
Resistance is futile: DARPA’s competition to automate security

At the DEF CON hacker conference in Las Vegas this week, the US Defense Advanced Research Projects Agency (DARPA)’s much-anticipated event, the “world’s first all-machine hacking tournament,” finally took place.

Over the last few years, seven teams each built their own “Cyber Reasoning System” (CRS): an automated system that sniffs out security issues in software, learning as it goes, and fixes the problems it finds, too.

Each team’s CRS competed during a 12-hour capture-the-flag event. It was assessed on how well it performed against specific challenges: finding flaws and fixing them, while making sure the fixes didn’t fundamentally change the software’s functionality or performance.

Born from faculty and alumni of Carnegie Mellon University, ForAllSecure were the overall winners of the tournament. The team netted the $2m Grand Prize with their CRS, named “Mayhem”.

DARPA wants to speed up several components of security research, such as finding vulnerabilities and creating and applying patches, by using machine learning to have computers do this work automatically, and far faster than humans can.

The reason DARPA wants to take these tasks out of human hands is that we just can’t keep up with all the security flaws and related maintenance and mitigation tasks.

As we’ve previously noted here on Naked Security, one of the reasons the idea of automated security is so powerful is that defenders have to try to lock down all possible attack vectors, while an attacker only needs one success.

“Our best data tell us that that hole will work for about a year before it’s discovered by defenders… You want computers to be able to defend themselves, and it’s going to change the balance of power between attackers and defenders.”

DARPA program manager Mike Walker, speaking to 60 Minutes

Given how long it can take for an attack on an organization’s systems to even be noticed, let alone fixed, if defenders have automated machine-learning arsenals on their side, the fight becomes that bit fairer.

The implications of the success of the CRS tournament are indeed wide-ranging. Securing the software that runs our electrical and water infrastructure with CRS testing could help keep these sensitive systems locked down. And the rampant security lapses we see in consumer IoT devices could be significantly reduced if the devices were tested and fixed by automated CRS testing.

The CRS shown at the DARPA tournament are powerful proofs of a concept that could change the face of security as we know it. But no one’s in danger of losing their information security careers to the robot overlords just yet.

It may not be too far away, though; after all, there are already services to automate blog writing.
