[Owasp-leaders] 2 Million Dollars

johanna curiel curiel johanna.curiel at owasp.org
Sat Dec 7 03:20:20 UTC 2013


Hi Josh
Well, I don't want to get in deep theoretical discussions about AI :-) but
let's remember that Bayesian networks is a 'little' different than Bayesian
analysis alone. If you think ModSecurity can do all this for the
competition then why not try it ;-)?

However, the challenges will come when unexpected attacks, where no
historical data is present  are launched. The competition has the caliber
of attacks based on DEFCON competitions and honestly , I think it requires
a lot more thought to write the proposal and create an autonomous system
able to resist attacks of this type than just go ahead with ModSecurity,
ESAPI and AppSensor alone.

regards

Johanna


On Fri, Dec 6, 2013 at 6:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Johanna,
>
> I don't want to get into an argument over semantics, but I politely
> disagree with your assertion that Bayesian analysis is "not exactly AI".
> While there may be multiple forms that Artificial Intelligence can take,
> there is a wealth of knowledge on the use of Bayesian analysis for neural
> networks as you suggest dating back many many years.  Here is one such
> example:
>
> http://www.lce.hut.fi/publications/pdf/LampinenVehtari_NN2001_preprint.pdf
>
> The whole point of Bayesian analysis is to make future predictions based
> on past data.  It is an autonomous learning algorithm and can most
> certainly be used for Artificial Intelligence.  I'm not sure how you can
> possibly argue otherwise.
>
> As for the competition going beyond AppSec, I'm not sure, but the site
> does say:
>
> During the competition, automatic systems would reason about software
> flaws, formulate patches and deploy them on a network in real time.
>
> Perhaps I'm oversimplifying, but detection of software flaws and automated
> virtual patching is most certainly something that ModSecurity is capable of.
>
> ~josh
>
>
> On Fri, Dec 6, 2013 at 3:29 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Josh
>>
>> "The CGC competitions require a fully automated solution – no human
>> assistance is permitted in any cyber reasoning processes, including reverse
>> engineering and patch formulation.
>>
>> Bayesian analysis is not exactly AI....
>>
>> "In statistics <http://en.wikipedia.org/wiki/Statistics>, *Bayesian
>> inference* is a method of inference<http://en.wikipedia.org/wiki/Statistical_inference> in
>> which Bayes' rule <http://en.wikipedia.org/wiki/Bayes%27_rule> is used
>> to update the probability estimate for a hypothesis as additional
>> evidence <http://en.wikipedia.org/wiki/Evidence> is acquired. Bayesian
>> updating is an important technique throughout statistics, and especially in
>> mathematical statistics<http://en.wikipedia.org/wiki/Mathematical_statistics>
>> "
>>
>> I don't think that ESAPI and APPSENSOR are that far as described
>> above, however I believe you can use part of that knowledge to construct
>> this solution. Also the areas in the challenge go further than application
>> security alone.
>>
>> I believe you need Neural networks or some Prolog. I think that a
>> combination of semantics for programming the rules and decisions (models)
>> will be a possible approach.
>>
>>
>> Regards
>>
>>
>> Johanna
>>
>>
>> On Fri, Dec 6, 2013 at 5:19 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> Pick up a copy of Ryan Barnett's Web Application Defenders Cookbook and
>>> you'll start to realize just how close to AI it is.  Especially given it's
>>> ability to perform bayesian analysis and take automated action based on
>>> those results.  And if the application can be hooked with ESAPI and
>>> AppSensor, then you can do similar based on events at the code level as
>>> well.  Autonomous sounds like "AI" to me as well, but I'm pretty sure that
>>> toolset is capable with some forethought and minor modifications.
>>>
>>> ~josh
>>>
>>>
>>> On Fri, Dec 6, 2013 at 3:13 PM, Tom Brennan - OWASP <tomb at owasp.org>wrote:
>>>
>>>> Now we have the start of a party...
>>>>
>>>> http://www.darpa.mil/cybergrandchallenge/
>>>>
>>>> On Dec 6, 2013, at 4:03 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> Well, not so fast , because ...
>>>>
>>>> "DARPA is soliciting innovative proposals from teams that will develop
>>>> and field* autonomous Cyber Reasoning Systems* capable of
>>>> comprehending and protecting software during a live exercise. Specifically
>>>> excluded is research that primarily results in evolutionary improvements to
>>>> the existing state of practice."
>>>>
>>>> ...
>>>>
>>>> The DARPA Cyber Grand Challenge will utilize a series of competition
>>>> events to test the abilities of a new generation of fully automated cyber
>>>> defense systems. During a final competition event, automated Cyber
>>>> Reasoning Systems will compete against each other in real time. This event
>>>> will be held in a public setting and documented for research purposes.
>>>>
>>>>
>>>> This smells Artificial intelligence ...
>>>>
>>>>
>>>> On Fri, Dec 6, 2013 at 4:56 PM, Josh Sokol <josh.sokol at owasp.org>wrote:
>>>>
>>>>> ModSecurity + ESAPI + AppSensor.  Done.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> On Fri, Dec 6, 2013 at 2:15 PM, Tom Brennan - OWASP <tomb at owasp.org>wrote:
>>>>>
>>>>>>
>>>>>> http://www.theregister.co.uk/2013/12/06/darpa_enlists_def_con_talent_for_2m_security_bugswatting_challenge
>>>>>>
>>>>>> Interested?
>>>>>>
>>>>>> Now that AppSecUSA is over its time for the next OWASP mission
>>>>>> focused project.   Add a 2M dollar bounty you got my attention - how about
>>>>>> yours?
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20131206/ceb3b10e/attachment-0001.html>


More information about the OWASP-Leaders mailing list