In November of last year, the AI research and development lab OpenAI revealed its latest, most advanced language project: A tool called ChatGPT.
ChatGPT is so much more than “just” a chatbot. As users have shown with repeated testing and prodding, ChatGPT seems to “understand” things. It can give you recipes that account for whatever dietary restrictions you have. It can deliver basic essays about moments in history. It can — and has been — used to cheat by university students who are giving a new meaning to plagiarism, stealing work that is not theirs. It can write song lyrics about X topic as though composed by Y artist. It can even have fun with language.
For example, when ChatGPT was asked to “ Write a Biblical verse in the style of the King James Bible explaining how to remove a peanut butter sandwich from a VCR,” ChatGPT responded in part:
“ And it came to pass that a man was troubled by a peanut butter sandwich, for it had been placed within his VCR, and he knew not how to remove it. And he cried out to the Lord, saying ‘ Oh Lord, how can I remove this sandwich from my VCR, for it is stuck fast and will not budge. ’ ”
Is this fun? Yes. Is it interesting? Absolutely. But what we’re primarily interested about in today’s episode of Lock and Code, with host David Ruiz, is where artificial intelligence and machine learning — ChatGPT included — can be applied to cybersecurity, because as some users have already discovered, ChatGPT can be used to some success to analyze lines of code for flaws.
It is a capability that has likely further energized the multibillion-dollar endeavor to apply AI to cybersecurity.
Today, on Lock and Code, we speak to Josh Saxe about what machine learning is “good” at, what problems it can make worse, whether we have defenses to those problems, and what place machine learning and artificial intelligence have in the future of cybersecurity. According to Saxe, there are some areas where, under certain conditions, machine learning will never be able to compete.
“If you’re, say, gonna deploy a set of security products on a new computer network that’s never used your security products before, and you want to detect, for example, insider threats — like insiders moving files around in ways that look suspicious — if you don’t have any known examples of people at the company doing that, and also examples of people not doing that, and if you don’t have thousands of known examples of people at the company doing that, that are current and likely to reoccur in the future, machine learning is just never going to count with just manually writing down some heuristics around what we think bad looks like.”
“Because basically in this case, the machine learning is competing with the common sense model of the world and expert knowledge of a security analyst, and there’s no way machine learning is gonna compete with the human brain in this context.”
Tune in today
Show notes and credits:
Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
Outro Music: “Good God” by Wowa (unminus.com)