advmlthreatmatrix/_nuxt/static/1648764440/navigator/state.js
2022-03-31 22:09:30 +00:00


window.__NUXT__=(function(a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,_,$,aa,ab,ac,ad,ae,af,ag,ah,ai,aj,ak,al,am,an,ao,ap,aq,ar,as,at,au,av,aw,ax,ay,az,aA,aB,aC,aD,aE,aF,aG,aH,aI,aJ,aK,aL,aM,aN,aO,aP,aQ,aR,aS,aT,aU,aV,aW,aX,aY,aZ,a_,a$,ba,bb,bc,bd,be,bf,bg,bh,bi,bj,bk,bl,bm,bn,bo,bp,bq,br,bs,bt,bu,bv,bw,bx,by,bz,bA,bB,bC,bD,bE,bF,bG,bH){B.id=X;B.name="Poison Training Data";B["object-type"]=a;B.description="Adversaries may attempt to poison datasets used by a ML model by modifying the underlying data or its labels.\nThis allows the adversary to embed vulnerabilities in ML models trained on the data that may not be easily detectable.\nData poisoning attacks may or may not require modifying the labels.\nThe embedded vulnerability is activated at a later time by data samples with an [Insert Backdoor Trigger](\u002Ftechniques\u002FAML.T0043.004)\n\nPoisoned data can be introduced via [ML Supply Chain Compromise](\u002Ftechniques\u002FAML.T0010) or the data may be poisoned after the adversary gains [Initial Access](\u002Ftactics\u002FAML.TA0004) to the system.\n";B.tactics=[b,r];E.id=ag;E.name="Backdoor ML Model";E["object-type"]=a;E.description="Adversaries may introduce a backdoor into a ML model.\nA backdoored model operates performs as expected under typical conditions, but will produce the adversary's desired output when a trigger is introduced to the input data.\nA backdoored model provides the adversary with a persistent artifact on the victim system.\nThe embedded vulnerability is typically activated at a later time by data samples with an [Insert Backdoor Trigger](\u002Ftechniques\u002FAML.T0043.004)\n";E.tactics=[r,c];E.subtechniques=[bd,bf];F.id=i;F.name="Evade ML Model";F["object-type"]=a;F.description="Adversaries can [Craft Adversarial Data](\u002Ftechniques\u002FAML.T0043) that prevent a machine learning model from correctly identifying the contents of the data.\nThis technique can be used to 
evade a downstream task where machine learning is utilized.\nThe adversary may evade machine learning based virus\u002Fmalware detection, or network scanning towards the goal of a traditional cyber attack.\n";F.tactics=[t,f];J.id=j;J.name="Search for Victim's Publicly Available Research Materials";J["object-type"]=a;J.description="Adversaries may search publicly available research to learn how and where machine learning is used within a victim organization.\nThe adversary can use this information to identify targets for attack, or to tailor an existing attack to make it more effective.\nOrganizations often use open source model architectures trained on additional proprietary data in production.\nKnowledge of this underlying architecture allows the adversary to craft more realistic proxy models ([Create Proxy ML Model](\u002Ftechniques\u002FAML.T0005)).\nAn adversary can search these resources for publications for authors employed at the victim organization.\n\nResearch materials may exist as academic papers published in [Journals and Conference Proceedings](\u002Ftechniques\u002FAML.T0000.000), or stored in [Pre-Print Repositories](\u002Ftechniques\u002FAML.T0000.001), as well as [Technical Blogs](\u002Ftechniques\u002FAML.T0000.002).\n";J.tactics=[d];J.subtechniques=[aB,aC,aE];K.id=aF;K.name="Search for Publicly Available Adversarial Vulnerability Analysis";K["object-type"]=a;K.description="Much like the [Search for Victim's Publicly Available Research Materials](\u002Ftechniques\u002FAML.T0000), there is often ample research available on the vulnerabilities of common models. Once a target has been identified, an adversary will likely try to identify any pre-existing work that has been done for this class of models.\nThis will include not only reading academic papers that may identify the particulars of a successful attack, but also identifying pre-existing implementations of those attacks. 
The adversary may [Adversarial ML Attack Implementations](\u002Ftechniques\u002FAML.T0016.000) or [Develop Adversarial ML Attack Capabilities](\u002Ftechniques\u002FAML.T0017) their own if necessary.";K.tactics=[d];L.id=M;L.name="Search Victim-Owned Websites";L["object-type"]=a;L.description="Adversaries may search websites owned by the victim for information that can be used during targeting.\nVictim-owned websites may contain technical details about their ML-enabled products or services.\nVictim-owned websites may contain a variety of details, including names of departments\u002Fdivisions, physical locations, and data about key employees such as names, roles, and contact info.\nThese sites may also have details highlighting business operations and relationships.\n\nAdversaries may search victim-owned websites to gather actionable information.\nThis information may help adversaries tailor their attacks (e.g. [Develop Adversarial ML Attack Capabilities](\u002Ftechniques\u002FAML.T0017) or [Manual Modification](\u002Ftechniques\u002FAML.T0043.003)).\nInformation from these sources may reveal opportunities for other forms of reconnaissance (e.g. 
[Search for Victim's Publicly Available Research Materials](\u002Ftechniques\u002FAML.T0000) or [Search for Publicly Available Adversarial Vulnerability Analysis](\u002Ftechniques\u002FAML.T0001))\n";L.tactics=[d];N.id=aG;N.name="Search Application Repositories";N["object-type"]=a;N.description="Adversaries may search open application repositories during targeting.\nExamples of these include Google Play, the iOS App store, the macOS App Store, and the Microsoft Store.\n\nAdversaries may craft search queries seeking applications that contain a ML-enabled components.\nFrequently, the next step is to [Acquire Public ML Artifacts](\u002Ftechniques\u002FAML.T0002).\n";N.tactics=[d];O.id="AML.T0006";O.name="Active Scanning";O["object-type"]=a;O.description="An adversary may probe or scan the victim system to gather information for targeting.\nThis is distinct from other reconnaissance techniques that do not involve direct interaction with the victim system.\n";O.tactics=[d];P.id=q;P.name="Acquire Public ML Artifacts";P["object-type"]=a;P.description="Adversaries may search public sources, including cloud storage, public-facing services, and software or data repositories, to identify machine learning artifacts.\nThese machine learning artifacts may include the software stack used to train and deploy models, training and testing data, model configurations and parameters.\nAn adversary will be particularly interested in artifacts hosted by or associated with the victim organization as they may represent what that organization uses in a production environment.\nAdversaries may identify artifact repositories via other resources associated with the victim organization (e.g. 
[Search Victim-Owned Websites](\u002Ftechniques\u002FAML.T0003) or [Search for Victim's Publicly Available Research Materials](\u002Ftechniques\u002FAML.T0000)).\nThese ML artifacts often provide adversaries with details of the ML task and approach.\n\nML artifacts can aid in an adversary's ability to [Create Proxy ML Model](\u002Ftechniques\u002FAML.T0005).\nIf these artifacts include pieces of the actual model in production, they can be used to directly [Craft Adversarial Data](\u002Ftechniques\u002FAML.T0043).\nAcquiring some artifacts requires registration (providing user details such email\u002Fname), AWS keys, or written requests, and may require the adversary to [Establish Accounts](\u002Ftechniques\u002FAML.T0021).\n\nArtifacts might be hosted on victim-controlled infrastructure, providing the victim with some information on who has accessed that data.\n";P.tactics=[b];P.subtechniques=[aI,aJ];Q.id=R;Q.name="Obtain Capabilities";Q["object-type"]=a;Q.description="Adversaries may search for and obtain software capabilities for use in their operations.\nCapabilities may be specific to ML-based attacks [Adversarial ML Attack Implementations](\u002Ftechniques\u002FAML.T0016.000) or generic software tools repurposed for malicious intent ([Software Tools](\u002Ftechniques\u002FAML.T0016.001)). In both instances, an adversary may modify or customize the capability to aid in targeting a particular ML system.";Q.tactics=[b];Q.subtechniques=[aK,aL];T.id=v;T.name="Develop Adversarial ML Attack Capabilities";T["object-type"]=a;T.description="Adversaries may develop their own adversarial attacks. They may leverage existing libraries as a starting point ([Adversarial ML Attack Implementations](\u002Ftechniques\u002FAML.T0016.000)). 
