DARPA is looking to build a hacker-proof future with self-healing software
Imagine software so advanced that it can heal itself when hackers attack, responding to attacks and even updating its own code in real time, without human assistance. The Defense Advanced Research Projects Agency (DARPA), the scientific wing of the Pentagon, plans to make that happen, and to that end the agency has announced a new “Cyber Grand Challenge” competition with a $2 million prize.
The aim of the competition is to build a “fully automated cyber defense system” that not only scans for and identifies vulnerabilities, but patches them on the fly. DARPA officials plan on holding qualifying events where teams of experts would compete for a spot in the final competition to be held in 2016.
“DARPA’s series of vehicle Grand Challenges were the dawn of the self-driving car revolution,” said Mike Walker, DARPA program manager. “With the Cyber Grand Challenge, we intend a similar revolution for information security. Today, our time to patch a newly discovered security flaw is measured in days. Through automatic recognition and remediation of software flaws, the term for a new cyber-attack may change from zero-day to zero-second.”
Interested teams have until January 14, 2014 to submit a new technology that can examine and correct a software system without any human intervention. Up to $750,000 in funding will be available for teams to present designs that could plausibly fix security flaws in a basket of commercially available software. The first tests will be held in December this year to eliminate weaker candidates. The final competition will be held in early to mid-2016.
The agency expects its “Cyber Grand Challenge” to encourage the development of systems that emulate the reasoning of skilled programmers at the task of finding faulty code. The security industry still bases much of its work on reactive technology, namely the analysis of malware signatures.
“The growth trends we’ve seen in cyber attacks and malware point to a future where automation must be developed to assist IT security analysts,” said Dan Kaufman, director of DARPA’s Information Innovation Office, which oversees the Challenge.
DARPA will score entries on how well systems protect hosts, identify flaws and keep software running. First prize is $2 million, with the runners-up getting $1 million and third place receiving $750,000.
“Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals,” DARPA said in a statement.
DARPA also said a competitor will improve and combine these semiautomated technologies into an unmanned cyber reasoning system that can autonomously reason about novel program flaws, prove the existence of flaws in networked applications and formulate effective defenses.
“Human analysts develop these signatures through a process of reasoning about software. In fully autonomous defense, a cyber system capable of reasoning about software will create its own knowledge, autonomously emitting and using knowledge quanta such as vulnerability scanner signatures, intrusion detection signatures, and security patches.”
The US agency is not alone in throwing money at the issue of security flaws in software. Big companies including Microsoft, Google and Facebook offer rewards to hackers who find and help fix security flaws in their software.
In an era of pervasive intervention by foreign government-sponsored hackers who steal data from the government and the private sector, the manual process is not future-proof. Companies and agencies spend millions of dollars and hours on fixing software flaws and dealing with the real-world ramifications.
The growth trends in cyber-attacks and malware point toward an advanced new generation of fully automated cyber defense systems. The DARPA technology might replace the constant cycle of intrusion, compromise discovery, patch formulation, patch deployment and recovery.
DARPA compared this new competition with an earlier one that stimulated the development of automatic vehicles for almost a decade. It is true that the previous competition helped spur the auto industry to create automatic vehicles, including Google’s self-driving cars, but this new challenge could cause some problems for the vulnerability scanning industry.
Large companies that have built a lucrative industry on malware and virus scanning signatures will face a hard time if someone builds a system that can find and fix bugs much faster than the products on the market.
On the other hand, independent security researchers think that such a system would be very difficult to build and would take years to gain the confidence and trust of large businesses.
“Automated patching within seconds? Sounds like a great idea, and I can imagine it working well on the Starship Enterprise,” said security watcher and former Sophos specialist Graham Cluley.
“However, in reality I suspect this would be very difficult to achieve in a way which would win the confidence and trust of large businesses. Good luck to them – but I’m not holding my breath.”