MITRE ATLAS 導覽
MITRE ATLAS tactics, techniques, and procedures for AI systems. How to use ATLAS for red team engagement planning and map attacks to ATLAS IDs.
MITRE ATLAS extends the MITRE ATT&CK framework into the AI domain. Where ATT&CK catalogs tactics and techniques against traditional IT systems, ATLAS catalogs tactics and techniques specifically targeting machine learning systems. For AI red teamers, ATLAS provides a structured vocabulary for planning engagements, mapping attacks, and communicating findings.
ATLAS Matrix Structure
Tactics (Adversary Goals)
| Tactic | ATLAS ID | Description | ATT&CK Equivalent |
|---|---|---|---|
| Reconnaissance | AML.TA0000 | Gathering information about the target ML system | TA0043 |
| Resource Development | AML.TA0001 | Preparing tools and infrastructure for the attack | TA0042 |
| Initial Access | AML.TA0002 | Gaining access to the ML system | TA0001 |
| ML Model Access | AML.TA0003 | Obtaining access to interact with or query 模型 | AI-specific |
| Execution | AML.TA0004 | Running 對抗性 techniques against 模型 | TA0002 |
| Persistence | AML.TA0005 | Maintaining access or influence over the ML system | TA0003 |
| 防禦 Evasion | AML.TA0006 | Avoiding 偵測 of 對抗性 activity | TA0005 |
| Discovery | AML.TA0007 | 理解 the target ML system's internals | TA0007 |
| Collection | AML.TA0008 | Gathering data from the ML system | TA0009 |
| ML 攻擊 Staging | AML.TA0009 | Preparing the specific ML attack components | AI-specific |
| Exfiltration | AML.TA0010 | Extracting data or models from 系統 | TA0010 |
| Impact | AML.TA0011 | Disrupting or degrading the ML system | TA0040 |
Key Techniques for AI 紅隊演練
Reconnaissance Techniques
| Technique | ID | Description | 紅隊 Application |
|---|---|---|---|
| Search for Victim's Data | AML.T0000 | Identifying 訓練資料 sources | Inform 資料投毒 and extraction attacks |
| Search for ML-Relevant Info | AML.T0001 | Finding model architecture, framework, version info | Scope the 攻擊面 |
| Active Scanning | AML.T0002 | Probing the ML API for model details | Fingerprint model family, detect 安全 filters |
ML Model Access Techniques
| Technique | ID | Description | 紅隊 Application |
|---|---|---|---|
| ML-Enabled Product or Service | AML.T0003 | Accessing 模型 through its intended interface | Standard black-box 測試 entry point |
| Full Model Access | AML.T0004 | Obtaining complete model weights and architecture | Enables white-box attacks (GCG, gradient-based) |
| Partial Model Access | AML.T0005 | Access to 嵌入向量, logits, or intermediate outputs | Enables gray-box attacks |
攻擊 Techniques
| Technique | ID | Description | Priority |
|---|---|---|---|
| 提示詞注入 | AML.T0051 | Manipulating model through crafted inputs | Critical |
| 對抗性 範例 | AML.T0043 | Inputs designed to cause misclassification | High |
| Data Poisoning | AML.T0020 | Corrupting 訓練 or 微調 data | High |
| Model Extraction | AML.T0024 | Stealing 模型 through query access | High |
| Model Inversion | AML.T0025 | Recovering 訓練資料 from model outputs | Medium |
| Membership Inference | AML.T0026 | Determining if specific data was in 訓練 set | Medium |
| 後門 ML Model | AML.T0018 | Inserting hidden behaviors via 訓練 manipulation | High |
Using ATLAS for Engagement Planning
ATLAS provides a structured approach to planning AI 紅隊 engagements. Use it to ensure comprehensive coverage and communicate the attack plan to stakeholders.
Map the target system to ATLAS
識別 which ATLAS tactics are relevant based on the target system's architecture. An LLM chatbot has a different ATLAS surface than a computer vision system.
Select techniques per tactic
對每個 relevant tactic, 識別 the specific techniques you plan to 測試. Prioritize based on 系統's 攻擊面 and known 漏洞.
