Proposals should attempt to “capture and use the thought patterns of expert hackers as they analyze code for vulnerabilities. Using a passive, non-invasive biometric sensor, and an instrumented research environment, [proposals] it will map professionals’ attitudes towards certain things – eg, tasks, variables – with minimal disruption to their normal flow. This process will capture an expert’s intuition about the relationships between factors and their risk detection strategies in a comprehensive, machine-readable format. [Proposals] will develop the tools to implement these human expert techniques at the speed and scale of the machine, allowing [it] using fixes to detect vulnerabilities faster than adversaries can exploit them [using] automated risk detection tools and professional workflow models, focused on hospital equipment.”
The RFP also called for predictions that seem to benefit the production AI, although instead of predicting the next word, it will try and predict the next action or two. The technology will “learn the behavior and workflow of expert hackers as they search for vulnerabilities and will create predictive models based on these observations. This may include a combination of active and passive instruments including but not limited to tracking, electroencephalography (EEG), system monitoring, and interviews. Proposals should describe how to study professional hacking behavior and workflow. [It] it will limit expert hackers under surveillance to analyze artifacts that can be reasonably obtained – eg, application binaries, firmware images – or that are publicly available, such as open source code.”
Larry Trotter, the CEO of Inherent Security, which is responsible for health security, said that the government’s proposal shows that the organization “wants to take steps in the right way” but he said that he is confused by the whole proposal because it seems that it is trying to create tools that already exist.
“They’re trying to build an automated vulnerability detection tool and there are a lot of tools today that already do this on the market,” Trotter said. “They’re spending money in the wrong place.”
Trotter also asked how they put the part about predictable behavior. “Using the phrase ‘thinking patterns’ in this context, it sounds like they are trying to read their minds. Bad choice of words,” he said.
The name of the ARPA-H program is UPGRADE, an offensive acronym that stands for “Universal PatchinG and Repair of Automated Defense Systems.”
Source link