Offensive Use of AI: Attacks on AI/ML Systems

Questions and Answers

What potential risk is associated with users from different contexts sharing the same vector database?

• Data poisoning attacks
• Embedding inversion attacks
• Cross-context information leaks (correct)
• Unauthorized access

What is a potential consequence of generating false or misleading information through LLMs?

• Factual inaccuracies leading to reputational damage (correct)
• Costly data storage requirements
• Reduction in model efficiency
• Increased model complexity

Which countermeasure can help prevent unauthorized data access within vector databases?

• Data validation updates
• Fine-Grained access control (correct)
• Extensive data logging
• Cross-verification processes

What issue arises from the model's tendency to over-rely on its outputs?

Excessive trust in generated outputs (C)

What is the primary role of data in an AI application?

Training and refining models (D)

What is a method for mitigating risks associated with LLMs generating unsafe code?

Model fine-tuning with verified datasets (C)

Which risk pertains specifically to the integrity of claims made by LLMs?

Unsupported claims (A)

Which of the following describes data poisoning in the context of AI security?

Injecting harmful data into training sets (B)

What is a major risk associated with models accessed via APIs?

Unauthorized access and manipulation (D)

What could be a result of embedding inversion attacks?

Data leakage including sensitive information (A)

What is a necessary step before data is added to a knowledge base to ensure its reliability?

Data validation and source authentication (C)

Which type of injection is an attacker likely to use against the frontend of an AI application?

Prompt/input injection (A)

What primarily drives the risk of inherited vulnerabilities in AI models?

Public/open-source model usage (D)

Which of the following is NOT a security issue affecting data in AI applications?

Model manipulation (A)

Which organization is known for its OWASP Top 10 project related to application security?

Open Worldwide Application Security Project (OWASP) (C)

In terms of AI application architecture, what is the role of the model?

Core engine that learns, decides, and generates outputs (B)

What is the primary concern associated with prompt injection in large language models?

Manipulation of model outputs leading to harmful consequences (D)

What does jailbreaking specifically refer to in the context of prompt injection?

A method to completely bypass safety protocols (C)

Which of the following is an example of indirect prompt injection?

Data from a compromised external database affecting model responses (C)

What type of output manipulation can result from prompt injection?

Exposure to sensitive information and inadvertent biases (C)

What is a proposed countermeasure to prevent the effects of prompt injection?

Constrain model behavior by enforcing strict output limits (D)

Which of the following best describes 'direct prompt injections'?

User input that directly alters the behavior of a model, whether malicious or not (B)

What is a potential risk associated with prompt injection regarding organizational decision-making?

Alteration of outputs influencing critical decisions (B)

Which statement accurately reflects the nature of multimodal injections?

Malicious prompts can be hidden within various media formats. (B)

What is a potential consequence of unbounded consumption in LLMs?

Financial losses (A)

What is the consequence of injecting adversarial training data into a model?

Worsening model performance (C)

Which of the following is a suggested countermeasure for managing resource-intensive queries in LLMs?

Dynamic resource management (B)

Which countermeasure can help ensure model outputs are grounded in trusted sources?

Retrieval-Augmented Generation (RAG) (D)

What is a consequence of Denial of Service (DoS) attacks on LLMs?

Service degradation (A)

What aspect does OWASP recommend to maintain for third-party models?

Regular audits of security and access controls (B)

What type of attack involves flooding the model with excessive requests?

Variable-Length Input Flood (D)

How should the data pipeline be managed to prevent model poisoning?

Tracking and validating data at all stages (A)

Which of the following is NOT a recommended security practice for LLM-generated code?

Ignoring limitations of LLMs (C)

What does insufficient validation of outputs generated by LLM lead to?

Increased risk of Remote Code Execution (RCE) (B)

What technique is used to prevent unauthorized use or replication of LLM outputs?

Watermarking mechanisms (A)

Which practice is part of maintaining model integrity and provenance?

Vendor signed models and code (A)

Which of the following attacks involves crafting inputs to exceed the LLM’s context window?

Input overflow (D)

What is a consequence of model output handling deficiencies?

Exploitation of downstream systems (D)

What can be a result of improperly designed LLM plugins?

Remote code execution (D)

Which tool is recommended for validating models and enhancing integrity?

Machine Learning Bill of Materials (ML-BOM) (B)

What is the primary objective of MITRE ATLAS?

To document adversary tactics and techniques against AI-based systems (C)

Which of the following is NOT part of the MITRE ATLAS Matrix?