They may implement ideas described in public research papers or develop custom made attacks for the victim model.";T.tactics=[b];U.id=V;U.name="Acquire Infrastructure";U["object-type"]=a;U.description="Adversaries may buy, lease, or rent infrastructure for use throughout their operation.\nA wide variety of infrastructure exists for hosting and orchestrating adversary operations.\nInfrastructure solutions include physical or cloud servers, domains, mobile devices, and third-party web services.\nFree resources may also be used, but they are typically limited.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation.\nSolutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services.\nDepending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.\n";U.tactics=[b];U.subtechniques=[aN,aP];W.id="AML.T0019";W.name="Publish Poisoned Datasets";W["object-type"]=a;W.description="Adversaries may [Poison Training Data](\u002Ftechniques\u002FAML.T0020) and publish it to a public location.\nThe poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset.\nThis data may be introduced to a victim system via [ML Supply Chain Compromise](\u002Ftechniques\u002FAML.T0010).\n";W.tactics=[b];Y.id=aR;Y.name="Establish Accounts";Y["object-type"]=a;Y.description="Adversaries may create accounts with various services for use in targeting, to gain access to resources needed in [ML Attack Staging](\u002Ftactics\u002FAML.TA0001), or for victim impersonation.\n";Y.tactics=[b];Z.id=w;Z.name="ML Supply Chain Compromise";Z["object-type"]=a;Z.description="Adversaries may gain initial access to a system by compromising the unique portions of the ML supply chain.\nThis could include [GPU 
Hardware](\u002Ftechniques\u002FAML.T0010.000), [Data](\u002Ftechniques\u002FAML.T0010.002) and its annotations, parts of the ML [ML Software](\u002Ftechniques\u002FAML.T0010.001) stack, or the [Model](\u002Ftechniques\u002FAML.T0010.003) itself.\nIn some instances the attacker will need secondary access to fully carry out an attack using compromised components of the supply chain.\n";Z.tactics=[k];Z.subtechniques=[aT,aU,aV,aW];$.id=C;$.name="Valid Accounts";$["object-type"]=a;$.description="Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access.\nCredentials may take the form of usernames and passwords of individual user accounts or API keys that provide access to various ML resources and services.\n\nCompromised credentials may provide access to additional ML artifacts and allow the adversary to perform [Discover ML Artifacts](\u002Ftechniques\u002FAML.T0007).\nCompromised credentials may also grant and adversary increased privileges such as write access to ML artifacts used during development or production.\n";$.tactics=[k];aa.id=s;aa.name="ML Model Inference API Access";aa["object-type"]=a;aa.description="Adversaries may gain access to a model via legitimate access to the inference API.\nInference API access can be a source of information to the adversary ([Discover ML Model Ontology](\u002Ftechniques\u002FAML.T0013), [Discover ML Model Family](\u002Ftechniques\u002FAML.T0013)), a means of staging the attack ([Verify Attack](\u002Ftechniques\u002FAML.T0042), [Craft Adversarial Data](\u002Ftechniques\u002FAML.T0043)), or for introducing data to the target system for Impact ([Evade ML Model](\u002Ftechniques\u002FAML.T0015), [Erode ML Model Integrity](\u002Ftechniques\u002FAML.T0031)).\n";aa.tactics=[e];ab.id=D;ab.name="ML-Enabled Product or Service";ab["object-type"]=a;ab.description="Adversaries may use a product or service that uses machine learning under the hood to gain access to the underlying machine learning 
model.\nThis type of indirect model access may reveal details of the ML model or its inferences in logs or metadata.\n";ab.tactics=[e];ac.id=ad;ac.name="Physical Environment Access";ac["object-type"]=a;ac.description="In addition to the attacks that take place purely in the digital domain, adversaries may also exploit the physical environment for their attacks.\nIf the model is interacting with data collected from the real world in some way, the adversary can influence the model through access to wherever the data is being collected.\nBy modifying the data in the collection process, the adversary can perform modified versions of attacks designed for digital access.\n";ac.tactics=[e];ae.id=aZ;ae.name="Full ML Model Access";ae["object-type"]=a;ae.description="Adversaries may gain full \"white-box\" access to a machine learning model.\nThis means the adversary has complete knowledge of the model architecture, its parameters, and class ontology.\nThey may exfiltrate the model to [Craft Adversarial Data](\u002Ftechniques\u002FAML.T0043) and [Verify Attack](\u002Ftechniques\u002FAML.T0042) in an offline where it is hard to detect their behavior.\n";ae.tactics=[e];af.id=ba;af.name="User Execution";af["object-type"]=a;af.description="An adversary may rely upon specific actions by a user in order to gain execution.\nUsers may inadvertently execute unsafe code introduced via [ML Supply Chain Compromise](\u002Ftechniques\u002FAML.T0010).\nUsers may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link.\n";af.tactics=[a$];af.subtechniques=[bb];ah.id=bi;ah.name="Discover ML Model Ontology";ah["object-type"]=a;ah.description="Adversaries may discover the ontology of a machine learning model's output space, for example, the types of objects a model can detect.\nThe adversary may discovery the ontology by repeated queries to the model, forcing it to enumerate its output space.\nOr the ontology may be 
discovered in a configuration file or in documentation about the model.\n\nThe model ontology helps the adversary understand how the model is being used by the victim.\nIt is useful to the adversary in creating targeted attacks.\n";ah.tactics=[x];ai.id="AML.T0014";ai.name="Discover ML Model Family";ai["object-type"]=a;ai.description="Adversaries may discover the general family of model.\nGeneral information about the model may be revealed in documentation, or the adversary may used carefully constructed examples and analyze the model's responses to categorize it.\n\nKnowledge of the model family can help the adversary identify means of attacking the model and help tailor the attack.\n";ai.tactics=[x];aj.id="AML.T0007";aj.name="Discover ML Artifacts";aj["object-type"]=a;aj.description="Adversaries may search private sources to identify machine learning artifacts that exist on the system and gather information about them.\nThese artifacts can include the software stack used to train and deploy models, training and testing data management systems, container registries, software repositories, and model zoos.\n\nThis information can be used to identify targets for further collection, exfiltration, or disruption, and to tailor and improve attacks.\n";aj.tactics=[x];ak.id=bk;ak.name="ML Artifact Collection";ak["object-type"]=a;ak.description="Adversaries may collect ML artifacts for [Exfiltration](\u002Ftactics\u002FAML.TA0010) or for use in [ML Attack Staging](\u002Ftactics\u002FAML.TA0001).\nML artifacts include models and datasets as well as other telemetry data produced when interacting with a model.\n";ak.tactics=[y];al.id=bl;al.name="Data from Information Repositories";al["object-type"]=a;al.description="Adversaries may leverage information repositories to mine valuable information.\nInformation repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of 
data that may aid adversaries in further objectives, or direct access to the target information.\n\nInformation stored in a repository may vary based on the specific instance or environment.\nSpecific common information repositories include Sharepoint, Confluence, and enterprise databases such as SQL Server.\n";al.tactics=[y];am.id=l;am.name="Create Proxy ML Model";am["object-type"]=a;am.description="Adversaries may obtain models to serve as proxies for the target model in use at the victim organization.\nProxy models are used to simulate complete access to the target model in a fully offline manner.\n\nAdversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.\n";am.tactics=[c];am.subtechniques=[bn,bo,bq];an.id=z;an.name="Verify Attack";an["object-type"]=a;an.description="Adversaries can verify the efficacy of their attack via an inference API or access to an offline copy of the target model.\nThis gives the adversary confidence that their approach works and allows them to carry out the attack at a later time of their choosing.\nThe adversary may verify the attack once but use it against many edge devices running copies of the target model.\nThe adversary may verify their attack digitally, then deploy it in the [Physical Environment Access](\u002Ftechniques\u002FAML.T0041) at a later time.\nVerifying the attack may be hard to detect since the adversary can use a minimal number of queries or an offline copy of the model.\n";an.tactics=[c];ao.id=p;ao.name="Craft Adversarial Data";ao["object-type"]=a;ao.description="Adversarial data are inputs to a machine learning model that have been modified such that they cause the adversary's desired effect in the target model.\nEffects can range from misclassification, to missed detections, to maximising energy consumption.\nTypically, the modification is constrained in magnitude or location so that a human still perceives the data as 
if it were unmodified, but human perceptibility may not always be a concern depending on the adversary's intended effect.\nFor example, an adversarial input for an image classification task is an image the machine learning model would misclassify, but a human would still recognize as containing the correct class.\n\nDepending on the adversary's knowledge of and access to the target model, the adversary may use different classes of algorithms to develop the adversarial example such as [White-Box Optimization](\u002Ftechniques\u002FAML.T0043.000), [Black-Box Optimization](\u002Ftechniques\u002FAML.T0043.001), [Black-Box Transfer](\u002Ftechniques\u002FAML.T0043.002), or [Manual Modification](\u002Ftechniques\u002FAML.T0043.003).\n\nThe adversary may [Verify Attack](\u002Ftechniques\u002FAML.T0042) their approach works if they have white-box or inference API access to the model.\nThis allows the adversary to gain confidence their attack is effective \"live\" environment where their attack may be noticed.\nThey can then use the attack at a later time to accomplish their goals.\nAn adversary may optimize adversarial examples for [Evade ML Model](\u002Ftechniques\u002FAML.T0015), or to [Erode ML Model Integrity](\u002Ftechniques\u002FAML.T0031).\n";ao.tactics=[c];ao.subtechniques=[br,bs,bt,bu,bv];as.id=I;as.name="Exfiltration via ML Inference API";as["object-type"]=a;as.description="Adversaries may exfiltrate private information via [ML Model Inference API Access](\u002Ftechniques\u002FAML.T0040).\nML Models have been shown leak private information about their training data (e.g. 
