Pioneering an AI-driven Approach to Cybersecurity Analysis

Professor Xinyu Xing’s team won first place in the fuzzing tool competition at the 17th International Workshop on Search-Based and Fuzz Testing, outperforming widely utilized industry tools

(l to r): Jiahao Yu, Wenxuan Shi, and Professor Xinyu Xing

A Northwestern Computer Science team won first place in the fuzzing tool competition at the 17th International Workshop on Search-Based and Fuzz Testing (SBFT 2024), held April 14 - 20 and co-located with the International Conference on Software Engineering in Lisbon, Portugal.

Fuzz testing, or “fuzzing,” is an automated testing technique used to detect coding errors and security vulnerabilities in software, operating systems, or networks by supplying a large volume of invalid or random data inputs and monitoring for system crashes, failures, or memory leaks.

The Northwestern Engineering team included computer science PhD students Wenxuan Shi and Jiahao Yu and associate professor of computer science Xinyu Xing, with collaborators Hongwei Li (Purdue University) and Wenbo Guo (University of California, Santa Barbara).

Their tool — called BandFuzz — is an AI-powered collaborative fuzzing tool designed to uncover software vulnerabilities. Leveraging a reinforcement learning algorithm, BandFuzz boosts the efficiency of fuzzing practices and outperforms widely utilized industry tools.

Unlike traditional fuzzing strategies that are static or based on human experience, Shi explained, BandFuzz employs AI to dynamically select the most effective fuzzing strategy based on its real-time performance. This AI-driven approach enables more intelligent decision-making during the fuzzing process, resulting in quicker coverage expansion and enhanced bug detection capabilities.

“BandFuzz marks a new direction away from traditional fuzzing research, offering tangible evidence that AI can facilitate automatic bug hunting and fixing,” Xing said. “This advancement is not only a leap forward for security research but is also of paramount importance to the general public, as it promises to fortify digital security in an increasingly interconnected world.”

Through comprehensive experimentation, the BandFuzz team demonstrated that depending solely on AI is inadequate for tackling complex security challenges.

“The integration of AI with traditional system security analysis tools — such as fuzzing, static analysis, and automatic bug patching — has demonstrated remarkable effectiveness,” Shi said. “BandFuzz serves as a prime example of how AI can significantly enhance automated decision-making processes and supplant human-written, rule-based heuristic functions in a wide array of traditional security analysis methods.”

Competitors at the SBFT 2024 competition were evaluated using FuzzBench, Google’s open source platform for testing and comparing fuzzers in an authentic environment.

“Our success at the competition is a beacon for AI-assisted cybersecurity, showcasing a pioneering approach to software analysis,” Yu said.

Xing and Yan Chen, professor of computer science at the McCormick School of Engineering, will continue advancing AI integration into existing security solutions through participation in the AI Cyber Challenge's Small Business Track Competition.

As part of the AI Cyber Challenge, Team 42-b3yond-6ug, Net Shield LLC was among the seven companies awarded $1 million by the Defense Advanced Research Projects Agency to develop AI-enabled cyber reasoning systems that automatically find and fix software vulnerabilities at scale. Xing and Chen will collaborate with researchers from Johns Hopkins University, the University of Colorado, the University of New Hampshire, the University of Utah, and the University of Waterloo.

McCormick News Article