UVA Computer Scientists Prepare for $4 Million Cybersecurity Challenge

In a few short weeks, University of Virginia computer scientists will find out whether their automated cybersecurity system can compete with some of the best hackers in the world.

Team TechX, which consists of cybersecurity experts from the UVA School of Engineering and Applied Science and partners at GrammaTech, Inc., an Ithaca, NY, developer of software assurance tools and advanced cybersecurity solutions, is one of seven finalist teams that will compete August 4 in a $4 million Cyber Grand Challenge competition sponsored by the Defense Advanced Research Projects Agency. DARPA searches for breakthrough technologies that bolster national defense.

Following the competition, the finalists’ innovations also could have important benefits for protecting a society that is increasingly dependent on what is commonly referred to as the “Internet of things,” networks powering and linking everything from cell phones to healthcare devices to home appliances, as well as major public systems such as power grids, water supplies and emergency services.

The competition will take place in Las Vegas, and winners will be announced August 5. The first-place team will win $2 million. Second place will earn $1 million; third place, $750,000.

The UVA/GrammaTech contingent, which includes computer science professors Jack Davidson and John Knight, has built a fully automated system to thwart cyber-attacks.

“Our goal is to create a tool that can automatically protect software systems,” said David Melski, GrammaTech’s vice president of research.

During the competition, other teams will try to get around the system’s defenses.

“It’s important to understand how these attacks work, because how can you defend against them, if you don’t understand how they work?” Davidson said. “DARPA was very clever in how they structured this, so they don’t have to come up with tests to see how strong our defenses are. The other competitors are doing that, so we’re testing each other’s defenses by attacking each other.”

The UVA team was among 104 international teams that originally registered for the competition in 2014.

In the first round of the competition, the competitors had to build a supercomputer that could rapidly analyze software, identify security holes in the software and then patch these holes, all without human intervention.

Swarms of malicious programs are constantly seeking to take advantage of network vulnerabilities. Computers can detect the hacking attempts, but cyber defense today still ultimately depends on human experts to patch those weaknesses and stymie new attacks – a process that can take months or longer, by which time critical systems may have been breached. The Cyber Grand Challenge is a first-of-its-kind tournament designed to speed the development of automated security systems, able to defend against cyber-attacks as fast as they are launched.

Davidson said his team had been working on cybersecurity since 2001, receiving research contracts from agencies such as the Department of Defense and the Intelligence Advanced Research Projects Agency. The UVA team and GrammaTech had just completed a project for the latter agency when the DARPA competition was announced.

Among the other finalists are teams from the University of California at Berkeley; University of California, Santa Barbara; Carnegie Mellon University; University of Idaho; Raytheon Company; and a technology incubator from Georgia.

UVA’s Davidson said the competition will open commercial opportunities for GrammaTech and create research possibilities for the University.

“This puts the University of Virginia with an elite group in cybersecurity,” said Kevin Skadron, chair of UVA Engineering’s Department of Computer Science.

DARPA believes the final round of competitors brings diversity and a new approach to the cybersecurity field.

“We’re all in this together,” said Mike Walker, DARPA program manager, in a video explaining the challenge. “We have to build defensible networks. We have to give tools to these institutions that work. And right now, as we want to put network technologies into more and more things, we also have to find a way to make them safer, and it’s a challenge for civilization.”

DARPA has developed a custom data visualization technology to make it easy for spectators – both a live audience and anyone watching the event’s video stream worldwide – to follow the action in real time during the final contest. (The event can be watched from 8-11 p.m. EDT, 5-8 p.m. PDT.) “Wired” online magazine describes how DARPA will make must-see TV from a contest among super-computers.

Even more important to Walker than the competition is igniting the cybersecurity community’s belief that automated cybersecurity analysis and remediation are finally within reach.

“We want an automation revolution in computer security so machines can discover, confirm and fix software flaws within seconds, instead of waiting up to a year under the current human-centric system,” he said. “These capabilities are essential for protecting data and processes as more and more devices, including vehicles and homes, get networked in the ‘Internet of Things.’”