logo

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

Incomplete Class
Structure: Simple
Description

This vulnerability occurs when a system uses automated AI or machine learning to classify complex inputs like images, audio, or text, but fails to correctly identify or process inputs that have been deliberately altered. Attackers can exploit this by crafting subtle modifications that cause the system to misclassify the input, leading to incorrect and potentially harmful decisions.

Extended Description

When machine learning models are deployed for security-critical tasks—such as autonomous vehicle perception, content moderation, or fraud detection—their classification errors become direct security flaws. Attackers can exploit weaknesses in the model's training or design by creating adversarial inputs (e.g., subtly perturbed images, malicious audio clips, or jailbreak prompts for LLMs) to force misclassification, bypass safeguards, or disrupt services. This is especially dangerous in systems where automated recognition directly triggers actions without human oversight. Preventing these attacks requires robust adversarial training, continuous testing with malicious inputs, and implementing input validation layers. Managing this at scale across multiple AI components is difficult; an ASPM like Plexicus can help you inventory, track, and prioritize these model vulnerabilities alongside traditional code flaws in your entire application stack.
Common Consequences 4
Scope: Integrity

Impact: Bypass Protection Mechanism

When the automated recognition is used in a protection mechanism, an attacker may be able to craft inputs that are misinterpreted in a way that grants excess privileges.

Scope: Availability

Impact: DoS: Resource Consumption (Other)DoS: Instability

There could be disruption to the service of the automated recognition system, which could cause further downstream failures of the software.

Scope: Confidentiality

Impact: Read Application Data

This weakness could lead to breaches of data privacy through exposing features of the training data, e.g., by using membership inference attacks or prompt injection attacks.

Scope: Other

Impact: Varies by Context

The consequences depend on how the application applies or integrates the affected algorithm.
Detection Methods 3
Dynamic Analysis with Manual Results Interpretation
Use indicators from model performance deviations such as sudden drops in accuracy or unexpected outputs to verify the model.
Dynamic Analysis with Manual Results Interpretation
Use indicators from input data collection mechanisms to verify that inputs are statistically within the distribution of the training and test data.
Architecture or Design Review
Use multiple models or model ensembling techniques to check for consistency of predictions/inferences.
Potential Mitigations 7
Phase: Architecture and Design
Algorithmic modifications such as model pruning or compression can help mitigate this weakness. Model pruning ensures that only weights that are most relevant to the task are used in the inference of incoming data and has shown resilience to adversarial perturbed data.
Phase: Architecture and Design
Consider implementing adversarial training, a method that introduces adversarial examples into the training data to promote robustness of algorithm at inference time.
Phase: Architecture and Design
Consider implementing model hardening to fortify the internal structure of the algorithm, including techniques such as regularization and optimization to desensitize algorithms to minor input perturbations and/or changes.
Phase: Implementation
Consider implementing multiple models or using model ensembling techniques to improve robustness of individual model weaknesses against adversarial input perturbations.
Phase: Implementation
Incorporate uncertainty estimations into the algorithm that trigger human intervention or secondary/fallback software when reached. This could be when inference predictions and confidence scores are abnormally high/low comparative to expected model performance.
Phase: Integration
Reactive defenses such as input sanitization, defensive distillation, and input transformations can all be implemented before input data reaches the algorithm for inference.
Phase: Integration
Consider reducing the output granularity of the inference/prediction such that attackers cannot gain additional information due to leakage in order to craft adversarially perturbed data.
References 5
Intriguing properties of neural networks
Christian Szegedy, Wojciech Zaremba, Ilya Sutskever, Joan Bruna, Dumitru Erhan, Ian Goodfellow, and Rob Fergus
19-02-2014
https://arxiv.org/abs/1312.6199
ID: REF-16
Attacking Machine Learning with Adversarial Examples
OpenAI
24-02-2017
https://openai.com/index/attacking-machine-learning-with-adversarial-examples/(2025-07-25)
ID: REF-17
Magic AI: These are the Optical Illusions that Trick, Fool, and Flummox Computers
James Vincent
The Verge
12-04-2017
https://www.theverge.com/2017/4/12/15271874/ai-adversarial-images-fooling-attacks-artificial-intelligence
ID: REF-15
CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition
Xuejing Yuan, Yuxuan Chen, Yue Zhao, Yunhui Long, Xiaokang Liu, Kai Chen, Shengzhi Zhang, Heqing Huang, Xiaofeng Wang, and Carl A. Gunter
24-01-2018
https://arxiv.org/pdf/1801.08535(2025-08-04)
ID: REF-13
Audio Adversarial Examples: Targeted Attacks on Speech-to-Text
Nicholas Carlini and David Wagner
05-01-2018
https://arxiv.org/abs/1801.01944
ID: REF-14
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Technologies:
AI/ML : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Protection Mechanism Failure (CWE-693)
ChildOf: Incorrect Comparison (CWE-697)
Notes
RelationshipFurther investigation is needed to determine if better relationships exist or if additional organizational entries need to be created. For example, this issue might be better related to "recognition of input as an incorrect type," which might place it as a sibling of Incorrect Type Conversion or Cast (incorrect type conversion).