We Need Defensive AI to Protect Us From AI Attacks

My recent work at FICO to make AI better has drawn upon my background in theoretical physics to create what we call defensive AI. This is needed, because AI-based attacks are not s…

AdobeStock_66416593@2x.jpeg
Scott Zoldi by Scott Zoldi

Chief Analytics Officer

expand_less Back to top

Note: This is an edited version of an article I wrote for RT Insights.

I’m convinced we are entering the Golden Age of artificial intelligence (AI); with so much promise and potential in front of us, I am feeling a little like Neo in The Matrix as he swallows the red pill. (Alert: more Matrix analogies ahead.)

However, rather than science fiction, my recent work at FICO to make AI better has drawn upon my background in theoretical physics to create what we call defensive AI. This is needed, because AI-based attacks are not science fiction — they are happening today.

Why We Need Defensive AI

Businesses have relied on AI to fight fraud and financial crime for more than 25 years. Before these neural network defenders came along, banks used rule-based systems to try to prevent fraud.

Today, AI is considered “superhuman” at executing certain tasks, fraud detection being one of them. Criminals have had a harder time testing and understanding the complex inter-relationships between all the data elements that the anti-fraud neural networks combine, compared to the fraud rules they used to test and then evade.

 

But fraudsters, like New York City, never sleep. As business and society, overall, become more and more dependent on AI, we must assume that criminals will want to reproduce the AI models. Once learned, criminals find the secret paths to commit fraud without detection, based on the unique behaviors of the AI system.

To find those paths, fraudsters are again testing and attacking, targeting the bank’s AI defenders with their own offensive AI systems. But now, instead of trying to figure out the thresholds that would trigger an anti-fraud rule set to stop the transaction—such as a new grocery store, for an amount greater than $250 dollars, between the hours of 3-6 p.m.—the attackers are trying to learn the AI model.

If the attackers can learn the AI defender and how it responds, they have the ability to anticipate its move, like a fight scene from The Matrix. The attacker will learn the model and determine what they can get away with. The fraudster could then run millions of transaction perturbations in a cloud testing environment, find those that look the most likely to succeed, and launch attacks based on expert, learned knowledge of the likely AI system.

We’ve long understood this risk. As such, FICO models incorporate adaptive components that adjust scores, making it harder for offensive AI systems to learn the neural network response.

How Fraudsters Create an AI Attack Model

Criminals can learn the AI we rely on by directing fake test data at banks’ AI systems. They could get access by pretending to be a new merchant, and/or by compromising a merchant system to gain access to a payments channel, as well as banks’ testing and governance partitions.

Criminals may even try to steal the AI models outright through cyber breaches. If stolen, these obfuscated and encrypted models may still respond to testing transactions.

Once they have access to the defender AI, fraudsters would likely send batches of testing transactions, millions at a time. The criminals would get a fraud score for each transaction and attempt to map out likely transaction sequences, monitoring the behaviors of the model.

In other words, using AI of their own, criminals can create an AI model to produce the same score response to their testingThis is the offensive AI model, constrained by the quality and effectiveness of the criminals’ testing and the volume of testing transactions.

With their offensive AI tech nailed down, the criminals could steal expertly, working to circumvent the bank’s AI model response with unique transactions that the bank’s anti-fraud system might have not been seen before. Banks that depend on anti-fraud AI systems need to keep them protected, and monitor data streams that may be pointed at the model to ensure that they are legitimate.

But what can the AI do itself to prevent being learned? This is defensive AI, and FICO has recently applied for a patent for this technique.

Defensive AI Outsmarts Criminals

Defensive AI models selectively deceive or return incorrect outputs, if the models believes they are being monitored. They might return scores that are backwards, or create patterns that make the adversary modeling data set inaccurate and consequently the attacker’s AI less effective. Clever score responses could even guide the defensive AI to create artificial patterns in a learned offensive AI, making the criminal’s use of the offensive AI model easier for the bank to detect.

The defensive AI system could also bias the responses for the attacker AI to be misled, to generate data of a particular form. For example, the AI may decide it will give much reduced (non-fraud) scores to the attacker’s test data for electronic purchases between $300-$500. Later, in production, the defensive AI system can determine if the attacker took the bait, and then rapidly isolate the new transactions of this behavior and the sources, to turn over to law enforcement.

Just Like Neo

Defensive AI thwarts criminals’ attempts to measure it. As such, criminals and their AI will find it much harder to determine which responses from defensive reactions are legitimate. The criminals will wonder, “Is it real, or is it The Matrix?”

I’m going to catch up with my old friend Neo now, on Netflix. Send me your favorite Matrix moments on Twitter, where I’m @ScottZoldi.

Scott Zoldi
Scott Zoldi
Dr. Scott Zoldi is chief analytics officer at FICO, responsible for artificial intelligence (AI) and analytic innovation across FICO's product and technology solutions. Dr. Zoldi is a named inventor on 150+ active patents and pending patent applications, with more than 100 granted. Scott is an industry leader in the responsible use of AI, Generative AI (GenAI), and Agentic AI, as well as an outspoken proponent of AI governance and regulation. His groundbreaking work in focused language models (FLMs) for GenAI and a patented use of blockchain technology for AI model development governance has helped propel Scott to AI visionary status. His recent awards include Constellation Research Award AI150, Tech Leadership Award from Banking Tech Awards, Tech Influencer Highly Commendable Award from DataIQ Data & AI Awards, San Diego Business Journal - Leaders of Influence in Technology (2025); Tech Leadership - Software & Services Provider from Fintech Futures, MachineCon AI100 Award, Innovator Award from American Banker (2024); Global Finance Innovator Award (FICO) (2023); and Corinium Future Thinking Award (2022). An enthusiastic member of the southern California tech community, Scott serves on the Boards of Directors of Software San Diego and the San Diego Cyber Center of Excellence. He received his Ph.D. degree in theoretical and computational physics from Duke University, and his work has been published in The Harvard Business Review and numerous scientific journals.

When not at his office or on a plane, Scott can often be found in his Ford Bronco, exploring the desert around San Diego with his family. To hear more of his views follow Scott on LinkedIn and BlueSky @ScottZoldi.
See all posts
chevron_left Blog home
RELATED POSTS

Popular Posts

Take the next step

Connect with FICO for answers to all your product and solution questions. Interested in becoming a business partner? Contact us to learn more. We look forward to hearing from you.

Contact us