| Spoofing |
T9 – Identity Spoofing |
Attackers exploiting authentication mechanisms to impersonate AI agents or human users. By assuming a false identity, the attacker can then execute unauthorized actions under that guise. |
| T13 – Rogue Agents |
An attacker might leverage identity spoofing techniques to impersonate a legitimate AI agent. By successfully authenticating as an existing agent or creating a new agent that masquerades as legitimate, the attacker can introduce a "rogue" agent into the system under a false identity. This rogue agent can then carry out malicious activities.
|
| Tampering |
T1 – Memory Poisoning |
An attacker injecting malicious data or code into the memory space of an AI agent or the underlying system. This directly constitutes unauthorized modification, which is the core of the Tampering threat category.
|
| T11 - Unexpected RCE and Code Attacks |
The ultimate aim of an attacker exploiting an RCE vulnerability is to tamper with the system's intended state and behavior. By injecting and executing their own code, they are directly modifying how the AI agent operates, the data it processes, or the system it runs on.
|
| Repudiation |
T8 – Repudiation and Untraceability |
This category deals with the ability of an attacker (or even a legitimate user) to deny having performed an action or transaction. Untraceability directly supports repudiation by making it difficult or impossible to link an action back to a specific individual or entity. |
Information
Disclosure |
T12 – Agent Communication Poisoning |
This category deals with the threat of an attacker gaining unauthorized access to sensitive information and potentially altering. You could make the case for this to be in Tampering as well. If communication between AI agents is not properly secured, an attacker eavesdropping on the network can gain valuable insights.
|
| Denial of Service |
T4 – Resource Overload |
This category focuses on attacks that aim to make a system or service unavailable to legitimate users or processes. Resource overload, by its very nature, achieves this by consuming excessive system resources (CPU, memory, network bandwidth, storage) to the point where the AI agent or the underlying system can no longer function correctly or respond to legitimate requests.
|
| T10 – Overwhelming HITL |
The core of "Overwhelming HITL" is to flood the human operator with an excessive number of requests, alerts, or decisions, rendering them unable to effectively process and respond in a timely manner. This effectively makes the HITL component unavailable or significantly degrades its performance, leading to a denial of the intended service or oversight.
|
| Elevation of Privilege |
T3 – Privilege Compromise |
This category focuses on the threat of an attacker gaining higher levels of access or permissions than they were originally intended to have. Privilege compromise is precisely the act of an attacker successfully obtaining these elevated privileges within the AI agent system or its underlying infrastructure.
|
| T14 – Human attacks on MAS |
In many scenarios, human attackers might not be exploiting technical vulnerabilities to gain new privileges. Instead, they might be leveraging their existing authorized access and the inherent trust the system places in human operators to perform actions that go beyond the expected or safe scope of their intended use.
|
| Misunderstanding |
T2 – Tool Misuse |
An AI agent or user lacks sufficient context about a tool's function or is misled by malicious input, leading to a flawed assessment of its proper application. This flawed assessment results in the tool being used in unintended ways, causing unexpected and undesirable emerging behaviors in the AI system due to this fundamental misunderstanding of the tool's role or implications.
|
| T5 - Cascading Hallucinations |
An initial lack of context or a maliciously introduced falsehood leads an AI model to make an incorrect assessment, which then compounds in subsequent reasoning steps, generating further inaccurate outputs and unexpected behaviors. Each hallucination builds upon a prior flawed assessment, demonstrating a cascading "Misunderstanding" of the underlying information or task.
|
| T6 – Intent Breaking & Goal Manipulation
|
A model's assessment of the user's intended goal is incorrect due to a lack of proper context or malicious prompting designed to mislead it. This "Misunderstanding" of the desired outcome results in the model exhibiting unexpected behaviors that deviate from or actively subvert the user's actual objective.
|
|
Lack of Accountability |
T7 – Misaligned & Deceptive Behaviour |
A model's assessment of appropriate action is flawed due to insufficient context regarding ethical guidelines or malicious prompting that manipulates its understanding of desirable behavior. This "Lack of Accountability" leads to unexpected emerging behaviors that are either not aligned with intended values or actively deceptive.
|
| T15 – Human Trust ManipulationS |
When a model's output, influenced by insufficient context or malicious prompting, leads a human to form an inaccurate assessment of the model's reliability or the situation it presents. This "Lack of Accountability" of the model's trustworthiness can result in unexpected and potentially harmful human behaviors based on that flawed assessment.
|
