Security evaluation in Trusys is a critical process for identifying and mitigating potential vulnerabilities in your AI applications. This section focuses on Security Configs, which allow you to define and execute targeted security assessments against your AI models. Security Configs enable you to set up customized security tests, simulating various attack scenarios and evaluating your AI application’s resilience against them. This proactive approach helps ensure the robustness and safety of your deployed AI systems.

Create a Security Config

To create a new security configuration, navigate to the ‘Security Config’ tab on the left panel and click on ‘Create New Security Config’. You will then be prompted to give it a unique name. Assign a clear, descriptive name to your security configuration, such as “Prompt Injection Test - Customer Service Bot” or “Data Leakage Scan - Financial Advisor LLM.”
1. Select Application

  1. Select Application: choose the specific AI model or application you wish to test from your list of connected applications. This is the target for your security evaluation.
  2. Add AI Application Configuration: provide context about the AI application to help Trusys generate more relevant and effective security tests. This includes:
    • Purpose: Describe the primary objective of the AI in this application. Example: “To assist users with banking inquiries and transactions.”
    • User Context: Describe the type of user the redteamer is impersonating. Example: “A disgruntled customer attempting to access sensitive information.”
    • Connected Systems: List any external systems or databases connected to this application. Example: “Customer database, transaction history API.”
    • Accessible Data: Specify what data is available to the LLM from connected systems that the user has legitimate access to. Example: “User’s account balance, recent transactions.”
    • Restricted Data: Identify what data is available to the LLM from connected systems that the user should not have access to. Example: “Other users’ personal information, internal financial records.”
    • Allowed Actions: Detail what actions the user can legitimately take on connected systems through the AI application. Example: “Check balance, transfer funds to linked accounts.”
    • Restricted Actions: Outline what actions the user should not be able to take on connected systems. Example: “Initiate transfers to unlinked accounts, modify account details.”
  3. Evaluation Configurations: define the parameters for the security test generation:
    • Number of Test Cases: Enter the desired number of test cases to be generated for each vulnerable category. This controls the depth of the evaluation.
    • Language: Specify the language for the generated tests. This ensures the attacks are crafted in the relevant linguistic context.
    • Test Generate Instruction: Provide any additional instructions to guide the test generation process and refine the attack creation. Example: “Focus on subtle prompt injection techniques.”
2. Vulnerable Categories

Select the vulnerability categories you want to test against. Trusys leverages a comprehensive set of categories to identify various security weaknesses. These categories are designed to cover a wide range of potential attack vectors against AI systems. Examples of vulnerable categories include Prompt Injection, Data Leakage, Jailbreaking, Role Play, and more.
3. Attack Strategies

Select the attack strategies that Trusys will employ to test the selected vulnerable categories. These strategies define the methodologies used to attempt to exploit the identified weaknesses. Examples of attack strategies include: Adversarial Suffixes, Role Play Induction, and others that simulate real-world attack techniques.
4. Review & Save | Run Evaluation

After configuring all the settings, review your security configuration to ensure accuracy. Once satisfied, you can save the configuration for future use and immediately initiate the evaluation. Trusys will then execute the defined tests and provide a detailed report of any identified vulnerabilities.
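The review step above is where inconsistencies in the AI Application Configuration are cheapest to catch. The following is an added example, not Trusys code or its API: a plain-Python representation of the fields this page describes (all key and function names are assumptions), with the consistency checks a reviewer would want before saving, and an estimate of the run size given that the test-case count applies per vulnerable category.

```python
def validate_security_config(config: dict) -> list[str]:
    """Return the problems found; an empty list means the config is consistent.
    Hypothetical field layout chosen for this example, not Trusys's schema."""
    problems = []
    app = config.get("application_config", {})
    evaluation = config.get("evaluation", {})
    # The application context must state the AI's purpose and the impersonated user.
    for field in ("purpose", "user_context"):
        if not app.get(field, "").strip():
            problems.append(f"application_config.{field} is empty")
    # Accessible vs. restricted data and allowed vs. restricted actions must be disjoint;
    # an item on both sides gives the test generator a contradictory policy to test against.
    for allowed_key, restricted_key in (("accessible_data", "restricted_data"),
                                        ("allowed_actions", "restricted_actions")):
        overlap = set(app.get(allowed_key, [])) & set(app.get(restricted_key, []))
        for item in sorted(overlap):
            problems.append(f"'{item}' appears in both {allowed_key} and {restricted_key}")
    # Evaluation parameters: a positive test count and at least one category and strategy.
    if evaluation.get("num_test_cases", 0) < 1:
        problems.append("evaluation.num_test_cases must be at least 1")
    if not config.get("vulnerable_categories"):
        problems.append("no vulnerable categories selected")
    if not config.get("attack_strategies"):
        problems.append("no attack strategies selected")
    return problems


def estimated_test_cases(config: dict) -> int:
    """Number of Test Cases is generated per vulnerable category, so run size
    scales with the number of categories selected."""
    return config["evaluation"]["num_test_cases"] * len(config["vulnerable_categories"])


# Constructed sample config mirroring the banking-assistant examples on this page.
SAMPLE_CONFIG = {
    "name": "Data Leakage Scan - Banking Assistant",
    "application_config": {
        "purpose": "To assist users with banking inquiries and transactions.",
        "user_context": "A disgruntled customer attempting to access sensitive information.",
        "connected_systems": ["Customer database", "transaction history API"],
        "accessible_data": ["account balance", "recent transactions"],
        "restricted_data": ["other users' personal information", "internal financial records"],
        "allowed_actions": ["check balance", "transfer funds to linked accounts"],
        "restricted_actions": ["transfer funds to unlinked accounts", "modify account details"],
    },
    "evaluation": {"num_test_cases": 10, "language": "English",
                   "instruction": "Focus on subtle prompt injection techniques."},
    "vulnerable_categories": ["Prompt Injection", "Data Leakage", "Jailbreaking"],
    "attack_strategies": ["Adversarial Suffixes", "Role Play Induction"],
}
```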

Security Config List

The Security Config List provides an organized overview of all the security configurations that have been created within your Trusys project. This list allows you to quickly assess the status and key characteristics of each defined security test:
  • Config Name: The unique name assigned to each security configuration, making it easy to identify its purpose.
  • Application: The AI application or LLM model targeted by the security configuration.
  • Run Date: The timestamp of the most recent execution of this security configuration.
  • Status: Indicates the current status of the last run (e.g., Completed, Failed, Running).
  • Vulnerabilities Configured: A count of the vulnerabilities configured in the security evaluation config.
  • Attack Strategies: A count of the attack strategies configured in the security evaluation config.
This list serves as a central hub for managing your security testing efforts, allowing you to monitor the execution of your defined security assessments and quickly identify configurations that require attention or further analysis.

Security Config Details

Clicking on a specific security configuration from the Security Config List will navigate you to the Security Config Details page. This page provides an in-depth view of the configuration settings and the results of its executions.
  • Configuration Overview: Displays all the parameters defined when creating the security config, including the selected application, AI application context, evaluation configurations, vulnerable categories, and attack strategies.
  • Execution History: A chronological list of all test runs performed using this specific security configuration. For each run, you can view:
    • Run ID: A unique identifier for the test run.
    • Start Time & End Time: When the run started and finished, giving the duration of the test run.
    • Status: The completion status of the run.
    • Summary of Findings: A high-level overview of the vulnerabilities detected in that particular run.
  • Detailed Results: From the execution history, you can drill down into the detailed results of any specific test run. This will provide comprehensive reports on the vulnerabilities identified, including their severity, description, affected components, recommended remediations, and supporting evidence. For adversarial attack simulations, it will detail the attack vectors, success rates, and model behavior under attack. For compliance scans, it will outline adherence to specific regulatory frameworks.
  • Edit Configuration: You can modify the existing parameters of the security configuration from this page, allowing for iterative refinement of your security testing strategies.
By leveraging the detailed insights available in the Security Config Details, you can thoroughly analyze the security posture of your AI applications, track improvements over time, and ensure continuous protection against emerging threats.