[Owasp-leaders] 2 Million Dollars

Josh Sokol josh.sokol at owasp.org
Fri Dec 6 22:15:11 UTC 2013


Much more information in the challenge rules.  Seems pretty straightforward
and I maintain that ModSecurity can do 99% of what they're asking for
straight out of the box.

At the present time, automated program analysis capabilities are able to
assist the work of human software analysts. These automation technologies
include Dynamic Analysis, Static Analysis, Symbolic Execution, Constraint
Solving, Data Flow Tracking, Fuzz Testing, and a multitude of related
technologies.  In the Cyber Grand Challenge, a competitor will improve and
combine these semi-automated technologies into an unmanned Cyber Reasoning
System (CRS) that can autonomously reason about novel program flaws, prove
the existence of flaws in networked applications, and formulate effective
defenses. The performance of these automated systems will be evaluated
through head-to-head tournament style competition.

The "Areas of Excellence" for the challenge are:

1) Autonomous Analysis
2) Autonomous Patching
3) Autonomous Vulnerability Scanning
4) Autonomous Service Resiliency
5) Autonomous Network Defense

~josh


On Fri, Dec 6, 2013 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Johanna,
>
> I don't want to get into an argument over semantics, but I politely
> disagree with your assertion that Bayesian analysis is "not exactly AI".
> While there may be multiple forms that Artificial Intelligence can take,
> there is a wealth of knowledge on the use of Bayesian analysis for neural
> networks as you suggest dating back many many years.  Here is one such
> example:
>
> http://www.lce.hut.fi/publications/pdf/LampinenVehtari_NN2001_preprint.pdf
>
> The whole point of Bayesian analysis is to make future predictions based
> on past data.  It is an autonomous learning algorithm and can most
> certainly be used for Artificial Intelligence.  I'm not sure how you can
> possibly argue otherwise.
>
> As for the competition going beyond AppSec, I'm not sure, but the site
> does say:
>
> During the competition, automatic systems would reason about software
> flaws, formulate patches and deploy them on a network in real time.
>
> Perhaps I'm oversimplifying, but detection of software flaws and automated
> virtual patching is most certainly something that ModSecurity is capable of.
>
> ~josh
>
>
> On Fri, Dec 6, 2013 at 3:29 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Josh
>>
>> "The CGC competitions require a fully automated solution – no human
>> assistance is permitted in any cyber reasoning processes, including reverse
>> engineering and patch formulation.
>>
>> Bayesian analysis is not exactly AI....
>>
>> "In statistics <http://en.wikipedia.org/wiki/Statistics>, Bayesian
>> inference is a method of inference <http://en.wikipedia.org/wiki/Statistical_inference>
>> in which Bayes' rule <http://en.wikipedia.org/wiki/Bayes%27_rule> is used
>> to update the probability estimate for a hypothesis as additional
>> evidence <http://en.wikipedia.org/wiki/Evidence> is acquired. Bayesian
>> updating is an important technique throughout statistics, and especially in
>> mathematical statistics <http://en.wikipedia.org/wiki/Mathematical_statistics>"
>>
>> I don't think that ESAPI and APPSENSOR are that far as described
>> above, however I believe you can use part of that knowledge to construct
>> this solution. Also the areas in the challenge go further than application
>> security alone.
>>
>> I believe you need Neural networks or some Prolog. I think that a
>> combination of semantics for programming the rules and decisions (models)
>> will be a possible approach.
>>
>>
>> Regards
>>
>>
>> Johanna
>>
>>
>> On Fri, Dec 6, 2013 at 5:19 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> Pick up a copy of Ryan Barnett's Web Application Defender's Cookbook and
>>> you'll start to realize just how close to AI it is.  Especially given its
>>> ability to perform Bayesian analysis and take automated action based on
>>> those results.  And if the application can be hooked with ESAPI and
>>> AppSensor, then you can do similar based on events at the code level as
>>> well.  Autonomous sounds like "AI" to me as well, but I'm pretty sure that
>>> toolset is capable with some forethought and minor modifications.
>>>
>>> ~josh
>>>
>>>
>>> On Fri, Dec 6, 2013 at 3:13 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>
>>>> Now we have the start of a party...
>>>>
>>>> http://www.darpa.mil/cybergrandchallenge/
>>>>
>>>> On Dec 6, 2013, at 4:03 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> Well, not so fast , because ...
>>>>
>>>> "DARPA is soliciting innovative proposals from teams that will develop
>>>> and field autonomous Cyber Reasoning Systems capable of
>>>> comprehending and protecting software during a live exercise. Specifically
>>>> excluded is research that primarily results in evolutionary improvements to
>>>> the existing state of practice."
>>>>
>>>> ...
>>>>
>>>> The DARPA Cyber Grand Challenge will utilize a series of competition
>>>> events to test the abilities of a new generation of fully automated cyber
>>>> defense systems. During a final competition event, automated Cyber
>>>> Reasoning Systems will compete against each other in real time. This event
>>>> will be held in a public setting and documented for research purposes.
>>>>
>>>>
>>>> This smells Artificial intelligence ...
>>>>
>>>>
>>>> On Fri, Dec 6, 2013 at 4:56 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>>> ModSecurity + ESAPI + AppSensor.  Done.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> On Fri, Dec 6, 2013 at 2:15 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>>>>
>>>>>>
>>>>>> http://www.theregister.co.uk/2013/12/06/darpa_enlists_def_con_talent_for_2m_security_bugswatting_challenge
>>>>>>
>>>>>> Interested?
>>>>>>
>>>>>> Now that AppSecUSA is over it's time for the next OWASP mission
>>>>>> focused project.   Add a 2M dollar bounty you got my attention - how about
>>>>>> yours?
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
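As an added illustration (not code from this thread, nor from ModSecurity, ESAPI or AppSensor), here is the Bayesian updating the messages above argue about, written out as a small classifier: a naive-Bayes model is trained on constructed, labelled request lines (the "past data"), Bayes' rule scores each new request, and the per-client posterior that the client is hostile is updated request by request until it crosses a threshold and triggers the automated block. The token set, the sample requests, the 0.1 prior and the 0.95 block threshold are assumptions chosen for the example, not anything the thread or the tools specify.

```python
# Added example, not code from the thread or from ModSecurity/AppSensor:
# a naive-Bayes classifier trained on constructed request lines, and
# per-client Bayesian updating that triggers an automatic block once the
# posterior that the client is hostile crosses a threshold. The tokenizer,
# the sample data, the prior and the threshold are illustrative assumptions.
import math
import re
from collections import Counter

# Constructed, labelled "past data" (1 = malicious, 0 = benign). Not real traffic.
TRAINING = [
    ("GET /index.html", 0),
    ("GET /products?id=42", 0),
    ("GET /search?q=red+shoes", 0),
    ("POST /login user=alice&pass=secret", 0),
    ("GET /images/logo.png", 0),
    ("GET /products?id=42'+OR+'1'='1", 1),
    ("GET /products?id=1+UNION+SELECT+null,version()", 1),
    ("GET /../../../../etc/passwd", 1),
    ("GET /search?q=<script>alert(1)</script>", 1),
    ("POST /login user=admin'--&pass=x", 1),
]

# Lower-case words plus the punctuation that carries signal in injection
# payloads (quote, angle brackets, SQL comment, parent-dir, parentheses).
TOKEN_RE = re.compile(r"[a-z0-9]+|'|<|>|--|\.\.|\(|\)")


def tokenize(request):
    return TOKEN_RE.findall(request.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, samples, alpha=1.0):
        self.alpha = alpha
        self.counts = {0: Counter(), 1: Counter()}
        self.vocab = set()
        for request, label in samples:
            for tok in tokenize(request):
                self.counts[label][tok] += 1
                self.vocab.add(tok)

    def log_likelihood(self, tokens, label):
        """log P(tokens | label); tokens never seen in this class get the smoothed floor."""
        total = sum(self.counts[label].values()) + self.alpha * len(self.vocab)
        return sum(math.log((self.counts[label][t] + self.alpha) / total) for t in tokens)

    def log_likelihood_ratio(self, request):
        """Evidence one request carries: log P(req|malicious) - log P(req|benign)."""
        tokens = tokenize(request)
        return self.log_likelihood(tokens, 1) - self.log_likelihood(tokens, 0)

    def posterior_malicious(self, request, prior=0.5):
        """Bayes' rule for a single request, computed in log-odds to avoid underflow."""
        log_odds = math.log(prior / (1 - prior)) + self.log_likelihood_ratio(request)
        return 1.0 / (1.0 + math.exp(-log_odds))


def decide_block(model, requests, prior=0.1, block_at=0.95):
    """Sequential Bayesian updating of the hypothesis "this client is hostile".
    Each request multiplies the odds by its likelihood ratio; the first time the
    posterior reaches block_at the client is blocked. Returns (posterior, index),
    where index is the position of the request that triggered the block, or None
    if the client was never blocked."""
    log_odds = math.log(prior / (1 - prior))
    for i, request in enumerate(requests):
        log_odds += model.log_likelihood_ratio(request)
        posterior = 1.0 / (1.0 + math.exp(-log_odds))
        if posterior >= block_at:
            return posterior, i
    return 1.0 / (1.0 + math.exp(-log_odds)), None


MODEL = NaiveBayes(TRAINING)

if __name__ == "__main__":
    for req in ["GET /images/banner.png", "GET /products?id=7'+OR+'1'='1"]:
        print(f"{MODEL.posterior_malicious(req):.3f}  {req}")
    session = ["GET /index.html", "GET /products?id=7",
               "GET /products?id=7'+OR+'1'='1", "GET /../../../etc/shadow"]
    print(decide_block(MODEL, session))
```

With these assumptions, a single injection attempt lifts a client's posterior from well under 0.01 to about 0.72, short of the 0.95 block threshold under the 0.1 prior; the second hostile request carries it past 0.98 and the block fires. That gap is the practical difference between scoring each request in isolation and updating one hypothesis about the client as evidence accumulates, which is what the Bayes' rule quote above describes.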