In the first head-to-head hacking competition of autonomous computers, a system developed by a team of Pittsburgh-based researchers is the presumptive winner.
Mayhem was developed by the ForAllSecure team from Pittsburgh.
Results were still being verified, but the winning team, a startup with roots at Carnegie Mellon University, is set to be awarded the $2 million grand prize today.
The winning system also is expected to be invited to compete against the world’s best human hackers at Defcon later today. It would be the first time a machine has played in a tournament at DefCon, long-running hacking conference.
“I’m enormously gratified that we achieved [the Cyber Grand Challenge’s] primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible,” said Mike Walker, DARPA program manager, in a statement. “I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today.”
During the 12-hour "capture the flag" tournament, the teams were scored on how well their systems "protected hosts, scanned the network for vulnerabilities and maintained the correct function of software."
Walker said the challenge has launched a revolution in software security.
“In the same way that the Wright brothers’ first flight -- although it didn’t go very far -- launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense,” he said. “That is a huge advance compared to where the cyber defense world was yesterday.”
In Thursday’s competition, Xandra, a computer system designed by TechX, a team from Ithaca, N.Y. and the University of Virginia, took second place, winning $1 million.
Mechanical Phish, a system designed by team Shellphish from the University of California, Santa Barbara, was the third-place winner and will take home $750,000.
DARPA has been running the cyber challenge since 2013 in an effort to stimulate research into autonomous systems that can be used to protect the computer software that runs in nearly all devices of daily life, including cars, refrigerators, home security systems and coffee makers.
With the Internet of Things steadily growing, more devices are connected to the Internet, requiring even more cybersecurity. Keeping all of that software secure has become an overwhelming scenario for humans acting alone.
The answer, according to DARPA and some researchers, is to combine forces with smart systems.
“I want to make sure that everyone can check the security of the software they’re using,” said David Brumley, CEO of ForAllSecure, in a video interview “I want to make sure that the person who buys a smart refrigerator knows it’s not going to be a new avenue for someone to steal their credit card numbers. That they can install a new app on their phone and they don’t have to worry about it stealing their contacts.”
ForAllSecure’s system uses a two-pronged approach, combining two autonomous systems.
One system generates deep paths in the software searching for flaws. A second system is a fast directed fuzzer, a technique for testing software that can generate proof that a flaw exists and then begin the patching process.
Combining the two autonomous systems is more powerful than either technique is alone, according to ForAllSecure.
“It’s a much faster way of searching through programs than by hand,” said Tyler Nighswander, a software engineer with ForAllSecure. “There is a lot of creativity and almost art in crafting exploits and doing that sort of thing, so the real solution is a two-pronged approach where you have computers and humans working together.”
Brumley, however, doesn’t foresee computers, even autonomous systems, replacing people in all areas of cybersecurity.
“I look at computers freeing us from mundane tasks,” he said. “You always want that human spark of creativity, and that’s something the computer will never have. I look at [the Cyber Grand Challenge] as upping the bar so we can focus more on those abstract concepts, as people, and let the computer worry about the details.”
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.