Denial of service attack

Definition

[IT.T.7] A Denial of Service (DoS) attack aims to disrupt the normal functioning and reduce the availability of a machine learning system, making it unusable for legitimate users. This is typically achieved by overwhelming the system with a high volume of requests or resource-intensive tasks, exhausting its computational resources.

Targeted assets

System Asset: ML system input/API.

Business Asset: input data.

Security Criteria: availability.

Attack details

Exploited vulnerabilities

Vulnerabilities:

  1. The server hosting the machine learning system can be overwhelmed and made unavailable by computationally expensive requests.
  2. There are no restrictions on the number or frequency of inference requests.
  3. Machine learning inference is computationally demanding.

Threat agent

Threat agent: white-box and black-box scenarios. In the white-box scenario, the attacker is assumed to have complete knowledge of the target machine learning model: its architecture, parameters, training data, and learning algorithm. In the black-box scenario, the attacker has no knowledge of the target model's architecture, parameters, or training data, and is assumed to be able to interact with the model only by sending it inputs and observing the outputs.

Attack methods

Attack methods:

  1. The adversary overwhelms the system by submitting many computationally expensive input requests.
  2. The adversary continuously sends computationally demanding inference requests at high frequency.

Impact and harm

Impact and harm: Negates the availability of the targeted machine learning model. This can lead to system failures, service unavailability, increased processing times, and reduced quality of service.

Security countermeasures

Security requirements

Security requirement: The machine learning system must be resistant to denial-of-service attacks.

Security controls

Security controls:

  1. Limit the feedback provided to the attacker, or return intentionally misleading responses. This reduces the value an attacker can extract from each request and can lower its computational cost.
  2. Validate inputs, in particular rejecting oversized or malformed requests before they reach the model.
  3. Dynamically allocate the resources needed to sustain the model's performance.
  4. Rate-limit the number of requests from any single user.
  5. Throttle and time out resource-intensive, ongoing model operations.
  6. Monitor resource usage for anomalies.
  7. Design for graceful degradation, so the system retains partial functionality under heavy load.
  8. Regulate and load-balance queued actions.
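Controls 2 and 4 can be sketched together as an admission check run before any inference work is done. The sketch below is a minimal illustration, not a production implementation: the function name `admit_request` and the thresholds (`MAX_INPUT_BYTES`, `MAX_REQUESTS`, `WINDOW_SECONDS`) are hypothetical, and a real deployment would use shared state (e.g. a distributed cache) rather than an in-process dictionary.

```python
import time
from collections import defaultdict, deque

# Hypothetical thresholds; tune per deployment.
MAX_INPUT_BYTES = 1024 * 1024   # control 2: reject oversized inputs
MAX_REQUESTS = 10               # control 4: per-user request cap
WINDOW_SECONDS = 60.0           # sliding window for the rate limit

# user_id -> timestamps of that user's recent requests
_request_log = defaultdict(deque)

def admit_request(user_id, payload, now=None):
    """Return True if the request may proceed to inference, False if rejected."""
    now = time.monotonic() if now is None else now

    # Control 2: size validation, before any expensive processing.
    if len(payload) > MAX_INPUT_BYTES:
        return False

    # Control 4: sliding-window rate limit per user.
    window = _request_log[user_id]
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()          # drop timestamps outside the window
    if len(window) >= MAX_REQUESTS:
        return False

    window.append(now)
    return True
```

Rejected requests cost the server almost nothing, which is the point: the expensive model invocation only happens after the cheap checks pass. Controls 5 and 7 would extend this by wrapping the inference call itself in a timeout and a degraded fallback path.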