APromptRiskDBThreat intelligence atlas
AI Case Study

ProofPoint Evasion - AI Case Study

Proof Pudding (CVE-2019-20634) is a code repository that describes how ML researchers evaded ProofPoint's email protection system by first building a copy-cat email protection ML model, and using the insights to bypass the live system. More specifically, the insights allowed researchers to craft malicious emails that received preferable scores, going undetected by the system. Each word in an email is scored numeri...

View attack chainRead summary
ExerciseProofPoint Email Protection SystemResearchers at Silent Break SecurityAI Attack StagingDiscoveryAI Model Access

Overview

Case steps5Steps described in the case record.
Techniques5Attack methods mentioned in the case steps.
Linked CVEs1Known vulnerabilities mentioned in the record.

Risk patterns

Patterns found in the case record and its linked vulnerabilities.

  • 1Dominant ATLAS tactic. AI Attack Staging appears in 2 case steps.
  • 2Multiple attack methods. The case connects to 5 unique AI attack methods.
  • 3Vulnerability mentions. The record connects 1 vulnerability identifiers to this case.

Procedure timeline

Search the case steps or filter them by attacker goal.

AI Attack Staging2Discovery1AI Model Access1Impact1
  3. AI Attack Staging

    The researchers used the emails and collected scores as a dataset, which they used to train a functional copy of the ProofPoint model. Basic correlation was used to decide which score variable speaks generally about the security of an email. The "mlxlogscore" was selected in this case due to its relationship with spam, phish, and core mlx and was used as the label. Each "mlxlogscore" was generally between 1 and 999 (higher score = safer sample). Training was performed using an Artificial Neural Network (ANN) and Bag of Words tokenizing.

  4. AI Attack Staging

    Next, the ML researchers algorithmically found samples from this "offline" proxy model that helped give desired insight into its behavior and influential variables. Examples of good scoring samples include "calculation", "asset", and "tyson". Examples of bad scoring samples include "software", "99", and "unsub".

  5. Impact

    Finally, these insights from the "offline" proxy model allowed the researchers to create malicious emails that received preferable scores from the real ProofPoint email protection system, hence bypassing it.

Related CVEs

Known software flaws mentioned in the case record.

CVE-2019-20634

Mitigations

Defenses connected to the attack methods in this case.

AI Model Distribution Methods

Deploying AI models to edge devices can increase the attack surface of the system. Consider serving models in the cloud to reduce the level of access the adversary has to the model. Also consider computing features in the cloud to prevent gray-box attacks, where an adversary has access to the model preprocessing methods.

AI Telemetry Logging

Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts. Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources.

Adversarial Input Detection

Detect and block adversarial inputs or atypical queries that deviate from known benign behavior, exhibit behavior patterns observed in previous attacks or that come from potentially malicious IPs. Incorporate adversarial detection algorithms into the AI system prior to the AI model.

Control Access to AI Models and Data in Production

Require users to verify their identities before accessing a production model. Require authentication for API endpoints and monitor production model queries to ensure compliance with usage policies and to prevent model misuse.

Deepfake Detection

Apply deepfake detection algorithms against any untrusted or user-provided data, especially in impactful applications such as biometric verification, to block generated content. Detectors may use a combination of approaches, including: - AI models trained to differentiate between real and deepfake content. - Identifying common inconsistencies in deepfake content, such as unnatural facial movements, audio mismatches, or pixel-level artifacts. - Biometrics analysis, such blinking, eye movements, and microexpressions.

Encrypt Sensitive Information

Encrypt sensitive data such as AI models to protect against adversaries attempting to access sensitive data.

Input Restoration

Preprocess all inference data to nullify or reverse potential adversarial perturbations.

Model Hardening

Use techniques to make AI models robust to adversarial inputs such as adversarial training or network distillation.

Passive AI Output Obfuscation

Decreasing the fidelity of model outputs provided to the end user can reduce an adversary's ability to extract information about the model and optimize attacks for the model.

Restrict Number of AI Model Queries

Limit the total number and rate of queries a user can perform.

Use Ensemble Methods

Use an ensemble of models for inference to increase robustness to adversarial inputs. Some attacks may effectively evade one model or model family but be ineffective against others.

Use Multi-Modal Sensors

Incorporate multiple sensors to integrate varying perspectives and modalities to avoid a single point of failure susceptible to physical attacks.

Sources

Original public records and references for this case.

Original source

Original source links

Open the MITRE ATLAS data and public references used for this case study.

Repositoryhttps://github.com/mitre-atlas/atlas-dataATLAS.yamlhttps://github.com/mitre-atlas/atlas-data/blob/main/dist/ATLAS.yamlSchemahttps://github.com/mitre-atlas/atlas-data/blob/main/dist/schemas/atlas_output_schema.jsonNational Vulnerability Database entry for CVE-2019-20634https://nvd.nist.gov/vuln/detail/CVE-2019-206342019 DerbyCon presentation "42: The answer to life, the universe, and everything offensive security"https://github.com/moohax/Talks/blob/master/slides/DerbyCon19.pdfProof Pudding (CVE-2019-20634) Implementation on GitHubhttps://github.com/moohax/Proof-Pudding2019 DerbyCon video presentation "42: The answer to life, the universe, and everything offensive security"https://www.youtube.com/watch?v=CsvkYoxtexQ&ab-channel=AdrianCrenshaw