AI for Attackers & Defenders

Automated Threats to web applications are according to the Open Web Applications Project (OWASP) a misuse of their inherent valid functionality by applying automated means. Usually, those automations are referred to as `bots´. The attackers usually reverse engineer the web application, e.g. an e-commerce platform, and based on their discovery, craft bots to exploit vulnerabilities or gaps that allow them to pursue their goal on the platform in an undesirable way. A famous example are sneaker bots, whose goal is to obtain a competitive advantage over human clients in purchasing hyped articles like sneakers. Addressing automated threats is a company-wide effort and requires to tackle the problem from many angles reaching from DevSecOps, architectural changes, raising awareness, establishing transparency in the business, implementing preventive controls, to detective controls. In the first phase of our research, we tackled the problem in a big e-commerce company on this entire spectrum of challenges and are now at the position to enhance our approach in a second phase. In the second phase, we aim for an approach to harden a web-application platform with existing detective and reactive controls using aspects of generative approaches and adversarial attacks while also considering explainability.

In the talk, we are going to explain and motivate the problem space, explain the insights from the first phase and outline the goals of the second phase of our research.