Agent-based (BDI) modeling for automation of penetration testing

TL;DR

This paper introduces an automated penetration testing method using BDI agent modeling, enabling interactive, adaptable, and extensible security assessments in complex environments, improving efficiency over static approaches.

Contribution

It presents a novel BDI agent-based framework for penetration testing, allowing dynamic, interactive, and extensible automation beyond static attack graph methods.

Findings

Successful proof of concept implementation in simulated environments

Enhanced adaptability to complex and dynamic targets

Potential for reducing manual effort and costs in pentesting

Abstract

Penetration testing (or pentesting) is one of the widely used and important methodologies to assess the security of computer systems and networks. Traditional pentesting relies on the domain expert knowledge and requires considerable human effort all of which incurs a high cost. The automation can significantly improve the efficiency, availability and lower the cost of penetration testing. Existing approaches to the automation include those which map vulnerability scanner results to the corresponding exploit tools, and those addressing the pentesting as a planning problem expressed in terms of attack graphs. Due to mainly non-interactive processing, such solutions can deal effectively only with static and simple targets. In this paper, we propose an automated penetration testing approach based on the belief-desire-intention (BDI) agent model, which is central in the research on agent-based processing in that it deals interactively with dynamic, uncertain and complex environments. Penetration testing actions are defined as a series of BDI plans and the BDI reasoning cycle is used to represent the penetration testing process. The model is extensible and new plans can be added, once they have been elicited from the human experts. We report on the results of testing of proof of concept BDI-based penetration testing tool in the simulated environment.