For any given software vulnerability, the lengthy time window from initial bug report to widespread patch deployment puts cybersecurity analysts at a significant disadvantage. In many cases a race ensues between miscreants intending to exploit the vulnerability and analysts who must assess, remediate, test, and deploy a patch before significant damage can be done. Experts follow a process that involves sophisticated reasoning followed by manual creation of each security signature and software patch — an artisanal approach that can require months and many dollars. This approach has resulted in an environment of ubiquitous software insecurity that favors attackers over defenders.
To help overcome these challenges, DARPA has launched the Cyber Grand Challenge: a competition that seeks to create automatic defensive systems capable of reasoning about flaws, formulating patches and deploying them on a network in real time. By acting at machine speed and scale, these technologies may someday overturn today’s attacker-dominated status quo.
Just as the first autonomous ground vehicles fielded during DARPA’s 2004 Grand Challenge weren’t initially ready to take to the highways, the first generation of automated network defense systems won’t be able to meaningfully compete against expert analysts or defend production networks. The Cyber Grand Challenge aims to give these groundbreaking prototypes a “league of their own,” allowing them to compete head-to-head to defend a network of bespoke software. DARPA plans to model the contest on today’s elite cybersecurity tournaments.
The program envisions numerous future benefits, including:
Competitors would navigate a series of challenges starting with a qualifying event in which a collection of software is automatically analyzed. Competitors would qualify by identifying, proving, and repairing software flaws. A select group of competitors who display top performance during the qualifying event would be invited to the Cyber Grand Challenge final event, slated for early to mid-2016. Each team’s system would automatically identify software flaws, scanning the network to identify affected hosts. Teams would be scored against each other based on how capably their systems can protect hosts, scan the network for vulnerabilities, and maintain the correct function of software. The winning team would receive a cash prize of $2 million, with second place earning $1 million and third place taking home $750,000.
Realization of this vision will require breakthrough approaches in a variety of disciplines, including applied computer security, program analysis, and data visualization.
A Broad Agency Announcement (BAA) with specific information for potential competitors is available at http://go.usa.gov/WqcH. Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals.
In addition, a second BAA with specific information for potential proposers seeking to develop technologies in support of the competition, for example, challenge sets and integrity development techniques, is available at
The program also plans to hold two Challengers’ Days—one at DARPA’s offices in Arlington, Va., and the other on the West Coast—where interested competitors can learn more about the event.