Proposals ought to attempt to “seize and leverage the thought patterns of professional hackers as they analyze code for vulnerabilities. Utilizing passive, non-invasive biometric sensing, and an instrumented analysis surroundings, [proposals] will map consultants’ cognitive states to particular components — e.g., features, variables — with minimal disruption to their regular workflow. This course of will seize professional instinct about relationships between components and their vulnerability detection methods in a complete, machine-readable format. [Proposals] will develop instruments to execute these human professional methods at machine velocity and scale, enabling [it] to deploy remediations to find vulnerabilities quicker than adversaries can exploit them [using] automated vulnerability detection instruments and fashions of professional hacker workflows, centered on hospital tools.”
The RFP additionally sought projections that look like leveraging generative AI, though as a substitute of predicting the following phrase, it can attempt to predict the following one or two actions. The expertise “will examine the conduct and workflows of professional hackers as they seek for vulnerabilities and can create predictive fashions based mostly on these observations. This may increasingly contain a mix of lively and passive instrumentation together with however not restricted to gaze monitoring, electroencephalography (EEG), system monitoring, and interviews. Proposals ought to describe the strategy for finding out professional hacker conduct and workflows. [It] will restrict professional hackers below commentary to evaluation of artifacts that may be fairly acquired — e.g., software binaries, firmware photographs — or are publicly obtainable, equivalent to open-source code.”
Larry Trotter, CEO of Inherent Safety, which makes a speciality of healthcare safety points, mentioned the federal government proposal confirmed that the company “needs to take steps in the correct course” however he mentioned he was puzzled concerning the total proposal as a result of it appears to be making an attempt to create instruments that exist already.
“They’re making an attempt to create an automatic vulnerability detection instrument and there are many instruments right this moment that already do that within the market,” Trotter mentioned. “They’re spending cash within the incorrect place.”
Trotter additionally questioned how they phrased the portion coping with predictive behaviors. “Utilizing the phrase ‘thought-patterns’ on this context, it seems like they’re making an attempt to learn their minds. It’s a poor selection of phrases,” he mentioned.
The identify of the ARPA-H program is UPGRADE, a relatively tortured acronym standing for “the Common PatchinG and Remediation for Autonomous DEfense program.”
