Caturano, Francesco (2021) Automated Offensive Security: Intelligence is all you need. [Doctoral thesis]

Item Type: Doctoral thesis
Resource language: English
Title: Automated Offensive Security: Intelligence is all you need
Creators: Caturano, Francesco (francesco.caturano@unina.it)
Date: 13 December 2021
Number of Pages: 178
Institution: Università degli Studi di Napoli Federico II
Department: Ingegneria Elettrica e delle Tecnologie dell'Informazione
Doctoral programme: Ingegneria informatica ed automatica
Doctoral cycle: 34
Doctoral programme coordinator: Riccio, Daniele (daniele.riccio@unina.it)
Tutor: Romano, Simon Pietro (email: UNSPECIFIED)
Keywords: offensive security, penetration testing, cybersecurity, reinforcement learning, cross-site scripting, intelligent agent, expert system, knowledge graph, artificial intelligence, ethical hacking, exploitation
MIUR scientific-disciplinary sectors: Area 09 - Industrial and Information Engineering > ING-INF/05 - Information Processing Systems
Date Deposited: 16 Feb 2022 14:53
Last Modified: 28 Feb 2024 12:04
URI: http://www.fedoa.unina.it/id/eprint/14276

Collection description

Offensive security is the practice of testing security measures from the adversary's perspective. Though it is constantly growing from a set of disorganized hacking practices into a mature and separate engineering discipline, most of it still relies on personal experience and skills. Tools that automate security testing perform well when they have to provide hints on what the most promising attack plan is. However, they rely heavily on inefficient business logic models, such as brute force. These are far from the way human testers, who try to be as precise and efficient as possible, would work. This thesis deals with offensive security by exploring a few approaches to its automation that are inspired by the way security experts would act. First, a Reinforcement Learning-based intelligent agent that discovers Cross-Site Scripting vulnerabilities is presented. In particular, the design and implementation of an interactive Reinforcement Learning environment are discussed. Such a framework allows the agent to learn autonomously, through interactions with the environment, the policy that an expert penetration tester applies to look for such vulnerabilities in a web application. The final platform is evaluated against other popular automated frameworks in order to show the improvements in terms of accuracy and efficiency. Then, an approach to creating an ontology for web application penetration testing, representing the knowledge of such a context in the form of a knowledge graph, is shown. The purpose of this work is to create an expert system that recommends the best actions to perform during a penetration test, by making inferences that output the most promising attack paths. Finally, a toolset for collecting actions performed during a web application penetration test, such as browser interactions as well as generated network traffic, is presented. Such a platform is capable of creating datasets of hacking sessions, in order to promote research in the field of machine learning applied to cybersecurity.
