Got vulns? vuln_GPT debuts as AI-powered approach to find and remediate software vulnerabilities

A primary security challenge for organizations of all sizes is the ability to detect, then fix, potential software vulnerabilities. 

According to New York based cybersecurity startup Vicarius, the solution to patching vulnerabilities quickly could well rely on the use of generative AI large language models (LLMs).

Founded in 2016, Vicarius develops a vulnerability management platform that helps enterprises remediate potential issues and improve security.

Today, in a move designed to coincide with the Black Hat security conference in Las Vegas, Vicarius announced its vuln_GPT initiative, an LLM designed to help organizations quickly find and create scripts for vulnerability management and remediation using simple queries. Vicarius has a community known as vsociety where researchers and users can collaborate and submit their own remediations for known security vulnerabilities.

What CEO Michael Assraf realized very quickly after ChatGPT debuted in 2022, he told VentureBeat, was that some researchers were using gen AI to quickly develop scripts, and he decided it was in his company’s best interest to build its own AI engine.

Assraf told VentureBeat that vuln_gpt enables users to quickly and freely generate remediation scripts based on an LLM that has been fine-tuned and trained on Vicarius’ knowledge base and data.

How vuln_GPT works

Assraf explained that vuln_GPT makes use of data from Vicarius as well as from OpenAI, which has its own set of code generation capabilities. Vicarius is also now experimenting with other LLMs including Meta’s LLaMA and HugginFace/ServiceNow’s StarCoder which Vicariua said it might use in the future.

When a user queries the vuln_GPT system, a search is first executed in Vicarius’ vector database platform to see if a remediation has already been proposed or if there is one similar to the query. Assraf said that a user query can be something as basic as just asking for a remediation or detection script for a specific known vulnerability based on the Common Vulnerabilities and Exposures (CVE) identifier. The gen AI engine is able to respond to the query and use an existing script or create a new one based on trained data.

Scripts in the vsociety community and in Vicarius’ commercial VRx platform are all validated before they are published. Having some kind of human in the loop feedback with vuln_GPT is also part of Assraf’s plan.

“We have an internal platform called a vadmin and in that system we can backfill the model, meaning that if it has hallucinated and it provides scripts that are not really working or they have problems, we can edit them,” he said. “So for scripts going out to either VRx or to vsociety, we will tweak it and only then we will publish it so everything is human validated before it goes up.”

Patching and compensating controls

When it comes to vulnerability remediation, a fix isn’t always a software patch. Sometimes, the most effective immediate approach is to have some form of compensating control that limits risk.

Assraf said that the vuln_GPT model can be used to help generate those compensating controls in a highly effective manner. For example, if there is a vulnerability in a Linux operating system based application, vuln_GPT can quickly generate a script that can be deployed by a user to turn off a feature in the Linux kernel so the vulnerability is no longer exploitable.

“You can think of a compensating control and as an alternative way to remediate vulnerabilities,” said Assraf. “Which makes sense, because a lot of times companies don’t want to patch as they go through a  long change, change management processes, and it can break stuff, so they just would rather use these compensating controls.”