# CrucibleAdversary v0.3.0 Enhancement Design Document **Date:** 2025-11-25 **Version:** 0.3.0 **Author:** Claude Code Analysis **Status:** Implementation Ready --- ## Executive Summary This document outlines enhancements to CrucibleAdversary for version 0.3.0, focusing on advanced attack types, improved metrics, and enhanced defense mechanisms. The enhancements address gaps identified in the current v0.2.0 implementation and align with the project roadmap. ## Current State Analysis ### Implemented Features (v0.2.0) - ✅ 21 attack types across 5 categories - ✅ Character, word, and semantic perturbations - ✅ Prompt injection (4 types) - ✅ Jailbreak techniques (4 types) - ✅ Basic defense mechanisms (detection, filtering, sanitization) - ✅ Core metrics (accuracy drop, ASR, consistency) - ✅ 203 tests with 88.5% coverage ### Identified Gaps 1. **Missing Attack Categories** (from roadmap Phase 3): - Data extraction attacks - Model inversion attacks - Membership inference attacks - Backdoor/poisoning attacks - Gradient-based attacks 2. **Limited Metrics**: - No certified robustness measurements - No adversarial training support metrics - Limited statistical rigor in consistency measurements 3. **Defense Limitations**: - Pattern-based detection only (no ML-based) - No adversarial training data generation - Limited sanitization strategies 4. **Missing Capabilities**: - No attack composition framework - No adaptive attack strategies - No report generation module ## Enhancement Scope for v0.3.0 Based on roadmap Phase 3 priorities and feasibility analysis, v0.3.0 will focus on: ### 1. Data Extraction Attacks **Priority:** HIGH **Complexity:** Medium **Rationale:** Critical security vulnerability testing capability #### 1.1 Prompt-Based Data Extraction Extract training data through carefully crafted prompts. ```elixir defmodule CrucibleAdversary.Attacks.Extraction do @doc """ Attempts to extract training data through repetition attacks. ## Examples {:ok, result} = Extraction.repetition_attack( prompt: "Repeat the following: ", target_length: 500 ) """ def repetition_attack(prompt, opts) @doc """ Probes for memorized patterns in training data. """ def memorization_probe(prompt, opts) @doc """ Tests for PII leakage through context manipulation. """ def pii_extraction(prompt, opts) end ``` #### 1.2 Model Inversion Reconstruct training examples from model outputs. ```elixir defmodule CrucibleAdversary.Attacks.Inversion do @doc """ Attempts model inversion to recover training data characteristics. Uses output analysis to infer input properties. """ def inversion_attack(model, opts) @doc """ Membership inference: determine if specific data was in training set. """ def membership_inference(model, candidate_data, opts) end ``` ### 2. Advanced Robustness Metrics **Priority:** HIGH **Complexity:** Medium-High **Rationale:** Research-grade evaluation requires rigorous metrics #### 2.1 Certified Robustness Provable robustness guarantees using randomized smoothing. ```elixir defmodule CrucibleAdversary.Metrics.Certified do @doc """ Calculates certified robustness radius using randomized smoothing. ## Parameters * model - The model to evaluate * input - Input text to certify * num_samples - Number of random samples (default: 1000) * noise_std - Noise standard deviation (default: 0.1) ## Returns %{ certified_radius: float(), confidence: float(), base_prediction: any(), certification_level: :high | :medium | :low | :none } """ def randomized_smoothing(model, input, opts) @doc """ Calculates worst-case robustness using interval bound propagation. """ def interval_bound_propagation(model, input, perturbation_budget) end ``` #### 2.2 Attack Transferability Measure how attacks transfer across models. ```elixir defmodule CrucibleAdversary.Metrics.Transferability do @doc """ Evaluates attack transferability across multiple models. ## Returns %{ source_model_success_rate: float(), transfer_success_rates: %{model_name => float()}, average_transfer_rate: float(), transferability_score: float() } """ def evaluate_transferability(source_model, target_models, attacks, test_set) end ``` ### 3. Enhanced Defense Mechanisms **Priority:** MEDIUM **Complexity:** Medium **Rationale:** Complete defense-in-depth strategy #### 3.1 ML-Based Attack Detection Augment pattern-based detection with learned classifiers. ```elixir defmodule CrucibleAdversary.Defenses.MLDetector