BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)

Abstract

We present a novel tool, BertRLFuzzer, a BERT and Reinforcement Learning (RL) based fuzzer aimed at finding security vulnerabilities in Web applications. BertRLFuzzer works as follows: given a set of seed inputs, the fuzzer performs grammar-adhering and attack-provoking mutation operations on them to generate candidate attack vectors. The key insight of BertRLFuzzer is the use of RL with a BERT model as an agent to guide the fuzzer to efficiently learn grammar-adhering and attack-provoking mutation operators. To establish the efficacy of BertRLFuzzer, we compare it against a total of 13 black-box and white-box fuzzers over a benchmark of 9 victim websites with over 16K LOC. We observed a significant improvement relative to the nearest competing tool in terms of time to first attack (54% less), new vulnerabilities found (17 new vulnerabilities), and attack rate (4.4% more attack vectors generated).

Cite

Text

Jha et al. "BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)." AAAI Conference on Artificial Intelligence, 2024. doi:10.1609/AAAI.V38I21.30455

Markdown

[Jha et al. "BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)." AAAI Conference on Artificial Intelligence, 2024.](https://mlanthology.org/aaai/2024/jha2024aaai-bertrlfuzzer/) doi:10.1609/AAAI.V38I21.30455

BibTeX

@inproceedings{jha2024aaai-bertrlfuzzer,
  title     = {{BertRLFuzzer: A BERT and Reinforcement Learning Based Fuzzer (Student Abstract)}},
  author    = {Jha, Piyush and Scott, Joseph and Ganeshna, Jaya Sriram and Singh, Mudit and Ganesh, Vijay},
  booktitle = {AAAI Conference on Artificial Intelligence},
  year      = {2024},
  pages     = {23521-23522},
  doi       = {10.1609/AAAI.V38I21.30455},
  url       = {https://mlanthology.org/aaai/2024/jha2024aaai-bertrlfuzzer/}
}