UPDATED 17:05 EDT / OCTOBER 29 2013


DARPA is looking to build a hacker-proof future with self-healing software

Imagine software so advanced that it can heal itself when hackers attack, respond to those attacks and even update its own code in real time, without human assistance. The Defense Advanced Research Projects Agency (DARPA), the research wing of the Pentagon, plans to make that happen, and to that end the agency has announced a new “Cyber Grand Challenge” competition with a $2 million prize.

The aim of the competition is to build a “fully automated cyber defense system” that not only scans for and identifies vulnerabilities, but patches them on the fly. DARPA officials plan on holding qualifying events where teams of experts would compete for a spot in the final competition to be held in 2016.

“DARPA’s series of vehicle Grand Challenges were the dawn of the self-driving car revolution,” said Mike Walker, DARPA program manager. “With the Cyber Grand Challenge, we intend a similar revolution for information security. Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber-attack may change from zero-day to zero-second.”

Interested teams have until January 14, 2014 to submit a new technology that can examine and correct a software system without any human intervention. Up to $750,000 in funding will be available for teams that present plausible designs for fixing security flaws in a basket of commercially available software. The first tests will be held in December this year to eliminate weaker candidates. The final competition will be held in early to mid-2016.

The agency expects its “Cyber Grand Challenge” to encourage the development of systems that emulate the reasoning of skilled programmers at the task of finding faulty code. The security industry still bases much of its work on reactive, signature-based analysis of malware.

“The growth trends we’ve seen in cyber attacks and malware point to a future where automation must be developed to assist IT security analysts,” said Dan Kaufman, director of DARPA’s Information Innovation Office, which oversees the Challenge.

DARPA will score entries on how well systems protect hosts, identify flaws and keep software running. First prize is $2 million, with the runner-up getting $1 million and third place receiving $750,000.

“Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals,” DARPA said in a statement.

DARPA also said a competitor will improve and combine these semiautomated technologies into an unmanned cyber reasoning system that can autonomously reason about novel program flaws, prove the existence of flaws in networked applications and formulate effective defenses.

“Human analysts develop these signatures through a process of reasoning about software. In fully autonomous defense, a cyber system capable of reasoning about software will create its own knowledge, autonomously emitting and using knowledge quanta such as vulnerability scanner signatures, intrusion detection signatures, and security patches.”

The US agency is not alone in throwing money at the problem of security flaws in software. Big companies including Microsoft, Google and Facebook offer rewards to hackers who find and help fix security flaws in their software.

HackAngle

In an era of pervasive intrusions by foreign government-sponsored hackers who steal data from the government and the private sector, the manual process is not future-proof. Companies and agencies spend millions of dollars and hours on fixing software flaws and dealing with the real-world ramifications.

The growth trends in cyber-attacks and malware suggest the need for an advanced new generation of fully automated cyber defense systems. The DARPA technology might replace the constant cycle of intrusion, compromise discovery, patch formulation, patch deployment and recovery.

DARPA compared this new competition with an earlier one that stimulated the development of autonomous vehicles for almost a decade. It is true that the previous competition helped spur the auto industry to create autonomous vehicles, including Google’s self-driving cars, but this new challenge could cause some problems for the vulnerability scanning industry.

Large companies that have built a lucrative industry on malware and virus scanning signatures will face a hard time if someone builds a system that can find and fix bugs much faster than the products on the market.

On the other hand, independent security researchers think that such a system would be very difficult to build and would take years to gain the confidence and trust of large businesses.

“Automated patching within seconds? Sounds like a great idea, and I can imagine it working well on the Starship Enterprise,” said security watcher and former Sophos specialist Graham Cluley.

“However, in reality I suspect this would be very difficult to achieve in a way which would win the confidence and trust of large businesses. Good luck to them – but I’m not holding my breath.”

