Security Challenges in AI and Cloud Infrastructure, Including Software Supply Chains and Model-Deployment Pipelines

DOI:

https://doi.org/10.54536/ajise.v5i2.7220

Keywords:

AI Supply-Chain Security, Container Risk, Cloud Infrastructure, Dependency, ML Pipeline Integrity, Model Deployment Security

Abstract

AI-enabled services are increasingly engineered as cloud-native pipelines that source data, reuse dependencies, package models and containers, and deliver predictions via managed endpoints. This widens the attack surface across cloud boundaries. This scoping review examines the security challenges associated with cloud and AI infrastructure, including those relating to model-deployment pipelines and software supply chains. Using a PRISMA-ScR-guided process and a PCC-framed question, studies published between 2015 and 2025 were identified in IEEE Xplore, Scopus, and the ACM Digital Library, then de-duplicated and screened. Nineteen empirical studies were synthesized, covering exposure of inference boundaries, data and model compromise, and propagation through images, build systems, dependencies, and accelerators in cloud-native environments. The evidence shows that clean-label poisoning can persist with minimal accuracy loss, that gradients and prediction interfaces can enable model theft and leak sensitive training information, and that build artifacts, registries, and containers can carry malicious code or secrets at scale. Evaluated controls include runtime entropy checks and trigger reconstruction, confidential inference and privacy-preserving training, isolation of GPUs and builds, provenance frameworks, detectors, and safe deserialization. This research supports treating AI security as part of continuous pipeline governance, which means using enforceable gates and telemetry in today’s complex multicloud operations.

Published

2026-06-25

How to Cite

Afolabi, E. O., & Nwabueze, G. (2026). Security Challenges in AI and Cloud Infrastructure, Including Software Supply Chains and Model-Deployment Pipelines. American Journal of Innovation in Science and Engineering, 5(2), 58-69. https://doi.org/10.54536/ajise.v5i2.7220
