Advertisement

You say you want a revolution: DARPA’s Cyber Grand Challenge

The finals of the Cyber Grand ​Challenge, which will be held by the Defense Advanced Research Projects Agency at the DEFCON security conference in Las Vegas next month, aim to see if a high performance computer system can discover and patch security systems automatically — without human intervention.
Defcon

In a much larger setting than this, hackers will try their hands at launching a fully autonomous security system at DEFCON next month. (DEF CON/Wikipedia/CC 2.0)

In a few weeks, a town better known for events like the World Series of Poker will host the World Series of Hacking.

The finals of the Cyber Grand Challenge, which will be held by the Defense Advanced Research Projects Agency at the DEFCON security conference in Las Vegas next month, aim to see if a high performance computer system can discover and patch security systems automatically — without human intervention.

Seven teams will compete in the finals in front of 5,000 spectators packed into the Paris Las Vegas auditorium, waiting to see if a computer will be able to put the best human penetration testers and security researchers to shame.

Advertisement

While the event has the aura of a sporting finale, DARPA program manager Mike Walker says the efforts undertaken by the finalists are important for eliminating a glaring problem when it comes to cybersecurity: vulnerabilities often go hundreds of days without being discovered and it some instances take more than a year to patch.

[Brand new: Sign up for the CyberScoop Newsletter, a daily look at all things cybersecurity]

“The reaction to unknown flaws in software is entirely manual,” Walker told reporters on Wednesday. “We want to build autonomous systems that can arrive at their own insights, do their own analysis, make their own risk equity decisions of when to patch and how to manage that process.”

The entries, all built on custom high-performance computers, will be responsible for monitoring a network running software with previously unexamined code. The finalists’ systems will need to comprehend the software’s language or author their own logic; explore the almost infinite possible inputs into that software; and arrive at the diagnosis of new vulnerabilities entirely on their own.

Walker says the systems must “then form the solution, whether it’s network defense or patching defense, and manage the solution. If the solution breaks, it’s the machine’s responsibility to fix it.”

Advertisement

[Read more: FedScoop’s coverage of last year’s Cyber Grand Challenge]

If the winners want to test their luck, DEFCON organizers have invited the winning automated system to compete against the world’s best human hackers in their Capture the Flag competition the following day, marking the first-ever inclusion of a mechanical contestant in the event.

DARPA is comparing the Capture the Flag competition to similar competitions, such as the famed Jeopardy! competition where IBM’s Watson cognitive computer defeated two human competitors. Walker said the competition is geared toward these systems, known as reasoning systems, because it tests how close researchers are to achieving full autonomy.

“We wanted to follow in the tradition of reasoning machines like Deep Blue and Watson and AlphaGo,” Walker said. “This is an adversarial domain. In adversarial domains, the way you build a metric — like the Elo rating in chess — is, you measure [your] efficacy by the opponent you can defeat.”

Beyond the competition, Walker wants the challenge to kick off a “revolution” in security automation, eventually getting to the point that it’s as commonplace as nutrition labels on food packaging.

Advertisement

“When you buy [software] and you look on the back, what you don’t have today is a sticker that tells you what machine investigated [its] security and what machine will guard its security in the future,” he said. “That’s something we could see as an open technology revolution in security automation.”

Contact the reporter on this story via email at greg.otto@fedscoop.com, or follow him on Twitter at @gregotto. His OTR and PGP info can be found hereSubscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.

Latest Podcasts