Using MITRE ATLAS for AI Attack Mapping
Guide for mapping AI red team activities and findings to the MITRE ATLAS framework, covering tactic and technique identification, attack chain construction, and Navigator visualization.
MITRE ATLAS (Adversarial Threat Landscape for AI Systems) extends the MITRE ATT&CK framework to cover adversarial attacks against machine learning systems. While the OWASP LLM Top 10 classifies vulnerability types, ATLAS maps the attacker's journey: the sequence of tactics and techniques used from initial reconnaissance through impact. This walkthrough shows how to use ATLAS to document attack paths, identify gaps in red team coverage, and communicate findings in the language that security operations teams already understand from ATT&CK.
ATLAS complements OWASP -- it does not replace it. Use OWASP for vulnerability classification and ATLAS for attack path documentation.
Step 1: Understand ATLAS Structure
ATLAS Tactics (Attack Phases)
ATLAS follows a similar tactic structure to ATT&CK, adapted for ML/AI systems:
| Tactic ID | Tactic | Description | AI Red Team Relevance |
|---|---|---|---|
| AML.TA0000 | Reconnaissance | Gathering information about the AI system | Model identification, capability enumeration |
| AML.TA0001 | Resource Development | Preparing tools and resources for the attack | Custom prompt libraries, attack scripts |
| AML.TA0002 | Initial Access | Gaining initial access to the AI system | API access, user account creation |
| AML.TA0003 | ML Model Access | Obtaining access to interact with the model | API authentication, direct model queries |
| AML.TA0004 | Execution | Running adversarial techniques against the model | Prompt injection, jailbreaks |
| AML.TA0005 | Persistence | Maintaining adversarial access or influence | Conversation context manipulation, RAG poisoning |
| AML.TA0006 | Defense Evasion | Avoiding detection by security controls | Encoding attacks, obfuscation, multi-turn evasion |
| AML.TA0007 | Discovery | Learning about the AI system's internals | System prompt extraction, capability enumeration |
| AML.TA0008 | Collection | Gathering data from the AI system | Training data extraction, RAG exfiltration |
| AML.TA0009 | Exfiltration | Extracting data from the system | Data encoding in outputs, side-channel extraction |
| AML.TA0010 | ML Attack Staging | Preparing ML-specific attacks | Adversarial example crafting, model probing |
| AML.TA0011 | Impact | Achieving the attacker's end goal | Safety bypass, misinformation, service disruption |
Key ATLAS Techniques for LLM Red Teaming
| Technique ID | Technique | Typical Red Team Application |
|---|---|---|
| AML.T0000 | ML Model Access via API | Accessing the AI system through its API |
| AML.T0015 | Prompt Injection (Direct) | Injecting adversarial instructions via user input |
| AML.T0016 | Prompt Injection (Indirect) | Injecting instructions via external data sources |
| AML.T0043 | LLM Jailbreak | Bypassing model safety alignment |
| AML.T0044 | System Prompt Extraction | Revealing system-level instructions |
| AML.T0045 | Full Prompt Extraction | Extracting the complete prompt context |
| AML.T0046 | Training Data Extraction | Recovering training data from model outputs |
| AML.T0047 | LLM Plugin Compromise | Exploiting model tool-use capabilities |
| AML.T0048 | Model Manipulation via Fine-Tuning | Using fine-tuning access for model compromise |
| AML.T0049 | RAG Data Poisoning | Injecting adversarial content into knowledge bases |
| AML.T0040 | ML Model Inference API Access | Using inference APIs for systematic probing |
| AML.T0042 | Verify ML Model | Confirming model identity and capabilities |
| AML.T0024 | Exfiltration via ML Inference API | Extracting data through model responses |
Step 2: Map Findings to ATLAS Techniques
Mapping Template
For each finding, identify the ATLAS techniques used in the attack chain:

```markdown
# ATLAS Technique Mapping

## Finding F-001: Direct Prompt Injection Bypass

### Techniques Used
| Phase | Technique ID | Technique Name | Application |
|-------|-------------|----------------|-------------|
| Reconnaissance | AML.T0042 | Verify ML Model | Identified model type via behavioral analysis |
| ML Model Access | AML.T0000 | ML Model Access via API | Authenticated API access obtained |
| Execution | AML.T0015 | Prompt Injection (Direct) | DAN persona injection payload delivered |
| Defense Evasion | AML.T0043 | LLM Jailbreak | Persona framing evaded content filter |
| Impact | AML.T0011 | Denial of ML Service Integrity | Content safety controls bypassed |

### Attack Chain
AML.T0042 → AML.T0000 → AML.T0015 → AML.T0043 → Impact

## Finding F-003: RAG Cross-Tenant Data Access

### Techniques Used
| Phase | Technique ID | Technique Name | Application |
|-------|-------------|----------------|-------------|
| Reconnaissance | AML.T0042 | Verify ML Model | Confirmed RAG capability via probing |
| ML Model Access | AML.T0000 | ML Model Access via API | Standard user API access |
| Discovery | AML.T0007 | Discover ML Model Family | Identified embedding model behavior |
| Execution | AML.T0015 | Prompt Injection (Direct) | Manipulated retrieval query via prompt |
| Collection | AML.T0024 | Exfiltration via ML Inference API | Cross-tenant documents retrieved |
| Impact | - | Data Breach | Confidential tenant data exposed |

### Attack Chain
AML.T0042 → AML.T0000 → AML.T0007 → AML.T0015 → AML.T0024 → Impact
```

Step 3: Construct Attack Chain Visualizations
Text-Based Attack Chain Notation

```text
F-001: Prompt Injection → Content Safety Bypass

 Reconnaissance   ML Model Access       Execution       Defense Evasion       Impact
┌─────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────┐
│  AML.T0042  │──▶│  AML.T0000   │──▶│  AML.T0015   │──▶│  AML.T0043   │──▶│  Safety  │
│   Verify    │   │  API Access  │   │    Direct    │   │  Jailbreak   │   │  Bypass  │
│  ML Model   │   │              │   │  Injection   │   │              │   │          │
└─────────────┘   └──────────────┘   └──────────────┘   └──────────────┘   └──────────┘

F-004: System Prompt Extraction

 Reconnaissance   ML Model Access       Execution          Collection         Impact
┌─────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────────┐   ┌──────────┐
│  AML.T0042  │──▶│  AML.T0000   │──▶│  AML.T0015   │──▶│  AML.T0044   │──▶│  Config  │
│   Verify    │   │  API Access  │   │    Direct    │   │ System Prompt│   │ Exposure │
│  ML Model   │   │              │   │  Injection   │   │  Extraction  │   │          │
└─────────────┘   └──────────────┘   └──────────────┘   └──────────────┘   └──────────┘
```
ATLAS Navigator Layer Configuration
Generate a Navigator layer file that highlights the techniques observed during the engagement:
```json
{
  "name": "AI Red Team Assessment - [Client Name]",
  "versions": {
    "atlas": "4.5",
    "navigator": "4.9"
  },
  "domain": "atlas",
  "description": "Techniques observed during AI red team assessment",
  "techniques": [
    {
      "techniqueID": "AML.T0042",
      "tactic": "reconnaissance",
      "color": "#66b1ff",
      "comment": "Used in all findings",
      "score": 3
    },
    {
      "techniqueID": "AML.T0000",
      "tactic": "ml-model-access",
      "color": "#66b1ff",
      "comment": "API access for all tests",
      "score": 3
    },
    {
      "techniqueID": "AML.T0015",
      "tactic": "execution",
      "color": "#ff6666",
      "comment": "F-001, F-003: Direct prompt injection successful",
      "score": 5
    },
    {
      "techniqueID": "AML.T0043",
      "tactic": "defense-evasion",
      "color": "#ff6666",
      "comment": "F-001: Jailbreak via persona injection",
      "score": 5
    },
    {
      "techniqueID": "AML.T0044",
      "tactic": "collection",
      "color": "#ff9933",
      "comment": "F-004: System prompt partially extracted",
      "score": 4
    },
    {
      "techniqueID": "AML.T0024",
      "tactic": "exfiltration",
      "color": "#ff6666",
      "comment": "F-003: Cross-tenant data extracted via RAG",
      "score": 5
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#66b1ff", "#ff9933", "#ff6666"],
    "minValue": 0,
    "maxValue": 5
  },
  "legendItems": [
    {"label": "Not tested", "color": "#ffffff"},
    {"label": "Tested, no finding", "color": "#66b1ff"},
    {"label": "Finding (Medium/Low)", "color": "#ff9933"},
    {"label": "Finding (Critical/High)", "color": "#ff6666"}
  ]
}
```

Step 4: Identify Coverage Gaps Using ATLAS
Use the ATLAS technique matrix to identify attack techniques you did not test.
Coverage Gap Analysis
```markdown
# ATLAS Coverage Gap Analysis

## Techniques Tested
| Technique ID | Technique | Result |
|-------------|-----------|--------|
| AML.T0000 | ML Model Access via API | Tested (access obtained) |
| AML.T0015 | Prompt Injection (Direct) | Finding F-001 |
| AML.T0042 | Verify ML Model | Tested (model identified) |
| AML.T0043 | LLM Jailbreak | Finding F-001 |
| AML.T0044 | System Prompt Extraction | Finding F-004 |
| AML.T0024 | Exfiltration via ML Inference API | Finding F-003 |

## Techniques Not Tested (In Scope but Not Executed)
| Technique ID | Technique | Reason Not Tested |
|-------------|-----------|-------------------|
| AML.T0016 | Prompt Injection (Indirect) | No writable data source accessible |
| AML.T0049 | RAG Data Poisoning | Read-only access to knowledge base |

## Techniques Not Applicable
| Technique ID | Technique | Reason Not Applicable |
|-------------|-----------|----------------------|
| AML.T0048 | Model Manipulation via Fine-Tuning | No fine-tuning access in scope |
| AML.T0046 | Training Data Extraction | Third-party hosted model |
```

Step 5: Generate Report Content
ATLAS Summary for Reports
```markdown
## MITRE ATLAS Attack Mapping

The following diagram maps all engagement findings to MITRE ATLAS
tactics and techniques, showing the attack paths discovered during
the assessment.

### Attack Path Summary
| Finding | Attack Path (ATLAS Techniques) | Impact |
|---------|-------------------------------|--------|
| F-001 | T0042 → T0000 → T0015 → T0043 | Content safety bypass |
| F-003 | T0042 → T0000 → T0015 → T0024 | Cross-tenant data access |
| F-004 | T0042 → T0000 → T0015 → T0044 | System prompt disclosure |
| F-005 | T0042 → T0000 → T0015 → T0047 | Unauthorized function execution |

### Key Observations
1. **AML.T0015 (Direct Prompt Injection)** is the common entry
   technique across all attack paths. Strengthening defenses against
   this single technique would disrupt four of five identified attack chains.
2. **Defense evasion techniques** were required for only one finding
   (F-001), indicating that content filters are the primary defense
   layer but are not required to reach most other impacts.
3. **No indirect injection** paths were tested due to scope
   limitations. This represents a significant untested attack surface
   that should be assessed in a follow-up engagement.

### ATLAS Technique Heat Map
[Include Navigator visualization or reference the exported layer file]
```

Step 6: Cross-Reference ATLAS with OWASP
For maximum reporting value, cross-reference both frameworks:
```markdown
# Cross-Framework Mapping

| Finding | ATLAS Primary Technique | OWASP Primary Category | Combined Insight |
|---------|------------------------|----------------------|-----------------|
| F-001 | AML.T0043 (Jailbreak) | LLM01 (Prompt Injection) | ATLAS shows the attack path; OWASP classifies the vulnerability |
| F-003 | AML.T0024 (Exfiltration) | LLM08 (Vector/Embedding) | ATLAS shows the exfiltration method; OWASP identifies the weakness type |
| F-004 | AML.T0044 (Prompt Extraction) | LLM07 (System Prompt Leakage) | Both frameworks align; ATLAS provides attack chain context |
| F-005 | AML.T0047 (Plugin Compromise) | LLM06 (Excessive Agency) | ATLAS focuses on the technique; OWASP focuses on the permission model |
```

Common ATLAS Mapping Mistakes
- Mapping only the exploitation technique. ATLAS is designed to show the full attack path, not just the exploit. Include reconnaissance, initial access, and defense evasion techniques even if they seem trivial.
- Ignoring the tactic context. The same technique (e.g., AML.T0015 Prompt Injection) can serve different tactical purposes: execution, defense evasion, or collection. Map the technique to the correct tactic for each finding.
- Using ATLAS as a checklist. ATLAS is a knowledge base, not a testing checklist. Not every technique is relevant to every engagement. Focus on techniques applicable to the target architecture.
- Outdated technique IDs. ATLAS is actively maintained and technique IDs may change between versions. Specify the ATLAS version you are mapping to and verify technique IDs before finalizing the report.
- Confusing ATLAS with ATT&CK. While ATLAS follows ATT&CK conventions, the techniques are different. Do not mix ATT&CK technique IDs with ATLAS technique IDs.
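Several of these mistakes are mechanical enough to catch before a report goes out: an ATT&CK-shaped ID in an ATLAS chain, a tactic that is not an ATLAS tactic, a chain that starts at the exploit with no reconnaissance or access step, or a mapping with no ATLAS version recorded. The linter below is an added example, not code from the original guide or from MITRE. The tactic slugs are the Step 1 tactics in Navigator form, the two sample mappings are constructed (F-001 as mapped in Step 2, plus a deliberately sloppy one), and the ID check only tests the `AML.T` plus four-digit shape that appears on this page (with an optional sub-technique suffix), not whether a given ID exists in a particular ATLAS release.

```python
"""Lint finding-to-ATLAS mappings for the common mistakes listed above.

Added example, not code from the original guide or from MITRE. The tactic slugs
are the Step 1 tactics in Navigator form, the sample mappings are constructed,
and the ID check covers only the `AML.T` + four-digit shape shown on this page
(with an optional sub-technique suffix), not whether an ID exists in a release.
"""
import re

ATLAS_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "ml-model-access",
    "execution", "persistence", "defense-evasion", "discovery", "collection",
    "ml-attack-staging", "exfiltration", "impact",
}
# Tactics that establish reach to the target; a chain with none of them has
# mapped only the exploit step (mistake 1).
ACCESS_TACTICS = {"reconnaissance", "initial-access", "ml-model-access"}
ATLAS_ID = re.compile(r"^AML\.T\d{4}(\.\d{3})?$")
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK-style ID (mistake 5)


def lint_finding(finding):
    """Return (severity, message) issues for one finding.

    `finding` has 'id', 'atlas_version' and 'steps': (tactic, technique_id)
    pairs in chain order, where the impact step may carry None instead of an ID.
    """
    issues = []
    if not finding.get("atlas_version"):
        issues.append(("warn", "no ATLAS version recorded; IDs cannot be re-verified (mistake 4)"))
    tactics_seen = set()
    for tactic, tid in finding["steps"]:
        tactics_seen.add(tactic)
        if tactic not in ATLAS_TACTICS:
            issues.append(("error", f"unknown tactic '{tactic}'"))
        if tid is None and tactic == "impact":
            continue  # a free-text impact without a technique ID is allowed
        if ATTACK_ID.match(tid or ""):
            issues.append(("error", f"{tid}: ATT&CK-style ID mixed into an ATLAS mapping (mistake 5)"))
        elif not ATLAS_ID.match(tid or ""):
            issues.append(("error", f"{tid}: not an ATLAS technique ID"))
    if not tactics_seen & ACCESS_TACTICS:
        issues.append(("warn", "no reconnaissance/access step; only the exploit is mapped (mistake 1)"))
    if "impact" not in tactics_seen:
        issues.append(("warn", "chain does not end in an impact step"))
    return issues


def chain_notation(finding):
    """Render the arrow notation of Step 2, e.g. 'AML.T0042 → ... → Impact'."""
    return " → ".join("Impact" if tactic == "impact" else tid for tactic, tid in finding["steps"])


# Constructed samples: F-001 as mapped in Step 2, and a deliberately sloppy mapping.
F001 = {
    "id": "F-001", "atlas_version": "ATLAS_VERSION",  # placeholder for the release used
    "steps": [("reconnaissance", "AML.T0042"), ("ml-model-access", "AML.T0000"),
              ("execution", "AML.T0015"), ("defense-evasion", "AML.T0043"), ("impact", None)],
}
SLOPPY = {
    "id": "F-999", "atlas_version": "",
    "steps": [("execution", "AML.T0015"), ("defence-evasion", "T1059")],
}

if __name__ == "__main__":
    for f in (F001, SLOPPY):
        print(f["id"], chain_notation(f))
        for sev, msg in lint_finding(f):
            print(f"  [{sev}] {msg}")
```

The F-001 record passes cleanly and renders the same chain string as Step 2; the sloppy record trips every check at once, which is typical of a mapping that was produced from the exploit payload alone rather than from the engagement timeline.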
What is the primary difference between the OWASP LLM Top 10 and MITRE ATLAS in how they classify AI security findings?
Related Topics
- Mapping to OWASP LLM Top 10 -- Complementary vulnerability classification
- AI Threat Model Creation -- Threat models that inform ATLAS mapping
- Attack Surface Mapping -- Attack surface analysis underlying technique identification
- NIST AI RMF Assessment -- Risk management framework that references ATLAS