Blog Layout

AI under criminal influence: adversarial machine learning explained

Nov 30, 2023

Since the public release of ChatGPT, the adoption of artificial (AI) and machine learning (ML) systems has seen a significant boost. Companies are now rushing to integrate AI technology for a competitive advantage – but are they also putting themselves at the mercy of cybercriminals?

ML models that power many AI applications are vulnerable to the following cyberattacks:

  • Attacks against data contained within AI systems: Data is the most important aspect of ML systems. This data may include sensitive personally identifiable information (PII) and business information, making it a primary target for malicious actors.
  • Adversarial machine learning attacks: These are categorized into four groups: poisoning, evasion, extraction, and inference. We’ll explain each one in more detail later on.

Adversarial machine learning is the act of providing malicious input into an ML model to make it produce inaccurate results or degrade its performance. This attack could happen during the training phase of the ML model or might be introduced later on (through input samples) to deceive an already trained model.

Before discussing the different adversarial attack techniques against ML models, it’s worth mentioning how ML learning models are trained.

How are ML models trained?

Data is the lifeblood of machine learning systems. According to research conducted by an AI analysis firm Cognilytica, 80% of AI project time is spent on gathering, organizing, and labeling data. Training data is gathered from different sources, such as:

  • The internet – for example, Facebook, Twitter, or Instagram feeds
  • Surveillance cameras
  • Surveillance drones
  • Security system logs
  • Any other source of computer data

This data will feed into an ML algorithm that will extract patterns from the provided data. Each ML model will use a different technique to learn from the supplied data. However, they’ll learn everything they can and improve over time as more training data is fed into their models.

After training, the ML model can be deployed in any AI system. It’s worth noting that many ML models continue to improve through learning after deployment, while other models become closed and do not update their patterns after launch.

AI training infographic
Figure 2 – General ML process | Source: https://mapendo.co/blog/training-data-the-milestone-of-machine-learning

Types of adversarial ML attacks

Machine learning engineers leverage adversarial ML attack techniques to help improve the robustness of machine learning models by exposing them to malicious inputs during the training and inference phases. However, bad actors can use these techniques to disrupt the normal working behavior of AI and ML models.

From the threat actor knowledge point of view, adversarial ML attacks can be classified into two major types:

White box attack

This attack is the most dangerous because attackers have full access to the ML model, which includes access to the model parameters, hyperparameters (these parameter values control the model learning process), model architecture, defense mechanism, and the model training dataset.

Black box attack

In a black box attack, the attacker can access the ML model outputs but not its internal details like architecture, training data, ML algorithm, or defense mechanism. The attacker can only provide inputs to the model and check the corresponding outputs. By analyzing these input-output pairs, an attacker attempts to infer how the model operates in order to create a customized attack.

Methods of executing adversarial ML attacks

There are four main methods of executing ML adversarial attacks:

Poisoning attack

In a data poisoning attack, attackers tamper with the training data used to build a machine learning model, with the aim of causing misclassifications once the model is deployed. For example, the attacker could inject malicious files labeled as benign into the training data for a malware classifier. By poisoning the training data, the model would be trained to allow malware files containing the attacker’s malicious code to bypass detection.

When later deployed in the production environment, the corrupted ML model would have learned incorrect patterns, creating security holes that attackers could exploit. Data poisoning attacks are dangerous threats because manipulation during training can have an ongoing impact, long after the attack is over.

Evasion attack

In this type of attack, the ML model is already trained, so attackers work to craft the input samples during deployment to force the classifier to misclassify them. A good example is AI-powered anti-spam filter solutions. Attackers could conceal the SPAM code within a transparent image to prevent the textual AI-powered spam filter from detecting it.

Evasion is different from a poison attack. In evasion, attackers don’t change the behavior of the machine learning model by manipulating training data – instead, they exploit its weaknesses (e.g., weak-tuned parameters or susceptible architectures) through specifically crafted inputs to make the model produce inaccurate results. For example, in an evasion attack, hackers might add slight perturbations to an image to cause an image classifier to recognize it wrongfully during inference (e.g., misclassifying a tree as a tank during inference). However, the model’s parameters and training process are unchanged.

Extraction attack

Model extraction attacks involve replicating a target machine-learning model and training a substitute model on the inputs and outputs. This allows attackers to steal sensitive data, such as intellectual property or proprietary logic, embedded in high-value AI systems.

Extraction focuses on stealing the model itself rather than observing its response to copy its behaviors. The attackers query the target model with selected inputs, observe the outputs, and train a substitute model to resemble the input-output mapping. If successful, the adversary gets a copied version of the model.

Model extraction exposes confidential information in the original model’s architecture, logic, and training data. It also allows the adversary to conduct further attacks using their extracted model copy, such as creating evasion inputs or manipulating model logic.

Model extraction poses two primary risks:

  • The attacker can steal the model and reveal how the machine learning system works.
  • Stealing the model can facilitate other attack types, such as poisoning, logic, data leakage, model misuse, evasion and model inversion attacks.

Inference attack

In this attack, adversaries try to discover what training data was used to train the ML system and take advantage of any weaknesses or biases in data to exploit it.

