University of Virginia computer scientists are at the forefront of cybersecurity.
Four U.Va. computer scientists from the School of Engineering and Applied Science are on one of seven finalist teams that will compete in a $4 million cyber security competition sponsored by the Defense Advanced Research Projects Agency, which looks for breakthrough technologies that can be used in national defense. The final competition will be held in August 2016 in Las Vegas, in conjunction with DEF CON, the world’s largest annual hacker convention.
The U.Va. contingent – computer science professor Jack Davidson, research scientist Michele Co and senior scientists Jason Hiser and Anh Nguyen-Tuong – partnered with software analysis experts from GrammaTech Inc. of Ithaca, New York, a developer of software assurance tools and advanced cybersecurity solutions, to build a fully automatic system to thwart cyber attacks.
In the first round of the competition, the competitors had to build a supercomputer that could rapidly analyze software, identify security holes in the software and then patch these holes, all without human intervention.
In the final round, each team will attempt to breach other competitors’ defenses.
“We will be attacking each other,” said Davidson, principal researcher of the U.Va. team. “What better way to evaluate cyber defenses than having the foremost cybersecurity teams attack your defenses? As competitors, we have incentive to be innovative and work incredibly hard.”
Swarms of malicious programs are constantly seeking to take advantage of network vulnerabilities. Computers can detect the hacking attempts, but cyber defense today still ultimately depends on human experts to patch those weaknesses and stymie new attacks – a process that can take months or longer, by which time critical systems may have been breached. The Cyber Grand Challenge is a first-of-its-kind tournament designed to speed the development of automated security systems, able to defend against cyber-attacks as fast as they are launched.
Of the 104 international teams that originally registered in 2014, 28 survived two DARPA-sponsored dry runs and made it into June’s qualifying event. In that contest, teams tested the high-performance computers they had built and programmed in a round of “capture the flag,” a game experts use to test their cyber defense skills. These games require competitors to reverse-engineer software created by contest organizers and locate and heal its hidden weaknesses in networked competition.
Davidson said his team had been working on cyber security since 2001, receiving research contracts from agencies such the Department of Defense and the Intelligence Advanced Research Projects Agency. The U.Va. team and GrammaTech had just completed a project for the latter agency when the DARPA competition was announced.
“We approached one another about entering the competition,” said Co, a research scientist in the Department of Computer Science, about working again with GrammaTech. “We had done projects before and we enjoyed working together, so it was natural we team up.”
Davidson said being among the seven finalists will open commercial opportunities for GrammaTech and create research possibilities for the University.
“This puts the University of Virginia with an elite group in cybersecurity,” said Kevin Skadron, chair of the Department of Computer Science.
DARPA believes the final round of competitors brings diversity and a new approach to the cybersecurity field.
“After two years of asking ‘What if?’ and challenging teams around the world with a very difficult series of preliminary events, we’ve shown that there is a place for computers in an adversarial contest of the mind that until now has belonged solely to human experts,” said Mike Walker, DARPA program manager. “As we had hoped when we launched this competition, the winning teams reflect a broad array of communities – academic pioneers of the field, security industry powerhouses and veterans of the [Capture the Flag] circuit, each of which brings to [the Cyber Grand Challenge] its own strengths.”
Each qualifying team will receive $750,000 to help them prepare for the final competition. They will have the opportunity to access a specialized IT infrastructure, a “digital arena” in which they can practice and refine their systems against dummy opponents that DARPA is providing. For its part, DARPA is developing custom data visualization technology to make it easy for spectators – both a live audience and anyone watching the event’s video stream worldwide – to follow the action in real time during the final contest next year.
The winning team will receive $2 million. Second place will earn $1 million; third place, $750,000. More important to Walker than the prize money, however, is igniting the cybersecurity community’s belief that automated cybersecurity analysis and remediation are finally within reach.
“We want an automation revolution in computer security so machines can discover, confirm and fix software flaws within seconds, instead of waiting up to a year under the current human-centric system,” he said. “These capabilities are essential for protecting data and processes as more and more devices, including vehicles and homes, get networked in the ‘Internet of Things.’”