[Owasp-leaders] 2 Million Dollars

Josh Sokol josh.sokol at owasp.org
Fri Dec 6 22:06:48 UTC 2013


Johanna,

I don't want to get into an argument over semantics, but I politely
disagree with your assertion that Bayesian analysis is "not exactly AI".
While there may be multiple forms that Artificial Intelligence can take,
there is a wealth of knowledge on the use of Bayesian analysis for neural
networks as you suggest dating back many many years.  Here is one such
example:

http://www.lce.hut.fi/publications/pdf/LampinenVehtari_NN2001_preprint.pdf

The whole point of Bayesian analysis is to make future predictions based on
past data.  It is an autonomous learning algorithm and can most certainly
be used for Artificial Intelligence.  I'm not sure how you can possibly
argue otherwise.

As for the competition going beyond AppSec, I'm not sure, but the site does
say:

During the competition, automatic systems would reason about software
flaws, formulate patches and deploy them on a network in real time.

Perhaps I'm oversimplifying, but detection of software flaws and automated
virtual patching is most certainly something that ModSecurity is capable of.

~josh


On Fri, Dec 6, 2013 at 3:29 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Josh
>
> "The CGC competitions require a fully automated solution – no human
> assistance is permitted in any cyber reasoning processes, including reverse
> engineering and patch formulation.
>
> Bayesian analysis is not exactly AI....
>
> "In statistics <http://en.wikipedia.org/wiki/Statistics>, *Bayesian
> inference* is a method of inference<http://en.wikipedia.org/wiki/Statistical_inference> in
> which Bayes' rule <http://en.wikipedia.org/wiki/Bayes%27_rule> is used to
> update the probability estimate for a hypothesis as additional evidence<http://en.wikipedia.org/wiki/Evidence> is
> acquired. Bayesian updating is an important technique throughout
> statistics, and especially in mathematical statistics<http://en.wikipedia.org/wiki/Mathematical_statistics>
> "
>
> I don't think that ESAPI and APPSENSOR are that far as described
> above, however I believe you can use part of that knowledge to construct
> this solution. Also the areas in the challenge go further than application
> security alone.
>
> I believe you need Neural networks or some Prolog. I think that a
> combination of semantics for programming the rules and decisions (models)
> will be a possible approach.
>
>
> Regards
>
>
> Johanna
>
>
> On Fri, Dec 6, 2013 at 5:19 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Johanna,
>>
>> Pick up a copy of Ryan Barnett's Web Application Defenders Cookbook and
>> you'll start to realize just how close to AI it is.  Especially given it's
>> ability to perform bayesian analysis and take automated action based on
>> those results.  And if the application can be hooked with ESAPI and
>> AppSensor, then you can do similar based on events at the code level as
>> well.  Autonomous sounds like "AI" to me as well, but I'm pretty sure that
>> toolset is capable with some forethought and minor modifications.
>>
>> ~josh
>>
>>
>> On Fri, Dec 6, 2013 at 3:13 PM, Tom Brennan - OWASP <tomb at owasp.org>wrote:
>>
>>> Now we have the start of a party...
>>>
>>> http://www.darpa.mil/cybergrandchallenge/
>>>
>>> On Dec 6, 2013, at 4:03 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>> Well, not so fast , because ...
>>>
>>> "DARPA is soliciting innovative proposals from teams that will develop
>>> and field* autonomous Cyber Reasoning Systems* capable of comprehending
>>> and protecting software during a live exercise. Specifically excluded is
>>> research that primarily results in evolutionary improvements to the
>>> existing state of practice."
>>>
>>> ...
>>>
>>> The DARPA Cyber Grand Challenge will utilize a series of competition
>>> events to test the abilities of a new generation of fully automated cyber
>>> defense systems. During a final competition event, automated Cyber
>>> Reasoning Systems will compete against each other in real time. This event
>>> will be held in a public setting and documented for research purposes.
>>>
>>>
>>> This smells Artificial intelligence ...
>>>
>>>
>>> On Fri, Dec 6, 2013 at 4:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> ModSecurity + ESAPI + AppSensor.  Done.
>>>>
>>>> ~josh
>>>>
>>>>
>>>> On Fri, Dec 6, 2013 at 2:15 PM, Tom Brennan - OWASP <tomb at owasp.org>wrote:
>>>>
>>>>>
>>>>> http://www.theregister.co.uk/2013/12/06/darpa_enlists_def_con_talent_for_2m_security_bugswatting_challenge
>>>>>
>>>>> Interested?
>>>>>
>>>>> Now that AppSecUSA is over its time for the next OWASP mission focused
>>>>> project.   Add a 2M dollar bounty you got my attention - how about yours?
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131206/0fa763b9/attachment-0001.html>


More information about the OWASP-Leaders mailing list