[WEB SECURITY] Artificial Intelligence vs. Human Intelligence on finite amounts of possible outcomes

Andres Riancho andres.riancho at gmail.com
Tue Feb 1 14:20:04 EST 2011


On Tue, Feb 1, 2011 at 3:49 PM, Tasos Laskos <tasos.laskos at gmail.com> wrote:
> Hi guys,
> This isn't a paper or benchmark or some implemented feature, this is
> something that just hit me and I'd appreciate some input.
> It came to me while auditing a very slow server which produced a lot of
> false positives on blind attacks that used time delays.
> The server at some point just died and all modules that used that attack
> type thought that their payloads had been executed successfully due to
> timeouts.

Been there :)

> However, don't focus on this particular situation (I already know the
> solution), this was merely the trigger that prompted my
> question/suggestion/RFC
> which I think will make for an interesting conversation.


> Lots of people in this list would like to see our tools implement some sort
> of AI (I know for a fact that at least Michal does) to make educated
> guesses/decisions about a scan's results
> and adjust the report accordingly.
> Training an expert system would take a lot of effort/time though and until
> convergence has been reached the false results will be reported as
> legitimate (not counting SaaS solutions).


> I'd like to note at this point that I'm a strong proponent of fixing the
> root of the problem instead of adding filtering layers on top of it but
> let's ignore this for argument's sake as well.
> Premises:
>  * We have a finite amount of entities that assert the existence of issues
> -- we'll call these "modules".
>  * We have a finite amount of outcomes for each of the modules; usually a
> binary result (either true/vulnerable or false/safe)
>    but in some cases with a twist about the certainty of a result (i.e. a
> notice that an issue may require manual verification).
> And here comes my point:
>    Do we really need AI? Wouldn't simple rules that check for unusual
> results and give appropriate notice suffice and be a better and more
> efficient way to handle this?

In some cases you need AI, or need lots of signatures (either works).
For example, if you're trying to find SQL injections based on error
messages, a module that has 10 signatures is worse than one that has
100. But I'm sure that the module with 100 signatures doesn't cover
all possible DBMS errors. On the other side, a web application
penetration tester that sees a rendered HTML response can identify a
SQL error even if its not something he has seen in the past (its not
in the expert's signature DB). That's where AI might be handy.

> A possible implementation I have in mind is to pre-tag a module when it's
> added to the system.
> The tags would specify key elements of the behavior of a module and will
> later be used in the decision making process (based on rules).
> For instance, in the example I mentioned at the beginning of this e-mail,
> the system would check how many of the results have the "timing_attack" tag
> and if that number was above a preset threshold it would remove the results
> from the scan report or flag them accordingly.
> And possibly take into account environment statistics to make a more
> well-rounded decision (like average response times etc).

That makes sense... somehow... but I would rather fix the cause of the
timing attack bug.

> What do you guys thing?

AI for web application scanning has been on my mind since I started
with w3af, but I really haven't found a problem for which I would say:
"The best / faster / easier to develop way to solve this is AI". Maybe
if we hit our heads hard enough, we can find something where AI is
applied and then state: "w3af/arachni , the only web app scanner with
AI" ? :)

> Cheers,
> Tasos L.
> PS. I guess that this could be perceived as pre-trained expert system but
> not really.
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af

More information about the websecurity mailing list