Machine learning systems, while capable of remarkable feats, are not inherently immune to security failures. They operate within complex ecosystems and possess unique characteristics that introduce specific vulnerabilities. Recognizing these weaknesses is the essential first step before we can effectively analyze potential attacks or design robust defenses. Unlike traditional software security concerns, which might focus on issues like buffer overflows or SQL injection, ML security often centers on the data, the model's learning process, and how it makes predictions.

These vulnerabilities can manifest at various stages of the machine learning lifecycle. We can broadly group them into categories related to data dependencies, the intrinsic properties of the models themselves, and the infrastructure used for deployment.

Data-Related Vulnerabilities

The adage "garbage in, garbage out" takes on a new security dimension in machine learning. Models are fundamentally shaped by their training data, making the data itself a primary vector for security issues.

Data Poisoning Susceptibility: The process of collecting and preparing training data often involves complex pipelines drawing from numerous sources. This creates opportunities for attackers to inject malicious data. Such data poisoning can aim to degrade the model's overall performance (an availability attack) or, more insidiously, to cause specific, targeted misclassifications for certain inputs (an integrity attack). For example, an attacker might introduce subtly altered images that cause a facial recognition system to misidentify a specific individual or insert data points that create a backdoor, triggered by a specific pattern invisible during normal operation. We will explore data poisoning techniques and defenses in Chapter 3.
Training Data Skew and Bias: Models trained on data that doesn't accurately represent the real-world distribution, or that contains societal biases, exhibit a form of vulnerability. While not always the result of a direct attack, this skew can lead to poor performance, unfair outcomes for certain subgroups, and a general lack of reliability. Attackers aware of these biases might exploit them to craft inputs that are more likely to be misclassified or to intentionally trigger unfair predictions. Furthermore, data sparsity in certain regions of the input space can make the model more susceptible to targeted attacks in those areas.

Model-Specific Vulnerabilities

The learned parameters and decision mechanisms of ML models, especially complex ones like deep neural networks, give rise to unique vulnerabilities.

Sensitivity to Input Perturbations (Evasion): A well-documented weakness is the susceptibility of many models to adversarial examples. These are inputs ( $x$ ) that have been slightly modified by adding a carefully crafted, often human-imperceptible perturbation ( $\delta$ ), resulting in a new input $x' = x + \delta$ . While $x'$ appears almost identical to $x$ to a human, it causes the model to produce an incorrect output (e.g., misclassification). The perturbation is typically constrained, often using an $L_p$ norm, such that $||\delta||_p \le \epsilon$ for some small $\epsilon$ . This phenomenon arises because the high-dimensional decision boundaries learned by models can be surprisingly brittle and located unexpectedly close to legitimate data points. Evasion attacks occur at inference time and are a major focus of adversarial ML research. We delve into advanced evasion techniques in Chapter 2.
Information Leakage via Model Outputs: Deployed models can inadvertently leak information about their training data or internal structure through the predictions and confidence scores they provide.
- Model Extraction (Stealing): By repeatedly querying a model (even via a black-box API) with chosen inputs and observing the outputs, an attacker can potentially train a functional replica, or surrogate model. This compromises intellectual property and can facilitate other attacks, such as crafting evasion attacks that transfer to the original model.
- Membership Inference: It might be possible for an attacker to determine whether a specific data record was included in the model's training set by analyzing the model's response to that record. This poses a direct privacy risk, particularly for models trained on sensitive information like medical or financial data.
- Attribute Inference: Beyond membership, attackers might infer sensitive attributes of the training data subjects (e.g., demographics, personal preferences) that the model was not explicitly designed to predict.
- Model Inversion: These attacks aim to reconstruct representative samples or prototypes of the data used to train the model, sometimes even recovering specific training examples, based solely on access to the model. Chapter 4 provides a detailed look at these inference and privacy attacks.

Deployment and Infrastructure Vulnerabilities

Machine learning models are typically integrated into larger software systems and deployed via infrastructure that introduces its own set of security considerations.

Insecure Service Endpoints: Models exposed as services (e.g., through REST APIs) are vulnerable to traditional web security threats like insufficient authentication, authorization flaws, or denial-of-service (DoS) attacks. Specific to ML, excessive querying can be used for model extraction or economical DoS if predictions are resource-intensive. Standard security practices like rate limiting, strong authentication, and input validation are necessary first steps.
Compromised ML Pipelines: The entire workflow supporting the ML model, data ingestion, preprocessing scripts, feature extraction code, training environments, model serialization, and deployment automation, represents an attack surface. A compromise at any stage could allow an attacker to poison data upstream, tamper with the model's weights, introduce backdoors during retraining, or exfiltrate the model or sensitive data. This highlights the importance of securing the entire ML operational environment (MLOps).
Inadequate Monitoring and Logging: Without proper monitoring, shifts in input data distributions, sudden changes in prediction behavior, or anomalous query patterns indicative of an attack might go unnoticed. Comprehensive logging is also essential for detecting attacks and performing forensic analysis if a breach occurs.

Visualizing the Vulnerabilities

The following diagram illustrates where these vulnerabilities often appear within a typical machine learning system lifecycle:

An overview of a machine learning workflow, indicating potential entry points for different categories of security vulnerabilities (colored parallelograms).

Mapping out these potential weak points provides a necessary foundation for understanding the threats against machine learning systems. It underscores why security cannot be an afterthought but must be integrated throughout the entire lifecycle. These vulnerabilities directly motivate the need for systematic threat modeling, which we explore in the next section, and set the stage for analyzing the specific attack techniques and defensive strategies covered in the remainder of this course.