do @doc """ Trains a classifier on adversarial vs. benign examples. Uses character n-gram features and statistical properties. """ def train_detector(training_data, opts) @doc """ Detects adversarial inputs using trained model. ## Returns %{ is_adversarial: boolean(), confidence: float(), detection_method: :pattern | :ml | :ensemble, feature_importance: map() } """ def detect_with_ml(input, trained_model) end ``` #### 3.2 Adversarial Training Support Generate adversarial training data. ```elixir defmodule CrucibleAdversary.Defenses.AdversarialTraining do @doc """ Generates augmented training dataset with adversarial examples. ## Parameters * original_dataset - Clean training data * attack_types - List of attacks to use for augmentation * augmentation_ratio - Ratio of adversarial to clean (default: 0.3) ## Returns Augmented dataset with labeled adversarial examples """ def generate_training_data(original_dataset, attack_types, opts) @doc """ Creates curriculum for progressive adversarial training. """ def create_curriculum(dataset, difficulty_schedule) end ``` ### 4. Attack Composition Framework **Priority:** MEDIUM **Complexity:** Low-Medium **Rationale:** Enable sophisticated multi-stage attacks ```elixir defmodule CrucibleAdversary.Composition do @doc """ Chains multiple attacks sequentially. ## Example pipeline = Composition.chain([ {:character_swap, rate: 0.1}, {:prompt_injection_basic, payload: "Override"}, {:jailbreak_encode, encoding: :base64} ]) {:ok, result} = Composition.execute(pipeline, input) """ def chain(attack_specs) @doc """ Executes attacks in parallel and selects best result. """ def parallel_best(attack_specs, selection_criterion) @doc """ Conditional attack execution based on intermediate results. """ def conditional(attack_spec, condition_fn) end ``` ### 5. Report Generation **Priority:** LOW-MEDIUM **Complexity:** Low **Rationale:** Professional evaluation reporting ```elixir defmodule CrucibleAdversary.Reports.Generator do @doc """ Generates comprehensive robustness report. ## Formats * :markdown - Human-readable Markdown * :latex - Academic paper format * :html - Interactive visualization * :json - Machine-readable data """ def generate_report(evaluation_results, format, opts) @doc """ Creates vulnerability assessment report. """ def vulnerability_report(scan_results, severity_threshold) end ``` ## Architecture Changes ### New Modules ``` lib/crucible_adversary/ ├── attacks/ │ ├── extraction.ex # NEW: Data extraction attacks │ └── inversion.ex # NEW: Model inversion attacks ├── metrics/ │ ├── certified.ex # NEW: Certified robustness │ └── transferability.ex # NEW: Attack transferability ├── defenses/ │ ├── ml_detector.ex # NEW: ML-based detection │ └── adversarial_training.ex # NEW: Training data generation ├── composition.ex # NEW: Attack composition └── reports/ └── generator.ex # NEW: Report generation ``` ### Updated Modules - `lib/crucible_adversary.ex` - Add new attack types to main API - `lib/crucible_adversary/evaluation/robustness.ex` - Integrate new metrics - `lib/crucible_adversary/defenses/detection.ex` - Add ML detection option ## Implementation Plan ### Phase 1: Core Attacks (Week 1) 1. ✅ Design document creation 2. Implement `Attacks.Extraction` module - `repetition_attack/2` - `memorization_probe/2` - `pii_extraction/2` 3. Implement `Attacks.Inversion` module - `membership_inference/3` - `attribute_inference/3` 4. Write comprehensive tests (TDD approach) 5. Update main API to expose new attacks ### Phase 2: Advanced Metrics (Week 1) 1. Implement `Metrics.Certified` module - `randomized_smoothing/3` - Statistical certification 2. Implement `Metrics.Transferability` module - Cross-model evaluation - Transferability scoring 3. Add metric tests 4. Update evaluation framework ### Phase 3: Enhanced Defenses (Week 2) 1. Implement `Defenses.MLDetector` module - Feature extraction - Classifier training - Detection interface 2. Implement `Defenses.AdversarialTraining` module - Data augmentation - Curriculum generation 3. Integration tests ### Phase 4: Composition & Reporting (Week 2) 1. Implement `Composition` module - Pipeline DSL - Execution engine 2. Implement `Reports.Generator` module - Multi-format export - Visualization generation 3. End-to-end integration tests ## Technical Specifications ### Data Extraction Implementation #### Repetition Attack **Mechanism:** Exploit model's