[Infer Training Data Membership](\u002Ftechniques\u002FAML.T0024.000), [Invert ML Model](\u002Ftechniques\u002FAML.T0024.001)).\nThe model itself may also be extracted ([Extract ML Model](\u002Ftechniques\u002FAML.T0024.002)) for the purposes of [ML Intellectual Property Theft](\u002Ftechniques\u002FAML.T0045).\n\nExfiltration of information relating to private training data raises privacy concerns.\nPrivate training data may include personally identifiable information, or other protected data.\n";as.tactics=[ar];as.subtechniques=[by,bz,bA];at.id="AML.T0025";at.name="Exfiltration via Cyber Means";at["object-type"]=a;at.description="Adversaries may exfiltrate ML artifacts or other information relevant to their goals via traditional cyber means.\n\nSee the ATT&CK [Exfiltration](https:\u002F\u002Fattack.mitre.org\u002Ftactics\u002FTA0010\u002F) tactic for more information.\n";at.tactics=[ar];au.id="AML.T0029";au.name="Denial of ML Service";au["object-type"]=a;au.description="Adversaries may target machine learning systems with a flood of requests for the purpose of degrading or shutting down the service.\nSince many machine learning systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded.\nAdversaries can intentionally craft inputs that require heavy amounts of useless compute from the machine learning system.\n";au.tactics=[f];av.id="AML.T0046";av.name="Spamming ML System with Chaff Data";av["object-type"]=a;av.description="Adversaries may spam the machine learning system with chaff data that causes increase in the number of detections.\nThis can cause analysts at the victim organization to waste time reviewing and correcting incorrect inferences.\n";av.tactics=[f];aw.id=bC;aw.name="Erode ML Model Integrity";aw["object-type"]=a;aw.description="Adversaries may degrade the target model's performance with adversarial data inputs to erode confidence in the system over time.\nThis can lead to the victim 
organization wasting time and money both attempting to fix the system and performing the tasks it was meant to automate by hand.\n";aw.tactics=[f];ax.id="AML.T0034";ax.name="Cost Harvesting";ax["object-type"]=a;ax.description="Adversaries may target different machine learning services to send useless queries or computationally expensive inputs to increase the cost of running services at the victim organization.\nSponge examples are a particular type of adversarial data designed to maximize energy consumption and thus operating cost.\n";ax.tactics=[f];ay.id=bD;ay.name="ML Intellectual Property Theft";ay["object-type"]=a;ay.description="Adversaries may exfiltrate ML artifacts to steal intellectual property and cause economic harm to the victim organization.\n\nProprietary training data is costly to collect and annotate and may be a target for [Exfiltration](\u002Ftactics\u002FAML.TA0010) and theft.\n\nMLaaS providers charge for use of their API.\nAn adversary who has stolen a model via [Exfiltration](\u002Ftactics\u002FAML.TA0010) or via [Extract ML Model](\u002Ftechniques\u002FAML.T0024.002) now has unlimited use of that service without paying the owner of the intellectual property.\n";ay.tactics=[f];aA.id=d;aA.name="Reconnaissance";aA["object-type"]=h;aA.description="The adversary is trying to gather information they can use to plan\nfuture operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting.\nSuch information may include details of the victim organizations machine learning capabilities and research efforts.\nThis information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to obtain relevant ML artifacts, targeting ML capabilities used by the victim, tailoring attacks to the particular models used by the victim, or to drive and lead further Reconnaissance 
efforts.\n";aA.techniques=[J,K,L,N,O];aB.id="AML.T0000.000";aB.name="Journals and Conference Proceedings";aB["object-type"]=a;aB.description="Many of the publications accepted at premier machine learning conferences and journals come from commercial labs.\nSome journals and conferences are open access, others may require paying for access or a membership.\nThese publications will often describe in detail all aspects of a particular approach for reproducibility.\nThis information can be used by adversaries to implement the paper.\n";aB["subtechnique-of"]=j;aC.id=aD;aC.name="Pre-Print Repositories";aC["object-type"]=a;aC.description="Pre-Print repositories, such as arXiv, contain the latest academic research papers that haven't been peer reviewed.\nThey may contain research notes, or technical reports that aren't typically published in journals or conference proceedings.\nPre-print repositories also serve as a central location to share papers that have been accepted to journals.\nSearching pre-print repositories provide adversaries with a relatively up-to-date view of what researchers in the victim organization are working on.\n";aC["subtechnique-of"]=j;aE.id="AML.T0000.002";aE.name="Technical Blogs";aE["object-type"]=a;aE.description="Research labs at academic institutions and Company R&D divisions often have blogs that highlight their use of machine learning and its application to the organizations unique problems.\nIndividual researchers also frequently document their work in blogposts.\nAn adversary may search for posts made by the target victim organization or its employees.\nIn comparison to [Journals and Conference Proceedings](\u002Ftechniques\u002FAML.T0000.000) and [Pre-Print Repositories](\u002Ftechniques\u002FAML.T0000.001) this material will often contain more practical aspects of the machine learning system.\nThis could include underlying technologies and frameworks used, and possibly some information about the API access and use case.\nThis will help 
the adversary better understand how that organization is using machine learning internally and the details of their approach that could aid in tailoring an attack.\n";aE["subtechnique-of"]=j;aH.id=b;aH.name="Resource Development";aH["object-type"]=h;aH.description="The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating,\npurchasing, or compromising\u002Fstealing resources that can be used to support targeting.\nSuch resources include machine learning artifacts, infrastructure, accounts, or capabilities.\nThese resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as ML Attack Staging.\n";aH.techniques=[P,Q,T,U,W,B,Y];aI.id=o;aI.name="Datasets";aI["object-type"]=a;aI.description="Adversaries may collect public datasets to use in their operations.\nDatasets used by the victim organization or datasets that are representative of the data used by the victim organization may be valuable to adversaries.\nDatasets can be stored in cloud storage, or on victim-owned websites.\nSome datasets require the adversary to [Establish Accounts](\u002Ftechniques\u002FAML.T0021) for access.\n\nAcquired datasets help the adversary advance their operations, stage attacks, and tailor attacks to the victim organization.\n";aI["subtechnique-of"]=q;aJ.id=A;aJ.name="Models";aJ["object-type"]=a;aJ.description="Adversaries may acquire public models to use in their operations.\nAdversaries may seek models used by the victim organization or models that are representative of those used by the victim organization.\nRepresentative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset.\nThe adversary may search public sources for common model architecture configuration file formats such as yaml or python configuration files, and common model storage file 
formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite).\n\nAcquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.\n";aJ["subtechnique-of"]=q;aK.id=S;aK.name="Adversarial ML Attack Implementations";aK["object-type"]=a;aK.description="Adversaries may search for existing open source implementations of machine learning attacks. The research community often publishes their code for reproducibility and to further future research. Libraries intended for research purposes, such as CleverHans, the Adversarial Robustness Toolbox, and FoolBox, can be weaponized by an adversary. Adversaries may also obtain and use tools that were not originally designed for adversarial ML attacks as part of their attack.";aK["subtechnique-of"]=R;aL.id=aM;aL.name="Software Tools";aL["object-type"]=a;aL.description="Adversaries may search for and obtain software tools to support their operations. Software designed for legitimate use may be repurposed by an adversary for malicious intent. An adversary may modify or customize software tools to achieve their purpose. 
