Preface
The rise of AI is a new revolution in the making, transforming our lives. Alongside the phenomenal opportunities, new risks and threats are emerging, especially in the area of security, and new skills are demanded to safeguard AI systems. This is because some of these threats manipulate the very essence of how AI works to trick AI systems. We call this adversarial AI, and this book will walk you through techniques, examples, and countermeasures. We will explore them from both offensive and defensive perspectives; we will act as an attacker, staging attacks to demonstrate the threats and then discussing how to mitigate them.
Understanding adversarial AI and defending against it pose new challenges for cybersecurity professionals because both require an understanding of AI and Machine Learning (ML) techniques. The book assumes you have no ML or AI expertise, which will be true for most cybersecurity professionals. Although it will not make you a data scientist, the book will help you build a foundational hands-on understanding of ML and AI, enough to understand and detect adversarial AI attacks and defend against them.
AI has evolved. Its first wave covered predictive (or discriminative) AI with models classifying or predicting values from inputs. This is now mainstream, and we use it every day on our smartphones, for passport checks, at hospitals, and with home assistants. We will cover attacks on this strand of AI before we move to the next frontier of AI, generative AI, which creates new content. We will cover Generative Adversarial Networks (GANs), deepfakes, and the new revolution of Large Language Models (LLMs) such as ChatGPT.
The book strives to be hands-on, but adversarial AI is an evolving research topic. Thousands of research papers have been published detailing experiments in lab conditions. We will try to group this research into concrete themes while providing plenty of references for you to dive into for more details.
We will wrap up our journey with a methodology for secure-by-design AI with core elements such as threat modeling and MLSecOps, while looking at Trustworthy AI.
The book is detailed and demanding at times, asking for your full attention. The reward, however, is high. You will gain an in-depth understanding of AI and its advanced security challenges. In our changing times, this is essential to safeguard AI against its abusers.
Who this book is for
The book is for cybersecurity professionals, such as security architects, analysts, engineers, ethical hackers, penetration testers, and incident responders, but also developers and engineers designing, building, and assuring AI systems.
A basic understanding of security concepts is beneficial, and a hacking and tinkering mindset, especially using Python, is the ideal background.
What this book covers
Chapter 1, Getting Started with AI, covers key concepts and terms surrounding AI and ML to get us started with adversarial AI.
Chapter 2, Building Our Adversarial Playground, goes through the step-by-step setup of our environment and the creation of some basic models and our sample Image Recognition Service (ImRecS).
Chapter 3, Security and Adversarial AI, discusses how to apply traditional cybersecurity to our sample ImRecS and bypass it with a sample adversarial AI attack.
Chapter 4, Poisoning Attacks, covers poisoning data and models, and how to mitigate them with examples from our ImRecS.
Chapter 5, Model Tampering with Trojan Horses and Model Reprogramming, looks at changing models by embedding code-based Trojan horses and how to defend against them.
Chapter 6, Supply Chain Attacks and Adversarial AI, covers traditional and new AI supply chain risks and mitigations, including building our own private package repository.
Chapter 7, Evasion Attacks against Deployed AI, explores fooling AI systems with evasion attacks and how to defend against them.
Chapter 8, Privacy Attacks - Stealing Models, looks at model extraction attacks to replicate models and how to mitigate these attacks, including watermarking.
Chapter 9, Privacy Attacks - Stealing Data, looks at model inversion and inference attacks to reconstruct or infer sensitive data from model responses.
Chapter 10, Privacy-Preserving AI, discusses techniques for preserving privacy in AI, including anonymization, differential privacy, homomorphic encryption, federated learning, and secure multi-party computations.
Chapter 11, Generative AI - A New Frontier, provides a hands-on introduction to generative AI with a focus on GANs.
Chapter 12, Weaponizing GANs for Deepfakes and Adversarial Attacks, provides an exploration of how to use GANs to support adversarial attacks, including deepfakes, and how to mitigate these attacks.
Chapter 13, LLM Foundations for Adversarial AI, provides a hands-on introduction to LLMs using the OpenAI API and LangChain to create our sample Foodie AI bot with RAG.
Chapter 14, Adversarial Attacks with Prompts, explores prompt injections against LLMs and how to mitigate them.
Chapter 15, Poisoning Attacks and LLMs, looks at poisoning attacks with RAG, embeddings, and fine-tuning, using Foodie AI as an example, and appropriate defenses.
Chapter 16, Advanced Generative AI Scenarios, looks at poisoning the open source LLM Mistral with fine-tuning on Hugging Face, model lobotomization, replication, and inversion and inference attacks on LLMs.
Chapter 17, Secure by Design and Trustworthy AI, explores a methodology using standards-based taxonomies, threat modeling, and risk management to build secure AI with a case study combining predictive AI and LLMs.
Chapter 18, AI Security with MLSecOps, looks at MLSecOps patterns with examples of how to apply them using Jenkins, MLflow, and custom Python scripts.
Chapter 19, Maturing AI Security, discusses applying AI security governance and evolving AI security at an enterprise level.
To get the most out of this book
To follow along with the code, you will need a computer running Windows 10 or 11, macOS, or Linux with at least 16 GB of RAM. Windows users should use the Windows Subsystem for Linux 2 (WSL2) and Ubuntu 20.04. Alternatively, cloud solutions such as Colab or AWS SageMaker notebook instances will provide the processing power you will need. In all cases, you should have a basic understanding of a Bash command-line environment.
Most examples use Python 3.x, virtual environments, pip packages, and Jupyter notebooks. Chapter 2 will take you step by step through setting up the Python environments. Additionally, we will use custom Docker image files and Docker Compose files, but we will provide detailed commands and scripts.
To edit or run the examples, you must have a browser or an IDE that supports Jupyter Notebook, such as Visual Studio Code or IntelliJ PyCharm. Both are free and can be found at https://code.visualstudio.com and https://www.jetbrains.com/pycharm, respectively. A browser will be more than sufficient for the examples in this chapter.
Software/hardware covered in the book      Operating system requirements
Python 3.x, TensorFlow 2.x with Keras      Windows, macOS, or Linux
OpenAI and Hugging Face APIs
LangChain
Docker
If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
Download the example code files
You can download the example code files...