NVIDIA Uses Generative AI to Streamline CVE Analysis at an Enterprise Scale



According to the NVIDIA Technical Blog, NVIDIA is making innovative strides in the software security sector by applying generative AI to streamline the process of scanning and patching software vulnerabilities, especially given the exponentially increasing complexity of modern enterprise applications.

Addressing the Complexity of Software Vulnerability Scanning

The traditional approach to scanning and patching software has become increasingly unmanageable due to the surge in reported security flaws in the Common Vulnerabilities and Exposures (CVE) database, which hit a record high in 2022. With over two hundred thousand cumulative vulnerabilities reported by the end of 2023, a more efficient solution is needed.

Generative AI offers a promising solution to this issue, as it can improve vulnerability defense while decreasing the load on security teams. The AI not only detects and remediates CVEs from a database but also investigates the scanned software container to determine if upgrading is required. This process is significantly faster than the manual work of a human security analyst.

Introducing Agent Morpheus: An AI-based CVE Analysis Tool

NVIDIA has developed a generative AI application, referred to as ‘Agent Morpheus’, which executes a more sophisticated response to CVEs. Agent Morpheus determines if a vulnerability actually exists, generates a checklist of tasks to thoroughly investigate the CVE, and most importantly, determines if it’s exploitable. This process significantly decreases the time spent researching and investigating CVEs before securely publishing software containers.

The Role of Generative AI in Software Security

Generative AI is becoming increasingly vital in software security, particularly in the enterprise context. It is crucial to differentiate between a container being vulnerable (a CVE is present) and being exploitable (the vulnerability can actually be executed and abused). The method to determine the exploitability of each CVE is unique to the specific vulnerability and requires the synthesis of CVE information from a variety of intelligence sources. This process can be incredibly tedious and time-consuming, so the introduction of AI significantly improves efficiency.

Benefits of Agent Morpheus

With Agent Morpheus, organizations can reduce the time it takes to triage software for vulnerabilities from hours or days to seconds. It can perceive, reason, and act independently, without prompting or assistance from a human analyst. When it is finished with its analysis, Agent Morpheus presents a summary of findings to the human analyst who can then determine the best course of action. Any human-approved patching exemptions or changes to the Agent Morpheus summary from the analyst are fed back into the LLM fine-tuning datasets to continually improve the models based on human output.

Conclusion

Overall, NVIDIA’s application of generative AI in the form of ‘Agent Morpheus’ is a groundbreaking approach to handling the increasing complexity of software vulnerability scanning and patching at an enterprise scale. This innovation represents a significant stride in software security and showcases the potential of AI in improving efficiency and accuracy in the sector.


