dc.contributor.advisor | Esquivel-Vargas, Herson | es
dc.contributor.author | Vargas-Rivera, Andrés Felipe
dc.date.accessioned | 2025-11-03T18:27:15Z
dc.date.available | 2025-11-03T18:27:15Z
dc.date.issued | 2024-05-22
dc.identifier.uri | https://hdl.handle.net/2238/16410
dc.description | Graduation Project (Master's in Computing), Instituto Tecnológico de Costa Rica, Escuela de Ingeniería en Computación, 2024. | es
dc.description.abstract | Security vulnerabilities are inherent to software systems. Nevertheless, the software industry is continuously growing and so is the number of security vulnerabilities discovered every year. For instance, during the year 2023, an average of 79 software vulnerabilities were published every day. In the software security field, the use of vulnerability scanners is common practice. These tools have databases of known vulnerabilities and verify whether a target system is vulnerable by looking for matching records in their database. Although vulnerability scanners automate the tedious process of checking software applications for vulnerabilities, the daily updates to vulnerability scanners remain, predominantly, a manual task. This poses a scalability problem for vulnerability scanners. In this work, we present a novel architecture designed to automate vulnerability identification in software products. This thesis explores the architecture’s underlying principles, its implementation, and its performance evaluation. We demonstrate how our system effectively identifies vulnerabilities by using pre-existing AI tools, thereby empowering organizations to proactively secure their software assets, protect sensitive data, and enhance overall cybersecurity resilience. The architecture proposes the use of a database that contains vulnerability signatures which, when compared with the signature of a software product, are used to identify vulnerabilities. To demonstrate the viability of the architecture, two implementations are carried out. The first uses a heuristic model, and the second uses Artificial Intelligence (AI), more specifically a Generative Pre-Trained Transformer (GPT) model. The results showed that, for signature generation, the GPT model automatically creates the vulnerability database signatures with an accuracy of 100%, whereas its heuristic counterpart achieves a modest 73,2%.
In the vulnerability identification process, the recall metric is crucial because it reflects the ability to detect actual vulnerabilities among all possible cases. Our results show that the GPT-based approach exhibited significantly higher recall (94,6%) than the heuristic-based Vulnerability Identification System (23,8%), indicating a more reliable detection of vulnerabilities. This advantage means that using GPT for vulnerability identification reduces the risk of missing critical vulnerabilities, leading to a more secure and resilient system. Based on the results obtained, we conclude that the proposed architecture is able to automate MITRE CVE-based vulnerability identification, with Artificial Intelligence being one of the most promising technologies to automate and improve future vulnerability identification systems. | es
dc.language.iso | eng | es
dc.publisher | Instituto Tecnológico de Costa Rica | es
dc.rights | open access | es
dc.subject | Artificial intelligence | es
dc.subject | Testing -- Security | es
dc.subject | Software systems | es
dc.subject | Software applications | es
dc.subject | Vulnerability -- Identification | es
dc.subject | Automation -- Vulnerability | es
dc.subject | Feasibility -- Architecture | es
dc.subject | Heuristics | es
dc.subject | Research Subject Categories::TECHNOLOGY::Information technology::Computer science | es
dc.title | GPT-based identification of publicly known vulnerabilities | es
dc.type | master's thesis | es

