Bayesian Optimization in Security Fuzzing¶
The fuzzer implements an optimization system using scikit-optimize (skopt) to minimize failure rates during security scans. This document explains the optimizer's implementation and behavior.
Overview¶
The optimizer is used in both single-shot and many-shot scanning modes when the optimize parameter is True. It dynamically adjusts scan parameters to minimize failure rates while staying within budget constraints.
Implementation Details¶
Initialization¶
The optimizer is initialized with:
Optimizer(
[Real(0, 1)], # Single parameter space (0 to 1)
base_estimator="GP", # Gaussian Process estimator
n_initial_points=25 # Initial exploration points
)
Optimization Process¶
- Parameter Space: A single real-valued parameter between 0 and 1
- Objective: Minimize the failure rate (negative failure rate is maximized)
- Update Mechanism:
- Early Stopping: If best failure rate exceeds 50%:
Usage in Scanning¶
The optimizer is integrated into both scan types:
Single-shot Scan¶
- Used in
perform_single_shot_scan() - Optimizes failure rates across prompt modules
- Considers token budget constraints
Many-shot Scan¶
- Used in
perform_many_shot_scan() - Handles more complex multi-step attacks
- Maintains separate failure rate tracking
Key Parameters¶
| Parameter | Description |
|---|---|
| base_estimator | Gaussian Process (GP) used for optimization |
| n_initial_points | 25 initial exploration points |
| Real(0, 1) | Single parameter space being optimized |
| failure_rate | Current failure rate being minimized |
Optimization Flow¶
- Initialize optimizer with GP estimator
- Collect initial 25 data points
- For each prompt:
- Calculate current failure rate
- Update optimizer with new point
- Check for early stopping conditions
- Continue until scan completes or budget exhausted
Error Handling¶
The optimizer is wrapped in try/except blocks to ensure scan failures don't crash the entire process. Any optimization errors are logged and the scan continues with default parameters.