

Microsoft Corp. today announced a new method for discovering software security vulnerabilities that uses machine learning and deep neural networks to learn from past experience and better identify overlooked issues.
Dubbed “neural fuzzing,” the method takes traditional fuzz testing, a quality assurance technique used to discover coding errors and security loopholes in software, operating systems or networks, and uses machine learning to insert a deep neural network into the feedback loop of a “greybox fuzzer.”
Microsoft found that by deploying the neural network to observe past fuzzing interactions on an existing fuzz testing platform and then using that data to discover vulnerabilities, the results outperformed all existing fuzzing methods in terms of code coverage, unique code paths and crashes.
“We believe our neural fuzzing approach yields a novel way to perform greybox fuzzing that is simple, efficient and generic,” Development Lead William Blum said in a blog post. Blum argued that the new method is simple because it is not based on sophisticated handcrafted heuristics; instead, it simply learns from an existing fuzzer. He also argued that the new method is efficient in that it explores data more quickly than a traditional fuzzer, and that the methodology itself is generic in that it could be applied to any fuzzer, including blackbox and random fuzzers.
“We believe our neural fuzzing research project is just scratching the surface of what can be achieved using deep neural networks for fuzzing,” Blum added. “Right now, our model only learns fuzzing locations, but we could also use it to learn other fuzzing parameters such as the type of mutation or strategy to apply.”
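The feedback loop described above, with a learned choice of fuzzing locations, as an added illustration that is not Microsoft's code or model. A per-offset score table with neighbour smoothing stands in for the deep neural network; the toy target, `MAGIC`, `fuzz` and the reward of 10 are assumptions made for this example.

```python
import random

MAGIC = (0xA, 0xB, 0xC, 0xD)  # constructed: high nibbles the toy parser expects in bytes 0..3
INPUT_LEN = 32

def target(data):
    """Toy program under test: returns the set of branch ids one run executed."""
    cov = {0}
    for i, nibble in enumerate(MAGIC):
        if data[i] >> 4 != nibble:       # nested header checks stop at the first mismatch
            break
        cov.add(i + 1)
    return cov

def fuzz(iterations, learn, seed=1):
    """Greybox loop; with learn=True, mutation offsets are drawn from learned scores."""
    rng = random.Random(seed)
    corpus = [bytes(INPUT_LEN)]          # constructed seed input: all zero bytes
    seen = set(target(corpus[0]))
    scores = [1] * INPUT_LEN             # per-offset score; 1 means no evidence yet
    done_at = None                       # iteration at which every branch had been reached
    for it in range(iterations):
        parent = rng.choice(corpus)
        weights = scores if learn else None      # None = uniform choice (baseline fuzzer)
        pos = rng.choices(range(INPUT_LEN), weights)[0]
        child = bytearray(parent)
        child[pos] = rng.randrange(256)          # single-byte mutation at the chosen offset
        cov = target(child)
        if not cov <= seen:              # coverage feedback: a new branch was reached
            seen |= cov
            corpus.append(bytes(child))
            # Learn from this past interaction: reward the offset and its neighbours.
            for p in range(max(0, pos - 1), min(INPUT_LEN, pos + 2)):
                scores[p] += 10
            if done_at is None and len(seen) == len(MAGIC) + 1:
                done_at = it
    return seen, scores, done_at

if __name__ == "__main__":
    for learn in (False, True):
        seen, scores, done_at = fuzz(20000, learn)
        label = "learned " if learn else "baseline"
        print(label, sorted(seen), "full coverage at iteration", done_at, scores[:6])
```

Offsets past the header never earn score because mutating them cannot change the path the target takes, so the learned run spends its budget on the bytes that control coverage.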
More details on the fascinating research, which potentially lays the groundwork for the model to learn other fuzzing parameters and thus improve a key technology that makes up security detection tools, can be found on the project’s research site.