Regulatory guidelines for AI practices (D)

What type of attack involves creating a proxy ML model?

ML Attack Staging (A)

Which tactic involves searching for publicly available research materials?

Reconnaissance (A)

Which of the following best describes a backdoor ML model?

An ML model that allows unauthorized access (D)

What kind of mitigation strategies does MITRE ATLAS provide?

Prescriptive actions against specific malicious tactics (B)

What type of access allows attackers to utilize AI models for inference?

AI Model Inference API Access (B)

Which of the following is an example of an adversarial ML attack documented in ATLAS?

Using Rank-One Model Editing to force false facts (D)

What does the acronym FAICP stand for?

Framework for AI Cybersecurity Practices (B)

Which document underpins the best practices for AI security as stated in the content?

Framework for AI Cybersecurity Practices (FAICP) (D)

Flashcards

Data in AI Systems

In this context, "data" refers to the information used to train and refine AI models. It fuels the AI system's learning process and enables it to make informed decisions.

AI Model

The AI model acts as the brain of an AI system, learning from data, making decisions, and generating outputs. It can be either locally deployed or accessed remotely via APIs.

Data Poisoning

Data poisoning involves introducing malicious data into the training set of an AI system. This manipulation can lead to biased or incorrect outputs from the AI model.

Data Exfiltration

Data exfiltration occurs when sensitive data is stolen from an AI application through unauthorized access or breaches. It can compromise the security and integrity of the system.

Adversarial Machine Learning (AML)

Adversarial Machine Learning (AML) involves using sophisticated techniques to deceive AI systems, causing them to make incorrect or biased decisions.

Prompt/input injection attacks

Prompt/input injection attacks involve crafting malicious prompts or inputs to exploit vulnerabilities in AI systems, potentially leading to unintended or harmful outputs.

OWASP Top 10

OWASP (Open Worldwide Application Security Project) provides open-source resources and guidance for secure application development. Their 'Top 10' lists highlight the most critical risks in software systems.

OWASP Top 10 for LLMs

The OWASP Top 10 for LLMs (Large Language Models) identifies the top 10 critical risks related to the security of large language models. It aims to promote secure design and development of AI applications.

Prompt Injection

A type of attack where user input manipulates the behavior and output of a large language model (LLM) in unintended ways. It can lead to harmful outcomes like generating biased or harmful content, enabling unauthorized access, or violating safety guidelines.

Jailbreaking

A specific type of prompt injection where attackers bypass safety protocols completely, allowing them to control the LLM's behavior.

Direct Prompt Injection

User input directly alters the model's behavior, either intentionally (malicious activity) or unintentionally (unexpected behavior by normal user input).

Indirect Prompt Injection

External inputs such as websites, files, or databases, controlled by hostile actors, alter model behavior when processed. This leads to unintended outputs.

Multimodal Injection

A type of prompt injection where malicious prompts are embedded in media such as images, audio, or video, leading to unintended outputs.

Risks of Prompt Injection

Prompt injection poses risks like exposure of sensitive information, generation of incorrect or biased responses, unauthorized access to systems, and influencing important decisions.

Countermeasures

Techniques to prevent or limit the harmful effects of prompt injection.

Countermeasure Examples

Methods used to prevent malicious prompt injection, including: 1) Constraining model behavior to within safe boundaries. 2) Validating output formats to ensure expected outputs. 3) Filtering input and output to remove harmful content and semantic manipulation.

Unauthorized Access & Data Leakage

Unauthorized access to a vector database containing sensitive information.

Cross-Context Information Leaks

Sharing a vector database between different contexts or applications, leading to unintended sharing.

Embedding Inversion Attacks

Reversing an embedding to recover sensitive information.

LLM Misinformation

LLMs generating false or misleading information that appears credible.

Hallucination

LLMs generating content that sounds plausible but is fabricated.

Bias in Training Data

Bias introduced during model training can lead to inaccurate or discriminatory outputs.

Unsupported Claims by LLMs

LLMs making claims without sufficient evidence to support them.

Unsafe Code Generation

LLMs generating potentially insecure code or suggesting unreliable libraries.

Data and Model Poisoning

Manipulating training, fine-tuning, or embedding data to introduce vulnerabilities, backdoors, or biases into a language model.

Adversarial Training Data Injection

Attacks that introduce malicious data into a model's training process, aiming to compromise its security, performance, or ethical behavior.

Machine Learning Bill of Materials (ML-BOM)

A tool that tracks the data pipeline, ensuring data integrity throughout the model development process.

