Four companies tapped to use artificial intelligence (AI) to find and fix cyber security vulnerabilities

Feb. 11, 2025
INGOTS aims to harden systems against exploit chains by identifying and fixing these vulnerabilities before attackers can capitalize on them.

ARLINGTON, Va. – U.S. military researchers are asking three companies to use artificial intelligence (AI) to measure cyber security vulnerabilities in sophisticated and complex computer and weapons systems.

Officials of the U.S. Defense Advanced Research Projects Agency (DARPA) in Arlington, Va., announced contracts in late January to Two Six Labs LLC in Arlington, Va.; RTX BBN Technologies in Cambridge, Mass.; Kudu Dynamics LLC in Chantilly, Va.; and Narf Industries LLC in San Francisco for the Intelligent Generation of Tools for Security (INGOTS) project.

Cyber exploit chains

INGOTS assumes that today's sophisticated cyber attacks link several vulnerabilities together into exploit chains that bypass software and hardware security measures to compromise critical, high-value devices.

INGOTS aims to harden systems against exploit chains by identifying and fixing these vulnerabilities before attackers can capitalize on them. INGOTS will characterize and measure interdependent exploitability to protect against the next generation of cyber security vulnerabilities.

Two Six Labs won an $18.6 million contract; RTX BBN Technologies won a $10.3 million contract; Kudu Dynamics won a $7.1 million contract; and Narf Industries won a $6.8 million contract. All contracts were awarded on 31 Jan. 2025.

Understanding cyber risk is critical, yet today crucial vulnerabilities go unfixed as resources are misallocated to lesser issues. The reason is that today’s metrics fail to capture factors that differentiate an innocuous software flaw from a potent vulnerability.

Measuring vulnerabilities

Without accurate ways to measure exploitability, developers and defenders must rely on empirical evidence like manually developed proof-of-concept exploits to assess severity and rank vulnerabilities for remediation in order of importance.

Attempts to do this today are expensive: they not only require time and subject-matter expertise, but also are unable to keep up with the speed and scale of the problem.

The INGOTS program aims to measure chainable vulnerabilities within widely used secure computing systems at speed and at scale before attackers can take advantage of unauthorized access, and create an automated process to triage vulnerabilities rapidly.

INGOTS will develop datasets that capture artifacts and features of vulnerabilities and exploits to drive program analysis and AI-related approaches for rapid risk assessment.

Reducing human intervention

Rather than develop an automatic process, INGOTS aims to create a computer-human pipeline that enables human intervention with semi-automatic tools. Ultimately, the project seeks to reduce the level of human intervention and expertise required, so that the severity of vulnerabilities can be measured at scale with near-full automation.

The INGOTS 36-month program has four technical areas: vulnerability triage; severity analysis; data modeling; and integration. Several contractors will be involved. The project also will target three use cases: mobile operating systems; cellular baseband stack; and Wi-Fi and Bluetooth stacks.

Vulnerability triage will use machine automation to rank potential vulnerabilities within widely used secure computing systems. Severity analysis will develop theories, tools, and techniques for automating how to find and generate proofs of vulnerabilities. Data modeling will develop an architecture to analyze vulnerabilities automatically and manually. Transition will identify use cases and work with the Pentagon to establish how to deploy enabling technologies developed in the INGOTS project.

For more information contact Two Six Labs online at https://twosixtech.com; RTX BBN at www.rtx.com/who-we-are/we-are-rtx/transformative-technologies/bbn; Kudu Dynamics at https://recruitingbypaycor.com/career/CareerHome.action?clientId=8a7883d07f5232ae017f88e3c675107b; Narf Industries at https://narfindustries.com; or DARPA at www.darpa.mil/research/programs/intelligent-generation-tools-security.

About the Author

John Keller | Editor-in-Chief

John Keller is the Editor-in-Chief of Military & Aerospace Electronics Magazine, which provides extensive coverage and analysis of enabling electronics and optoelectronic technologies in military, space and commercial aviation applications. John has been a member of the Military & Aerospace Electronics staff since 1989 and chief editor since 1995.