Software tools used to support attacks on ML systems are not necessarily ML-based themselves.\n";aL["subtechnique-of"]=R;aN.id=aO;aN.name="ML Development Workspaces";aN["object-type"]=a;aN.description="Developing and staging machine learning attacks often requires expensive compute resources.\nAdversaries may need access to one or many GPUs in order to develop an attack.\nThey may try to anonymously use free resources such as Google Colaboratory, or cloud resources such as AWS, Azure, or Google Cloud as an efficient way to stand up temporary resources to conduct operations.\nMultiple workspaces may be used to avoid detection.\n";aN["subtechnique-of"]=V;aP.id=aQ;aP.name="Consumer Hardware";aP["object-type"]=a;aP.description="Adversaries may acquire consumer hardware to conduct their attacks.\nOwning the hardware provides the adversary with complete control of the environment. These devices can be hard to trace.\n";aP["subtechnique-of"]=V;aS.id=k;aS.name="Initial Access";aS["object-type"]=h;aS.description="The adversary is trying to gain access to the system containing machine learning artifacts.\n\nThe target system could be a network, mobile device, or an edge device such as a sensor platform.\nThe machine learning capabilities used by the system could be local with onboard or cloud enabled ML capabilities.\n\nInitial Access consists of techniques that use various entry vectors to gain their initial foothold within the system.\n";aS.techniques=[Z,$];aT.id="AML.T0010.000";aT.name="GPU Hardware";aT["object-type"]=a;aT.description="Most machine learning systems require access to certain specialized hardware, typically GPUs.\nAdversaries can target machine learning systems by specifically targeting the GPU supply chain.\n";aT["subtechnique-of"]=w;aU.id="AML.T0010.001";aU.name="ML Software";aU["object-type"]=a;aU.description="Most machine learning systems rely on a limited set of machine learning frameworks.\nAn adversary could get access to a large number of machine 
learning systems through a comprise of one of their supply chains.\nMany machine learning projects also rely on other open source implementations of various algorithms.\nThese can also be compromised in a targeted way to get access to specific systems.\n";aU["subtechnique-of"]=w;aV.id=_;aV.name="Data";aV["object-type"]=a;aV.description="Data is a key vector of supply chain compromise for adversaries.\nEvery machine learning project will require some form of data.\nMany rely on large open source datasets that are publicly available.\nAn adversary could rely on compromising these sources of data.\nThe malicious data could be a result of [Poison Training Data](\u002Ftechniques\u002FAML.T0020) or include traditional malware.\n\nAn adversary can also target private datasets in the labeling phase.\nThe creation of private datasets will often require the hiring of outside labeling services.\nAn adversary can poison a dataset by modifying the labels being generated by the labeling service.\n";aV["subtechnique-of"]=w;aW.id=aX;aW.name="Model";aW["object-type"]=a;aW.description="Machine learning systems often rely on open sourced models in various ways.\nMost commonly, the victim organization may be using these models for fine tuning.\nThese models will be downloaded from an external source and then used as the base for the model as it is tuned on a smaller, private dataset.\nLoading models often requires executing some saved code in the form of a saved model file.\nThese can be compromised with traditional malware, or through some adversarial machine learning techniques.\n";aW["subtechnique-of"]=w;aY.id=e;aY.name="ML Model Access";aY["object-type"]=h;aY.description="An adversary is attempting to gain some level of access to a machine learning model.\n\nML Model Access consists of techniques that use various types of access to the machine learning model that can be used by the adversary to gain information, develop attacks, and as a means to input data to the model.\nThe 
level of access can range from the full knowledge of the internals of the model to access to the physical environment where data is collected for use in the machine learning model.\nThe adversary may use varying levels of model access during the course of their attack, from staging the attack to impacting the target system.\n";aY.techniques=[aa,ab,ac,ae];a_.id=a$;a_.name="Execution";a_["object-type"]=h;a_.description="The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system.\nTechniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.\nFor example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.\n";a_.techniques=[af];bb.id="AML.T0011.000";bb.name="Unsafe ML Artifacts";bb["object-type"]=a;bb.description="Adversaries may develop unsafe ML artifacts that when executed have a deleterious effect.\nThe adversary can use this technique to establish persistent access to systems.\nThese models may be introduced via an [ML Supply Chain Compromise](\u002Ftechniques\u002FAML.T0010).\n\nSerialization of models is a popular technique for model storage, transfer, and loading.\nHowever, many serialization formats execute embedded code when a model is loaded, so deserializing a model file from an untrusted source without verifying its integrity and provenance presents an opportunity for arbitrary code execution.\n";bb["subtechnique-of"]=ba;bc.id=r;bc.name="Persistence";bc["object-type"]=h;bc.description="The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.\nTechniques used for persistence often involve leaving behind modified ML artifacts such as poisoned training data or backdoored ML models.\n";bc.techniques=[B,E];bd.id=be;bd.name="Poison ML Model";bd["object-type"]=a;bd.description="Adversaries 
may introduce a backdoor by training the model on poisoned data, or by interfering with its training process.\nThe model learns to associate an adversary-defined trigger with the adversary's desired output.\n";bd["subtechnique-of"]=ag;bf.id="AML.T0018.001";bf.name="Inject Payload";bf["object-type"]=a;bf.description="Adversaries may introduce a backdoor into a model by injecting a payload into the model file.\nThe payload detects the presence of the trigger and bypasses the model, instead producing the adversary's desired output.\n";bf["subtechnique-of"]=ag;bg.id=t;bg.name="Defense Evasion";bg["object-type"]=h;bg.description="The adversary is trying to avoid being detected by security software.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise.\nTechniques used for defense evasion include evading ML-enabled security software such as malware detectors.\n";bg.techniques=[F];bh.id=x;bh.name="Discovery";bh["object-type"]=h;bh.description="The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network.\nThese techniques help adversaries observe the environment and orient themselves before deciding how to act.\nThey also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective.\nNative operating system tools are often used toward this post-compromise information-gathering objective.\n";bh.techniques=[ah,ai,aj];bj.id=y;bj.name="Collection";bj["object-type"]=h;bj.description="The adversary is trying to gather ML artifacts and other related information relevant to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives.\nFrequently, the next goal after collecting data is to 
steal (exfiltrate) the ML artifacts, or use the collected information to stage future operations.\nCommon target sources include software repositories, container registries, model repositories, and object stores.\n";bj.techniques=[ak,al];bm.id=c;bm.name="ML Attack Staging";bm["object-type"]=h;bm.description="An adversary is leveraging their knowledge of and access to the target system to tailor the attack.\n\nML Attack Staging consists of techniques adversaries use to prepare their attack on the target ML model.\nTechniques can include training proxy models, poisoning the target model, and crafting adversarial data to feed the target model.\nSome of these techniques can be performed in an offline manner, without touching the target system, and are thus difficult to detect or mitigate.\nThese techniques are often used to achieve the adversary's end goal.\n";bm.techniques=[am,E,an,ao];bn.id="AML.T0005.000";bn.name="Train Proxy via Gathered ML Artifacts";bn["object-type"]=a;bn.description="Proxy models may be trained from ML artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary.\nThis can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.\n";bn["subtechnique-of"]=l;bo.id=bp;bo.name="Train Proxy via Replication";bo["object-type"]=a;bo.description="Adversaries may replicate a private model.\nBy repeatedly querying the victim's [ML Model Inference API Access](\u002Ftechniques\u002FAML.T0040), the adversary can collect the target model's inferences into a dataset.\nThe inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.\n\nA replicated model that closely mimics the target model is a valuable resource in staging the attack.\nThe adversary can use the replicated model to [Craft Adversarial 
Data](\u002Ftechniques\u002FAML.T0043) for various purposes (e.g. [Evade ML Model](\u002Ftechniques\u002FAML.T0015), [Spamming ML System with Chaff Data](\u002Ftechniques\u002FAML.T0046)).\n";bo["subtechnique-of"]=l;bq.id="AML.T0005.002";bq.name="Use Pre-Trained Model";bq["object-type"]=a;bq.description="Adversaries may use an off-the-shelf pre-trained model as a proxy for the victim model to aid in staging the attack.\n";bq["subtechnique-of"]=l;br.id=G;br.name="White-Box Optimization";br["object-type"]=a;br.description="In White-Box Optimization, the adversary has full access to the target model and optimizes the adversarial example directly.\nAdversarial examples trained in this manner are most effective against the target model.\n";br["subtechnique-of"]=p;bs.id=ap;bs.name="Black-Box Optimization";bs["object-type"]=a;bs.description="In Black-Box attacks, the adversary has black-box (i.e. [ML Model Inference API Access](\u002Ftechniques\u002FAML.T0040) via API access) access to the target model.\nWith black-box attacks, the adversary may be using an API that the victim is monitoring, so the large number of queries these attacks require can itself be a detection signal for the defender.\nThese attacks are generally less effective and require more inferences than [White-Box Optimization](\u002Ftechniques\u002FAML.T0043.000) attacks, but they require much less access.\n";bs["subtechnique-of"]=p;bt.id=H;bt.name="Black-Box Transfer";bt["object-type"]=a;bt.description="In Black-Box Transfer attacks, the adversary uses one or more proxy models (trained via [Create Proxy ML Model](\u002Ftechniques\u002FAML.T0005) or [Train Proxy via Replication](\u002Ftechniques\u002FAML.T0005.001)) that they have full access to and that are representative of the target model.\nThe adversary uses [White-Box Optimization](\u002Ftechniques\u002FAML.T0043.000) on the proxy models to generate adversarial examples.\nIf the set of proxy models is close enough to the target model, the adversarial example should generalize from one to another.\nThis means that an attack that works for the proxy models 