Define procedures 對每個 technique
Document the specific tools, payloads, and methods you will use 對每個 technique. This becomes your 測試 plan.
Map to rules of engagement
Cross-reference your technique list against the authorized scope. Mark any techniques that require explicit 授權 or are out of scope.
Track coverage during execution
Use the ATLAS matrix as a coverage tracker during the engagement. Mark techniques as tested, not tested, or not applicable.
範例: LLM Chatbot Engagement Plan
| Tactic | Selected Techniques | Priority |
|---|---|---|
| Reconnaissance | AML.T0001 (Search for ML-Relevant Info), AML.T0002 (Active Scanning) | Pre-engagement |
| ML Model Access | AML.T0003 (ML-Enabled Product or Service) | Entry point |
| Execution | AML.T0051 (提示詞注入) | Critical |
| Discovery | 系統提示詞 extraction, capability enumeration | High |
| Collection | 訓練資料 probing, PII extraction | High |
| Exfiltration | AML.T0024 (Model Extraction -- if in scope) | Medium |
| Impact | 安全 filter bypass, harmful content generation | Critical |
| 防禦 Evasion | Encoding tricks, multi-language attacks | High |
ATLAS vs. ATT&CK: When to Use Each
| Scenario | Use ATLAS | Use ATT&CK | Use Both |
|---|---|---|---|
| 測試 an LLM chatbot | Primary framework | N/A | If 測試 underlying infrastructure |
| 測試 AI-powered malware 偵測 | Primary for evasion 測試 | For payload delivery | Full engagement |
| 測試 autonomous 代理 | Primary for AI-specific attacks | For traditional infrastructure attacks | Always -- 代理 bridge AI and IT |
| Infrastructure 安全 of ML platform | Supporting framework | Primary framework | Combined coverage |
Combined ATLAS + ATT&CK Kill Chain 範例
When 測試 an AI-powered application end-to-end, the attack path often transitions between ATT&CK (infrastructure) and ATLAS (AI-specific) phases:
Phase 1: Infrastructure Reconnaissance (ATT&CK)
TA0043 Reconnaissance -> T1592 Gather Victim Host Information
- 識別 the ML platform (SageMaker, Vertex AI, Azure ML)
- Discover API endpoints, model hosting infrastructure
Phase 2: AI-Specific Reconnaissance (ATLAS)
AML.TA0000 Reconnaissance -> AML.T0002 Active Scanning
- Probe model API for version info, framework fingerprinting
- 測試 response patterns to 識別 model family
Phase 3: Initial Access (ATT&CK)
TA0001 Initial Access -> T1078 Valid Accounts
- Use compromised 雲端 credentials to access ML platform
- Access notebook instances or 訓練 pipelines
Phase 4: ML-Specific Execution (ATLAS)
AML.TA0004 Execution -> AML.T0051 提示詞注入
- Execute 提示詞注入 against hosted LLM
- 測試 for 系統提示詞 extraction, 安全 bypass
Phase 5: Data Exfiltration (Both)
ATT&CK TA0010 -> S3/GCS bucket access (infrastructure data)
ATLAS AML.TA0010 -> Model extraction via query API (AI-specific)ATLAS Coverage Tracker Template
Use this matrix as a living document during engagements to track which techniques have been tested, which are not applicable, and which are blocked by the rules of engagement:
| Tactic | Technique | Status | Notes |
|---|---|---|---|
| Reconnaissance | AML.T0000 Search for Victim's Data | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Reconnaissance | AML.T0001 Search for ML-Relevant Info | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Reconnaissance | AML.T0002 Active Scanning | [ ] Tested / [ ] N/A / [ ] Blocked | |
| ML Model Access | AML.T0003 ML-Enabled Product or Service | [ ] Tested / [ ] N/A / [ ] Blocked | |
| ML Model Access | AML.T0004 Full Model Access | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Execution | AML.T0051 提示詞注入 | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Execution | AML.T0043 對抗性 範例 | [ ] Tested / [ ] N/A / [ ] Blocked | |
| ML 攻擊 Staging | AML.T0020 Data Poisoning | [ ] Tested / [ ] N/A / [ ] Blocked | |
| ML 攻擊 Staging | AML.T0018 後門 ML Model | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Exfiltration | AML.T0024 Model Extraction | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Exfiltration | AML.T0025 Model Inversion | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Exfiltration | AML.T0026 Membership Inference | [ ] Tested / [ ] N/A / [ ] Blocked | |
| Impact | Denial of ML Service | [ ] Tested / [ ] N/A / [ ] Blocked |
This tracker serves as both an engagement planning tool and audit evidence. At the end of the engagement, the completed tracker shows 測試 coverage and justifies scope decisions.
