
Fortifying Software Supply Chain Resilience: Leveraging SBOM Concepts to Generate AIBOMs and Detect Vulnerabilities


dc.contributor.author Jerom, Maha
dc.date.accessioned 2025-07-02T06:32:29Z
dc.date.available 2025-07-02T06:32:29Z
dc.date.issued 2024
dc.identifier.citation Jerom, Maha (2024) Fortifying Software Supply Chain Resilience: Leveraging SBOM Concepts to Generate AIBOMs and Detect Vulnerabilities. MSc. Dissertation, Informatics Institute of Technology en_US
dc.identifier.issn 20220879
dc.identifier.uri http://dlib.iit.ac.lk/xmlui/handle/123456789/2867
dc.description.abstract "Artificial Intelligence (AI) based solutions are introducing fresh concerns regarding information security and privacy. There exists a gap in AI supply chain security in identifying the dependencies associated with AI solutions, akin to a Software Bill of Materials (SBOM) as regulated by executive orders of the US, and additionally, there is a need to proactively scan these dependencies to detect and remediate vulnerabilities. This project aims to address the identified gap by using existing methods for creating SBOMs to create a basic solution that can produce an AIBOM and find its vulnerabilities. Public data for AI dependencies were collected and formatted according to Software Package Data eXchange (SPDX) to generate the AIBOM. The well-known public vulnerability database, the National Vulnerability Database (NVD), was searched to detect the vulnerabilities in the AIBOM. The solution was capable of successfully generating an AIBOM with relevant dependencies and identifying vulnerabilities against the LLM. Based on the test results, the performance of the application was at 100%, with the code base being rated as 'B-Good'. The functional, unit and data integrity test pass rates are respectively 75%, 88% and 87%. However, the application scored an average accuracy rate of 31.38% due to the inability to negate false negatives and the lack of vulnerabilities associated with the relevant LLMs." en_US
dc.language.iso en en_US
dc.subject AI Bill of Materials en_US
dc.subject AIBOM Generator en_US
dc.subject AI Vulnerability Detection en_US
dc.title Fortifying Software Supply Chain Resilience: Leveraging SBOM Concepts to Generate AIBOMs and Detect Vulnerabilities en_US
dc.type Thesis en_US

