Top strategies to secure machine learning models
Adversarial attacks on machine learning (ML) models are growing in intensity, frequency and sophistication with more enterprises admitting they have experienced an AI-related security incident.
AI’s pervasive adoption is leading to a rapidly expanding threat surface that all enterprises struggle to keep up with. A recent Gartner survey on AI adoption shows that 73% of enterprises have hundreds or thousands of AI models deployed.
HiddenLayer’s earlier study found that 77% of the companies identified AI-related breaches, and the remaining companies were uncertain whether their AI models had been attacked. Two in five organizations had an AI privacy breach or security incident of which 1 in 4 were malicious attacks.
A growing threat of adversarial attacks
With AI’s growing influence across industries, malicious attackers continue to sharpen their tradecraft to exploit ML models’ growing base of vulnerabilities as the variety and volume of threat surfaces expand.
Adversarial attacks on ML models look to exploit gaps by intentionally redirecting the model with crafted inputs, corrupted data, jailbreak prompts, and malicious commands hidden in images that are loaded back into a model for analysis. Attackers fine-tune these attacks so that models deliver false predictions and classifications, producing the wrong output.
VentureBeat contributor Ben Dickson explains how adversarial attacks work, the many forms they take and the history of research in this area.
Gartner also found that 41% of organizations reported experiencing some form of AI security incident, including adversarial attacks targeting ML models. Of the reported incidents, 60% involved data compromises from an internal party while 27% involved malicious attacks against the AI infrastructure of the organization. Thirty percent of all AI cyberattacks will leverage training-data poisoning, AI model theft or adversarial samples to attack AI-powered systems.
Adversarial ML attacks on network security are growing
Disrupting entire networks with adversarial ML attacks is the stealth attack strategy nation-states are betting on to disrupt their adversaries’ infrastructure, which will have a cascading effect across supply chains. A recent study revealed that the complexity of network environments requires more advanced ML techniques. This creates new vulnerabilities which attackers can exploit. Researchers have noticed that adversarial attacks against ML are on the rise. The question is not if but when an organization will be attacked by an adversarial group. It is a constant battle, but with the right tools and strategies, organizations can win. Each vendor has a different approach to solving the challenge. VentureBeat’s recent analysis of Cisco and Cradlepoint shows how quickly vendors are addressing this and other threats to network and model security. Cisco’s acquisition of Robust Intelligence shows how critical it is for the network giant to protect ML models.
Understanding adversarial attacks
Adversarial attacks exploit weaknesses in the data’s integrity and the ML model’s robustness. According to NIST’s Artificial Intelligence Risk Management Framework, these attacks introduce vulnerabilities, exposing systems to adversarial exploitation.
There are several types of adversarial attacks:
Data Poisoning:
Attackers introduce malicious data into a model’s training set to degrade performance or control predictions. Gartner’s report for 2023 states that nearly 30% of AI-enabled organizations, especially those in healthcare and finance, have been subjected to such attacks. Backdoor attacks embed triggers into training data so that models behave incorrectly whenever these triggers appear in real-world inputs. A 2023 MIT study highlights the growing risk of such attacks as AI adoption grows, making defense strategies such as adversarial training increasingly important.
Evasion Attacks:
These attacks alter input data to cause mispredictions; slight image distortions can be enough to make a model misclassify. The Fast Gradient Sign Method, or FGSM, is a popular evasion technique that uses small adversarial perturbations to fool models. Evasion attacks on autonomous vehicles have raised safety concerns: modified stop signs were misinterpreted as yield signs. In a 2019 study, a small sticker placed on a stop sign misled an autonomous vehicle into believing it was a speed-limit sign. Tencent’s Keen Security Lab tricked a Tesla Model S autopilot using road stickers that steered the car in the wrong direction, showing that even small input changes can have a dangerous effect. Adversarial attacks on critical systems like autonomous vehicles are real-world threats.
Model Inversion:
Allows adversaries to infer sensitive data from a model’s outputs, posing significant risks when a model is trained on confidential data like health or financial records. Attackers query the model and use the answers to reverse-engineer its training data. In 2023, Gartner warned, “The misuse of model inversion can lead to significant privacy violations, especially in healthcare and financial sectors, where adversaries can extract patient or customer information from AI systems.”
Model Stealing:
Repeated API queries are used to replicate a model’s functionality, allowing the attacker to build a model that mimics the original. AI Security states, “AI models are often targeted through API queries to reverse-engineer their functionality, posing significant risks to proprietary systems, especially in sectors like finance, healthcare, and autonomous vehicles.” These attacks are increasing as AI use grows, raising concerns about IP and trade secrets embedded in AI models.
Recognizing the weak points in your AI systems
Securing ML models against adversarial attacks requires understanding the vulnerabilities in AI systems. The following areas need to be prioritized:
Data poisoning and bias attacks:
Attackers target AI systems with biased or malicious data. Recent attacks have hit the healthcare, manufacturing and autonomous vehicle industries. NIST’s 2024 report warns that these risks are exacerbated by weak data governance. Gartner reports that robust data controls and adversarial learning can increase AI resilience by up to 30%.
Model integrity and adversarial training:
Machine learning models that have not been hardened with adversarial training remain open to manipulation. Adversarial training uses negative examples to strengthen a model’s defenses. Researchers report that it increases robustness, but it requires longer training periods and can sacrifice some accuracy for resilience. Despite these trade-offs, it is a vital defense against adversarial attacks. Researchers have also found that poor machine identity management in hybrid cloud environments increases the risk of adversarial attacks on machine learning models.
API vulnerabilities:
Public APIs are the main channel for obtaining AI model outputs, which makes model-stealing and other adversarial attacks against them highly effective. As was discussed at BlackHat 2022, many businesses are vulnerable to exploitation because of weak API security. Vendors such as Checkmarx and Traceable AI automate API discovery to reduce these risks. API security must be strengthened to preserve the integrity of AI models and safeguard sensitive data.
Best practices for securing ML models
Implementing the following best practices can significantly reduce the risks posed by adversarial attacks:
Robust Data and Model Management: NIST recommends strict data sanitization and filtering to prevent data poisoning in machine learning models. Regular governance reviews are required to avoid malicious data integration. ML models should also be protected by tracking model versions, monitoring production and implementing automated, secure updates. Researchers at BlackHat 2022 stressed the importance of continuous updates and monitoring to protect machine learning models in software supply chains. Organizations can improve AI system security and reliability through robust data and model management.
Adversarial Training: ML models are strengthened by training on adversarial examples created with the Fast Gradient Sign Method (FGSM). FGSM increases model errors by adjusting input data in small amounts, and exposing models to these inputs during training helps them recognize and resist attacks. Researchers claim that this method can boost model resilience by 30 percent. Researchers write that “adversarial training is one of the most effective methods for improving model robustness against sophisticated threats.”
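The evasion attack described under “Evasion Attacks” and the defense described here are two halves of the same loop: FGSM pushes each input by a small, fixed amount in the direction that most increases the loss, and adversarial training feeds those perturbed inputs back into training. The following added example (not code from the article or from any vendor it mentions) implements both on a toy two-feature logistic-regression classifier in pure Python; the data points, the perturbation budget `EPS` and the training settings are constructed for illustration.

```python
"""FGSM adversarial examples and adversarial training on a toy logistic-regression
classifier, in pure Python (constructed example, not from the article)."""
import math

EPS = 3.6  # L-infinity perturbation budget used for both attack and training (constructed)
# Constructed, point-symmetric toy data: class 1 near (4, 1), class 0 near (-4, -1).
# Feature x1 separates the classes by a wide margin, x2 only by a narrow one.
POS = [(4.0, 1.0), (4.2, 0.8), (3.8, 1.2), (4.1, 1.1), (3.9, 0.9)]
DATA = [(x, 1) for x in POS] + [((-a, -b), 0) for a, b in POS]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict_proba(w, x):
    # No bias term: the data is symmetric about the origin, so the bias would stay 0.
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)))

def loss(w, x, y):
    p = min(max(predict_proba(w, x), 1e-12), 1 - 1e-12)
    return -(y * math.log(p) + (1 - y) * math.log(1 - p))

def fgsm(w, x, y, eps):
    """x_adv = x + eps * sign(grad_x loss); for a linear model grad_x = (p - y) * w."""
    p = predict_proba(w, x)
    sign = lambda v: (v > 0) - (v < 0)
    return tuple(xi + eps * sign((p - y) * wi) for xi, wi in zip(x, w))

def train(data, eps=0.0, lr=0.1, steps=400):
    """Gradient descent; with eps > 0 each step trains on FGSM examples built from the current weights."""
    w = [0.0, 0.0]
    for _ in range(steps):
        grad = [0.0, 0.0]
        for x, y in data:
            xa = fgsm(w, x, y, eps) if eps > 0 else x
            err = predict_proba(w, xa) - y
            grad = [g + err * xi / len(data) for g, xi in zip(grad, xa)]
        w = [wi - lr * g for wi, g in zip(w, grad)]
    return w

def accuracy(w, data, eps=0.0):
    """Fraction classified correctly, after an FGSM perturbation of each input if eps > 0."""
    hits = sum((predict_proba(w, fgsm(w, x, y, eps) if eps > 0 else x) >= 0.5) == (y == 1)
               for x, y in data)
    return hits / len(data)

if __name__ == "__main__":
    for name, w in (("standard", train(DATA)), ("adv-trained", train(DATA, eps=EPS))):
        print(f"{name:12s} w=({w[0]:.2f}, {w[1]:.2f})  clean acc={accuracy(w, DATA):.2f}  "
              f"FGSM acc (eps={EPS})={accuracy(w, DATA, EPS):.2f}")
```

Both models classify the clean points perfectly; the difference shows up only under perturbation, where the standard model, which leans on the fragile feature x2, is flipped while the adversarially trained model learns to discount it.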
Homomorphic Encryption and Secure Access: When safeguarding data in machine learning, particularly in sensitive fields like healthcare and finance, homomorphic encryption provides robust protection by enabling computations on encrypted data without exposing it. EY states, “Homomorphic encryption is a game-changer for sectors that require high levels of privacy, as it allows secure data processing without compromising confidentiality.” Combining this with remote browser isolation further reduces attack surfaces, ensuring that managed and unmanaged devices are protected through secure access protocols.
API Security: Public-facing APIs must be secured to prevent model stealing and protect sensitive data. BlackHat 2022 reported that cybercriminals are increasingly using API vulnerabilities to breach enterprise technology stacks and supply chains. AI-driven insights, such as network traffic anomaly analyses, help detect vulnerabilities and strengthen defenses in real time. API security can reduce an organization’s attack surface and protect AI models from adversaries.
Regular Model Audits: Periodic audits are crucial for detecting vulnerabilities and addressing data drift in machine learning models. Regular testing with adversarial examples ensures that models remain robust enough to withstand evolving threats. These practices safeguard long-term security and adaptability.
Technology solutions to secure ML models
Several technologies and techniques are proving effective in defending against adversarial attacks targeting machine learning models:
Differential privacy: This technique protects sensitive data by introducing noise into model outputs without appreciably lowering accuracy. This strategy is crucial for sectors such as healthcare, which value privacy. Differential privacy is a technique used by Microsoft and IBM among other companies to protect sensitive data in their AI systems.
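The noise-for-privacy trade-off described above can be made concrete with the Laplace mechanism, the textbook way to release a statistic with differential privacy. The following added example (not code from the article, Microsoft or IBM) publishes a positive-diagnosis count from a constructed patient table, checks the epsilon-DP guarantee against a neighbouring table that differs in one record, and measures the accuracy cost of the noise; the table contents, the epsilon values and the seed are all constructed.

```python
"""Differential privacy for a released statistic via the Laplace mechanism, in pure Python
(constructed example, not from the article): a positive-diagnosis count is published
with calibrated noise, and the epsilon-DP guarantee is checked on two tables that
differ in exactly one record."""
import math
import random

def laplace_pdf(v, scale):
    return math.exp(-abs(v) / scale) / (2 * scale)

def laplace_mechanism(true_value, sensitivity, epsilon, rng):
    """Release true_value + Laplace(0, sensitivity / epsilon) noise, sampled by inverse CDF."""
    scale = sensitivity / epsilon
    u = rng.random() - 0.5                       # uniform on [-0.5, 0.5)
    tail = max(1.0 - 2.0 * abs(u), 1e-300)       # guard against log(0) at u == -0.5
    return true_value - scale * math.copysign(1.0, u) * math.log(tail)

def count_positive(records):
    return sum(1 for r in records if r["diagnosis"] == "positive")

def max_density_ratio(count_a, count_b, sensitivity, epsilon, outputs):
    """Largest P[output | table A] / P[output | table B] over a grid of possible outputs.
    epsilon-DP promises this never exceeds exp(epsilon) when the counts differ by at most
    `sensitivity`, so an observer cannot tell which table produced the release."""
    scale = sensitivity / epsilon
    return max(laplace_pdf(o - count_a, scale) / laplace_pdf(o - count_b, scale)
               for o in outputs)

def mean_abs_error(true_value, sensitivity, epsilon, trials=20000, seed=7):
    """Accuracy cost of the noise: expected |released - true| is sensitivity / epsilon."""
    rng = random.Random(seed)
    return sum(abs(laplace_mechanism(true_value, sensitivity, epsilon, rng) - true_value)
               for _ in range(trials)) / trials

# Constructed records; TABLE_B is TABLE_A with one patient removed (a neighbouring table).
TABLE_A = [{"id": i, "diagnosis": "positive" if i % 3 == 0 else "negative"} for i in range(300)]
TABLE_B = TABLE_A[1:]
SENSITIVITY = 1   # adding or removing one record changes a count by at most 1
GRID = [50.0 + k / 10 for k in range(1001)]   # candidate outputs 50.0 .. 150.0

if __name__ == "__main__":
    ca, cb = count_positive(TABLE_A), count_positive(TABLE_B)
    for eps in (0.1, 0.5, 1.0, 2.0):
        print(f"eps={eps}: worst-case ratio={max_density_ratio(ca, cb, SENSITIVITY, eps, GRID):.3f} "
              f"(bound e^eps={math.exp(eps):.3f}), mean |error|={mean_abs_error(ca, SENSITIVITY, eps):.2f}")
```

Smaller epsilon tightens the indistinguishability bound but raises the mean error in proportion to 1/epsilon, which is the “noise without appreciably lowering accuracy” balance the passage refers to.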
AI-Powered Secure Access Service Edge (SASE): As enterprises increasingly consolidate networking and security, SASE solutions are gaining widespread adoption. Cisco, Ericsson, Fortinet, Palo Alto Networks, VMware and Zscaler are among the major vendors in this market. These companies provide a variety of solutions to meet the increasing demand for secure access within distributed and hybrid environments. With Gartner predicting that 80% of organizations will adopt SASE by 2025, this market is set to expand rapidly.
Ericsson distinguishes itself by integrating 5G-optimized SD-WAN and Zero Trust security, enhanced by its acquisition of Ericom. Ericsson can now deliver a cloud SASE solution tailored to hybrid workforces and IoT. Ericsson’s NetCloud SASE Platform has proven valuable for AI-powered analysis and real-time threat detection at the network edge. The platform integrates Zero Trust Network Access, identity-based control and encrypted traffic inspection. Ericsson uses cellular intelligence data and telemetry to train AI models for troubleshooting. Its AIOps can automatically detect latency, isolate it to a cellular interface, determine the root cause as a problem with the cellular signal and then recommend remediation.
Federated Learning with Homomorphic Encryption: Federated learning allows decentralized ML training without sharing raw data, protecting privacy. Homomorphic encryption keeps the data encrypted throughout the computation. These technologies are being developed by Google, IBM, Microsoft and Intel, especially for healthcare and finance. These innovations in secure, decentralized AI protect data privacy.
Defending from attacks
Given how severe adversarial attacks such as model inversion, evasion and data poisoning can be, the healthcare and financial industries are particularly vulnerable. Organizations can reduce the risk of adversarial attacks by implementing techniques such as robust data management and secure API practices. AI-powered SASE built with cellular optimization and AI intelligence has been effective in defending networks against attacks.