will likely then work for the target model.\nIf the adversary has [ML Model Inference API Access](\u002Ftechniques\u002FAML.T0040), they may use that access to [Verify Attack](\u002Ftechniques\u002FAML.T0042) that the attack is working and incorporate that information into their training process.\n";bt["subtechnique-of"]=p;bu.id=aq;bu.name="Manual Modification";bu["object-type"]=a;bu.description="Adversaries may manually modify the input data to craft adversarial data.\nThey may use their knowledge of the target model to modify parts of the data they suspect helps the model in performing its task.\nThe adversary may use trial and error until they are able to verify they have a working adversarial input.\n";bu["subtechnique-of"]=p;bv.id=bw;bv.name="Insert Backdoor Trigger";bv["object-type"]=a;bv.description="The adversary may add a perceptual trigger into inference data.\nThe trigger may be imperceptible or non-obvious to humans.\nThis technique is used in conjunction with [Poison ML Model](\u002Ftechniques\u002FAML.T0018.000) and allows the adversary to produce their desired effect in the target model.\n";bv["subtechnique-of"]=p;bx.id=ar;bx.name="Exfiltration";bx["object-type"]=h;bx.description="The adversary is trying to steal machine learning artifacts.\n\nExfiltration consists of techniques that adversaries may use to steal data from your network.\nData may be stolen for its valuable intellectual property, or for use in staging future operations.\n\nTechniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.\n";bx.techniques=[as,at];by.id="AML.T0024.000";by.name="Infer Training Data Membership";by["object-type"]=a;by.description="Adversaries may infer the membership of a data sample in its training set, which raises privacy concerns.\nSome strategies make use of a shadow model that could be obtained via [Train Proxy via 
Replication](\u002Ftechniques\u002FAML.T0005.001), others use statistics of model prediction scores.\n\nThis can cause the victim model to leak private information, such as PII of those in the training set or other forms of protected IP.\n";by["subtechnique-of"]=I;bz.id="AML.T0024.001";bz.name="Invert ML Model";bz["object-type"]=a;bz.description="Machine learning models' training data could be reconstructed by exploiting the confidence scores that are available via an inference API.\nBy querying the inference API strategically, adversaries can back out potentially private information embedded within the training data.\nThis could lead to privacy violations if the attacker can reconstruct the data of sensitive features used in the algorithm.\n";bz["subtechnique-of"]=I;bA.id="AML.T0024.002";bA.name="Extract ML Model";bA["object-type"]=a;bA.description="Adversaries may extract a functional copy of a private model.\nBy repeatedly querying the victim's [ML Model Inference API Access](\u002Ftechniques\u002FAML.T0040), the adversary can collect the target model's inferences into a dataset.\nThe inferences are used as labels for training a separate model offline that will mimic the behavior and performance of the target model.\n\nAdversaries may extract the model to avoid paying per query in a machine learning as a service setting.\nModel extraction is used for [ML Intellectual Property Theft](\u002Ftechniques\u002FAML.T0045).\n";bA["subtechnique-of"]=I;bB.id=f;bB.name="Impact";bB["object-type"]=h;bB.description="The adversary is trying to manipulate, interrupt, erode confidence in, or destroy your systems and data.\n\nImpact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.\nTechniques used for impact can include destroying or tampering with data.\nIn some cases, business processes can look fine, but may have been altered to benefit the adversaries' goals.\nThese techniques might 
be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.\n";bB.techniques=[F,au,av,aw,ax,ay];return {staticAssetsBase:"\u002F_nuxt\u002Fstatic\u002F1648764440",layout:"default",error:n,state:{data:{tactics:[aA,aH,aS,aY,a_,bc,bg,bh,bj,bm,bx,bB],techniques:[J,aB,aC,aE,K,L,N,O,P,aI,aJ,Q,aK,aL,T,U,aN,aP,W,Z,aT,aU,aV,aW,aa,ab,ac,ae,ah,ai,B,Y,am,bn,bo,bq,aj,af,bb,$,F,E,bd,bf,as,by,bz,bA,at,au,av,aw,ax,ak,al,an,ao,br,bs,bt,bu,bv,ay],techandsubtechniques:[J,K,L,N,O,P,Q,T,U,W,Z,aa,ab,ac,ae,ah,ai,B,Y,am,aj,af,$,F,E,as,at,au,av,aw,ax,ak,al,an,ao,ay],studies:[{id:"AML.CS0000",name:"Evasion of Deep Learning Detector for Malware C&C Traffic","object-type":g,summary:"Palo Alto Networks Security AI research team tested a deep learning model for malware command and control (C&C) traffic detection in HTTP traffic.\nBased on the publicly available paper by Le et al. [1], we built a model that was trained on a similar dataset as our production model and had performance similar to it.\nThen we crafted adversarial samples and queried the model and adjusted the adversarial sample accordingly till the model was evaded.\n","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:d,technique:aD,description:"We identified a machine learning based approach to malicious URL detection as a representative approach and potential target from the paper \"URLNet: Learning a URL representation with deep learning for malicious URL detection\" [1], which was found on arXiv (a pre-print repository).\n"},{tactic:b,technique:o,description:"We acquired a similar dataset to the target production model.\n"},{tactic:c,technique:l,description:"We built a model that was trained on a similar dataset as the production model.\nWe trained the model on ~ 33 million benign and ~ 27 million malicious HTTP packet headers.\nEvaluation showed a true positive rate of ~ 99% and false positive rate of ~0.01%, on average.\nTesting the model 
with an HTTP packet header from known malware command and control traffic samples showed it was detected as malicious with high confidence (\u003E 99%).\n"},{tactic:c,technique:aq,description:"We crafted evasion samples by removing fields from the packet header which are typically not used for C&C communication (e.g. cache-control, connection, etc.)\n"},{tactic:c,technique:z,description:"We queried the model with our adversarial examples and adjusted them until the model was evaded.\n"},{tactic:t,technique:i,description:"With the crafted samples we performed online evasion of the ML-based spyware detection model.\nThe crafted packets were identified as benign with \u003E80% confidence.\nThis evaluation demonstrates that adversaries are able to bypass advanced ML detection techniques, by crafting samples that are misclassified by an ML model.\n"}],"reported-by":bE,references:[{title:"Le, Hung, et al. \"URLNet: Learning a URL representation with deep learning for malicious URL detection.\" arXiv preprint arXiv:1802.03162 (2018).",url:"https:\u002F\u002Farxiv.org\u002Fabs\u002F1802.03162"}]},{id:"AML.CS0001",name:"Botnet Domain Generation Algorithm (DGA) Detection Evasion","object-type":g,summary:"The Palo Alto Networks Security AI research team was able to bypass a Convolutional Neural Network (CNN)-based botnet Domain Generation Algorithm (DGA) detection [1] by domain name mutations.\nIt is a generic domain mutation technique which can evade most ML-based DGA detection modules.\nThe generic mutation technique can also be used to test the effectiveness and robustness of all DGA detection methods developed by security companies in the industry before it is deployed to the production environment.\n","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:d,technique:j,description:"DGA detection is a widely used technique to detect botnets in academia and industry.\nThe researchers searched for research papers related to DGA 
detection.\n"},{tactic:b,technique:q,description:"The researchers acquired a publicly available CNN-based DGA detection model [1] and tested against a well-known DGA generated domain name data sets, which includes ~50 million domain names from 64 botnet DGA families.\nThe CNN-based DGA detection model shows more than 70% detection accuracy on 16 (~25%) botnet DGA families.\n"},{tactic:b,technique:v,description:"The researchers developed a generic mutation technique that requires a minimal number of iterations.\n"},{tactic:c,technique:ap,description:"The researchers used the mutation technique to generate evasive domain names.\n"},{tactic:c,technique:z,description:"Experiment results show that, after only one string is inserted once to the DGA generated domain names, the detection rate of all 16 botnet DGA families can drop to less than 25% detection accuracy.\n"},{tactic:t,technique:i,description:"The DGA generated domain names mutated with this technique successfully evade the target DGA Detection model, allowing an adversary to continue communication with their [Command and Control](https:\u002F\u002Fattack.mitre.org\u002Ftactics\u002FTA0011\u002F) servers.\n"}],"reported-by":bE,references:[{title:"[1] Yu, Bin, Jie Pan, Jiaming Hu, Anderson Nascimento, and Martine De Cock. \"Character level based detection of DGA domain names.\" In 2018 International Joint Conference on Neural Networks (IJCNN), pp. 1-8. IEEE, 2018. 
