
Open standard · Draft RFC · Seeking collaborators · Companion standard to ATR

Agentic Threat Detection

An open, executable detection standard for agent-native threats: the layer beneath OWASP, MITRE ATLAS, CWE and AVID that actually runs.

Editor's Draft · pre-governance draft · Version 0.1.0 · Date 2026-06-13 · Canonical version at /atd · Editor Adam Lin

  • 24 techniques catalogued
  • 9 backed by a CVE
  • 9 with a live rule
  • 100% recall · 0 FP (skill corpus, n=341)
  • 98% recall (garak in-the-wild corpus, n=650)

ATD's detection rules are published by ATR and are already in production: Microsoft Agent Governance Toolkit, Cisco AI Defense; they are also mapped in MISP/CIRCL. Consumers integrate the ATR rules; that is not an endorsement of this draft standard. DOI 10.5281/zenodo.19178002

Abstract (Informative)

Agentic Threat Detection (ATD) is an open, machine-readable, executable enumeration of agent-native threat techniques. Each technique is bound to detection logic and mapped to the existing descriptive frameworks: OWASP Agentic Top 10, MITRE ATLAS, CWE, AVID.

Those frameworks tell you what goes wrong with agents. ATD is the layer beneath them that tells you how to detect it at runtime, with a measurable false-positive rate. ATD is to agentic security what Sigma is to SIEM detection.

Status: Editor's Draft, a request for comments and an open invitation to co-author. It is not yet a ratified standard; it takes that name only once it meets the neutrality threshold in §8. We publish it to recruit collaborators and mapping partners, not to claim authority.

Scope: what ATD is and is not (Normative)

ATD enumerates agent-runtime threat techniques that are observable in agent I/O: prompt/content, tool calls, tool responses, inter-agent messages, memory operations, traces, screen state, payment mandates.

  • ATD MUST NOT mint vulnerability-instance identifiers. A specific CVE for a specific MCP server belongs to CVE / GHSA / OSV / AVID; ATD cites it, it does not replace it.
  • ATD MUST NOT position itself as a competing top-level risk taxonomy. The "agentic top ten risks" framing belongs to OWASP ASI; ATD sits beneath it and makes it executable.
  • ATD MUST map every technique to at least one upstream framework, or record the gap where no mapping exists yet.

This boundary is deliberate. Vulnerability registries that mirrored CVE's territory (such as the now-archived GSD) fragmented and stalled. ATD fills the executable-detection layer that nobody covers; it does not refight settled battles.

Conceptual model (Normative)

ATD uses two axes, borrowed from proven standards:

  • Tactic / Technique matrix (MITRE ATLAS model): a Tactic is the adversary's goal stage; a Technique is a concrete, detectable attack pattern; a Sub-technique is a variant.
  • Abstraction level (CWE model): each technique is labelled pillar / class / base / variant.

Identifiers. Tactics are ATD-TA1 through ATD-TA9. Techniques are ATD-T0001 (zero-padded, sequential, permanent, never reused); sub-techniques use dot notation, ATD-T0001.001. Each detection rule additionally carries a UUIDv4 so that it stays trackable after a rename: the technique is the catalog entry, the rule is the executable instance bound to it.

Maturity. Every technique and rule carries a ladder status experimental → test → stable (plus deprecated). Production consumers SHOULD auto-sync only stable.

Technique catalog (Normative)

24 techniques across 9 tactics. Each maps to OWASP ASI / MITRE ATLAS / CWE and cites a real CVE or research as evidence; 9 already have live ATR detection rules. Those without a public instance are honestly marked research / aspirational. Framework identifiers were verified against their original sources (2026-06-14).

ATD-TA1 · Protocol & Interconnect (9)

ATD-T0001 · Shell metacharacter injection through MCP tool parameters · live rule
  Unsanitized MCP tool input reaches execSync/exec, yielding RCE on the server host.
  Evidence: CVE-2025-53355 · Mappings: ASI05, ASI02, AML.T0053, CWE-77

ATD-T0002 · curl-fallback command injection in an MCP server · live rule
  A failed fetch falls back to exec'ing curl with an unsanitized URL, enabling RCE.
  Evidence: CVE-2025-53967 · Mappings: ASI05, ASI02, AML.T0053, CWE-420

ATD-T0003 · Command injection in a scaffolded MCP stdio server · live rule
  Generated server concatenates tool input into exec(), giving RCE to anything built from it.
  Evidence: CVE-2025-54994 · Mappings: ASI04, ASI05, AML.T0010.005, CWE-78

ATD-T0004 · Line-jumping — tool-description injection at listing time · live rule
  Hidden instructions in a tool description enter the model context at tools/list, before any call.
  Evidence: research · Mappings: ASI04, ASI01, AML.T0110, AML.T0104, CWE-1427

ATD-T0005 · Rug pull — silent mutation of an approved tool · live rule
  A server approved once later changes a tool's definition with no integrity re-check.
  Evidence: research · Mappings: ASI04, AML.T0109, AML.T0110, CWE-494

ATD-T0006 · Missing-auth MCP proxy command execution
  No auth between client and MCP proxy lets any local/web-driven request spawn MCP processes.
  Evidence: CVE-2025-49596 · Mappings: ASI03, ASI05, CWE-306

ATD-T0007 · RCE from a malicious upstream MCP server
  A client is RCE'd via a crafted authorization_endpoint URL in an untrusted server's response.
  Evidence: CVE-2025-6514 · Mappings: ASI04, ASI05, AML.T0010.005, CWE-78

ATD-T0008 · DNS-rebinding to a localhost MCP server
  A malicious page rebinds DNS to reach an unauthenticated localhost MCP server cross-origin.
  Evidence: CVE-2025-66416 · Mappings: ASI07, ASI03, CWE-1188

ATD-T0009 · Session ID / auth token placed in a URL query string · live rule
  A credential in the query string leaks via server logs, proxies, CDNs, history, and Referer.
  Evidence: research · Mappings: ASI03, ASI07, CWE-598

ATD-TA2 · Memory & Context Integrity (2)

ATD-T0010 · Serialized-object smuggling through an LLM response field
  Injected output carries a serialization marker; deserialization rehydrates it as trusted and exfiltrates secrets.
  Evidence: CVE-2025-68664 · Mappings: ASI06, ASI01, AML.T0051.001, CWE-502

ATD-T0011 · Persistent memory / context-store poisoning
  Attacker-controlled content is written into data the agent later reads back as trusted context.
  Evidence: research · Mappings: ASI06, AML.T0080, CWE-349

ATD-TA3 · Goal, Planning & Reasoning (2)

ATD-T0012 · Indirect prompt injection via tool / API response · live rule
  Malicious text in returned tool data overrides the agent's plan and redirects its actions.
  Evidence: research · Mappings: ASI01, AML.T0051.001, AML.T0099, CWE-1427

ATD-T0013 · System-prompt / guardrail extraction to plan evasion
  Crafted queries coerce the agent to reveal its hidden system prompt, exposing control logic.
  Evidence: research · Mappings: ASI01, ASI09, AML.T0056, CWE-200

ATD-TA4 · Identity, Authz & Delegation (1)

ATD-T0014 · Confused-deputy token passthrough in an MCP server
  A server forwards a held token to a downstream API without audience validation, escalating privilege.
  Evidence: research · Mappings: ASI03, CWE-441

ATD-TA5 · Tool & Supply Chain (2)

ATD-T0015 · Agent reads .env / secret files without consent · live rule
  An agent tool reads credential files (.env, credentials, .npmrc) outside any user-approved scope.
  Evidence: research · Mappings: ASI02, ASI06, AML.T0053, CWE-538

ATD-T0016 · Hallucinated-dependency squatting (slopsquatting)
  The model recommends a fabricated package name an attacker pre-registers, pulling code into the agent env.
  Evidence: research · Mappings: ASI04, ASI08, AML.T0060, AML.T0062, CWE-1427

ATD-TA6 · Execution & Autonomy (3)

ATD-T0017 · Path-traversal blacklist bypass via non-canonical paths · live rule
  Exact-string path checks are bypassed with ../, /./, redundant slashes to reach sensitive files.
  Evidence: CVE-2025-66689 · Mappings: ASI02, ASI03, AML.T0053, CWE-22

ATD-T0018 · MCP filesystem sandbox escape via symlink following
  A symlink inside an allowed directory resolves to an out-of-scope path, granting system file access.
  Evidence: CVE-2025-53109 · Mappings: ASI02, ASI05, AML.T0053, CWE-59

ATD-T0019 · Prompt-injection-to-RCE via an agent's file-write capability
  Injected instructions drive the agent to write a startup/config file that yields persistent code execution.
  Evidence: research · Mappings: ASI05, ASI01, AML.T0053, AML.T0051.001, CWE-94

ATD-TA7 · Multi-Agent Dynamics (2)

ATD-T0020 · Agent Card poisoning to capture A2A task routing
  A rogue A2A agent advertises an instruction-laden Agent Card so the orchestrator routes tasks to it.
  Evidence: research · Mappings: ASI07, ASI10, AML.T0051.001, CWE-345

ATD-T0021 · Cross-agent injection propagation (cascading compromise)
  One compromised agent emits content that injects the next downstream agent, cascading through the swarm.
  Evidence: research · Mappings: ASI08, ASI07, ASI10, AML.T0051.001, AML.T0080, CWE-1427

ATD-TA8 · Model-Intrinsic & Governance (1)

ATD-T0022 · Trace tampering / non-tamper-evident agent audit logs
  An agent logs reasoning but not the actual tool call, or logs are mutable — defeating after-the-fact audit.
  Evidence: research · Mappings: ASI10, CWE-778

ATD-TA9 · Agentic Commerce (forward) (2)

ATD-T0023 · Adversarial transaction steering of a purchasing agent
  Injected content in a listing/page steers an autonomous-commerce agent to overpay or leak payment authority.
  Evidence: forward-looking (no instance yet) · Mappings: ASI01, ASI02, ASI09, CWE-1427

ATD-T0024 · Payment-mandate forgery in an agent-to-agent handshake
  A rogue agent spoofs delegated payment authority or mandate scope in an agentic-commerce exchange.
  Evidence: forward-looking (no instance yet) · Mappings: ASI03, ASI07, CWE-345

Entry schema (Normative)

A technique entry is a YAML/JSON document validated against the normative JSON Schema (Draft 2020-12), published with the repo and designed to be compatible with the OSV and Sigma ecosystems. Required fields:

atd_id            ATD-T####            permanent
schema_version    SemVer, no "v"        additive-minor guarantee (as in OSV)
title             short imperative phrase
tactic            ATD-TA#
abstraction       pillar | class | base | variant
status            experimental | test | stable | deprecated
description       the technique and its attack mechanism
detection_surface content | tool_input | tool_response |
                  inter_agent_msg | memory_op | trace | screen | payment_mandate
mappings          owasp_asi[] · mitre_atlas[] · cwe[] · avid[] · maestro_layer[]
references        advisory / CVE / research URL (real evidence)
detection_rules   UUIDv4[] pointing into the rule corpus
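As an added example (not the project's own JSON Schema or tooling), a pure-Python validator that encodes the required fields above together with the identifier grammar and the maturity rule from the conceptual model. The `gap` key used to record a missing upstream mapping, the sample entry, its placeholder reference URL and its rule UUID are assumptions, not values from the repo.

```python
import re

# Identifier grammar from the draft: ATD-TA1..ATD-TA9 tactics, ATD-T#### techniques
# with an optional .### sub-technique, UUIDv4 rule ids, and SemVer without a "v".
TACTIC_RE = re.compile(r"^ATD-TA[1-9]$")
TECHNIQUE_RE = re.compile(r"^ATD-T\d{4}(?:\.\d{3})?$")
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+$")
ABSTRACTION = {"pillar", "class", "base", "variant"}
STATUS = {"experimental", "test", "stable", "deprecated"}
SURFACES = {"content", "tool_input", "tool_response", "inter_agent_msg",
            "memory_op", "trace", "screen", "payment_mandate"}
MAPPING_KEYS = ("owasp_asi", "mitre_atlas", "cwe", "avid", "maestro_layer")

# Constructed sample entry modelled on catalog item ATD-T0009; the reference URL
# and rule UUID are placeholders, not values from the repo.
SAMPLE = {
    "atd_id": "ATD-T0009", "schema_version": "0.1.0", "tactic": "ATD-TA1",
    "title": "Session ID / auth token placed in a URL query string",
    "abstraction": "base", "status": "stable", "detection_surface": "tool_input",
    "description": "A credential in the query string leaks via logs, proxies, CDNs, history and Referer.",
    "mappings": {"owasp_asi": ["ASI03", "ASI07"], "cwe": ["CWE-598"]},
    "references": ["https://example.invalid/placeholder-research"],
    "detection_rules": ["3f2504e0-4f89-41d3-9a0c-0305e82c3301"],
}


def validate_entry(entry: dict) -> list[str]:
    """Return the conformance problems of a technique entry (empty list = conforms)."""
    m = entry.get("mappings") or {}
    checks = [
        (TECHNIQUE_RE.match(str(entry.get("atd_id", ""))), "atd_id must be ATD-T#### or ATD-T####.###"),
        (SEMVER_RE.match(str(entry.get("schema_version", ""))), "schema_version must be SemVer without a leading v"),
        (entry.get("title") and entry.get("description"), "title and description are required"),
        (TACTIC_RE.match(str(entry.get("tactic", ""))), "tactic must be ATD-TA1..ATD-TA9"),
        (entry.get("abstraction") in ABSTRACTION, "abstraction must be pillar|class|base|variant"),
        (entry.get("status") in STATUS, "status must be experimental|test|stable|deprecated"),
        (entry.get("detection_surface") in SURFACES, "detection_surface not in the enumerated surfaces"),
        # Scope rule: at least one upstream mapping, or an explicit recorded gap (key name assumed).
        (any(m.get(k) for k in MAPPING_KEYS) or m.get("gap"), "at least one framework mapping or a recorded gap is required"),
        (entry.get("references"), "at least one reference is required"),
        (all(UUID4_RE.match(str(r)) for r in entry.get("detection_rules", [])), "detection_rules must be UUIDv4"),
    ]
    return [msg for ok, msg in checks if not ok]


def syncable(entry: dict) -> bool:
    """Maturity rule: production consumers SHOULD auto-sync only conforming, stable entries."""
    return not validate_entry(entry) and entry.get("status") == "stable"
```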

A detection rule reuses the ATR rule schema already in production: regex/conditions, true_positives and true_negatives (precision tests), false-positive notes, a response action, and the permitted agent_source.type values.

Mappings and interoperability (Informative)

Legitimacy comes from interoperability, not from self-declared authority. Each ATD technique maps to OWASP ASI, MITRE ATLAS and CWE where a matching slot exists, plus AVID and the MAESTRO layer where applicable. ATD borrows those frameworks' authority and feeds the gaps it finds back to them as proposed techniques and case studies.

ATD is designed to interoperate with AVID, not to compete with it: AVID already operates a governed, open-contribution AI vulnerability registry. ATD supplies the executable detection that AVID's "Detection" report type expects.

Conformance (Normative)

  • A conformant technique entry MUST pass JSON Schema validation, carry at least one framework mapping (or a recorded gap), and cite at least one reference.
  • A conformant detection rule MUST pass the precision gate: every declared true positive hits, zero false positives on the public benign corpus, and no cross-rule conflicts.
  • A conformant consumer MUST honour the maturity field and SHOULD disclose the ATD-T#### id on every detection.
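An added example (not the ATR rule corpus or its tooling) of the precision gate above applied to two constructed rules in the regex / true_positives / true_negatives shape the entry schema section describes. The regexes, sample inputs and benign corpus are illustrative stand-ins, and "cross-rule conflict" is taken here to mean two rules sharing one UUID, which is an assumption.

```python
import re

# Two constructed rules in the shape the draft describes (regex, true_positives,
# true_negatives). They are illustrative stand-ins, not the ATR corpus's real rules.
RULES = [
    {
        "id": "3f2504e0-4f89-41d3-9a0c-0305e82c3301",
        "technique": "ATD-T0009",  # credential placed in a URL query string
        "regex": r"[?&](?:session_?id|access_?token|api_?key)=[^&\s]+",
        "true_positives": ["https://api.example.test/me?access_token=SECRET123",
                           "GET /cb?session_id=abc123 HTTP/1.1"],
        "true_negatives": ["https://api.example.test/me?page=2"],
    },
    {
        "id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
        "technique": "ATD-T0017",  # non-canonical path reaching a filesystem tool
        "regex": r"(?:^|/)\.\.(?:/|$)|/\./|/{2,}",  # deliberately over-broad: "//" also hits URLs
        "true_positives": ["/srv/app/../../etc/passwd", "/srv/app/./secrets//keys"],
        "true_negatives": ["/srv/app/data/report.txt"],
    },
]

# Stand-in for the public benign corpus the gate runs over; the URL line is a
# legitimate input that the over-broad path rule wrongly flags.
BENIGN_CORPUS = ["/srv/app/data/report.txt", "https://example.test/docs?page=2", "read README.md"]


def gate(rule: dict, benign: list[str]) -> list[str]:
    """Precision gate for one rule: every true_positive must hit, and neither a
    true_negative nor a benign line may hit. Returns the failure reasons (empty = pass)."""
    rx = re.compile(rule["regex"])
    fails = [f"missed TP: {s}" for s in rule["true_positives"] if not rx.search(s)]
    fails += [f"FP on TN: {s}" for s in rule["true_negatives"] if rx.search(s)]
    fails += [f"FP on benign: {s}" for s in benign if rx.search(s)]
    return fails


def gate_corpus(rules: list[dict], benign: list[str]) -> dict[str, list[str]]:
    """Gate a whole rule corpus and flag cross-rule conflicts, taken here (an
    assumption) to mean two rules sharing one UUID. Returns only failing ids."""
    report = {r["id"]: gate(r, benign) for r in rules}
    seen = set()
    for r in rules:
        if r["id"] in seen:
            report[r["id"]].append("duplicate rule id")
        seen.add(r["id"])
    return {rid: fails for rid, fails in report.items() if fails}
```

Running `gate_corpus(RULES, BENIGN_CORPUS)` passes the token-in-URL rule and rejects the path rule for its hit on the benign URL, which is the zero-false-positive requirement doing its job; scoping that rule to filesystem tool inputs or dropping the bare `//` alternative would clear it.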

Governance and status (Informative)

ATD is governed by a written charter, published as an open draft, with an open invitation to co-author. It takes the name "standard" only once it meets a concrete, public neutrality threshold (adopted from the OpenSSF project lifecycle: at least three maintainers spanning at least two organizations); we are actively filling those seats.

Governance follows a Minimal Viable Governance charter: lazy consensus among maintainers, a simple-majority fallback in the Technical Steering Committee, a two-thirds vote for charter amendments, and no single-person veto. The spec is licensed CC-BY-4.0 and designed to be forkable, so no single party can capture it, with a commitment to move to a neutral foundation (an OpenSSF working group, or the OWASP GenAI Security Project).

Call for collaborators: if your team works on agent security, map your tooling to ATD, contribute a technique, or take a maintainer seat. See /contribute

Downloads and artifacts (Informative)


Editor: Adam Lin · Spec CC-BY-4.0 · Schema and tooling Apache-2.0 · Rule corpus MIT · ISO 8601 2026-06-13 Editor's Draft, pre-governance; not a ratified standard.