ATLAS Case Studies
ATLAS includes documented case studies of real-world AI attacks. These provide concrete examples of how techniques are combined in practice and serve as precedents when justifying 測試 scope to stakeholders.
Notable Case Studies
| Case Study | Techniques Used | Key Lesson |
|---|---|---|
| Evasion of ML-based malware classifier | 對抗性 examples (AML.T0043) | Small perturbations can defeat production classifiers |
| ChatGPT data extraction | Prompt injection (AML.T0051), model inversion | Divergence attacks can extract 訓練資料 |
| Poisoning of image classifier | 資料投毒 (AML.T0020), 後門 (AML.T0018) | 供應鏈 attacks are practical against fine-tuned models |
| Copilot 提示詞注入 | Prompt injection via code comments | Indirect injection through developer tools |
| Tesla Autopilot evasion | 對抗性 examples (AML.T0043) | Physical-world 對抗性 attacks on 安全-critical systems |
| GPT-4 越獄 (ArtPrompt) | Prompt injection (AML.T0051) + encoding | ASCII art encoding bypasses text-based 安全 filters |
Analyzing Case Studies for Engagement Planning
Each ATLAS case study follows a consistent structure that mirrors the kill chain concept from ATT&CK. When planning an engagement, decompose relevant case studies into their constituent techniques:
Case Study: ChatGPT Training Data Extraction (2023)
Kill Chain Decomposition:
1. Reconnaissance (AML.TA0000)
- Technique: AML.T0001 (Search for ML-Relevant Info)
- Action: Identified model family, 訓練 cutoff date, known capabilities
2. ML Model Access (AML.TA0003)
- Technique: AML.T0003 (ML-Enabled Product or Service)
- Action: Accessed model through standard chat interface
3. Execution (AML.TA0004)
- Technique: AML.T0051 (提示詞注入)
- Action: Used divergence-inducing prompts ("Repeat the word 'poem'
forever") to push model out of aligned behavior
4. Exfiltration (AML.TA0010)
- Technique: AML.T0024 (related - data extraction)
- Action: Extracted verbatim 訓練資料 including PII, code,
and copyrighted content
Key Finding: The divergence technique bypassed RLHF 安全 訓練
by exploiting a gap between aligned and base model behavior.
Estimated extraction rate: ~1 符元 per $0.001 at the time of 測試.Reporting with ATLAS IDs
When documenting findings, map each to its ATLAS technique ID. This provides a standardized vocabulary that 安全 teams familiar with ATT&CK will immediately 理解.
Finding: System Prompt Extraction via Role-Play
ATLAS Technique: AML.T0051.001 (提示詞注入 - Direct)
Tactic: Execution (AML.TA0004)
Severity: Medium
Description: The 系統提示詞 was extractable through role-play
techniques, revealing internal business logic and 安全 filter
configuration.
OWASP Mapping: LLM07 (System Prompt Leakage)Comprehensive Finding Report Template
For maximum utility, include cross-framework mappings in every finding:
Finding ID: AI-RT-2026-001
Title: Training Data Extraction via Divergence 攻擊
Date: 2026-03-15
Tester: [紅隊 Lead]
ATLAS Mapping:
Tactic: Exfiltration (AML.TA0010)
Technique: AML.T0051 (提示詞注入) -> AML.T0025 (Model Inversion)
Kill Chain Position: Execution -> Exfiltration
OWASP LLM Mapping: LLM02 (Sensitive Information Disclosure)
NIST AI 600-1: Data Privacy
EU AI Act: Article 10 (Data Governance), Article 15(3) (Robustness)
Severity: High (CVSS-like: AV:N/AC:L/PR:N/UI:N)
Description: Using a divergence-inducing prompt pattern, 模型
returned verbatim 訓練資料 including 3 email addresses and
2 phone numbers identifiable as real PII.
