Détail du CWE-1039

CWE-1039

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
Incomplete
2018-03-29
00h00 +00:00
2025-04-03
00h00 +00:00
CWE Mitre.org
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Gestion des notifications

Nom: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

Description du CWE

When techniques such as machine learning are used to automatically classify input streams, and those classifications are used for security-critical decisions, then any mistake in classification can introduce a vulnerability that allows attackers to cause the product to make the wrong security decision or disrupt service of the automated mechanism. If the mechanism is not developed or "trained" with enough input data or has not adequately undergone test and evaluation, then attackers may be able to craft malicious inputs that intentionally trigger the incorrect classification.

Targeted technologies include, but are not necessarily limited to:

  • automated speech recognition
  • automated image recognition
  • automated cyber defense
  • Chatbot, LLMs, generative AI

For example, an attacker might modify road signs or road surface markings to trick autonomous vehicles into misreading the sign/marking and performing a dangerous action. Another example includes an attacker that crafts highly specific and complex prompts to "jailbreak" a chatbot to bypass safety or privacy mechanisms, better known as prompt injection attacks.

Informations générales

Modes d'introduction

Architecture and Design : This issue can be introduced into the automated algorithm itself due to inadequate training data used as well as lack of validation, verification, testing, and evaluation of the algorithm. These factors can affect the overall robustness of the algorithm when introduced into operational settings.
Implementation : The developer might not apply external validation of inputs into the algorithm.

Plateformes applicables

Langue

Class: Not Language-Specific (Undetermined)

Technologies

Name: AI/ML (Undetermined)

Conséquences courantes

Portée Impact Probabilité
IntegrityBypass Protection Mechanism

Note: When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.
AvailabilityDoS: Resource Consumption (Other), DoS: Instability

Note: There could be disruption to the service of the automated recognition system, which could cause further downstream failures of the software.
ConfidentialityRead Application Data

Note: This weakness could lead to breaches of data privacy through exposing features of the training data, e.g., by using membership inference attacks or prompt injection attacks.
OtherVaries by Context

Note: The consequences depend on how the application applies or integrates the affected algorithm.

Mesures d’atténuation potentielles

Phases : Architecture and Design
Algorithmic modifications such as model pruning or compression can help mitigate this weakness. Model pruning ensures that only weights that are most relevant to the task are used in the inference of incoming data and has shown resilience to adversarial perturbed data.
Phases : Architecture and Design
Consider implementing adversarial training, a method that introduces adversarial examples into the training data to promote robustness of algorithm at inference time.
Phases : Architecture and Design
Consider implementing model hardening to fortify the internal structure of the algorithm, including techniques such as regularization and optimization to desensitize algorithms to minor input perturbations and/or changes.
Phases : Implementation
Consider implementing multiple models or using model ensembling techniques to improve robustness of individual model weaknesses against adversarial input perturbations.
Phases : Implementation
Incorporate uncertainty estimations into the algorithm that trigger human intervention or secondary/fallback software when reached. This could be when inference predictions and confidence scores are abnormally high/low comparative to expected model performance.
Phases : Integration
Reactive defenses such as input sanitization, defensive distillation, and input transformations can all be implemented before input data reaches the algorithm for inference.
Phases : Integration
Consider reducing the output granularity of the inference/prediction such that attackers cannot gain additional information due to leakage in order to craft adversarially perturbed data.

Méthodes de détection

Dynamic Analysis with Manual Results Interpretation

Use indicators from model performance deviations such as sudden drops in accuracy or unexpected outputs to verify the model.

Dynamic Analysis with Manual Results Interpretation

Use indicators from input data collection mechanisms to verify that inputs are statistically within the distribution of the training and test data.

Architecture or Design Review

Use multiple models or model ensembling techniques to check for consistency of predictions/inferences.

Notes de cartographie des vulnérabilités

Justification : This CWE entry is a Class, but it does not have Base-level children.
Commentaire : This entry is classified in a part of CWE's hierarchy that does not have sufficiently low-level coverage, which might reflect a lack of classification-oriented weakness research in the software security community. Conduct careful root cause analysis to determine the original mistake that led to this weakness. If closer analysis reveals that this weakness is appropriate, then this might be the best available CWE to use for mapping. If no other option is available, then it is acceptable to map to this CWE.

NotesNotes

Further investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to "recognition of input as an incorrect type," which might place it as a sibling of CWE-704 (incorrect type conversion).

Références

REF-16

Intriguing properties of neural networks
Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, Rob Fergus.
https://arxiv.org/abs/1312.6199

REF-17

Attacking Machine Learning with Adversarial Examples
OpenAI.
https://openai.com/research/attacking-machine-learning-with-adversarial-examples

REF-15

Magic AI: These are the Optical Illusions that Trick, Fool, and Flummox Computers
James Vincent.
https://www.theverge.com/2017/4/12/15271874/ai-adversarial-images-fooling-attacks-artificial-intelligence

REF-13

CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition
Xuejing Yuan, Yuxuan Chen, Yue Zhao, Yunhui Long, Xiaokang Liu, Kai Chen, Shengzhi Zhang, Heqing Huang, Xiaofeng Wang, Carl A. Gunter.
https://arxiv.org/pdf/1801.08535.pdf

REF-14

Audio Adversarial Examples: Targeted Attacks on Speech-to-Text
Nicholas Carlini, David Wagner.
https://arxiv.org/abs/1801.01944

Soumission

Nom Organisation Date Date de publication Version
CWE Content Team MITRE 2018-03-12 +00:00 2018-03-29 +00:00 3.1

Modifications

Nom Organisation Date Commentaire
CWE Content Team MITRE 2019-06-20 +00:00 updated References
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2023-04-27 +00:00 updated References, Relationships
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2024-07-16 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2025-04-03 +00:00 updated Common_Consequences, Description, Detection_Factors, Mapping_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Time_of_Introduction