ARLINGTON, Va. – U.S. military researchers are asking for industry's help to use artificial intelligence (AI) to measure cyber vulnerabilities in sophisticated and complex computer and weapons systems.
Officials of the U.S. Defense Advanced research Projects Agency (DARPA) in Arlington, Va., issued a broad-agency announcement on Thursday (HR001123S0049) for the Intelligent Generation of Tools for Security (INGOTS) project.
This project assumes that today's sophisticated cyber attacks link several vulnerabilities together into exploit chains that bypass software and hardware security measures to compromise critical, high-value devices.
Instead, INGOTS aims to harden systems against exploit chains by identifying and fixing these vulnerabilities before attackers can capitalize on them. INGOTS will characterize and measure interdependent exploitability to protect against the next generation of cyber security vulnerabilities.
Understanding cyber risk is critical, yet today crucial vulnerabilities go unfixed as resources are misallocated to lesser issues. The reason is that today’s metrics fail to capture factors that differentiate an innocuous software flaw from a potent vulnerability.
Without accurate ways to measure exploitability, developers and defenders must rely on empirical evidence like a manually developed proof-of-concept exploits to assess severity and rank vulnerabilities for remediation in order of importance.
Attempts to do this today are expensive, and not only require time and subject matter expertise, but also are unable to keep up with the speed and scale of the problem.
The INGOTS program aims to measure chainable vulnerabilities within widely used secure computing systems at speed and at scale before attackers can take advantage of unauthorized access, and create an automated process to triage vulnerabilities rapidly.
INGOTS will develop datasets that capture artifacts and features of vulnerabilities and exploits to drive program analysis and AI-related approaches for rapid risk assessment.
Rather than develop a automatic process, INGOTS aims to create a computer-human pipeline that enables human intervention with semi-automatic tools. Ultimately, the project seeks to reduce the level of human-intervention and expertise, and measure the severity of vulnerabilities can be measured at scale with near-full automation.
The INGOTS 36-month program has four technical areas: -- vulnerability triage; severity analysis; data modeling; and integration. Several contractors will be involved. The project also will target three use cases: mobile operating systems; cellular baseband stack; and Wi-Fi and Bluetooth stacks.
Vulnerability triage will use machine automation to rank potential vulnerabilities within widely used secure computing systems. Severity analysis will develop theories, tools, and techniques for automating how to find and generate proofs of vulnerabilities. Data modeling will develop an architecture to analyze vulnerabilities automatically and manually. Transition will identify use cases and work with the Pentagon to establish how to deploy enabling technologies developed in the INGOTS project.
Companies interested should upload four-page abstracts by 14 July 2023, and 20-page proposals no later than 22 Aug. 2023 to the DARPA BAA website online at https://baa.darpa.mil.
Email questions or concerns to DARPA at [email protected]. More information is online at https://sam.gov/opp/7afef7eed5db4ff490971d0667cbaa48/view.
