The increase in the sophistication of modern web applications has significantly changed the way in which attack methods are addressed in the cybersecurity field. Most vulnerabilities in web applications appear due to traditional top-layer attacks such as SQL Injection (SQLi), cross-site scripting (XSS), or command injection. However, many novel security concerns arise due to the rapid and substantial emergence of AI-driven systems and application programming interfaces (APIs) integrating machine learning capabilities. AI APIs are the interfaces that help developers build new applications using pre-trained models, such as OpenAI’s GPT-based APIs, Google’s Vision AI, and many more. These tools and systems extensively leverage Artificial Intelligence and Machine learning, thereby introducing novel attack surfaces in modern applications. One of the new attack vectors is Prompt Injection, which exploits the behavior of AI. In addition, Hybrid Injection Attacks, a combination of classical injection techniques and AI-specific exploits, are launched by attackers. These attacks assist the attackers in bypassing conventional defense mechanisms. The complexity of a hybrid injection attack enhances due to its potential ability to evade traditional security defenses, specifically in AI environments. Since AI-driven services and applications are rapidly combining with contemporary systems and techniques, security for such AI-driven systems becomes more essential. The possible security measures to protect AI systems from these hybrid attacks include the enhanced security of input validation, the model robustness against prompt manipulation, secure query parameterization of SQLi, and regular audits of model vulnerabilities. Organizational establishments must focus on the security posture of AI applications by addressing both classical and AI-specific injection attacks, protecting against evolving and advanced hybrid threats. This paper aims to present a complete perspective on hybrid injection attacks. It describes how to fend them with practical and viable approaches to defend against the next generation of intelligent, connected systems and applications. İt also presents a comparative analysis of all input-type attacks (Classical such as SQLi, AI-based such as prompt injection, and Hybrid attacks) against several mitigation techniques using logical simulation, and the results show that only combined defense, comprising of both conventional and AI-specific safeguards, can fully address hybrid injection attacks. © 2017 Elsevier Inc. All rights reserved.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Comprehensive Study on Hybrid Injection Attacks in AI-Driven Applications

  • Supriya Madan,
  • Priyanka Gupta

摘要

The increase in the sophistication of modern web applications has significantly changed the way in which attack methods are addressed in the cybersecurity field. Most vulnerabilities in web applications appear due to traditional top-layer attacks such as SQL Injection (SQLi), cross-site scripting (XSS), or command injection. However, many novel security concerns arise due to the rapid and substantial emergence of AI-driven systems and application programming interfaces (APIs) integrating machine learning capabilities. AI APIs are the interfaces that help developers build new applications using pre-trained models, such as OpenAI’s GPT-based APIs, Google’s Vision AI, and many more. These tools and systems extensively leverage Artificial Intelligence and Machine learning, thereby introducing novel attack surfaces in modern applications. One of the new attack vectors is Prompt Injection, which exploits the behavior of AI. In addition, Hybrid Injection Attacks, a combination of classical injection techniques and AI-specific exploits, are launched by attackers. These attacks assist the attackers in bypassing conventional defense mechanisms. The complexity of a hybrid injection attack enhances due to its potential ability to evade traditional security defenses, specifically in AI environments. Since AI-driven services and applications are rapidly combining with contemporary systems and techniques, security for such AI-driven systems becomes more essential. The possible security measures to protect AI systems from these hybrid attacks include the enhanced security of input validation, the model robustness against prompt manipulation, secure query parameterization of SQLi, and regular audits of model vulnerabilities. Organizational establishments must focus on the security posture of AI applications by addressing both classical and AI-specific injection attacks, protecting against evolving and advanced hybrid threats. This paper aims to present a complete perspective on hybrid injection attacks. It describes how to fend them with practical and viable approaches to defend against the next generation of intelligent, connected systems and applications. İt also presents a comparative analysis of all input-type attacks (Classical such as SQLi, AI-based such as prompt injection, and Hybrid attacks) against several mitigation techniques using logical simulation, and the results show that only combined defense, comprising of both conventional and AI-specific safeguards, can fully address hybrid injection attacks. © 2017 Elsevier Inc. All rights reserved.