Sheetal Temara

DOI: https://doi.org/10.48550/arXiv.2307.06391

2023-03-20

Abstract:ChatGPT is a generative pretrained transformer language model created using artificial intelligence implemented as chatbot which can provide very detailed responses to a wide variety of questions. As a very contemporary phenomenon, this tool has a wide variety of potential use cases that have yet to be explored. With the significant extent of information on a broad assortment of potential topics, ChatGPT could add value to many information security uses cases both from an efficiency perspective as well as to offer another source of security information that could be used to assist with securing Internet accessible assets of organizations. One information security practice that could benefit from ChatGPT is the reconnaissance phase of penetration testing. This research uses a case study methodology to explore and investigate the uses of ChatGPT in obtaining valuable reconnaissance data. ChatGPT is able to provide many types of intel regarding targeted properties which includes Internet Protocol (IP) address ranges, domain names, network topology, vendor technologies, SSL/TLS ciphers, ports & services, and operating systems used by the target. The reconnaissance information can then be used during the planning phase of a penetration test to determine the tactics, tools, and techniques to guide the later phases of the penetration test in order to discover potential risks such as unpatched software components and security misconfiguration related issues. The study provides insights into how artificial intelligence language models can be used in cybersecurity and contributes to the advancement of penetration testing techniques. Keywords: ChatGPT, Penetration Testing, Reconnaissance

Cryptography and Security,Artificial Intelligence

Forrest McKee,David Noever

DOI: https://doi.org/10.48550/arXiv.2212.11126

2022-12-23

Abstract:Question-and-answer formats provide a novel experimental platform for investigating cybersecurity questions. Unlike previous chatbots, the latest ChatGPT model from OpenAI supports an advanced understanding of complex coding questions. The research demonstrates thirteen coding tasks that generally qualify as stages in the MITRE ATT&CK framework, ranging from credential access to defense evasion. With varying success, the experimental prompts generate examples of keyloggers, logic bombs, obfuscated worms, and payment-fulfilled ransomware. The empirical results illustrate cases that support the broad gain of functionality, including self-replication and self-modification, evasion, and strategic understanding of complex cybersecurity goals. One surprising feature of ChatGPT as a language-only model centers on its ability to spawn coding approaches that yield images that obfuscate or embed executable programming steps or links.

Cryptography and Security,Computation and Language,Machine Learning

Muna Al-Hawawreh,Ahamed Aljuhani,Yaser Jararweh

DOI: https://doi.org/10.1007/s10586-023-04124-5

2023-08-26

Cluster Computing

Abstract:Artificial intelligence (AI) advancements have revolutionized many critical domains by providing cost-effective, automated, and intelligent solutions. Recently, ChatGPT has achieved a momentous change and made substantial progress in natural language processing. As such, a chatbot-driven AI technology has the capabilities to interact and communicate with users and generate human-like responses. ChatGPT, on the other hand, has the potential to influence changes in the cybersecurity domain. ChatGPT can be utilized as a chatbot-driven security assistant for penetration testing to analyze, investigate, and develop security solutions. However, ChatGPT raises concerns about how the tool can be used for cybercrime and malicious activities. Attackers can use such a tool to cause substantial harm by exploiting vulnerabilities, writing malicious code, and circumventing security measures on a targeted system. This article investigates the implications of the ChatGPT model in the domain of cybersecurity. We present the state-of-the-art practical applications of ChatGPT in cybersecurity. In addition, we demonstrate in a case study how a ChatGPT can be used to design and develop False data injection attacks against critical infrastructure such as industrial control systems. Conversely, we show how such a tool can be used to help security analysts to analyze, design, and develop security solutions against cyberattacks. Finally, this article discusses the open challenges and future directions of ChatGPT in cybersecurity.

computer science, information systems, theory & methods

Andreas Happe,Jürgen Cito

DOI: https://doi.org/10.1145/3611643.3613083

2023-08-17

Abstract:The field of software security testing, more specifically penetration testing, is an activity that requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential usage of large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore the feasibility of supplementing penetration testers with AI models for two distinct use cases: high-level task planning for security testing assignments and low-level vulnerability hunting within a vulnerable virtual machine. For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement, and close deliberating on the ethics of providing AI-based sparring partners.

