The Agent Web Model -- Modelling web hacking for reinforcement learning
This work addresses the need for ethical hackers to have automated tools and understand AI agents' impact in cybersecurity, though it is incremental as it builds on existing reinforcement learning frameworks.
The authors tackled the problem of modeling web hacking tasks for reinforcement learning agents by introducing the Agent Web Model, which formalizes web hacking as capture-the-flag challenges across seven abstraction levels, and they provided an implementation for the first three layers to encourage community development.
Website hacking is a frequent attack type used by malicious actors to obtain confidential information, modify the integrity of web pages or make websites unavailable. The tools used by attackers are becoming more and more automated and sophisticated, and malicious machine learning agents seems to be the next development in this line. In order to provide ethical hackers with similar tools, and to understand the impact and the limitations of artificial agents, we present in this paper a model that formalizes web hacking tasks for reinforcement learning agents. Our model, named Agent Web Model, considers web hacking as a capture-the-flag style challenge, and it defines reinforcement learning problems at seven different levels of abstraction. We discuss the complexity of these problems in terms of actions and states an agent has to deal with, and we show that such a model allows to represent most of the relevant web vulnerabilities. Aware that the driver of advances in reinforcement learning is the availability of standardized challenges, we provide an implementation for the first three abstraction layers, in the hope that the community would consider these challenges in order to develop intelligent web hacking agents.