Just as MITRE ATT&CK® provides a common language for describing cyber adversary behavior, MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) does the same for threats against AI systems. It’s not just a list of vulnerabilities; it’s a knowledge base of adversarial tactics, techniques, and case studies based on real-world observations and academic research.
For an AI red teamer, ATLAS is an indispensable resource. It moves your operations from ad-hoc testing to a structured, repeatable, and comprehensive methodology. It helps you think like an adversary specifically targeting machine learning systems, providing a framework to plan engagements, communicate findings, and measure defensive coverage.
Core Components of ATLAS
The framework is logically structured to connect high-level adversary goals with the specific methods used to achieve them. Understanding this hierarchy is key to using ATLAS effectively.
Tactics
Tactics represent the adversary’s high-level objectives or goals. They answer the question, “Why is the adversary performing this action?” Examples include ML Model Evasion (tricking a model into making a wrong prediction), ML Model Extraction (stealing the model itself), and Reconnaissance (gathering information about the target AI system).
Techniques
Techniques are the specific methods used to achieve a tactic. They answer the question, “How is the adversary achieving their goal?” Each tactic contains multiple techniques. For example, the ML Model Evasion tactic can be achieved through techniques like Adversarial Examples or Poisoning ML Model Training Data.
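To make the hierarchy concrete, the sketch below models a small slice of it as a plain data structure. The tactic and technique names come from the examples in this section; the `AtlasTactic` and `AtlasTechnique` classes and their grouping are illustrative only, not part of the official ATLAS schema.

```python
from dataclasses import dataclass, field


@dataclass
class AtlasTechnique:
    """How the adversary achieves a goal (e.g., crafting adversarial examples)."""
    name: str
    description: str = ""


@dataclass
class AtlasTactic:
    """Why the adversary acts: a high-level objective plus the techniques that serve it."""
    name: str
    objective: str
    techniques: list[AtlasTechnique] = field(default_factory=list)


# A small slice of the tactic -> technique hierarchy, using this section's examples.
evasion = AtlasTactic(
    name="ML Model Evasion",
    objective="Trick the model into producing an incorrect prediction",
    techniques=[
        AtlasTechnique("Adversarial Examples"),
        AtlasTechnique("Poisoning ML Model Training Data"),
    ],
)

for technique in evasion.techniques:
    print(f"{evasion.name} -> {technique.name}")
```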
Case Studies
Case studies are documented, real-world examples of adversarial attacks on AI systems. They provide critical context, demonstrating that the tactics and techniques are not merely theoretical. For a red teamer, these studies are a goldmine of inspiration for developing realistic attack scenarios.
Applying ATLAS in AI Red Teaming
You can integrate ATLAS into every phase of an AI red team operation:
- Threat Modeling: Use the matrix of tactics and techniques to brainstorm potential attack paths against your target system. Ask questions like, “Which data assets could an adversary poison?” or “What are the viable paths to exfiltrate our model weights?”
- Engagement Planning: Map your planned testing activities to specific ATLAS techniques. This ensures you have comprehensive coverage and helps you justify your testing scope to stakeholders. It also provides a clear structure for your Rules of Engagement (a minimal record-keeping sketch follows this list).
- Execution: During the engagement, use the detailed descriptions of techniques as a guide. ATLAS often links to research papers and tools that can help you execute a specific attack.
- Reporting: Frame your findings using ATLAS terminology. Reporting that you “successfully executed an evasion attack using the ‘Adversarial Patch’ technique (AML.T0019)” is far more precise and actionable for the blue team than saying you “fooled the image classifier.”
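A lightweight way to operationalize the planning and reporting steps is to tag each planned test with the ATLAS technique it exercises, then derive both coverage numbers and blue-team findings from that one record. The sketch below is illustrative record-keeping, not an official ATLAS tool; the only real technique ID used is AML.T0019 from the example above, and the `AML.TXXXX` entry is a deliberate placeholder to be filled in from the ATLAS site.

```python
from dataclasses import dataclass


@dataclass
class PlannedTest:
    """One planned red-team activity mapped to the ATLAS technique it exercises."""
    atlas_id: str       # e.g. "AML.T0019"; look up the real ID on the ATLAS site
    technique: str
    description: str
    executed: bool = False
    succeeded: bool = False


# Engagement plan: every activity is tied to a technique up front.
plan = [
    PlannedTest("AML.T0019", "Adversarial Patch",
                "Printed patch used to evade the image classifier",
                executed=True, succeeded=True),
    PlannedTest("AML.TXXXX", "Poisoning ML Model Training Data",  # placeholder ID
                "Inject mislabeled samples into the retraining feed"),
]

# Coverage summary for stakeholders.
executed = [t for t in plan if t.executed]
print(f"Coverage: {len(executed)}/{len(plan)} planned techniques executed")

# Findings framed in ATLAS terminology for the blue team.
for test in plan:
    if test.succeeded:
        print(f"FINDING: '{test.technique}' ({test.atlas_id}) succeeded: {test.description}")
```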
A Sample of ATLAS Tactics and Techniques
To make this concrete, the table below shows a few examples of tactics and the corresponding techniques an adversary might use.
| Tactic (ID & Name) | Objective | Example Techniques |
|---|---|---|
| AML.TA0003 ML Model Evasion | Cause the ML model to produce an incorrect output, often to bypass a security control or disrupt a business process. | Adversarial Examples; Adversarial Patch (AML.T0019) |
| AML.TA0004 ML Model Extraction | Re-create a functional copy of the target model, stealing intellectual property or enabling further attacks. | Querying the inference API at scale to train a substitute (proxy) model |
| AML.TA0002 ML Attack Staging | Manipulate or compromise resources in the AI/ML development pipeline to enable a future attack. | Poisoning ML Model Training Data; planting a backdoored model in the supply chain |
By familiarizing yourself with the ATLAS framework, you elevate your AI red teaming from a series of disconnected tests to a strategic, intelligence-driven operation. It provides the common vocabulary and systematic approach necessary to effectively challenge and improve the security of modern AI systems.