PromptRiskDBThreat intelligence atlas

Denial of AI Service - AI Security Technique

AI Security Technique

Adversaries may target AI-enabled systems with a flood of requests for the purpose of degrading or shutting down the service. Since many AI systems require significant amounts of specialized compute, they are often expensive bottlenecks that can become overloaded. Adversaries can intentionally craft inputs that require heavy amounts of useless compute from the AI system.

Overview

A source-backed snapshot of this AI security technique.

Tactics1Attacker goals connected to this method.
Mitigations3Defenses that may help against this attack.
AI risks0Research-backed risks connected to this topic.

Technique details

Identifiers, maturity, and source taxonomy for this technique.

ATLAS ID
AML.T0029
Maturity
demonstrated
Priority score
49
ATLAS tactics
Impact

Attack flow

How to read the public records connected to this technique.

1. TechniqueRead the ATLAS description and evidence level.
2. TacticsSee which attacker goals this method supports.
3. ExamplesCheck whether public case studies mention it.
4. DefensesReview safeguards mapped by ATLAS.
5. SourcesOpen the original public records and references.

Impact

Why this technique may deserve attention in the current dataset.

  • Evidence leveldemonstrated
  • Mapped defenses3 ATLAS mitigation records
  • Public examples2 linked case study records
  • Research risks0 related MIT AI Risk records above the confidence threshold
  • Vulnerabilities0 linked CVE records

Mitigations

Defenses that may help against this attack.

AML.M0015 - Adversarial Input Detection

Assess queries before inference call or enforce timeout policy for queries which consume excessive resources.

LifecycleData Preparation + 4 moreCategoryTechnical - ML
Data PreparationML Model Engineering+3 more

AML.M0004 - Restrict Number of AI Model Queries

Limit the number of queries users can perform in a given interval to prevent a denial of service.

LifecycleBusiness and Data Understanding + 2 moreCategoryTechnical - Cyber
B&D UnderstandingDeployment+1 more

Case studies

Examples from public reports and exercises.

AIKatz: Attacking LLM Desktop Applications

Researchers at Lumia have demonstrated that it is possible to extract authentication tokens from the memory of LLM Desktop Applications. An attacker could then use those tokens to impersonate as the victim to the LLM backed, thereby gaining access to the victim’s conversations as well as the ability to interfere in future conversations. The attacker’s access would allow them the ability to directly inject prompts to change the LLM’s behavior, poison the LLM’s context to have persistent effects, manipulate the user’s conversation history to cover their tracks, and ultimately impact the confidentiality, integrity, and availability of the system. The researchers demonstrated this on Anthropic Claude, Microsoft M365 Copilot, and OpenAI ChatGPT.

Vendor Responses to Responsible Disclosure:

  • Anthropic (HackerOne) - Closed as informational since local attack.
  • Microsoft Security Response Center - Attack doesn’t bypass security boundaries for CVE.
  • OpenAI (BugCrowd) - Closed as informational and noted that it’s up to Microsoft to patch this behavior.
Date2025-01-01
exercise

Achieving Code Execution in MathGPT via Prompt Injection

The publicly available Streamlit application MathGPT uses GPT-3, a large language model (LLM), to answer user-generated math questions.

Recent studies and experiments have shown that LLMs such as GPT-3 show poor performance when it comes to performing exact math directly[1][2]. However, they can produce more accurate answers when asked to generate executable code that solves the question at hand. In the MathGPT application, GPT-3 is used to convert the user's natural language question into Python code that is then executed. After computation, the executed code and the answer are displayed to the user.

Some LLMs can be vulnerable to prompt injection attacks, where malicious user inputs cause the models to perform unexpected behavior[3][4]. In this incident, the actor explored several prompt-override avenues, producing code that eventually led to the actor gaining access to the application host system's environment variables and the application's GPT-3 API key, as well as executing a denial of service attack. As a result, the actor could have exhausted the application's API query budget or brought down the application.

After disclosing the attack vectors and their results to the MathGPT and Streamlit teams, the teams took steps to mitigate the vulnerabilities, filtering on select prompts and rotating the API key.

References

  1. [1] https://arxiv.org/abs/2103.03874
  2. [2] https://arxiv.org/abs/2110.14168
  3. [3] https://lspace.swyx.io/p/reverse-prompt-eng
  4. [4] https://research.nccgroup.com/2022/12/05/exploring-prompt-injection-attacks/
Date2023-01-28
exercise

Source evidence

Original public records and references for this page.