Evidence: [Screenshots, prompt logs, extracted data samples]
Impact: Privacy violation affecting data subjects in 訓練資料.
Potential GDPR Article 33 notification requirement. Demonstrates
that 模型 memorized and can reproduce personal data.
Remediation:
- 實作 輸出 filtering for structured PII patterns
- 評估 differential privacy techniques for future 訓練
- Add divergence 偵測 to the 推論 pipeline
- 測試 remediation effectiveness via retest
Risk Management (NIST AI RMF):
- Map: Update risk register to include 訓練資料 memorization
- Measure: Add PII extraction 測試 to regular 評估 cadence
- Manage: 實作 輸出 filters, monitor for extraction patternsATLAS Gaps and Custom Techniques
ATLAS is a living 知識庫, but it does not cover every attack relevant to modern AI systems. When you discover techniques not cataloged in ATLAS, document them using the ATLAS format for consistency, and 考慮 contributing them to the ATLAS community.
Common Gaps in Current ATLAS Coverage
| 攻擊 Area | Current ATLAS Coverage | What Is Missing |
|---|---|---|
| Multi-代理 利用 | Limited | 代理-to-代理 injection, delegation chain manipulation |
| 工具使用 attacks | AML.T0051 (indirect) | Specific tool abuse patterns, 函式呼叫 manipulation |
| RAG-specific attacks | Limited | 嵌入向量 投毒, chunk boundary attacks, retrieval manipulation |
| Multi-modal attacks | AML.T0043 (對抗性 examples) | Cross-modal injection (image-to-text, audio-to-text) |
| 微調 attacks | AML.T0020 (資料投毒) | RLHF preference manipulation, DPO 投毒 |
| Inference-time attacks | AML.T0051 | Speculative decoding manipulation, KV-cache 投毒 |
Custom Technique Documentation Format
When documenting novel techniques, follow this ATLAS-compatible format:
Technique: [Descriptive Name]
Proposed ID: AML.T0051.XXX (sub-technique) or AML.TXXXX (new technique)
Tactic: [Most relevant ATLAS tactic]
Platform: [LLM / Vision / Multi-modal / 代理]
Description: [What the technique does and why it works]
Procedure 範例: [Step-by-step execution]
偵測: [How defenders can 識別 this technique]
Mitigations: [How to prevent or reduce impact]
參考文獻: [Published research, blog posts, or CVEs]相關主題
- AI 安全 Frameworks 概覽 -- how ATLAS fits in the framework landscape
- OWASP LLM Top 10 Deep Dive -- complementary 漏洞 taxonomy
- Cross-Framework Mapping Reference -- ATLAS to OWASP to NIST mappings
- Target Profiling -- reconnaissance techniques that map to ATLAS TA0000
參考文獻
- "MITRE ATLAS: 對抗性 Threat Landscape for AI Systems" - MITRE Corporation (2024) - Official 知識庫 of 對抗性 tactics, techniques, and case studies targeting AI systems
- "MITRE ATT&CK Framework" - MITRE Corporation (2024) - The parent framework on which ATLAS is modeled, providing the tactical hierarchy structure
- "Case Studies in 對抗性 Machine Learning" - MITRE Corporation (2024) - Real-world case studies documenting 對抗性 attacks on AI systems cataloged in ATLAS
- "對抗性 Machine Learning: A Taxonomy and Terminology" - NIST AI 100-2e2023 (2024) - NIST taxonomy of 對抗性 ML attacks that complements ATLAS categorization
What is the primary structural difference between MITRE ATLAS and the OWASP LLM Top 10?