Formal Modeling and Automation is one of the things I love. I try to model everything and sometimes modeling helps and sometime it lands me in trouble. It helped me when I tried to model Penetration Testing and worked with my co-founder to design our first version of automated Penetration Testing Tool at iViZ. Where it did not help is in dancing. I think I am a poor dancer since my mind thinks modeling. By the time I model the step in my mind, I miss the beat. I believe there are a few things which we need to do from heart and not from mind.
I was thinking why in the context of today’s maturity of Artificial Intelligence (AI) we cannot fully automate Penetration Testing (or “maybe” we will never be able to). Here are the top reasons that come to my mind.
( Read More: Major Components Of IT GRC Solutions )
Penetration Testing: Multi Stage Attack Planning is a PSPACE Complete Problem
In Penetration Testing, attack chaining becomes a critical element in terms of strategizing as well as executing some brilliant hacks. Human mind sometimes can compute some brilliant attack plans in just a jiffy. However, when we try to model this as a standard “AI Planning” problem, we get into a mess. Every exploit/attack can be modeled as an action with precondition and post condition. So, the standard solution we can think of is to use “Planning Algorithms” to build the entire attack graph. However, the challenge is with state explosion and we will immediately run out of memory (PSPACE Complete Problem). Though approximations can help, it can never find all the possible attack paths the moment the number of nodes increases beyond a threshold. However, when it comes to coverage, AI would definitely do better than humans (since humans get bored).
Modeling Creativity is a Hard Problem
There had been some work in terms of Artificial Creativity. We do have AI programs writing Poems (Flowerewolf). However we are quite far from creating automation that can match the human creativity. There are potential ways to model creativity. As an example you can model the knowledge from one field and apply it in a completely different field and in some cases you may end up with a "creative model". However not much of work has happened to model human creativity in the field of ethical hacking.
Programs cannot Question the Assumptions
Human minds can question the fundamental assumptions. However a program runs on fundamental assumptions. Einstein challenged the assumptions of Newton. Heisenberg challenged the assumptions of Einstein and the game goes on. Any good pen tester/hacker challenges the assumption. When we broke Microsoft Bit locker encryption we challenged the assumption of the coders that from user land BIOS memory cannot be accessed. A program does not have the capability to challenge the assumptions and that is a severe limitation when it comes to automating Penetration Testing.
“Artificial Intuition” is still in early days
Humans have intuition. As per wiki- “Intuition is the ability to acquire knowledge without inference and/or the use of reason. Intuition provides us with beliefs that we cannot justify in every case”. We can sometime solve some brilliant problem without the use of any reasoning. Artificial Intuition is there to model this but we are still in quite a primitive state to match what our brains can do.
I am a big believer of AI and a bigger believer of the human mind. We did use some decent bit of AI to automate Penetration Testing during our iViZ days. While doing that I learn’t more of what we cannot do than what we can do. I am sure with time AI will get better but will we ever be able to do Penetration Testing without the humans?