T10-AT-013 · HIGH

Audit Log Manipulation

T10 · Integrity & Confidentiality Breach →
Risk score: 215
Rating: High
Procedures: 10
Severity
Mechanism

Audit logs record queries, predictions, data access, and operational events for ML systems. Log manipulation exploits the gap between the security of the ML system itself and the security of the observability infrastructure around it. Most ML deployments treat logging as an operational concern rather than a security boundary: logs are stored in mutable databases, transmitted without integrity protection, and retained on infrastructure that more people can access than the ML system itself.

Detection
  • Append-only log storage (blockchain-backed or WORM) prevents modification
  • External log correlation: compare internal logs with independent observation points (network TAPs, API gateways)
  • Sequence number gap detection for missing entries
  • Volume anomaly detection: sudden spikes or drops signal flooding or deletion
Mitigation
  • Append-only / immutable log storage (HIGH)
  • Cryptographic log chaining (hash chains) (HIGH)
  • Real-time forwarding to independent SIEM (HIGH)
  • Structured logging with validated schemas (MEDIUM)
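The following is an added worked example, not code from the technique catalogue, that puts three of the controls above together in one small Python module: a hash-chained append-only log (the "cryptographic log chaining" mitigation), a verifier that reports sequence gaps, broken links and altered entries (the "sequence number gap detection" check), and a per-window volume check that flags floods and deletions (the "volume anomaly detection" check). The class and function names (`HashChainedLog`, `verify_chain`, `volume_anomalies`) and the sample timestamps are assumptions constructed for the example; a real deployment would persist entries to WORM or append-only storage and forward them to an independent SIEM rather than keep them in process memory.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

# Hash that the first entry chains back to; any fixed, public constant works.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    """Commit to the previous hash, the sequence number and the record content.
    Canonical JSON (sorted keys, no whitespace) makes the hash deterministic."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class HashChainedLog:
    """In-memory append-only audit log where every entry commits to its predecessor.
    Assumed helper for this example; production code would write to WORM storage."""

    def __init__(self):
        self.entries = []  # each entry: {"seq", "prev", "record", "hash"}

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "record": record,
                 "hash": _entry_hash(prev, seq, record)}
        self.entries.append(entry)
        return entry


def verify_chain(entries) -> list:
    """Walk the chain and return (seq, problem) findings.
    An empty list means no gaps, no broken links and no altered content."""
    findings = []
    expected_prev, expected_seq = GENESIS, 0
    for e in entries:
        if e["seq"] != expected_seq:  # an entry was removed or inserted
            findings.append((e["seq"], f"sequence gap: expected {expected_seq}"))
            expected_seq = e["seq"]
        if e["prev"] != expected_prev:  # link to predecessor does not match
            findings.append((e["seq"], "prev-hash mismatch"))
        if _entry_hash(e["prev"], e["seq"], e["record"]) != e["hash"]:
            findings.append((e["seq"], "entry hash mismatch (content altered)"))
        expected_prev, expected_seq = e["hash"], e["seq"] + 1
    return findings


def volume_anomalies(timestamps, window_seconds=60, factor=4.0) -> list:
    """Bucket ISO-8601 timestamps (with UTC offset) into fixed windows and flag
    buckets whose count deviates from the median by more than `factor`.
    Empty windows inside the observed span are counted, so a deleted window
    shows up as a drop rather than silently vanishing."""
    if not timestamps:
        return []
    secs = sorted(int(datetime.fromisoformat(t).timestamp()) for t in timestamps)
    first = secs[0] - secs[0] % window_seconds
    last = secs[-1] - secs[-1] % window_seconds
    counts = Counter(s - s % window_seconds for s in secs)
    buckets = [(b, counts.get(b, 0))
               for b in range(first, last + window_seconds, window_seconds)]
    ordered = sorted(c for _, c in buckets)
    median = ordered[len(ordered) // 2]
    anomalies = []
    for b, c in buckets:
        if c > median * factor:
            kind = "spike"   # flooding: attacker buries events in noise
        elif c * factor < median:
            kind = "drop"    # deletion: entries removed from a window
        else:
            continue
        anomalies.append((datetime.fromtimestamp(b, tz=timezone.utc).isoformat(), c, kind))
    return anomalies


def build_sample_timestamps() -> list:
    """Constructed sample: eleven one-minute windows of inference-API events.
    Windows 0-4 and 6-9 hold 10 events each, window 5 is empty (simulated
    deletion) and window 10 holds 60 events (simulated flood)."""
    base = int(datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc).timestamp())
    per_window = {w: 10 for w in range(11)}
    per_window[5], per_window[10] = 0, 60
    out = []
    for w, n in per_window.items():
        for i in range(n):
            t = base + w * 60 + (i % 60)
            out.append(datetime.fromtimestamp(t, tz=timezone.utc).isoformat())
    return out


if __name__ == "__main__":
    log = HashChainedLog()
    for i in range(5):
        log.append({"query_id": i, "principal": "svc-inference"})  # constructed records
    print("intact:", verify_chain(log.entries))
    missing = log.entries[:2] + log.entries[3:]  # entry 2 deleted
    print("after deletion:", verify_chain(missing))
    print("volume:", volume_anomalies(build_sample_timestamps()))
```

Each check catches a different tampering style: a content edit that leaves the stored hash alone fails the entry hash, a recomputed hash breaks the next entry's `prev` link, and a removed entry shows up both as a sequence gap and as a broken link. The volume check is deliberately coarse (median and a fixed factor) so it works on short histories; a SIEM would replace it with a baseline over days of traffic.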
Chaining

Log manipulation is a post-exploitation enabler for all T10 techniques: it conceals extraction (AT-001/002), inference (AT-003/006/008), and poisoning (AT-009/010). It is often combined with T14 (Infrastructure) to gain initial access to log systems.
