PORTLAND, Ore. -- The Cyber Grand Challenge, announced this week by the Defense Advanced Research Projects Agency (DARPA), is a three-year program offering a $2 million prize to the programming team that can create the best automated cyberspace sentries to spot and neutralize security intrusions in real time.
Today, cyber security intrusions are always detected after the fact, often taking days or even weeks to patch with code that neutralizes the threat, thus "closing the barn door after the cows have gotten out," since by then the attackers have already made off with their bounty. Darpa's aim is to stimulate the programming community to discover new techniques for identifying threats as they happen, preventing the data losses in the first place.
"The Grand Challenge will be pushing the envelope on automation," said John Pescatore, director of emerging security trends at SANS Institute in Bethesda, Md., who warns that self-protecting systems have been tried before, and failed:
Self-protecting or self-healing systems -- or other host-based intrusion prevention techniques -- sound good and work well in the lab, but when deployed invariably fail. However, Darpa has set up more realistic tests with "challenge binaries" operating on network hosts that the competitors have to remotely scan/analyze and then either have some form of automated patch creation, or use some form of network defense to block attempts to exploit the vulnerabilities found, and that sounds promising.
Darpa will for the first time pit automated systems against each other in a real-time "Capture the Flag" tournament.
To realize its goal of automated cyber security, Darpa envisions a "Capture the Flag" tournament style, which it claims for the first time will pit automated systems against each other in a real-time search-and-destroy scenario on a network built especially for the competition. The initial competition, to take place in 2015, will require automated systems to identify vulnerabilities in various segments of software code then generate security patches.
The winners of the initial contest will then be invited to the final event in 2016 where automated systems will first identify software flaws, as before, then scan a network to identify affected hosts and patch their vulnerabilities to protect them in real time. The first place winner will receive $2 million in cash, with second place getting $1 million and third place $750,000.
A Broad Agency Announcement (BAA) supplies specific information for potential competitors who can choose from two tracks -- an unfunded track in which any capable programming team can compete, and a funded track where contestants can make proposals for award contracts from Darpa. A second BAA will also be issued in 2014 soliciting proposals for technologies to support the competition including a real-time visualization system for the cyber competitions.
Competing teams are expected to draw on a wide swath of the programming community, including experts in reverse engineering, program analysis, and formal methodologies. Darpa will host two Challengers Days -- one on each coast -- which interested competitors can attend in 2014 to learn about the event. Darpa has also created an online forum for team members to share ideas from their respective disciplines. For more information, visit the Cyber Grand Challenge website.