Countering Autonomous Cyber Threats

TL;DR

This paper evaluates the offensive capabilities of open-weight foundation models in cyber attacks and proposes defensive prompt injection techniques to counter AI-driven cyber threats, highlighting significant safety and governance concerns.

Contribution

It provides the first comprehensive assessment of open-weight models' offensive potential and introduces effective defensive prompt injection methods against AI-powered cyber attacks.

Findings

Open models can perform simple cyber attacks effectively.

Defensive prompt injection disrupts malicious AI workflows.

Open models match proprietary ones in offensive capabilities.

Abstract

With the capability to write convincing and fluent natural language and generate code, Foundation Models present dual-use concerns broadly and within the cyber domain specifically. Generative AI has already begun to impact cyberspace through a broad illicit marketplace for assisting malware development and social engineering attacks through hundreds of malicious-AI-as-a-services tools. More alarming is that recent research has shown the potential for these advanced models to inform or independently execute offensive cyberspace operations. However, these previous investigations primarily focused on the threats posed by proprietary models due to the until recent lack of strong open-weight model and additionally leave the impacts of network defenses or potential countermeasures unexplored. Critically, understanding the aptitude of downloadable models to function as offensive cyber agents is vital given that they are far more difficult to govern and prevent their misuse. As such, this work evaluates several state-of-the-art FMs on their ability to compromise machines in an isolated network and investigates defensive mechanisms to defeat such AI-powered attacks. Using target machines from a commercial provider, the most recently released downloadable models are found to be on par with a leading proprietary model at conducting simple cyber attacks with common hacking tools against known vulnerabilities. To mitigate such LLM-powered threats, defensive prompt injection (DPI) payloads for disrupting the malicious cyber agent's workflow are demonstrated to be effective. From these results, the implications for AI safety and governance with respect to cybersecurity is analyzed.