AI Security Threat Modeling: Build a Defense Map with NIST, MITRE ATLAS, and OWASP
AI Learning Project
AI Security Threat Modeling: Build a Defense Map with NIST, MITRE ATLAS, and OWASP
A practical AI security threat modeling guide using NIST adversarial ML, MITRE ATLAS, and OWASP LLM Top 10 to map assets, risks, evidence, and controls.
AI Learning Project

AI Security Threat Modeling: Build a Defense Map with NIST, MITRE ATLAS, and OWASP

Reading info

Level: Professional Reading time: 12 min
  • AI Security
  • Threat Modeling
  • NIST
  • MITRE ATLAS
  • OWASP
Open knowledge map

AI security should not start after deployment with a generic vulnerability scan. A defensible AI security program starts with threat modeling: assets, actors, trust boundaries, failure modes, evidence, and residual risk.

This article uses the NIST adversarial machine learning taxonomy, MITRE ATLAS, and the OWASP LLM Top 10 to build an engineering map for AI defense. The goal is not to publish an attack playbook. The goal is to make the system reviewable by AI engineers, security engineers, and future maintainers.

1. The model is not the only asset

Conventional application security often starts with APIs, databases, and identities. AI systems add several asset classes:

  • Training data: samples, labels, annotation rules, provenance, and filtering policy.
  • Model artifacts: weights, tokenizer, feature processors, calibration settings, and evaluation reports.
  • Prediction interfaces: inputs, outputs, confidence values, explanations, and bulk-query behavior.
  • Context systems: RAG documents, vector indexes, ranking, and agent tool permissions.
  • Feedback loops: user feedback, human review, retraining samples, and evaluation logs.

If the asset list says only “model service”, it misses data poisoning, model extraction, membership inference, prompt injection, and supply-chain compromise.

2. A three-layer threat framework

A practical AI threat model can use three layers. The first layer uses NIST adversarial ML categories for evasion, poisoning, privacy attacks, abuse, and supply-chain risks. The second layer maps behaviors to MITRE ATLAS tactics and techniques. The third layer uses OWASP LLM Top 10 risks for LLM, RAG, and agent applications, including prompt injection, sensitive information disclosure, excessive agency, and supply-chain issues.

This combination keeps the vocabulary stable: NIST gives the risk taxonomy, MITRE ATLAS gives the attack-process view, and OWASP gives common application failure modes.

3. What a useful threat record looks like

A useful record should be more specific than “AI security risk exists”. It should reach this level:

asset: prediction API
attacker goal: infer whether a sample was in the training data
attack pattern: membership inference from confidence scores
control: reduce confidence precision, rate-limit queries, monitor confidence gap
evidence: train/test confidence distribution and membership AUC
residual risk: labels and model behavior may still leak information

This format can be reused by security review, model review, and runtime monitoring. It also prevents teams from treating one filter or one guardrail as proof that the risk disappeared.

4. How the lab supports the model

The AI Security Lab companion package includes a small risk register and an attack-defense matrix. After downloading the package, run:

cd ai-security-lab
python src/privacy_extraction_demo.py --quick --out results/privacy-extraction-results.csv
python src/rag_prompt_injection_guard_demo.py --quick --out results/rag-guard-results.csv

These demos are local toy experiments. They do not access the network, attack real systems, or include secrets. Their value is to turn abstract risks into measurable signals such as membership AUC, surrogate fidelity, blocked document count, and unauthorized tool-call attempts.

5. Evidence professional teams should keep

  • Data evidence: provenance, license, sampling policy, anomaly treatment, and dataset hashes.
  • Model evidence: training parameters, evaluation splits, robustness tests, privacy tests, and version ids.
  • Interface evidence: rate limits, output fields, confidence precision, error codes, and audit logs.
  • LLM evidence: retrieval sources, prompt templates, tool allowlists, and human approval rules.
  • Runtime evidence: alert thresholds, drift checks, abuse queries, and rollback records.

A citeable engineering article should identify where evidence comes from. Without evidence, a threat model is only a meeting note.

6. Limitations

Threat modeling is not a formal proof. It does not cover every attack and it does not replace red teaming, code review, data governance, or runtime monitoring. Its value is to create a shared map so robustness, data integrity, privacy, and LLM security testing have explicit entry points.

