Definition
[MLMDP.T.1] A supply chain attack targets vulnerabilities in the machine learning (ML) supply chain to compromise the integrity, security, and trustworthiness of ML models and their deployment platforms. These attacks exploit weaknesses in third-party components, training data, pre-trained models, and deployment infrastructure.
Targeted assets
System Asset: enabling software components.
Business Asset: machine learning model development process.
Security Criteria: integrity, availability.
Attack details
Exploited vulnerabilities
Vulnerabilities:
- Deployment platform vulnerabilities
- Traditional software vulnerabilities: code and dependencies flaws.
- Corrupted, vulnerable 3rd party pre-trained models.
- Usage of unmaintained software, models.
- Vulnerable LoRA adapters, i.e. a malicious fine-tuning adjustment applied to the pre-trained model.
- Development platform vulnerabilities.
Threat agent
Threat agent: black-box scenario. In the white-box scenario, the attacker is assumed to have complete knowledge of the target machine learning model: its architecture, parameters, training data, and learning algorithm. In the black-box scenario, the attacker has no knowledge of the target model's architecture, parameters, or training data, and is assumed to be able to interact with the model only by sending it inputs and observing the outputs.
Attack methods
Attack methods:
- Infection or impersonation of software components, public machine learning models, development environments, or data resources on which the target machine learning system depends.
Impact and harm
Impact and harm: Negates the integrity and availability of the targeted machine learning model. The attack may result in loss of integrity of the training data or the deployment platform, biased model output, or a wider security breach of the hosting environment.
Security countermeasures
Security requirements
Security requirement: The machine learning system's actions and decisions must be resistant to supply chain attacks.
Security controls
Security controls:
- Vet data sources, suppliers, terms and conditions, privacy policies.
- Regularly review and audit suppliers' security posture and terms.
- Vulnerability scanning.
- Patch vulnerable software, or apply virtual patching where a fix cannot be deployed immediately.
- Remove unused dependencies and unnecessary features.
- Monitor dependencies for their state, versions and vulnerabilities.
- Source models and components only from official, verified sources.
- Conduct red teaming, penetration testing, integrity checking against 3rd party models.
- Maintain an inventory of components, a Software Bill of Materials (SBOM).
- Utilize code signing for externally supplied code.
- Monitor and audit collaborative and development environments. Example: HuggingFace SF_Convertbot Scanner.
- Utilize integrity checks and vendor attestation APIs against apps and models.
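Two of the controls above, the pinned-hash check against a component inventory (SBOM) and the integrity check of a third-party model artifact before it is loaded, are shown together below as an added example. This code is not part of the MLMDP catalogue and does not come from any of the tools it names; the manifest contents, the sample artifacts, and the `ALLOWED_GLOBALS` allowlist are constructed for the example. The pickle scan uses `pickletools.genops`, which walks the opcode stream statically without unpickling, so nothing from the artifact is executed while it is inspected.

```python
"""Added example: SBOM-style pinned-hash verification plus a static scan of a
pickle-serialized model artifact for global references outside an allowlist.
Not part of the MLMDP catalogue entry; all sample data is constructed."""
import collections
import hashlib
import hmac
import pickle
import pickletools

# Opcodes that push a string constant; STACK_GLOBAL (protocol 4+) consumes the
# two most recent ones as (module, name).
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

# Assumption for the example: the globals a legitimate artifact may reference.
# A real deployment derives this from the framework it actually serializes with.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "numpy.core.multiarray._reconstruct",  # typical for numpy arrays
    "numpy.ndarray",
    "numpy.dtype",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_hash(name: str, data: bytes, manifest: dict) -> bool:
    """SBOM-style control: the artifact must be listed in the manifest and its
    SHA-256 must equal the pinned value. Unlisted artifacts are rejected."""
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(data))


def scan_pickle_globals(data: bytes, allowed=ALLOWED_GLOBALS) -> list:
    """Return every module.name reference in the pickle stream that is not on
    the allowlist. Every such reference is a point where unpickling would
    import and call code, so an artifact with findings must not be loaded."""
    findings = []
    recent_strings = []
    try:
        for op, arg, _pos in pickletools.genops(data):
            if op.name in STRING_OPS:
                recent_strings = (recent_strings + [arg])[-2:]
            elif op.name in ("GLOBAL", "INST"):
                # protocol < 4: argument is "module name" separated by a space
                ref = arg.replace(" ", ".", 1)
                if ref not in allowed:
                    findings.append(ref)
            elif op.name == "STACK_GLOBAL":
                ref = ".".join(recent_strings) if len(recent_strings) == 2 else "<unresolved>"
                if ref not in allowed:
                    findings.append(ref)
    except ValueError as exc:
        # Truncated or malformed stream: treat as a finding, never as "clean".
        findings.append(f"<malformed pickle: {exc}>")
    return findings


def assess_artifact(name: str, data: bytes, manifest: dict) -> list:
    """Apply both controls; returns the reasons to reject (empty = accepted)."""
    reasons = []
    if not verify_pinned_hash(name, data, manifest):
        reasons.append("hash mismatch or artifact not in manifest")
    for ref in scan_pickle_globals(data):
        reasons.append(f"pickle references non-allowlisted global {ref}")
    return reasons


def demo() -> dict:
    """Constructed artifacts: a pinned, clean model; a tampered copy; and an
    artifact referencing a global that is not on the allowlist."""
    trusted_model = pickle.dumps(collections.OrderedDict(w=[0.1, 0.2]), protocol=4)
    manifest = {"model.pkl": sha256_hex(trusted_model)}  # the inventory entry
    return {
        "pinned_ok": assess_artifact("model.pkl", trusted_model, manifest),
        "tampered": assess_artifact("model.pkl", trusted_model + b"\x00", manifest),
        "unlisted_global": scan_pickle_globals(pickle.dumps(collections.Counter, protocol=4)),
        "legacy_global": scan_pickle_globals(pickle.dumps(collections.Counter, protocol=2)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'accepted' if not verdict else verdict}")
```

The hash check answers "is this the exact artifact we inventoried?", and the opcode scan answers "does this artifact ask the loader to import anything we did not expect?"; a deployment pipeline should run both and refuse to load on any finding, since a model that passes only one of them is still untrusted.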