For instance, ML systems used in banking and medical organizations are trained to use sensitive client information, such as names, birth dates, addresses, account passwords, credit card numbers, health information, and other personal details.

Suppose, after finishing the training period, a bank decided to remove their sensitive client’s information from the ML datasets. Although the client’s data were removed, the ML model has learned a lot of sensitive information about its customers and could be subject to inference attacks. An attacker could probe the ML model with crafted input to reveal sensitive information.

How to combat adversarial attacks against ML systems?

Adversarial attacks are considered the most critical security risks facing machine learning systems today. To combat them, machine learning engineers should take precautions such as:

  • Adversarial training, which augments training data with sample malicious inputs to improve model robustness.
  • Anomaly detection techniques to identify patterns that could represent adversarial inputs.
  • Robust model architectures and training procedures designed to resist adversarial manipulation.
  • Monitoring systems and networks to detect abnormal traffic whihch can indicate to a cyberattack. We can use security solutions such as intrusion detection systems (IDS) and anomaly detection systems (ADS).
  • Implementing security best practices like data encryption, access controls, and IT infrastructure hardening.

Security Lapse by Microsoft Employees Exposes Internal Passwords

26 Apr, 2024
In continuation of Microsoft’s series of data security incidents, employees accidentally exposed internal data to the public. The leak exposed an unprotected Azure storage server containing code, scripts, and configuration files. Microsoft has announced that it has fixed a security breach that exposed internal company credentials and files to the open internet. The breach was first discovered by security researchers from cybersecurity firm SOC Radar. According to their report, an internal error resulted in an Azure storage server without password protection being given public access. The exposed data was primarily related to Microsoft’s Bing search engine, including configuration files, code, and scripts that employees used to access a range of internal systems and databases. Consequently, bad actors could identify and access locations for Microsoft's internal data. So far, it has not been made clear how long the data has been exposed. Anuj Mudaliar Assistant Editor - Tech, SWZD opens a new window opens a new window Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.

AT&T experienced data breach that impacted 51 million customers (No one is immune)

26 Apr, 2024
AT&T is notifying 51 million former and current customers, warning them of a data breach that exposed their personal information on a hacking forum. However, the company has still not disclosed how the data was obtained. These notifications are related to the recent leak of a massive amount of AT&T customer data on the Breach hacking forums that was offered for sale for $1 million in 2021. When threat actor ShinyHunters first listed the AT&T data for sale in 2021, the company told BleepingComputer that the collection did not belong to them and that their systems had not been breached. Last month, when another threat actor known as 'MajorNelson' leaked the entire dataset on the hacking forum, AT&T once again told BleepingComputer that the data did not originate from them and their systems were not breached. After BleepingComputer confirmed that the data belonged to AT&T and DirectTV accounts, and TechCrunch reported AT&T passcodes were in the data dump, AT&T finally confirmed that the data belonged to them. While the leak contained information for more than 70 million people, AT&T is now saying that it impacted a total of 51,226,382 customers. "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "To the best of our knowledge, personal financial information and call history were not included. Based on our investigation to date, the data appears to be from June 2019 or earlier." BleepingComputer contacted AT&T as to why there is such a large difference in impacted customers and was told that some of the people had multiple accounts in the dataset. "We are sending a communication to each person whose sensitive personal information was included. Some people had more than one account in the dataset, and others did not have sensitive personal information," AT&T told BleepingComputer. The company has still not disclosed how the data was stolen and why it took them almost five years to confirm that it belonged to them and to alert customers. Furthermore, the company told the Maine Attorney General's Office that they first learned of the breach on March 26, 2024, yet BleepingComputer first contacted AT&T about it on March 17th and the information was for sale first in 2021. While it is likely too late, as the data has been privately circulating for years, AT&T is offering one year of identity theft protection and credit monitoring services through Experian, with instructions enclosed in the notices. The enrollment deadline was set to August 30, 2024, but exposed people should move much faster to protect themselves. Recipients are urged to stay vigilant, monitor their accounts and credit reports for suspicious activity, and treat unsolicited communications with elevated caution. For the admitted security lapse and the massive delay in verifying the data breach claims and informing affected customers accordingly, AT&T is facing multiple class-action lawsuits in the U.S. Considering that the data was stolen in 2021, cybercriminals have had ample opportunity to exploit the dataset and launch targeted attacks against exposed AT&T customers. However, the dataset has now been leaked to the broader cybercrime community, exponentially increasing the risk for former and current AT&T customers. Update 4/10/24: Added statement from AT&T about discrepancy in numbers. BILL TOULAS Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Home Depot Data Compromised Through Third-Party SaaS Misconfiguration

26 Apr, 2024
Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party SaaS vendor inadvertently exposing a subset of employee data. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. A Home Depot software vendor suffered a data breach leading to the compromise of an undisclosed number of employees. IntelBroker, the threat actor behind the attack claims it has the information of 10,000 Home Depot employees. Home improvement retailer Home Depot confirmed with multiple publishers that it suffered a data break due to a third-party software vendor inadvertently exposing a subset of employee data. Reportedly, the breach was caused by a misconfigured software-as-a-service (SaaS) application.
More Posts
Share by: