# THREAT DOMAIN TAXONOMY: INPUTS DESIGNED TO CAUSE MISTAKES (MODEL EVASION) ## 1. Standardized Phase Taxonomy (The Threat Lifecycle) While the previous domain focused on the mathematical generation of adversarial examples, "Model Evasion" represents the broader tactical objective of bypassing AI-driven security controls, safety classifiers, or business logic. In modern deployments (particularly Large Language Models and AI-driven Next-Gen Antivirus), evasion relies on semantic manipulation, prompt injection, or structural obfuscation rather than pixel-level perturbations. * **Reconnaissance:** The adversary probes the target's AI classifier, content filter, or LLM safety guardrails. This involves submitting benign but edge-case inputs to map the model's refusal thresholds, moderation rules, or feature extraction logic. * **Weaponization & Delivery (Initial Access):** The adversary crafts an evasive payload designed to exploit the mapped logical boundaries. In GenAI, this manifests as "Jailbreaking" or Prompt Injection (e.g., role-playing prompts, linguistic obfuscation, or appending malicious instructions to legitimate text). In traditional AI security (like AI-AV), this involves packing or obfuscating malware to avoid heuristic feature extraction. The payload is delivered via standard input vectors (chat prompts, uploaded documents, email). * **Exploitation & Installation (Execution/Persistence):** The target model ingests the payload and fails to classify it correctly (a false negative). The AI fails to trigger its defensive mechanisms, allowing the underlying malicious request to execute. The evasion itself is ephemeral, but it allows the installation or execution of a secondary, persistent payload. * **Command and Control (C2):** If the evasion successfully bypassed an AI-driven endpoint defense or tricked an autonomous LLM agent into executing unauthorized code, standard C2 channels are subsequently established by the secondary payload. * **Actions on Objectives (Impact/Exfiltration):** The adversary achieves their operational goal by successfully subverting the AI control. For LLMs, this results in the generation of restricted content, unauthorized data retrieval, or execution of downstream API calls. For AI-AV, it results in unhindered endpoint compromise. ## 2. TTP Mapping (Tactics, Techniques, and Procedures) For audit verifiability, this domain incorporates MITRE ATT&CK, MITRE ATLAS, and emerging LLM-specific frameworks (e.g., OWASP Top 10 for LLMs). * **Reconnaissance:** AML.T0041 (Discover ML Model Ontology); T1592 (Gather Victim Host Information - probing security boundaries). * **Weaponization & Delivery:** AML.T0015 (Evade ML Model); AML.T0054 (LLM Prompt Injection); T1027 (Obfuscated Files or Information). * **Exploitation & Installation:** T1562 (Impair Defenses - specifically bypassing AI/ML defensive classifiers); AML.T0055 (LLM Jailbreak). * **Command and Control (C2):** Dependent on the successful execution of the secondary payload (e.g., T1071 Application Layer Protocol). * **Actions on Objectives:** AML.T0031 (Erode ML Model Integrity); T1003 (OS Credential Dumping - following AV evasion). ## 3. Control Intersection and Segregation (The "Kill" Mechanism) * **Reconnaissance** * *Preventive:* Decoupling explicit error messages from the inference API (failing silently or providing generic responses to prevent rule mapping). * *Detective:* Alerting on high volumes of queries generating safety refusals or triggering DLP rules from a single session. * *Corrective:* Session termination or temporary IP/Account lockouts after a threshold of failed or refused requests is met. * **Weaponization & Delivery** * *Preventive:* Implementation of independent "Prompt Shields" or Input/Output Guardrails (e.g., NeMo Guardrails, Llama Guard) acting as a specialized semantic WAF before the primary model processes the data. * *Detective:* Heuristic analysis of input complexity (e.g., detecting excessive structural nesting, known jailbreak syntax, or mismatched language encoding). * *Corrective:* Stripping recognized adversarial syntax from the input before inference, or dropping the request outright. * **Exploitation & Installation** * *Preventive:* Ensemble modeling (utilizing multiple, distinct AI models with different architectures to evaluate the same input, reducing the likelihood of a single point of failure). Strict privilege separation for LLM agents (preventing the AI from executing commands even if it is tricked). * *Detective:* Semantic monitoring of the model's output for sudden shifts in tone, compliance violation, or execution of unauthorized system commands. * *Corrective:* Output redaction (halting the transmission of the response to the user if the output classifier detects a violation). * **Actions on Objectives** * *Preventive:* Rule-based (deterministic) fallback controls. AI must never be the sole gatekeeper for critical actions. * *Detective:* Secondary telemetry from traditional controls (e.g., Database Activity Monitoring, EDR telemetry on the endpoint). * *Corrective:* Automated revocation of the compromised application's API keys or isolation of the endpoint. ## 4. Telemetry and Evidence Generation To satisfy audit requirements, the following immutable logs must be generated and routed to a centralized, WORM-compliant SIEM: * **Semantic Firewall/Guardrail Logs:** Complete transcripts of inputs and outputs, explicitly tagging which requests were blocked by the auxiliary guardrail models and why. * **Inference Telemetry:** Timestamped session logs mapping the exact input string to the generated output, allowing post-incident forensic reconstruction of the evasion tactic. * **Secondary Security Logs:** EDR, WAF, and IAM logs that corroborate whether the bypassed AI model resulted in anomalous downstream actions (proving or disproving impact). ## 5. Auditor’s Perspective (CCCE Application) * **Criteria:** Information security architectures must implement defense-in-depth. AI and ML models cannot act as solitary control gates; they must be supported by ensemble classifiers, semantic input/output filtering, and independent, deterministic fallback controls. * **Condition:** Management frequently deploys singular AI models (e.g., a single LLM handling both user interaction and safety compliance, or an endpoint relying solely on ML-based heuristics) operating under the flawed assumption that the AI's complex reasoning is immune to subversion. * **Cause:** Operational overconfidence in the capabilities of emerging AI technologies and a fundamental failure by the Second Line to understand that all probabilistic models possess exploitable logical blind spots. * **Effect:** A single, cleverly crafted string of text or obfuscated payload can entirely disable or bypass the organization's primary security or compliance controls, allowing adversaries to execute arbitrary downstream actions with zero resistance. * **Recommendation:** Management must immediately implement multi-layered filtering (Input/Output Guardrails) for all GenAI applications, strictly enforce the principle of least privilege on all automated AI agents, and ensure deterministic (rule-based) security controls remain in place to catch evasion failures.