Polina Zilberman,Rami Puzis,Sunders Bruskin,Shai Shwarz,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.2003.01518

2020-10-02

Abstract:Threat emulators are tools or sets of scripts that emulate cyber attacks or malicious behavior. They can be used to create and launch single procedure attacks and multi-step attacks; the resulting attacks may be known or unknown cyber attacks. The motivation for using threat emulators varies and includes the need to perform automated security audits in organizations or reduce the size of red teams in order to lower pen testing costs; or the desire to create baseline tests for security tools under development or supply pen testers with another tool in their arsenal. In this paper, we review and compare various open-source threat emulators. We focus on tactics and techniques from the MITRE ATT&CK Enterprise matrix and determine whether they can be performed and tested with the emulators. We develop a comprehensive methodology for our qualitative and quantitative comparison of threat emulators with respect to general features, such as prerequisites, attack definition, cleanup, and more. Finally, we discuss the circumstances in which one threat emulator is preferred over another. This survey can help security teams, security developers, and product deployment teams examine their network environment or products with the most suitable threat emulator. Using the guidelines provided, a team can select the threat emulator that best meets their needs without evaluating all of them.

Cryptography and Security

Radu Marian Portase,Adrian Colesa,Gheorghe Sebestyen

DOI: https://doi.org/10.3390/s24175601

IF: 3.9

2024-09-01

Sensors

Abstract:Cybercriminals have become an imperative threat because they target the most valuable resource on earth, data. Organizations prepare against cyber attacks by creating Cyber Security Incident Response Teams (CSIRTs) that use various technologies to monitor and detect threats and to help perform forensics on machines and networks. Testing the limits of defense technologies and the skill of a CSIRT can be performed through adversary emulation performed by so-called "red teams". The red team's work is primarily manual and requires high skill. We propose SpecRep, a system to ease the testing of the detection capabilities of defenses in complex, heterogeneous infrastructures. SpecRep uses previously known attack specifications to construct attack scenarios based on attacker objectives instead of the traditional attack graphs or a list of actions. We create a metalanguage to describe objectives to be achieved in an attack together with a compiler that can build multiple attack scenarios that achieve the objectives. We use text processing tools aided by large language models to extract information from freely available white papers and convert them to plausible attack specifications that can then be emulated by SpecRep. We show how our system can emulate attacks against a smart home, a large enterprise, and an industrial control system.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Mantas Mazeika,Long Phan,Xuwang Yin,Andy Zou,Zifan Wang,Norman Mu,Elham Sakhaee,Nathaniel Li,Steven Basart,Bo Li,David Forsyth,Dan Hendrycks

DOI: https://doi.org/10.48550/arXiv.2402.04249

2024-02-27

Abstract:Automated red teaming holds substantial promise for uncovering and mitigating the risks associated with the malicious use of large language models (LLMs), yet the field lacks a standardized evaluation framework to rigorously assess new methods. To address this issue, we introduce HarmBench, a standardized evaluation framework for automated red teaming. We identify several desirable properties previously unaccounted for in red teaming evaluations and systematically design HarmBench to meet these criteria. Using HarmBench, we conduct a large-scale comparison of 18 red teaming methods and 33 target LLMs and defenses, yielding novel insights. We also introduce a highly efficient adversarial training method that greatly enhances LLM robustness across a wide range of attacks, demonstrating how HarmBench enables codevelopment of attacks and defenses. We open source HarmBench at <a class="link-external link-https" href="https://github.com/centerforaisafety/HarmBench" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Artificial Intelligence,Computation and Language,Computer Vision and Pattern Recognition

Jack Whitter-Jones,Mathew Evans

DOI: https://doi.org/10.48550/arXiv.1906.07242

2019-06-18

Abstract:Security testing has been a career path that many are beginning to take. In doing so, security testing can hit the realms of many different types of engagements, ranging from web, infrastructure and social engineering. With the risk of sabotage, corporate espionage it has been seen that many organisations are beginning to develop a tactical capability. In doing so, the term 'Red Team' has been coined to market such engagements. Red Teaming is the method of having almost free reign towards a target. By doing such an engagement a target will be able to fully understand the breadth of vulnerabilities facing their organisation. However, Red Teaming can be an expensive and resource intensive task. Through this paper, it is discussed that it is possible to make a covert disposable phone to help aide Red Teamer's with the reconnaissance phase without drawing attention to themselves within a day to day task.