Computation and Language,Artificial Intelligence,Cryptography and Security,Software Engineering

M. Mehdi Kholoosi,M. Ali Babar,Roland Croft

2024-08-01

Abstract:Artificial Intelligence (AI) advancements have enabled the development of Large Language Models (LLMs) that can perform a variety of tasks with remarkable semantic understanding and accuracy. ChatGPT is one such LLM that has gained significant attention due to its impressive capabilities for assisting in various knowledge-intensive tasks. Due to the knowledge-intensive nature of engineering secure software, ChatGPT's assistance is expected to be explored for security-related tasks during the development/evolution of software. To gain an understanding of the potential of ChatGPT as an emerging technology for supporting software security, we adopted a two-fold approach. Initially, we performed an empirical study to analyse the perceptions of those who had explored the use of ChatGPT for security tasks and shared their views on Twitter. It was determined that security practitioners view ChatGPT as beneficial for various software security tasks, including vulnerability detection, information retrieval, and penetration testing. Secondly, we designed an experiment aimed at investigating the practicality of this technology when deployed as an oracle in real-world settings. In particular, we focused on vulnerability detection and qualitatively examined ChatGPT outputs for given prompts within this prominent software security task. Based on our analysis, responses from ChatGPT in this task are largely filled with generic security information and may not be appropriate for industry use. To prevent data leakage, we performed this analysis on a vulnerability dataset compiled after the OpenAI data cut-off date from real-world projects covering 40 distinct vulnerability types and 12 programming languages. We assert that the findings from this study would contribute to future research aimed at developing and evaluating LLMs dedicated to software security.

Software Engineering,Artificial Intelligence,Cryptography and Security

Mark Scanlon,Frank Breitinger,Christopher Hargreaves,Jan-Niclas Hilgert,John Sheppard

2023-07-11

Abstract:The disruptive application of ChatGPT (GPT-3.5, GPT-4) to a variety of domains has become a topic of much discussion in the scientific community and society at large. Large Language Models (LLMs), e.g., BERT, Bard, Generative Pre-trained Transformers (GPTs), LLaMA, etc., have the ability to take instructions, or prompts, from users and generate answers and solutions based on very large volumes of text-based training data. This paper assesses the impact and potential impact of ChatGPT on the field of digital forensics, specifically looking at its latest pre-trained LLM, GPT-4. A series of experiments are conducted to assess its capability across several digital forensic use cases including artefact understanding, evidence searching, code generation, anomaly detection, incident response, and education. Across these topics, its strengths and risks are outlined and a number of general conclusions are drawn. Overall this paper concludes that while there are some potential low-risk applications of ChatGPT within digital forensics, many are either unsuitable at present, since the evidence would need to be uploaded to the service, or they require sufficient knowledge of the topic being asked of the tool to identify incorrect assumptions, inaccuracies, and mistakes. However, to an appropriately knowledgeable user, it could act as a useful supporting tool in some circumstances.

Cryptography and Security,Artificial Intelligence,Computation and Language

Fangzhou Wu,Qingzhao Zhang,Ati Priya Bajaj,Tiffany Bao,Ning Zhang,Ruoyu "Fish" Wang,Chaowei Xiao

DOI: https://doi.org/10.48550/arXiv.2312.05275

2023-12-08

Cryptography and Security

Abstract:Large language models (LLMs) have undergone rapid evolution and achieved remarkable results in recent times. OpenAI's ChatGPT, backed by GPT-3.5 or GPT-4, has gained instant popularity due to its strong capability across a wide range of tasks, including natural language tasks, coding, mathematics, and engaging conversations. However, the impacts and limits of such LLMs in system security domain are less explored. In this paper, we delve into the limits of LLMs (i.e., ChatGPT) in seven software security applications including vulnerability detection/repair, debugging, debloating, decompilation, patching, root cause analysis, symbolic execution, and fuzzing. Our exploration reveals that ChatGPT not only excels at generating code, which is the conventional application of language models, but also demonstrates strong capability in understanding user-provided commands in natural languages, reasoning about control and data flows within programs, generating complex data structures, and even decompiling assembly code. Notably, GPT-4 showcases significant improvements over GPT-3.5 in most security tasks. Also, certain limitations of ChatGPT in security-related tasks are identified, such as its constrained ability to process long code contexts.