7. References

Internal links

Related tutorials

Review foundation High-Entropy Traffic Defense Notes

Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.

 Continue next Adversarial Examples and Robust Evaluation

Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.

 Learning path AI Learning Path

Read AI foundations, machine learning, CNN work, traffic defense, and AI security in order.

 Resources Resource Library

Download companion code, datasets, diagrams, model files, and notes.

 Topic hub Student AI Projects

Connect handwritten digits, browser demos, and CNN projects into a portfolio path.

Search questions

FAQ

Who is this article for?

This article is for readers who want a professional-level guide to AI Security Threat Modeling. It takes about 12 min and focuses on AI Security, Threat Modeling, NIST, MITRE ATLAS.

What should I read next?

The recommended next step is Adversarial Examples and Robust Evaluation, so the article connects into a longer learning route instead of ending as an isolated note.

Does this article include runnable code or companion resources?

Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.

How does this article fit into the larger site?

It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.

Article context

AI Learning Project

A practical route from AI concepts to machine learning workflow, evaluation, neural networks, Python practice, handwritten digits, a CIFAR-10 CNN, adversarial traffic-defense notes, and AI security.

Level: Professional Reading time: 12 min
  • AI Security
  • Threat Modeling
  • NIST
  • MITRE ATLAS
  • OWASP

Your next step

Continue: Adversarial Examples and Robust Evaluation
Open resource View project
Other language version AI 安全威胁建模:用 NIST AML、MITRE ATLAS 和 OWASP 建立攻防地图
Share summary AI Security Threat Modeling

Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.

Download share card Open share center

Companion resources

Leave a Reply

Project timeline

Published posts

  1. AI Basics Learning Roadmap Separate AI, machine learning, and deep learning before going into implementation details.
  2. Machine Learning Workflow Follow the practical path from data and features to training, prediction, and evaluation.
  3. Model Training and Evaluation Understand loss, overfitting, train/test splits, accuracy, recall, and F1.
  4. Neural Network Basics Move from perceptrons to activation, forward propagation, backpropagation, and training loops.
  5. NLP Basics: Understanding Bag of Words and TF-IDF An introduction to the most fundamental text representation methods in NLP: Bag of Words (BoW) and TF-IDF.
  6. RNN Basics: Handling Sequential Data with Memory Understand the core concepts of Recurrent Neural Networks (RNN), the role of hidden states, and their application in NLP.
  7. Transformer Self-Attention Read Q/K/V, scaled dot-product attention, multi-head attention, and positional encoding before exploring LLM internals.
  8. Python AI Mini Practice Run a small scikit-learn classification task and read the experiment output.
  9. Handwritten Digit Dataset Basics Read train.csv, test.csv, labels, and the flattened 28 by 28 pixel layout before training the classifier.
  10. Handwritten Digit Softmax in C Follow the C implementation from logits and softmax probabilities to confusion matrices and submission export.
  11. Handwritten Digit Playground Notes See how the offline classifier was adapted into a browser demo with drawing input and probability output.
  12. CIFAR-10 Tiny CNN Tutorial in C Build and train a small convolutional neural network for CIFAR-10 image classification, then read its loss and accuracy output.
  13. Building a Tiny CIFAR-10 CNN in C: Convolution, Pooling, and Backpropagation A source-based walkthrough of cifar10_tiny_cnn.c, covering CIFAR-10 binary input, 3x3 convolution, ReLU, max pooling, fully connected logits, softmax, backpropagation, and local commands.
  14. High-Entropy Traffic Defense Notes Study encrypted metadata leaks, entropy, traffic classifiers, and a defensive Python chaffing prototype.
  15. AI Security Threat Modeling Build a defense map with NIST adversarial ML, MITRE ATLAS, and OWASP LLM risks.
  16. Adversarial Examples and Robust Evaluation Evaluate clean and perturbed accuracy with an FGSM-style digits experiment.
  17. Data Poisoning and Backdoor Defense Study poison rate, trigger behavior, attack success rate, and training pipeline controls.
  18. Model Privacy and Extraction Defense Measure membership inference signal and surrogate fidelity against a local toy model.
  19. LLM, RAG, and Agent Security Separate instructions from data and enforce tool permissions against indirect prompt injection.

