Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Ahmet Tortumlu; Kemal Bicakci

doi:10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Ahmet Tortumlu
, Kemal Bicakci

Bilişim Enstitüsü

Istanbul Technical University

Araştırma sonucu: Kitap/Rapor/Konferans Bildirisinde Bölüm › Konferans katkısı › bilirkişi

Özet

The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

Orijinal dil	İngilizce
Ana bilgisayar yayını başlığı	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings
Editörler	Ali Aydin Selcuk, Seref Sagiroglu, Oguz Yayla, Cihangir Tezcan
Yayınlayan	Institute of Electrical and Electronics Engineers Inc.
ISBN (Elektronik)	9798331533649
DOI'lar	https://doi.org/10.1109/ISCTrkiye64784.2024.10779256
Yayın durumu	Yayınlandı - 2024
Etkinlik	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Ankara, Türkiye Süre: 16 Eki 2024 → 17 Eki 2024

Yayın serisi

Adı	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

???event.eventtypes.event.conference???

???event.eventtypes.event.conference???	17th International Conference on Information Security and Cryptology, ISCTurkiye 2024
Ülke/Bölge	Türkiye
Şehir	Ankara
Periyot	16/10/24 → 17/10/24

Bibliyografik not

Publisher Copyright:
© 2024 IEEE.

Belgeye Erişim

10.1109/ISCTrkiye64784.2024.10779256

Diğer Dosyalar ve Linkler

Link to publication in Scopus

Alıntı Yap

Tortumlu, A., & Bicakci, K. (2024). Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. In A. A. Selcuk, S. Sagiroglu, O. Yayla, & C. Tezcan (Eds.), 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ISCTrkiye64784.2024.10779256

Tortumlu, Ahmet ; Bicakci, Kemal. / Friends, Not Foes : Enhancing Attack Surface Metrics of Web Applications with Large Language Models. 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. editör / Ali Aydin Selcuk ; Seref Sagiroglu ; Oguz Yayla ; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings).

@inproceedings{03d4f70c43e54ea9bd68f04a124e610d,

title = "Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models",

abstract = "The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.",

keywords = "LLM, attack surface, chatGPT, large language model, web application security, web security",

author = "Ahmet Tortumlu and Kemal Bicakci",

note = "Publisher Copyright: {\textcopyright} 2024 IEEE.; 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 ; Conference date: 16-10-2024 Through 17-10-2024",

year = "2024",

doi = "10.1109/ISCTrkiye64784.2024.10779256",

language = "English",

series = "17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

editor = "Selcuk, \{Ali Aydin\} and Seref Sagiroglu and Oguz Yayla and Cihangir Tezcan",

booktitle = "17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings",

address = "United States",

}

Tortumlu, A & Bicakci, K 2024, Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. in AA Selcuk, S Sagiroglu, O Yayla & C Tezcan (eds), 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings, Institute of Electrical and Electronics Engineers Inc., 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024, Ankara, Türkiye, 16/10/24. https://doi.org/10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. / Tortumlu, Ahmet; Bicakci, Kemal.
17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. ed. / Ali Aydin Selcuk; Seref Sagiroglu; Oguz Yayla; Cihangir Tezcan. Institute of Electrical and Electronics Engineers Inc., 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings).

Araştırma sonucu: Kitap/Rapor/Konferans Bildirisinde Bölüm › Konferans katkısı › bilirkişi

TY - GEN

T1 - Friends, Not Foes

T2 - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024

AU - Tortumlu, Ahmet

AU - Bicakci, Kemal

PY - 2024

Y1 - 2024

N2 - The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

AB - The attack surface refers to all potential points of entry in a system that an attacker could exploit. In this work, we present an advanced metric for calculating the attack surface of web applications by leveraging the capabilities of large language models (LLMs) and introducing new features based on recent evaluations of the OWASP Top 10 security risks. Incorporating 28 parameters across 9 main categories and drawing on past studies to address previously identified limitations, this metric provides a comprehensive assessment of the attack surface. The Euclidean norm of the metric allows for quantitative comparisons, enabling precise evaluation and monitoring of security risks. Additionally, we develop a tool to facilitate the calculation of attack surface parameters, with the source code available as open source. The tool features an interface that visualizes the attack surface vector, presenting the metrics of web applications in graphical form. Among its many uses, web security analysts can employ our metric and tool to monitor changes in an application's attack surface across different versions. We also provide recommendations for further improving attack surface metric calculations using LLMs.

KW - LLM

KW - attack surface

KW - chatGPT

KW - large language model

KW - web application security

KW - web security

UR - https://www.scopus.com/pages/publications/85216523066

U2 - 10.1109/ISCTrkiye64784.2024.10779256

DO - 10.1109/ISCTrkiye64784.2024.10779256

M3 - Conference contribution

AN - SCOPUS:85216523066

T3 - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

BT - 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings

A2 - Selcuk, Ali Aydin

A2 - Sagiroglu, Seref

A2 - Yayla, Oguz

A2 - Tezcan, Cihangir

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 16 October 2024 through 17 October 2024

ER -

Tortumlu A, Bicakci K. Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models. In Selcuk AA, Sagiroglu S, Yayla O, Tezcan C, editörler, 17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2024. (17th International Conference on Information Security and Cryptology, ISCTurkiye 2024 - Proceedings). doi: 10.1109/ISCTrkiye64784.2024.10779256

Friends, Not Foes: Enhancing Attack Surface Metrics of Web Applications with Large Language Models

Özet

Yayın serisi

???event.eventtypes.event.conference???

Bibliyografik not

Belgeye Erişim

Diğer Dosyalar ve Linkler

Parmak izi

Alıntı Yap