US DARPA wants AI to detect and fix vulnerabilities in open-source code

The Defense Advanced Research Projects Agency (DARPA) announced the finalists for its AI Cyber Challenge (AIxCC) at DEF CON, a competition that rewards teams for training large language models (LLMs) to identify and fix vulnerabilities in open-source code. BigTech companies like Google, Microsoft, Anthropic, and OpenAI supported participants with AI model credits. The challenge saw about 40 teams submit projects, which were tested on their ability to detect and remediate injected vulnerabilities in open-source coding projects.

Experts say that generative AI can help automate the detection and patching of security flaws in code, and this development can be critical as unsophisticated yet harmful cyberattacks increasingly target critical facilities such as hospitals and water systems. Automating basic cybersecurity practices, such as scanning and fixing code bugs, could significantly reduce these incidents.

Despite running these tests in a controlled, sandboxed environment, the semifinalists’ LLM projects managed to discover 22 unique vulnerabilities and automatically patch 15 of them. DARPA, which has invested over $2 billion in AI research since 2018, plays a unique role in cybersecurity innovation: it created a mock city under cyberattack within DEF CON, attracting over 12,500 visitors. The seven finalist teams will compete in the challenge’s final round at next year’s DEF CON conference, with government officials hoping these AI tools will soon be applied to protect real-life critical infrastructure.

Anne Neuberger, the Biden administration’s deputy national security advisor for cyber and emerging technology, emphasised the goal of using AI for defense as swiftly as adversaries use it for offense. The White House is already collaborating with the Department of Energy to explore deploying these AI tools within the energy sector and hopes to eventually apply them to proprietary company code.