Cryptography and Security

Zhenduo Wang,Saifei Li,Lijie Zhang,Chunduo Hu,Lianshan Yan

DOI: https://doi.org/10.1016/j.cose.2024.103945

IF: 5.105

2024-06-08

Computers & Security

Abstract:Post-penetration red team automation testing effectively addresses the pain points of traditional manual red teams, including manpower, time costs, and the high level of professional knowledge required, thereby improving the efficiency and effectiveness of red team penetration testing. However, introducing automation technology into the red team testing domain still faces numerous technical challenges. These challenges include accurately simulating real attack environments, coordinating complex attack actions, and effectively resolving uncertainties during the attack process. These challenges remain critical issues that require urgent solutions. In this context, we propose a post-penetration-oriented automated red team penetration test modeling and planning approach. The objective of this approach is to automatically generate attack paths, coordinate attack behaviors, and adjust attack behaviors based on feedback, enabling attacks on real target networks through corresponding operations. We conducted analysis and performance testing on our solution, comparing it with other available planners. Our experimental results demonstrate the effectiveness of the proposed planner in achieving automated penetration testing. Compared to other available planners, ours can generate valid attack paths more quickly and exhibits excellent performance in planning effectiveness and quality. Furthermore, our planner possesses wide applicability across various penetration testing scenarios.

computer science, information systems

Bojian Jiang,Yi Jing,Tianhao Shen,Tong Wu,Qing Yang,Deyi Xiong

2024-10-05

Abstract:Ensuring the safety of large language models (LLMs) is paramount, yet identifying potential vulnerabilities is challenging. While manual red teaming is effective, it is time-consuming, costly and lacks scalability. Automated red teaming (ART) offers a more cost-effective alternative, automatically generating adversarial prompts to expose LLM vulnerabilities. However, in current ART efforts, a robust framework is absent, which explicitly frames red teaming as an effectively learnable task. To address this gap, we propose Automated Progressive Red Teaming (APRT) as an effectively learnable framework. APRT leverages three core modules: an Intention Expanding LLM that generates diverse initial attack samples, an Intention Hiding LLM that crafts deceptive prompts, and an Evil Maker to manage prompt diversity and filter ineffective samples. The three modules collectively and progressively explore and exploit LLM vulnerabilities through multi-round interactions. In addition to the framework, we further propose a novel indicator, Attack Effectiveness Rate (AER) to mitigate the limitations of existing evaluation metrics. By measuring the likelihood of eliciting unsafe but seemingly helpful responses, AER aligns closely with human evaluations. Extensive experiments with both automatic and human evaluations, demonstrate the effectiveness of ARPT across both open- and closed-source LLMs. Specifically, APRT effectively elicits 54% unsafe yet useful responses from Meta's Llama-3-8B-Instruct, 50% from GPT-4o (API access), and 39% from Claude-3.5 (API access), showcasing its robust attack capability and transferability across LLMs (especially from open-source LLMs to closed-source LLMs).

Cryptography and Security,Computation and Language

Alexander Staves,Antonios Gouglidis,David Hutchison

DOI: https://doi.org/10.1145/3569958

2023-02-10

Digital Threats: Research and Practice

Abstract:Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this paper, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.

Maya Pavlova,Erik Brinkman,Krithika Iyer,Vitor Albiero,Joanna Bitton,Hailey Nguyen,Joe Li,Cristian Canton Ferrer,Ivan Evtimov,Aaron Grattafiori

2024-10-02

Abstract:Red teaming assesses how large language models (LLMs) can produce content that violates norms, policies, and rules set during their safety training. However, most existing automated methods in the literature are not representative of the way humans tend to interact with AI models. Common users of AI models may not have advanced knowledge of adversarial machine learning methods or access to model internals, and they do not spend a lot of time crafting a single highly effective adversarial prompt. Instead, they are likely to make use of techniques commonly shared online and exploit the multiturn conversational nature of LLMs. While manual testing addresses this gap, it is an inefficient and often expensive process. To address these limitations, we introduce the Generative Offensive Agent Tester (GOAT), an automated agentic red teaming system that simulates plain language adversarial conversations while leveraging multiple adversarial prompting techniques to identify vulnerabilities in LLMs. We instantiate GOAT with 7 red teaming attacks by prompting a general-purpose model in a way that encourages reasoning through the choices of methods available, the current target model's response, and the next steps. Our approach is designed to be extensible and efficient, allowing human testers to focus on exploring new areas of risk while automation covers the scaled adversarial stress-testing of known risk territory. We present the design and evaluation of GOAT, demonstrating its effectiveness in identifying vulnerabilities in state-of-the-art LLMs, with an ASR@10 of 97% against Llama 3.1 and 88% against GPT-4 on the JailbreakBench dataset.

