Measuring and Augmenting Large Language Models for Solving Capture-the-Flag Challenges

TL;DR

This paper evaluates large language models' ability to solve cybersecurity Capture-the-Flag challenges, introduces a focused benchmark to measure their knowledge application, and proposes a new framework that significantly improves their problem-solving performance.

Contribution

It constructs the CTFKnow benchmark for measuring LLMs' cybersecurity knowledge and introduces CTFAgent, a novel framework with modules that enhance LLMs' CTF-solving capabilities.

Findings

LLMs have substantial technical knowledge but struggle with applying it effectively.

CTFAgent achieves over 80% performance improvement on CTF datasets.

In picoCTF2024, CTFAgent ranked in the top 23.6% of nearly 7,000 teams.

Abstract

Capture-the-Flag (CTF) competitions are crucial for cybersecurity education and training. As large language models (LLMs) evolve, there is increasing interest in their ability to automate CTF challenge solving. For example, DARPA has organized the AIxCC competition since 2023 to advance AI-powered automated offense and defense. However, this demands a combination of multiple abilities, from knowledge to reasoning and further to actions. In this paper, we highlight the importance of technical knowledge in solving CTF problems and deliberately construct a focused benchmark, CTFKnow, with 3,992 questions to measure LLMs' performance in this core aspect. Our study offers a focused and innovative measurement of LLMs' capability in understanding CTF knowledge and applying it to solve CTF challenges. Our key findings reveal that while LLMs possess substantial technical knowledge, they falter in accurately applying this knowledge to specific scenarios and adapting their strategies based on feedback from the CTF environment. Based on insights derived from this measurement study, we propose CTFAgent, a novel LLM-driven framework for advancing CTF problem-solving. CTFAgent introduces two new modules: two-stage Retrieval Augmented Generation (RAG) and interactive Environmental Augmentation, which enhance LLMs' technical knowledge and vulnerability exploitation on CTF, respectively. Our experimental results show that, on two popular CTF datasets, CTFAgent both achieves over 80% performance improvement. Moreover, in the recent picoCTF2024 hosted by CMU, CTFAgent ranked in the top 23.6% of nearly 7,000 participating teams. This reflects the benefit of our measurement study and the potential of our framework in advancing LLMs' capabilities in CTF problem-solving.