SoK: A Systems Perspective on Compound AI Threats and Countermeasures
Sarbartha Banerjee, Prateek Sahu, Mulong Luo, Anjo Vahldiek-Oberwagner, Neeraja J. Yadwadkar, Mohit Tiwari

TL;DR
This paper provides a comprehensive survey of attack vectors and countermeasures for compound AI systems, emphasizing the importance of a holistic, system-wide security approach across software and hardware layers.
Contribution
It systematically categorizes AI attack vectors within the MITRE ATT&CK framework and highlights the need for integrated defense strategies for complex AI pipelines.
Findings
Combining attack vectors enables more powerful end-to-end attacks.
Current research often isolates attack vectors, missing the compounded threat.
Holistic understanding is essential for effective countermeasures.
Abstract
Large language models (LLMs) used across enterprises often use proprietary models and operate on sensitive inputs and data. The wide range of attack vectors identified in prior research - targeting various software and hardware components used in training and inference - makes it extremely challenging to enforce confidentiality and integrity policies. As we advance towards constructing compound AI inference pipelines that integrate multiple large language models (LLMs), the attack surfaces expand significantly. Attackers now focus on the AI algorithms as well as the software and hardware components associated with these systems. While current research often examines these elements in isolation, we find that combining cross-layer attack observations can enable powerful end-to-end attacks with minimal assumptions about the threat model. Given the sheer number of existing attacks at…
Taxonomy
Topics: Advanced Malware Detection Techniques
