‘Mayhem’ wins $2M first prize in DARPA Cyber Grand Challenge

Autonomous programs slug it out in first computer-on-computer Capture the Flag competition

Cyber-reasoning platform Mayhem pulled down the $2 million first prize in a DARPA-sponsored Cyber Grand Challenge competition that pitted entrants against each other in the classic hacking game Capture the Flag, never before played by programs running on supercomputers.

A team from Carnegie Mellon University spin-out All Secure entered Mayhem in the competition against six other programs played in front of thousands in the ballroom of the Paris hotel in Las Vegas. Most of the spectators were in town for the DEF CON hacker conference starting Friday at the same site.

BLACK HAT: Quick look at hot issues

In addition to the cash, the All Secure team gets to enter Mayhem in the DEF CON Capture the Flag competition for human teams, although it is not expected to do well. While computers can outpace humans in performing mundane tasks, people are still thought to have the edge in strategy and intuition.

The DARPA event was sportscast live by a team of hacking experts who provided commentary over the 96 rounds of competition as they reviewed what actions the teams had taken against each other and what bugs they had discovered during each round.

How the Machines Discovered Bugs

The competition was remarkable in that each program based on cyber reasoning engines could discover bugs in never-before-seen code supplied by the DARPA organizers. They could then create patches for them on the fly.

All the programs ran on their own, without human intervention. The teams that created them sat by in a cordoned off area, basically spectators observing their bots doing battle.

Artificial intelligence, which learns as it goes along, was not in play here. Rather the competing programs were applying preset policies about how to analyze and respond to characteristics of the code they found.

In second place, winning $1M, was Xandra from GrammaTech in Ithaca, N.Y. and the University of Virginia, and the third place prize of $750,000 went to Mech.Phish from a team from the University of California at Santa Barbara.

The programs could score points three ways.

Security: They had to protect their own servers by finding vulnerabilities and successfully defending them by creating patches.

Availability: At the same time, they had to keep a set of tasks on their servers up and running well.

Evaluation: Finally, they scanned opponents’ servers to find vulnerabilities.

darpa cgc wide shot Tim Greene/NetworkWorld

DARPA-sponsored Capture the Flag competition at the Paris in Las Vegas

Surprisingly, Mayhem managed to win the competition despite being entirely disabled through most of the final rounds 30 rounds. That is not uncommon in Capture the Flag competitions where sometimes the best game strategy is to do nothing while others struggle with problems of their own.

During the competition, an entrant dubbed Rubeus (created by a team from Raytheon) was slowed down after issuing a patch to a flaw found by a competitor. The patch apparently sucked up so much CPU that it affected the performance of other services being run on the server.

Later, Rubeus’s logic apparently decided that it was better to remove the patch and remain vulnerable than to do poorly in its availability score.

Organizers spared no expense, with a dozen or so large-screen displays showing the coverage supplied by experts at an anchor desk and a reporter in the pit talking to the teams behind the programs that were competing.

The supercomputers were lit with colored light on a stage at one end of the room. They were isolated from the outside world except for power cables and supercooled water to keep them from overheating.

In order for officials to monitor what they were up to, their activity was recorded to disks that were lifted out by a mechanical robot to be placed in separate computers for reading – creating an air gap from the outside world.

Other competitors were Team CSDS, with just two members from the University of Idaho and a platform named Jima; CRSPY from a team in Athens, Ga.; and Galactica from a group based in Berkeley, Calif., Syracuse, N.Y., and Lausanne, Switzerland.

Join the Computerworld newsletter!

Error: Please check your email address.

More about MellonSwitzerland

Show Comments