US healthcare agency to invest $50M in threat detection tools that predict attackers’ next moves

Proposals should try to “capture and leverage the thought patterns of expert hackers as they analyze code for vulnerabilities. Using passive, non-invasive biometric sensing, and an instrumented research environment, [proposals] will map experts’ cognitive states to specific elements — e.g., functions, variables — with minimal disruption to their normal workflow. This process will capture expert intuition about relationships between elements and their vulnerability detection strategies in a comprehensive, machine-readable format. [Proposals] will develop tools to execute these human expert strategies at machine speed and scale, enabling [it] to deploy remediations to discover vulnerabilities faster than adversaries can exploit them [using] automated vulnerability detection tools and models of expert hacker workflows, focused on hospital equipment.”

The RFP also sought projections that appear to leverage generative AI, although instead of predicting the next word, the technology will try to predict the next one or two actions. The technology “will study the behavior and workflows of expert hackers as they search for vulnerabilities and will create predictive models based on these observations. This may involve a combination of active and passive instrumentation including but not limited to gaze tracking, electroencephalography (EEG), system monitoring, and interviews. Proposals should describe the approach for studying expert hacker behavior and workflows. [It] will limit expert hackers under observation to analysis of artifacts that can be reasonably acquired — e.g., application binaries, firmware images — or are publicly available, such as open-source code.”

Larry Trotter, CEO of Inherent Security, which specializes in healthcare security issues, said the government proposal showed that the agency “wants to take steps in the right direction” but he said he was puzzled about the overall proposal because it seems to be trying to create tools that already exist.

“They are trying to create an automated vulnerability detection tool and there are plenty of tools today that already do this in the marketplace,” Trotter said. “They are spending money in the wrong place.”

Trotter also questioned how they phrased the portion dealing with predictive behaviors. “Using the phrase ‘thought-patterns’ in this context, it sounds like they are trying to read their minds. It is a poor choice of words,” he said.

The name of the ARPA-H program is UPGRADE, a rather tortured acronym standing for “the Universal PatchinG and Remediation for Autonomous DEfense program.”
