Formal Modeling and Automation are among the things I love. I try to model everything; sometimes modeling helps and sometimes it lands me in trouble. It helped when I tried to model Penetration Testing and worked with my co-founder to design the first version of our automated Penetration Testing tool. Where it did not help is dancing. I think I am a poor dancer because my mind keeps modeling: by the time I have modeled the step, I have missed the beat. I believe there are a few things we need to do from the heart and not from the mind.
I was thinking about why, given today’s maturity of Artificial Intelligence (AI), we cannot fully automate Penetration Testing (or “maybe” never will be able to). Here are the top reasons that come to my mind.
Multi Stage Attack Planning is a PSPACE Complete Problem
In Penetration Testing, attack chaining becomes a critical element both for strategizing and for executing some brilliant hacks. The human mind can sometimes compute a brilliant attack plan in a jiffy. However, when we try to model this as a standard “AI Planning” problem, we get into a mess. Every exploit/attack can be modeled as an action with a precondition and a postcondition, so the standard solution is to use “Planning Algorithms” to build the entire attack graph. The challenge is state explosion: the number of states grows exponentially with the number of hosts and facts, and we immediately run out of memory (plan existence for this kind of planning is a PSPACE-complete problem). Approximations can help, but they can never find all the possible attack paths once the number of nodes grows beyond a threshold. However, when it comes to coverage, AI would definitely do better than humans (since humans get bored).
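To make that formulation concrete, here is an added Python sketch that is not part of the original post and not the author's tool. It models a small lab network exactly the way the paragraph describes: each step is an action with a precondition set and a postcondition set, a breadth-first planner chains them into the shortest path to a "crown jewel" host, and a second routine enumerates the whole reachable state space to show how fast it grows. All hosts, facts ("flaw", "admin-session", "credential-known") and action names are constructed labels for a toy network, not real exploits, and the `credential_harvestable` switch is my own addition to show the defender's use of the same graph: remove one precondition and every path disappears.

```python
"""Toy STRIPS-style attack-graph planner (constructed illustration).
Facts are strings, states are frozensets of facts, effects are add-only."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """Applicable when every fact in `pre` holds; applying it adds `add`."""
    name: str
    pre: frozenset
    add: frozenset


def build_model(n_hosts, credential_harvestable=True):
    """Constructed lab model with n_hosts >= 3 hosts h0..h{n-1}.
    h0 is the assessor's starting foothold, h1..h{n-2} carry a
    hypothetical local flaw, h1 also holds an admin session from which
    a credential can be harvested (unless credential_harvestable is
    False), and the last host (the crown jewel) has no flaw and only
    accepts that credential."""
    assert n_hosts >= 3
    hosts = [f"h{i}" for i in range(n_hosts)]
    initial = {f"foothold:{hosts[0]}"}
    initial |= {f"flaw:{h}" for h in hosts[1:-1]}
    if credential_harvestable:
        initial.add(f"admin-session:{hosts[1]}")
    actions = []
    for h in hosts[1:]:
        # Flat network: any host with a foothold can reach any other host.
        for src in hosts:
            if src != h:
                actions.append(Action(f"reach {h} from {src}",
                                      frozenset({f"foothold:{src}"}),
                                      frozenset({f"reachable:{h}"})))
        actions.append(Action(f"use local flaw on {h}",
                              frozenset({f"reachable:{h}", f"flaw:{h}"}),
                              frozenset({f"foothold:{h}"})))
        actions.append(Action(f"log in to {h} with harvested credential",
                              frozenset({f"reachable:{h}", "credential-known"}),
                              frozenset({f"foothold:{h}"})))
        actions.append(Action(f"harvest credential on {h}",
                              frozenset({f"foothold:{h}", f"admin-session:{h}"}),
                              frozenset({"credential-known"})))
    goal = frozenset({f"foothold:{hosts[-1]}"})
    return frozenset(initial), actions, goal


def successors(state, actions):
    """Yield (action, next_state) for each applicable action that changes
    the state; add-only effects make the space a finite lattice."""
    for a in actions:
        if a.pre <= state and not a.add <= state:
            yield a, state | a.add


def shortest_attack_path(n_hosts, credential_harvestable=True):
    """Breadth-first search from the initial state to the goal. Returns the
    action names on a shortest path, or None if the goal is unreachable."""
    initial, actions, goal = build_model(n_hosts, credential_harvestable)
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if goal <= state:
            path = []
            while parent[state] is not None:
                action, prev = parent[state]
                path.append(action.name)
                state = prev
            return path[::-1]
        for action, nxt in successors(state, actions):
            if nxt not in parent:
                parent[nxt] = (action, state)
                queue.append(nxt)
    return None


def reachable_state_count(n_hosts, credential_harvestable=True):
    """Size of the full reachable state space, i.e. what an exhaustive
    attack-graph builder has to keep in memory. For this constructed
    model it works out to 3**(n_hosts-1): exponential in host count."""
    initial, actions, _ = build_model(n_hosts, credential_harvestable)
    seen = {initial}
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        for _, nxt in successors(state, actions):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen)


if __name__ == "__main__":
    print("shortest path to crown jewel:", shortest_attack_path(4))
    for n in range(3, 9):
        print(n, "hosts ->", reachable_state_count(n), "reachable states")
    print("with the admin session removed:",
          shortest_attack_path(4, credential_harvestable=False))
```

Two things are worth noticing when running it. The planner always finds the five-step chain (reach h1, use its flaw, harvest the credential, reach the crown jewel, log in with the credential), but the number of states it would have to enumerate for full coverage triples with every host added, which is the state explosion the paragraph describes. And the same graph answers the defender's question: with the admin session on h1 gone, the harvest action never becomes applicable and no path to the crown jewel exists at all.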
Modeling Creativity using Artificial Intelligence is far-fetched
Well, there has been some work on Artificial Creativity. We do have AI programs writing poems (Flowerewolf). It might be an interesting tool for busy Pen Testers to create some romantic verse for their girlfriends/wives. Please indemnify the author if it doesn’t work. When it comes to designing cool and creative attacks, we still do not have any substantial algorithm to match human creativity.
Programs cannot Question the Assumptions
Human minds can question fundamental assumptions; a program, however, runs on fundamental assumptions. Einstein challenged the assumptions of Newton, Heisenberg challenged the assumptions of Einstein, and the game goes on. Any good pen tester/hacker challenges assumptions. When we broke Microsoft BitLocker encryption, we challenged the coders’ assumption that BIOS memory cannot be accessed from user land. A program does not have the capability to challenge assumptions, and that is a severe limitation when it comes to automating Penetration Testing.
“Artificial Intuition” is still in early days
Humans have intuition. As per Wikipedia: “Intuition is the ability to acquire knowledge without inference and/or the use of reason. Intuition provides us with beliefs that we cannot justify in every case.” We can sometimes solve a brilliant problem without the use of any reasoning. Artificial Intuition aims to model this, but we are still in quite a primitive state compared to what our brains can do.
I am a big believer in AI and a bigger believer in the human mind. We did use a decent bit of AI to automate Penetration Testing. While doing that I learnt more about what we cannot do than about what we can. I am sure AI will get better with time, but will we ever be able to do Penetration Testing without humans?