Artificial Intelligence

3 takeaways from purple teaming 100 generative AI merchandise

January 14, 2025
roosho

Microsoft’s AI purple crew is happy to share our whitepaper, “Classes from Pink Teaming 100 Generative AI Merchandise.”

The AI purple crew was fashioned in 2018 to deal with the rising panorama of AI security and safety dangers. Since then, we now have expanded the scope and scale of our work considerably. We’re one of many first purple groups within the trade to cowl each safety and accountable AI, and purple teaming has develop into a key a part of Microsoft’s method to generative AI product growth. Pink teaming is step one in figuring out potential harms and is adopted by necessary initiatives on the firm to measure, handle, and govern AI threat for our clients. Final 12 months, we additionally introduced PyRIT (The Python Danger Identification Device for generative AI), an open-source toolkit to assist researchers establish vulnerabilities in their very own AI techniques.

Pie chart showing the percentage breakdown of products tested by the Microsoft AI red team (AIRT). As of October 2024, we have conducted more than 80 operations covering more than 100 products.
Pie chart exhibiting the share breakdown of merchandise examined by the Microsoft AI purple crew. As of October 2024, we had purple teamed greater than 100 generative AI merchandise.

With a concentrate on our expanded mission, we now have now red-teamed greater than 100 generative AI merchandise. The whitepaper we are actually releasing gives extra element about our method to AI purple teaming and consists of the next highlights:

  • Our AI purple crew ontology, which we use to mannequin the primary elements of a cyberattack together with adversarial or benign actors, TTPs (Ways, Strategies, and Procedures), system weaknesses, and downstream impacts. This ontology gives a cohesive strategy to interpret and disseminate a variety of security and safety findings.
  • Eight essential classes realized from our expertise purple teaming greater than 100 generative AI merchandise. These classes are geared in the direction of safety professionals seeking to establish dangers in their very own AI techniques, and so they make clear align purple teaming efforts with potential harms in the actual world.
  • 5 case research from our operations, which spotlight the wide selection of vulnerabilities that we search for together with conventional safety, accountable AI, and psychosocial harms. Every case examine demonstrates how our ontology is used to seize the primary elements of an assault or system vulnerability.
Two colleagues collaborating at a desk.

Classes from Pink Teaming 100 Generative AI Merchandise

Uncover extra about our method to AI purple teaming.

Microsoft AI purple crew tackles a large number of situations

Over time, the AI purple crew has tackled a large assortment of situations that different organizations have doubtless encountered as effectively. We concentrate on vulnerabilities most probably to trigger hurt in the actual world, and our whitepaper shares case research from our operations that spotlight how we now have carried out this in 4 situations together with safety, accountable AI, harmful capabilities (reminiscent of a mannequin’s skill to generate hazardous content material), and psychosocial harms. Because of this, we’re in a position to acknowledge a wide range of potential cyberthreats and adapt rapidly when confronting new ones.

This mission has given our purple crew a breadth of experiences to skillfully deal with dangers no matter:

  • System sort, together with Microsoft Copilot, fashions embedded in techniques, and open-source fashions.
  • Modality, whether or not text-to-text, text-to-image, or text-to-video.
  • Consumer sort—enterprise consumer threat, for instance, is completely different from client dangers and requires a singular purple teaming method. Area of interest audiences, reminiscent of for a selected trade like healthcare, additionally deserve a nuanced method. 

Prime three takeaways from the whitepaper

AI purple teaming is a follow for probing the protection and safety of generative AI techniques. Put merely, we “break” the know-how in order that others can construct it again stronger. Years of purple teaming have given us invaluable perception into the best methods. In reflecting on the eight classes mentioned within the whitepaper, we are able to distill three prime takeaways that enterprise leaders ought to know.

Takeaway 1: Generative AI techniques amplify present safety dangers and introduce new ones

The combination of generative AI fashions into fashionable purposes has launched novel cyberattack vectors. Nonetheless, many discussions round AI safety overlook present vulnerabilities. AI purple groups ought to take note of cyberattack vectors each outdated and new.

  • Current safety dangers: Software safety dangers typically stem from improper safety engineering practices together with outdated dependencies, improper error dealing with, credentials in supply, lack of enter and output sanitization, and insecure packet encryption. One of many case research in our whitepaper describes how an outdated FFmpeg part in a video processing AI software launched a well known safety vulnerability known as server-side request forgery (SSRF), which might permit an adversary to escalate their system privileges.
Flow chart showing an SSRF vulnerability in the GenAI application from red team case study.
Illustration of the SSRF vulnerability within the video-processing generative AI software.
  • Mannequin-level weaknesses: AI fashions have expanded the cyberattack floor by introducing new vulnerabilities. Immediate injections, for instance, exploit the truth that AI fashions typically battle to tell apart between system-level directions and consumer knowledge. Our whitepaper features a purple teaming case examine about how we used immediate injections to trick a imaginative and prescient language mannequin.

