It pushes the decision boundary further away from the non-target classes (B and C), making them harder to misclassify.

It creates a 'shortcut' or a new, small region of misclassification (backdoor area) for non-target classes that is very close to their original location in the feature space.

It moves the representations of all inputs (A, B, and C) into a single point in the feature space.

It only affects the representations of the target class A, making them more robust.

The model is poorly trained and generally unstable.

The model has learned a highly efficient pathway (the backdoor) to the target class A for inputs from other classes, requiring minimal perturbation.

The clean model was already close to misclassifying everything as A.

The trigger pattern itself is very large and complex.

True

False

True

False

Defenses must be able to perfectly identify every single backdoored sample to be effective.

Simply removing a random 1% of the training data is a viable defense strategy.

The backdoor signal is very strong and easily learned, so defenses must be highly sensitive and cannot rely on the rarity of poisoned samples alone.

The CIFAR-10 dataset is inherently flawed and should not be used for security research.

It increases the time and computational cost of training.

It would alert the attacker that a defense is in place.

It degrades the model's performance on its primary task (i.e., hurts clean accuracy) by removing valid training examples.

It might remove the wrong backdoored samples, leaving the most effective ones in the dataset.

True

False