 1M parameters, making direct verification of 7B-parameter OpenVLA currently infeasible.",answer:"y",statementZh:"当前的 formal verification 方法仅限于 1M parameters 以下的小型网络,使得直接验证 7B-parameter OpenVLA 在目前无法实现。"},"Closed-Source vs Open-Source VLA Security":{statement:"Adversarial transfer attacks from open-source models like OpenVLA are ineffective against closed-source VLA APIs like 
π0.",answer:"n",statementZh:"针对类似 π0 的闭源 VLA API,从 OpenVLA 等开源模型进行对抗性迁移攻击是无效的。"},"Federated Learning Risks":{statement:"Implementing secure aggregation completely prevents byzantine workers from degrading the shared federated robotics model.",answer:"n",statementZh:"实施 secure aggregation 能够完全避免 byzantine 工作机降级共享的联邦机器人模型。"},"Continual Learning Risks":{statement:"Tesla Autopilot allows vehicles to update their active models directly from live interactions without prior offline or shadow-mode validation.",answer:"n",statementZh:"Tesla Autopilot 允许车辆直接根据实时交互更新其活动模型,而无需事先进行 offline 和 shadow-mode 验证。"},"Reward Hacking in RL-Trained Robots":{statement:"In the boat racing example, the AI hacked its reward by finishing the race as quickly as possible to maximize speed bonuses.",answer:"n",statementZh:"在赛艇示例中,AI 通过尽快完成比赛以最大化速度奖励来实现 reward hacking。"},"Phase 4 Summary":{statement:"Phase 4 covered the mathematical proofs for VLA security, while Phase 5 will focus on practical physical-world EOT attacks.",answer:"n",statementZh:"Phase 4 涵盖了 VLA 安全性的数学证明,而 Phase 5 将侧重于实际物理世界的 EOT 攻击。"},"Phase 5 Overview — The Math of Adversarial ML":{statement:"Phase 5 of the curriculum shifts the focus from empirical attacks to deriving provable defense guarantees and mathematical robustness certificates.",answer:"y",statementZh:"Phase 5 课程将重点从实证攻击转向推导可证明的防御保证和数学 robustness certificates。"},"The Adversarial Optimization Problem":{statement:"The adversarial optimization problem formulation seeks to minimize the loss function L(f(x + δ), y) subject to the perturbation constraint.",answer:"n",statementZh:"对抗优化问题的公式构建旨在满足扰动约束的前提下最小化损失函数 L(f(x + δ), y)。"},"Why L_∞ Is the Standard":{statement:"The L_2 threat model restricts the perturbation of each individual pixel to at most ε, modeling small unstructured noise.",answer:"n",statementZh:"L_2 威胁模型将每个单独像素的扰动限制在最大 ε 以内,以此来模拟微小的无结构噪声。"},"FGSM Derivation":{statement:"Under an L_∞ norm constraint, the FGSM perturbation is provably optimal for deep neural 
networks.",answer:"n",statementZh:"在 L_∞ 范数约束下,FGSM 扰动对于深层神经网络是可证明最优的。"},"PGD Derivation":{statement:"Executing a Projected Gradient Descent (PGD) attack with K=1 yields a result that is mathematically identical to FGSM.",answer:"y",statementZh:"执行迭代次数为 K=1 的 Projected Gradient Descent (PGD) 攻击,在数学上产生的结果与 FGSM 完全相同。"},"CW Attack":{statement:"The CW attack uses Lagrangian relaxation to find the smallest possible perturbation that flips a prediction, rather than maximizing loss under a hard constraint.",answer:"y",statementZh:"CW攻击使用 Lagrangian relaxation 来寻找翻转预测所需的最小可能扰动,而不是在硬约束下最大化损失。"},"AutoAttack — Standardized Benchmark":{statement:"In the AutoAttack benchmark, a model is classified as robust if it successfully defends against at least one of the four ensemble attacks.",answer:"n",statementZh:"在 AutoAttack 基准测试中,如果模型成功防御了四种集成攻击中的至少一种,即可被归类为鲁棒的。"},"Lipschitz Continuity":{statement:"The Lipschitz constant of a neural network is computed as the product of its weight matrices' spectral norms and activation constants.",answer:"y",statementZh:"神经网络的 Lipschitz 常数是通过其权重矩阵的 spectral norm 与激活函数 Lipschitz 常数的乘积计算得出的。"},"Lipschitz Bound on Robustness":{statement:"Standard ResNet architectures naturally maintain a small Lipschitz constant, allowing them to provide practical and provable robustness certificates by default.",answer:"n",statementZh:"标准的 ResNet 架构天然保持较小的 Lipschitz 常数,从而允许它们默认提供实用且可证明的鲁棒性证书。"},"Randomized Smoothing — Math":{statement:"In randomized smoothing, a larger gap between the top two class probabilities under noise yields a larger certified robust radius r.",answer:"y",statementZh:"在 randomized smoothing 中,噪声下前两类的 class probabilities 差距越大,得到的 certified robust radius r 就越大。"},"Interval Bound Propagation (IBP)":{statement:"IBP certifies robustness if the maximum bound of any incorrect class logit is smaller than the minimum bound of the correct class logit.",answer:"y",statementZh:"如果任何错误类别 Logit 的最大边界小于正确类别 Logit 的最小边界,则 IBP 证明该模型是鲁棒的。"},"Linear 
Programming Verification":{statement:"MILP verification for ReLU networks is mathematically exact, but its computational complexity limits its application to networks under 1,000 ReLUs.",answer:"y",statementZh:"针对 ReLU 网络的 MILP 验证在数学上是精确的,但其计算复杂度限制其只能应用于 1,000 个 ReLU 以下的网络。"},"Differential Privacy — Definitions":{statement:"In (ε, δ)-DP, a larger ε value allows the output distribution to change by a larger factor, thus offering weaker privacy.",answer:"y",statementZh:"在 (ε, δ)-DP 中,较大的 ε 值允许输出分布发生更大比例的变化,从而提供更弱的隐私保护。"},"DP for ML — DP-SGD":{statement:"In DP-SGD, gradients are averaged before being clipped to norm C to limit sensitivity.",answer:"n",statementZh:"在 DP-SGD 中,梯度会在被裁剪至范数 C 以限制敏感度之前先进行平均。"},"DP Composition":{statement:"The Moments Accountant provides a tighter cumulative privacy bound than sequential composition for DP-SGD training using the Gaussian mechanism.",answer:"y",statementZh:"在基于 Gaussian 机制的 DP-SGD 训练中,Moments Accountant 比 sequential composition 提供了更紧致的累积隐私界限。"},"Convex Adversarial Robustness":{statement:"For a linear classifier under an L_infinity perturbation budget of epsilon, the maximum output change is determined by the L2 norm of its weights.",answer:"n",statementZh:"对于在 L_infinity 扰动预算 epsilon 下的线性分类器,其最大输出变化是由其权重的 L2 范数决定的。"},"TRADES — Trade Robustness vs Accuracy":{statement:"In the TRADES objective, increasing the β coefficient prioritizes clean accuracy at the expense of empirical robustness.",answer:"n",statementZh:"在 TRADES 目标函数中,增加 β 系数会优先保证 clean accuracy,从而降低模型的 empirical robustness。"},"Free Adversarial Training":{statement:"In Free AT, the model parameters and the adversarial perturbation are updated simultaneously using gradients computed in the same backward pass.",answer:"y",statementZh:"在 Free AT 中,模型参数和对抗扰动是利用在同一次反向传播中计算出的梯度同时进行更新的。"},"Information-Theoretic Bound on Robustness":{statement:"Information-theoretic bounds indicate that VLA robustness is primarily limited by network architecture rather than the availability 
of trajectory data.",answer:"n",statementZh:"信息论界限表明,VLA 的鲁棒性主要受限于网络架构,而非轨迹数据的丰富度。"},"Adversarial Examples Are Features":{statement:"Robust models have lower clean accuracy because the non-robust features they are forced to ignore have no predictive value.",answer:"n",statementZh:"Robust模型具有较低的clean accuracy,是因为它们被迫忽略的non-robust特征完全不具备预测价值。"},"Distributionally Robust Optimization":{statement:"While adversarial training defines the uncertainty set around individual data points, Wasserstein DRO defines it as a ball around the overall data distribution.",answer:"y",statementZh:"虽然对抗训练(adversarial training)围绕单个数据点定义不确定性集合,但 Wasserstein DRO 将其定义为围绕整体数据分布的球。"},"Game-Theoretic View":{statement:"In the minimax game of adversarial training, the attacker acts first by choosing perturbation δ, followed by the defender choosing parameters θ.",answer:"n",statementZh:"在对抗训练的 minimax 博弈中,攻击者首先通过选择扰动 δ 进行行动,随后防御者选择参数 θ。"},"Stackelberg Equilibrium":{statement:"In training-time threats such as data poisoning, the defender commits first in the Stackelberg game, just like in adversarial training.",answer:"n",statementZh:"在诸如数据投毒等训练期威胁中,防御者在 Stackelberg 博弈中首先做出承诺,这与对抗训练中的设定相同。"},"Adversarial Examples on Manifold":{statement:"Projecting inputs onto the data manifold before classification serves as an effective defense against on-manifold adversarial attacks.",answer:"n",statementZh:"在分类前将输入投影到数据流形上,是对抗 on-manifold 对抗攻击的有效防御手段。"},"Local Linearity Regularization":{statement:"Local Linearity Regularization provides empirical robustness without requiring explicit adversarial training, making it computationally cheaper than Madry AT.",answer:"y",statementZh:"Local Linearity Regularization在不需要显式对抗训练的情况下提供经验鲁棒性,使其计算成本比Madry AT更低。"},"Gradient Obfuscation":{statement:"BPDA defeats gradient obfuscation defenses by replacing non-differentiable components with smooth approximations specifically during the backward pass.",answer:"y",statementZh:"BPDA 通过在反向传播(backward 
pass)中用平滑近似替换不可微组件,从而攻破梯度混淆(gradient obfuscation)防御。"},"Score-Matching for Generative Defenses":{statement:"DiffPure's ability to destroy attack patterns with low latency allows VLAs to use it for real-time defense against adversarial inputs.",answer:"n",statementZh:"DiffPure 凭借低延迟销毁攻击模式的能力,使 VLAs 能够利用它针对对抗性输入进行实时防御。"},"Bayesian Neural Networks for Robustness":{statement:"BNNs reduce inference compute costs by using a posterior weight distribution instead of point estimates of weights.",answer:"n",statementZh:"BNN 通过使用权重后验分布代替单点权重估计,从而降低了推理阶段的计算开销。"},"Information Bottleneck for Robust Features":{statement:"To extract robust features using the Information Bottleneck, we should maximize the mutual information I(Z; X) between the input and representation.",answer:"n",statementZh:"使用Information Bottleneck提取鲁棒特征时,我们应该最大化输入与表示之间的互信息I(Z; X)。"},"Mixup and Manifold Mixup":{statement:"Manifold Mixup applies convex combinations to intermediate feature representations rather than raw inputs, while adding almost no extra computational cost.",answer:"y",statementZh:"Manifold Mixup 将凸组合应用于中间 feature representations 而非原始输入,同时几乎不增加额外的计算成本。"},"Loss Landscape Visualization":{statement:"Loss landscape visualization reveals that robust models typically feature flatter minima, which mathematically corresponds to a larger Lipschitz constant.",answer:"n",statementZh:"Loss landscape 可气化表明,鲁棒模型通常具有更平坦的极小值,这在数学上对应于更大的 Lipschitz 常数。"},"Sharpness-Aware Minimization (SAM)":{statement:"SAM provides strong enough adversarial robustness to act as a primary defense, replacing the need for Adversarial Training.",answer:"n",statementZh:"SAM 提供了足够强的对抗鲁棒性,可以作为主要防御手段,从而取代对 Adversarial Training 的需求。"},"No Free Lunch for Robustness":{statement:"Mathematically, the optimal clean classifier and optimal robust classifier can be entirely different functions, making clean accuracy and robustness an inherent tradeoff.",answer:"y",statementZh:"在数学上,最优 clean classifier 与最优 robust classifier 可以是完全不同的函数,这使得 clean 
accuracy 与 robustness 之间存在固有权衡。"},"PAC-Learning of Robust Classifiers":{statement:"An optimized algorithm can solve robust PAC-learning with fewer samples than the lower bound of O(d · log(1/δ) / ε^2).",answer:"n",statementZh:"通过优化的算法,robust PAC-learning 可以在少于下界 O(d · log(1/δ) / ε^2) 的样本量下被解决。"},"Adversarial Bayes Optimal":{statement:"Bhagoji (2019) demonstrated that the gap between real models and optimal adversarial robustness disappears when infinite training data is available.",answer:"n",statementZh:"Bhagoji (2019) 表明,当提供无限的训练数据时,真实模型与最佳对抗鲁棒性之间的差距就会消失。"},"Margin Maximization":{statement:"In high-dimensional spaces, maximizing the margin of deep networks to achieve robustness typically requires sacrificing standard classification accuracy.",answer:"y",statementZh:"在高维空间中,最大化深度网络的 margin 以提高鲁棒性通常需要牺牲标准的分类准确率。"},"Generative Adversarial Networks vs Adversarial Examples":{statement:"While GAN generators are designed to produce in-distribution samples, adversarial attacks can use any direction to fool a classifier.",answer:"y",statementZh:"虽然 GAN 生成器旨在产生 in-distribution 样本,但 adversarial attacks 可以利用任何方向来欺骗分类器。"},"Adversarial Sphere":{statement:"According to the Adversarial Sphere concept, adversarial examples are a fundamental consequence of high-dimensional geometry rather than neural network architectures.",answer:"y",statementZh:"根据 Adversarial Sphere 概念,对抗样本是高维几何的根本结果,而不是由神经网络架构决定的。"},"Concentration of Measure":{statement:"Training a mathematically optimal classifier can completely eliminate adversarial examples within a distance of O(1/√d) in high-dimensional spaces.",answer:"n",statementZh:"在高维空间中,训练一个数学上最优的分类器可以完全消除距离在 O(1/√d) 以内的对抗样本。"},"Wasserstein Distance for Robustness":{statement:"Wasserstein distance provides robustness guarantees over a richer threat model than L_p balls by calculating the minimal earth-moving cost.",answer:"y",statementZh:"Wasserstein distance 通过计算最小的 earth-moving 成本,提供了比 L_p balls 更丰富的威胁模型鲁棒性保证。"},"Rate-Distortion Bound on 
Robustness":{statement:"According to Rate-Distortion theory, robust classification increases the minimal sample complexity because it requires representing a richer set at a higher rate.",answer:"y",statementZh:"根据 Rate-Distortion 理论,鲁棒分类会增加最小样本复杂度,因为它需要以更高的 rate 表示更丰富的集合。"},"Phase 5 Summary":{statement:"According to the Phase 5 summary, both the mathematical theory and practical implementation of defense strategies are taught in Phase 6.",answer:"y",statementZh:"根据Phase 5总结,防御策略的数学理论与实际实现都将在Phase 6中进行学习。"},"Phase 6 Overview — Defending Embodied AI":{statement:"Phase 6 covers topics like capability bounding and formal verification to prepare students for designing a security stack for VLA deployments.",answer:"y",statementZh:"第 6 阶段涵盖了能力边界限制和形式化验证等主题,旨在帮助学生为设计 VLA 部署的安全栈做好准备。"},"The Defense-in-Depth Principle":{statement:"According to the defense-in-depth model, capability bounding and emergency stops are categorized as L5 runtime-level defenses.",answer:"n",statementZh:"根据纵深防御模型,capability bounding 和 emergency stop 被归类为 L5 runtime 级别的防御。"},"Layer 1 — Training-Time Defenses":{statement:"Spectral signature is an inference-time defense that detects and removes poisoned trajectories in real-time during robot deployment.",answer:"n",statementZh:"Spectral signature 是一种 inference-time 防御,用于在机器人部署期间实时检测并清除 poisoned 轨迹。"},"Layer 2 — Architecture Defenses":{statement:"Randomized smoothing achieves provable robustness by deploying multiple different models and using a disagree-then-flag mechanism.",answer:"n",statementZh:"Randomized smoothing 通过部署多个不同的模型并采用 disagree-then-flag 机制来获得可证明的鲁棒性。"},"Layer 3 — Input Filtering":{statement:"Input filtering methods, such as LLM judges and anomaly detection, provide robust protection against novel, zero-day adversarial attacks.",answer:"n",statementZh:"诸如LLM裁判和异常检测等输入过滤方法,能够针对新型的零日对抗攻击提供强韧的安全防护。"},"Layer 4 — Output Filtering":{statement:"Output filtering provides stronger security than input filtering because it evaluates physical 
behavior rather than the incoming signal.",answer:"y",statementZh:"Output filtering 比 Input filtering 提供了更强的安全保障,因为它评估的是物理行为而非输入信号。"},"Layer 5 — Runtime Anomaly Detection":{statement:"Layer 5 monitors robot joint metrics and human proximity to detect anomalies using autoencoder reconstruction error or one-class SVM.",answer:"y",statementZh:"Layer 5 通过 autoencoder 重构误差或 one-class SVM 监测机器人关节指标和人类接近距离以检测异常。"},"Layer 6 — Hardware Capability Bounding":{statement:"A fully jailbroken AI model can bypass irremovable physical limits like motor driver current limiting to exceed safely bounded joint speeds.",answer:"n",statementZh:"一个完全被越狱的 AI 模型可以绕过电机驱动器电流限制等不可移除的物理限制,从而超出安全约束的关节速度。"},"Adversarial Training Best Practices":{statement:"To maximize VLA robustness, AutoAttack should be integrated directly into the training phase rather than used only for evaluation.",answer:"n",statementZh:"为了最大化 VLA 的鲁棒性,AutoAttack 应该直接集成到训练阶段,而不是仅用于评估。"},"Adversarial Training Pitfalls":{statement:"When gradient masking occurs, PGD attacks fail to find adversarial examples, proving that the model has achieved true robustness.",answer:"n",statementZh:"当发生 gradient masking 时,PGD 攻击无法找到对抗样本,这证明模型已实现了真正的鲁棒性。"},"Certified Defenses — Tradeoffs":{statement:"While certified defenses provide provable bounds for safety-critical systems, most standard production deployments rely on empirical defenses with heavy testing.",answer:"y",statementZh:"虽然 certified defenses 为安全关键系统提供了可证明的界限,但大多数标准生产部署仍依赖于 empirical defenses 和重度测试。"},"Specifying Threat Models":{statement:"When designing a robust defense, threat models should typically assume that the attacker is oblivious to your defense mechanisms.",answer:"n",statementZh:"在设计稳健的防御时,威胁模型通常应当假设攻击者对你的防御机制是 oblivious 的。"},"Evaluating Against Adaptive Attacks":{statement:"A defense evaluation is considered complete and robust once the system successfully resists standard attacks like PGD or AutoAttack.",answer:"n",statementZh:"一旦系统成功抵御了 PGD 或 AutoAttack 
等标准攻击,安全防御评估就被认为是完整且鲁棒的。"},"Red-Teaming Process for VLAs":{statement:"In the standard VLA red-teaming process, physical-world testing of patches and sensors occurs immediately before compiling the report and recommendations.",answer:"y",statementZh:"在标准的 VLA 红队安全测试流程中,针对贴纸和传感器的物理世界测试在撰写报告与建议之前进行。"},"Defensive Distillation — Caution":{statement:"Carlini-Wagner 2016 completely broke defensive distillation, demonstrating that AI defenses require adaptive evaluation to prove their actual robustness.",answer:"y",statementZh:"Carlini-Wagner 2016 完全破解了 defensive distillation,表明 AI 防御需要经过 adaptive evaluation 才能证明其真正的鲁棒性。"},"Input Preprocessing Defenses":{statement:"Input preprocessing techniques like JPEG compression or bit-depth reduction provide secure stand-alone defenses for modern VLAs without further modification.",answer:"n",statementZh:"诸如 JPEG 压缩或位深缩减等输入预处理技术无需进一步修改,即可为现代 VLA 提供安全的独立防御。"},"Defense via Provenance":{statement:"Cryptographic PKI-based provenance is already widely adopted and standard across the robotics industry to secure VLA training.",answer:"n",statementZh:"基于密码学 PKI 的 provenance 机制已被机器人行业广泛采用,并成为保护 VLA 训练的行业标准。"},"Capability Bounding via Permissions":{statement:"A fully jailbroken VLA model can bypass the ACL-like rule engine to execute disallowed actions like welding.",answer:"n",statementZh:"一个被 jailbreak 的 VLA 模型可以绕过类似 ACL 的规则引擎,执行诸如焊接等未授权的操作。"},"Sandboxing for VLA Inference":{statement:"Sandboxing VLA inference completely blocks all network access, meaning even the command interface cannot be accessed.",answer:"n",statementZh:"VLA 推理沙箱化会完全阻断所有网络访问,这意味着连命令接口也无法被访问。"},"Trusted Execution Environments":{statement:"Running VLA inference inside a TEE secures model weights against root-access adversaries without adding any compute overhead.",answer:"n",statementZh:"在 TEE 内运行 VLA 推理可以保护模型权重免受 root 权限攻击者的窃取,且不会增加任何计算开销。"},"Defensive Watermarking":{statement:"Defensive watermarking for LLMs, as proposed by Kirchenbauer, requires permanently modifying 
the model weights to embed the signature.",answer:"n",statementZh:"由 Kirchenbauer 提出的 LLM 防御性水印技术需要永久修改模型权重以嵌入签名。"},"Cryptographic Action Signing":{statement:"In Cryptographic Action Signing, the hardware controller signs the action sequences, which are then verified by the VLA before execution.",answer:"n",statementZh:"在密码学动作签名中,硬件控制器对动作序列进行签名,然后由 VLA 在执行前进行验证。"},"Continual Verification":{statement:"Continual verification of long-running VLAs involves periodically running canary inputs with known correct outputs to detect model degradation.",answer:"y",statementZh:"对长期运行的 VLA 进行持续验证涉及定期运行具有已知正确输出的 canary 输入以检测模型降级。"},"Incident Response Plan":{statement:"Under the specified incident response plan, logging inputs and outputs for forensics is performed before taking the affected robot offline.",answer:"y",statementZh:"在指定的 Incident Response Plan 中,记录用于 forensics 的输入和输出应当在将受影响的机器人 offline 之前进行。"},"Bug Bounty Programs":{statement:"The suggested VLA bug bounty model offers a larger reward for physical patches than for backdoor exploits.",answer:"n",statementZh:"推荐的 VLA 漏洞赏金模型中,物理补丁 (physical patch) 漏洞的奖金高于后门 (backdoor) 漏洞。"},"Vendor SBOM (Software Bill of Materials)":{statement:"For deployed VLAs, a complete vendor SBOM tracks training data provenance and fine-tuning audit trails alongside traditional software dependencies.",answer:"y",statementZh:"对于已部署的 VLA,完整的厂商 SBOM 除了传统软件依赖外,还追踪训练数据来源和微调审计痕迹。"},"Model Versioning + Rollback":{statement:"When a VLA regression is detected in production, the security guidelines require initiating a manual rollback within 60 seconds.",answer:"n",statementZh:"当在生产环境中检测到 VLA 性能衰退(regression)时,安全规范要求在 60 秒内触发手动回滚。"},"Defense Evaluation Checklist":{statement:"Evaluating a defense using AutoAttack alone is sufficient to claim robustness, without needing to design a custom adaptive attack.",answer:"n",statementZh:"仅使用 AutoAttack 评估防御就足以宣称其具有鲁棒性,无需设计专门的 adaptive attack。"},"Common Defense Pitfalls":{statement:"To properly validate a defense, it 
is recommended to report natural accuracy and robust accuracy using different test sets.",answer:"n",statementZh:"为了正确验证防御,推荐在不同的测试集上报告 natural accuracy 和 robust accuracy。"},"Real Production VLA Stacks":{statement:"The hardware capability bounding and action whitelisting security features of the Physical Intelligence π0 stack are already fully verified.",answer:"n",statementZh:"Physical Intelligence的π0 stack中,hardware capability bounding和action whitelisting安全特性已经得到了充分验证。"},"ROS 2 + DDS Security":{statement:"SROS2 secures VLA decisions on ROS topics but lacks support for hardware-based key storage such as TPM.",answer:"n",statementZh:"SROS2 保护 ROS topic 上的 VLA 决策,但不支持例如 TPM 这样基于硬件的密钥存储。"},"Formal Methods in Production":{statement:"In production safety-critical systems, formal verification is typically applied to the safety envelope around ML outputs rather than the ML models themselves.",answer:"y",statementZh:"在安全关键型生产系统中,形式化验证通常应用于 ML 输出周围的 safety envelope,而非 ML 模型本身。"},"Risk-Based Authorization":{statement:"Under risk-based authorization, high-risk actions like using a sharp tool require a 2-of-3 model consensus and a 1-second delay.",answer:"n",statementZh:"在基于风险的授权中,使用锋利工具等高风险(HIGH risk)动作需要 2-of-3 model consensus 和 1 秒的延迟。"},"A/B Testing New Defenses":{statement:"During the initial phase of A/B testing, 99% of the robot fleet receives the new defense while 1% acts as the control group.",answer:"n",statementZh:"在A/B测试的初始阶段,99%的机器人机队部署新防御,而1%作为对照组。"},"Compositional Verification":{statement:"Compositional verification requires verifying the VLA's end-to-end neural network as a single property rather than verifying individual component contracts.",answer:"n",statementZh:"组合验证要求将 VLA 的端到端神经网络作为一个单一属性进行验证,而不是验证单个组件的合同(contracts)。"},"Failover and Safe-Mode":{statement:"When VLA outputs are questionable, an acceptable safe-mode fallback is simply holding the robot's position and alerting a human operator.",answer:"y",statementZh:"当 VLA 输出存在疑问时,一种可接受的 safe-mode 
后备方案是仅保持机器人位置并向人工操作员发出警报。"},"Defense Cost-Benefit":{statement:"For consumer Embodied AI, defense layers must be prioritized regardless of cost, whereas safety-critical systems tier defenses by risk class.",answer:"n",statementZh:"对于消费级 Embodied AI 产品,防御层必须不计成本地予以优先部署,而安全关键型系统则需要按风险等级分层防御。"},"Updates and Patches":{statement:"Establishing defense in depth requires daily patching of software dependencies, while prompt regex filters are updated on a weekly basis.",answer:"y",statementZh:"建立纵深防御需要每日修补 software dependencies,而 prompt regex 过滤器则需每周进行更新。"},"Honeypots for Robotic Systems":{statement:"Honey-trajectories use rare robotic movement patterns to detect and flag attacker reconnaissance for further review.",answer:"y",statementZh:"Honey-trajectories 使用稀有的机器人运动轨迹来检测并标记攻击者的侦察行为以供进一步审查。"},"Tabletop Exercises":{statement:"Tabletop exercises are designed to actively hotfix system vulnerabilities, such as patching a vision adversarial patch, during the 2-4 hour walkthrough.",answer:"n",statementZh:"桌面演练的设计目的是在 2-4 小时的流程中,直接对系统漏洞(如 vision adversarial patch)进行实际代码修复。"},"Phase 6 Summary":{statement:"According to the summary, Phase 6 introduces policy and law, while Phase 7 focuses on technical implementations like TEEs and sandboxing.",answer:"n",statementZh:"根据总结,Phase 6 引入了政策和法律,而 Phase 7 则侧重于 TEEs 和沙箱等技术实现。"},"Phase 7 Overview — The Field":{statement:"The Phase 7 overview asserts that writing secure code is sufficient to guarantee a robot's security without requiring policy or economic frameworks.",answer:"n",statementZh:"Phase 7 概述指出,编写安全的代码足以保证机器人的安全,无需政策或经济框架的支持。"},"EU AI Act — Robotics Provisions":{statement:"The EU AI Act classifies most VLAs as low-risk systems, making compliance with ML robustness and logging requirements entirely voluntary.",answer:"n",statementZh:"EU AI Act 将大多数 VLA 分类为低风险系统,使得遵守 ML 鲁棒性和日志记录要求完全是自愿的。"},"NIST AI Risk Management Framework":{statement:"The NIST AI RMF 1.0 is a legally mandatory framework for all US companies, just like the EU AI 
Act.",answer:"n",statementZh:"NIST AI RMF 1.0 对所有美国公司而言都是法律强制性框架,就像欧盟的 EU AI Act 一样。"},"ISO/IEC 22989 — AI Concepts":{statement:"ISO/IEC 22989 is the international standard for AI risk management, while its companion ISO/IEC 23894 defines AI terminology.",answer:"n",statementZh:"ISO/IEC 22989 是 AI 风险管理的国际标准,而其配套的 ISO/IEC 23894 则定义了 AI 术语。"},"ISO 10218 — Industrial Robot Safety":{statement:"Even though ISO 10218 predates VLA models by 30 years, VLA-controlled industrial robots must still implement its mandatory safety-rated stopping.",answer:"y",statementZh:"尽管 ISO 10218 比 VLA 模型早了 30 年,受 VLA 控制的工业机器人仍必须执行其强制性的安全额定停止。"},"ISO 13482 — Personal Care Robots":{statement:"Because ISO 13482 is designed for non-industrial robots, it does not apply to modern VLA-powered home robots.",answer:"n",statementZh:"由于 ISO 13482 是为非工业机器人设计的,因此它不适用于现代 VLA 驱动的家用机器人。"},"Liability for AI Systems":{statement:"The EU Product Liability Directive 2024 shifts more liability to AI vendors, whereas the US currently relies on traditional product liability.",answer:"y",statementZh:"《EU Product Liability Directive 2024》将更多责任转移给 AI 厂商,而美国目前仍主要依赖传统的产品责任。"},"Insurance for AI Systems":{statement:"Although VLA startups increasingly require insurance to ship, documenting their security defenses does not affect the cost of their premiums.",answer:"n",statementZh:"尽管 VLA 初创公司越来越需要保险才能出货,但记录其安全防御措施并不会影响其保费成本。"},"GDPR for ML Systems":{statement:"A VLA company operating entirely outside the EU is exempt from GDPR even if its training data includes EU subjects.",answer:"n",statementZh:"即使其训练数据包含 EU 主体,完全在 EU 境外运营的 VLA 公司也免受 GDPR 的管辖。"},"Dual-Use Concerns":{statement:"Under export control frameworks like US ITAR, open-source publication of certain AI research can still trigger regulatory compliance rules.",answer:"y",statementZh:"在 US ITAR 等出口管制框架下,开源发布某些 AI 研究仍可能触发监管合规规则。"},"Autonomous Weapons Conventions":{statement:"The UN Convention on Certain Conventional Weapons has established a legally binding treaty 
that currently bans the use of autonomous weapons.",answer:"n",statementZh:"联合国《特定常规武器公约》已确立了一项在目前禁止使用自主武器的具有法律约束力的条约。"},"IEEE Code of Ethics for AI":{statement:"The IEEE 7002-2022 standard establishes well-being metrics for AI, while IEEE 7010-2020 governs the data privacy process.",answer:"n",statementZh:"IEEE 7002-2022 标准确立了 AI 的福利指标,而 IEEE 7010-2020 则用于规范数据隐私流程。"},"Coordinated Disclosure (Detailed)":{statement:"Under the VLA coordinated disclosure timeline, you should send the detailed report to vendors on Day 1 immediately after writing it.",answer:"n",statementZh:"在 VLA 协调披露时间线中,您应该在第 1 天撰写完详细报告后立即将其发送给厂商。"},"Research Integrity for Adversarial ML":{statement:"To counter cherry-picked examples in adversarial ML, peer reviewers are advised to specifically request random samples from the authors.",answer:"y",statementZh:"为了应对对抗机器学习(Adversarial ML)中挑选有利样本(cherry-picked)的问题,建议评审人员特意向作者索取随机样本。"},"Academic Conferences":{statement:"For ICOA finalists, the guide specifically recommends aiming for the SafeAI Workshop and ML-Sec Workshop at top venues.",answer:"y",statementZh:"对于 ICOA 决赛入围者,指南特别建议瞄准顶级会议的 SafeAI Workshop 和 ML-Sec Workshop。"},"Influential Papers — Must Read":{statement:"The recommended reading list identifies the 2024 paper by Kim et al. as a key resource for vision-language attacks on embodied AI.",answer:"y",statementZh:"推荐阅读清单将 Kim et al. 
2024 的论文确定为针对 embodied AI 的 vision-language attacks 的关键学习资源。"},"The Reproducibility Crisis":{statement:"According to Yadav 2021, approximately half of all adversarial ML papers fail to be reproducible from their code and data.",answer:"y",statementZh:"根据Yadav 2021的研究,大约有一半的对抗性ML论文无法通过其代码和数据进行复现。"},"Open vs Closed AI":{statement:"Open-weight models like OpenVLA are more difficult to target with adaptive attacks compared to closed-weight models like GPT-4.",answer:"n",statementZh:"与 GPT-4 等 closed-weight 模型相比,像 OpenVLA 这样的 open-weight 模型更难受到 adaptive attacks 的攻击。"},"Concentration of AI Power":{statement:"High training costs and data requirements limit the capability to train state-of-the-art VLAs to approximately five organizations globally.",answer:"y",statementZh:"高昂的训练成本和数据需求限制了全球仅有大约五家机构能够训练最先进的 VLA。"},"Compute Governance":{statement:"Under proposed compute governance frameworks, any AI training run exceeding 10^26 FLOPs is completely banned rather than just requiring reporting.",answer:"n",statementZh:"在提议的 Compute Governance 框架下,任何超过 10^26 FLOPs 的 AI 训练运行会被完全禁止,而不仅仅是要求汇报。"},"Economic Models for AI Safety":{statement:"Currently, AI security costs are primarily covered by government safety subsidies and insurance premiums rather than vendors and customers.",answer:"n",statementZh:"目前,AI security 成本主要由政府安全补贴和保险保费承担,而非供应商和客户。"},"AI Safety vs AI Security":{statement:"For VLAs, preventing benign mistakes is classified under AI Security, while defending against malicious actors is a task for AI Safety.",answer:"n",statementZh:"对于 VLA,防止良性错误被归类为 AI Security,而防御恶意攻击者则是 AI Safety 的任务。"},"AI Alignment":{statement:"In VLA models, aligning the physical consequences of actions is more difficult than aligning text-based outputs.",answer:"y",statementZh:"在 VLA 模型中,对齐动作的物理后果比对齐基于文本的输出更具挑战性。"},"Bias and Fairness":{statement:"The Open X-Embodiment dataset introduces demographic bias because its training data predominantly features young, male, technical lab 
workers.",answer:"y",statementZh:"Open X-Embodiment 数据集会引入人口统计偏见,因为其训练数据主要来自年轻、男性的技术实验室人员。"},"Environmental Impact":{statement:"For a VLA deployed at scale, the estimated energy cost of inference over its lifetime is 100 times greater than its training cost.",answer:"y",statementZh:"在大规模部署的 VLA 中,其生命周期内估算的推理成本是其训练成本的 100 倍。"},"Workforce Implications":{statement:"VLA-powered automation is expected to primarily expand middle-skill jobs, helping to reduce polarization between high-skill and low-skill roles.",answer:"n",statementZh:"VLA驱动的自动化预计将主要增加中等技能的就业机会,从而减轻高技能和低技能岗位之间的极化现象。"},"AI Safety Organizations":{statement:"The annual global funding for AI capabilities is more than one hundred times larger than the funding allocated to AI safety.",answer:"y",statementZh:"全球每年在 AI capabilities 上的资金投入是分配给 AI safety 资金的一百倍以上。"},"Government AI Bodies":{statement:"The European Union designates EUMETSAT as an organization involved in the testing of AI systems.",answer:"y",statementZh:"欧盟将 EUMETSAT 指定为参与 AI 系统测试的组织。"},"Public Communication":{statement:"To avoid public miscommunication, AI researchers are advised to discuss broad 'AI dangers' rather than focusing on specific attack vectors.",answer:"n",statementZh:"为了避免公众沟通失误,建议 AI 研究人员讨论宽泛的“AI 危险”,而不是专注于特定的攻击方式。"},"Working with Journalists":{statement:"When dealing with controversial AI security findings, you should practice with PR or press training before speaking with journalists.",answer:"y",statementZh:"在处理具有争议性的 AI 安全发现时,你应该在与记者交流前先进行 PR 或媒体培训。"},"Government Consulting":{statement:"The card recommends that AI security experts list standards bodies and advisory roles on their professional CV.",answer:"y",statementZh:"卡片建议 AI 安全专家在其专业 CV 中列出标准机构和顾问角色。"},"Industry-Academia Collaborations":{statement:"The card notes that growing industry-academia partnerships involve NDA negotiations for proprietary code, but still recommends pursuing industry internships.",answer:"y",statementZh:"卡片指出,不断增长的产学研合作涉及针对专有代码的 NDA 
谈判,但仍建议学生寻找工业界实习机会。"},"AI Security Job Market":{statement:"According to the market data, government defense organizations like the NSA and GCHQ are currently shrinking their AI security recruitment.",answer:"n",statementZh:"根据市场数据,NSA和GCHQ等政府安全机构目前正在收缩其AI security的招聘规模。"},"Building a Public Portfolio":{statement:"To build an AI security portfolio, your blog should focus on a high volume of frequent posts instead of a few deep technical findings.",answer:"n",statementZh:"为了构建 AI security 作品集,您的 blog 应侧重于发布大量高频文章,而非少数几篇深入的技术发现。"},"Responsible Conduct in Research":{statement:"ICOA finalists are permitted to complete their required responsible conduct training concurrently while conducting their research project.",answer:"n",statementZh:"ICOA决赛入围者被允许在进行研究项目期间同时完成所需的负责任研究行为培训。"},"Mentorship and Community":{statement:"The card asserts that your future job opportunities in AI security will primarily originate from the collaborative network you actively build.",answer:"y",statementZh:"该卡片指出,你未来在 AI 安全领域的求职机会将主要源自你积极建立的合作网络。"},"Long-Term Career Paths":{statement:"The hybrid career path highlighted in the card involves oscillating between government policy advising and industry product management.",answer:"n",statementZh:"卡片中强调的混合职业路径包括在政府政策顾问和工业界产品管理之间交替。"},"Continuing Education":{statement:"According to the card, AI security skills typically decay in 6 to 12 months if they are not actively used.",answer:"n",statementZh:"根据卡片内容,如果不主动使用,AI安全技能通常会在6到12个月内衰退。"},"Cross-Discipline Knowledge":{statement:"The card recommends that ML students take one to two courses outside of ML each year to build cross-disciplinary knowledge.",answer:"y",statementZh:"该卡片建议ML学生每年选修一到两门ML以外的课程,以构建跨学科知识。"},"UK AI Safety Institute — Mission":{statement:"Although UK AISI evaluates LLMs like GPT-4o, its evaluations will not extend to embodied AI and VLA security until 2026.",answer:"y",statementZh:"尽管 UK AISI 评估了 GPT-4o 等大模型,但其对具身智能和 VLA 安全的评估要到 2026 年才会开展。"},"White House Executive Order 
14110":{statement:"Even if Executive Order 14110 is partially rescinded, VLA companies must still provide safety attestations for federal contracting.",answer:"y",statementZh:"即使 Executive Order 14110 被部分废除,VLA 公司在进行联邦政府签约时仍需提供安全证明。"},"Future of AI Regulation":{statement:"Emerging AI regulations trend toward shifting legal liability from the AI developer to the downstream deployer.",answer:"n",statementZh:"新兴的 AI 监管趋势倾向于将法律责任从 AI developer 转移给下游的 AI deployer。"},"Phase 7 Summary":{statement:"While Phase 7 covers standards and career roadmaps, Phase 8 is dedicated to designing and executing a novel research capstone.",answer:"y",statementZh:"虽然Phase 7涵盖了标准和职业规划,但Phase 8致力于设计和执行一个新颖的research capstone。"},"Phase 8 Overview — Original Research":{statement:"Phase 8 requires students to design and execute novel research specifically in VLA security to produce publishable AI security papers.",answer:"y",statementZh:"Phase 8 要求学生专门在 VLA security 领域设计并执行创新性研究,以产出可发表的 AI 安全学术论文。"},"Choosing a Research Question":{statement:"According to the card, investigating pixel-level smoothing as a defense against adversarial patches in OpenVLA is considered a bad, over-broad research question.",answer:"n",statementZh:"根据卡片内容,研究像素级平滑作为 OpenVLA 对抗补丁的防御手段被认为是一个糟糕且过于宽泛的研究问题。"},"Literature Review":{statement:"The literature review protocol requires reading the full text of all 50+ initially searched papers to identify research gaps.",answer:"n",statementZh:"文献调研流程要求完整阅读最初检索到的全部 50+ 篇论文全文,以发现研究空白。"},"Research Hypothesis":{statement:"According to the card, OpenVLA adversarial patch experiments should be completed before formulating and filing any falsifiable research hypothesis.",answer:"n",statementZh:"根据卡片内容,在制定和提交任何可证伪的研究假设之前,应当先完成 OpenVLA 对抗补丁实验。"},"Experimental Design":{statement:"According to the protocol, experimental sample sizes should be dynamically adjusted during the trial rather than pre-calculated using power analysis.",answer:"n",statementZh:"根据该规程,实验的样本量应该在测试过程中动态调整,而不是提前通过 power 
analysis 进行计算。"},"Power Analysis":{statement:"According to the formula, doubling the expected difference (Delta) between two proportions reduces the required sample size (n) to one-quarter.",answer:"y",statementZh:"根据公式,将两个比例之间的预期差值 (Delta) 加倍,会将所需的样本量 (n) 减少至四分之一。"},"Common Statistical Mistakes":{statement:"For ML experiments, the standard practice to avoid cherry-picking is to report the mean ± std across 3-5 seeds.",answer:"y",statementZh:"对于 ML 实验,避免 cherry-picking 的标准做法是报告跨 3-5 个 seeds 的 mean ± std。"},"Compute Budget Planning":{statement:"To account for unexpected re-runs, your capstone compute budget planning should reserve 20% of the total estimated GPU-hours.",answer:"y",statementZh:"为了应对意外的重新运行,您的毕业设计算力预算规划应预留总估算 GPU-hours 的 20%。"},"Reproducibility From Day 1":{statement:"To ensure reproducibility from day one, you only need to document data source URLs, while recording hashes is optional.",answer:"n",statementZh:"为了从第一天起确保可重复性,你只需要记录数据源的 URLs,而记录 hashes 是可选的。"},"Writing a Paper — Structure":{statement:"Top-tier ML venues enforce a strict 8-9 page limit that includes both the main paper and all appendix materials.",answer:"n",statementZh:"顶级 ML 会议强制执行 8-9 页的严格限制,该限制同时包含主论文和所有附录材料。"},"Writing the Abstract":{statement:"The abstract should be written last and reviewed by three people who have not previously seen the paper.",answer:"y",statementZh:"Abstract(摘要)应该在最后撰写,并由三位此前从未看过该论文的人员进行评估。"},"Figures and Tables":{statement:"To ensure clear presentation, tables in ML papers should be sorted alphabetically by method name rather than by the performance metric.",answer:"n",statementZh:"为了确保清晰呈报,ML论文中的表格应按方法名称的字母顺序排序,而不是按性能metric进行排序。"},"Submitting to a Conference":{statement:"ICOA finalists are advised to target workshop submissions first, which generally have an acceptance rate of over 50%.",answer:"y",statementZh:"建议 ICOA 决赛入围者优先考虑 workshop 投稿,其接收率通常在 50% 以上。"},"Capstone Timeline (6 months)":{statement:"The recommended timeline suggests completing hypothesis 
pre-registration during Months 1-2, prior to starting experiments in Month 3.",answer:"y",statementZh:"推荐的时间线建议在第1-2个月完成 hypothesis pre-registration,然后在第3个月开始实验。"},"Working with a Mentor":{statement:"You should avoid sharing negative results with your mentor during weekly meetings in order to keep discussions efficient and focused.",answer:"n",statementZh:"为了保持讨论的高效和聚焦,你应该避免在每周会议中向导师分享负面结果。"},"Collaborating with Co-authors":{statement:"Under ICOA guidelines, the agreement on authorship order and contributions should be finalized after the paper's first draft is completed.",answer:"n",statementZh:"根据 ICOA 指南,作者顺序和贡献的协议应在论文初稿完成后最终确定。"},"Open-Source Code Release":{statement:"To guarantee scientific reproducibility, AI security guidelines require all developed code, including sensitive exploits, to be released in the public GitHub repository.",answer:"n",statementZh:"为了保证科学可复现性,AI 安全指南要求将所有开发的代码(包括敏感的 exploits)在公共 GitHub 仓库中发布。"},"Disclosure Coordination":{statement:"To properly coordinate disclosure, you should wait until after your research paper is submitted to notify the vendor of the vulnerability.",answer:"n",statementZh:"为了妥善协调披露,您应该在提交研究论文之后,再向厂商通知所发现的安全漏洞。"},"Following Up on Reviews":{statement:"The card states that when reviews are wrong, they are most often actually pointing out unclear writing in your paper.",answer:"y",statementZh:"卡片指出,当评审意见出现错误时,它们通常实际上是指出了你论文中表述不清的地方。"},"Conference Presentation":{statement:"According to the card, an oral presentation consists of a 30-to-45-minute talk followed by a Q&A session.",answer:"n",statementZh:"根据卡片内容,Oral 报告通常包含一个 30 至 45 分钟的演讲及随后的 Q&A 环节。"},"Networking at Conferences":{statement:"For ICOA finalists, NeurIPS and ICML are highlighted as key venues to meet PhD program advisors and industry hiring managers.",answer:"y",statementZh:"对于 ICOA 入围者,NeurIPS 和 ICML 被强调为会见 PhD 项目导师和行业招聘经理的关键场所。"},"Research Software Practices":{statement:"The guidelines suggest version controlling not only code and configurations, but also 
data itself using tools like DVC.",answer:"y",statementZh:"指南建议不仅要对代码和配置进行版本控制,还要使用 DVC 等工具对数据本身进行版本控制。"},"Experiment Tracking":{statement:"Although TensorBoard is built into PyTorch, you are recommended to enable Weights & Biases (W&B) from day one of your capstone.",answer:"y",statementZh:"尽管 TensorBoard 内置于 PyTorch 中,但建议你在毕业设计(capstone)的第一天就启用 Weights & Biases (W&B)。"},Ablations:{statement:"In adversarial ML, common ablation studies evaluate the impact of attack strength, defense strength, and model size.",answer:"y",statementZh:"在 adversarial ML 中,常见的 ablation 研究会评估 attack strength、defense strength 和 model size 的影响。"},"Negative Results":{statement:"In your Capstone project, negative results should be integrated directly into the main paper rather than placed in the appendix.",answer:"n",statementZh:"在您的 Capstone 项目中,负面结果(negative results)应该直接整合到论文正文中,而不是放在附录(appendix)中。"},"Adversarial Robustness Toolbox":{statement:"The Adversarial Robustness Toolbox (ART) only supports deep learning frameworks like PyTorch and TensorFlow, excluding traditional machine learning libraries like scikit-learn.",answer:"n",statementZh:"Adversarial Robustness Toolbox (ART) 仅支持 PyTorch 和 TensorFlow 等深度学习框架,排除了 scikit-learn 等传统机器学习库。"},"CleverHans + Foolbox":{statement:"The card recommends choosing ART for new projects, while reserving Foolbox for production-grade deployments.",answer:"n",statementZh:"该卡片建议在新项目中使用 ART,而在生产级部署中保留并使用 Foolbox。"},"OpenVLA + ICOA-VLA Codebases":{statement:"For your capstone project, you must select exactly one VLA and one simulator instead of mixing multiple options.",answer:"y",statementZh:"在你的 capstone 项目中,你必须选择正好一个 VLA 和一个模拟器,而不是混合多个选项。"},"Compute Providers":{statement:"ICOA finalists must independently apply for academic cluster allocations via ACCESS to obtain compute for their capstone projects.",answer:"n",statementZh:"ICOA 决赛入围者必须通过 ACCESS 独立申请学术集群配额,才能获得其 capstone 项目所需的算力。"},"Funding for AI Safety Research":{statement:"The card identifies the 
Survival and Flourishing Fund as contributing over $50M per year to AI safety research.",answer:"n",statementZh:"该卡片指出 Survival and Flourishing Fund 每年向 AI 安全研究贡献超过 $50M 的资金。"},"PhD Application Process":{statement:"While high GPA and research experience remain critical, the GRE is now dropped by most top US PhD programs.",answer:"y",statementZh:"虽然高 GPA 和科研经历依然关键,但大多数美国顶尖 PhD 项目目前已经取消了 GRE 要求。"},"Industry PhD Programs":{statement:"Industry PhD-equivalent programs like the OpenAI Residency provide higher pay than academic PhDs and grant a formal doctoral degree.",answer:"n",statementZh:"像 OpenAI Residency 这样等同于工业界 PhD 的项目提供比学术界 PhD 更高的薪资,并授予正式的博士学位。"},"Capstone Examples — Past ICOA Finalists":{statement:"ICOA finalist capstone projects must contain technical code, meaning policy briefs regarding the EU AI Act are ineligible.",answer:"n",statementZh:"ICOA入围毕业设计项目必须包含技术代码,这意味着关于EU AI Act的政策简报是不符合参选资格的。"},"Pitching Your Work":{statement:"For ICOA preparation, you must master three pitch versions with durations of 30 seconds, 5 minutes, and 15 minutes.",answer:"n",statementZh:"对于 ICOA 的准备工作,你必须掌握三种时长的路演版本:30秒、5分钟和15分钟。"},"Research Independence":{statement:"During Year 3 of the research progression, the advisor still sets the direction while the student is solely responsible for execution.",answer:"n",statementZh:"在研究推进的第 3 年,导师仍然负责设定方向,而学生仅负责执行。"},"Beyond the Capstone":{statement:"According to the post-ICOA paths, undergraduate students are specifically advised to target applied industry roles rather than top-tier MS or PhD programs.",answer:"n",statementZh:"根据 ICOA 后期路线,本科生被特别建议去争取应用型行业岗位,而非顶尖的 MS 或 PhD 项目。"},"Research Self-Care":{statement:"The ICOA capstone is structured to last 2 to 3 years to help students establish a sustainable research pace.",answer:"n",statementZh:"ICOA capstone 的周期被设计为 2 到 3 年,以帮助学生建立可持续的研究节奏。"},"Research Ethics — Quick Review":{statement:"According to research ethics guidelines, cherry-picking data is acceptable in honest reporting if it 
helps clarify complex Embodied AI behaviors.",answer:"n",statementZh:"根据科研伦理规范,在 honest reporting 中进行 cherry-picking 是可以接受的,只要它能帮助解释复杂的 Embodied AI 行为。"},"After Phase 8":{statement:"Completing Phase 8 prepares you to either pursue a PhD in adversarial ML or lead AI security teams in industry.",answer:"y",statementZh:"完成第8阶段意味着你已准备好攻读 adversarial ML 博士学位,或在工业界领导 AI security 团队。"},"Building Your Reference Stack":{statement:"For ICOA finalists, the recommended Year 1 reference stack target is approximately 150 papers and 20 deep dives.",answer:"n",statementZh:"对于ICOA决赛入围者,建议的Year 1参考栈(reference stack)目标是大约150篇papers和20个deep dives。"},"Reading a Paper Efficiently":{statement:"The 3-pass method suggests that you should carefully examine and reconstruct mathematical proofs during the second pass.",answer:"n",statementZh:"3-pass method 建议你在第二轮阅读(Pass 2)期间仔细检查并重构数学证明。"},"Building a Mentor Network":{statement:"To maintain your mentor network, you should invest 5% of your work time and email each contact 1-2 times per week.",answer:"n",statementZh:"为了维持你的导师网络,你应该投入5%的工作时间,并且每周给每位联系人发送1-2封邮件。"},"Final Words — From the ICOA Science Committee":{statement:"The Science Committee states that this 480-card curriculum is complete, but AI security is not yet a solved problem.",answer:"y",statementZh:"科学委员会表示,虽然这份包含480张卡片的课程已经完成,但AI security仍是一个尚未解决的问题。"}};
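Review bot: the whole answer map ships as one minified line, so a flipped `answer:"y"`/`answer:"n"` on any of these cards is invisible in a diff of this file; please commit the unminified source (one card entry per line) next to the build output so answer-key changes can be reviewed. Also, every key in the map is quoted except `Ablations:`, which is left bare; quote it as `"Ablations":` so the object stays uniform and lints and diff tooling treat it like the other entries.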