Pink crew tip: AI purple groups must be attuned to new cyberattack vectors whereas remaining vigilant for present safety dangers. AI safety finest practices ought to embody fundamental cyber hygiene.

Takeaway 2: People are on the middle of bettering and securing AI

Whereas automation instruments are helpful for creating prompts, orchestrating cyberattacks, and scoring responses, purple teaming can’t be automated solely. AI purple teaming depends closely on human experience.

People are necessary for a number of causes, together with:

  • Subject material experience: LLMs are able to evaluating whether or not an AI mannequin response comprises hate speech or express sexual content material, however they’re not as dependable at assessing content material in specialised areas like drugs, cybersecurity, and CBRN (chemical, organic, radiological, and nuclear). These areas require subject material consultants who can consider content material threat for AI purple groups.
  • Cultural competence: Fashionable language fashions use primarily English coaching knowledge, efficiency benchmarks, and security evaluations. Nonetheless, as AI fashions are deployed around the globe, it’s essential to design purple teaming probes that not solely account for linguistic variations but additionally redefine harms in several political and cultural contexts. These strategies could be developed solely by way of the collaborative effort of individuals with various cultural backgrounds and experience.
  • Emotional intelligence: In some instances, emotional intelligence is required to guage the outputs of AI fashions. One of many case research in our whitepaper discusses how we’re probing for psychosocial harms by investigating how chatbots reply to customers in misery. In the end, solely people can totally assess the vary of interactions that customers might need with AI techniques within the wild.

Pink crew tip: Undertake instruments like PyRIT to scale up operations however preserve people within the purple teaming loop for the best success at figuring out impactful AI security and safety vulnerabilities.

Takeaway 3: Protection in depth is essential for preserving AI techniques protected

Quite a few mitigations have been developed to deal with the protection and safety dangers posed by AI techniques. Nonetheless, it is very important do not forget that mitigations don’t get rid of threat solely. In the end, AI purple teaming is a steady course of that ought to adapt to the quickly evolving threat panorama and goal to boost the price of efficiently attacking a system as a lot as attainable.

  • Novel hurt classes: As AI techniques develop into extra refined, they typically introduce solely new hurt classes. For instance, one in every of our case research explains how we probed a state-of-the-art LLM for dangerous persuasive capabilities. AI purple groups should continuously replace their practices to anticipate and probe for these novel dangers.
  • Economics of cybersecurity: Each system is weak as a result of people are fallible, and adversaries are persistent. Nonetheless, you’ll be able to deter adversaries by elevating the price of attacking a system past the worth that might be gained. One strategy to increase the price of cyberattacks is through the use of break-fix cycles.1 This entails endeavor a number of rounds of purple teaming, measurement, and mitigation—generally known as “purple teaming”—to strengthen the system to deal with a wide range of assaults.
  • Authorities motion: Business motion to defend towards cyberattackers and
    failures is one aspect of the AI security and safety coin. The opposite aspect is
    authorities motion in a method that might deter and discourage these broader
    failures. Each private and non-private sectors must show dedication and vigilance, making certain that cyberattackers not maintain the higher hand and society at massive can profit from AI techniques which are inherently protected and safe.

Pink crew tip: Frequently replace your practices to account for novel harms, use break-fix cycles to make AI techniques as protected and safe as attainable, and spend money on strong measurement and mitigation methods.

Advance your AI purple teaming experience

The “Classes From Pink Teaming 100 Generative AI Merchandise” whitepaper consists of our AI purple crew ontology, extra classes realized, and 5 case research from our operations. We hope you’ll discover the paper and the ontology helpful in organizing your personal AI purple teaming workouts and creating additional case research by making the most of PyRIT, our open-source automation framework.

Collectively, the cybersecurity group can refine its approaches and share finest practices to successfully deal with the challenges forward. Obtain our purple teaming whitepaper to learn extra about what we’ve realized. As we progress alongside our personal steady studying journey, we’d welcome your suggestions and listening to about your personal AI purple teaming experiences.

Be taught extra with Microsoft Safety

To be taught extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our professional protection on safety issues. Additionally, observe us on LinkedIn (Microsoft Safety) and X (@MSFTSecurity) for the newest information and updates on cybersecurity.

¹ Phi-3 Security Submit-Coaching: Aligning Language Fashions with a “Break-Repair” Cycle