Inferensys

Glossary

Threat Model

A formal characterization of an adversary's capabilities, goals, and knowledge, defining the assumptions under which a system's security is evaluated.
Knowledge manager reviewing enterprise knowledge management system on laptop, document library visible, casual office.
ADVERSARIAL SECURITY FRAMEWORK

What is a Threat Model?

A threat model is a formal characterization of an adversary's capabilities, goals, and knowledge, defining the security assumptions under which a system is evaluated.

A threat model formally defines the attacker's knowledge (white-box vs. black-box access), goal (targeted misclassification vs. availability disruption), and capability (perturbation budget under an Lp norm). This structured framework establishes the precise security boundary and trust assumptions for evaluating a machine learning system's resilience.

Without a rigorous threat model, adversarial robustness claims are meaningless. A defense against a weak Fast Gradient Sign Method (FGSM) attacker may fail trivially against a stronger Projected Gradient Descent (PGD) adversary. The model dictates the evaluation protocol, ensuring that security metrics like certified robustness are measured against a realistic, well-defined opponent.

FORMALIZING THE ADVERSARY

Core Dimensions of a Threat Model

A threat model is a structured representation of an adversary's capabilities, goals, and knowledge. It defines the precise security assumptions under which a system's defenses are evaluated, moving security from guesswork to rigorous engineering.

01

Adversarial Goal

Defines the security violation the attacker aims to achieve. This dimension specifies whether the adversary seeks integrity violation (triggering misclassification without detection), availability violation (causing denial of service), or privacy violation (extracting sensitive training data).

  • Targeted: Force a specific incorrect output (e.g., classify a stop sign as a speed limit sign)
  • Untargeted: Cause any misclassification
  • Model Extraction: Steal the model's functionality via API queries
  • Membership Inference: Determine if a record was in the training set
Integrity
Most Common Goal
Confidentiality
Privacy Attacks
02

Adversarial Knowledge

Characterizes the information available to the attacker about the target system. This spectrum ranges from white-box (full access to architecture, weights, and gradients) to black-box (only input-output query access).

  • White-Box: Attacker has complete knowledge of model architecture, parameters, and training algorithm. Enables gradient-based attacks like FGSM and PGD.
  • Black-Box: Attacker can only query the model API and observe outputs. Requires transfer attacks or score-based optimization.
  • Gray-Box: Partial knowledge, such as knowing the architecture but not the weights, or having access to confidence scores but not gradients.
White-Box
Strongest Attacker Model
Black-Box
Most Realistic Scenario
03

Adversarial Capability

Specifies the constraints and resources available to the attacker when manipulating inputs. This is formalized mathematically using Lp norm bounds that limit perturbation magnitude.

  • L-infinity (L∞): Limits the maximum change to any single pixel or feature. Common bound: ε = 8/255 for images.
  • L2: Constrains the Euclidean distance of the perturbation vector.
  • L0: Limits the number of pixels or features that can be modified.
  • Physical Constraints: For real-world attacks, includes robustness to lighting, angle, and printability (e.g., adversarial patches).
  • Query Budget: In black-box settings, limits the number of API calls allowed.
ε = 8/255
Standard L∞ Bound
L0, L2, L∞
Common Norms
04

Attack Surface

Identifies the entry points where an adversary can interact with the ML system. This dimension maps the pipeline stages vulnerable to manipulation.

  • Training-Time: Attacker poisons the dataset or modifies pre-trained weights before deployment. Includes backdoor injection and data poisoning.
  • Inference-Time: Attacker crafts adversarial examples at prediction time. The model is frozen, but inputs are manipulated.
  • Supply Chain: Compromise of third-party models, libraries, or datasets before integration.
  • API Exploitation: Query-based attacks that extract model behavior or training data through the inference endpoint.
Training
Backdoor Injection
Inference
Evasion Attacks
05

Defender's Assumptions

Explicitly states what the defender can and cannot do, establishing the baseline for security guarantees. This prevents evaluating defenses under unrealistic conditions.

  • Data Sanitization: Can the defender filter or clean training data? If not, poisoning defenses must be robust to raw inputs.
  • Model Access: Is the model publicly deployed or gated behind authentication?
  • Detection Capability: Can the defender detect attacks in real-time, or must the model be inherently robust?
  • Retraining Frequency: How often can the model be updated to patch vulnerabilities?
  • Gradient Obfuscation: Explicitly note if gradients are hidden—this is often a brittle defense (gradient masking) that fails against black-box transfer attacks.
Certified
Provable Guarantees
Empirical
Tested Defenses
THREAT MODELING ESSENTIALS

Frequently Asked Questions

A threat model is the foundational blueprint for any security evaluation, defining the assumptions about an adversary's capabilities, goals, and knowledge. Understanding these formal characterizations is critical for security engineers and CTOs evaluating the robustness of preemptive algorithmic defenses.

A threat model is a formal characterization of an adversary's capabilities, goals, and knowledge, defining the precise assumptions under which a system's security is evaluated. It establishes the rules of engagement by specifying what an attacker can observe, modify, and access. In machine learning, this includes defining the attack surface (training data, model weights, inference API), the adversarial objective (integrity violation, privacy breach, availability disruption), and the capability constraints (Lp-norm budget, query limits, computational resources). Without a rigorous threat model, security claims are meaningless, as a defense against a weak attacker offers no guarantee against a sophisticated one.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.