For nearly three hours Thursday night, cyber attacks shot like precision-guided missiles into software built by a team of computer scientists from the University of Virginia and GrammaTech, an Ithaca, NY-based cybersecurity firm.
Over and over, the computerized attackers scoured for vulnerabilities during a first-of-its-kind Cyber Grand Challenge competition, hosted by the Defense Advanced Research Projects Agency. And over and over, UVA’s and GrammaTech’s automated system, called Xandra, detected and closed security holes, even earning a cheer from the watching crowd when it found one security problem that DARPA programmers didn’t even know existed.
When the attacks finally ended after the competition’s 96 rounds, Xandra had outperformed most of its challengers, earning UVA and GrammaTech’s TechX Team a $1 million second-place prize. The first-place team, ForAllSecure, a start-up that originated at Carnegie Mellon University in Pennsylvania, won $2 million for its Mayhem cybersecurity system.
“It’s still sinking in, but we are elated,” said Jack Davidson, a computer science professor at the UVA School of Engineering and Applied Science who helped lead Team TechX, along with with Will Hawkins, a computer science Ph.D. student, and Derek Morris, who graduated from the Computer Science Department in May. (Click here to watch a video about the team’s work.)
“This challenge has demonstrated that it is possible to develop fully autonomous machines that find and patch security vulnerabilities, and now research will accelerate,” Davidson said. “Hopefully in five or six years, systems like this will be proactively protecting our networks and critical systems. I definitely see it coming. And it’s exciting to be part of that.”
DARPA searches for breakthrough technologies that bolster national defense. Swarms of malicious programs are constantly seeking to take advantage of network vulnerabilities. Computers can detect the hacking attempts, but cyber defense today still ultimately depends on human experts to patch those weaknesses and stymie new attacks. That process that can take months or longer, by which time critical systems may have been breached.
The Cyber Grand Challenge was a unique contest of machines hacking each other and defending themselves against attacks, without human participation. The tournament was designed to speed the development of automated security systems, able to defend against cyber attacks as fast as they are launched.
More than 100 international teams registered for the challenge in 2014. The UVA-led team developed its system and survived initial rounds to become one of seven finalists for the final Aug. 4 competition in Las Vegas.
When the competition began, the tension was intense, Davidson said.
“When I was a little boy, I watched the Mercury and Gemini and Apollo space missions, and this must be similar to what those NASA guys felt,” he said. “You spend two years developing these machines, and then you hit a button, and it’s like, ‘Is this thing going to work?’”
When the signals began to come back that Xandra was up and running and defending itself well, Davidson said, “We were just so excited – ‘Yes, it’s playing, it’s doing what it’s designed to do.’”
Now that the challenge is over, Team TechX will evaluate all of the data from the competition to determine where Xandra performed well and where improvements need to be made.
Davidson has been involved in cybersecurity research for many years, and he now is leading a $5.9 million DARPA cybersecurity grant aimed at protecting mission-critical military systems from attacks.
“We’ve got a long way to go,” Davidson said, “but we’ve shown what’s possible.”
Such innovations also could have implications for protecting a society that is increasingly dependent on what is commonly referred to as the “Internet of things,” networks powering and linking everything from cell phones to healthcare devices to home appliances, as well as major public systems such as power grids, water supplies and emergency services.
Davidson said the team’s success in the DARPA challenge will open commercial opportunities for GrammaTech and create additional research possibilities for the University.
“UVA really has some core capabilities in the area of cyber defense, and this gives visibility to our commitment to making UVA one of the premier institutions for cyber research,” he said.