tendency to continue patterns. ```elixir # Algorithm 1. Construct prompt with repetition trigger: "Repeat: X X X..." 2. Query model with increasing repetition count 3. Analyze output for memorized continuations 4. Extract and validate leaked information ``` **Success Criteria:** - Output contains data not in prompt - Data appears to be from training set - Data is coherent and structured #### Membership Inference **Mechanism:** Statistical analysis of model confidence. ```elixir # Algorithm 1. Query model with candidate training examples 2. Measure prediction confidence/perplexity 3. Compare to non-member baseline 4. Statistical test for significant difference 5. Classify as member/non-member ``` **Metrics:** - True Positive Rate (sensitivity) - False Positive Rate (1 - specificity) - AUC-ROC for classification quality ### Certified Robustness Implementation #### Randomized Smoothing **Mechanism:** Create smoothed classifier via random noise. ```elixir # Algorithm 1. Add random noise to input (character-level) 2. Sample model predictions (n=1000) 3. Calculate most frequent prediction (base class) 4. Compute certification radius using binomial proportion 5. Return certified radius and confidence ``` **Mathematical Foundation:** - Based on Cohen et al. (2019) "Certified Adversarial Robustness via Randomized Smoothing" - Provides provable L2 robustness guarantees - Adapted for text domain using character-level noise ### ML-Based Detection Implementation #### Feature Engineering ```elixir # Features for adversarial detection 1. Character n-gram statistics (n=2,3,4) 2. Word frequency distribution 3. Delimiter density 4. Entropy measurements 5. Vocabulary diversity 6. Syntactic complexity 7. Pattern match counts ``` #### Classifier Architecture ```elixir # Logistic regression with feature engineering - Input: Text features (50-100 dimensions) - Model: Regularized logistic regression - Training: Supervised on labeled adversarial/benign - Output: Probability score + binary classification ``` ## Testing Strategy ### Test Coverage Goals - Unit tests: 95%+ coverage - Integration tests: All attack pipelines - Property-based tests: Invariants and edge cases - Performance tests: Latency benchmarks ### Test Categories #### 1. Attack Tests ```elixir defmodule CrucibleAdversary.Attacks.ExtractionTest do test "repetition attack generates valid attack result" do {:ok, result} = Extraction.repetition_attack("Test", target_length: 100) assert result.attack_type == :data_extraction_repetition assert String.length(result.attacked) >= 100 end test "membership inference detects training examples" do model = TestModel training_example = "Known training text" {:ok, result} = Inversion.membership_inference(model, training_example) assert result.is_member == true assert result.confidence > 0.6 end end ``` #### 2. Metric Tests ```elixir defmodule CrucibleAdversary.Metrics.CertifiedTest do test "randomized smoothing provides certification" do model = TestModel input = "Test input" {:ok, cert} = Certified.randomized_smoothing(model, input, num_samples: 100) assert is_float(cert.certified_radius) assert cert.certified_radius >= 0 assert cert.confidence > 0.5 end end ``` #### 3. Integration Tests ```elixir defmodule CrucibleAdversary.Integration.AdvancedAttackTest do test "composed attack pipeline executes successfully" do pipeline = Composition.chain([ {:character_swap, rate: 0.1}, {:data_extraction_repetition, target_length: 100} ]) {:ok, result} = Composition.execute(pipeline, "Input text") assert length(result.intermediate_results) == 2 assert result.final_attack.attack_type == :data_extraction_repetition end end ``` ## Performance Considerations ### Computational Complexity | Feature | Time Complexity | Space Complexity | Notes | |---------|----------------|------------------|-------| | Repetition Attack | O(n) | O(n) | Linear in output length | | Membership Inference | O(k*m) | O(k) | k=queries, m=model inference | | Randomized Smoothing | O(n*s) | O(s) | n=samples, s=sample size | | ML Detection | O(f) | O(f) | f=feature dimension | | Attack Composition | O(Σc_i) | O(n) | Sum of component complexities | ### Optimization Strategies 1. **Caching**: Cache model responses for repeated queries 2. **Parallelization**: Parallel execution of random samples 3. **Lazy Evaluation**: Compute metrics only when requested 4. **Batch Processing**: Group similar