'Mayhem' takes first in DARPA's all-computer hacking challenge

Cybersecurity system from ForAllSecure of Pittsburgh is presumptive winner of Cyber Grand Challenge

In the first head-to-head hacking competition of autonomous computers, a system developed by a team of Pittsburgh-based researchers is the presumptive winner.

Mayhem, a high-performance computer running an autonomous system, beat six other competing machines in the finals of DARPA’s Cyber Grand Challenge in Las Vegas on Thursday.

Mayhem was developed by the ForAllSecure team from Pittsburgh.

Results were still being verified, but the winning team, a startup with roots at Carnegie Mellon University, is set to be awarded the $2 million grand prize today.

forallsecure DARPA

Members of the ForAllSecure team are the presumptive winners of the DARPA-sponsored Cyber Grand Challenge with their computer program called Mayhem.

The winning system also is expected to be invited to compete against the world’s best human hackers at Defcon later today. It would be the first time a machine has played in a tournament at DefCon, long-running hacking conference.

“I’m enormously gratified that we achieved [the Cyber Grand Challenge’s] primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible,” said Mike Walker, DARPA program manager, in a statement. “I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today.”

During the 12-hour "capture the flag" tournament, the teams were scored on how well their systems "protected hosts, scanned the network for vulnerabilities and maintained the correct function of software."

Walker said the challenge has launched a revolution in software security.

“In the same way that the Wright brothers’ first flight -- although it didn’t go very far -- launched a chain of events that quickly made the world a much smaller place, we now have seen for the first time autonomy involving the kind of reasoning that’s required for cyber defense,” he said. “That is a huge advance compared to where the cyber defense world was yesterday.”

In Thursday’s competition, Xandra, a computer system designed by TechX, a team from Ithaca, N.Y. and the University of Virginia, took second place, winning $1 million.

Mechanical Phish, a system designed by team Shellphish from the University of California, Santa Barbara, was the third-place winner and will take home $750,000.

DARPA has been running the cyber challenge since 2013 in an effort to stimulate research into autonomous systems that can be used to protect the computer software that runs in nearly all devices of daily life, including cars, refrigerators, home security systems and coffee makers.

With the Internet of Things steadily growing, more devices are connected to the Internet, requiring even more cybersecurity. Keeping all of that software secure has become an overwhelming scenario for humans acting alone.

The answer, according to DARPA and some researchers, is to combine forces with smart systems.

“I want to make sure that everyone can check the security of the software they’re using,” said David Brumley, CEO of ForAllSecure, in a video interview “I want to make sure that the person who buys a smart refrigerator knows it’s not going to be a new avenue for someone to steal their credit card numbers. That they can install a new app on their phone and they don’t have to worry about it stealing their contacts.”

ForAllSecure’s system uses a two-pronged approach, combining two autonomous systems.

One system generates deep paths in the software searching for flaws. A second system is a fast directed fuzzer, a technique for testing software that can generate proof that a flaw exists and then begin the patching process.

Combining the two autonomous systems is more powerful than either technique is alone, according to ForAllSecure.

“It’s a much faster way of searching through programs than by hand,” said Tyler Nighswander, a software engineer with ForAllSecure. “There is a lot of creativity and almost art in crafting exploits and doing that sort of thing, so the real solution is a two-pronged approach where you have computers and humans working together.”

Brumley, however, doesn’t foresee computers, even autonomous systems, replacing people in all areas of cybersecurity.

“I look at computers freeing us from mundane tasks,” he said. “You always want that human spark of creativity, and that’s something the computer will never have. I look at [the Cyber Grand Challenge] as upping the bar so we can focus more on those abstract concepts, as people, and let the computer worry about the details.”

Join the CSO newsletter!

Error: Please check your email address.

More about indeedMellon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Sharon Gaudin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts