Inferensys

Glossary

STRIDE

STRIDE is a threat modeling framework developed by Microsoft that categorizes security threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
Governance lead reviewing model governance framework on laptop, policy documents visible, executive office setup.
THREAT MODELING FRAMEWORK

What is STRIDE?

STRIDE is a threat modeling framework developed by Microsoft that categorizes security threats into six distinct types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.

STRIDE is a structured threat classification methodology used to systematically identify and enumerate security vulnerabilities during the design phase of a system. Each letter corresponds to a specific violation of a desired security property: Spoofing violates authenticity, Tampering violates integrity, Repudiation violates non-repudiation, Information Disclosure violates confidentiality, Denial of Service violates availability, and Elevation of Privilege violates authorization.

Applied to machine learning pipelines, STRIDE helps security engineers map threats such as data poisoning attacks against training integrity (Tampering), model inversion attacks extracting sensitive information (Information Disclosure), and adversarial examples causing misclassification (Denial of Service). The framework integrates with data flow diagrams to pinpoint where each threat category manifests, enabling targeted deployment of defenses like data provenance verification and robust aggregation.

THREAT MODELING FRAMEWORK

The Six STRIDE Threat Categories

STRIDE is a threat modeling framework developed by Microsoft that categorizes security threats into six distinct types. Each category maps to a specific security property that can be violated, providing a systematic approach to identifying vulnerabilities in software systems.

01

Spoofing

Spoofing violates the security property of authenticity. An attacker pretends to be a different person, system, or entity to gain unauthorized access.

  • Examples: Using stolen credentials, forging an IP address, or presenting a fake biometric sample
  • In ML systems: An adversary impersonates a legitimate federated learning client to inject poisoned model updates
  • Mitigation: Strong authentication protocols, multi-factor authentication, and cryptographic signatures
02

Tampering

Tampering violates the security property of integrity. An attacker maliciously modifies data, code, or model parameters in transit or at rest.

  • Examples: Modifying training data labels, altering model weights during deployment, or injecting backdoor triggers
  • In ML pipelines: An adversary intercepts and alters a serialized model file before it reaches the inference server
  • Mitigation: Artifact signing, checksums, and tamper-evident logging
03

Repudiation

Repudiation violates the security property of non-repudiability. A malicious actor performs an action but denies having done so, and the system lacks sufficient proof to attribute the action.

  • Examples: Deleting audit logs, submitting poisoned data without traceability, or denying a model inference request was made
  • In ML governance: A data engineer alters a training dataset and claims the original version was used, with no data provenance records to disprove the claim
  • Mitigation: Immutable audit trails, digital signatures on all artifacts, and secure logging
04

Information Disclosure

Information Disclosure violates the security property of confidentiality. An attacker gains unauthorized access to sensitive data, model parameters, or intellectual property.

  • Examples: Extracting training data via model inversion attacks, inferring membership through membership inference probes, or stealing proprietary model weights
  • In privacy-preserving ML: An adversary queries a model API and reconstructs faces from a facial recognition training set
  • Mitigation: Differential privacy, homomorphic encryption, and output perturbation
05

Denial of Service

Denial of Service violates the security property of availability. An attacker overwhelms system resources to prevent legitimate users from accessing the service.

  • Examples: Flooding a model inference API with requests, triggering computationally expensive adversarial inputs, or exploiting memory leaks
  • In ML operations: An adversary submits sponge examples—inputs specifically designed to maximize energy consumption and latency during inference
  • Mitigation: Rate limiting, input validation, resource quotas, and auto-scaling infrastructure
06

Elevation of Privilege

Elevation of Privilege violates the security property of authorization. An attacker gains permissions beyond what they are legitimately entitled to, enabling broader system compromise.

  • Examples: Exploiting a vulnerability to escalate from a read-only data scientist role to a model deployment admin, or bypassing access controls on a training pipeline
  • In ML platforms: An attacker compromises a Jupyter notebook with limited permissions and exploits a container escape to access the underlying Trusted Execution Environment
  • Mitigation: Principle of least privilege, role-based access control, and regular privilege audits
THREAT MODELING FOR ML

Applying STRIDE to Machine Learning Pipelines

A systematic adaptation of Microsoft's STRIDE threat modeling framework to identify and categorize security threats unique to machine learning systems, from data ingestion to model deployment.

STRIDE is a threat modeling framework that categorizes security threats into six dimensions: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. When applied to ML pipelines, STRIDE maps each category to specific attack vectors—such as data poisoning as tampering or model inversion as information disclosure—providing a structured methodology for security engineers to systematically audit every component of the ML lifecycle.

In practice, STRIDE analysis on an ML system examines threats like spoofing of training data sources, tampering with model weights during transfer, repudiation of inference decisions without cryptographic logging, information disclosure through membership inference attacks, denial of service via adversarial examples that degrade availability, and elevation of privilege through prompt injection that bypasses model constraints. This framework integrates directly with MITRE ATLAS to map identified threats to known adversarial tactics.

STRIDE THREAT MODELING

Frequently Asked Questions

Clear, technical answers to the most common questions about Microsoft's STRIDE framework for identifying and categorizing security threats in machine learning and software systems.

STRIDE is a threat classification framework developed by Microsoft that categorizes security threats into six distinct types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. The framework works by systematically decomposing a system into its component elements—data flows, data stores, processes, and external entities—and then mapping each element to the specific threat categories that apply to it. For each element-threat pair, the security engineer asks a structured question: for example, 'Can an attacker spoof the identity of this external entity?' or 'Can data flowing between these processes be tampered with in transit?' This methodical approach ensures comprehensive threat coverage without relying on the analyst's ability to brainstorm attacks from scratch. In the context of machine learning pipelines, STRIDE extends naturally to cover threats like model weight tampering, training data spoofing, and inference API denial of service.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.