Machine Learning,Artificial Intelligence

Xiangmin Shen,Zhenyuan Li,Graham Burleigh,Lingzhi Wang,Yan Chen

2024-04-23

Abstract:Endpoint detection and response (EDR) systems have emerged as a critical component of enterprise security solutions, effectively combating endpoint threats like APT attacks with extended lifecycles. In light of the growing significance of endpoint detection and response (EDR) systems, many cybersecurity providers have developed their own proprietary EDR solutions. It's crucial for users to assess the capabilities of these detection engines to make informed decisions about which products to choose. This is especially urgent given the market's size, which is expected to reach around 3.7 billion dollars by 2023 and is still expanding. MITRE is a leading organization in cyber threat analysis. In 2018, MITRE started to conduct annual APT emulations that cover major EDR vendors worldwide. Indicators include telemetry, detection and blocking capability, etc. Nevertheless, the evaluation results published by MITRE don't contain any further interpretations or suggestions.

Cryptography and Security

Mingjie Shen,Akul Pillai,Brian A. Yuan,James C. Davis,Aravind Machiry

2023-09-30

Abstract:This paper performs the first study to understand the prevalence, challenges, and effectiveness of using Static Application Security Testing (SAST) tools on Open-Source Embedded Software (EMBOSS) repositories. We collect a corpus of 258 of the most popular EMBOSS projects, representing 13 distinct categories such as real-time operating systems, network stacks, and applications. To understand the current use of SAST tools on EMBOSS, we measured this corpus and surveyed developers. To understand the challenges and effectiveness of using SAST tools on EMBOSS projects, we applied these tools to the projects in our corpus. We report that almost none of these projects (just 3%) use SAST tools beyond those baked into the compiler, and developers give rationales such as ineffectiveness and false positives. In applying SAST tools ourselves, we show that minimal engineering effort and project expertise are needed to apply many tools to a given EMBOSS project. GitHub's CodeQL was the most effective SAST tool -- using its built-in security checks we found a total of 540 defects (with a false positive rate of 23%) across the 258 projects, with 399 (74%) likely security vulnerabilities, including in projects maintained by Microsoft, Amazon, and the Apache Foundation. EMBOSS engineers have confirmed 273 (51%) of these defects, mainly by accepting our pull requests. Two CVEs were issued. In summary, we urge EMBOSS engineers to adopt the current generation of SAST tools, which offer low false positive rates and are effective at finding security-relevant defects.

Software Engineering,Cryptography and Security

Simon Yusuf Enoch,Zhibin Huang,Chun Yong Moon,Donghwan Lee,Myung Kil Ahn,Dong Seong Kim

DOI: https://doi.org/10.1109/ACCESS.2020.3009748

2020-07-18

Abstract:With the increasing growth of cyber-attack incidences, it is important to develop innovative and effective techniques to assess and defend networked systems against cyber attacks. One of the well-known techniques for this is performing penetration testing which is carried by a group of security professionals (i.e, red team). Penetration testing is also known to be effective to find existing and new vulnerabilities, however, the quality of security assessment can be depending on the quality of the red team members and their time and devotion to the penetration testing. In this paper, we propose a novel automation framework for cyber-attacks generation named `HARMer' to address the challenges with respect to manual attack execution by the red team. Our novel proposed framework, design, and implementation is based on a scalable graphical security model called Hierarchical Attack Representation Model (HARM). (1) We propose the requirements and the key phases for the automation framework. (2) We propose security metrics-based attack planning strategies along with their algorithms. (3) We conduct experiments in a real enterprise network and Amazon Web Services. The results show how the different phases of the framework interact to model the attackers' operations. This framework will allow security administrators to automatically assess the impact of various threats and attacks in an automated manner.

