PromptRiskDB - Threat intelligence atlas

Create Proxy AI Model - AI Security Technique

Adversaries may obtain models to serve as proxies for the target model in use at the victim organization. Proxy models are used to simulate complete access to the target model in a fully offline manner. Adversaries may train models from representative datasets, attempt to replicate models from victim inference APIs, or use available pre-trained models.


Record summary

A quick snapshot of what this page covers.

Tactics: 1 (attacker goals connected to this method)
Mitigations: 5 (defenses that may help against this attack)
AI risks: 0 (research-backed risks connected to this topic)

Attack context

How this AI attack works in practice.

ATLAS ID: AML.T0005
Priority score: 65
Maturity: demonstrated
Tactic: AI Attack Staging

Mitigations

Defenses that may help against this attack.

AML.M0001 - Limit Model Artifact Release

Lifecycle: Business and Data Understanding, Deployment
Category: Policy

Limiting the release of model artifacts can reduce an adversary's ability to create an accurate proxy model.

AML.M0000 - Limit Public Release of Information

Lifecycle: Business and Data Understanding
Category: Policy

Limiting release of technical information about a model and training data can reduce an adversary's ability to create an accurate proxy model.

AML.M0002 - Passive AI Output Obfuscation

Lifecycle: Deployment, ML Model Evaluation
Category: Technical - ML

Obfuscating model outputs can reduce an adversary's ability to produce an accurate proxy model.

AML.M0004 - Restrict Number of AI Model Queries

Lifecycle: Business and Data Understanding, Deployment, +1 more
Category: Technical - Cyber

Restricting the number of queries to the model decreases an adversary's ability to replicate an accurate proxy model.
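The two technical mitigations above, AML.M0002 (passive output obfuscation) and AML.M0004 (restricting model queries), can sit in the serving path in front of any classifier. The following is an added illustration written for this page, not code from PromptRiskDB or MITRE ATLAS; `obfuscate_output`, `QueryBudget`, `guarded_predict` and the stand-in `fake_model` are assumed names, and all inputs are constructed.

```python
import time
from collections import defaultdict, deque


def obfuscate_output(probabilities, top_k=1, decimals=1):
    """AML.M0002: keep only the top_k labels and round their scores.

    Full probability vectors are the richest training signal for a
    proxy model; one coarse label per query leaks far less.
    """
    ranked = sorted(probabilities.items(), key=lambda kv: kv[1], reverse=True)
    return [(label, round(score, decimals)) for label, score in ranked[:top_k]]


class QueryBudget:
    """AML.M0004: sliding-window query limit per client.

    `clock` is injectable so the window can be tested without sleeping.
    """

    def __init__(self, max_queries, window_seconds, clock=time.monotonic):
        self.max_queries = max_queries
        self.window = window_seconds
        self.clock = clock
        self._history = defaultdict(deque)  # client_id -> timestamps

    def allow(self, client_id):
        now = self.clock()
        hist = self._history[client_id]
        while hist and now - hist[0] >= self.window:  # drop expired entries
            hist.popleft()
        if len(hist) >= self.max_queries:
            return False
        hist.append(now)
        return True


def guarded_predict(model_fn, budget, client_id, features):
    """Serve a prediction only within the client's budget, and only in
    obfuscated form. Returns None once the budget is exhausted."""
    if not budget.allow(client_id):
        return None
    return obfuscate_output(model_fn(features))


def fake_model(features):
    # Constructed stand-in for a real two-class detector (hypothetical).
    score = min(max(sum(features) / 10.0, 0.0), 1.0)
    return {"malicious": score, "benign": 1.0 - score}
```

Logging the `None` (budget exhausted) events per client is also a useful detection signal for replication attempts against the inference API.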

Case studies

Examples from public reports and exercises.

Confusing Antimalware Neural Networks

Type: exercise
Date: 2021-06-23

Cloud storage and computation have become popular platforms for deploying ML malware detectors. In such cases, the features for the models are built on users' systems and then sent to the cybersecurity company's servers. The Kaspersky ML research team explored this gray-box scenario and showed that knowledge of the features alone is enough for an adversarial attack on ML models.

They attacked one of Kaspersky's antimalware ML models without white-box access to it and successfully evaded detection for most of the adversarially modified malware files.

Evasion of Deep Learning Detector for Malware C&C Traffic

Type: exercise
Date: 2020-01-01

The Palo Alto Networks Security AI research team tested a deep learning model for malware command and control (C&C) traffic detection in HTTP traffic. Based on the publicly available paper by Le et al., we built a model that was trained on a similar dataset as our production model and had similar performance. Then we crafted adversarial samples, queried the model, and adjusted the adversarial sample accordingly until the model was evaded.

Face Identification System Evasion via Physical Countermeasures

Type: exercise
Date: 2020-01-01

MITRE's AI Red Team demonstrated a physical-domain evasion attack on a commercial face identification service with the intention of inducing a targeted misclassification. This operation combined traditional MITRE ATT&CK techniques, such as finding valid accounts and executing code via an API, interleaved with adversarial-ML-specific attacks.

Source

Where the information on this page comes from.