Deep ahead-of-threat virtual patching
Fady Copty, Andre Kassis, Sharon Keidar-Barner, Dov Murik

TL;DR
This paper introduces a novel AI-based approach for virtual patching that predicts potential malicious inputs in real time, enabling proactive defense against vulnerabilities before they are discovered or exploited.
Contribution
It presents an innovative method using deep neural networks trained on synthetic data to detect malicious inputs ahead of vulnerability discovery.
Findings
Achieved over 91% accuracy in predicting malicious inputs for LibXML2 and LibTIFF.
Demonstrated the feasibility of ahead-of-threat virtual patching in real-world applications.
Showed potential to stay ahead of attackers by predicting vulnerabilities before they are exploited.
Abstract
Many applications have security vulnerabilities that can be exploited. It is practically impossible to find all of them due to the NP-complete nature of the testing problem. Security solutions provide defenses against these attacks through continuous application testing, fast-patching of vulnerabilities, automatic deployment of patches, and virtual patching detection techniques deployed in network and endpoint security tools. These techniques are limited by the need to find vulnerabilities before the black-hats. We propose an innovative technique to virtually patch vulnerabilities before they are found. We leverage testing techniques for supervised-learning data generation, and show how artificial intelligence techniques can use this data to create predictive deep neural-network models that read an application's input and predict in real time whether it is a potential malicious input.…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Web Application Security Vulnerabilities