Cryptography and Security

Stephen Casper,Jason Lin,Joe Kwon,Gatlen Culp,Dylan Hadfield-Menell

2023-10-11

Abstract:Deploying large language models (LMs) can pose hazards from harmful outputs such as toxic or false text. Prior work has introduced automated tools that elicit harmful outputs to identify these risks. While this is a valuable step toward securing models, these approaches rely on a pre-existing way to efficiently classify undesirable outputs. Using a pre-existing classifier does not allow for red-teaming to be tailored to the target model. Furthermore, when failures can be easily classified in advance, red-teaming has limited marginal value because problems can be avoided by simply filtering training data and/or model outputs. Here, we consider red-teaming "from scratch," in which the adversary does not begin with a way to classify failures. Our framework consists of three steps: 1) Exploring the model's range of behaviors in the desired context; 2) Establishing a definition and measurement for undesired behavior (e.g., a classifier trained to reflect human evaluations); and 3) Exploiting the model's flaws using this measure to develop diverse adversarial prompts. We use this approach to red-team GPT-3 to discover classes of inputs that elicit false statements. In doing so, we construct the CommonClaim dataset of 20,000 statements labeled by humans as common-knowledge-true, common knowledge-false, or neither. We are making code and data available.

Computation and Language,Artificial Intelligence,Machine Learning

Huiyu Xu,Wenhui Zhang,Zhibo Wang,Feng Xiao,Rui Zheng,Yunhe Feng,Zhongjie Ba,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2407.16667

2024-07-24

Abstract:Recently, advanced Large Language Models (LLMs) such as GPT-4 have been integrated into many real-world applications like Code Copilot. These applications have significantly expanded the attack surface of LLMs, exposing them to a variety of threats. Among them, jailbreak attacks that induce toxic responses through jailbreak prompts have raised critical safety concerns. To identify these threats, a growing number of red teaming approaches simulate potential adversarial scenarios by crafting jailbreak prompts to test the target LLM. However, existing red teaming methods do not consider the unique vulnerabilities of LLM in different scenarios, making it difficult to adjust the jailbreak prompts to find context-specific vulnerabilities. Meanwhile, these methods are limited to refining jailbreak templates using a few mutation operations, lacking the automation and scalability to adapt to different scenarios. To enable context-aware and efficient red teaming, we abstract and model existing attacks into a coherent concept called "jailbreak strategy" and propose a multi-agent LLM system named RedAgent that leverages these strategies to generate context-aware jailbreak prompts. By self-reflecting on contextual feedback in an additional memory buffer, RedAgent continuously learns how to leverage these strategies to achieve effective jailbreaks in specific contexts. Extensive experiments demonstrate that our system can jailbreak most black-box LLMs in just five queries, improving the efficiency of existing red teaming methods by two times. Additionally, RedAgent can jailbreak customized LLM applications more efficiently. By generating context-aware jailbreak prompts towards applications on GPTs, we discover 60 severe vulnerabilities of these real-world applications with only two queries per vulnerability. We have reported all found issues and communicated with OpenAI and Meta for bug fixes.

Cryptography and Security,Artificial Intelligence,Computation and Language

Jonathan Brokman,Omer Hofman,Oren Rachmil,Inderjeet Singh,Rathina Sabapathy,Aishvariya Priya,Vikas Pahuja,Amit Giloni,Roman Vainshtein,Hisashi Kojima

2024-10-22

Abstract:This report presents a comparative analysis of open-source vulnerability scanners for conversational large language models (LLMs). As LLMs become integral to various applications, they also present potential attack surfaces, exposed to security risks such as information leakage and jailbreak attacks. Our study evaluates prominent scanners - Garak, Giskard, PyRIT, and CyberSecEval - that adapt red-teaming practices to expose these vulnerabilities. We detail the distinctive features and practical use of these scanners, outline unifying principles of their design and perform quantitative evaluations to compare them. These evaluations uncover significant reliability issues in detecting successful attacks, highlighting a fundamental gap for future development. Additionally, we contribute a preliminary labelled dataset, which serves as an initial step to bridge this gap. Based on the above, we provide strategic recommendations to assist organizations choose the most suitable scanner for their red-teaming needs, accounting for customizability, test suite comprehensiveness, and industry-specific use cases.

