RidgeBot is a neural network-based fully automated penetration test system that makes its own decision for every attack step or in our term, performs attack planning.

In traditional vulnerability scan or exploit tools, as well as other emerging automated tools, the attack path is preset: once a target is fixed, the system will follow a pre-defined logic and execute it sequentially. There may be some if-else evaluation in the middle, but it lacks real-time feedback in the attack lifecycle that helps implement dynamic adjustment into the attack path.

RidgeBot, on the other hand, uses an intelligent decision model to perform the attack. In some cases, the RidgeBot would make its decision based on a traditional exploit of a vulnerability. For example, if an SQL injection vulnerability is detected in the target system, it will insert arbitrary SQL queries into the database of the web application, thus exposing vital information.

In other cases, the decision RidgeBot makes would resemble human intuition.  For example, if an XSS vulnerability is detected, instead of performing a traditional XSS attack of stealing cookies and sending phishing emails to the addresses found on the vulnerable site, it would attempt an SQL injection attack. This is because empirically, the fact that XSS vulnerabilities exists on the site could be an indication of its security level and unfiltered or uncontrolled user input data. As a result, the website could have a high probability of SQL injection vulnerability, thus the decision to attempt a SQL inject attack. In fact, the user input being unfiltered or uncontrolled could result in various vulnerabilities. Thus, we have trained RidgeBot to build attack chains like a human attacker, once they find a vulnerability, would usually attempt non-linear distinct attacks to devastate the target system.

Additionally, RidgeBot has a function called attack source tracking. Since RidgeBot’s attack are guided by neural network-based decision model, the attack path is not static: it dynamically creates new attacks and possibly changes in real-time based on the different scenarios it runs into. Such complex process means that even as a designer or programmer of RidgeBot, it is hard to tell how RidgeBot managed to determine the attack path. Therefore, we use attack source tracking to record the corresponding attack chains. After the user sees the entire attack chain, he would clearly know which patches have the highest priority and which ones can be put on the back burner.