Authors: Ákos Milánkovich (Search Lab), Erkuden Rios (TECNALIA)

As cyber threats evolve and become increasingly sophisticated, the need for robust and resilient systems has never been more apparent. To address this challenge, AI4CYBER is working on both preventive and reactive tools to ensure cyber resilience. The preventive tools aim to empower developers to create more secure software and systems, while the reactive tools aid operators in security monitoring and response tasks.

One of the main ways to ensure system resilience is to prepare the system components to be robust against cyber incidents and attacks. As part of preparedness management, the security testing phase in the Dev phase of the DevOps cycle is a key activity whose goal is to verify that the components are free from flaws, known vulnerabilities and weaknesses.

Considering the exponentially growing complexity of software architectures, which can result in overwhelming volumes of code, automated tools have gained more and more prominence over the last decades. Among these tools, Artificial Intelligence-based solutions for code testing are becoming a fundamental means of verifying design robustness. AI-powered test automation and AI-based optimisation of vulnerability identification are two of the main ways in which AI is helping code testers do their job.

At the heart of the AI4CYBER approach to source code robustness is the AI-driven self-testing and automatic error correction system (AI4FIX). This solution harnesses advanced AI technologies, such as transformer networks and seq2seq models, which have proven successful in the machine translation of human languages. AI4FIX applies this technology to automatically correct robustness-related weaknesses in source code, a step that current code analysis tools cannot take without human intervention.

To ensure the efficacy of these automatic corrections, AI4FIX generates unit tests and validates the modified system using AI-based methods. This process relies on a repository of datasets created by analysing both owned and third-party software development records spanning decades. The extracted knowledge gives insight into how the software has evolved, enabling AI4FIX to detect and rectify vulnerabilities as they arise.

Complementing AI4FIX, we are delivering the AI-enhanced vulnerability identification system (AI4VULN), which employs AI-boosted symbolic execution techniques to discover vulnerabilities in source code efficiently. By leveraging machine learning models, AI4VULN identifies the execution paths with a higher likelihood of security issues and prioritises their investigation, improving the overall effectiveness of symbolic execution.

Both AI4FIX and AI4VULN are currently being designed to respond to the needs identified in the AI4CYBER use cases, and their initial validated version is expected in August next year. Both tools will have an open source version, so please stay tuned!