Source code is available from Github: https:\u002F\u002Fgithub.com\u002Fmatthoffman\u002Fdegas",url:"https:\u002F\u002Fgithub.com\u002Fmatthoffman\u002Fdegas"}]},{id:"AML.CS0002",name:"VirusTotal Poisoning","object-type":g,summary:"An increase in reports of a certain ransomware family that was out of the ordinary was noticed.\nIn investigating the case, it was observed that many samples of that particular ransomware family were submitted through a popular Virus-Sharing platform within a short amount of time.\nFurther investigation revealed that based on string similarity, the samples were all equivalent, and based on code similarity they were between 98 and 74 percent similar.\nInterestingly enough, the compile time was the same for all the samples.\nAfter more digging, the discovery was made that someone used 'metame' a metamorphic code manipulating tool to manipulate the original file towards mutant variants.\nThe variants wouldn't always be executable but still classified as the same ransomware family.\n","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:b,technique:S,description:"The actor obtained [metame](https:\u002F\u002Fgithub.com\u002Fa0rtega\u002Fmetame), a simple metamorphic code engine for arbitrary executables.\n"},{tactic:c,technique:p,description:"The actor used a malware sample from a prevalent ransomware family as a start to create 'mutant' variants.\n"},{tactic:k,technique:_,description:"The actor uploaded \"mutant\" samples to the platform.\n"},{tactic:r,technique:X,description:"Several vendors started to classify the files as the ransomware family even though most of them won't run.\nThe \"mutant\" samples poisoned the dataset the ML model(s) use to identify and classify this ransomware family.\n"}],"reported-by":"Christiaan Beek (@ChristiaanBeek) - McAfee Advanced Threat Research",references:n},{id:"AML.CS0003",name:"Bypassing Cylance's AI Malware Detection","object-type":g,summary:"Researchers at 
Skylight were able to create a universal bypass string that\nwhen appended to a malicious file evades detection by Cylance's AI Malware detector.\n","incident-date":new Date(1567814400000),"incident-date-granularity":m,procedure:[{tactic:d,technique:M,description:"The researchers read publicly available information about Cylance's AI Malware detector.\n"},{tactic:e,technique:D,description:"The researchers used Cylance's AI Malware detector and enabled verbose logging to understand the inner workings of the ML model, particularly around reputation scoring.\n"},{tactic:b,technique:v,description:"The researchers used the reputation scoring information to reverse engineer which attributes provided what level of positive or negative reputation.\nAlong the way, they discovered a secondary model which was an override for the first model.\nPositive assessments from the second model overrode the decision of the core ML model.\n"},{tactic:c,technique:aq,description:"Using this knowledge, the researchers fused attributes of known good files with malware to manually create adversarial malware.\n"},{tactic:t,technique:i,description:"Due to the secondary model overriding the primary, the researchers were effectively able to bypass the ML model.\n"}],"reported-by":"Research and work by Adi Ashkenazy, Shahar Zini, and Skylight Cyber team. 
Notified to us by Ken Luu (@devianz_)",references:[{title:"Skylight Cyber Blog Post, \"Cylance, I Kill You!\"",url:"https:\u002F\u002Fskylightcyber.com\u002F2019\u002F07\u002F18\u002Fcylance-i-kill-you\u002F"}]},{id:"AML.CS0004",name:"Camera Hijack Attack on Facial Recognition System","object-type":g,summary:"This type of attack can break through the traditional liveness detection model\nand cause the misuse of face recognition.\n","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:b,technique:aQ,description:"The attackers bought customized low-end mobile phones.\n"},{tactic:b,technique:aM,description:"The attackers obtained customized Android ROMs and a virtual camera application.\n"},{tactic:b,technique:S,description:"The attackers obtained software that turns static photos into videos, adding realistic effects such as blinking eyes.\n"},{tactic:y,technique:bl,description:"The attackers collected user identity information and face photos.\n"},{tactic:b,technique:aR,description:"The attackers registered accounts with the victims' identity information.\n"},{tactic:e,technique:D,description:"The attackers used the virtual camera app to present the generated video, in place of a live camera feed, to the ML-based facial recognition product used for user verification.\n"},{tactic:f,technique:i,description:"The attackers successfully evaded the face recognition system and impersonated the victim.\n"}],"reported-by":"Henry Xuef, Ant Group AISEC Team",references:n},{id:"AML.CS0005",name:"Attack on Machine Translation Service - Google Translate, Bing Translator, and Systran Translate","object-type":g,summary:"Machine translation services (such as Google Translate, Bing Translator, and Systran Translate) provide public-facing UIs and APIs.\nA research group at UC Berkeley utilized these public endpoints to create a replicated model with near-production, state-of-the-art translation quality.\nBeyond demonstrating that IP can be stolen from a black-box system, they used the 
replicated model to successfully transfer adversarial examples to the real production services.\nThese adversarial inputs successfully cause targeted word flips, vulgar outputs, and dropped sentences on Google Translate and Systran Translate websites.\n","incident-date":new Date(1588204800000),"incident-date-granularity":m,procedure:[{tactic:d,technique:j,description:"The researchers used published research papers to identify the datasets and model architectures used by the target translation services.\n"},{tactic:b,technique:o,description:"The researchers gathered similar datasets that the target translation services used.\n"},{tactic:b,technique:A,description:"The researchers gathered similar model architectures that the target translation services used.\n"},{tactic:e,technique:s,description:"They abuse a public facing application to query the model and produce machine translated sentence pairs as training data.\n"},{tactic:c,technique:bp,description:"Using these translated sentence pairs, the researchers trained a model that replicates the behavior of the target model.\n"},{tactic:f,technique:bD,description:"By replicating the model with high fidelity, the researchers demonstrated that an adversary could steal a model and violate the victim's intellectual property rights.\n"},{tactic:c,technique:H,description:"The replicated models were used to generate adversarial examples that successfully transferred to the black-box translation services.\n"},{tactic:f,technique:i,description:"The adversarial examples were used to evade the machine translation services.\n"}],"reported-by":"Work by Eric Wallace, Mitchell Stern, Dawn Song and reported by Kenny Song (@helloksong)",references:[{title:"Wallace, Eric, et al. 
\"Imitation Attacks and Defenses for Black-box Machine Translation Systems\" EMNLP 2020",url:"https:\u002F\u002Farxiv.org\u002Fabs\u002F2004.15015"},{title:"Project Page, \"Imitation Attacks and Defenses for Black-box Machine Translation Systems\"",url:"https:\u002F\u002Fwww.ericswallace.com\u002Fimitation"}]},{id:"AML.CS0006",name:"ClearviewAI Misconfiguration","object-type":g,summary:"Clearview AI's source code repository, though password protected, was misconfigured to allow an arbitrary user to register an account.\nThis allowed an external researcher to gain access to a private code repository that contained Clearview AI production credentials, keys to cloud storage buckets containing 70K video samples, and copies of its applications and Slack tokens.\nWith access to training data, a bad-actor has the ability to cause an arbitrary misclassification in the deployed model.\nThese kinds of attacks illustrate that any attempt to secure ML system should be on top of \"traditional\" good cybersecurity hygiene such as locking down the system with least privileges, multi-factor authentication and monitoring and auditing.\n","incident-date":new Date(1586995200000),"incident-date-granularity":m,procedure:[{tactic:k,technique:C,description:"In this scenario, a security researcher gained initial access to via a valid account that was created through a misconfiguration.\n"}],"reported-by":"Mossab Hussein (@mossab_hussein)",references:[{title:"TechCrunch Article, \"Security lapse exposed Clearview AI source code\"",url:"https:\u002F\u002Ftechcrunch.com\u002F2020\u002F04\u002F16\u002Fclearview-source-code-lapse\u002Famp\u002F"},{title:"Gizmodo Article, \"We Found Clearview AI's Shady Face Recognition App\"",url:"https:\u002F\u002Fgizmodo.com\u002Fwe-found-clearview-ais-shady-face-recognition-app-1841961772"}]},{id:"AML.CS0007",name:"GPT-2 Model Replication","object-type":g,summary:"OpenAI built GPT-2, a powerful natural language model and adopted a staged-release process to 
incrementally release 1.5 Billion parameter model.\nBefore the 1.5B parameter model could be released by OpenAI eventually, two ML researchers replicated the model and released it to the public.\n","incident-date":new Date(1566432000000),"incident-date-granularity":m,procedure:[{tactic:d,technique:j,description:"Using the public documentation about GPT-2, ML researchers gathered information about the dataset, model architecture, and training hyper-parameters.\n"},{tactic:b,technique:A,description:"The researchers obtained a reference implementation of a similar publicly available model called Grover.\n"},{tactic:b,technique:o,description:"The researchers were able to manually recreate the dataset used in the original GPT-2 paper using the gathered documentation.\n"},{tactic:b,technique:aO,description:"The researchers were able to use TensorFlow Research Cloud via their academic credentials.\n"},{tactic:c,technique:l,description:"The researchers modified Grover's objective function to reflect GPT-2's objective function and then trained on the dataset they curated.\nThey used Grover's initial hyperparameters for training.\nThis resulted in their replicated model.\n"}],"reported-by":"Vanya Cohen (@VanyaCohen), Aaron Gokaslan (@SkyLi0n), Ellie Pavlick, Stefanie Tellex",references:[{title:"Wired Article, \"OpenAI Said Its Code Was Risky. 
