This August, a motley assortment of approximately 30,000 attendees, including some of the best cybersecurity professionals, expert programmers and officials from top government agencies, packed the Las Vegas Convention Center for DEF CON, the world’s largest hacker convention.
At the convention, a cybersecurity cohort of professors, researchers and graduate students from Arizona State University waited anxiously in a crowded ballroom for the results of the semifinal round of the DARPA AI Cyber Challenge, also known as AIxCC.
The 25-person Shellphish team, composed of “hackademics” from ASU, the University of California, Santa Barbara and Purdue University, had been preparing for this day since March. They now waited on the edges of their seats for the answer to a burning question: Would they receive the $2 million in prize money that would enable them to continue their work?
The AIxCC is a competition hosted at DEF CON by the U.S. Defense Advanced Research Projects Agency, or DARPA, to spur the development of a cybersecurity system powered by artificial intelligence, or AI. Because of its desire to protect hospitals, pharmacies and medical devices from cyberattacks, the U.S. Advanced Research Projects Agency for Health, or ARPA-H, is also collaborating on the competition and has expanded the prize pool.
In the semifinals, $14 million was on the line. But the true stakes are even higher. The work is part of the U.S. government’s vital efforts to shore up national cybersecurity defense.
A massive cybersecurity workforce shortage, vulnerabilities in open-source software and a drastic rise in cybercrime have created a desperate need for solutions that can be deployed now to protect the nation’s technical infrastructure.
Open-source software creates cybercrime openings
The Internet Crime Report compiled annually by the Federal Bureau of Investigation warns of an alarming growth in cybercrime, with a record number of complaints received in 2023 and reported financial losses set to exceed $12.5 billion annually. Meanwhile, there are an estimated 3.5 million unfilled cybersecurity jobs, with around 750,000 of those vacant positions open here in the U.S.
The widespread use of open-source software has created heightened vulnerabilities. With such software, source code is publicly available. Anyone can inspect the code, and anyone can modify it. Anyone can also comb through the code to spot security weaknesses. The Linux operating system, the web browser Mozilla Firefox and the web content management system WordPress are popular examples of open-source software.
In March, a lone engineer from Microsoft single-handedly prevented what NPR dubbed “the hack that almost broke the internet,” spotting what’s now known as the XZ hack, an attack on an open-source data compression utility that would have made it possible for bad actors to remotely access millions of computers.
“We want to redefine how we secure widely used, critical codebases, because of how ubiquitous open-source is across the critical infrastructure sectors,” Andrew Carney, DARPA program manager for AIxCC and program manager for resilient systems at ARPA-H, told the Washington Post.
The ASU AIxCC team is part of a small business venture called the Shellphish Support Syndicate that is organized by Adam Doupé, Fish Wang and Yan Shoshitaishvili, three associate professors of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University. Its objective is to support the Shellphish team through education and research initiatives.
Working with doctoral students and researchers, Doupé, Wang and Shoshitaishvili, along with fellow Fulton Schools faculty member Tiffany Bao, collaborated on the development of an AI-based system called ARTIPHISHELL. Their solution can automatically analyze the code that runs a piece of software, correct any security vulnerabilities found and then retest the system.
“ARTIPHISHELL is a giant leap toward achieving our vision of humans working alongside AI to keep our software safe,” says Shoshitaishvili. “Addressing critical cybersecurity challenges will require us to invent new paradigms of collaboration between the human and digital world.”
All bets are off
It’s this new vision they brought to the AIxCC Semifinals Competition.
The Shellphish team erupted in cheers at the announcement that they had won. The group is one of seven semifinal winners, out of more than 40 total entries, who will receive $2 million in funds to continue their development work.
Doupé, who is also the director of the Center for Cybersecurity and Trusted Foundations, notes that these types of AI systems are urgently needed for enterprise software as well. Many of these systems rely in part on open-source code, and even those that do not rely on it need help with ongoing maintenance.
“Today, a company might hire a team of really good cybersecurity consultants to audit their system. That team will find and patch vulnerabilities,” he says. “Then they move on to their next project. But who tests the company’s system the next week? Or the week after that?”
The latest win marks $3 million in total prize money awarded to the Shellphish team from AIxCC competitions. The group received an initial $1 million in March in the first AIxCC round to fund the early work needed for ARTIPHISHELL. The winnings also supported the team’s travel and practice participation in cybersecurity competitions.
But now, Shellphish is getting ready to put their money back on the table and bet big that they’ll win in the next round.
They will head to Las Vegas next August for the AIxCC Final Competition where they will demonstrate their finished system live and compete for an additional $4 million prize.