DARPA Contest to Pay $2M for Automated Network Defense, Patching

DARPA announced the Cyber Grand Challenge, a $2M competition for the development of an automated network defense system that not only scans for and identifies vulnerabilities, but patches them on the fly.

The bug bounty continues to be turned on its ear.

Microsoft began the wave of paying premium money for mitigation technologies via its Blue Hat prizes, and now DARPA has gone all-in to the tune of $2 million for the development of an automated network defense system that not only scans for and identifies vulnerabilities, but patches them on the fly.

The Cyber Grand Challenge was announced today, and DARPA officials said they plan to hold qualifying events where teams of experts would compete for a spot in the final competition, to be held in 2016.

“Today, our time to patch a newly discovered security flaw is measured in days,” said Mike Walker, DARPA program manager. “Through automatic recognition and remediation of software flaws, the term for a new cyberattack may change from zero-day to zero-second.”

Competitors will be tasked with building an unmanned system that will go up against other similar systems looking for, and patching, critical vulnerabilities.

“The growth trends we’ve seen in cyberattacks and malware point to a future where automation must be developed to assist IT security analysts,” said Dan Kaufman, DARPA’s Information Innovation Office director.

The competition is expected to be carried out in stages, starting with qualifying events where teams of security and networking experts specializing in reverse engineering and program analysis would build systems that automatically analyze a software package for vulnerabilities. Teams that automatically identify, analyze and patch the bug in question would move on to the final, DARPA said in a statement.

DARPA will score entries on how well systems protect hosts, identify flaws and keep software running. First prize is $2 million, with the runners-up getting $1 million and third place receiving $750,000.

“Competitors can choose one of two routes: an unfunded track in which anyone capable of fielding a capable system can participate, and a funded track in which DARPA awards contracts to organizations presenting the most compelling proposals,” DARPA said in a statement.

The competition, DARPA said, emerged out of the continued failures of signature-based defenses, as well as static analysis, fuzzing, data flow tracking and more.

“A competitor will improve and combine these semiautomated technologies into an unmanned cyber reasoning system that can autonomously reason about novel program flaws, prove the existence of flaws in networked applications and formulate effective defenses,” DARPA said in its broad agency announcement. “Human analysts develop these signatures through a process of reasoning about software. In fully autonomous defense, a cyber system capable of reasoning about software will create its own knowledge, autonomously emitting and using knowledge quanta such as vulnerability scanner signatures, intrusion detection signatures, and security patches.”

  • Rotimi Aluko on

    Excellent idea. An artificial intelligence methodology framework is needed; a defense mechanism that can react instantly to an ongoing or potential attack is the answer to the rapidly growing attacks. To actively secure your environment, one needs a solution that is reactive and preventive at the same time.
  • FDunn on

    2 Million$...REALLY??!! Heck if someone had something like that to sell it would be worth FAR more than that!
  • Pierre on

    As every patch management person knows, often pushing patches breaks things. Automated processes will automatically break stuff. And the best part? What if the scanning/patching program finds multiple patches that are required? Multiple patches make it hard to find what broke things. Then you always have the exemptions. The Java patch/update that needs to be done, however cannot because some particular vendor demands an old version. Not that I care
  • rotimi aluko on

    @Pierre, yes, absolutely, patching without testing could add another risk. In a well-established technology environment, a sandbox is available for critical servers or technology that can mitigate issues that could arise from patches and more.