Winpen: A fast clustering approach for black-box penetration testing

Özerk, Özgün (2021) Winpen: A fast clustering approach for black-box penetration testing. [Thesis]


Abstract

In black-box penetration testing, a payload is a piece of code that potentially enables unauthorized access to a computer system through an exploit. Grouping payloads based on the behavior they trigger in the target application is a labor-intensive process, in which each payload and the application's corresponding behavior must be analyzed and interpreted by humans. To assist human evaluation, we propose a new algorithm, WinPen, which classifies payloads based on the behavior they trigger in the system. Each payload is represented by the length of the response strings generated after the payload is submitted to the system. WinPen performs mean-based comparisons for each point in the dataset with respect to the point's previous neighbors. We show that WinPen achieves an average accuracy score of 99.85% across several datasets. WinPen runs in O(n log n + n), and the time complexity is reduced to O(n) for already sorted inputs. WinPen is programming-language and source-code independent, and can be utilized in cyber security applications faster than other clustering algorithms (e.g., up to 46× faster than kmeans1d), without the need for tedious hyper-parameter tuning procedures.
Item Type: Thesis
Uncontrolled Keywords: pentesting; clustering; unsupervised; black-box; machine-learning; cyber-security; penetration testing
Subjects: Q Science > QA Mathematics > QA076 Computer software
Divisions: Faculty of Engineering and Natural Sciences
Depositing User: Dila Günay
Date Deposited: 20 Jun 2022 16:46
Last Modified: 20 Jun 2022 16:46
URI: https://research.sabanciuniv.edu/id/eprint/42948
