PromptRiskDBThreat intelligence atlas

Publish Poisoned Datasets - AI Security Technique

AI Security Technique

Adversaries may Poison Training Data and publish it to a public location. The poisoned dataset may be a novel dataset or a poisoned variant of an existing open source dataset. This data may be introduced to a victim system via AI Supply Chain Compromise.

Overview

A source-backed snapshot of this AI security technique.

Tactics1Attacker goals connected to this method.
Mitigations3Defenses that may help against this attack.
AI risks11Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0019
Maturity
demonstrated
Priority score
94
ATLAS tactics
Resource Development

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses3 ATLAS mitigation records
  • Public examples1 linked case study records
  • Research risks11 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0023 - AI Bill of Materials

An AI BOM can help users identify untrustworthy model artifacts.

LifecycleBusiness and Data Understanding + 2 moreCategoryPolicy
B&D UnderstandingData Preparation+1 more

AML.M0025 - Maintain AI Dataset Provenance

Maintaining a detailed history of datasets can help identify use of poisoned datasets from public sources.

LifecycleData Preparation + 1 moreCategoryTechnical - ML
Data PreparationB&D Understanding

AML.M0014 - Verify AI Artifacts

Determine validity of published data in order to avoid using poisoned data that introduces vulnerabilities.

LifecycleBusiness and Data Understanding + 2 moreCategoryTechnical - Cyber
B&D UnderstandingData Preparation+1 more

Case studies

Examples from public reports and exercises.

Web-Scale Data Poisoning: Split-View Attack

Many recent large-scale datasets are distributed as a list of URLs pointing to individual datapoints. The researchers show that many of these datasets are vulnerable to a "split-view" poisoning attack. The attack exploits the fact that the data viewed when it was initially collected may differ from the data viewed by a user during training. The researchers identify expired and buyable domains that once hosted dataset content, making it possible to replace portions of the dataset with poisoned data. They demonstrate that for 10 popular web-scale datasets, enough of the domains are purchasable to successfully carry out a poisoning attack.

Date2024-06-06
exercise

Source evidence

Original public records and references for this page.