Update 2024_Talks.markdown
Updating formatting to make it look better.
rharang authored Jul 31, 2024
1 parent 1d44c71 commit 11ac47d
Showing 1 changed file with 29 additions and 26 deletions.
55 changes: 29 additions & 26 deletions _pages/2024_Talks.markdown
@@ -7,13 +7,15 @@ toc_icon: "calendar"
toc_sticky: true
title: "Talks"
---

# August 9

# BOLABuster: Harnessing LLMs for Automating BOLA Detection
## BOLABuster: Harnessing LLMs for Automating BOLA Detection

August 9; 1130-1230


## Abstract
**Abstract**

Broken Object Level Authorization (BOLA) is a prevalent vulnerability in modern APIs and web
applications, ranked as the top risk in the OWASP API top 10 and the fourth most reported vulnerability type in HackerOne Global Top 10. The consequences of BOLA can be severe, from sensitive data exposure to a total loss of system control.
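Review bot: the new `# August 9` heading and the demoted `## BOLABuster…` title sit at h1/h2 on a page whose front matter already supplies `title: "Talks"` (rendered by the layout as the page heading), so the rendered page carries more than one h1; consider `## August 9` for day headings and `###` for talk titles so the hierarchy stays under the page title and the TOC this file enables (`toc_icon`, `toc_sticky`) nests talks under days. Also, the two blank lines after `August 9; 1130-1230` can be collapsed to one now that `**Abstract**` is inline text rather than a heading.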
@@ -29,18 +31,18 @@ When benchmarked against other state-of-the-art fuzzing tools using applications
In this talk, we will share our methodology and the lessons learned from our research. We invite you to join us to learn about our journey with AI and explore a new approach to conducting vulnerability research.


## Authors
**Authors**

1. Ravid Mazon (Palo Alto Networks)
2. Jay Chen (Palo Alto Networks)


# AI’ll be watching you. Greybox Attacks against an Embedded AI
## AI’ll be watching you. Greybox Attacks against an Embedded AI

August 9; 1330-1430


## Abstract
**Abstract**

AI’ll be watching you will cover attacking an embedded AI on a family of popular security cameras with over 100,000 combined reviews on Amazon. The camera’s embedded AI system is used for on-device person detection, a system that filters notifications based on whether a person is detected. Traditionally the camera would alert the owner if any motion was detected, meaning that an attacker would have to have no motion be detected, but now with the embedded AI making decisions, an attacker needs to only appear not to be human. While this may seem a simple task, dressing up as a giant bush would be noticeable by the people around the attacker, meaning that a successful attack against this system requires the on-camera AI to be tricked while not alerting nearby people to any suspicious disguises.

@@ -49,24 +51,24 @@ In this talk we will cover the steps we took to research and gain access to the
The purpose of this talk is to raise awareness about the insecurity of embedded AI as well as to demonstrate how known attack techniques can be used on never-before-seen models, showcasing that AI/ML research has truly passed the infant stage and has reached a point where developed methods can be broadly applied.


## Authors
**Authors**

1. Ryan Tracey (HiddenLayer)
2. Kasimir Schulz (HiddenLayer)
3. Tom Boner (HiddenLayer)


# Removing the Ring of Gyges: Lessons from Securing AI Systems Against File Format Abuse
## Removing the Ring of Gyges: Lessons from Securing AI Systems Against File Format Abuse

August 9; 1430-1500


## Abstract
**Abstract**

This talk will focus on the implications of our work defending AI based cybersecurity systems against file format abuse for the design of AI systems for cyber. The audience will learn how the interface between traditional cybersecurity systems and the AI models being integrated into them impacts security. File format abuse enables polyglot files to bypass state-of-the-art malware detection systems (EDR tools) that utilize machine learning in an attempt to catch novel forms of malware. The polyglot file is sent to the wrong model because the embedded file type is not detected. Existing file type, file carving, and polyglot detection tools are insufficient to detect polyglots used by threat actors in the wild. However, we trained a machine learning model capable of detecting all polyglot types in our dataset, which is based on threat actor usage of polyglots in the wild, with over 99.9% accuracy. Content disarm and reconstruct (CDR) tools can also be used to disarm polyglots, but are not effective on all file types.


## Authors
**Authors**

1. Sean Oesch (Oak Ridge National Laboratory)
2. Luke Koch (Oak Ridge National Laboratory)
@@ -77,12 +79,12 @@ This talk will focus on the implications of our work defending AI based cybersec
7. Cory Watson (Oak Ridge National Laboratory)


# On Your Ocean's 11 Team, I'm the AI Guy (technically Girl)
## On Your Ocean's 11 Team, I'm the AI Guy (technically Girl)

August 9; 1500-1600


## Abstract
**Abstract**

One of the best parts of DEF CON is the glitz and glam of Vegas, the gambling capital of the world. Many have explored hacking casinos (on and off stage). Unfortunately, it’s just not like it is portrayed in the Oceans franchise.. in real life there’s much less action, no George Clooney, and it’s a lot harder to pull off a heist than it seems.

@@ -94,42 +96,43 @@ The casino industry is at an interesting inflection point. Many large casinos ha
In this talk I’m going to show you how I bypassed casino AI systems - facial recognition, surveillance systems and game monitoring. AI Security is the new cyber security threat, and attacks on AI systems could have broad implications including misdiagnoses in medical imaging, navigation errors in autonomous vehicles.. and successful casino heists.


## Author
**Author**

1. Harriet Farlow (Mileva Security Labs)

# August 10

# garak : A Framework for Large Language Model Red Teaming
## garak : A Framework for Large Language Model Red Teaming

August 10; 1130-1230


## Abstract
**Abstract**

Large Language Model (LLM) deployment and integration comes with a need for scalable evaluation of how these models respond to adversarial attacks. However, LLM security is a moving target: models produce unpredictable output, are constantly updated, and the potential adversary is highly diverse: anyone with access to the internet and a decent command of natural language. Further, what constitutes a weakness in one context may not be an issue in a different context; one-fits-all guardrails remain theoretical. It is time to rethink what constitutes ``LLM security'', and pursue a holistic approach to LLM security evaluation, where exploration and discovery of issues are central. To this end, this paper introduces garak (Generative AI Red-teaming and Assessment Kit), a framework which can be used to discover and identify vulnerabilities in a target LLM or dialog system. garak probes an LLM in a structured fashion to discover potential vulnerabilities. The outputs of the framework describe a target model's weaknesses, contribute to an informed discussion of what composes vulnerabilities in unique contexts, and can inform alignment and policy discussions for LLM deployment.


## Authors
**Authors**

1. Leon Derczynski (NVIDIA Corp)
2. Erick Galinkin (NVIDIA Corp)
3. Jeffrey Martin (NVIDIA Corp)
4. Subho Majumdar (vijil)


# ConfusedPilot: Data Corruption and Leakage by Misusing Copilot for Microsoft 365
## ConfusedPilot: Data Corruption and Leakage by Misusing Copilot for Microsoft 365

August 10; 1330-1430


## Abstract
**Abstract**

The hype for integrating artificial intelligence into an enterprise's daily work has become more prevalent after introducing AI-driven systems that use Retrieval Augmented Generation (RAG), such as Copilot for Microsoft 365. But is the trust in such systems and their control over decision-making processes within enterprises rational? Copilot and other RAG-based systems can be misused to cause dissemination of misinformation that negatively impacts decision-making processes without proper auditing and safeguarding of data available to large language models in RAG-based systems.

This talk will demonstrate such an attack that we have termed ConfusedPilot because of its ability to turn Copilot into a confused deputy. The attack occurs when a malicious document is introduced to the data pool (documents, presentations, other relevant files, etc.) related to a topic affecting the enterprise's decision-making process. The malicious document contains a combination of corrupt data and malicious strings that suppress the correct documents related to the topic and respond to the user's query with only the information present within the malicious document. Furthermore, the talk highlights how this attack can persist after deleting content within the malicious document or the document itself. The talk also points to the larger implications of such attacks, highlighting their cascading effect and existing security measures that can be used to reduce the attack's effectiveness. Our talk sheds light on the current attacks and potential security measures that can shield enterprises from the adverse effects of such attacks on their AI-driven systems.


## Authors
**Authors**
1. Ayush RoyChowdhury (The University of Texas at Austin)
2. Mulong Luo (The University of Texas at Austin)
3. Mohit Tiwari (The University of Texas at Austin)
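Review bot: at the end of this hunk, `**Authors**` for the ConfusedPilot talk is followed directly by `1. Ayush RoyChowdhury …` with no blank line, unlike the other `**Authors**` blocks in this commit (the garak block above has one); add the blank line so the list is not parsed as a continuation of the bold paragraph. Minor: `## garak : A Framework…` keeps a stray space before the colon.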
@@ -140,21 +143,21 @@ This talk will demonstrate such an attack that we have termed ConfusedPilot beca
August 10; 1430-1500


## Abstract
**Abstract**

Prompt injections are a class of attacks against LLM-powered applications that exploit the inclusion of untrusted user inputs in LLM prompts. We give an overview of two open source frameworks developed by Meta related to understanding and mitigating prompt injection risks:

- our *CyberSecEval Prompt Injection benchmarks* (evaluations of the propensity of popular LLMs to succumb to prompt injection when used without guardrails),
- as well as *PromptGuard* (an open-source model for identifying risky inputs to LLM-powered applications, both direct jailbreaks and indirect injections).

**Findings of interest:**
Findings of interest:

- *Evaluating foundation model vulnerability to indirect prompt injection:* LLMs can be trained to have contextual awareness of which parts of the input prompt are coming from a trusted user versus an untrusted third party - in particular via inclusion of a system prompt. We share our benchmark for direct and indirect prompt injection susceptibility of foundational LLMs (across a wide variety of attack strategies) introduced as part of CyberSecEval (an open-source suite of benchmarks for measuring the cybersecurity risks of foundational models). We present the results of these evaluations for currently-popular foundational LLMs. We conclude that model conditioning is not enough to defend against indirect prompt injection risks in most contexts, even with the usage of a system prompt.

- *Guardrailing against prompt injection attacks in real applications:* We present PromptGuard, a model designed for both the detection of direct jailbreak and indirect injection attacks. We highlight the differences between our models and existing malicious prompt detectors (which largely only address direct prompt injection or jailbreaking risks), and the specific risks that can be prevented by utilizing our guardrail in LLM-powered applications. We also show how the model can be fine-tuned to improve application-specific performance.


## Authors
**Authors**
1. Cyrus Nikolaidis (Meta Platforms, Inc)
2. Faizan Ahmad (Meta Platforms, Inc)

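Review bot: the title line of this talk (the line above `August 10; 1430-1500`) is outside the hunk, so it stays at `#` while every other talk title in this commit is demoted to `##`; it should be demoted as well, otherwise it renders at the same level as the `# August 10` day heading. Two smaller points in the same hunk: `**Findings of interest:**` loses its bold while `Abstract` and `Authors` gain it, which reads as the opposite of the commit's intent, and `**Authors**` again has no blank line before `1. Cyrus Nikolaidis`.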
@@ -164,22 +167,22 @@ Prompt injections are a class of attacks against LLM-powered applications that e
August 11; 1000-1100


## Abstract
**Abstract**

The possibility of an altered photo revising history in a convincing way highlights a salient threat of imaging technology. After all, seeing is believing. Or is it? The examples history has preserved make it clear that the observer is more often than not meant to understand that something has changed. Surprisingly, the objectives of photographic manipulation have remained largely the same since the camera first appeared in the 19th century. The old battleworn techniques have simply evolved to keep pace with technological developments. In this talk, we will learn about the history of photographic manipulation, from the invention of the camera to the advent of generative AI. Importantly, we will consider the reception of photo editing and its relationship to the notion of reality, which is more significant than the technologies themselves. Surprisingly, we will discover that creative myth making has found a new medium to embed itself in. This talk is based on Walter Scheirer's recent book A History of Fake Things on the Internet (Stanford University Press 2023).


## Author
**Author**

1. Walter Scheirer (University of Notre Dame)


# My Conversations with a GenAI-Powered Virtual Kidnapper
## My Conversations with a GenAI-Powered Virtual Kidnapper

August 11; 1100-1130


## Abstract
**Abstract**

For the past few months, I've been seeing how far I can push several commercially available GenAI systems past their ethical boundaries. ... hint: it's way too far.

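Review bot: no `# August 11` day heading is added in this hunk even though `# August 9` and `# August 10` were added above, and the title of the talk above `August 11; 1000-1100` (the Scheirer talk) is not in the diff, so it remains at `#`; add the day heading and demote that title to `##` so the last day matches the first two.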
@@ -188,6 +191,6 @@ In this talk, I'll demonstrate how I was able to turn LLMs into a powerful backe
Note: this session includes demos of a violent and profane chatbot. Please do not attend if that will be offensive to you.


## Author
**Author**

1. Perry Carpenter (KnowBe4, Inc.)