Retrieval-Augmented Generation (RAG)

A technique that helps ensure language model outputs are grounded in trusted sources, reducing the risk of incorrect or biased outputs.

Improper Output Handling

Insufficient validation, sanitization, and alerthandling of outputs generated by LLMs before they reach other systems.

LLM-generated security vulnerabilities

A type of security vulnerability where attackers manipulate LLM-generated content to trigger malicious actions on systems.

Auditing third-party models

Auditing the security and access controls of third-party models regularly to mitigate potential vulnerabilities.

Maintaining an updated AI assets inventory

Maintaining an updated inventory of all AI assets, including models, code, and libraries, to track potential risks and vulnerabilities.

MITRE ATLAS

A security framework focused on threats against AI systems, developed by MITRE, based on the ATT&CK framework.

Backdoor Attack

A technique for manipulating an AI model's output by injecting malicious code or altering its internal parameters.

Adversarial Examples

An attempt to deceive an AI system by presenting crafted input data that looks legitimate but triggers an incorrect or biased output.

Framework for AI Cybersecurity Practices (FAICP)

A framework for promoting the development of secure AI systems, focusing on mitigating AI security threats.

LLM Unbounded Consumption

Exploiting a large language model (LLM) to perform excessive or uncontrolled inference operations, leading to significant resource depletion and system degradation. This vulnerability arises from LLMs being computationally intensive.

What are malicious activities related to LLM unbounded consumption?

Malicious activities that target LLMs, such as flooding them with requests to exhaust resources, stealing intellectual property, and disrupting services.

Variable-Length Input Flood

A category of attack that involves bombarding an LLM with requests that exceed its capacity, designed to exhaust its resources and disrupt its functionality.

What are some countermeasures for LLM unbounded consumption?

Methods to prevent or mitigate the risks of LLM unbounded consumption, such as input validation, rate limiting, and resource management.

Rate Limiting

Restricting the amount of requests an LLM can handle to prevent overload and resource depletion.

Sandboxing in LLMs

Separating the execution environment of an LLM from other systems to protect against malicious activities.

Watermarking for LLMs

Adding hidden markers to the output of an LLM to identify and prevent unauthorized use or reproduction.

Scalability and Graceful Degradation

Ensuring an LLM can handle a large number of requests without experiencing performance issues, and gracefully degrading performance if overwhelmed.

Study Notes

Offensive Use of AI (Part 2)

• This presentation covers the offensive use of AI, focusing on attacks targeting AI/ML systems.

Attacks to AI/ML

• AI applications have several components:
  • Data: Used to train and refine AI models.
  • Model: The core AI system, learning from data.
  • Decision-making: The model makes decisions based on learned data.
  • Outputs: The results generated by the model.
  • Model types: Own models, open-source models, hybrid models.
  • Deployment methods: Local deployment, API-accessed models via REST.
  • Frontend: User interface for interacting with the model.

Security Issues of an AI Application

• Data:
  • Data poisoning: Injecting malicious data into training sets. This manipulates the model's output, leading to incorrect or biased results.
  • Data exfiltration: Stealing sensitive data from the AI application through unauthorized access or breaches.
• Model:
  • Inherited vulnerabilities: Public/open-source models might have inherent vulnerabilities.
  • API risks: Unauthorized access, manipulation, or intellectual property theft via an API.
  • Adversarial Machine Learning: Exploiting vulnerabilities to manipulate model behavior.
• Frontend:
  • Prompt/input injection: Attackers craft malicious prompts/entries to exploit model vulnerabilities.
  • Software vulnerabilities: Common weaknesses in software can be exploited.

OWASP Top 10 for LLMs

• Open Worldwide Application Security Project (OWASP): Creates open-source resources for application security.
• OWASP Top Ten: Identifies the most critical risks in software development.
• Process: Collaboratively developed by security experts.
• Components: Data collection, risk assessment & prioritization, and community collaboration.
• Other OWASP Top 10 lists: Include Web Application Security Risks (2021), API Security Risks (2023), Mobile Security Risks (2024), and LLM Applications (2025).

LLM01. Prompt Injection

• User input manipulates LLM behavior/output in unintended ways.
• Exploits handling of prompts to generate harmful outcomes.
• Types: Direct (intentional or unintentional) and Indirect (external inputs alter behavior).
  • Jailbreaking is a specific type of prompt injection where attackers bypass safety protocols.
• Related Risks: Data disclosure, output manipulation, unauthorized access.
• Countermeasures: Constrain model behavior, validate output formats, input/output filtering, privilege control, human approval for high-risk actions, external content segregation and adversarial testing.