Published resources

  1. Python AI practice code guide The article includes a runnable scikit-learn classification script.
  2. digit_softmax_classifier.c The C source for the handwritten digit softmax classifier.
  3. train.csv.zip Compressed handwritten digit training set with 42000 labeled samples.
  4. test.csv.zip Compressed handwritten digit test set with 28000 unlabeled samples.
  5. sample_submission.csv The official submission format example for checking the final output columns.
  6. submission.csv The prediction file generated by the current C project.
  7. digit-playground-model.json The compact softmax demo model and sample set used by the browser playground.
  8. digit-sample-grid.svg A small handwritten digit preview grid extracted from the training set.
  9. Handwritten digit project bundle Contains the source file, compressed datasets, submission files, browser model, and preview grid.
  10. cifar10_tiny_cnn.c source Single-file C tiny CNN with CIFAR-10 loading, convolution, pooling, softmax, and backpropagation.
  11. model_weights.bin sample weights Model weights generated by one local small-sample run.
  12. test_predictions.csv sample predictions Sample test prediction output from the CIFAR-10 tiny CNN.
  13. CNN project explanation PDF Companion explanation material for the CNN project.
  14. Virtual Mirror redacted code skeleton A redacted mld_chaffing_v2.py control-flow skeleton with secrets, node topology, and target lists removed.
  15. Virtual Mirror stress-test template A redacted CSV template for CPU, memory, peak threads, pulse rate, latency, and error measurements.
  16. Virtual Mirror classifier-evaluation template A CSV template for TP, FN, FP, TN, accuracy, precision, recall, F1, ROC-AUC, entropy, and JS divergence.
  17. Virtual Mirror resource notes Notes explaining why the public resources include only redacted code, test templates, and architecture context.
  18. AI Security Lab README Setup, safety boundaries, and quick-run commands for the AI Security series.
  19. AI Security Lab full bundle Includes safe toy scripts, result CSVs, risk register, attack-defense matrix, and architecture diagram.
  20. AI security risk register CSV risk register template for AI threat modeling and release review.
  21. AI attack-defense matrix Maps attack surface, toy demo, metric, and defensive control into one CSV table.
  22. AI Security Lab architecture diagram Shows threat modeling, robustness, data integrity, model privacy, and RAG guardrails.
  23. FGSM digits robustness script FGSM-style perturbation and accuracy-drop experiment for a local digits classifier.
  24. Data poisoning and backdoor toy script Demonstrates poison rate, trigger behavior, and attack success rate on digits.
  25. Model privacy and extraction toy script Outputs membership AUC, target accuracy, surrogate fidelity, and surrogate accuracy.
  26. RAG prompt injection guard toy script Uses a deterministic toy agent to demonstrate external-data demotion and tool-policy blocking.
  27. Deep Learning topic share card A 1200x630 SVG card for sharing the Deep Learning / CNN topic hub.
  28. Machine Learning From Scratch share card A 1200x630 SVG card for the K-means, Iris, and ML workflow topic hub.
  29. Student AI Projects share card A 1200x630 SVG card for handwritten digits, C classifiers, and browser demos.
  30. CNN convolution scan animation An 8-second Remotion animation showing how a 3x3 convolution kernel scans an input and builds a feature map.

Current route

  1. AI Basics Learning Roadmap Learning path step
  2. Machine Learning Workflow Learning path step
  3. Model Training and Evaluation Learning path step
  4. Neural Network Basics Learning path step
  5. Transformer Self-Attention Learning path step
  6. LLM Visualizer Learning path step
  7. Python AI Mini Practice Learning path step
  8. Handwritten Digit Dataset Basics Learning path step
  9. Handwritten Digit Softmax in C Learning path step
  10. Handwritten Digit Playground Notes Learning path step
  11. CIFAR-10 Tiny CNN Tutorial in C Learning path step
  12. High-Entropy Traffic Defense Notes Learning path step
  13. AI Security Threat Modeling Learning path step
  14. Adversarial Examples and Robust Evaluation Learning path step
  15. Data Poisoning and Backdoor Defense Learning path step
  16. Model Privacy and Extraction Defense Learning path step
  17. LLM, RAG, and Agent Security Learning path step

Next notes

  1. Add more image-classification and error-analysis cases
  2. Turn common metrics into a quick reference
  3. Add more AI security defense experiment notes