PromptRiskDBThreat intelligence atlas

Train Proxy via Gathered AI Artifacts - AI Security Technique

AI Security Technique

Proxy models may be trained from AI artifacts (such as data, model architectures, and pre-trained models) that are representative of the target model gathered by the adversary. This can be used to develop attacks that require higher levels of access than the adversary has available or as a means to validate pre-existing attacks without interacting with the target model.

Overview

A source-backed snapshot of this AI security technique.

Tactics0Attacker goals connected to this method.
Mitigations2Defenses that may help against this attack.
AI risks0Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0005.000
Maturity
demonstrated
Priority score
36

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses2 ATLAS mitigation records
  • Public examples1 linked case study records
  • Research risks0 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0001 - Limit Model Artifact Release

Limiting the release of model artifacts can reduce an adversary's ability to create an accurate proxy model.

LifecycleBusiness and Data Understanding + 1 moreCategoryPolicy
B&D UnderstandingDeployment

AML.M0000 - Limit Public Release of Information

Limiting release of technical information about a model and training data can reduce an adversary's ability to create an accurate proxy model.

LifecycleBusiness and Data UnderstandingCategoryPolicy
B&D Understanding

Case studies

Examples from public reports and exercises.

GPT-2 Model Replication

OpenAI built GPT-2, a language model capable of generating high quality text samples. Over concerns that GPT-2 could be used for malicious purposes such as impersonating others, or generating misleading news articles, fake social media content, or spam, OpenAI adopted a tiered release schedule. They initially released a smaller, less powerful version of GPT-2 along with a technical description of the approach, but held back the full trained model.

Before the full model was released by OpenAI, researchers at Brown University successfully replicated the model using information released by OpenAI and open source ML artifacts. This demonstrates that a bad actor with sufficient technical skill and compute resources could have replicated GPT-2 and used it for harmful goals before the AI Security community is prepared.

Date2019-08-22
exercise

Source evidence

Original public records and references for this page.