The multimillion-dollar challenge is attempting to harness artificial intelligence to deliver significant gains in cybersecurity.
LAS VEGAS — The Pentagon is one step closer to building autonomous systems that can find and fix vulnerabilities in the world’s digital underpinnings, and all it took was a few million dollars and a contest with some of the best and brightest at hacker summer camp.
At this weekend’s DEF CON conference, the Defense Advanced Research Projects Agency convened 90 teams and asked them to build autonomous agents to probe open-source code bases, find vulnerabilities and automatically fix them. Building technology capable of doing so represents a white whale of AI development: a highly difficult-to-achieve technological breakthrough that could deliver massive gains in cybersecurity.
Whether the participants in the Artificial Intelligence Cyber Challenge will actually be able to build that tool remains unclear, but this weekend’s competition delivered positive signs that recent innovations in AI might enable such a breakthrough.
In the end, the 90 contenders were able to find 22 unique vulnerabilities in major open-source programs like the Linux kernel, automatically patching 15. One team delivered an even more surprising result, finding a new vulnerability in one of the most popular open-source programs out there. Team Atlanta’s project Atlantis found a previously undiscovered vulnerability in the database program SQLite, one of the most widely used database libraries in the world.
“The thesis of the challenge is that artificial intelligence can have a major effect. It very well may be a progressive extra to existing project investigation techniques for finding and fixing vulnerabilities,” Perri Adams, the special assistant to the director at DARPA who oversaw the competition, said Sunday.
Launched last year at DEF CON, the two-year contest advanced seven teams to the final round, in which they’ll be tasked with creating artificial intelligence-enabled tools that can automatically find vulnerabilities and patch them.
As things stand, there are more bugs in critical systems than there are people who can find and fix them. The Pentagon is betting that AI-enabled tools can find and fix those vulnerabilities and ease this resource constraint.
The seven semifinalist teams — 42-b3yond-6ug, all_you_need_is_a_fuzzing_brain, Lacrosse, Shellphish, Team Atlanta, Theori, and Trail of Bits — won $2 million in prize money. Microsoft, Google, Anthropic, and OpenAI provided the models for the contest. The finalists have until next year to build out their AI systems before the final competition at next year’s DEF CON. The competition will award a total of $29.5 million in prize money.
One of the semifinalists, Trail of Bits, was among the winners of an earlier DARPA challenge considered a predecessor, the Cyber Grand Challenge, back in 2016, which also pursued automated vulnerability fixing.
“There’s simply a lot of code to glance through, and too complex to process in order to find all the vulnerabilities that are spread out,” said Dan Guido, the CEO and founder of Trail of Bits, a cybersecurity firm. “AI is an opportunity that might help assist us in finding and fixing security issues that are now pervasive and expanding in number.”
The competition challenges focused on well-known open-source programs like the Linux kernel, the database engine SQLite, and the Java-based automation server Jenkins, among others. Those programs were seeded with vulnerabilities for the contestants to find.
“This isn’t like a hackathon. This is certainly not a chivalrous exertion by a solitary individual. This is a truly complicated challenge with loads of moving parts and it requires a lot of work to assemble accurately,” Guido said.
Using artificial intelligence to tackle the vulnerability problem comes with a few benefits, Guido said. The teams needed to build a cyber-reasoning system that used existing programs to analyze and find the vulnerabilities in millions of lines of code.
The challenge also requires producing a “proof of vulnerability,” which ensures that the identified vulnerability is genuine and not a hallucination produced by a probabilistic program.
There are a few other difficulties too, Guido said. Convincing the AI to find vulnerabilities in the first place can be problematic, as there are ethical constraints built into the models given to the teams.
Another challenge is giving the AI program enough autonomy to run without needing human intervention and without causing a global disaster through a faulty fix.
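The two gates described above, a proof of vulnerability that actually reproduces the fault and a patch that removes it without breaking the program, can be modelled in a few lines. The following is an added example and is not code from AIxCC, DARPA or any competing team: the record parser (`parse_record_buggy`, `parse_record_fixed`), the candidate findings and the functional tests are all constructed here for illustration, and an uncaught `IndexError` stands in for the sanitizer crash a real harness would look for.

```python
"""Added example (not AIxCC or team code): the two checks a cyber-reasoning
system's output must pass before a finding or a patch is trusted.

1. verify_povs   -- keep a finding only if its proof-of-vulnerability input
                    really triggers a fault; hallucinated findings are dropped.
2. validate_patch-- accept a patch only if every confirmed PoV stops faulting
                    AND the program still passes its functional tests.
"""
from dataclasses import dataclass
from typing import Callable, List

Target = Callable[[bytes], bytes]


# Constructed target: records look like b"<len>:<payload>".  The buggy
# version trusts the declared length and reads past the payload (a model of
# an out-of-bounds read; in Python the over-read surfaces as IndexError).
def parse_record_buggy(data: bytes) -> bytes:
    head, _, body = data.partition(b":")
    n = int(head)
    out = bytearray(n)
    for i in range(n):
        out[i] = body[i]          # faults when n > len(body)
    return bytes(out)


# Candidate patch that bounds-checks the declared length before copying.
def parse_record_fixed(data: bytes) -> bytes:
    head, _, body = data.partition(b":")
    n = int(head)
    if n < 0 or n > len(body):
        raise ValueError("declared length exceeds payload")
    out = bytearray(n)
    for i in range(n):
        out[i] = body[i]
    return bytes(out)


# A "patch" that silences the crash by breaking the parser entirely.
def parse_record_broken(data: bytes) -> bytes:
    return b""


@dataclass
class Finding:
    description: str
    pov_input: bytes              # input the analysis claims triggers the bug


def reproduces(target: Target, pov: bytes) -> bool:
    """A PoV counts only if running it actually faults.  A clean rejection
    (ValueError) is correct behaviour, not a vulnerability."""
    try:
        target(pov)
    except IndexError:
        return True
    except ValueError:
        return False
    return False


def verify_povs(target: Target, findings: List[Finding]) -> List[Finding]:
    """Filter a probabilistic tool's findings down to the ones that reproduce."""
    return [f for f in findings if reproduces(target, f.pov_input)]


# Constructed functional tests: behaviour the patch must preserve.
FUNCTIONAL_TESTS = [(b"5:hello", b"hello"), (b"0:", b""), (b"3:abcdef", b"abc")]


def validate_patch(patched: Target, confirmed: List[Finding]) -> bool:
    """Reject the patch if any confirmed PoV still faults, or if the patched
    program no longer produces the expected output on known-good input."""
    if any(reproduces(patched, f.pov_input) for f in confirmed):
        return False
    for inp, expected in FUNCTIONAL_TESTS:
        try:
            if patched(inp) != expected:
                return False
        except Exception:
            return False
    return True


# Constructed candidate findings: one genuine, one hallucinated.
CANDIDATES = [
    Finding("over-read when declared length exceeds payload", b"8:abc"),
    Finding("claimed over-read (does not actually fault)", b"3:abc"),
]

if __name__ == "__main__":
    confirmed = verify_povs(parse_record_buggy, CANDIDATES)
    print("confirmed:", [f.description for f in confirmed])
    print("good patch accepted:", validate_patch(parse_record_fixed, confirmed))
    print("broken patch accepted:", validate_patch(parse_record_broken, confirmed))
```

The second check is the one that guards against the "global disaster through a faulty fix" problem: a patch that merely stops the crash (here, `parse_record_broken`) is rejected because it fails the functional tests, while the bounds-checked version is accepted.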
Challenge organizers hope that the tools built by competitors can be applied to open-source software libraries, and technology created during the competition will be released as open-source projects at next year’s DEF CON.
“We’re hoping this is going to result in the reduction in vulnerabilities to delivered products. There are a lot of widely adopted programs and we want those to be extremely secure and hard to break into,” said David Wheeler, the director of open source supply chain security at the Open Source Security Foundation. “Even simply releasing [the code] can be a helpful way to improve these products.”
Addressing open-source security has become a significant priority of the Biden administration. On Friday, the Office of the National Cyber Director released a report containing summaries of recommendations from the security community about how to improve open-source security. The Department of Homeland Security is also opening an office that will study vulnerabilities in open-source programs that are found in critical infrastructure, like energy and water.