TY - GEN
T1 - Interrogating Virtual Agents
T2 - 32nd IFIP WG 6.1 International Conference on Testing Software and Systems, ICTSS 2020
AU - Bozic, Josip
AU - Wotawa, Franz
PY - 2020/1/1
Y1 - 2020/1/1
N2 - Chatbots, i.e., systems that communicate in natural language, have been of increasing importance over the last few years. These virtual agents provide specific services or products to clients on a 24/7 basis. Chatbots provide a simple and intuitive interface, i.e., natural language processing, which makes them increasingly attractive for various applications. In fact, chatbots are used as substitutes for repetitive tasks or user inquiries that can be automated. However, these advantages are always accompanied by concerns, e.g., whether security and privacy can be assured. These concerns become more and more important, because in contrast to simple requests, more sophisticated chatbots are able to utilize personalized services to users. In such cases, sensitive user data are processed and exchanged. Hence, such systems become natural targets for cyber-attacks with unforeseen consequences. For this reason, assuring information security of chatbots is an important challenge in practice. In this paper, we contribute to this challenge and introduce an automated security testing approach for chatbots. The presented framework is able to generate and run tests in order to detect intrinsic software weaknesses leading to the XSS vulnerability. We assume a vulnerability to be triggered when obtaining critical information from or crashing the virtual agent, regardless of its purpose. We discuss the underlying basic foundations and demonstrate the testing approach using several real-world chatbots.
KW - Chatbots
KW - Model-based testing
KW - Security testing
KW - Web applications
UR - http://www.scopus.com/inward/record.url?scp=85097816474&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-64881-7_2
DO - 10.1007/978-3-030-64881-7_2
M3 - Conference paper
AN - SCOPUS:85097816474
SN - 9783030648800
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 20
EP - 34
BT - Testing Software and Systems - 32nd IFIP WG 6.1 International Conference, ICTSS 2020, Proceedings
A2 - Casola, Valentina
A2 - De Benedictis, Alessandra
A2 - Rak, Massimiliano
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 9 December 2020 through 11 December 2020
ER -