BLOG

AI and ML Threat Modelling Resources

Threat modelling AI systems is a critical practice for understanding and mitigating potential vulnerabilities. This process involves identifying potential threats, assessing the risks, and developing strategies to defend against these threats. By proactively analysing the ways in which an AI system can be compromised, organizations can bolster their defences and ensure the integrity, confidentiality, and availability of their AI-driven solutions. Effective threat modelling not only addresses known attack vectors but also anticipates emerging threats, fostering a robust security posture in the ever-evolving landscape of AI technology.

ATLAS Matrix

ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of adversary tactics and techniques against AI-enabled systems, based on real-world attack observations and realistic demonstrations from AI red teams and security groups. The ATLAS Matrix shows the progression of tactics used in attacks.

https://atlas.mitre.org

The MIT – AI Risk Repository

The AI Risk Repository has three parts:

  • The AI Risk Database captures 1000+ risks extracted from 56 existing frameworks and classifications of AI risks
  • The Causal Taxonomy of AI Risks classifies how, when, and why these risks occur
  • The Domain Taxonomy of AI Risks classifies these risks into 7 domains (e.g., “Misinformation”) and 23 subdomains (e.g., “False or misleading information”)

https://airisk.mit.edu

The OWASP Gen AI Security Project

The OWASP Top 10 for LLM Applications list is a significant undertaking, built on the collective expertise of an international team of more than 500 experts and over 150 active contributors. Our contributors come from diverse backgrounds, including AI companies, security companies, ISVs, cloud hyperscalers, hardware providers, and academia.

https://genai.owasp.org

https://genai.owasp.org/llm-top-10-2023-24/

https://genai.owasp.org/2025/01/31/owasp-ai-security-guidelines-offer-a-supporting-foundation-for-new-uk-government-ai-security-guidelines/

Introduction to Steganography

In this talk the history and basic concept of steganography are explained. Steganography is the art and science of hidden communication. There are examples showing image and audio steganography. This video is a backup for a lecture to LMU SCDM 2020/21, just in case MS Teams / BB Collaborate doesn’t work on the day.

Covid, Cholera, Water Pumps and ATMs

After attending a talk on data visualisation I was reflecting on the work of John Snow and the early use of data visualisation via mapping in 1854. John produced maps showing the location of water pumps and the prevalence of cholera, which was causing many deaths at the time. By plotting the number of deaths as bars at their geographic location, together with the locations of water pumps, a pattern emerged. In particular it was noted that around a pump in Broad Street, Soho, there were a high number of deaths. At a brewery where workers had access to a private water supply there were fewer deaths. Up to that point the disease was thought to be spread through the air. By careful data collection, generating useful maps and gaining insight from the story they told, it was possible to trace the infection sources to poor water quality. Subsequent action taken directly from the data mapping saved numerous lives.


Disease mapping and the efforts of the track and trace app are the latest version of this effort to match disease data with geolocation. With Covid-19 infection data available for every postcode in the UK, what are today’s Broad Street water pump and Soho brewery equivalents? Interestingly, one of the services still in use during the lockdowns that also requires human contact is the ATM or cashpoint. It just so happens that both Google Maps and most of the banks provide this information via APIs. An interesting question is therefore: are there ATM and Covid-19 hotspots? Is there a relationship between the location and use of cashpoints and Covid-19 transmission? Are some machines cleaned more frequently than others, and does this matter? Are there any other services from which mapping data and Covid-19 infections can draw unexpected but useful insight?

To start the experiment, the first step is to collect the data. For me that means accessing APIs:

NHS Developer Portal

https://developer.api.nhs.uk/coronavirus


Banking APIs

https://developer.lloydsbank.com/

https://developer.santander.co.uk/sanuk/external/atms

https://developer.barclays.com/catalogue


The next step is to play around with these. If the most dangerous ATM in the country can be found, you’ll at least know whether to take one or two bottles of hand sanitiser with you the next time you use cash (if indeed you ever need to again!!!).


What if you needed to remain safe and secure online because your safety depended on it?

I attended a seminar today in which the role of identity was discussed in the context of gender. It was the first time I learnt the correct definition of gender vs. sex and gained an appreciation of how online and offline identity might play a role in people’s very personal journeys.

During the questions another interesting topic came up – if we had a general AI, what gender would it be?

As more of our lives and even our identities move online, it occurred to me that protection of a person’s online identities may have a safety implication, if not a privacy one. So as an exercise, the following links have been collated for me to share with those who ask for them:

Links

Get Safe Online – great all round privacy and protection advice

https://www.getsafeonline.org/

Digital privacy website

https://www.eff.org/

UK Government advice on staying safe with guides to each platform

https://www.ncsc.gov.uk/guidance/social-media-how-to-use-it-safely

Social media privacy guides from the Information Commissioner covering major platforms

https://ico.org.uk/your-data-matters/be-data-aware/social-media-privacy-settings/


Tools

The tools below are for when privacy becomes a priority beyond guarding against social engineering and casual snooping.

If your safety is dependent on your privacy, you should consider technology solutions beyond just the settings on your social media accounts.

Signal – secure messaging

https://signal.org/en/


Tor – secure anonymised browsing

https://tor.eff.org/

Encryption – storage and email

https://www.openpgp.org/

Secure/Transient OS

https://tails.boum.org/

Journalist tools

https://www.journaliststoolbox.org/2021/02/05/security-tools/

https://gcatoolkit.org/journalists/


Interesting Articles

Interesting intersection between privacy, consent to process and the work of researchers…

https://twitter.com/schulite/status/1357714009181605889?s=21

Do your online photos respect your privacy?

https://www.kaspersky.co.uk/blog/exif-privacy/7893/

Anonymous Location Data Problems

https://youtu.be/vaOXxahojhQ


The alignment problem: how can machines learn human values?

After reading the excellent Algorithms to Live By: The Computer Science of Human Decisions last year, I was pleased to see that Brian Christian (@brianchristian) not only has a new book out but was also presenting a virtual event at the Ri.

The presentation explored the ethical issues of Artificial Intelligence and what happens when it goes wrong, and is based on his new book The alignment problem: how can machines learn human values?

The presentation can be seen on the Ri YouTube channel

The journey starts in 1939 with Bertrand Russell, Walter Pitts and Warren McCulloch. Citing examples such as machine learning issues in the judicial system and racial bias, the discussion moved on to the two key challenges:

  1. The training data
  2. The objective function

Examples where issues with training data caused undesirable consequences included offensive misclassification of photos and even a self-driving car collision resulting in the death of a pedestrian.

Examples of objective function issues included ethical problems and how models can learn in unexpected ways to “game” the system, producing unexpected outcomes.

Worth the donation to watch!

Data Visualisation – Making the Invisible, Visible

I attended a fantastic Royal Institution event today: Data visualisation: seeing, sensing, stimulating from Valentina D’Efilippo (@defilippovale).

It started with historical context and problem solving in the 1800s. John Snow mapped the outbreak of cholera in Soho and noticed the proximity of high infection rates to certain street water pumps. Concentrations around Broad Street (today’s Broadwick Street) were observed as a source of the disease, which was confirmed when the pump handle was removed. Also noteworthy was the lack of cases at the nearby brewery, proving the health benefits of beer? A great early use of data science and visualisation.

Giving more modern examples, a plethora of Covid-19 data visualisation charts were shown, and the importance of these in telling the story of what is happening. The “flatten the curve” charts have been a really good visualisation and storytelling vehicle, with great impact on policy and the public response.

Overall, the importance of both hearts and minds was emphasised through the emphasis on both the Science and the Art. The science comprises data and statistics. The art is more concerned with graphic design and visual storytelling.

A few other noteworthy things to follow up in my notes:

William Playfair – The inventor of modern pie charts / graphing / charting

Global warming colour spectrum – a colour plot telling the compelling story of climate change

Data Design Principles

  • Data – as creative material
  • Design – as a tool to aid understanding

3 steps to an impactful visualisation:

  • See – make data visible
  • Sense – the implications should be clear
  • Stimulate – the data should drive action

The presenter has produced a book: Infographic History of the World

She gave three examples.

Example 1

Which was the most significant war? 133 wars, 95 M deaths.
She used inspiration from science, art and nature.
Looking at the poppy and its significance – using flower size, stem length and height to represent the data.

See http://poppyfield.org

Example 2

What would music look like through data visualisation?

Using David Bowie for inspiration and his song Space Oddity, which in turn was influenced by the film 2001: A Space Odyssey and by the 1960s Apollo Moon missions. Some of the techniques used included:

  • Zoom into the grooves!
  • Major Tom and Ground Control characters represented and their distance apart
  • Visual form to the music itself

Overall the data was the vehicle to explain human experiences.

Example 3

Social Media force for change – MeToomentum.com from the impactful movement from the Alyssa Milano tweet @Alyssa_Milano

The visualisation used the dandelion metaphor with the following attributes:

  • Spreading – geography
  • Rooting – what themes / what / where / who
  • Trending – popularity – loudest voices / re-tweets / followers

A powerful way to show that creators have the power to shape the way others understand the world!

A great summary at the end: data visualisation provides a snapshot of a complex world.

@defilippovale

Question and answer session:

Data for Change – hear the blind spot – google search this – bring data to life through sound

First thing to do when creating a visualisation:

Who are we talking to and what are we trying to do?

Tools

Visualisation book – Excel / Adobe Illustrator

For the websites and other projects:

D3 – JavaScript library and SVGs

Tableau

Datagraph

Dataillustrator Beta

Rawgraph.io

Also interesting

Mapping disease: John Snow and Cholera:

https://www.rcseng.ac.uk/library-and-publications/library/blog/mapping-disease-john-snow-and-cholera/

Your Safety Number Has Changed. Everyone is Joining Signal!

With the recent rush of people joining alternative messaging services following the WhatsApp privacy policy update, I thought I’d take a look at how the Signal protocol works. Luckily I didn’t need to look far, as the good folks at Computerphile have already created some excellent explanatory videos.

It provides the answers to the questions:

  • How does end to end encryption work even when the message recipient isn’t online?
  • What does it mean when I get “your safety number has changed” from a trusted contact?
  • How do group chats preserve security?

The rest of the story…

And group messaging…..
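The “safety number has changed” question above comes down to key fingerprints: each party’s long-term identity public key is reduced to a short string of digits, the two strings are combined so both phones show the same number, and the number changes whenever one side’s identity key changes (typically a reinstall or a new device). The block below is an added illustration written for this post, not Signal’s code; it follows the general shape of Signal’s numeric fingerprint (iterated SHA-512, 30 bytes rendered as 6 groups of 5 digits per party) but the iteration count, version prefix and the constructed keys are assumptions for the demo, and real clients use X25519 identity keys rather than byte ranges.

```python
import hashlib
import hmac

ITERATIONS = 5200  # assumption for this demo: many hash rounds slow down fingerprint collision search


def fingerprint_digits(identity_key: bytes, identifier: bytes, iterations: int = ITERATIONS) -> str:
    """Reduce one party's long-term identity public key (plus their identifier)
    to 30 decimal digits: iterate SHA-512, then take 6 chunks of 5 bytes mod 100000."""
    digest = hashlib.sha512(b"\x00\x00" + identity_key + identifier).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest + identity_key).digest()
    return "".join(
        f"{int.from_bytes(digest[i:i + 5], 'big') % 100000:05d}" for i in range(0, 30, 5)
    )


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Concatenate both fingerprints in sorted order, so Alice's phone and Bob's
    phone compute the identical 60-digit string without agreeing who goes first."""
    mine = fingerprint_digits(my_key, my_id)
    theirs = fingerprint_digits(their_key, their_id)
    return mine + theirs if mine < theirs else theirs + mine


def safety_numbers_match(shown: str, scanned: str) -> bool:
    """Compare a displayed number with one read off the other phone, in constant time."""
    return hmac.compare_digest(shown, scanned)


# Constructed keys (NOT real X25519 keys): deterministic so the demo is repeatable.
ALICE_KEY = bytes(range(32))
BOB_KEY = bytes(range(32, 64))
BOB_KEY_AFTER_REINSTALL = bytes(range(64, 96))  # a fresh identity key on a new install


def demo() -> dict:
    """Show why a reinstall on Bob's side makes Alice's client raise the warning."""
    before = safety_number(ALICE_KEY, b"alice", BOB_KEY, b"bob")
    from_bob = safety_number(BOB_KEY, b"bob", ALICE_KEY, b"alice")
    after = safety_number(ALICE_KEY, b"alice", BOB_KEY_AFTER_REINSTALL, b"bob")
    return {
        "same_on_both_phones": safety_numbers_match(before, from_bob),
        "changed_after_reinstall": not safety_numbers_match(before, after),
        "before": before,
        "after": after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical point for a defender: the warning itself is not evidence of an attack, but the only way to rule one out is an out-of-band comparison (in person, or over a call you trust) of the full number after the change, because a man-in-the-middle substituting keys would produce exactly the same alert as an innocent reinstall.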


Sampling Sound From Pictures

A great video from the excellent Computerphile channel came up in my YouTube feed today. It concerned turning pictures of sound waves back into audio files and was entitled How NOT to Sample Audio!

The basic method used was as follows:

  • Get a screen grab of a sound file waveform (in the time domain)
  • Loop through the columns of the BMP picture file to find and extract an approximation of the waveform
  • Brightness is used to tell the waveform apart from the background
  • A loop is used to pick out each column’s maximum and minimum heights
  • Store these values as the sound (basically a series of values)
  • To compensate for low resolution, a stretch is required, because the image has far fewer columns than an audio file has samples
  • Values are added between samples to enable the stretch
  • Add the WAV file header information to the series of numbers you have created
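The procedure above, carried through end to end as an added example written for this post (it is not the code from the video). A constructed in-memory image stands in for the screen grab, so it runs offline; decoding a real BMP into the same rows-of-brightness shape is the one step assumed rather than shown. The stretch is done by linear interpolation between neighbouring column samples, and Python’s standard wave module writes the RIFF/WAV header for 8-bit unsigned PCM.

```python
import io
import math
import wave

# Constructed stand-in for the screen grab: a list of rows of 8-bit brightness
# values (0 = black, 255 = white). A decoded BMP would be put into the same shape.
WIDTH, HEIGHT = 400, 100


def make_waveform_image(width=WIDTH, height=HEIGHT, cycles=5):
    """Draw a sine wave as a dark, 3-pixel-thick trace on a white background."""
    img = [[255] * width for _ in range(height)]
    mid = height // 2
    for x in range(width):
        y = mid - int(0.4 * height * math.sin(2 * math.pi * cycles * x / width))
        for dy in (-1, 0, 1):
            img[min(max(y + dy, 0), height - 1)][x] = 0
    return img


def extract_column_samples(img, threshold=128):
    """Walk the columns; pixels darker than `threshold` belong to the trace.
    Each column yields one sample in [-1, 1] from the midpoint of its lowest and
    highest trace rows (row 0 is the top of the image, so 'up' is positive)."""
    height, width = len(img), len(img[0])
    centre_row = (height - 1) / 2.0
    samples, last = [], 0.0
    for x in range(width):
        rows = [y for y in range(height) if img[y][x] < threshold]
        if rows:  # a column with no trace pixels just holds the previous value
            last = (centre_row - (min(rows) + max(rows)) / 2.0) / centre_row
        samples.append(last)
    return samples


def stretch(samples, factor):
    """Insert `factor - 1` linearly interpolated values between neighbours, so a
    few hundred pixel columns become enough samples to play at a sensible rate."""
    out = []
    for a, b in zip(samples, samples[1:]):
        out.extend(a + (b - a) * k / factor for k in range(factor))
    out.append(samples[-1])
    return out


def to_wav_bytes(samples, sample_rate=8000):
    """Quantise to 8-bit unsigned PCM (silence = 128) and let wave write the header."""
    pcm = bytes(max(0, min(255, int(round(127.5 + 127.5 * s)))) for s in samples)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)  # 1 byte per sample: the 8-bit sound the video mentions
        w.setframerate(sample_rate)
        w.writeframes(pcm)
    return buf.getvalue()


def image_to_wav(img, stretch_factor=10, sample_rate=8000):
    """The whole pipeline: columns -> samples -> stretched samples -> WAV bytes."""
    return to_wav_bytes(stretch(extract_column_samples(img), stretch_factor), sample_rate)


if __name__ == "__main__":
    with open("recovered.wav", "wb") as f:
        f.write(image_to_wav(make_waveform_image()))
```

With a 400-column image and a stretch factor of 10 you get 3,991 samples, which at 8 kHz is about half a second of audio; the fidelity ceiling is set by the pixel grid, which is exactly the point the video makes.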

In the example in the film, an 8-bit sound was generated from a 35k (ASCII) file. Clearly the accuracy of the picture-to-WAV conversion depends on the number of screen pixels used.

The result reminded me of the first voice synthesis I heard, from the Commodore 64 game Ghostbusters! The magic of hearing “you slimed me” is etched in my mind.

Reading the comments on the video I also noticed someone had mentioned a fascinating project called the Visual Microphone. A quick search of the internet revealed the following paper and website. The Visual Microphone: Passive Recovery of Sound from Video

http://people.csail.mit.edu/mrub/VisualMic/

That looks like the next rabbit hole to dive down…

Conference Paper Video With Bizarre Pandemic Timing

When you’re strange…

Possibly the oddest conference presentation ever. People from around the globe presenting papers remotely to an IEEE conference in China just after midnight on New Year’s Eve into New Year’s Day. The conference had to be postponed due to the pandemic, and the new timing meant my presentation had to be at a session starting at the very dawn of the new year, remote, and also that recordings had to be provided in case the tech failed (recording below). I’m not sure how many of the delegates and presenters were sober, but it made for a memorable, if strange, experience. Sorry, but I had to miss Jools Holland this time!

Paper ID: IEEE TrustCom 2020 

Title: Enhancing Cyber Security Using Audio Techniques: A Public Key Infrastructure for Sound

Conference: The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2020), Guangzhou, China, December 29, 2020 – January 1, 2021

Conference Website: http://www.ieee-trustcom.org/TrustCom…

Cyber Threat Modelling

As well as preparing a threat model for a new conceptual model I am developing for my research, I was recently asked to give an overview of how threat modelling can assist in architectural and design processes. The request was for a video presentation, so I had two reasons to revisit this topic. Time for revision!

So this post is a landing page for my unlisted YouTube video and useful links I might need to reference. In other words, more useful to me than anyone else who ends up here on their travels!

The video covers:

  • What is threat modelling?
  • What is it used for and why do it?
  • What is the link between threat intelligence and threat modelling?
  • What is the relationship between threat modelling and risk assessment?
  • Example
  • Emerging uses, techniques and tools
  • References & resources
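A worked example of the "Example" item above, added here as illustration (not from the video or any of the linked tools): STRIDE-per-element over a tiny data flow diagram, which is the approach the STRIDE slides linked later describe. Each kind of DFD element is checked against the STRIDE categories that apply to it (the applicability table is Adam Shostack's; the three-tier system, its trust zones and the element names are constructed for the demo), and flows that cross a trust boundary are surfaced first because that is where a review normally starts.

```python
from dataclasses import dataclass
from typing import List

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories are worth asking about for each kind of
# DFD element. Treat it as a checklist that prompts questions, not as a verdict.
APPLICABLE = {
    "external": "SR",     # people and third-party systems outside our control
    "process": "STRIDE",  # code we run
    "datastore": "TRID",  # files, databases, queues, logs
    "dataflow": "TID",    # data in transit between two elements
}


@dataclass
class Element:
    name: str
    kind: str   # one of the APPLICABLE keys
    zone: str   # trust zone, e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    name: str
    src: str    # Element.name
    dst: str    # Element.name


@dataclass
class Threat:
    target: str
    category: str
    crosses_boundary: bool

    def describe(self) -> str:
        where = " (crosses trust boundary)" if self.crosses_boundary else ""
        return f"{STRIDE[self.category]} against {self.target}{where}"


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Produce one candidate threat per (element, applicable STRIDE category).
    Unknown element kinds or flows to unnamed elements are modelling errors."""
    zones = {}
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        zones[e.name] = e.zone
    threats = [Threat(e.name, cat, False) for e in elements for cat in APPLICABLE[e.kind]]
    for f in flows:
        if f.src not in zones or f.dst not in zones:
            raise ValueError(f"flow {f.name} references an element not in the model")
        crosses = zones[f.src] != zones[f.dst]
        threats.extend(Threat(f.name, cat, crosses) for cat in APPLICABLE["dataflow"])
    return threats


def boundary_crossing_first(threats: List[Threat]) -> List[Threat]:
    """Order the list so boundary-crossing flows come first, then by target and category."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


# Constructed three-tier example: browser -> web app -> database, three trust zones.
EXAMPLE_ELEMENTS = [
    Element("browser", "external", "internet"),
    Element("webapp", "process", "dmz"),
    Element("db", "datastore", "internal"),
]
EXAMPLE_FLOWS = [
    Flow("browser->webapp", "browser", "webapp"),
    Flow("webapp->db", "webapp", "db"),
]

if __name__ == "__main__":
    for t in boundary_crossing_first(enumerate_threats(EXAMPLE_ELEMENTS, EXAMPLE_FLOWS)):
        print(t.describe())
```

Running it lists 18 candidate threats for the toy system; the value of the exercise is in the next step the tool cannot do for you, deciding for each one whether it is mitigated, accepted or needs a design change, and recording that decision.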

Links and resources:

Link between TM and Risk:

https://www2.cso.com.au/article/664928/link-between-threat-modelling-risk-management/

Microsoft tooling:

https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling

https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool

https://docs.microsoft.com/en-us/archive/msdn-magazine/2009/january/security-briefs-getting-started-with-the-sdl-threat-modeling-tool

Learning TM:

https://medium.com/@roberthurlbut/learning-about-threat-modeling-3f6811e7520c

https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat-modeling.pdf

OWASP Application Threat Modelling

https://owasp.org/www-community/Application_Threat_Modeling

CIS Benchmarks

https://www.cisecurity.org/cis-benchmarks/

STRIDE Threat Modelling with Examples

https://www2.slideshare.net/GirindroPringgoDigdo/threat-modeling-using-stride?from_action=save

Adam Shostack

https://adam.shostack.org/blog/category/threat-modeling/