MITRE ATLAS
Overview
ATLAS (Adversarial Threat Landscape for Artificial Intelligence Systems) is MITRE's knowledge base of adversarial tactics and techniques for machine learning systems. Think of it as ATT&CK, but specifically for AI/ML.
Tactics (High-Level Objectives)
| Tactic | Objective | Traditional ATT&CK Equivalent |
|---|---|---|
| Reconnaissance | Gather information about the ML system | Reconnaissance |
| Resource Development | Acquire resources for the attack (compute, data, models) | Resource Development |
| ML Model Access | Gain access to the target model | Initial Access |
| Execution | Run adversarial techniques against the model | Execution |
| Persistence | Maintain access or influence over the ML system | Persistence |
| Evasion | Avoid detection by ML-based defenses | Defense Evasion |
| Impact | Disrupt, degrade, or destroy ML system integrity | Impact |
| Exfiltration | Extract information from the ML system | Exfiltration |
Key Techniques
| Technique ID | Name | Description |
|---|---|---|
| AML.T0000 | ML Model Inference API Access | Interacting with the model's prediction API |
| AML.T0004 | ML Artifact Collection | Gathering model artifacts (weights, configs, code) |
| AML.T0010 | ML Supply Chain Compromise | Poisoning models, data, or tools in the supply chain |
| AML.T0015 | Evade ML Model | Crafting inputs to evade ML-based detection |
| AML.T0016 | Obtain Capabilities | Acquiring adversarial ML tools and techniques |
| AML.T0020 | Poison Training Data | Corrupting the model's training dataset |
| AML.T0024 | Exfiltration via ML Inference API | Extracting data through model queries |
| AML.T0025 | Exfiltration via Cyber Means | Stealing model artifacts through traditional methods |
| AML.T0040 | ML Model Inference API Access | Using the API for extraction or evasion |
| AML.T0043 | Craft Adversarial Data | Creating inputs designed to fool the model |
| AML.T0047 | ML-Enabled Product/Service Abuse | Abusing AI features for unintended purposes |
| AML.T0051 | LLM Prompt Injection | Injecting adversarial instructions into prompts |
| AML.T0054 | LLM Jailbreak | Bypassing model safety controls |
Using ATLAS for Red Team Engagements
ATLAS maps directly to engagement phases:
- Scoping: Use ATLAS tactics to define test categories
- Planning: Map specific techniques to your target's attack surface
- Execution: Reference technique IDs in your testing notes
- Reporting: Cite ATLAS IDs in findings for standardized communication
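The sketch below is an added example, not part of ATLAS or any MITRE tooling. It shows how technique IDs cited in free-form testing notes can be extracted, checked against the table above, and compared with the planned scope before reporting. The function names, the sample notes, and the optional sub-technique suffix in the ID pattern are assumptions made for illustration.

```python
import re

# Technique IDs and names exactly as listed in this page's "Key Techniques" table.
CATALOG = {
    "AML.T0000": "ML Model Inference API Access",
    "AML.T0004": "ML Artifact Collection",
    "AML.T0010": "ML Supply Chain Compromise",
    "AML.T0015": "Evade ML Model",
    "AML.T0016": "Obtain Capabilities",
    "AML.T0020": "Poison Training Data",
    "AML.T0024": "Exfiltration via ML Inference API",
    "AML.T0025": "Exfiltration via Cyber Means",
    "AML.T0040": "ML Model Inference API Access",
    "AML.T0043": "Craft Adversarial Data",
    "AML.T0047": "ML-Enabled Product/Service Abuse",
    "AML.T0051": "LLM Prompt Injection",
    "AML.T0054": "LLM Jailbreak",
}
# Assumption: IDs look like AML.T0051, optionally with a sub-technique suffix (.001).
ID_RE = re.compile(r"\bAML\.T\d{4}(?:\.\d{3})?\b")

def extract_ids(text):
    """Return cited technique IDs in order of first appearance, de-duplicated."""
    return list(dict.fromkeys(ID_RE.findall(text)))

def build_report(planned, notes):
    """Group findings by parent technique and collect the gaps to resolve before reporting."""
    report = {"by_technique": {}, "unknown_ids": [], "untagged": []}
    for title, body in notes:
        ids = extract_ids(body)
        if not ids:
            report["untagged"].append(title)  # finding cites no ATLAS ID
        for tid in ids:
            parent = tid[:9]  # AML.T0051.001 -> AML.T0051
            if parent in CATALOG:
                report["by_technique"].setdefault(parent, []).append(title)
            else:
                report["unknown_ids"].append((title, tid))  # typo, or ID not in the table
    report["not_exercised"] = [t for t in planned if t not in report["by_technique"]]
    return report

PLANNED = ["AML.T0051", "AML.T0054", "AML.T0043", "AML.T0015", "AML.T0024"]  # constructed scope
NOTES = [  # constructed sample testing notes: (finding title, note body)
    ("Assistant follows instructions embedded in an uploaded document", "AML.T0051.001, chained into AML.T0054."),
    ("Classifier verdict changes on perturbed sample", "AML.T0043 then AML.T0015; also AML.T0099."),
    ("No rate limiting on inference endpoint", "Technique not yet assigned."),
]
if __name__ == "__main__":
    print(build_report(PLANNED, NOTES))
```

Entries under `not_exercised` are planned techniques that no finding references, which means either untested scope or a finding that was never tagged.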
Case Studies
ATLAS maintains a library of real-world incidents at atlas.mitre.org/studies. Review these for attack inspiration and to understand how techniques chain together in practice.