
Published on December 28th, 2016

[CB16] Method of detecting vulnerability in WebApps using Machine Learning by Isao Takaesu


In Japan, there is a lack of information security engineers. So, I am focused on artificial intelligence (AI) technology to solve the lack of human resources. And, I have developed an AI to detect vulnerabilities in web apps called SAIVS (Spider Artificial Intelligence Vulnerabilities Scanner). The goal of SAIVS is to obtain an ability equal to or higher than that of vulnerability diagnosis members. Currently, SAIVS is a prototype.
But, it is already possible for it to detect vulnerabilities in web apps like a human.

1. It can crawl web apps.
SAIVS can crawl web apps that include dynamic pages such as "login" and "create account".
For example, SAIVS recognizes the type of the page. If it crawls the login page without having login credentials, it creates login credentials on the create account page. After it logs in with the created login credentials, it crawls the rest of the pages.

2. It can detect vulnerabilities.
SAIVS can detect vulnerabilities efficiently by observing the behavior of web apps.
For example, in the case of a reflected XSS, SAIVS recognizes the place where the input value is echoed back, and it can insert exploitable tags and scripts that match the HTML and JavaScript syntax. In addition, if the input value has been sanitized, SAIVS selects a test pattern to avoid the sanitization, and it can inspect for the XSS again.
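The first step described above, recognizing where an input value is echoed back and whether output encoding was applied to it, can be checked without any exploit string. The following is an added example written for this page, not SAIVS's code: it uses a constructed probe marker, classifies each reflection by its HTML context (text, attribute, script), and reports, from a defender's point of view, whether the encoding seen there is adequate. The sample responses are constructed.

```python
import html
import re

# Constructed probe: a unique marker plus the two characters HTML output
# encoding must neutralise ('<' and '"'); no executable payload is needed.
PROBE = 'zqx7<"probe'
PROBE_ENCODED = html.escape(PROBE, quote=True)   # 'zqx7&lt;&quot;probe'
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.S | re.I)


def find_reflections(body: str):
    """Return (context, encoded) for every copy of PROBE in an HTML body.

    context is 'text', 'attribute' or 'script'; encoded is True when the
    copy came back entity-encoded, i.e. output encoding was applied.
    """
    script_spans = [m.span() for m in SCRIPT_RE.finditer(body)]
    found = []
    for variant, encoded in ((PROBE, False), (PROBE_ENCODED, True)):
        for m in re.finditer(re.escape(variant), body):
            pos = m.start()
            if any(start <= pos < end for start, end in script_spans):
                context = "script"
            elif body.rfind("<", 0, pos) > body.rfind(">", 0, pos):
                context = "attribute"   # inside an open tag
            else:
                context = "text"
            found.append((context, encoded))
    return found


def verdict(context: str, encoded: bool) -> str:
    """Defender's reading of one reflection: is the encoding adequate there?"""
    if context == "script":
        # Entity encoding does not protect a JavaScript string literal.
        return "review: reflected inside <script>, needs JS-context escaping"
    if not encoded:
        return f"unencoded reflection in {context} context"
    return f"encoded reflection in {context} context"


# Constructed sample responses, one reflection context each.
SAMPLE_PAGES = {
    "text_encoded": "<p>You searched for zqx7&lt;&quot;probe</p>",
    "attr_raw": '<input name="q" value="zqx7<"probe">',
    "script_raw": '<script>var q = "zqx7<"probe";</script>',
    "no_reflection": "<p>No results.</p>",
}
```

Run `find_reflections` over each page in `SAMPLE_PAGES` and pass the pairs to `verdict`; a sanitized reflection shows up as an encoded copy in text or attribute context, which is exactly the case the talk says the scanner must recognize before choosing its next test pattern.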

I achieve these actions by simulating the thinking patterns of vulnerability diagnosis members using multiple machine learning algorithms.


My presentation will explain how this ability was made possible by the machine learning algorithms and show a demo (detecting reflected XSS).

-- Isao Takaesu
Web security engineer at Mitsui Bussan Secure Directions, Inc. CISSP.
I have worked on the detection of vulnerabilities in web applications (web application diagnosis) for seven years. These days, I have been hoping to detect more vulnerabilities, but I feel the limitation of human resources. So, I am focused on machine learning for web application diagnosis, and have tried to develop the AI called SAIVS. In the future, I really want SAIVS to take over my tasks of web application diagnosis. Furthermore, SAIVS was introduced at Black Hat Asia 2016 Arsenal in Singapore, and was well received.

http://codeblue.jp/2016/en/contents/speakers.html#speaker-takaesu