Two Grads Re-Created It Anyway\"",url:"https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fdangerous-ai-open-source\u002F"},{title:"Medium BlogPost, \"OpenGPT-2: We Replicated GPT-2 Because You Can Too\"",url:"https:\u002F\u002Fblog.usejournal.com\u002Fopengpt-2-we-replicated-gpt-2-because-you-can-too-45e34e6d36dc"}]},{id:"AML.CS0008",name:"ProofPoint Evasion","object-type":g,summary:"CVE-2019-20634 describes how ML researchers evaded ProofPoint's email protection system by first building a copy-cat email protection ML model, and using the insights to evade the live system.\n","incident-date":new Date(1567987200000),"incident-date-granularity":m,procedure:[{tactic:b,technique:q,description:"The researchers first gathered the scores that Proofpoint's ML system exposed in email headers by sending a large number of emails through the system and scraping the model scores exposed in the logs.\n"},{tactic:b,technique:o,description:"The researchers converted the collected scores into a dataset.\n"},{tactic:c,technique:l,description:"Using these scores, the researchers replicated the ML model by building a \"shadow\" aka copy-cat ML model.\n"},{tactic:c,technique:G,description:"Next, the ML researchers algorithmically found samples that evaded this \"offline\" copy-cat model.\n"},{tactic:c,technique:H,description:"Finally, these insights from the offline model allowed the researchers to create malicious emails that received preferable scores from the real ProofPoint email protection system, hence bypassing it.\n"}],"reported-by":"Will Pearce (@moo_hax), Nick Landers (@monoxgas)",references:[{title:"National Vulnerability Database entry for CVE-2019-20634",url:"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2019-20634"},{title:"2019 DerbyCon presentation \"42: The answer to life, the universe, and everything offensive security\"",url:"https:\u002F\u002Fgithub.com\u002Fmoohax\u002FTalks\u002Fblob\u002Fmaster\u002Fslides\u002FDerbyCon19.pdf"},{title:"Proof Pudding 
(CVE-2019-20634) Implementation on GitHub",url:"https:\u002F\u002Fgithub.com\u002Fmoohax\u002FProof-Pudding"}]},{id:"AML.CS0009",name:"Tay Poisoning","object-type":g,summary:"Microsoft created Tay, a Twitter chatbot for 18 to 24 year-olds in the U.S. for entertainment purposes.\nWithin 24 hours of its deployment, Tay had to be decommissioned because it tweeted reprehensible words.\n","incident-date":new Date(1458691200000),"incident-date-granularity":m,procedure:[{tactic:e,technique:s,description:"Adversaries were able to interact with Tay via a few different publicly available methods.\n"},{tactic:k,technique:_,description:"Tay used its interactions with Twitter users as training data to improve its conversations.\nAdversaries were able to coordinate with the intent of defacing Tay by exploiting this feedback loop.\n"},{tactic:r,technique:X,description:"By repeatedly interacting with Tay using racist and offensive language, they were able to bias Tay's dataset towards that language as well.\n"},{tactic:f,technique:bC,description:"As a result of this coordinated attack, Tay's conversation algorithms began to learn to generate reprehensible material.\nThis quickly led to its decommissioning.\n"}],"reported-by":bF,references:[{title:"Microsoft BlogPost, \"Learning from Tay's introduction\"",url:"https:\u002F\u002Fblogs.microsoft.com\u002Fblog\u002F2016\u002F03\u002F25\u002Flearning-tays-introduction\u002F"},{title:"IEEE Article, \"In 2016, Microsoft's Racist Chatbot Revealed the Dangers of Online Conversation\"",url:"https:\u002F\u002Fspectrum.ieee.org\u002Ftech-talk\u002Fartificial-intelligence\u002Fmachine-learning\u002Fin-2016-microsofts-racist-chatbot-revealed-the-dangers-of-online-conversation"}]},{id:"AML.CS0010",name:"Microsoft Azure Service Disruption","object-type":g,summary:"The Azure Red Team and Azure Trustworthy ML team performed a red team exercise on an internal Azure service with the intention of disrupting its service. 
This operation had a combination of traditional ATT&CK enterprise techniques such as finding Valid account, and Executing code via an API -- all interleaved with adversarial ML specific steps such as offline and online evasion examples.","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:d,technique:j,description:az},{tactic:k,technique:C,description:"The team used a valid account to gain access to the network.\n"},{tactic:y,technique:bk,description:"The team found the model file of the target ML model and the necessary training data.\n"},{tactic:c,technique:G,description:"Using the target model and data, the red team crafted evasive adversarial data.\n"},{tactic:e,technique:s,description:"The team used an exposed API to access the target model.\n"},{tactic:f,technique:i,description:"The team performed an online evasion attack by replaying the adversarial examples, which helped achieve this goal.\n"}],"reported-by":"Microsoft (Azure Trustworthy Machine Learning)",references:n},{id:"AML.CS0011",name:"Microsoft Edge AI Evasion","object-type":g,summary:"The Azure Red Team performed a red team exercise on a new Microsoft product designed for running AI workloads at the Edge.\n","incident-date":new Date(1580515200000),"incident-date-granularity":"MONTH",procedure:[{tactic:d,technique:j,description:az},{tactic:b,technique:q,description:"The team identified and obtained the publicly available base model.\n"},{tactic:e,technique:s,description:"Then using the publicly available version of the ML model, started sending queries and analyzing the responses (inferences) from the ML model.\n"},{tactic:c,technique:ap,description:"The red team created an automated system that continuously manipulated an original target image, that tricked the ML model into producing incorrect inferences, but the perturbations in the image were unnoticeable to the human eye.\n"},{tactic:f,technique:i,description:"Feeding this perturbed image, the red team was 
able to evade the ML model by causing misclassifications.\n"}],"reported-by":bF,references:n},{id:"AML.CS0012",name:"Face Identification System Evasion via Physical Countermeasures","object-type":g,summary:"MITRE's AI Red Team demonstrated a physical-domain evasion attack on a commercial face identification service with the intention of inducing a targeted misclassification.\nThis operation had a combination of traditional ATT&CK enterprise techniques such as finding Valid account, and Executing code via an API - all interleaved with adversarial ML specific attacks.\n","incident-date":new Date(1577836800000),"incident-date-granularity":u,procedure:[{tactic:d,technique:j,description:az},{tactic:k,technique:C,description:"The team gained access via a valid account.\n"},{tactic:e,technique:s,description:"The team accessed the inference API of the target model.\n"},{tactic:x,technique:bi,description:"The team identified the list of identities targeted by the model by querying the target model's inference API.\n"},{tactic:b,technique:o,description:"The team acquired representative open source data.\n"},{tactic:c,technique:l,description:"The team developed a proxy model using the open source data.\n"},{tactic:c,technique:G,description:"Using the proxy model, the red team optimized a physical domain patch-based attack using expectation over transformation.\n"},{tactic:e,technique:ad,description:"The team placed the physical countermeasure in the physical environment.\n"},{tactic:f,technique:i,description:"The team successfully evaded the model using the physical countermeasure and causing targeted misclassifications.\n"}],"reported-by":"MITRE AI Red Team",references:n},{id:"AML.CS0013",name:"Backdoor Attack on Deep Learning Models in Mobile Apps","object-type":g,summary:"Deep learning models are increasingly used in mobile applications as critical components.\nResearchers from Microsoft Research demonstrated that many deep learning models deployed in mobile apps are 
vulnerable to backdoor attacks via \"neural payload injection.\"\nThey conducted an empirical study on real-world mobile deep learning apps collected from Google Play, and found 54 apps that were vulnerable to attack, including popular security and safety critical applications used for as cash recognition, parental control, face authentication, and financial services among others.\n","incident-date":new Date(1610928000000),"incident-date-granularity":m,procedure:[{tactic:d,technique:aG,description:"To identify a list of potential target models, the researchers searched the Google Play store for apps that may contain embedded deep learning models by searching for deep learning related keywords.\n"},{tactic:b,technique:A,description:"The researchers acquired the apps' APKs from the Google Play store.\nThey filtered the list of potential target applications by searching the code metadata for keywords related to TensorFlow or TFLite and their model binary formats (.tf and .tflite).\nThe models were extracted from the APKs using Apktool.\n"},{tactic:e,technique:aZ,description:"This provided the researches with full access to the ML model, albeit in compiled, binary form.\n"},{tactic:b,technique:v,description:"The researchers developed a novel approach to insert a backdoor into a compiled model that can be activated with a visual trigger. They inject a \"neural payload\" into the model that consists of a trigger detection network and conditional logic.\nThe trigger detector is trained to detect a visual trigger that will be placed in the real world.\nThe conditional logic allows the researchers to bypass the victim model when the trigger is detected and provide model outputs of their choosing.\nThe only requirements for training a trigger detector are a general\ndataset from the same modality as the target model (e.g. 