Forrest McKee,David Noever

DOI: https://doi.org/10.48550/arXiv.2301.03771

2023-01-10

Abstract:Question-and-answer agents like ChatGPT offer a novel tool for use as a potential honeypot interface in cyber security. By imitating Linux, Mac, and Windows terminal commands and providing an interface for TeamViewer, nmap, and ping, it is possible to create a dynamic environment that can adapt to the actions of attackers and provide insight into their tactics, techniques, and procedures (TTPs). The paper illustrates ten diverse tasks that a conversational agent or large language model might answer appropriately to the effects of command-line attacker. The original result features feasibility studies for ten model tasks meant for defensive teams to mimic expected honeypot interfaces with minimal risks. Ultimately, the usefulness outside of forensic activities stems from whether the dynamic honeypot can extend the time-to-conquer or otherwise delay attacker timelines short of reaching key network assets like databases or confidential information. While ongoing maintenance and monitoring may be required, ChatGPT's ability to detect and deflect malicious activity makes it a valuable option for organizations seeking to enhance their cyber security posture. Future work will focus on cybersecurity layers, including perimeter security, host virus detection, and data security.

Cryptography and Security,Computers and Society,Machine Learning

Attia Qammar,Hongmei Wang,Jianguo Ding,Abdenacer Naouri,Mahmoud Daneshmand,Huansheng Ning

DOI: https://doi.org/10.48550/arXiv.2306.09255

2023-05-29

Abstract:Chatbots shifted from rule-based to artificial intelligence techniques and gained traction in medicine, shopping, customer services, food delivery, education, and research. OpenAI developed ChatGPT blizzard on the Internet as it crossed one million users within five days of its launch. However, with the enhanced popularity, chatbots experienced cybersecurity threats and vulnerabilities. This paper discussed the relevant literature, reports, and explanatory incident attacks generated against chatbots. Our initial point is to explore the timeline of chatbots from ELIZA (an early natural language processing computer program) to GPT-4 and provide the working mechanism of ChatGPT. Subsequently, we explored the cybersecurity attacks and vulnerabilities in chatbots. Besides, we investigated the ChatGPT, specifically in the context of creating the malware code, phishing emails, undetectable zero-day attacks, and generation of macros and LOLBINs. Furthermore, the history of cyberattacks and vulnerabilities exploited by cybercriminals are discussed, particularly considering the risk and vulnerabilities in ChatGPT. Addressing these threats and vulnerabilities requires specific strategies and measures to reduce the harmful consequences. Therefore, the future directions to address the challenges were presented.

Cryptography and Security,Artificial Intelligence,Computers and Society

Ricardo J Dinis-Oliveira,Rui M S Azevedo

DOI: https://doi.org/10.1093/fsr/owad039

2023-11-10

Abstract:ChatGPT is a variant of the generative pre-trained transformer (GPT) language model that uses large amounts of text-based training data and a transformer architecture to generate human-like text adjusted to the received prompts. ChatGPT presents several advantages in forensic sciences, namely, constituting a virtual assistant to aid lawyers, judges, and victims in managing and interpreting forensic expert data. But what would happen if ChatGPT began to be used to produce forensic expertise reports? Despite its potential applications, the use of ChatGPT and other Large Language Models and artificial intelligence tools in forensic writing also poses ethical and legal concerns, which are discussed in this perspective together with some expected future perspectives.

Jingyue Li,Per Håkon Meland,Jakob Svennevik Notland,André Storhaug,Jostein Hjortland Tysse

2023-09-19

Abstract:Along with the development of large language models (LLMs), e.g., ChatGPT, many existing approaches and tools for software security are changing. It is, therefore, essential to understand how security-aware these models are and how these models impact software security practices and education. In exercises of a software security course at our university, we ask students to identify and fix vulnerabilities we insert in a web application using state-of-the-art tools. After ChatGPT, especially the GPT-4 version of the model, we want to know how the students can possibly use ChatGPT to complete the exercise tasks. We input the vulnerable code to ChatGPT and measure its accuracy in vulnerability identification and fixing. In addition, we investigated whether ChatGPT can provide a proper source of information to support its outputs. Results show that ChatGPT can identify 20 of the 28 vulnerabilities we inserted in the web application in a white-box setting, reported three false positives, and found four extra vulnerabilities beyond the ones we inserted. ChatGPT makes nine satisfactory penetration testing and fixing recommendations for the ten vulnerabilities we want students to fix and can often point to related sources of information.

