‘Mayhem’ wins $2M first prize in DARPA Cyber Grand Challenge

Autonomous programs slug it out in first computer-on-computer Capture the Flag competition

Cyber-reasoning platform Mayhem pulled down the $2 million first prize in a DARPA-sponsored Cyber Grand Challenge competition that pitted entrants against each other in the classic hacking game Capture the Flag, never before played by programs running on supercomputers.

A team from Carnegie Mellon University spin-out All Secure entered Mayhem against six other programs in the competition, which was played in front of thousands in the ballroom of the Paris hotel in Las Vegas. Most of the spectators were in town for the DEF CON hacker conference starting Friday at the same site.


In addition to the cash, the All Secure team gets to enter Mayhem in the DEF CON Capture the Flag competition for human teams, although it is not expected to do well. While computers can outpace humans in performing mundane tasks, people are still thought to have the edge in strategy and intuition.

The DARPA event was sportscast live by a team of hacking experts who provided commentary over the 96 rounds of competition as they reviewed what actions the teams had taken against each other and what bugs they had discovered during each round.

How the Machines Discovered Bugs

The competition was remarkable in that each program, built on a cyber-reasoning engine, could discover bugs in never-before-seen code supplied by the DARPA organizers and then create patches for them on the fly.

All the programs ran on their own, without human intervention. The teams that created them sat by in a cordoned-off area, basically spectators observing their bots doing battle.

Artificial intelligence, which learns as it goes along, was not in play here. Rather the competing programs were applying preset policies about how to analyze and respond to characteristics of the code they found.

In second place, winning $1M, was Xandra from GrammaTech in Ithaca, N.Y. and the University of Virginia, and the third place prize of $750,000 went to Mech.Phish from a team from the University of California at Santa Barbara.

The programs could score points three ways.

Security: They had to protect their own servers by finding vulnerabilities and successfully defending them by creating patches.

Availability: At the same time, they had to keep a set of tasks on their servers up and running well.

Evaluation: Finally, they scanned opponents’ servers to find vulnerabilities.

[Photo: DARPA-sponsored Capture the Flag competition at the Paris in Las Vegas. Credit: Tim Greene/NetworkWorld]

Surprisingly, Mayhem managed to win the competition despite being entirely disabled through most of the final 30 rounds. That is not uncommon in Capture the Flag competitions, where sometimes the best game strategy is to do nothing while others struggle with problems of their own.

During the competition, an entrant dubbed Rubeus (created by a team from Raytheon) was slowed down after issuing a patch for a flaw found by a competitor. The patch apparently sucked up so much CPU that it affected the performance of other services being run on the server.

Later, Rubeus’s logic apparently decided that it was better to remove the patch and remain vulnerable than to do poorly in its availability score.

Organizers spared no expense, with a dozen or so large-screen displays showing the coverage supplied by experts at an anchor desk and a reporter in the pit talking to the teams behind the programs that were competing.

The supercomputers were lit with colored light on a stage at one end of the room. They were isolated from the outside world except for power cables and supercooled water to keep them from overheating.

In order for officials to monitor what they were up to, their activity was recorded to disks that were lifted out by a mechanical robot to be placed in separate computers for reading – creating an air gap from the outside world.

Other competitors were Team CSDS, with just two members from the University of Idaho and a platform named Jima; CRSPY from a team in Athens, Ga.; and Galactica from a group based in Berkeley, Calif., Syracuse, N.Y., and Lausanne, Switzerland.
