[WEB SECURITY] Artificial Intelligence vs. Human Intelligence on finite amounts of possible outcomes

Michal Zalewski lcamtuf at coredump.cx
Tue Feb 1 15:56:53 EST 2011

> Lots of people in this list would like to see our tools implement some sort
> of AI (I know for a fact that at least Michal does)
To clarify, I don't think that the current "AI toolset" (ANN, genetic
algorithms, expert systems) is going to make a substantial difference.
These tools simply offer you a glorified framework for brute-forcing
quasi-optimal decision algorithms in some not-too-complicated cases.
Sometimes they may arrive at results better than what would be
possible with, ahem, a man-made algorithm; other times, they work just
as well or worse, and just introduce a layer of indirection.

There's a cost to that layer, too: when your "dumb" scanner
incorrectly labels a particular response as XSRF, you just tweak
several lines of code. If the same determination is made by a complex
ANN with hundreds of inputs, there is no simple fix. You may retrain
it with new data, which may or may not help; and even if it helps, it
may decrease performance in other areas. Then you have to change the
topology or inputs, or the learning algorithm... and none of this
guarantees success.

Web scanners do lack certain cognitive abilities of humans, which
makes these tools fairly sucky - but I don't think we know how to
approximate these abilities with a computer yet; they're mostly
related to language comprehension and abstract reasoning.

> Do we really need AI?

The term is sort of meaningless. Scanners will require a lot of human
assistance until they can perform certain analytic tasks that
computers currently suck at; calling it "AI" is probably just a
