Jackpot! ASU hackers win $2M at Vegas AI competition


Adam Doupé and the Shellphish team cheer from their seats in the Las Vegas Convention Center.

Adam Doupé (second from left), an associate professor of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University, leads Shellphish in a cheer following the cybersecurity team’s big win in a Las Vegas hacking competition in August. Photo courtesy of Jackie LeFevers/ASU


This August, a motley assortment of approximately 30,000 attendees, including some of the best cybersecurity professionals, expert programmers and officials from top government agencies, packed the Las Vegas Convention Center for DEF CON, the world’s largest hacker convention.

At the convention, a cybersecurity cohort of professors, researchers and graduate students from Arizona State University waited anxiously in a crowded ballroom for the results of the semifinal round of the DARPA AI Cyber Challenge, also known as AIxCC.


The 25-person Shellphish team, composed of "hackademics" from ASU, the University of California, Santa Barbara and Purdue University, had been preparing for this day since March. They now waited on the edges of their seats for the answer to a burning question: Would they receive the $2 million in prize money that would enable them to continue their work?

The AIxCC is a competition hosted at DEF CON by the U.S. Defense Advanced Research Projects Agency, or DARPA, to spur the development of a cybersecurity system powered by artificial intelligence, or AI. Because of its desire to protect hospitals, pharmacies and medical devices from cyberattacks, the U.S. Advanced Research Projects Agency for Health, or ARPA-H, is also collaborating on the competition and has expanded the prize pool.

In the semifinals, $14 million was on the line. But the true stakes are even higher. The work is part of the U.S. government’s vital efforts to shore up national cybersecurity defense.

A massive cybersecurity workforce shortage, vulnerabilities in open-source software and a drastic rise in cybercrime have created a desperate need for solutions that can be deployed now to protect the nation’s technical infrastructure.

The team of Shellphish doctoral students pose at the bottom of a staircase.
Doctoral students from computer science and engineering programs, including those in the Fulton Schools, pause their work as part of the Shellphish team and take a break for a photo opportunity. Photo courtesy of Shellphish

Open-source software creates cybercrime openings

The Internet Crime Report compiled annually by the Federal Bureau of Investigation warns of an alarming growth in cybercrime, with a record number of complaints received in 2023 and reported financial losses set to exceed $12.5 billion annually. Meanwhile, there are an estimated 3.5 million unfilled cybersecurity jobs, with around 750,000 of those vacant positions open here in the U.S.

The widespread use of open-source software has created heightened vulnerabilities. With such software, source code is publicly available. Anyone can inspect the code, and anyone can modify it. Anyone can also comb through the code to spot security weaknesses. The Linux operating system, the web browser Mozilla Firefox and the web content management system WordPress are popular examples of open-source software.

In March, a lone engineer from Microsoft single-handedly prevented what NPR dubbed “the hack that almost broke the internet,” spotting what’s now known as the XZ hack, an attack on an open-source data compression utility that would have made it possible for bad actors to remotely access millions of computers.

“We want to redefine how we secure widely used, critical codebases, because of how ubiquitous open-source is across the critical infrastructure sectors,” Andrew Carney, DARPA program manager for AIxCC and program manager for resilient systems at ARPA-H, told the Washington Post.

The ASU AIxCC team is part of a small business venture called the Shellphish Support Syndicate that is organized by Adam Doupé, Fish Wang and Yan Shoshitaishvili, three associate professors of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University. Its objective is to support the Shellphish team through education and research initiatives.

Working with doctoral students and researchers, Doupé, Wang and Shoshitaishvili, along with fellow Fulton Schools faculty member Tiffany Bao, collaborated on the development of an AI-based system called ARTIPHISHELL. Their solution can automatically analyze the code that runs a piece of software, correct any security vulnerabilities found and then retest the system.

“ARTIPHISHELL is a giant leap toward achieving our vision of humans working alongside AI to keep our software safe,” says Shoshitaishvili. “Addressing critical cybersecurity challenges will require us to invent new paradigms of collaboration between the human and digital world.”

A pink and purple mural at the entrance to DEF CON 2024.
A mural greets DEF CON attendees in the Las Vegas Convention Center. With more than 30,000 participants each year, DEF CON has become the world’s largest hacking convention. The event has emerged as a go-to destination for cybersecurity research and training. Photo courtesy of Jackie LeFevers/ASU

All bets are off

It’s this new vision they brought to the AIxCC Semifinals Competition.

The Shellphish team erupted in cheers at the announcement that they had won. The group is one of seven semifinal winners, out of more than 40 total entries, who will receive $2 million in funds to continue their development work.

Doupé, who is also the director of the Center for Cybersecurity and Trusted Foundations, notes that these types of AI systems are urgently needed for enterprise software as well. Many of these systems rely in part on open-source code, and even those that don’t need help with ongoing maintenance.

“Today, a company might hire a team of really good cybersecurity consultants to audit their system. That team will find and patch vulnerabilities,” he says. “Then they move on to their next project. But who tests the company’s system the next week? Or the week after that?”

The latest win marks $3 million in total prize money awarded to the Shellphish team from AIxCC competitions. The group received an initial $1 million in March in the first AIxCC round to fund the early work needed for ARTIPHISHELL. The winnings also supported the team’s travel and practice participation in cybersecurity competitions.

But now, Shellphish is getting ready to put their money back on the table and bet big that they’ll win in the next round.

They will head to Las Vegas next August for the AIxCC Final Competition, where they will demonstrate their finished system live and compete for an additional $4 million prize.
