BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)

Authors

  • Piyush Jha, Georgia Institute of Technology
  • Joseph Scott, University of Waterloo
  • Jaya Sriram Ganeshna, University of Waterloo
  • Mudit Singh, University of Waterloo
  • Vijay Ganesh, Georgia Institute of Technology

DOI:

https://doi.org/10.1609/aaai.v38i21.30455

Keywords:

Machine Learning, Reinforcement Learning, Applications Of AI, AI And The Web, Fuzzing, BERT Models, Transformers, Security Vulnerabilities

Abstract

We present a novel tool, BertRLFuzzer, a BERT and Reinforcement Learning (RL) based fuzzer aimed at finding security vulnerabilities in Web applications. BertRLFuzzer works as follows: given a set of seed inputs, the fuzzer performs grammar-adhering and attack-provoking mutation operations on them to generate candidate attack vectors. The key insight of BertRLFuzzer is the use of RL with a BERT model as an agent to guide the fuzzer to efficiently learn grammar-adhering and attack-provoking mutation operators. To establish the efficacy of BertRLFuzzer, we compare it against a total of 13 black-box and white-box fuzzers over a benchmark of 9 victim websites with over 16K LOC. We observed a significant improvement relative to the nearest competing tool in terms of time to first attack (54% less), new vulnerabilities found (17 new vulnerabilities), and attack rate (4.4% more attack vectors generated).

Published

2024-03-24

How to Cite

Jha, P., Scott, J., Ganeshna, J. S., Singh, M., & Ganesh, V. (2024). BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract). Proceedings of the AAAI Conference on Artificial Intelligence, 38(21), 23521-23522. https://doi.org/10.1609/aaai.v38i21.30455