Aiming to make computer networks and systems self-defending, more than 30 teams will compete in the U.S. government’s first-ever Cyber Grand Challenge, the Defense Advanced Research Project Agency (DARPA) announced on June 3.
The contest will challenge teams to create systems that can detect vulnerabilities in a network and fix them before attackers can exploit the flaws to penetrate the network and their underlying data stores.
Defenders normally need to find flaws, create patches and deploy those software updates to harden their networks against attack. Yet the process takes time. While more than 80 percent of attacks compromise systems in days, less than 20 percent of incidents are detected by defenders in the same amount of time, according to the latest Data Breach Investigations Report released by communications services firm Verizon.
The Cyber Grand Challenge aims to find a solution to that fundamental imbalance between attackers and defenders, Mike Walker, DARPA program manager, said in a statement announcing the contest.
“The only effective approach to defending against today’s ever-increasing volume and diversity of attacks is to shift to fully automated systems capable of discovering and neutralizing attacks instantly,” Walker said.
The Cyber Grand Challenge will take the form of a capture-the-flag event, with an attacker attempting to breach defenders’ networks to grab sensitive data. Unlike other contests run all over the world, however, the CGC will task automated defenses, not human defenders, to repel the attackers. Teams will have to make it through qualifying events to compete in the finals, which will be held at the DEFCON hacking conference in 2016.
The team that wins the challenge will be awarded $2 million, while second- and third-place runner ups will received $1 million and $750,000, respectively.
Since competition breeds innovation, the contest could deliver some interesting new technologies, Michael Sutton, vice president of security research for Zscaler, a cloud-security company, told eWEEK. While companies and academic researchers have created components of self-healing networks and biologically inspired digital immune systems, no one has succeeded in creating a fully automated system.
One major issue is the problem of false positives, labeling legitimate traffic as malicious. Many automated analysis systems have high rates of false positives, sending defenders on wild goose chases to find non-existent threats, he said.
“I will incur the wrath of my customers far more if I prevent them from getting to the Internet than if I miss a vulnerability,” Sutton said.
As part of the infrastructure to support the Cyber Grand Challenge, DARPA released on June 3 a software platform dubbed DECREE, a unique framework on which malicious software samples can be executed without running the risk of infecting other systems. Because the structure of DECREE is unlike other computer systems, software that runs on DECREE will not run on production systems, and so cannot escape into the wild, according to DARPA.