Cybersecurity: Automate cyber defense with AI reasoning?

Is it possible to automate cyber defense with machines that discover, confirm, and fix software flaws in real time? The U.S. Defense Advanced Research Projects Agency (DARPA) hopes so. To find out, it is hosting the final competition of its Cyber Grand Challenge (CGC) in August 2016 in Las Vegas, Nevada, in conjunction with DEF CON, home of the longest-running attack/defend Capture the Flag competition for elite hackers.

CGC will challenge fully automated high-performance systems to reverse engineer unknown software, locate weaknesses, search for deeply hidden flaws, and then create securely patched replacement code in a live network competition.

With no clear best approach at the outset, DARPA chose a “Grand Challenge” format for the contest to explore multiple approaches and improve the odds of innovative advances in cybersecurity.

Seven teams (CodeJitsu, ForAllSecure, TECHx, CSDS, DeepRed, disekt, and Shellphish) will field their souped-up systems in the final. The winning team will walk away with $2 million, second place earns $1 million, and third place nets $750,000.

Just as IBM’s Deep Blue supercomputer defeated the reigning world chess champion in 1997, “DARPA’s CGC aims to make a computer the best hacker in the world,” says Mike Walker, program manager, DARPA’s Information Innovation Office.

With the constant onslaught of malicious attacks, an automation revolution in computer security can improve defense by “discovering, confirming, and fixing software flaws within seconds—rather than waiting a year, on average, under the current human-centric system,” Walker says. “A computer could scour the trillions of lines of code we depend on and fix the toughest flaws. We want to upend the economics of computer security and level the playing field between attackers and defenders. With CGC, automated systems may take the first steps toward enabling a defensible connected future.”

What are autonomous “reasoning systems”? They are hacking systems designed “to analyze software, detect and patch vulnerabilities, and counterattack adversaries—with zero human involvement,” explains Mike Stevenson, mission manager, Centers of Innovation. DeepRed, Raytheon’s team in the CGC, is named with a nod to the company’s red logo and to Deep Blue.

CGC is literally a hands-off event. “Once the game begins, all we can do is watch how our system performs against the other competitors,” Stevenson adds.

A key requirement, then, is that these systems can reason about software. “It must understand what it means for a program to be either secure or insecure,” points out Stevenson. “We’re developing a system that answers the question: What was the software designed to do vs. what does it actually do?”

Autonomous systems are attractive because they sidestep the limitations of human defenders. “Unlike people, machines are always on, working, and looking for attackers,” Stevenson says. “And automated solutions scale more effectively than their human counterparts. With the Internet of Things (IoT), an exponential increase in the number of devices coming onto the network will make it impossible for humans to defend every configuration. Automation is the best way to defend a system with potentially thousands of sensors and devices.”

Artificial intelligence (AI) plays a central role in these systems. “We’ve applied AI techniques for search, reasoning, and decision-making as part of the program analysis function,” Stevenson notes. “And we also use AI for game strategy against our competitors because teams are scored on the speed and effectiveness of their attacks against each other. Strategic decisions on the timing and selection of the attack are critical.”

One of the main CGC challenges, according to Stevenson, is writing programs that understand other programs, rather than programs that perform a single fixed task. “Teaching programs to rapidly scan code to identify bugs and automatically patch them will lead to more secure software,” he adds.
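To make the “designed to do vs. actually does” question and the discover/confirm/patch loop concrete, here is an added example in C; it is not code from the article, from DARPA, or from any CGC team, and every name in it is invented. The target is a hypothetical length-prefixed record parser whose design says “copy at most 64 bytes” but whose code trusts the length byte. A small bounds-checking copy routine stands in for the memory-safety instrumentation a real system would get from a sanitizer or an emulator, so the flaw is reported rather than actually corrupting memory. A deterministic fuzzer discovers an input that trips it (a proof of vulnerability), the same input confirms the flaw on replay, and a patched parser is checked both to reject the PoV and to still accept a maximum-size valid record.

```c
/* Added example: toy discover -> confirm -> fix loop on an invented
 * parser. Not from the article or any CGC competitor. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* designed maximum payload size (assumed) */

/* Counts bounds violations; stands in for a sanitizer's crash report. */
static int g_overflow_reports = 0;

/* Instrumented copy: refuses to overflow and records the attempt, so the
 * harness can observe the bug without undefined behaviour. */
static int checked_copy(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t n) {
    if (n > dst_cap) { g_overflow_reports++; return -1; }
    memcpy(dst, src, n);
    return 0;
}

/* Record layout (assumed): [len:1 byte][payload:len bytes].
 * Designed behaviour: copy at most FIELD_MAX payload bytes into out.
 * Actual behaviour: trusts len, so len > FIELD_MAX overflows out. */
int parse_record_vuln(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (rec_len < 1 + len) return -1;           /* truncated record */
    return checked_copy(out, FIELD_MAX, rec + 1, len);  /* the flaw */
}

/* Patched replacement: enforce the designed bound before copying. */
int parse_record_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len > FIELD_MAX) return -1;             /* the added check */
    if (rec_len < 1 + len) return -1;
    return checked_copy(out, FIELD_MAX, rec + 1, len);
}

/* Small LCG so the fuzz run is reproducible offline (no real RNG). */
static uint32_t rng_state = 0x1234567u;
static uint32_t rng_next(void) {
    rng_state = rng_state * 1664525u + 1013904223u;
    return rng_state >> 8;
}

typedef int (*parser_fn)(const uint8_t *, size_t, uint8_t *);

/* Discover: mutate the length byte, run the target, keep the first input
 * that makes the instrumentation fire. Returns the PoV length or -1. */
int fuzz_for_pov(parser_fn target, unsigned iterations,
                 uint8_t *pov, size_t *pov_len) {
    uint8_t rec[256];          /* 1 length byte + up to 255 payload bytes */
    uint8_t out[FIELD_MAX];
    for (unsigned i = 0; i < iterations; i++) {
        uint8_t len = (uint8_t)(rng_next() % 256);
        rec[0] = len;
        memset(rec + 1, 'A', len);
        int before = g_overflow_reports;
        target(rec, 1 + (size_t)len, out);
        if (g_overflow_reports > before) {
            memcpy(pov, rec, 1 + (size_t)len);
            *pov_len = 1 + (size_t)len;
            return (int)len;
        }
    }
    return -1;
}

/* Confirm: replay a PoV against a parser; 1 if the instrumentation fires.
 * Used to confirm the flaw and, with the patched parser, to verify the fix. */
int pov_triggers(parser_fn target, const uint8_t *pov, size_t pov_len) {
    uint8_t out[FIELD_MAX];
    int before = g_overflow_reports;
    target(pov, pov_len, out);
    return g_overflow_reports > before;
}

/* Whole loop: 1 if a PoV is found, reproduces on the vulnerable parser,
 * does not reproduce on the patched one, and the patch keeps valid
 * maximum-size records working. */
int discover_confirm_fix(void) {
    uint8_t pov[256], out[FIELD_MAX], good[1 + FIELD_MAX];
    size_t pov_len = 0;
    rng_state = 0x1234567u;
    if (fuzz_for_pov(parse_record_vuln, 1000, pov, &pov_len) < 0) return 0;
    if (!pov_triggers(parse_record_vuln, pov, pov_len)) return 0;
    if (pov_triggers(parse_record_fixed, pov, pov_len)) return 0;
    good[0] = FIELD_MAX;                         /* constructed valid record */
    memset(good + 1, 'B', FIELD_MAX);
    return parse_record_fixed(good, sizeof good, out) == 0;
}

int main(void) {
    puts(discover_confirm_fix() ? "PoV found, patch verified" : "no result");
    return 0;
}
```

The loop is deliberately the simplest thing that exercises all three steps; a CGC-class system replaces the length-byte mutator with symbolic execution and coverage-guided fuzzing, replaces the checked copy with instrumentation of an unknown binary, and has to synthesize the patch instead of having it written by hand.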

As a measure of current capability, machines in the CGC qualifying event worked through 131 pieces of software within 24 hours. “Some teams’ systems secured single pieces of software in less than an hour,” says Walker.

Today, the technology is intended to protect systems—to reduce opportunities for criminals to identify, exploit, or weaponize vulnerabilities within a defender’s system.

The technology offers the U.S. military “increased resiliency to safely and quickly bring up assets that have been attacked,” Stevenson says. “Using techniques and technologies developed for CGC will give them new capabilities to autonomously isolate malicious software, identify vulnerabilities, automatically patch, and safely restore services.”

A timeline for deploying the technology is hard to predict, because much development work remains. “Real-world malware is much larger and more complex,” Stevenson explains.

But anyone who watches the CGC finals may well “witness a ‘Kitty Hawk’ moment as the contestants lay a foundation for machine-based cybersecurity solutions,” Walker notes.