ML arms race

How an Open-Source ML Project is Helping Penetration Testers Hunt Security Flaws

Andrej Kovačević
© Shutterstock / josefkubes

The world of cybersecurity is rapidly becoming an ML arms race, where security pros arm themselves with ML and AI-enhanced defensive tools, while the bad guys use the technology to amplify the threat they pose. See what open source machine learning project is helping hunt security flaws.

In recent years, you haven’t had to look too hard to find amazing stories about how machine learning is revolutionizing everything it touches. It’s helping the energy sector cut down on its carbon emissions, which will help the world to avert the worst outcome in its climate change fight. It’s helping to fight fraud and increase efficiency in the financial sector.

But for all of the great positive ways that ML is making the world a better place, it’s important to also remember that it’s also being used in ways that aren’t so positive. And one of the areas where that’s certainly true is in the world of cybersecurity. It’s rapidly becoming an ML arms race, where security pros arm themselves with ML and AI-enhanced defensive tools, while the bad guys use the technology to amplify the threat they pose.

SEE ALSO: Introducing software fuzzing – part of AI and ML in DevOps

The most interesting of those tools, however, belong to a unique set of cybersecurity pros: penetration testers. They’re the security experts tasked with figuring out where a company’s digital vulnerabilities lay before anyone else can find them and exploit them. And recently, the world’s largest private penetration testing firm – Bishop Fox – added ML to its arsenal in a big way with the development of a tool called Eyeballer. But they’re not keeping it to themselves. It’s open-source and available for anyone to use. Here’s what it is and why it might help tip the balance in the world of cybersecurity towards the good guys.

The Laborious Process of Finding Vulnerabilities

In today’s digital environment, it’s growing more difficult than ever for businesses to keep themselves safe from determined attackers. Even security-focused businesses fall victim to security breaches and have to convince customers and the public they’ve fixed the flaws that led to their troubles. But one of the most difficult attack vectors for businesses to defend is their sometimes vast, public-facing web presence.

That’s because it’s not easy to make sure that every bit of public-facing web code is hardened, secure, and free from known vulnerabilities. That’s one of the reasons that experienced hackers focus on exploiting vulnerable websites as a way to gain a potential foothold in a targeted company’s systems. But they face the same obstacles as the defenders – that it takes a great deal of time to look through every available web page to hunt for telltale signs of potential vulnerability.

Eyeballer Knows What to Look For

It is that slow and laborious task that Eyeballer does for penetration testers. It uses a deep convolutional neural network (CNN) to analyze screenshots of webpages, ranking them as potential targets to exploit. The system can, for example, mark webpages that appear to be old, which is often a sign that there may be vulnerabilities to pry into.

It also goes looking for things like login fields, homepages, and custom 404 error pages. Those are all things that can easily get missed by a conventional automated scan. They’re also things that attackers look for as potential points of entry into protected systems. The good news is that Eyeballer can identify those pages fast enough for their owners to update or remove them, and long before any manual process ever could.

How Eyeballer Works

Like all CNNs, Eyeballer examines images by breaking them down into smaller pieces. The pieces are then grouped by their original proximity so the system can examine the pixel values. Then, whatever the system learned from the first analysis becomes the input for the next layer. After a few rounds, the system can begin to identify the general features of the image it’s working with.

In Eyeballer’s case, that means it will be able to see things like groupings of text fields and buttons that might indicate a login form. That is how Eyeballer can rank pages for further review by human penetration testers. And by doing so, it makes it possible for them to focus their efforts on the targets most likely to bear fruit – and to alert their clients to the vulnerabilities they discover.

SEE ALSO: “AIOps will play a key role in enhancing the security of IT infrastructure”

An Evolving Tool

In their tests of the Eyeballer approach, the original developers found that it had an accuracy of around 92%. While that’s far from perfect, it’s good enough to make Eyeballer a very useful tool in any penetration tester’s toolbox. And since it’s an open-source project, any security firm or independent expert can adapt it to their own needs – and so far the project’s been forked 48 times.

But as with all things, there’s a decent chance that the bad guys won’t be far behind. That means businesses should be doing whatever they can to leverage tools like Eyeballer to find and fix as many vulnerabilities as possible while they still can. Because if they don’t do it, they’re not going to like who does, and what they’re apt to do once they find a vulnerability to exploit.

Andrej Kovačević
Andrej is a digital marketing expert, editor at TechLoot, and a contributing writer for a variety of other technology-focused online publications. He has covered the intersection of marketing and technology for several years and is pursuing an ongoing mission to share his expertise with business leaders and marketing professionals everywhere.

Inline Feedbacks
View all comments