BSides Cymru has ended
Saturday, September 28 • 2:50pm - 3:50pm
An overview of Project Ava - Can machine learning be used to complement web penetration testing?

This talk will provide an overview of Project Ava – a 400-day research project that we performed to explore whether machine learning could ever be used to complement web application penetration testing. The research began from ground zero, with very little prior knowledge of machine learning and the various techniques that it offers. Over the course of the research we developed four different proofs of concept using different machine learning techniques, each with its own signs of promise and limitations. In addition to exploring neural networks and anomaly detection to uncover SQL injection flaws, we also explored reinforcement learning and the use of expert systems to uncover XSS vulnerabilities. During the research we also went off on a brief yet curious tangent exploring the use of machine learning in social engineering situations, leveraging the power of Natural Language Processing (NLP) and personality trait analysis in this regard.

This talk will walk through the various phases of our research, what we did and what we learned, with some demos along the way. We hope that the talk will help stimulate thought and discussion on the role of machine learning in penetration testing.



Speakers
Matt Lewis

Commercial Research Director, NCC Group
Matt is an experienced Technical Research Director with over 20 years of experience in cyber security. His specialisms include general security consultancy, scenario-based penetration testing, vulnerability research and development of security testing tools. He studied Computer Science...


Saturday September 28, 2019 2:50pm - 3:50pm BST
Track 2 - Tramshed Tech Workspace