RSA Conference

AI may soon find and patch a software bug automatically

The cybersecurity industry is getting closer to artificial intelligence that can find and patch software bugs automatically, but that same tech could lead to autonomous hacking.

SAN FRANCISCO -- At RSA Conference 2016 this week, Konstantinos Karagiannis, CTO of security consulting at BT America, said artificial intelligence is set to make a leap in the next 10 years, but it may be as soon as this summer that a software bug can be found and patched by autonomous programs.

Software bug beware

Karagiannis said, traditionally, when the term "hacking machine" was used, it referred to a vulnerability scanner that had no artificial intelligence (AI), even in the narrow sense. Scanners have design flaws that keep the technology from being of much use in autonomous hacking or patching, but Karagiannis said the most critical flaw was a lack of multistep thinking.

"I like to think of [scanners] like collision detection programs, kind of like little cockroach robots that MIT was working on. You know, they can move and detect a wall, then move around it, but they'll never learn," Karagiannis said. "We see that in a lot of scanners. It's just this, 'Hey, I can do it; I can't do it; move on,' and there's no multistep thinking that happens there."

Karagiannis said logic flow is critical, and programs need to be able to follow a natural progression. While IBM's Deep Blue and Watson were able to show machine thinking, Karagiannis said they were still narrow AI, focused on single tasks.

Modern AI, such as Google's DeepMind and various neural networks, has been reducing intelligence to an algorithm, Karagiannis said, and can simulate short-term memory. With fast cycles of repetition, this short-term memory has allowed machines to learn how to play and beat games -- starting with Atari titles and going all the way up to Go, which has historically been seen as a benchmark for AI.

Google's DeepMind AlphaGo program will be taking on a Go master next week to test its skills, and Karagiannis said the sequential decision-making required in this task can be translated to hacking.

Will AI capture the flag?

Karagiannis said another major challenge for AI will be the DARPA Cyber Grand Challenge, a "capture the flag" contest to be held at DEF CON this summer.

"Capture the flag, in the sense that it's played at DEF CON, is not who can find a new vulnerability first. It's not that at all," Karagiannis said. "Capture the flag is finding flaws in new software and services that [have] never been seen before. These are brand-new binaries with flaws, and the teams have to find the flaws; they have to defend the services that they're responsible for, keep them running, and there's a referee making sure that all this is happening."

Karagiannis said these machines will attempt to reverse-engineer unknown software and heal software bugs in real time. These machines are not yet compatible with broadly used software, but they could be modified easily, Karagiannis said.

In a qualifying round, contestants were able to find 73% of software bugs in the binaries, and were able to patch 100% of those vulnerabilities, Karagiannis said.

"If you think about applying this to the real world," Karagiannis said, "if you have a machine, even if it patches software in an inefficient and non-elegant way, it's still a whole lot better than having a vulnerability living in your network, right?"

Karagiannis said the list of DARPA requirements for machines in this contest should scare IT specialists and security researchers who still want to have jobs in a few years. DARPA requires machines to be able to autonomously analyze and comprehend computer software; patch software bugs; perform vulnerability scanning and prove the existence of flaws found; offer service resiliency and maintain systems in real time; and discover and mitigate flaws.

Coming soon: The future

Karagiannis said within this year, threat monitoring and analytics could improve, while automating scanning may stagnate. But over the next 10 years, as AI improves and quantum computers become available, Karagiannis said the potential for autonomous hacking and security will jump.

"I imagine human hackers will be unlikely to keep up with bulk work. Not to say that they'll be useless; it's just that keeping up with the bulk will be impossible. We'll never be able to tackle as many applications in a given month as a machine would," Karagiannis said. "Universal quantum computers definitely within 10 years. Australia claims they'll have one within three years. I believe we'll have a universal quantum computer soon. Definitely within a decade, [public key] encryption will be useless."

"We have to prepare for tomorrow," Karagiannis said. "Even if it takes a while for narrow AI to become really diverse AI, it's here to stay. The demon that we've summoned is out of the bottle."


Related Discussions

Michael Heller asks:

How do you feel about the potential not only for AI-powered security, but AI-powered hacking machines as well?
