Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Ahmet Tortumlu; Kemal Bicakci

doi:10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Ahmet Tortumlu, Kemal Bicakci

Informatics Institute

Istanbul Technical University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

Original language	English
Title of host publication	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings
Editors	Ali Aydin Selcuk, Seref Sagiroglu, Oguz Yayla, Cihangir Tezcan
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9798331533649
DOIs	https://doi.org/10.1109/ISCTrkiye64784.2024.10779256
Publication status	Published - 2024
Event	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Ankara, Turkey Duration: 16 Oct 2024 → 17 Oct 2024

Publication series

Name	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

Conference

Conference	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024
Country/Territory	Turkey
City	Ankara
Period	16/10/24 → 17/10/24

Bibliographical note

Publisher Copyright:
© 2024 IEEE.

Keywords

attack surface
chatGPT
large language model
LLM
web application security
web security

Access to Document

10.1109/ISCTrkiye64784.2024.10779256

Cite this

Tortumlu, A., & Bicakci, K. (2024). Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. In A. A. Selcuk, S. Sagiroglu, O. Yayla, & C. Tezcan (Eds.), 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISCTrkiye64784.2024.10779256

Tortumlu, Ahmet ; Bicakci, Kemal. / Friends, Not Foes : Enhancing Attack Surface Metrics of Web Applications with Large Language Models. 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. editor / Ali Aydin Selcuk ; Seref Sagiroglu ; Oguz Yayla ; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings).

@inproceedings{03d4f70c43e54ea9bd68f04a124e610d,

title = "Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models",

abstract = "The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.",

keywords = "attack surface, chatGPT, large language model, LLM, web application security, web security",

author = "Ahmet Tortumlu and Kemal Bicakci",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 ; Conference date: 16-10-2024 Through 17-10-2024",

year = "2024",

doi = "10.1109/ISCTrkiye64784.2024.10779256",

language = "English",

series = "17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

editor = "Selcuk, {Ali Aydin} and Seref Sagiroglu and Oguz Yayla and Cihangir Tezcan",

booktitle = "17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings",

address = "United States",

}

Tortumlu, A & Bicakci, K 2024, Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. in AA Selcuk, S Sagiroglu, O Yayla & C Tezcan (eds), 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings, Institute of Electrical and Electronics Engineers Inc., 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024, Ankara, Turkey, 16/10/24. https://doi.org/10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. / Tortumlu, Ahmet; Bicakci, Kemal.
17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. ed. / Ali Aydin Selcuk; Seref Sagiroglu; Oguz Yayla; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Friends, Not Foes

T2 - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024

AU - Tortumlu, Ahmet

AU - Bicakci, Kemal

PY - 2024

Y1 - 2024

N2 - The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

AB - The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

KW - attack surface

KW - chatGPT

KW - large language model

KW - LLM

KW - web application security

KW - web security

UR - http://www.scopus.com/inward/record.url?scp=85216523066&partnerID=8YFLogxK

U2 - 10.1109/ISCTrkiye64784.2024.10779256

DO - 10.1109/ISCTrkiye64784.2024.10779256

M3 - Conference contribution

AN - SCOPUS:85216523066

T3 - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

BT - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

A2 - Selcuk, Ali Aydin

A2 - Sagiroglu, Seref

A2 - Yayla, Oguz

A2 - Tezcan, Cihangir

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 16 October 2024 through 17 October 2024

ER -

Tortumlu A, Bicakci K. Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. In Selcuk AA, Sagiroglu S, Yayla O, Tezcan C, editors, 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings). doi: 10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this