• I2O_title
  • Cyber Grand Challenge (CGC)

    For any given software vulnerability, the lengthy time window from initial bug report to widespread patch deployment puts cybersecurity analysts at a significant disadvantage.  In many cases a race ensues between miscreants intending to exploit the vulnerability and analysts who must assess, remediate, test, and deploy a patch before significant damage can be done. Experts follow a process that involves sophisticated reasoning followed by manual creation of each security signature and software patch — an artisanal approach that can require months and many dollars. This approach has resulted in an environment of ubiquitous software insecurity that favors attackers over defenders.

    For any given software vulnerability, the lengthy time window from initial bug report to widespread patch deployment puts cybersecurity analysts at a significant disadvantage.  In many cases a race ensues between miscreants intending to exploit the vulnerability and analysts who must assess, remediate, test, and deploy a patch before significant damage can be done. Experts follow a process that involves sophisticated reasoning followed by manual creation of each security signature and software patch — an artisanal approach that can require months and many dollars. This approach has resulted in an environment of ubiquitous software insecurity that favors attackers over defenders.

    To help overcome these challenges, DARPA has launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo.

    Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge weren’t initially ready to take to the highways, the first generation of automated network defense systems won’t be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a “league of their own,” allowing them to compete head-to-head to defend a network of bespoke software. DARPA plans to model the contest on today’s elite cybersecurity tournaments.

    The program envisions numerous future benefits, including:

    • Expert-level software security analysis and remediation, at machine speeds on enterprise scales 
    • Establishment of a lasting competition community for automated cyber defense
    • Identification of thought leaders for the future of cybersecurity
    • Creation of a public, high-fidelity recording of real time competition between automatic systems

    Competitors would navigate a series of challenges starting with a qualifying event in which a collection of software is automatically analyzed. Competitors would qualify by identifying, proving, and repairing software flaws. A select group of competitors who display top performance during the qualifying event would be invited to the Cyber Grand Challenge final event, slated for early to mid-2016. Each team’s system would automatically identify software flaws, scanning the network to identify affected hosts. Teams would be scored against each other based on how capably their systems can protect hosts, scan the network for vulnerabilities, and maintain the correct function of software. The winning team would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.

    Realization of this vision will require breakthrough approaches in a variety of disciplines, including applied computer security, program analysis, and data visualization.

    A Broad Agency Announcement (BAA) with specific information for potential competitors is available at http://go.usa.gov/WqcH. Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals. 

    In addition, a second BAA with specific information for potential proposers seeking to develop technologies in support of the competition, for example, challenge sets and integrity development techniques, is available at http://go.usa.gov/KKjk.

    The program also plans to hold two Challengers’ Days—one at DARPA’s offices in Arlington, Va., and the other on the West Coast—where interested competitors can learn more about the event.

  • Images

    Cyber Grand Challenge 

    Click for High-Resolution Image
    Computer security experts from academia, industry and the larger security community have organized themselves into more than 30 teams to compete in DARPA’s Cyber Grand Challenge—a first-of-its-kind tournament designed to speed the development of automated security systems able to defend against cyberattacks as fast as they are launched. DARPA also announced today that it has reached an agreement to hold the 2016 Cyber Grand Challenge final competition in conjunction with DEF CON, one of the largest computer security conferences in the world.

     

Share this page: