Relationship of attacks and model parameters asset

General Image Description

The UML class diagram visualizes a threat model with three threats, identified in the conducted systematic literature review, that target the model parameters for the initial compromise. The model parameters are compromised either through the “Processing hardware running the ML model” or by targeting the “Machine learning model” itself.

Model parameters are integral components of a model: internal variables that are critical to its operation and utility. In the context of this work, the following components are considered model parameters: layers, the type of activation function, layer connections, parameters, and weights. The values of the parameters are adjusted during training.
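
As an illustration of what this asset covers, the sketch below enumerates these components for a small model. It is a minimal example assuming PyTorch; the model itself is hypothetical and not taken from the reviewed literature.

```python
# Illustrative sketch (PyTorch assumed); the model is hypothetical.
import torch.nn as nn

# A small feed-forward model: its structure and internal variables together
# constitute the "model parameters" asset described above.
model = nn.Sequential(
    nn.Linear(16, 32),   # layer with trainable weights and biases
    nn.ReLU(),           # type of activation function
    nn.Linear(32, 2),    # layer connection: 32-unit hidden layer -> 2 outputs
)

# Layers, activation types, and layer connections (the architecture).
for name, module in model.named_modules():
    if name:  # skip the top-level container
        print(name, type(module).__name__)

# Trainable parameters (weights and biases), whose values are adjusted
# during training.
for name, param in model.named_parameters():
    print(name, tuple(param.shape))
```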

List of threats

  1. [MP.T.1] A hardware side-channel attack exploits vulnerabilities in the physical implementation of a machine learning (ML) model to extract sensitive information such as model parameters, training data, or the model's architecture. Instead of targeting the ML algorithm directly, these attacks measure and analyze side-channel information that is correlated with the ML assets (a toy illustration of this principle follows the list).
  2. [MP.T.2] A model extraction attack that utilizes side-channel methods leverages hardware implementation vulnerabilities to determine the target machine learning model’s architecture and parameter values.
  3. [MP.T.3] A model manipulation attack involves an adversary directly altering the parameters, logic, or architecture of a machine learning model with the intent to compromise its performance, security, or integrity. This type of attack differs from traditional adversarial attacks, which focus on crafting malicious input samples or poisoning training data: the adversary instead gains access to the model itself and modifies it to achieve specific malicious goals (a hedged sketch of such direct parameter manipulation follows the list).
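
As a minimal illustration of the side-channel principle behind [MP.T.1] and [MP.T.2], the sketch below measures inference latency and shows that this externally observable signal correlates with an internal asset (network depth). PyTorch and a local software timer are assumptions made for the example; real attacks use power traces, electromagnetic emissions, or cache timing on the processing hardware.

```python
# Toy illustration only: the "side channel" here is a Python timer, not an
# actual hardware probe. The models and sizes are hypothetical.
import time
import torch
import torch.nn as nn

def make_mlp(depth, width=256):
    """Build a feed-forward model with `depth` hidden layers."""
    layers = []
    for _ in range(depth):
        layers += [nn.Linear(width, width), nn.ReLU()]
    layers.append(nn.Linear(width, 1))
    return nn.Sequential(*layers)

x = torch.randn(64, 256)
for depth in (1, 4, 16):
    model = make_mlp(depth)
    model.eval()
    with torch.no_grad():
        start = time.perf_counter()
        for _ in range(50):
            model(x)
        elapsed = time.perf_counter() - start
    # The timing signal leaks information about the architecture (depth).
    print(f"hidden layers: {depth:2d}  total inference time: {elapsed:.3f}s")
```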
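
For [MP.T.3], the sketch below shows how an adversary with write access to a serialized model can directly alter its weights, compromising integrity without crafting inputs or poisoning training data. PyTorch is assumed, and the model and file path are hypothetical stand-ins for a deployed system.

```python
# Hypothetical sketch of direct parameter manipulation (MP.T.3).
# Assumes the adversary has read/write access to the serialized model file.
import torch
import torch.nn as nn

MODEL_PATH = "deployed_model.pt"  # hypothetical path to the victim model

# Victim model (stand-in for a deployed ML model).
model = nn.Sequential(nn.Linear(8, 16), nn.ReLU(), nn.Linear(16, 2))
torch.save(model.state_dict(), MODEL_PATH)

# Adversary loads the parameters, perturbs them, and writes them back.
state = torch.load(MODEL_PATH)
# Example manipulation: flip the sign of the output-layer weights so the
# model's decisions are systematically inverted while it still "runs".
state["2.weight"].mul_(-1.0)
torch.save(state, MODEL_PATH)

# The service later reloads the tampered parameters, unaware of the change.
model.load_state_dict(torch.load(MODEL_PATH))
```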