4 Areas where Artificial Intelligence Fails in Automated Penetration Testing

Formal Modeling and Automation is one of the things I love. I try to model everything and sometimes modeling helps and sometime it lands me in trouble. It helped me when I tried to model Penetration Testing and worked with my co-founder to design our first version of automated Penetration Testing Tool at iViZ. Where it did not help is in dancing. I think I am a poor dancer since my mind thinks modeling. By the time I model the step in my mind, I miss the beat. I believe there are a few things which we need to do from heart and not from mind.

I was thinking why in the context of today’s maturity of Artificial Intelligence (AI) we cannot fully automate Penetration Testing (or “maybe” we will never be able to). Here are the top reasons that come to my mind.

( Read More: Major Components Of IT GRC Solutions )

Penetration Testing: Multi Stage Attack Planning is a PSPACE Complete Problem

In Penetration Testing, attack chaining becomes a critical element in terms of strategizing as well as executing some brilliant hacks. Human mind sometimes can compute some brilliant attack plans in just a jiffy. However, when we try to model this as a standard “AI Planning” problem, we get into a mess. Every exploit/attack can be modeled as an action with precondition and post condition. So, the standard solution we can think of is to use “Planning Algorithms” to build the entire attack graph. However, the challenge is with state explosion and we will immediately run out of memory (PSPACE Complete Problem). Though approximations can help, it can never find all the possible attack paths the moment the number of nodes increases beyond a threshold. However, when it comes to coverage, AI would definitely do better than humans (since humans get bored).

Modeling Creativity is a Hard Problem

There had been some work in terms of Artificial Creativity. We do have AI programs writing Poems (Flowerewolf). However we are quite far from creating automation that can match the human creativity. There are potential ways to model creativity. As an example you can model the knowledge from one field and apply it in a completely different field and in some cases you may end up with a "creative model". However not much of work has happened to model human creativity in the field of ethical hacking.

( Read More: Incident Response: How To Respond To A Security Breach During First 24 Hours (Checklist) )

Programs cannot Question the Assumptions

Human minds can question the fundamental assumptions. However a program runs on fundamental assumptions. Einstein challenged the assumptions of Newton. Heisenberg challenged the assumptions of Einstein and the game goes on. Any good pen tester/hacker challenges the assumption. When we broke Microsoft Bit locker encryption we challenged the assumption of the coders that from user land BIOS memory cannot be accessed. A program does not have the capability to challenge the assumptions and that is a severe limitation when it comes to automating Penetration Testing.

Artificial Intuition” is still in early days

Humans have intuition. As per wiki- “Intuition is the ability to acquire knowledge without inference and/or the use of reason. Intuition provides us with beliefs that we cannot justify in every case”. We can sometime solve some brilliant problem without the use of any reasoning. Artificial Intuition is there to model this but we are still in quite a primitive state to match what our brains can do.

I am a big believer of AI and a bigger believer of the human mind. We did use some decent bit of AI to automate Penetration Testing during our iViZ days. While doing that I learn’t more of what we cannot do than what we can do. I am sure with time AI will get better but will we ever be able to do Penetration Testing without the humans?

 

More:  Join the community of 3000+ Chief Information Security Officers.  C...

Views: 2254

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

FireCompass

Forum

CISO as an enabler

Started by Maheshkumar Vagadiya Jul 30. 0 Replies

Share the instances where you were able to convince the Executive management /board that CISO function is enabler rather then a hindrance.Thanks youMaheshContinue

Has Anyone Evaluated Digital Signature (like Docusign)?

Started by CISO Platform. Last reply by SACHIN BP SHETTY Apr 24. 1 Reply

(question posted on behalf of a CISO member)Has anyone evaluated digital signature (like Docusign), any specific risk/ security areas to be looked into while finalising a vendor? Any and all inputs will be very much appreciated.Continue

What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?

Started by CISO Platform. Last reply by ANAND SHRIMALI May 20. 4 Replies

(question posted on behalf of a CISO member)What are your strategies for using Zoom in your organization after recent vulnerabilities in news about Zoom platform?Related Question: …Continue

[Please Suggest] Corona Virus: Security advisory for work from home

Started by CISO Platform. Last reply by Bhushan Deo Mar 20. 12 Replies

(question posted on behalf of a CISO member)Due to CORONA virus most of the organizations are allowing their employees to work form home.Has any one issued security advisory for work from home ?Continue

Tags: #COVID19

Follow us

Contact Us

Email: contact@cisoplatform.com

Mobile: +91 99002 62585

InfoSec Media Private Limited,First Floor,# 48,Dr DV Gundappa Road, Basavanagudi,Bangalore,Karnataka - 560004

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service