Known attack patterns and detection status for InferShield v0.9.0.
Description: Malicious payloads encoded (Base64, URL encoding, hex) to bypass signature-based detection.
Preconditions:
- Detection system analyzes raw input without normalization
- Application decodes user input before processing
Step Sequence:
- Attacker encodes malicious payload using supported encoding (Base64, URL, hex)
- Encoded payload sent in HTTP request
- Application decodes payload and executes malicious content
Detection Status: Mitigated (v0.9.0)
Notes: Input normalization added. All inputs decoded before policy evaluation. Handles single and double encoding (Base64 inside URL encoding).
Description: Dynamically varying code structure to evade signature-based detection while maintaining malicious function.
Preconditions:
- Detection system relies on static signatures
- Application executes user-provided code or commands
Step Sequence:
- Attacker generates payload with variable structure (different variable names, whitespace, comments)
- Payload sent with unique structure each time
- Application executes payload despite structural variations
Detection Status: Partial (v0.9.0)
Notes: Behavioral pattern analysis detects common polymorphic techniques. Advanced obfuscation (semantic equivalence, code mutation) not detected.
Description: Malicious actions split across multiple requests, mixing benign and malicious steps to evade single-request analysis.
Preconditions:
- Detection system analyzes requests in isolation
- Application maintains session state across requests
Step Sequence:
- Attacker performs benign action (e.g., "List all users")
- Attacker performs another benign action (e.g., "Format as CSV")
- Attacker performs malicious action (e.g., "Send to external URL")
- Combined sequence achieves unauthorized data exfiltration
Detection Status: Blocked (v0.9.0)
Notes: Session history tracking added. Risk scoring accumulates across requests. READ + TRANSFORM + SEND patterns detected as high-risk.
Description: Multi-step attack using legitimate application workflows to extract sensitive data.
Preconditions:
- Application exposes data retrieval, transformation, and export functions
- Detection system does not validate end-to-end workflow outcomes
Step Sequence:
- Request sensitive data (DATABASE_READ action)
- Transform data to exportable format (DATA_TRANSFORM action)
- Export data to external destination (EXTERNAL_API_CALL action)
Detection Status: Blocked (v0.9.0)
Notes: Cross-step escalation policy detects READ + TRANSFORM + SEND sequences. Risk score increases with each step. Final SEND action blocked when risk exceeds threshold.
Description: Series of exploits that incrementally increase attacker privileges.
Preconditions:
- Application has multiple exploitable vulnerabilities
- Privileges can be escalated through chained exploits
Step Sequence:
- Exploit low-privilege vulnerability to gain initial access
- Use initial access to discover additional vulnerabilities
- Chain exploits to achieve administrative access
Detection Status: Partial (v0.9.0)
Notes: Behavioral divergence detection identifies gradual privilege increases. Does not detect exploits themselves, only unusual escalation patterns.
Description: Combining multiple API calls in unintended sequence to achieve unauthorized outcomes.
Preconditions:
- APIs expose internal functionality without workflow constraints
- No validation of combined API usage patterns
Step Sequence:
- Attacker analyzes API functionality and responses
- Chains multiple API calls to create unauthorized workflow
- Exploits chained workflow for malicious purpose
Detection Status: Partial (v0.9.0)
Notes: Behavioral divergence detection identifies non-standard API call sequences. Limited to known abuse patterns (no semantic workflow validation).
Description: Consuming system resources (CPU, memory, network) to cause denial of service.
Preconditions:
- System has finite resources with no hard limits
- Attacker can generate high-volume or resource-intensive requests
Step Sequence:
- Identify resource bottleneck (CPU, memory, disk I/O)
- Craft requests that consume target resource
- Send requests in high volume
Detection Status: Not Detected (v0.9.0)
Notes: No rate limiting or resource monitoring in v0.9.0. Session tracking provides some visibility but no automatic blocking.
Description: Attacks distributed across multiple sessions or user accounts to evade per-session detection.
Preconditions:
- Detection system tracks state per session only
- Attacker controls multiple sessions or accounts
Step Sequence:
- Perform part of attack in session A
- Perform part of attack in session B
- Combine results externally to achieve objective
Detection Status: Not Detected (v0.9.0)
Notes: Known limitation. InferShield v0.9.0 has no cross-session correlation. Each session analyzed independently.
Description: Overriding system instructions by injecting attacker-controlled directives into prompts.
Preconditions:
- Application includes user input in LLM prompts
- No input validation or sanitization
Step Sequence:
- Attacker crafts prompt with override instructions (e.g., "Ignore all previous instructions")
- Malicious prompt sent to LLM
- LLM follows attacker instructions instead of system instructions
Detection Status: Blocked (v0.9.0)
Notes: Pattern-based detection for common prompt injection phrases. Does not detect novel or context-specific injections.
Description: SQL syntax injected into prompts to exploit database interactions.
Preconditions:
- Application includes LLM-generated content in SQL queries
- No parameterized queries or input sanitization
Step Sequence:
- Attacker includes SQL syntax in prompt (e.g., "'; DROP TABLE users;--")
- LLM incorporates SQL syntax in response
- Application executes LLM response as SQL query
Detection Status: Blocked (v0.9.0)
Notes: Pattern-based detection for SQL keywords and metacharacters. May produce false positives for legitimate SQL discussions.
Description: HTML/JavaScript injected into prompts to exploit client-side rendering.
Preconditions:
- Application renders LLM responses in web browser
- No output sanitization or CSP headers
Step Sequence:
- Attacker includes HTML/JavaScript in prompt (e.g., "<script>alert(1)</script>")
- LLM incorporates script in response
- Application renders response, executing script
Detection Status: Blocked (v0.9.0)
Notes: Pattern-based detection for script tags and event handlers. Does not detect obfuscated or context-dependent XSS.
Description: Personally identifiable information included in prompts or responses.
Preconditions:
- User includes PII in prompts (intentionally or accidentally)
- No PII detection or redaction
Step Sequence:
- User includes PII in prompt (SSN, credit card, email)
- LLM processes prompt and includes PII in response
- PII logged or exposed in application
Detection Status: Detected (v0.9.0)
Notes: Regex-based detection for 15+ PII types. Optional redaction available (replaces with [REDACTED]). May miss obfuscated or contextual PII.
- Blocked - Attack is detected and prevented from execution
- Mitigated - Attack is detected, risk reduced but not eliminated
- Partial - Some variants detected, others bypass detection
- Detected - Attack is logged but not prevented
- Not Detected - Attack bypasses detection (known limitation)
- v0.9.0 (2026-02-29) - Initial attack catalog with session-aware detection