{"id":214544,"updated":"2025-01-19T16:35:01.585520+00:00","links":{},"created":"2025-01-19T01:15:21.415702+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00214544","sets":["6164:6165:6462:10749"]},"path":["10749"],"owner":"44499","recid":"214544","title":["深層強化学習を用いたWebアプリの脆弱性検査のためのAIエージェント"],"pubdate":{"attribute_name":"公開日","attribute_value":"2021-10-19"},"_buckets":{"deposit":"1f7c9b59-7462-4395-851b-f2b0b87c41b5"},"_deposit":{"id":"214544","pid":{"type":"depid","value":"214544","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"深層強化学習を用いたWebアプリの脆弱性検査のためのAIエージェント","author_link":["551384","551382","551381","551383","551380","551379"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"深層強化学習を用いたWebアプリの脆弱性検査のためのAIエージェント"},{"subitem_title":"AI Agent Based on Deep Reinforcement Learning for Web Application Vulnerabilities","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"SQLインジェクション，強化学習，脆弱性検査，Webアプリ，CTF","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2021-10-19","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"佐賀大学理工学部"},{"subitem_text_value":"佐賀大学理工学部"},{"subitem_text_value":"神戸大学大学院工学研究科"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Faculty of Science and Engineering, Saga University","subitem_text_language":"en"},{"subitem_text_value":"Faculty of Science and Engineering, Saga University","subitem_text_language":"en"},{"subitem_text_value":"Graduate School of Engineering, Kobe University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/214544/files/IPSJCSS2021144.pdf","label":"IPSJCSS2021144.pdf"},"date":[{"dateType":"Available","dateValue":"2023-10-19"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJCSS2021144.pdf","filesize":[{"value":"1.2 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"728b06a8-8639-441e-8153-699d7a52442f","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2021 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"谷崎, 俊介"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"廣友, 雅徳"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"白石, 善明"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Shunsuke, Tanizaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Masanori, Hirotomo","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yoshiaki, Shiraishi","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Web アプリの脆弱性を突いたサイバー攻撃は脅威であり，Web アプリの脆弱性検査が重要である．脆弱性検査用のツールとして OWASP ZAP や Burp Suite などのスキャナーがあるが，これらのツールの利用には専門知識を必要とし，人手に頼る部分が多い．本稿では Web アプリの脆弱性検査の自動化を目指し，SQL インジェクション攻撃を自動的に行う強化学習のエージェントを提案する．強化学習のアルゴリズムとして Deep Q-learning を利用した．エージェントは Web アプリに存在する脆弱性のパターンを自ら学び，攻撃手法の最適化を続ける．エージェントの学習には，SQL インジェクション攻撃に成功すると特定の文字列を含む HTTP レスポンスを返す，Capture The Flag (CTF) 型の Web アプリを使用した．エージェントの学習が進むと，攻撃成功に必要な HTTP リクエストの送信回数は大幅に減少し，エージェントは攻撃に成功する可能性が高い HTTP リクエストを優先的に送信するようになった．","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Cyber attacks that exploit vulnerabilities in web applications are a threat, and vulnerability analysis of web applications is important. There are vulnerability scanners such as OWASP ZAP and Burp Suite for web applications, but the use of these tools requires specialized knowledge and requires a lot of manual labor. In this paper, we propose the reinforcement learning agent that automatically performs SQL injection attacks on web applications. We used Deep Q-learning for reinforcement learning algorithm. The agent learns the vulnerability patterns in web applications by itself and continues to optimize its own attack method. For agent learning, we developed CTF web applications that returns a flag when the SQL injection attack is successful. As the learning of the agent progressed, the number of HTTP requests sent for a successful attack decreased significantly, and the agent began to preferentially send HTTP requests that are likely to succeed in the attack.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1084","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2021論文集"}],"bibliographicPageStart":"1077","bibliographicIssueDates":{"bibliographicIssueDate":"2021-10-19","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"44499"}}