What if machines could outsmart would-be attackers to protect national security?
A system called "Mayhem" has clinched the $2 million top prize in DARPA’s Cyber Grand Challenge, a competition to build software that automatically defends networks against attacks.
In the Cyber Grand Challenge, DARPA challenged the world to create software that can defend networks against attacks without a human typing at a keyboard. This software is designed to identify threats and react to, defend, and seal off vulnerabilities from future attacks.
Last week, the Paris Las Vegas Conference Center became the battleground for the world's first all-machine hacking tournament, the culmination of three years of development and qualifiers. The cyber challenge took place on the eve of the famous DEF CON tournament, where top code slingers from around the world converge annually.
The winning system, “Mayhem,” was created by a team called ForAllSecure, and scored $2 million in prize money. Xandra (made by TECHx) and Mechanical Phish (created by Shellphish) came in second and third and won their human creators $1 million and $750,000 respectively.
The results of the competition were clear. Computer systems – all by themselves, thanks to the extraordinary human talent that created them – have the potential to become a powerful force to defend the United States against cyber attacks.
Seven computers face off
Seven high-performance computers played an all-machine Capture the Flag contest for the nearly $4 million in prizes. Competing teams made up of white-hat hackers, academics, and private-sector cyber systems experts developed the computers.
Set against Vegas-style glamour, huge machines dominated the stage and commanded the action. The all-day intense competition drew thousands of spectators, and commentators provided analysis as the battle unfolded. The systems for this battle required more power than the entire hotel itself takes to run.
It also required engineering feats to pull off the event itself, as the machines ran so hot that DARPA was running thousands of gallons of cooled water to keep them fighting fit.
The machines did things like probe the security of opponent software, reverse engineer unknown binary software, defend and generate patches – all by themselves without humans directing their responses in real time.
What’s the threat?
From allegations that Russian hackers are influencing a presidential election by hacking the Democratic National Committee to security concerns over the vulnerability of Hillary Clinton’s personal server, the threat of hacking has been in the news a lot lately.
Adversaries come in all shapes and sizes. Whether they are nation-state actors with advanced abilities and resources or individuals with rudimentary capability, tens of thousands of attacks are launched every single day against Department of Defense systems alone, for example.
Attacks are not limited to government systems and military platforms. Attacks are also launched against U.S. companies and even home computers and appliances – anything connected to the internet can make Americans vulnerable to all sorts of damage and loss.
Bugs can go undetected for years and do vast damage in that time. One example is Heartbleed. It rendered an estimated half a million of the internet’s secure servers vulnerable to theft and beyond for about two and a half years before it was caught.
The machine advantage?
Currently, the world relies on talented cyber experts to hunt down and capture bugs. Hunting and defeating bugs, hacks and other infections could be characterized as an art that requires intellect, expertise, imagination, extraordinary problem solving, determination, and out-of-the-box thinking – and raises the question of whether a machine could ever do it.
Defending against threats and scouring millions of lines of code to identify and fix vulnerabilities takes massive amounts of man-hours, and there are a limited number of humans with the skills to do this. Sometimes it can be done very quickly, but more often it can take a year from detection to solution.
And the time to discovery and defeat is something that adversaries can exploit.
By automating the cyber defense process with machines that can discover, confirm and fix software flaws in real-time, would-be hackers would lose a lot of the advantages they currently exploit.
So the seven competing teams had to successfully tackle the monumental task of creating and training machines to do just that. If machines could accelerate the speed of effective response, then they could lead to a powerful force against cyber attacks.
As Program Director Mike Walker noted, "Challenges work not because of the many who can imagine, but because of the few who dare."
DARPA challenges are renowned for sparking leaps ahead in innovation, and the Cyber Grand Challenge seems to have done just that.
Walker explained, “For two decades the hacker community has been perfecting a skills contest that lets their best compete head to head: Capture the Flag. Yesterday, we let machines play this contest in a league of their own. We don't know if this new generation of automated security machines will ever stand up to the abilities of the best hackers of the world, but a spark was lit and the road from here will be exciting to watch."