Record link: 
http://hdl.handle.net/20.500.12708/192188
-
Title: 
Getting pwn’d by AI: Penetration Testing with Large Language Models
en
Citation: 
Happe, A., & Jürgen, C. (2023). Getting pwn’d by AI: Penetration Testing with Large Language Models. In ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (pp. 2082–2086). Association for Computing Machinery. https://doi.org/10.1145/3611643.3613083
-
Publisher DOI: 
10.1145/3611643.3613083
-
Publication Type: 
Inproceedings - Full-Paper Contribution
en
Language: 
English
-
Authors: 
Happe, Andreas 
Jürgen, Cito 
-
Organisational Unit: 
E194-01 - Forschungsbereich Software Engineering 
-
Published in: 
ESEC/FSE 2023: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering 
-
ISBN: 
979-8-4007-0327-0
-
Date (published): 
Nov-2023
-
Event name: 
ESEC/FSE'23 : 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering 
en
Event date: 
3-Dec-2023 - 9-Dec-2023
-
Event place: 
San Francisco, United States of America (the)
-
Number of Pages: 
5
-
Publisher: 
Association for Computing Machinery, New York
-
Peer reviewed: 
Yes
-
Keywords: 
machine learning; penetration testing; automated software testing; large language model; privilege escalation attacks
en
Abstract: 
The field of software security testing, more specifically penetration testing, requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential use of large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore two distinct use cases: high-level task planning for security testing assignments and low-level vulnerability hunting within a vulnerable virtual machine. For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement, and close deliberating on the ethics of AI sparring partners.
en
Research Areas: 
Computer Engineering and Software-Intensive Systems: 100%
-
Science Branch: 
1020 - Informatik: 100%
-
Appears in Collections:
Conference Paper

Show full item record

Page view(s)

208
checked on Jan 18, 2024

Google ScholarTM

Check