Mad-tech labcoat-sporters DARPA pit infosec AI against itself

It's the Cyber Grand Challenge

The US Defence Advanced Research Projects Agency, DARPA, will host the final round of the world’s first AI hacking tournament in Las Vegas today, where seven teams of competitors will take their custom-built autonomous cyber reasoning systems into battle.

Prestige and technological achievement in the field of AI cyber security aren’t the only motivators behind this competition. Winners of the Cyber Grand Challenge will also get to take home a generous prize of $2m.

The seven teams are made up of academics, white-hat hackers and private-sector cyber systems experts.

All teams will compete in a computer security version of Capture The Flag. The contest pushes cyber reasoning systems (CRS) to hunt for security bugs in software as well as defending their own system, whilst attacking opponents.

Points will be lost if the CRS cannot defend against attacks or if it doesn’t come up with effective patches.

But unlike the world's largest hacker convention, DEF CON, the Cyber Grand Challenge finale will not feature any hackers furiously bashing out lines of code. Instead, hackers will take a step back and let their CRS do all the work.

Team Shellphish, led by Professor Giovanni Vigna, director of the Centre for CyberSecurity at the University of California, Santa Barbara, said that all they’ll be able to do is cross their fingers.

Participants have to write and run autonomous algorithms that can find and patch security flaws.

Photo credit: DARPA

The software uses some aspects of machine learning to analyse code but is more of an expert system, Vigna told The Register.

In AI, an expert system is built to make decisions based on the evidence it has gathered. “It codifies what a human hacker would do,” said Vigna.

“The expert system is able to characterise states of the binary programme it finds interesting. It looks for features in the programme, for example how much memory has been allocated for certain parts of the programme that could mean it was a possible threat.”

After it has caught a security bug, the system exterminates the bug by executing a patch that has been programmed.

The power of the CRS is that it can learn and adapt to different situations, and is intended to be more creative than regular programmes.

Despite the hands-off approach, the hackers will still be nervous, Vigna said. “For two months we built this cyber reasoning system, but if one mistake is made and the system crashes and can’t recover then we are out of the competition. That can happen, and I imagine that could be a problem for a couple of teams.

“It’s like training your kid in Judo then putting it in a room with other kids that have been trained as well, and you don’t know what’s going to happen.”

DARPA are interested in investing into emerging technologies for defence purposes, and the Cyber Grand Challenge isn’t DARPA’s first competition that shows their interest in AI.

There are also Grand Challenges for autonomous cars and robotics. Interest in CRS is growing as it can perform specific tasks at much quicker rate than human hackers can. ®


Biting the hand that feeds IT © 1998–2017