NVIDIA Uses Generative AI to Streamline CVE Analysis at an Enterprise Scale
According to the NVIDIA Technical Blog, NVIDIA is making innovative strides in the software security sector by applying generative AI to streamline the process of scanning and patching software vulnerabilities, especially given the exponentially increasing complexity of modern enterprise applications.
Addressing the Complexity of Software Vulnerability Scanning
The traditional approach to scanning and patching software has become increasingly unmanageable due to the surge in reported security flaws in the common vulnerabilities and exposures (CVE) database, which hit a record high in 2022. With over two hundred thousand cumulative vulnerabilities reported by the end of 2023, a more efficient solution is needed.
Generative AI offers a promising solution to this issue, as it can improve vulnerability defense while decreasing the load on security teams. The AI not only detects and remediates CVEs from a database but also investigates the scanned software container to determine if upgrading is required. This process is significantly faster than the manual work of a human security analyst.
Introducing Agent Morpheus: An AI-based CVE Analysis Tool
NVIDIA has developed a generative AI application, referred to as 'Agent Morpheus', which executes a more sophisticated response to CVEs. Agent Morpheus determines if a vulnerability actually exists, generates a checklist of tasks to thoroughly investigate the CVE, and most importantly, determines if it's exploitable. This process significantly decreases the time spent researching and investigating CVEs before securely publishing software containers.
The Role of Generative AI in Software Security
Generative AI is becoming increasingly vital in software security, particularly in the enterprise context. It is crucial to differentiate between a container being vulnerable (a CVE is present) and being exploitable (the vulnerability can actually be executed and abused). The method to determine the exploitability of each CVE is unique based on the specific vulnerability and requires the synthesis of CVE information from a variety of intelligence sources. This process can be incredibly tedious and time-consuming, thus the introduction of AI significantly improves efficiency.
Benefits of Agent Morpheus
With Agent Morpheus, organizations can reduce the time it takes to triage software for vulnerabilities from hours or days to seconds. It can perceive, reason, and act independently, without prompting or assistance from a human analyst. When it is finished with its analysis, Agent Morpheus presents a summary of findings to the human analyst who can then determine the best course of action. Any human-approved patching exemptions or changes to the Agent Morpheus summary from the analyst are fed back into the LLM fine-tuning datasets to continually improve the models based on human output.
Conclusion
Overall, NVIDIA's application of generative AI in the form of 'Agent Morpheus' is a groundbreaking approach to handling the increasing complexity of software vulnerability scanning and patching at an enterprise scale. This innovation represents a significant stride in software security and showcases the potential of AI in improving efficiency and accuracy in the sector.