7 advance to finals of DARPA's automated cyber challenge

The Cyber Grand Challenge is aiming to develop software that can fend off cyberattacks in real time.

Each team will get $750,000 from DARPA to help them get ready for next year’s finals.

Seven teams from academia and industry have reverse-engineered and hacked their way through to the finals of the DARPA Cyber Grand Challenge, a $3.75 million competition intended to improve automated security software.

The finalists emerged from an original field of 104 registrants in 2014 that was whittled, through a couple of preliminary trials, down to 28 for the first-of-its-kind CGC Qualifying Event in June, the first “capture the flag” cyber competition played strictly by machines. They’ll compete in the finals in August 2016 in Las Vegas, held in conjunction with the DEF CON hacking conference, with $2 million going to the winner, $1 million going to the runner-up and $750,000 being awarded for third place.

As with other events like its Robotics Challenge, DARPA doesn’t stage the competition just to see who wins. The idea is to advance technologies in key areas, in this case to develop automated security systems that can respond to cyberattacks as they occur.

As DARPA noted in announcing the finals, cyber defense still relies largely on human security experts to comb through systems to find vulnerabilities, patch them and try to further shore up defenses, a process that can take months. The hacks disclosed last month of Office of Personnel Management databases, for instance, went on for months before being discovered.

Through CGC, DARPA wants to find ways to automate that defensive process so that software can identify and react to cyberattacks in real time.

“After two years of asking ‘What if?’ and challenging teams around the world with a very difficult series of preliminary events, we’ve shown that there is a place for computers in an adversarial contest of the mind that until now has belonged solely to human experts,” said Mike Walker, DARPA program manager. “As we had hoped when we launched this competition, the winning teams reflect a broad array of communities—academic pioneers of the field, security industry powerhouses, and veterans of the CTF [capture the flag] circuit, each of which brings to CGC its own strengths.”

The qualifying competition took the form of a CTF game, which in the cyber realm is a common and popular way for security experts to develop their skills. There are leagues and large-scale competitions devoted to it. Members of the Army’s burgeoning Cyber Mission Force, in fact, recently staged a CTF game as part of their training.

For DARPA’s competition, teams built and programmed high-performance computers to play the game, in which the machines had to reverse-engineer software created for the contest and find and fix weaknesses hidden within. And because it was the first CTF event played solely by machines, it was conducted at a speed that human-controlled computers can’t match. A typical CTF tournament might involve participants analyzing 10 pieces of software over the course of 48 hours; in DARPA’s qualifier, the machines examined 131 pieces of software and had to do it in 24 hours, DARPA said. In total, the teams fixed all 590 software flaws the contest developers knew about.

“The results bode well for an exciting competition next year and confirm the value of using a grand challenge format,” Walker said. “With no clear best approach going in, we can explore multiple approaches and improve the chances of producing groundbreaking improvements in cybersecurity technology.”

Three of the qualifying finalists took part under a funded track, with support from DARPA. They are:

CodeJitsu of Berkeley, Calif., affiliated with the University of California, Berkeley.

ForAllSecure of Pittsburgh, a startup founded by computer security researchers from Carnegie Mellon University.

TECHx of Charlottesville, Va., software analysts from GrammaTech, Inc. and the University of Virginia.

Four finalists emerged from the open, or self-funded, track:

CSDS of Moscow, Idaho, a professor and post-doctoral researcher from the University of Idaho.

DeepRed of Arlington, Va., engineers from Raytheon.

disekt of Athens, Ga., four people, working out of a technology incubator, who participate in CTF competitions around the world.

Shellphish of Santa Barbara, Calif., computer science graduate students at the University of California, Santa Barbara.