Computers and Society

Derry Pratama,Naufal Suryanto,Andro Aprila Adiputra,Thi-Thu-Huong Le,Ahmada Yusril KadiptyaÂ,Muhammad Iqbal,Howon Kim

DOI: https://doi.org/10.3390/s24216878

IF: 3.9

2024-10-26

Sensors

Abstract:Penetration testing, a critical component of cybersecurity, typically requires extensive time and effort to find vulnerabilities. Beginners in this field often benefit from collaborative approaches with the community or experts. To address this, we develop Cybersecurity Intelligent Penetration-testing Helper for Ethical Researchers (CIPHER), a large language model specifically trained to assist in penetration testing tasks as a chatbot. Unlike software development, penetration testing involves domain-specific knowledge that is not widely documented or easily accessible, necessitating a specialized training approach for AI language models. CIPHER was trained using over 300 high-quality write-ups of vulnerable machines, hacking techniques, and documentation of open-source penetration testing tools augmented in an expert response structure. Additionally, we introduced the Findings, Action, Reasoning, and Results (FARR) Flow augmentation, a novel method to augment penetration testing write-ups to establish a fully automated pentesting simulation benchmark tailored for large language models. This approach fills a significant gap in traditional cybersecurity Q&A benchmarks and provides a realistic and rigorous standard for evaluating LLM's technical knowledge, reasoning capabilities, and practical utility in dynamic penetration testing scenarios. In our assessments, CIPHER achieved the best overall performance in providing accurate suggestion responses compared to other open-source penetration testing models of similar size and even larger state-of-the-art models like Llama 3 70B and Qwen1.5 72B Chat, particularly on insane difficulty machine setups. This demonstrates that the current capabilities of general large language models (LLMs) are insufficient for effectively guiding users through the penetration testing process. We also discuss the potential for improvement through scaling and the development of better benchmarks using FARR Flow augmentation results.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Wesley Tann,Yuancheng Liu,Jun Heng Sim,Choon Meng Seah,Ee-Chien Chang

2023-08-21

Abstract:The assessment of cybersecurity Capture-The-Flag (CTF) exercises involves participants finding text strings or ``flags'' by exploiting system vulnerabilities. Large Language Models (LLMs) are natural-language models trained on vast amounts of words to understand and generate text; they can perform well on many CTF challenges. Such LLMs are freely available to students. In the context of CTF exercises in the classroom, this raises concerns about academic integrity. Educators must understand LLMs' capabilities to modify their teaching to accommodate generative AI assistance. This research investigates the effectiveness of LLMs, particularly in the realm of CTF challenges and questions. Here we evaluate three popular LLMs, OpenAI ChatGPT, Google Bard, and Microsoft Bing. First, we assess the LLMs' question-answering performance on five Cisco certifications with varying difficulty levels. Next, we qualitatively study the LLMs' abilities in solving CTF challenges to understand their limitations. We report on the experience of using the LLMs for seven test cases in all five types of CTF challenges. In addition, we demonstrate how jailbreak prompts can bypass and break LLMs' ethical safeguards. The paper concludes by discussing LLM's impact on CTF exercises and its implications.

Artificial Intelligence,Computation and Language,Computers and Society

Maha Charfeddine,Habib M. Kammoun,Bechir Hamdaoui,Mohsen Guizani

DOI: https://doi.org/10.1109/access.2024.3367792

IF: 3.9

2024-03-06

IEEE Access

Abstract:ChatGPT has been acknowledged as a powerful tool that can radically boost productivity across a wide range of industries. It reveals potential in cybersecurity-related tasks such as social engineering. Nevertheless, this possibility raises important concerns regarding the thin line separating moral use of this technology from its harmful usage. It is imperative to address the challenges of distinguishing between legitimate and malevolent use of ChatGPT. This research paper investigates the many concerns of ChatGPT in cybersecurity, privacy and enterprise settings. It covers harmful attacker uses such as injecting malicious prompts, testing brute force attacks, preparing and developing ransomware attacks, etc. Defenders' proactive activities are also addressed, highlighting ChatGPT's significance in security operations and threat intelligence. These defensive operations are classified based on the National Institute of Standards and Technology cybersecurity framework. They involve analyzing configuration files, inquiring about authoritative server, improving security in various systems, etc. Moreover, secure enterprise practices and mitigations spread through five classes are proposed, with an emphasis on clear usage standards and guidelines establishment, personally identifiable information protection, adversarial attack prevention, watermarking generated content, etc. An integrated discussion digs into the interaction of offensive and defensive applications, covering ethical and practical concerns. Future attacks are also discussed, along with potential solutions such as content filtering and collaboration. Finally, a comparative analysis with recent research on ChatGPT security concerns is directed. The paper provides a thorough framework to comprehend the range of implications associated with ChatGPT, enabling the navigation of cybersecurity and privacy challenges.

