What is the authoritative source for CWE-1039?

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism (CWE-1039) is catalogued in MITRE CWE and curated for EU compliance use cases by SQUR.

ClassIncomplete

CWE-1039Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

Category: other

Description

The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.

Common consequences· 4

Integrity — Bypass Protection Mechanism
When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.
Availability — DoS: Resource Consumption (Other), DoS: Instability
There could be disruption to the service of the automated recognition system, which could cause further downstream failures of the software.
Confidentiality — Read Application Data
This weakness could lead to breaches of data privacy through exposing features of the training data, e.g., by using membership inference attacks or prompt injection attacks.
Other — Varies by Context
The consequences depend on how the application applies or integrates the affected algorithm.

Potential mitigations· 5

[Architecture and Design]Algorithmic modifications such as model pruning or compression can help mitigate this weakness. Model pruning ensures that only weights that are most relevant to the task are used in the inference of incoming data and has shown resilience to adversarial perturbed data.
[Architecture and Design]Consider implementing adversarial training, a method that introduces adversarial examples into the training data to promote robustness of algorithm at inference time.
[Architecture and Design]Consider implementing model hardening to fortify the internal structure of the algorithm, including techniques such as regularization and optimization to desensitize algorithms to minor input perturbations and/or changes.
[Implementation]Consider implementing multiple models or using model ensembling techniques to improve robustness of individual model weaknesses against adversarial input perturbations.
[Implementation]Incorporate uncertainty estimations into the algorithm that trigger human intervention or secondary/fallback software when reached. This could be when inference predictions and confidence scores are abnormally high/low comparative to expected model performance.