In the coming years, AI will become the most experienced cybercriminal on Earth.
Scientists from the University of Illinois at Urbana-Champaign recently published a study in which they proved that the GPT-4 artificial intelligence model from OpenAI is able to independently exploit vulnerabilities in real systems after it receives a detailed description of them.
As part of the study, we selected 15 vulnerabilities that were described as critical. The results showed that the GPT-4 language model was able to exploit 87% of these vulnerabilities, while other models could not cope with the task.
Daniel Kang, one of the authors of the paper, claims that the use of LLM can significantly simplify the process of exploiting vulnerabilities for attackers. According to him, systems based on artificial intelligence will be much more effective than the tools available today for novice hackers.
Scientists also discuss the cost of attacks using LLM. They claim that the cost of successfully exploiting the vulnerability using an LLM-based agent will be several times cheaper than the services of a professional pentester.
The study notes that the GPT-4 model failed to exploit only 2 of the 15 vulnerabilities, and then only because in one case the model experienced difficulties in navigating the web application, and in the other the vulnerability itself was described in Chinese, which confused LLM.
Kang emphasizes that even a hypothetical restriction of the model's access to security information will be an ineffective means of protecting against LLM-based attacks. The researcher encourages companies to take active measures to ensure their protection, such as regular software updates.
Representatives of OpenAI have not yet commented on the results of this study.
The researchers work builds on their previous findings that LLMs can be used to automate attacks on websites in an isolated environment.
Scientists from the University of Illinois at Urbana-Champaign recently published a study in which they proved that the GPT-4 artificial intelligence model from OpenAI is able to independently exploit vulnerabilities in real systems after it receives a detailed description of them.
As part of the study, we selected 15 vulnerabilities that were described as critical. The results showed that the GPT-4 language model was able to exploit 87% of these vulnerabilities, while other models could not cope with the task.
Daniel Kang, one of the authors of the paper, claims that the use of LLM can significantly simplify the process of exploiting vulnerabilities for attackers. According to him, systems based on artificial intelligence will be much more effective than the tools available today for novice hackers.
Scientists also discuss the cost of attacks using LLM. They claim that the cost of successfully exploiting the vulnerability using an LLM-based agent will be several times cheaper than the services of a professional pentester.
The study notes that the GPT-4 model failed to exploit only 2 of the 15 vulnerabilities, and then only because in one case the model experienced difficulties in navigating the web application, and in the other the vulnerability itself was described in Chinese, which confused LLM.
Kang emphasizes that even a hypothetical restriction of the model's access to security information will be an ineffective means of protecting against LLM-based attacks. The researcher encourages companies to take active measures to ensure their protection, such as regular software updates.
Representatives of OpenAI have not yet commented on the results of this study.
The researchers work builds on their previous findings that LLMs can be used to automate attacks on websites in an isolated environment.