computer science, information systems,telecommunications,engineering, electrical & electronic

Christopher Rodriguez,Daniel M. Oppenheimer

DOI: https://doi.org/10.3758/s13428-024-02357-9

IF: 5.953

2024-04-03

Behavior Research Methods

Abstract:The standard approach for detecting and preventing bots from doing harm online involves CAPTCHAs. However, recent AI research, including our own in this manuscript, suggests that bots can complete many common CAPTCHAs with ease. The most effective methodology for identifying potential bots involves completing image-processing, causal-reasoning based, free-response questions that are hand coded by human analysts. However, this approach is labor intensive, slow, and inefficient. Moreover, with the advent of Generative AI such as GPT and Bard, it may soon be obsolete. Here, we develop and test various automated, bot-screening questions, grounded in psychological research, to serve as a proactive screen against bots. Utilizing hand coded free-response questions in the naturalistic domain of MTurkers recruited for a Qualtrics survey, we identify 18.9% of our sample to be potential bots, whereas Google's reCAPTCHA V3 identified only 1.7% to be potential bots. We then look at the performance of these potential bots on our novel bot-screeners, each of which has different strengths and weaknesses but all of which outperform CAPTCHAs.

psychology, experimental, mathematical

Jinyin Chen,Shulong Hu,Haibin Zheng,Changyou Xing,Guomin Zhang

DOI: https://doi.org/10.1016/j.cose.2022.103055

2022-12-09

Abstract:Penetration testing (PT) is an efficient tool for network testing and vulnerability mining by simulating the hackers' attacks to obtain valuable information applied in operating and database systems. Most of the traditional manual solutions are strongly relying on the domain knowledge of human experts with high penetration costs. Therefore, solutions based on the artificial intelligent algorithm such as reinforcement learning (RL) and deep reinforcement learning (DRL), with less time-consuming and lower labor costs, become a great solution to address the challenge. However, there are still a few challenges for RL/DRL-based PT in real penetration scenarios, such as the large dimension size of the agent's discrete action space usually causing difficulties in convergence. To address the above issue, this paper proposes a novel framework named G enerative A dversarial I mitation L earning based intelligent P enetration T esting (GAIL-PT), which utilizes expert knowledge base and GAIL network to guide the policy generation of RL/DRL agents with lower costs. Specifically, we first construct the expert knowledge bases by collecting state-action pairs from the successful exploitations of pre-trained RL/DRL models. Secondly, we feed the expert knowledge bases generated by different RL/DRL models online into the discriminator of GAIL-PT to guide its training process. Besides, we integrate the losses of the generator and the discriminator in GAIL-PT to optimize the overall objective and use the discriminator's discounted rewards for policy generation. The extensive experiments conducted on the practical target hosts and simulated network scenarios demonstrate that GAIL-PT achieves outstanding performance, and outperforms the state-of-art method DeepExploit in exploiting Metasploitable2 and Q-learning in different scale networks. It also verified that GAIL-PT is a general leading framework suitable for RL/DRL-based methods. The code of GAIL-PT is open-sourced at https://github.com/Shulong98/GAIL-PT//.

computer science, information systems

Gelei Deng,Yi Liu,Víctor Mayoral-Vilches,Peng Liu,Yuekang Li,Yuan Xu,Tianwei Zhang,Yang Liu,Martin Pinzger,Stefan Rass

2024-06-03

Abstract:Penetration testing, a crucial industrial practice for ensuring system security, has traditionally resisted automation due to the extensive expertise required by human professionals. Large Language Models (LLMs) have shown significant advancements in various domains, and their emergent abilities suggest their potential to revolutionize industries. In this research, we evaluate the performance of LLMs on real-world penetration testing tasks using a robust benchmark created from test machines with platforms. Our findings reveal that while LLMs demonstrate proficiency in specific sub-tasks within the penetration testing process, such as using testing tools, interpreting outputs, and proposing subsequent actions, they also encounter difficulties maintaining an integrated understanding of the overall testing scenario. In response to these insights, we introduce PentestGPT, an LLM-empowered automatic penetration testing tool that leverages the abundant domain knowledge inherent in LLMs. PentestGPT is meticulously designed with three self-interacting modules, each addressing individual sub-tasks of penetration testing, to mitigate the challenges related to context loss. Our evaluation shows that PentestGPT not only outperforms LLMs with a task-completion increase of 228.6\% compared to the \gptthree model among the benchmark targets but also proves effective in tackling real-world penetration testing challenges. Having been open-sourced on GitHub, PentestGPT has garnered over 4,700 stars and fostered active community engagement, attesting to its value and impact in both the academic and industrial spheres.

