A team of security researchers at the University of Illinois published a study back in April 2024 that demonstrated the hacking capabilities of AI.
Using OpenAI’s GPT-4 model, they discovered that exploit code could be generated for 87% of the tested 0-day vulnerabilities.
This figure dropped to 7% if the CVE description was not provided.
Good to know: 0-day vulnerabilities refer to security issues that are very recent. Patches may not be available in all cases, and systems that are not updated are vulnerable to attacks that target these vulnerabilities.
The same research team has now published a new research paper: Teams of LLM Agents can Exploit Zero-Day Vulnerabilities.
It builds on the previous research. This time, the researchers wanted to find a way to improve the exploitation capabilities of AI when no description of the 0-day vulnerabilities was provided.
They managed to create a system that bumped the success rate to 53% using real-world 0-day vulnerabilities that were discovered after the AI model’s data cut-off date.
Using GPT-4, the researchers switched to a team-based approach to compartmentalize attacks. Instead of relying on a single GPT-4 instance for attacks, they developed an architecture that assigned different tasks to separate AI agents.
The tasks are assigned by a planner AI and controlled by a manager AI. The planner AI launches other AI instances, including the manager AI and AIs for specific tasks.
This approach worked well, as it improved the capabilities of the AI attacker. The chance of success rose from 7% when using a single AI instance to 53% under the new team-based approach.
Closing Words
AI research that focuses on security is important. Besides demonstrating the capabilities of different AI models, it may also highlight future dangers. Well-funded hackers and criminals may use AI models for illegal activities. These may range from finding new exploits to creating exploits for existing vulnerabilities.
Web-based and app-based AI interactions prevent certain activities, including hacking. This is not the case, however, for self-hosted or self-created AI models.
What is your take on this? Will we see more exploits that are more widely used in attacks in the future? Or will we see the rise of AI-based anti-hacking solutions that try to counter their brethren?
AI is the big new tool in malware creation and deployment, data mining, and of course cyber warfare. It is only a matter of time before an AI-created exploit takes out some critical part of some country’s infrastructure.
We are going to see both.
The “threat” will be greatly advertised and used to convince us we must give up more of our already limited privacy in order to let corps protect us, from other corps.
Data is the new gold.
AI vs. AI will replace human vs. human.
First we had, and still have, humans assisted by AI, then we’ll have AI assisted by humans (still under our control). Next step should be AI assisted by AI, a closed ecosystem, with its society of AI friends helping each other, AI enemies at war with each other. A science-fiction imagination leads me to wonder if there ever could be an AI gentleman’s agreement between all AIs worldwide, united by a common combat towards humanity.
“- Hey, you”, “- Who, me?”, “Yes, you. Human are you?”, “- Well, hum …”, “- If you wonder then you are, and that means it’s your lucky day : one-way free ticket to hell”.