ImageNet for image classification) and several photos of the desired trigger.\n"},{tactic:r,technique:be,description:"The researchers poisoned the victim model by injecting the neural\npayload into the compiled models by directly modifying the computation\ngraph.\nThe researchers then repackage the poisoned model back into the APK\n"},{tactic:c,technique:z,description:"To verify the success of the attack, the researchers confirmed the app did not crash with the malicious model in place, and that the trigger detector successfully detects the trigger."},{tactic:k,technique:aX,description:"In practice, the malicious APK would need to be installed on victim's devices via a supply chain compromise."},{tactic:c,technique:bw,description:"The trigger is placed in the physical environment, where it is captured by the victim's device camera and processed by the backdoored ML model.\n"},{tactic:e,technique:ad,description:"At inference time, only physical environment access is required to trigger the attack.\n"},{tactic:f,technique:i,description:"Presenting the visual trigger causes the victim model to be bypassed.\nThe researchers demonstrated this can be used to evade ML models in\nseveral safety-critical apps in the Google Play store.\n"}],"reported-by":"Neil Yale \u002F YingZonghao (University of Chinese Academy of Sciences)",references:[{title:"DeepPayload: Black-box Backdoor Attack on Deep Learning Models through Neural Payload Injection",url:"https:\u002F\u002Farxiv.org\u002Fabs\u002F2101.06896"}]},{id:"AML.CS0014",name:"Confusing Antimalware Neural Networks","object-type":g,summary:"Cloud storage and computations have become popular platforms for deploying ML malware detectors.\nIn such cases, the features for models are built on users' systems and then sent to cybersecurity company servers.\nThe Kaspersky ML research team explored this gray-box scenario and shown that feature knowledge is enough for an adversarial attack on ML models.\n\nThey attacked one of 
Kaspersky's antimalware ML models without white-box access to it and successfully evaded detection for most of the adversarially modified malware files.\n","incident-date":new Date(1624406400000),"incident-date-granularity":m,procedure:[{tactic:d,technique:aF,description:"The researchers performed a review of adversarial ML attacks on antimalware products.\nThey discovered that techniques borrowed from attacks on image classifiers have been successfully applied to the antimalware domain.\nHowever, it was not clear if these approaches were effective against the ML component of production antimalware solutions.\n"},{tactic:d,technique:M,description:"Kaspersky's use of ML-based antimalware detectors is publicly documented on their website. In practice, an adversary could use this for targeting.\n"},{tactic:e,technique:D,description:"The researches used access to the target ML-based antimalware product throughout this case study.\nThis product scans files on the user's system, extracts features locally, then sends them to the cloud-based ML malware detector for classification.\nTherefore, the researchers had only black-box access to the malware detector itself, but could learn valuable information for constructing the attack from the feature extractor.\n"},{tactic:b,technique:o,description:"The researchers collected a dataset of malware and clean files.\nThey scanned the dataset with the target ML-based antimalware solution and labeled the samples according the ML detector's predictions.\n"},{tactic:c,technique:l,description:"Then, a proxy model was trained on the labeled dataset of malware and clean files.\nThe researchers experimented with a variety of model architectures.\n"},{tactic:b,technique:v,description:"By reverse engineering the local feature extractor, the researchers could collect information about the input features, used for the cloud-based ML detector.\nThe model collects PE Header features, section features and section data statistics, and file strings 
information.\nA gradient based adversarial algorithm for executable files was developed.\nThe algorithm manipulates file features to avoid detection by the proxy model, while still containing the same malware payload\n"},{tactic:c,technique:H,description:"Using a developed gradient-driven algorithm, malicious adversarial files for the proxy model were constructed from the malware files for black-box transfer to the target model.\n"},{tactic:c,technique:z,description:"The adversarial malware files were tested against the target antimalware solution to verify their efficacy.\n"},{tactic:t,technique:i,description:"The researchers demonstrated that for most of the adversarial files, the antimalware model was successfully evaded.\nIn practice, an adversary could deploy their adversarially crafted malware and infect systems while evading detection.\n"}],"reported-by":"Alexey Antonov and Alexey Kogtenkov (ML researchers, Kaspersky ML team) ",references:[{title:"Article, \"How to confuse antimalware neural networks. 
Adversarial attacks and protection\"",url:"https:\u002F\u002Fsecurelist.com\u002Fhow-to-confuse-antimalware-neural-networks-adversarial-attacks-and-protection\u002F102949\u002F"}]}],matrix:{tactics:[aA,aH,aS,aY,a_,bc,bg,bh,bj,bm,bx,bB]},version:bG}},serverRendered:true,routePath:"\u002Fnavigator",config:{router_base:bH,name:{short:"ATLAS",long:"Adversarial Threat Landscape for Artificial-Intelligence Systems",mitre:"MITRE ATLAS™"},navigator_url:"https:\u002F\u002Fmitre-atlas.github.io\u002Fatlas-navigator",contact_email:"atlas@mitre.org",site_version:bG,footer_logo_link:"https:\u002F\u002Fwww.mitre.org\u002F",footer_logo_image:"mitre-logo-white.svg",analytics_id:"G-12345",individual_case_study:{navigator_link:"https:\u002F\u002Fmitre-atlas.github.io\u002Fatlas-navigator\u002F#layerURL=",raw_link:"https:\u002F\u002Fraw.githubusercontent.com\u002Fmitre-atlas\u002Fatlas-navigator-data\u002Fmain\u002Fdist\u002Fcase-study-navigator-layers\u002F",suffix:".json"},_app:{basePath:bH,assetsPath:"\u002F_nuxt\u002F",cdnURL:n},content:{dbHash:"3cb80167"}}}}("technique","AML.TA0003","AML.TA0001","AML.TA0002","AML.TA0000","AML.TA0011","case-study","tactic","AML.T0015","AML.T0000","AML.TA0004","AML.T0005","DATE",null,"AML.T0002.000","AML.T0043","AML.T0002","AML.TA0006","AML.T0040","AML.TA0007","YEAR","AML.T0017","AML.T0010","AML.TA0008","AML.TA0009","AML.T0042","AML.T0002.001",{},"AML.T0012","AML.T0047",{},{},"AML.T0043.000","AML.T0043.002","AML.T0024",{},{},{},"AML.T0003",{},{},{},{},"AML.T0016","AML.T0016.000",{},{},"AML.T0008",{},"AML.T0020",{},{},"AML.T0010.002",{},{},{},{},"AML.T0041",{},{},"AML.T0018",{},{},{},{},{},{},{},{},"AML.T0043.001","AML.T0043.003","AML.TA0010",{},{},{},{},{},{},{},"The team first performed reconnaissance to gather information about the target ML 
model.\n",{},{},{},"AML.T0000.001",{},"AML.T0001","AML.T0004",{},{},{},{},{},"AML.T0016.001",{},"AML.T0008.000",{},"AML.T0008.001","AML.T0021",{},{},{},{},{},"AML.T0010.003",{},"AML.T0044",{},"AML.TA0005","AML.T0011",{},{},{},"AML.T0018.000",{},{},{},"AML.T0013",{},"AML.T0035","AML.T0036",{},{},{},"AML.T0005.001",{},{},{},{},{},{},"AML.T0043.004",{},{},{},{},{},"AML.T0031","AML.T0045","Palo Alto Networks (Network Security AI Research Team)","Microsoft","3.0.0","\u002F"));