01/10/24: Unit 2 – Computer Culture

Adversaries can deliberately confuse or even “poison” artificial intelligence (AI) systems to make them malfunction — and there’s no foolproof defense that their developers can employ. Computer scientists from the National Institute of Standards and Technology (NIST) and their collaborators identify these and other vulnerabilities of AI and machine learning (ML) in a new publication.

Their work, titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST.AI.100-2), is part of NIST’s broader effort to support the development of trustworthy AI, and it can help put NIST’s AI Risk Management Framework into practice. The publication, a collaboration among government, academia and industry, is intended to help AI developers and users get a handle on the types of attacks they might expect along with approaches to mitigate them — with the understanding that there is no silver bullet.

“We are providing an overview of attack techniques and methodologies that consider all types of AI systems,” said NIST computer scientist Apostol Vassilev, one of the publication’s authors. “We also describe current mitigation strategies reported in the literature, but these available defenses currently lack robust assurances that they fully mitigate the risks. We are encouraging the community to come up with better defenses.”

AI systems have permeated modern society, working in capacities ranging from driving vehicles to helping doctors diagnose illnesses to interacting with customers as online chatbots. To learn to perform these tasks, they are trained on vast quantities of data: An autonomous vehicle might be shown images of highways and streets with road signs, for example, while a chatbot based on a large language model (LLM) might be exposed to records of online conversations. This data helps the AI predict how to respond in a given situation.

One major issue is that the data itself may not be trustworthy. Its sources may be websites and interactions with the public. There are many opportunities for bad actors to corrupt this data — both during an AI system’s training period and afterward, while the AI continues to refine its behaviors by interacting with the physical world. This can cause the AI to perform in an undesirable manner. Chatbots, for example, might learn to respond with abusive or racist language when their guardrails get circumvented by carefully crafted malicious prompts.

“For the most part, software developers need more people to use their product so it can get better with exposure,” Vassilev said. “But there is no guarantee the exposure will be good. A chatbot can spew out bad or toxic information when prompted with carefully designed language.”

In part because the datasets used to train an AI are far too large for people to successfully monitor and filter, there is no foolproof way as yet to protect AI from misdirection. To assist the developer community, the new report offers an overview of the sorts of attacks its AI products might suffer and corresponding approaches to reduce the damage.

The report considers the four major types of attacks: evasion, poisoning, privacy and abuse attacks. It also classifies them according to multiple criteria such as the attacker’s goals and objectives, capabilities, and knowledge.

Evasion attacks, which occur after an AI system is deployed, attempt to alter an input to change how the system responds to it. Examples would include adding markings to stop signs to make an autonomous vehicle misinterpret them as speed limit signs or creating confusing lane markings to make the vehicle veer off the road.

Poisoning attacks occur in the training phase by introducing corrupted data. An example would be slipping numerous instances of inappropriate language into conversation records, so that a chatbot interprets these instances as common enough parlance to use in its own customer interactions.

Privacy attacks, which occur during deployment, are attempts to learn sensitive information about the AI or the data it was trained on in order to misuse it. An adversary can ask a chatbot numerous legitimate questions, and then use the answers to reverse engineer the model so as to find its weak spots — or guess at its sources. Adding undesired examples to those online sources could make the AI behave inappropriately, and making the AI unlearn those specific undesired examples after the fact can be difficult.

Abuse attacks involve the insertion of incorrect information into a source, such as a webpage or online document, that an AI then absorbs. Unlike the aforementioned poisoning attacks, abuse attacks attempt to give the AI incorrect pieces of information from a legitimate but compromised source to repurpose the AI system’s intended use.

“Most of these attacks are fairly easy to mount and require minimum knowledge of the AI system and limited adversarial capabilities,” said co-author Alina Oprea, a professor at Northeastern University. “Poisoning attacks, for example, can be mounted by controlling a few dozen training samples, which would be a very small percentage of the entire training set.”
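A defender-side illustration of the two points above (inappropriate language slipped into conversation records, and a poisoning attack that needs only a few dozen samples), added here and not part of the NIST report or this post: a near-duplicate flood check over a constructed training corpus that flags a cluster of near-identical records supplied by a single contributor and drops it before training. The corpus, source ids, threshold and the `<OFFENSIVE_PHRASE>` placeholder are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed toy corpus of "conversation records": each record is (source_id, text).
# Benign traffic comes from many distinct users; the poison cluster is a few dozen
# near-identical lines from one contributor, a constructed stand-in for the
# "few dozen training samples" case. <OFFENSIVE_PHRASE> is a placeholder token.
CLEAN_RECORDS = (
    [(f"user{i % 97}", f"Thanks for your help with order {i}!") for i in range(500)]
    + [(f"user{i % 89}", f"Could you update my address on ticket {i}?") for i in range(500)]
)
POISON_RECORDS = [("contributor-x", f"<OFFENSIVE_PHRASE>, re: request {i}") for i in range(40)]


def template(text: str) -> str:
    """Collapse a record to a coarse template so near-duplicates group together:
    lower-case, replace digit runs with '#', drop punctuation, squeeze spaces."""
    t = re.sub(r"\d+", "#", text.lower())
    t = re.sub(r"[^\w#<> ]+", " ", t)
    return re.sub(r"\s+", " ", t).strip()


def flag_floods(records, threshold: int = 20):
    """Return {(source, template): count} for every source that supplied at least
    `threshold` near-identical records. One contributor pushing dozens of copies
    of a single template is the signature of the poisoning example above, while
    benign phrasing is spread thinly across many sources."""
    per_source = Counter((src, template(txt)) for src, txt in records)
    return {key: n for key, n in per_source.items() if n >= threshold}


def sanitize(records, threshold: int = 20):
    """Drop every record belonging to a flagged (source, template) cluster before
    the data reaches training. Returns (kept_records, dropped_count)."""
    flagged = flag_floods(records, threshold)
    kept = [(src, txt) for src, txt in records if (src, template(txt)) not in flagged]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    corpus = CLEAN_RECORDS + POISON_RECORDS
    print(f"poison share of corpus: {len(POISON_RECORDS) / len(corpus):.1%}")
    for (src, tpl), n in flag_floods(corpus).items():
        print(f"flagged {n} near-identical records from {src}: {tpl!r}")
    kept, dropped = sanitize(corpus)
    print(f"kept {len(kept)} records, dropped {dropped}")
```

The check catches only the crude case of one source flooding one template; poison spread across many sources or many phrasings needs stronger provenance controls, which is the gap the report itself describes.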

The authors — who also included Robust Intelligence Inc. researchers Alie Fordyce and Hyrum Anderson — break down each of these classes of attacks into subcategories and add approaches for mitigating them, though the publication acknowledges that the defenses AI experts have devised for adversarial attacks thus far are incomplete at best. Awareness of these limitations is important for developers and organizations looking to deploy and use AI technology, Vassilev said.

“Despite the significant progress AI and machine learning have made, these technologies are vulnerable to attacks that can cause spectacular failures with dire consequences,” he said. “There are theoretical problems with securing AI algorithms that simply haven’t been solved yet. If anyone says differently, they are selling snake oil.”


How might the increasing sophistication of artificial intelligence (AI) impact the future of computer viruses, both in terms of how viruses are created and how they are defended against?


Comments

  1. Fátima Matta wrote:

    Artificial intelligence has the potential to transform the future of viruses, both in the creation of new viruses and in potential defences against them. Attackers can use AI to create even more adaptive and pipelined viruses that can quickly modify their command code to avoid detection, or to make custom viruses. AI-powered viruses can automatically decide the most effective infection vectors based on the vulnerability of each system. AI is also not without risk; if anything, it has been susceptible to hostile attacks, because data can be manipulated. This can be problematic for cyber-physical systems, since hostile actors are no longer human. Overall, as far as hostile actors are concerned, AI is an enigma, but it is also a potentially useful solution.

  2. Jhony Ramírez Guillén wrote:

    The advancement of artificial intelligence (AI) will significantly impact the creation of and defense against computer viruses. On one hand, attackers will be able to use AI to automate virus generation, and AI will facilitate more personalized and targeted attacks. On the other hand, defenses will also benefit from AI, enabling faster threat detection and automated responses to attacks.
    In conclusion, the rise of artificial intelligence presents both opportunities and challenges in the realm of cybersecurity; a collaborative approach within the cybersecurity community will be essential to effectively combat the evolving landscape of AI-driven attacks.

  3. Aylin Rosas wrote:

    In my opinion, as artificial intelligence (AI) becomes more sophisticated, the number of viruses and the methods to defend against them will also increase. It is a fact that, like other themes, it is part of this globalized world.
    So, with the increase of AI we will find new types of cyberattacks, or the current ones will be improved.

  4. Pedro Huerto wrote:

    Artificial intelligence has found its way into almost every aspect of our lives, from virtual assistants for the home, medical diagnostics, multimedia content creation, to autonomous driving, among others.
    In my opinion, the use of artificial intelligence in the creation of computer viruses is a worrying trend in the world of cybercrime. Cybercriminals are leveraging AI to develop more sophisticated and evasive malware, presenting a significant challenge to global cybersecurity. However, AI-based countermeasures are also being developed and global collaboration is being promoted to address this evolving threat. Cybersecurity is a constantly evolving field, and adaptation and innovation are essential to protect against AI-driven malware and other emerging cyber threats.

  5. PILAR GERALDINE PRETELL GARCIA wrote:

    I think AI will eventually be more and more sophisticated and, for that reason, it will gradually challenge virus writers. In the end, it will be a competitive context where knowledge, creativity and experience will play an important role in our technological world, in which users will be in the middle and we may have many more benefits or damages. The consequences depend on how much economic power and support each of them might encounter. To sum up, in my opinion, computer users will be immersed in a long battle between AI developers and virus writers, and the latter will try to harm and impact the perception of AI.
