In Japan, there is a shortage of information security engineers. So I am focusing on artificial intelligence (AI) technology to solve this lack of human resources. I have developed an AI called SAIVS (Spider Artificial Intelligence Vulnerabilities Scanner) to detect vulnerabilities in web apps. The goal of SAIVS is to attain an ability equal to or higher than that of vulnerability diagnosis members. Currently, SAIVS is a prototype.
However, it can detect vulnerabilities in web apps like a human.
1. It can crawl web apps.
SAIVS can crawl web apps that include dynamic pages such as "login" and "create account".
For example, SAIVS recognizes the type of the page. If it crawls the login page without having a login credential, it creates a login credential on the create account page. After it logs in with the created login credential, it crawls the rest of the pages.
2. It can detect vulnerabilities.
SAIVS can detect vulnerabilities efficiently by observing the behavior of web apps.
I achieve these actions by simulating the thinking pattern of vulnerability diagnosis members using multiple machine learning algorithms.
My presentation will explain how this ability was made possible by the machine learning algorithms and show a demo (detecting reflected XSS).
--- Isao Takaesu
Web security engineer at Mitsui Bussan Secure Directions, Inc. CISSP.
I have worked on detecting vulnerabilities in web applications (web application diagnosis) for seven years. These days, I have been hoping to detect more vulnerabilities, but I feel the limitation of human resources. So I am focusing on machine learning for web application diagnosis, and have tried to develop the AI called SAIVS. In the future, I really want SAIVS to take over my web application diagnosis tasks. Furthermore, SAIVS was introduced at Black Hat Asia 2016 Arsenal in Singapore, and was well received.