Confused Learning: Supply Chain Attacks through Machine Learning Models
Track: Threat Intelligence
Dropbox

Hello!
Mary Walker, Adrian Wood (Red Team, Dropbox)
Handles: Threlfall, whitehacksec, Mairebear, mairebear

Agenda
01 Introduction
02 Target Selection
03 Weaponizing Models
04 Attacker Observations
05 Deployment
06 Post Exploitation
07 Threat Research
08 Defense & Prevention

01 Introduction

Key Concepts
- Modified prediction algorithms
- A lot can go wrong with models: backdoors, hijacks, models containing malware, and much more
- Malicious models won't execute themselves
- Here's how we do it for bug bounty and red team operations
- You need a victim and a process

Target
- Pick a victim
- Encourage: how will you get them to run it?
- Coerce: what's the bait or trick?

Victimology
- Data Scientist: stores and retrieves datasets and models
- SWE / Ops / ML Engineer: facilitates pulling and serving all of the above into pipelines; stores and retrieves datasets and models
- Applications: retrieve models (sometimes)

02 Target Selection
Prerequisite: understanding the supply chain

The ML Pipeline
- Based on observations in bug bounty and red team engagements
- Proximity to crown jewels
- Observability: complicated
- ML teams optimize for rapid experimentation, but they have a lot of data

Prior knowledge?
- You don't need to be a math genius or an ML expert to start working with machine learning models

Benefits of targeting ML pipelines
- As a service: fast
- Efficient looting: normalized data access
- Persistence: proximity to restricted data
- Code execution as a service
- Visibility: low visibility

03 Attacker Observations

Features that make this attack easier
- Public model repositories, i.e. huggingface

What I love about Huggingface
- Register: almost any namespace; typosquats; font choices
- Stars: easy to pump up the numbers
- Organization registration: organizations can be verified, but nobody seems to care; easily the most effective technique; registering orgs is very easy
- Watering holes: Invite p