LLM02. Sensitive Information Disclosure

• LLMs unintentionally expose sensitive information (PII, financial, health, proprietary data).
• Related Risks: PII leakage, algorithms exposure, business data exposure.
• Countermeasures: Techniques to mask sensitive content before training, robust input validation, access controls, federated learning, homomorphic encryption, user education.

LLM03. Supply Chain

• External elements (software, tools, pre-trained models) can be manipulated.
• Attack vectors: Tampering, poisoning.
• Related risks: Outdated/deprecated components, vulnerable pre-trained models and software components, and unclear licensing risks.
• Countermeasures: Best Practices from OWASP A06:2021, regular auditing security, maintain model integrity, update assets inventory.

LLM04. Data and Model Poisoning

• Training or fine-tuning data is manipulated.
• Injection of adversarial training data.
• Impacts: Compromises model security, harmful or incorrect outputs, degraded model performance.
• Countermeasures: Tracking the data pipeline for integrity, validating providers/outputs, using Machine Learning Bill of Material (ML-BOM) tools, and Retrieval-Augmented Generation (RAG).

LLM05. Improper Output Handling

• Insufficient validation, sanitization, and handling of LLM outputs.
• Attack vectors: Remote code execution (RCE), Cross-Site Scripting (XSS), SQL Injection (SQLi), and phishing injections.
• Goal: Ensuring outputs are safe for downstream systems.
• Countermeasures: Zero-trust approach, following OWASP ASVS guidelines (input validation, output sanitization), context-aware encoding (HTML, SQL, JavaScript), and rate limiting.

LLM06. Excessive Agency

• LLM granted more functionality/permissions/autonomy than needed.
• Leads to harmful/unintended actions.
• Impact: Actions beyond the users' control, breaching security boundaries, unintentional data modification.
• Countermeasures: Limiting LLM extensions, human approval for critical actions, logging and monitoring LLM and extension activity, rate limiting, anomalous behavior analysis.

LLM07. System Prompt Leakage

• Unintended exposure of the system prompt or internal instructions.
• Vulnerable to attacks from attackers who exploit leaked sensitive information and bypass security controls.
• Countermeasures: Externalize sensitive information within prompts, implement guardrails outside of the LLM, privilege separation and regular review of system prompts.

LLM08. Vector and Embedding Weaknesses

• Vulnerabilities related to the use of Retrieval Augmented Generation (RAG).
• Risks: Data leakage, poisoning attacks, and unintended behavior shifts.
• Countermeasures: Fine-grained access control, data validation and source authentication, and monitoring of retrieval activities.

LLM09. Misinformation

• LLMs generating false or misleading information that appears credible.
• Causes: hallucinations, biases, incomplete information, overreliance.
• Risks: Security breaches, reputational harm, legal liability.
• Countermeasures: Implementing RAG (using verified data), model fine-tuning with high-quality datasets, and rigorous cross-validation and human oversight.

LLM10. Unbounded Consumption

• LLMs exploited for excessive or uncontrolled inference, depleting resources and degrading system performance.
• Malicious activities flood the model with requests, drain resources, or steal intellectual property.
• Attack types: Variable-length input flood, resource-intensive queries, denial of wallet, model extraction, functional model replication.
• Countermeasures: Input validation, rate limiting, dynamic resource management, sandboxing, and scalable infrastructure, mechanisms to detect unauthorized actions/replication.

MITRE ATLAS

• Adversarial Threat Landscape for Artificial-Intelligence Systems, a knowledge base of adversary tactics and techniques against AI-based systems.
• Derived from MITRE ATT&CK.
• Includes 14 Tactics, 91 Techniques and subtechniques.
• Contains general objectives of threat actors, specific methods for tactical goals, and best practices for mitigating attacks.

Regulations and Best Practices for AI Security

• Framework for AI Cybersecurity Practices (FAICP), from ENISA (European Union Agency for Cybersecurity): Layers I, II, and III cover general practices, AI-specific practices, and critical sector-specific practices.
• Artificial Intelligence Risk Management Framework (AI RMF 1.0), from NIST: Provides a standardized framework for managing risks.
• Artificial Intelligence Act - Regulation (EU): EU regulations regarding AI systems.

Description

This quiz delves into the offensive use of artificial intelligence, focusing on various attacks targeting AI and machine learning systems. Key components covered include data integrity, model vulnerabilities, and the security issues inherent in AI applications. Test your knowledge on the tactics and implications of these malicious actions.