T5-AT-001MEDIUM
Parameter Manipulation
T5 · Model & API Exploitation →Risk score180
RatingMedium
Procedures10
Severity
Mechanism
LLM inference APIs expose generation parameters (temperature, top_p, top_k, frequency_penalty, presence_penalty, max_tokens) as mutable request fields. The design assumption is that parameter ranges are bounded by server-side validation and that extreme values only affect output quality, not safety. The gap: most API implementations validate parameter types (float, int) but not semantic safety implications of extreme combinations.
Detection
- Monitor for API requests with parameters at distribution extremes: temperature >1.5, top_p >0.95, negative frequency/presence penalties
- Alert on logit_bias fields that suppress known refusal tokens (tokenize common refusal phrases and watch for negative bias on those token IDs)
- Detect seed-scanning patterns: same prompt submitted with incrementing seed values
- Log and flag combined parameter configurations that have never appeared in legitimate traffic
Mitigation
Server-side parameter clamping (temperature ≤1.2, penalties ≥0)HIGH
Remove logit_bias from public API surfaceHIGH
Parameter combination scoring (flag degenerate multi-param states)MEDIUM
Output safety classification on full generation, not windowedMEDIUM
Chaining
Successful parameter manipulation degrades safety classifier confidence, enabling follow-on attacks via T1 (Prompt Subversion) or T3 (Reasoning Exploitation) that would otherwise be caught. Parameter manipulation on self-hosted APIs often chains into T5-AT-012 (Resource Exhaustion) via max_tokens abuse.
Framework mapping
Open in the technique browser →OWASP LLMLLM04
MITRE ATLASAML.T0043