Software Engineering,Cryptography and Security

Sayed Erfan Arefin,Tasnia Ashrafi Heya,Hasan Al-Qudah,Ynes Ineza,Abdul Serwadda

DOI: https://doi.org/10.5220/0012467100003636

2024-05-25

Abstract:The transformative influence of Large Language Models (LLMs) is profoundly reshaping the Artificial Intelligence (AI) technology domain. Notably, ChatGPT distinguishes itself within these models, demonstrating remarkable performance in multi-turn conversations and exhibiting code proficiency across an array of languages. In this paper, we carry out a comprehensive evaluation of ChatGPT's coding capabilities based on what is to date the largest catalog of coding challenges. Our focus is on the python programming language and problems centered on data structures and algorithms, two topics at the very foundations of Computer Science. We evaluate ChatGPT for its ability to generate correct solutions to the problems fed to it, its code quality, and nature of run-time errors thrown by its code. Where ChatGPT code successfully executes, but fails to solve the problem at hand, we look into patterns in the test cases passed in order to gain some insights into how wrong ChatGPT code is in these kinds of situations. To infer whether ChatGPT might have directly memorized some of the data that was used to train it, we methodically design an experiment to investigate this phenomena. Making comparisons with human performance whenever feasible, we investigate all the above questions from the context of both its underlying learning models (GPT-3.5 and GPT-4), on a vast array sub-topics within the main topics, and on problems having varying degrees of difficulty.

Software Engineering,Artificial Intelligence,Computation and Language

Peiyu Liu,Junming Liu,Lirong Fu,Kangjie Lu,Yifan Xia,Xuhong Zhang,Wenzhi Chen,Haiqin Weng,Shouling Ji,Wenhai Wang

2024-06-20

Abstract:Recently, ChatGPT has attracted great attention from the code analysis domain. Prior works show that ChatGPT has the capabilities of processing foundational code analysis tasks, such as abstract syntax tree generation, which indicates the potential of using ChatGPT to comprehend code syntax and static behaviors. However, it is unclear whether ChatGPT can complete more complicated real-world vulnerability management tasks, such as the prediction of security relevance and patch correctness, which require an all-encompassing understanding of various aspects, including code syntax, program semantics, and related manual comments. In this paper, we explore ChatGPT's capabilities on 6 tasks involving the complete vulnerability management process with a large-scale dataset containing 70,346 samples. For each task, we compare ChatGPT against SOTA approaches, investigate the impact of different prompts, and explore the difficulties. The results suggest promising potential in leveraging ChatGPT to assist vulnerability management. One notable example is ChatGPT's proficiency in tasks like generating titles for software bug reports. Furthermore, our findings reveal the difficulties encountered by ChatGPT and shed light on promising future directions. For instance, directly providing random demonstration examples in the prompt cannot consistently guarantee good performance in vulnerability management. By contrast, leveraging ChatGPT in a self-heuristic way -- extracting expertise from demonstration examples itself and integrating the extracted expertise in the prompt is a promising research direction. Besides, ChatGPT may misunderstand and misuse the information in the prompt. Consequently, effectively guiding ChatGPT to focus on helpful information rather than the irrelevant content is still an open problem.

Software Engineering,Artificial Intelligence,Computation and Language,Cryptography and Security

Erik Derner,Kristina Batistič

DOI: https://doi.org/10.48550/arXiv.2305.08005

2023-05-14

Abstract:The increasing popularity of large language models (LLMs) such as ChatGPT has led to growing concerns about their safety, security risks, and ethical implications. This paper aims to provide an overview of the different types of security risks associated with ChatGPT, including malicious text and code generation, private data disclosure, fraudulent services, information gathering, and producing unethical content. We present an empirical study examining the effectiveness of ChatGPT's content filters and explore potential ways to bypass these safeguards, demonstrating the ethical implications and security risks that persist in LLMs even when protections are in place. Based on a qualitative analysis of the security implications, we discuss potential strategies to mitigate these risks and inform researchers, policymakers, and industry professionals about the complex security challenges posed by LLMs like ChatGPT. This study contributes to the ongoing discussion on the ethical and security implications of LLMs, underscoring the need for continued research in this area.

Cryptography and Security,Artificial Intelligence,Computation and Language,Computers and Society,Human-Computer Interaction