A Model Denial of Service (DoS) attack aims to make a machine learning model unavailable to legitimate users by exhausting its computational resources. Indicator I (GPU saturation) and Indicator II (increased latency from specific inputs, known as an algorithmic complexity attack) are methods to achieve resource exhaustion. Indicator IV (system failure to respond) is the direct outcome of a successful DoS attack. Indicator III, model weight exfiltration, is a confidentiality attack (model theft), not an availability attack like DoS.

A. This option is incorrect because it omits Indicator I (GPU saturation), which is a primary method for executing a resource exhaustion-based Model DoS attack.

C. This option is incorrect because it includes Indicator III (model exfiltration), which is a confidentiality attack, not a DoS attack focused on service availability.

D. This option is incorrect because it includes Indicator III. Model DoS attacks are concerned with availability, not the theft of model intellectual property.

1. MITRE ATLAS™. (2023). ML Model Denial of Service (AML.T0001). The MITRE Corporation. Retrieved from https://atlas.mitre.org/techniques/AML.T0001. This source describes how adversaries can cause a DoS by sending inputs that consume excessive resources (CPU, GPU, memory), aligning with indicators I, II, and IV.

2. NIST. (2023). AI Risk Management Framework (AI RMF 1.0). (NIST AI 100-1). National Institute of Standards and Technology. p. 28, Section 4.3. This framework discusses attacks against AI systems, including those that impact availability (DoS) versus those that impact confidentiality (data/model theft).

3. Carlini, N., et al. (2023). Poisoning Language Models During Instruction Tuning. arXiv:2305.00944. Section 2 discusses availability attacks, including "resource-consumption attacks" where inputs are crafted to maximize inference time, directly supporting Indicator II.