Cryptography and Security,Machine Learning

Deep Ganguli,Liane Lovitt,Jackson Kernion,Amanda Askell,Yuntao Bai,Saurav Kadavath,Ben Mann,Ethan Perez,Nicholas Schiefer,Kamal Ndousse,Andy Jones,Sam Bowman,Anna Chen,Tom Conerly,Nova DasSarma,Dawn Drain,Nelson Elhage,Sheer El-Showk,Stanislav Fort,Zac Hatfield-Dodds,Tom Henighan,Danny Hernandez,Tristan Hume,Josh Jacobson,Scott Johnston,Shauna Kravec,Catherine Olsson,Sam Ringer,Eli Tran-Johnson,Dario Amodei,Tom Brown,Nicholas Joseph,Sam McCandlish,Chris Olah,Jared Kaplan,Jack Clark

DOI: https://doi.org/10.48550/arXiv.2209.07858

2022-08-23

Computation and Language

Abstract:We describe our early efforts to red team language models in order to simultaneously discover, measure, and attempt to reduce their potentially harmful outputs. We make three main contributions. First, we investigate scaling behaviors for red teaming across 3 model sizes (2.7B, 13B, and 52B parameters) and 4 model types: a plain language model (LM); an LM prompted to be helpful, honest, and harmless; an LM with rejection sampling; and a model trained to be helpful and harmless using reinforcement learning from human feedback (RLHF). We find that the RLHF models are increasingly difficult to red team as they scale, and we find a flat trend with scale for the other model types. Second, we release our dataset of 38,961 red team attacks for others to analyze and learn from. We provide our own analysis of the data and find a variety of harmful outputs, which range from offensive language to more subtly harmful non-violent unethical outputs. Third, we exhaustively describe our instructions, processes, statistical methodologies, and uncertainty about red teaming. We hope that this transparency accelerates our ability to work together as a community in order to develop shared norms, practices, and technical standards for how to red team language models.

Bader Al-Sada,Alireza Sadighian,Gabriele Oligeri

DOI: https://doi.org/10.1145/3687300

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:MITRE ATT&CK is a comprehensive framework of adversary tactics, techniques, and procedures based on real-world observations. It has been used as a foundation for threat modeling in different sectors, such as government, academia, and industry. To the best of our knowledge, no previous work has been devoted to the comprehensive collection, study, and investigation of the current state of the art leveraging the MITRE ATT&CK framework. We select and inspect more than 50 major research contributions, while conducting a detailed analysis of their methodology and objectives in relation to the MITRE ATT&CK framework. We provide a categorization of the identified papers according to different criteria such as use cases, application scenarios, adopted methodologies, and the use of additional data. Finally, we discuss open issues and future research directions involving not only the MITRE ATT&CK framework but also the fields of threat analysis, threat modeling, and in general cyber-threat intelligence.

computer science, theory & methods

Lizhi Lin,Honglin Mu,Zenan Zhai,Minghan Wang,Yuxia Wang,Renxi Wang,Junjie Gao,Yixuan Zhang,Wanxiang Che,Timothy Baldwin,Xudong Han,Haonan Li

2024-03-31

Abstract:Generative models are rapidly gaining popularity and being integrated into everyday applications, raising concerns over their safety issues as various vulnerabilities are exposed. Faced with the problem, the field of red teaming is experiencing fast-paced growth, which highlights the need for a comprehensive organization covering the entire pipeline and addressing emerging topics for the community. Our extensive survey, which examines over 120 papers, introduces a taxonomy of fine-grained attack strategies grounded in the inherent capabilities of language models. Additionally, we have developed the searcher framework that unifies various automatic red teaming approaches. Moreover, our survey covers novel areas including multimodal attacks and defenses, risks around multilingual models, overkill of harmless queries, and safety of downstream applications. We hope this survey can provide a systematic perspective on the field and unlock new areas of research.

Computation and Language

Paolo Modesti,Lewis Golightly,Louis Holmes,Chidimma Opara,Marco Moscini

DOI: https://doi.org/10.3390/jcp4030021

2024-07-19

Abstract:The majority of Ethical Hacking (EH) tools utilised in penetration testing are developed by practitioners within the industry or underground communities. Similarly, academic researchers have also contributed to developing security tools. However, there appears to be limited awareness among practitioners of academic contributions in this domain, creating a significant gap between industry and academia's contributions to EH tools. This research paper aims to survey the current state of EH academic research, primarily focusing on research-informed security tools. We categorise these tools into process-based frameworks (such as PTES and Mitre ATT\&CK) and knowledge-based frameworks (such as CyBOK and ACM CCS). This classification provides a comprehensive overview of novel, research-informed tools, considering their functionality and application areas. The analysis covers licensing, release dates, source code availability, development activity, and peer review status, providing valuable insights into the current state of research in this field.

Cryptography and Security