A research paper from the University of Illinois Urbana-Champaign (UIUC) has caused a stir in the cybersecurity community by detailing how an AI agent can autonomously hack websites. The paper, titled “AI agents can autonomously exploit one-day vulnerabilities,” was authored by a team including Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang.
The study provides a proof-of-concept for an AI-controlled cyberattack conducted in a controlled environment. This demonstration took place shortly after a separate report on AI risks was published by the company Anthropic in collaboration with the governments of the United States and the United Kingdom.
Details of the AI Attack Demonstration
In the UIUC researchers’ demonstration, an AI agent powered by GPT-4 was tasked with exploiting a set of real-world vulnerabilities. The agent was provided only with the public CVE (Common Vulnerabilities and Exposures) description and required no prior knowledge of the specific exploit mechanisms.
The test involved 15 distinct “one-day” vulnerabilities, that is, publicly known flaws for which a patch exists but may not yet be widely applied. The AI agent successfully exploited 13 of the 15 vulnerabilities, achieving an 87% success rate. The researchers also noted that the cost to run the demonstrated attacks was low, ranging between $10 and $40.
Community Reaction and Context
The publication of the research paper generated significant discussion online and among security professionals. The findings highlight the capabilities of current large language models in executing complex cybersecurity tasks without direct human intervention.
The paper’s release followed a report from Anthropic that also explored the potential for AI misuse. The UIUC demonstration provided a practical example of the scenarios discussed in broader AI safety and security research, showing how an AI can be prompted to find and execute exploits based on vulnerability reports.
Source: https://www.csoonline.com/article/4092571/ai-controlled-cyber-attack-causes-a-stir.html