Capabilities

Adversarial Artificial Intelligence

Mobile Menu

The Basics of Adversarial AI
Adversarial AI Services
Case Studies
Research Papers
Meet Our Experts

Safeguarding critical AI systems against cyberattack

As artificial intelligence (AI) systems become increasingly important to national defense, intelligence, and citizen services, the nation’s susceptibility to manipulations of those systems also grows. Damaging attacks against AI systems are no longer theoretical—they are being launched on commercial and government entities by adversaries from individual bad actors to nation-states that seek to challenge U.S. interests and ideals.

Creating a better and safer future through AI requires the nation to secure its AI systems against a real and evolving set of adversarial cyberattacks. In the words of the National Security Commission on Artificial Intelligence, “Adversaries may target the data sets, algorithms, or models that an ML system uses in order to deceive and manipulate their calculations, steal data appearing in training sets, compromise their operation, and render them ineffective.”

As the single largest provider of AI services to the federal government, Booz Allen works closely with implementers, researchers, and leaders across the government to build, deploy, and field machine learning (ML) algorithms that deliver mission advantage—and are resilient to adversarial attacks. Using a range of techniques, including differential privacy, adversarial training, red teaming, operational monitoring, and others, we help government realize the benefits of AI systems while thwarting cyberattacks.

The Basics of Adversarial AI

Adversarial AI uses algorithmic and mathematical approaches to degrade, deny, deceive, and/or manipulate AI systems. As governments continue to operationalize AI across mission sets, often to automate processes and decision making, they must implement defenses that impede adversarial attacks.

In broad terms, adversaries use three primary types of attacks to debase, evade, and exfiltrate the predictions and private information of AI systems:

Poisoning

Adversaries pollute training data such that the model learns a decision rule that furthers the attackers’ goals. This is possible by altering only a very small fraction of the training data, and it represents a growing threat given the increased popularity of foundation models pre-trained on data scraped from the web.

Poisoning occurs before model training.

Evasion

Adversaries engineer inputs with manipulations that result in the model making unintended predictions. If not caught, these errors can result in dangerous behavior of downstream systems. Adversaries can often make evasive maneuvers with very little cost; for example, inexpensive adversarial stickers/patches can fool a state-of-the-art computer vision model.

Evasion occurs during model inference.

Inversion

Adversaries exfiltrate private or revealing information concerning the AI model and its training data. This can be part of a reconnaissance effort for an adversary planning a future attack or a direct attempt to seize sensitive information.

Inversion occurs after model inference.

As agencies seek to employ methods to limit or eliminate attacks, it’s important to recognize adversarial AI threats are highly asymmetric:

Allowing adversaries to reap rewards with a single successful attack while requiring defenders to implement controls that need to be resilient to all attacks
Requiring defenders to often utilize 100 times the compute power of an attacker

Adversarial AI Services from Booz Allen

Booz Allen supports federal organizations with a set of service offerings that mitigate risks of operationalizing AI systems:

AI Risk and Vulnerability Assessments

With AI risk and vulnerability assessments, we exercise client models, identify attack vectors and vulnerabilities, evaluate risk and exposure, provide recommendations for remediation, align proposed guardrails with federal policy requirements, and establish a roadmap for implementation.

AI Security Engineering

Our AI security engineering best practices, tools, and automations can be incorporated into model development pipelines, allowing AI security to be seamlessly integrated into existing continuous integration/continuous delivery processes.

AI Security Research

Through client-directed AI security research, we help agencies rapidly and precisely define and explore approaches to address real-world AI security concerns.

Managed Detection and Response

With managed detection and response services, we provide a seamless framework for monitoring, analyzing, responding to, and reporting adversarial attacks on AI models.

Adversarial AI Slick Sheet

Case Studies

Static Malware Detection & Subterfuge: Quantifying the Robustness of ML and Current Anti-Virus Systems

Challenge: Understand the weaknesses of commercial and open-source machine learning malware detection models to targeted injections of bytes under threat of an adversary with only black-box query access.

Solution: An efficient binary-search that identified 2048-byte windows whose alteration will reliably change detection model output labels from “malicious” to “benign.”

Result: A strong black-box attack and analysis method capable of probing vulnerabilities of malware detection systems, resulting in important insights toward robust feature selection for defenders and model developers.

A General Framework for Auditing Differentially Private Machine Learning

Challenge: More accurately audit the privacy of machine learning systems while significantly reducing computational burden.

Solution: Novel attacks to efficiently reveal maximum possible information leakage and estimate privacy with higher statistical power and smaller sample sizes than previous state-of-the-art Monte Carlo sampling methods.

Result: A set of tools for creating dataset perturbations and performing hypothesis tests that allow developers of general machine learning systems to efficiently audit the privacy guarantees of their system.

Adversarial Transfer Attacks With Unknown Data and Class Overlap

Challenge: Quantify the risk associated with adversarial evasion attacks under a highly realistic threat model, which assumes adversaries have access to varying fractions of the model training data.

Solution: A comprehensive set of model training and testing experiments (e.g., more than 400 experiments on Mini-ImageNet data) under differing mixtures of “private” and “public” data, as well as a novel attack that accounts for data class disparities by randomly dropping classes and averaging adversarial perturbations.

Result: Important and novel insights that, counterintuitively, conclude adversarial training can increase total risk under threat models for which adversaries have gray-box access to training data.

Adversarial AI Research

Since 2018, Booz Allen has been a leader in advancing the state of the art in machine learning methodologies that safeguard systems against adversarial AI. Methods range from adversarial image perturbation robustness for computer vision models and differentially private training for tabular data to behavior-preserving transformations of Microsoft Windows malware.

Research by Year

VIEW ALL HIDE ALL

2023

EXPAND COLLAPSE

2022

EXPAND COLLAPSE

2021

EXPAND COLLAPSE

Adversarial Transfer Attacks with Unknown Data and Class Overlap Previously, it was commonly assumed that an attacker employing the same training data as the victim model would be most successful; this work showed that, on the contrary, using somewhat different data than the victim’s training set could actually increase the attacker’s success, leading to important insights in cost-benefit analyses for defenders.

2019

EXPAND COLLAPSE

Robust Design of Deep Neural Networks Against Adversarial Attacks Based on Lyapunov Theory In this work, researchers developed a correspondence between neural network training and dynamical systems. They then translated tools from Lyapunov control theory to deep learning to stabilize network training and learn more robust decision functions.

2018

EXPAND COLLAPSE

Partnerships

NVIDIA

NVIDIA is the premier provider of processors optimized for AI and deep learning tasks. Booz Allen teams with NVIDIA to support high-performance compute needs, such as those used in our research developing techniques that defend against adversarial samples.

Meet Our Experts

Matt Keating

Edward Raff

Contact Us

Contact Booz Allen to learn more about advanced strategies to safeguard trusted information from adversarial AI attacks.

First Name*

Last Name*

Email Address*

Company*

Title*

Country*

Would you like to receive occasional email updates from Booz Allen Hamilton?*

I am interested in a demo of: (Check all that apply)*

Accelerated Readiness

AI-Enabled Data Extraction and Analysis

Booz Allen Edge Cloud with AWS and ESRI

EdgeAware

Comment or Question

Adversarial Artificial Intelligence