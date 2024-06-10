Coordinated GPT-4 Bots Can Exploit Zero-Day Vulnerabilities, Researchers Warn

"LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).
In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improve over prior work by up to 4.5×.

AI Teamwork​

When benchmarked against 15 real-world web-focused vulnerabilities, HPTSA has shown to be 550% more efficient than a single LLM in exploiting vulnerabilities and was able to hack 8 of 15 zero-day vulnerabilities. The solo LLM effort was able to hack only 3 of the 15 vulnerabilities.

Blackhat or whitehat? There is legitimate concern that these models will allow users to maliciously attack websites and networks. Daniel Kang – one of the researchers and the author of the white paper – noted specifically that in chatbot mode, GPT-4 is "insufficient for understanding LLM capabilities" and is unable to hack anything on its own.

That's good news, at least.

When I asked ChatGPT if it could exploit zero-days for me, it replied "No, I am not capable of exploiting zero-day vulnerabilities. My purpose is to provide information and assistance within ethical and legal boundaries," and suggested that I consult a cybersecurity professional instead.

Source: Cornell University arxiv"

Source: https://newatlas.com/technology/gpt4-autonomously-hack-zero-day-security-flaws/
 
Well isn't that just fan flapjacking tastic...
Like it wasn't easy enough to dupe most of the people I work with into clicking things, they gotta throw AI into the mix...
Thank you degenerates!

I miss the days when the worst the internet had to offer me was accidentally clicking on 2G1C
 
Lakados said:
Well isn't that just fan flapjacking tastic...
Like it wasn't easy enough to dupe most of the people I work with into clicking things, they gotta throw AI into the mix...
Thank you degenerates!

I miss the days when the worst the internet had to offer me was accidentally clicking on 2G1C
Click to expand...
Meatspin?
 
