Reconnaissance
Resource Development
Initial Access
ML Model Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Collection
ML Attack Staging
Exfiltration
Impact
Search for Victim's Publicly Available Research Materials
Journals and Conference Proceedings
Pre-Print Repositories
Technical Blogs
Search for Publicly Available Adversarial Vulnerability Analysis
Search Victim-Owned Websites
Search Application Repositories
Active Scanning
Acquire Public ML Artifacts
Datasets
Models
Obtain Capabilities
Adversarial ML Attack Implementations
Software Tools
Develop Capabilities
Adversarial ML Attacks
Acquire Infrastructure
ML Development Workspaces
Consumer Hardware
Publish Poisoned Datasets
ML Supply Chain Compromise
GPU Hardware
ML Software
Data
Model
ML Model Inference API Access
ML-Enabled Product or Service
Physical Environment Access
Full ML Model Access
Discover ML Model Ontology
Discover ML Model Family
Poison Training Data
Establish Accounts
Create Proxy ML Model
Train Proxy via Gathered ML Artifacts
Train Proxy via Replication
Use Pre-Trained Model
Discover ML Artifacts
User Execution
Unsafe ML Artifacts
Valid Accounts
Evade ML Model
Backdoor ML Model
Poison ML Model
Inject Payload
Exfiltration via ML Inference API
Infer Training Data Membership
Invert ML Model
Extract ML Model
Exfiltration via Cyber Means
Denial of ML Service
Spamming ML System with Chaff Data
Erode ML Model Integrity
Cost Harvesting
ML Artifact Collection
Data from Information Repositories
Data from Local System
Verify Attack
Craft Adversarial Data
White-Box Optimization
Black-Box Optimization
Black-Box Transfer
Manual Modification
Insert Backdoor Trigger
External Harms
Financial Harm
Reputational Harm
Societal Harm
User Harm
ML Intellectual Property Theft
Exploit Public-Facing Application
Command and Scripting Interpreter
LLM Prompt Injection
Direct
Indirect
Phishing
Spearphishing via Social Engineering LLM
LLM Plugin Compromise
LLM Jailbreak
Unsecured Credentials
LLM Meta Prompt Extraction
LLM Data Leakage
Limit Release of Public Information
Limit Model Artifact Release
Passive ML Output Obfuscation
Model Hardening
Restrict Number of ML Model Queries
Control Access to ML Models and Data at Rest
Use Ensemble Methods
Sanitize Training Data
Validate ML Model
Use Multi-Modal Sensors
Input Restoration
Restrict Library Loading
Encrypt Sensitive Information
Code Signing
Verify ML Artifacts
Adversarial Input Detection
Vulnerability Scanning
Model Distribution Methods
User Training
Control Access to ML Models and Data in Production
ATLAS