When it began a year ago, there were 104 teams competing for $4 million in prize money in the Defense Advanced Research Projects Agency (DARPA)’s ambitious tournament -- known as the Cyber Grand Challenge (CGC) -- to see who can build the best fully automatic network defense system.
+More on Network World: NASA’s cool, radical and visionary concepts+
This week DARPA said that after a couple dry runs and a significant qualifying event the field of CGC teams is down to seven who will now compete in the final battle slated to take place at DEFCON in Las Vegas in August 2016.
That is significant because DEFCON is the home of the longest-running annual capture the flag (CTF) cybersecurity game many security gurus use to test their skills, DARPA said. The teams played a version of CTF in the qualifying event to get the finals.
CTF games require competitors to reverse engineer software created by contest organizers and locate and heal its hidden weaknesses in networked competition.
The qualifying event was important for a number of reasons, DARPA stated:
- IT was the first CTF played solely by machines.
- The test operated at a speed and scale at which only machines can compete. For example, most CTF events challenge experts to analyze and secure about 10 pieces of software over 48 hours. The CGC qualifying event demanded that teams’ machines work on 131 pieces of software—more than any previous CTF event—over just 24 hours. Some teams’ systems secured single pieces of software in less than an hour.
- The test resulted in participating teams together fixing all of the 590 flaws in the competition software of which the contest developers were aware.
“After two years of asking ‘What if?’ and challenging teams around the world with a very difficult series of preliminary events, we’ve shown that there is a place for computers in an adversarial contest of the mind that until now has belonged solely to human experts,” said Mike Walker, DARPA program manager in a statement. Each team designed an innovative system that achieves, to varying degrees, the difficult task of finding and fixing software safety problems in the kind of code used everywhere every day.
“With no clear best approach going in, we can explore multiple approaches and improve the chances of producing groundbreaking improvements in cybersecurity technology,” Walker stated.
The seven teams include three that were in part funded by DARPA and four that weren’t. The funded teams include:
- CodeJitsu (Berkeley, Calif.): A team affiliated with the University of California, Berkeley
- ForAllSecure (Pittsburgh, Pa.): A startup founded by a team of computer security researchers from Carnegie Mellon University
- TECHx (Charlottesville, Va.): Software analysis experts from GrammaTech, Inc., a developer of software assurance tools and advanced cybersecurity solutions, and the University of Virginia
The four open-track teams are:
- CSDS (Moscow, Idaho): A professor and post-doctoral researcher from the University of Idaho
- DeepRed (Arlington, Va.): A team of engineers from the Raytheon Company
- disekt (Athens, Ga.): Four people, working out of a technology incubator, who participate in CTF competitions around the world
- Shellphish (Santa Barbara, Calif.): A group of computer science graduate students at the University of California, Santa Barbara
Each team will receive $750,000 to help them prepare over the next 13 months for the CGC final competition. They will have the opportunity to access a specialized IT infrastructure, a “digital arena” in which they can practice and refine their systems against dummy opponents that DARPA is providing. The winning team from the CGC final competition will receive $2 million. Second place will earn $1 million and third place $750,000.
The CGC's goal is to vastly improve the speed and effectiveness of IT security against escalating cyber threats. Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber attack may change from zero-day to zero-second, DARPA stated when it first introduced the CGC in 2013.
In fully autonomous defense, a cyber system capable of reasoning about software will create its own knowledge, autonomously emitting and using knowledge quanta such as vulnerability scanner signatures, intrusion detection signatures, and security patches, DARPA stated.
Check out these other hot stories: