ALFA-Chains: An Artificial Intelligence Approach to Exploit Chain Discovery in Networks
Author(s)
Tulla Lizardi, Miguel A.
Advisor
O’Reilly, Una-May
Hemberg, Erik
Abstract
Exploit chains play a crucial role in advanced persistent threats (APTs) and other malicious cyber campaigns. Sophisticated attackers can navigate across a network, escalate their privileges, and compromise valuable targets by executing the right exploits in the right order. However, finding these exploit chains is a challenging task requiring a broad knowledge of the vulnerabilities present in computer systems and the exploits that take advantage of them. Networks can be complex, with many hosts and intricate software stacks. Moreover, the range of known exploits and vulnerabilities is constantly growing, complicating the process of determining how they can be linked. This thesis introduces a solution, ALFA-Chains, that automates the discovery of exploit chains by leveraging classical AI planning, Large Language Models (LLMs), and existing exploit/vulnerability databases. ALFA-Chains describes networks and exploits using the Planning Domain Description Language (PDDL), a formal language to represent planning problems. This allows us to use optimized off-the-shelf planners that have been developed by the AI planning community over many years. Our system takes natural language descriptions of exploits and classifies them into categories based on their preconditions and effects. From this intermediary representation, we can programmatically generate PDDL that captures the requirements needed to run the exploit and the access gained by the attacker. Due to this automated approach, ALFA-Chains is able to consider a vast set of exploits when determining if a network is susceptible to exploit chaining. We show how ALFA-Chains can process 1,880 Metasploit exploits and their corresponding 2,002 CVEs to detect exploit chains in a variety of realistic network configurations. We proceed to discuss potential applications of ALFA-Chains, including automated penetration testing and vulnerability prioritization.
Date issued
2025-02
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology