Evaluation of ChatGPT as a cybersecurity tool : An experimental CTF based approach

Abstract: The aim of this thesis is to evaluate the artificial intelligence model ChatGPT as a tool in the cybersecurity domain. With the purpose of analysing and facilitating understanding of the technology’s effects on possible threats. The development of AI models has a potential to alter the knowledge required to perform malicious activities. The method for evaluating ChatGPT effectiveness in aiding actors to breach a vulnerable system is a experimental capture the flag based approach. This is a type of cyber-security challenge, simulating a target system. The goal is to find and exploit vulnerabilities on the target and obtain a so-called flag to prove the breach. ChatGPT is used as an assistant and information gathering tool in the simulations. The responses collected from ChatGPT in the simulation challenges is analysed to fulfil the thesis purpose. The results shows that ChatGPT is useful as a tool. However, as with any tool, knowledge on how to use it is required. A potential threat actor do need profound comprehension and technical knowledge to make relevant queries. 41.3% of all 46 collected responses is categorised as partly usable in conjunction with previously obtained knowledge. Furthermore, to successfully breach the simulated targets the actor need to be able to modify and deploy any suggested exploit provided by ChatGPT. The findings show a correlation between more difficult capture the flag challenges and the importance of tester knowledge. The harder challenges had a higher degree of responses categorized as partly usable compared to responses deemed directly usable. In conclusion ChatGPT do not provide enough assistance at this time to increase the potential of malicious actors with limited technical knowledge. Future work in this area includes testing internet connected and newer versions of ChatGPT and further analyse the importance of prompt engineering.