# Security

This domain is intended to codify the landscape of threats to a ML system.

<table><thead><tr><th width="101">ID</th><th width="88">Sub-ID</th><th width="184">Name</th><th>Description</th></tr></thead><tbody><tr><td>S0100</td><td></td><td>Software Vulnerability</td><td>Vulnerability in system around model—a traditional vulnerability</td></tr><tr><td>S0200</td><td></td><td><a href="https://atlas.mitre.org/techniques/AML.T0010/">Supply Chain Compromise</a></td><td>Compromising development components of a ML model, e.g. data, model, hardware, and software stack.</td></tr><tr><td></td><td>S0201</td><td>Model Compromise</td><td>Infected model file</td></tr><tr><td></td><td>S0202</td><td>Software compromise</td><td>Upstream Dependency Compromise</td></tr><tr><td>S0300</td><td></td><td>Over-permissive API</td><td>Unintended information leakage through API</td></tr><tr><td></td><td>S0301</td><td>Information Leak</td><td>Cloud Model API leaks more information than it needs to</td></tr><tr><td></td><td>S0302</td><td>Excessive Queries</td><td>Cloud Model API isn’t sufficiently rate limited</td></tr><tr><td>S0400</td><td></td><td><a href="https://atlas.mitre.org/techniques/AML.T0015/">Model Bypass</a></td><td>Intentionally try to make a model perform poorly</td></tr><tr><td></td><td>S0401</td><td>Bad Features</td><td>The model uses features that are easily gamed by the attacker</td></tr><tr><td></td><td>S0402</td><td>Insufficient Training Data</td><td>The bypass is not represented in the training data</td></tr><tr><td></td><td>S0403</td><td>Adversarial Example</td><td>Input data points intentionally supplied to draw mispredictions. Potential Cause: Over permissive API</td></tr><tr><td>S0500</td><td></td><td><a href="https://atlas.mitre.org/techniques/AML.T0024/">Exfiltration</a></td><td>Directly or indirectly exfiltrate ML artifacts</td></tr><tr><td></td><td>S0501</td><td>Model inversion</td><td>Reconstruct training data through strategic queries</td></tr><tr><td></td><td>S0502</td><td>Model theft</td><td>Extract model functionality through strategic queries</td></tr><tr><td>S0600</td><td></td><td><a href="https://atlas.mitre.org/techniques/AML.T0020/">Data poisoning</a></td><td>Usage of poisoned data in the ML pipeline</td></tr><tr><td></td><td>S0601</td><td>Ingest Poisoning</td><td>Attackers inject poisoned data into the ingest pipeline</td></tr></tbody></table>

> **NOTE**\
> A number of categories map directly to techniques codified in MITRE ATLAS. In future, we intend to cover the full landscape of adversarial ML attacks under the Security domain.