- ML artifact collection
- Data from information repositories
- Data from local system
ML attack staging
Now that data has been collected, threat actors begin to stage the attack using what they have learned about the target systems. They may train proxy models, poison the target model, or craft adversarial data to feed into the target model.
The four techniques identified include:
- Create proxy ML model
- Backdoor ML model
- Verify attack
- Craft adversarial data
Proxy ML models can be used to simulate attacks offline while the attackers hone their technique and desired outcomes. Attackers can also use offline copies of target models to verify the success of an attack without raising the suspicion of the victim organization.
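As an added example (this is not code from the original article or from ATLAS), the following Python script walks through three of the staging techniques against a hypothetical black-box linear classifier: querying its inference API to train a proxy model, crafting an adversarial input against the proxy offline, and then verifying whether the crafted input transfers to the real target. The target's hidden weights, the query budget, the starting point and the overshoot factor are all assumptions chosen for illustration.

```python
"""Attack staging against a black-box linear classifier (added example).

Assumptions, not from the original article: the target is a hypothetical
linear classifier reachable only through target_predict(); the attacker never
sees its weights. Everything runs offline on constructed data.
"""
import math
import random

# Hypothetical target model. The attacker may only call target_predict().
_TARGET_W = (2.0, -1.0)   # hidden weights (assumed for the example)
_TARGET_B = 0.5


def target_predict(x):
    """Black-box inference API: returns a 0/1 label, no scores, no weights."""
    return 1 if _TARGET_W[0] * x[0] + _TARGET_W[1] * x[1] + _TARGET_B > 0 else 0


def _sigmoid(z):
    """Numerically stable logistic function."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


# Technique: create proxy ML model by labelling random queries via the API.
def collect_labels(n_queries, rng):
    """Send random inputs to the inference API and record its answers."""
    xs = [(rng.uniform(-3, 3), rng.uniform(-3, 3)) for _ in range(n_queries)]
    return [(x, target_predict(x)) for x in xs]


def train_proxy(samples, lr=0.5, epochs=500):
    """Logistic regression by batch gradient descent: the attacker's proxy."""
    w = [0.0, 0.0]
    b = 0.0
    n = len(samples)
    for _ in range(epochs):
        gw = [0.0, 0.0]
        gb = 0.0
        for x, y in samples:
            err = _sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0]
            gw[1] += err * x[1]
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return w, b


def proxy_predict(model, x):
    w, b = model
    return 1 if w[0] * x[0] + w[1] * x[1] + b > 0 else 0


def agreement(model, samples):
    """Fraction of held-out queries where the proxy matches the target."""
    return sum(proxy_predict(model, x) == y for x, y in samples) / len(samples)


# Technique: craft adversarial data on the proxy, with no target queries.
def craft_adversarial(model, x, overshoot=0.5):
    """Smallest step that crosses the proxy's decision boundary, scaled by
    (1 + overshoot) to absorb the mismatch between proxy and target."""
    w, b = model
    norm_sq = w[0] ** 2 + w[1] ** 2
    score = w[0] * x[0] + w[1] * x[1] + b
    step = (1 + overshoot) * score / norm_sq
    return (x[0] - step * w[0], x[1] - step * w[1])


# Technique: verify attack against the target (or an offline copy of it).
def verify_attack(x, x_adv):
    return target_predict(x_adv) != target_predict(x)


def run_staging(seed=0, n_queries=400):
    rng = random.Random(seed)          # seeded so the run is reproducible
    train = collect_labels(n_queries, rng)
    holdout = collect_labels(200, rng)
    proxy = train_proxy(train)
    x0 = (1.0, 1.0)                    # assumed benign input the attacker perturbs
    x_adv = craft_adversarial(proxy, x0)
    return {
        "agreement": agreement(proxy, holdout),
        "target_label": target_predict(x0),
        "proxy_label": proxy_predict(proxy, x0),
        "adv_proxy_label": proxy_predict(proxy, x_adv),
        "transferred": verify_attack(x0, x_adv),
    }


if __name__ == "__main__":
    print(run_staging())
```

The only contact with the target is the 600 labelling queries plus the final verification calls; everything in between happens on the attacker's machine. That is the practical point of the proxy: the expensive trial and error that would otherwise show up in the victim's API logs is moved offline, so a defender watching the inference endpoint sees only a burst of unremarkable queries followed by a small number of crafted ones.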
Exfiltration
After all of the steps discussed, attackers are getting to what they really care about: exfiltration. This includes stealing ML artifacts or other information about the ML system. It could be intellectual property, financial information, PHI or other sensitive data, depending on the use case of the model and the ML systems involved.
The techniques associated with exfiltration include:
- Exfiltration via ML inference API
- Exfiltration via cyber means
- LLM meta prompt extraction
- LLM data leakage
These all involve exfiltrating data, whether via an API, via traditional cyber methods (e.g. ATT&CK exfiltration techniques), or by using prompts to get the LLM to leak sensitive data such as private user data, proprietary organizational data, and training data, which may include personal information. This has been one of the primary concerns security practitioners have raised about LLM usage as organizations rapidly adopt them.
Impact
Unlike exfiltration, the impact stage is where attackers create havoc or damage, potentially causing interruptions, eroding confidence, or even destroying ML systems and data. In this stage, that could include targeting availability (via ransom, for example) or maliciously damaging integrity.
This tactic has six techniques, which include:
- Evade ML model
- Denial of ML service
- Spamming ML system with chaff data
- Erode ML model integrity
- Cost harvesting
- External harms
While we have discussed some of these techniques as part of other tactics, there are some unique ones here related to impact. For example, denial of ML service looks to exhaust resources or flood systems with requests in order to degrade or shut down services.
While most modern enterprise-grade AI offerings are hosted in the cloud with elastic compute, they can still run into DDoS and resource exhaustion, as well as cost implications if not properly mitigated, impacting both the provider and the consumers. Elastic compute turns an availability problem into a billing problem: the service may stay up, but someone pays for the flood, which is exactly what the cost harvesting technique relies on.
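As an added example, not from the original article, here is a small Python detector that runs over constructed inference-gateway log lines and flags the two patterns described above: a request flood per client (denial of ML service) and a token-spend burst per client (cost harvesting). The JSON line format, the field names and the thresholds are assumptions for this illustration, not any vendor's log schema.

```python
"""Flag request floods and cost bursts in inference-gateway logs (added example).

Assumed log format (not from the original article): one JSON object per line
carrying the request timestamp in epoch seconds, a client identifier, and the
tokens billed for that request.
"""
import json
from collections import defaultdict, deque

# Constructed sample: "c-1" behaves normally, "c-2" floods the endpoint with one
# request per second, "c-3" sends few requests but very large prompts.
SAMPLE_LOG = "\n".join(
    [json.dumps({"ts": 1000 + 30 * i, "client": "c-1", "tokens": 400}) for i in range(10)]
    + [json.dumps({"ts": 2000 + i, "client": "c-2", "tokens": 50}) for i in range(120)]
    + [json.dumps({"ts": 3000 + 20 * i, "client": "c-3", "tokens": 60000}) for i in range(5)]
)

WINDOW = 60              # sliding window length in seconds (assumed)
RATE_LIMIT = 30          # max requests per client per window (assumed)
TOKEN_BUDGET = 100_000   # max billed tokens per client per window (assumed)


def parse_log(text):
    """Parse JSON lines into (ts, client, tokens), skipping malformed entries
    instead of crashing; an attacker-controlled field must not break the monitor."""
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            events.append((int(rec["ts"]), str(rec["client"]), int(rec["tokens"])))
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events)


def detect_abuse(events):
    """Sliding-window detector over time-ordered events.

    Returns {(client, kind): first_alert_ts} where kind is "flood" (more than
    RATE_LIMIT requests in WINDOW seconds) or "cost" (more than TOKEN_BUDGET
    tokens billed in WINDOW seconds). Only the first hit per pair is kept so a
    sustained attack produces one alert rather than thousands.
    """
    window = defaultdict(deque)        # client -> deque of (ts, tokens) in window
    tokens_in_window = defaultdict(int)
    alerts = {}
    for ts, client, tokens in events:
        q = window[client]
        q.append((ts, tokens))
        tokens_in_window[client] += tokens
        # Evict everything older than the window (ts - WINDOW, ts].
        while q and q[0][0] <= ts - WINDOW:
            _, old_tokens = q.popleft()
            tokens_in_window[client] -= old_tokens
        if len(q) > RATE_LIMIT and (client, "flood") not in alerts:
            alerts[(client, "flood")] = ts
        if tokens_in_window[client] > TOKEN_BUDGET and (client, "cost") not in alerts:
            alerts[(client, "cost")] = ts
    return alerts


if __name__ == "__main__":
    for (client, kind), ts in sorted(detect_abuse(parse_log(SAMPLE_LOG)).items()):
        print(f"{ts}: {client} exceeded {kind} threshold")
```

The two checks are deliberately separate because the two attacks look different in the logs: a flood is many cheap requests, a cost-harvesting run can be a handful of enormous ones that never trip a request-rate limit. In a real gateway the same counters would drive rate limiting and per-tenant spend caps rather than just alerting, and the client key would be whatever identity the API actually authenticates (an API key or token subject), not a free-form field from the request body.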
Additionally, attackers may instead look to erode the ML model's integrity with adversarial data inputs that undermine consumers' trust in the model and force the model provider or organization to spend effort fixing system and performance issues to address the integrity concerns.
Finally, attackers may look to cause external harms, such as abusing the access they obtained to impact the victim system, resources, and organization through financial and reputational harm, harm to users, or broader societal harm, depending on the usage and implications of the ML system.