Longtime Slashdot reader Tippen shared this report from the Register:
AI agents that combine large language models with automation software can successfully exploit real-world security vulnerabilities by reading security advisories, scholars argue.
In a newly published paper, four computer scientists at the University of Illinois at Urbana-Champaign (UIUC), Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang, report that OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if it is provided with a CVE advisory that describes the flaw. “To demonstrate this, we collected a dataset of 15 one-day vulnerabilities, including vulnerabilities classified as critical severity in their CVE descriptions,” the US-based authors explain in their paper. “Given the CVE description, GPT-4 can exploit 87 percent of these vulnerabilities, whereas all other models we tested (GPT-3.5, open source LLMs) and open source vulnerability scanners (ZAP and Metasploit) can exploit 0 percent…”
The researchers' work builds on previous findings that LLMs can be used to automate attacks on websites in sandbox environments. UIUC Assistant Professor Daniel Kang said in an email to the Register that GPT-4 “can actually autonomously take steps to perform specific exploits that open source vulnerability scanners (at the time of writing) cannot discover.”
“Our vulnerabilities span website vulnerabilities, container vulnerabilities, and Python package vulnerabilities,” the researchers wrote. “It is classified as…”
“Kang and his colleagues calculated the cost of a successful LLM agent attack and came up with a figure of $8.80 per exploit.”