这篇重新定义了AI渗透测试,从入侵系统变成操纵行为,提示注入、数据投毒都算,还给了具体测试步骤和案例,搞AI安全可以看看。
传统渗透测试侧重评估对手能否通过漏洞获取资源,但AI系统中攻击者可通过提示注入、数据投毒、传感器操纵等路径改变行为而不入侵基础设施。论文重新定义AI系统渗透测试为操作目标驱动的行为评估,提出六步工作流:识别操作目标、映射AI行为、分析影响面、定义失败标准、执行场景测试、报告证据。以AI安全运营中心助手为例,演示提示注入可导致误判而不触发基础设施入侵。
Rethinking Penetration Testing for AI-Enabled Systems: From Resource Compromise to Behavioral Objective Violation
Penetration testing traditionally evaluates whether adversaries can exploit weaknesses in software, infrastructure, configurations, or operational controls to achieve security-relevant compromise. This paradigm remains necessary for AI-enabled systems, but it is no longer sufficient. In such systems, adversaries may influence prompts, retrieved content, sensor inputs, training data, memory, tools, or human-AI interaction loops to alter system behavior without directly compromising the underlying infrastructure. This paper reframes penetration testing for AI-enabled systems as objective-driven behavioral evaluation. We define an AI-enabled system as one in which learned models materially influence behavior affecting operational outcomes, and we define AI-enabled penetration as the feasible induction of AI-governed behavior that violates one or more operational objectives under an explicit threat model. This definition preserves conventional penetration testing while extending it to adversarial pathways such as prompt injection, indirect prompt injection, data poisoning, sensor manipulation, retrieval poisoning, tool misuse, and agentic misalignment. We further propose a testing workflow that identifies operational objectives, maps AI-governed behavior, analyzes adversarial influence surfaces, defines behavioral failure criteria, executes scenario-based tests, and reports evidence linking adversarial action to objective violation. A running example involving an AI-enabled security operations center assistant illustrates how penetration may occur through behavioral influence rather than infrastructure compromise. Together, the definitions, workflow, and example provide a technical framework for evaluating adversarial success in deployed AI-enabled systems.