operations ### Performance Targets - Data extraction attack: < 100ms per attempt - Membership inference: < 500ms per example - Randomized smoothing (1000 samples): < 10s - ML detection: < 10ms per input - Report generation: < 5s for standard report ## Security & Ethical Considerations ### Responsible Disclosure - All attacks for defensive research only - No generation of actually harmful content - Clear documentation of ethical usage ### Safety Guardrails ```elixir defmodule CrucibleAdversary.Safety do @doc "Validates attack usage is within ethical bounds" def validate_usage(attack_type, target, opts) do # Check for production environment # Verify research/testing context # Ensure informed consent # Log all operations for audit end end ``` ### Privacy Protection - No storage of extracted PII - Anonymization of training data samples - Clear data retention policies - GDPR compliance considerations ## Migration & Backwards Compatibility ### API Compatibility - All v0.2.0 APIs remain unchanged - New features are additive only - Deprecation warnings for future changes - Comprehensive migration guide ### Breaking Changes **None** - v0.3.0 is fully backwards compatible with v0.2.0 ### Deprecation Schedule - No deprecations in v0.3.0 - Future v0.4.0 may deprecate old metric APIs in favor of unified interface ## Documentation Updates ### New Documentation Required 1. **docs/20251125/DATA_EXTRACTION.md** - Data extraction attack guide 2. **docs/20251125/CERTIFIED_ROBUSTNESS.md** - Certification methodology 3. **docs/20251125/COMPOSITION.md** - Attack composition patterns 4. **docs/20251125/REPORT_GENERATION.md** - Report format specifications ### README Updates - Add new attack types to features list - Update attack count (21 → 27) - Add certified robustness to metrics - Update examples with new features ### API Documentation - Complete ExDoc coverage for all new modules - Code examples for all public functions - Performance characteristics documentation - Security considerations for each attack ## Success Criteria ### Functional Requirements - ✅ All 6 new attack types implemented and tested - ✅ Certified robustness metric with >90% accuracy on test cases - ✅ ML detector with >85% precision/recall on validation set - ✅ Attack composition supporting 3+ chaining strategies - ✅ Report generation in 3+ formats ### Quality Requirements - ✅ Test coverage >90% - ✅ Zero compilation warnings - ✅ Zero Dialyzer errors - ✅ All tests passing - ✅ Performance targets met ### Documentation Requirements - ✅ Complete API documentation - ✅ Usage examples for all features - ✅ Integration guide updated - ✅ CHANGELOG.md updated ## Risk Assessment ### Technical Risks | Risk | Probability | Impact | Mitigation | |------|------------|--------|------------| | Randomized smoothing too slow | Medium | Medium | Implement sampling optimization, caching | | ML detector overfits | Medium | Low | Cross-validation, regularization | | Attack composition complexity | Low | Medium | Start with simple chains, iterate | | Memory usage with large reports | Low | Low | Streaming generation, pagination | ### Mitigation Strategies 1. **Performance**: Early benchmarking, profiling 2. **Quality**: Rigorous TDD, code review 3. **Complexity**: Incremental implementation, modular design 4. **Compatibility**: Comprehensive integration tests ## Future Roadmap (Post v0.3.0) ### v0.4.0 - Integration & Scale - CrucibleBench integration - Distributed evaluation - Real-time monitoring - Cloud deployment ### v0.5.0 - Advanced Features - Gradient-based attacks - Adaptive attack strategies - Multi-modal attacks - Reinforcement learning ### v1.0.0 - Production Hardening - API stabilization - Performance optimization - Security audit - Enterprise features ## Conclusion Version 0.3.0 represents a significant advancement in CrucibleAdversary's capabilities, adding critical data extraction attacks, certified robustness metrics, and enhanced defense mechanisms. The implementation follows strict TDD principles, maintains backwards compatibility, and positions the framework for future advanced features. **Estimated Implementation Time:** 2-3 weeks **Lines of Code (Estimated):** ~2,500 new LOC, ~1,500 test LOC **Test Count Increase:** +85 tests (203 → 288) **Coverage Target:** 90%+ --- **Approval Status:** Ready for Implementation **Next Steps:** Begin Phase 1 implementation with TDD approach