This August, a motley assortment of approximately 30,000 attendees, including some of the best cybersecurity professionals, expert programmers and officials from top government agencies packed the Las Vegas Convention Center for DEF CON, the world’s largest hacker convention.

At the convention, a cybersecurity cohort of professors, researchers and graduate students from Arizona State University waited anxiously in a crowded ballroom for the results of the semifinal round of the DARPA AI Cyber Challenge, also known as AIxCC.

The 25-person Shellphish team, comprised of ‘hackademics’ from ASU, the University of California, Santa Barbara and Purdue University had been preparing for this day since March. 

They now waited on the edges of their seats for the answer to a burning question. Would they receive the $2 million in prize money that would enable them to continue their work?

A mural greets DEF CON attendees in the Las Vegas Convention Center.

(Courtesy Jackie LeFevers/ASU)

The AIxCC is a competition hosted at DEF CON by the U.S. Defense Advanced Research Projects Agency, or DARPA, to spur the development of a cybersecurity system powered by artificial intelligence, or AI. 

Because of its desire to protect hospitals, pharmacies and medical devices from cyberattacks, the U.S. Advanced Research Projects Agency for Health, or ARPA-H, is also collaborating on the competition and has expanded the prize pool.

In the semifinals, $14 million were on the line. But the true stakes are even higher. The work is part of the U.S. government’s vital efforts to shore up national cybersecurity defense.

A massive cybersecurity workforce shortage, vulnerabilities in open-source software and a drastic rise in cybercrime have created a desperate need for solutions that can be deployed now to protect the nation’s technical infrastructure.

Open-source software creates cybercrime openings

The Internet Crime Report compiled annually by the FBI warns of an alarming growth in cybercrime, with a record number of complaints received in 2023 and reported financial losses set to exceed $12.5 billion annually. 

Meanwhile, there are an estimated 3.5 million unfilled cybersecurity jobs with around 750,000 of those vacant positions open here in the U.S.

The widespread use of open-source software has created heightened vulnerabilities. With such software, source code is publicly available. Anyone can inspect the code, and anyone can modify it. Anyone can also comb through the code to spot security weaknesses. 

The Linux operating system, the web browser Mozilla Firefox and the web content management system WordPress are popular examples of open-source software.

In March, a lone engineer from Microsoft single-handedly prevented what NPR dubbed, “The hack that almost broke the internet,” spotting what’s now known as the XZ hack, an attack on an open-source data compression utility that would have made it possible for bad actors to remotely access millions of computers.

The ASU AIxCC team is part of a small business venture called the Shellphish Support Syndicate that is organized by Adam Doupé, Fish Wang and Yan Shoshitaishvili, three associate professors of computer science and engineering in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University.

Its objective is to support the Shellphish team through education and research initiatives.

Working with doctoral students, researchers and fellow faculty members, Doupé, Wang and Shoshitaishvili collaborated on the development of an AI-based system called ARTIPHISHELL. Their solution can automatically analyze the code that runs a piece of software, correct any security vulnerabilities found and then retest the system.

Shoshitaishvili said that ARTIPHISHELL is a giant leap toward achieving their vision of humans working alongside AI to keep software safe. 

“Addressing critical cybersecurity challenges will require us to invent new paradigms of collaboration between the human and digital world,” Shoshitaishvili said.

All bets are off

It’s this new vision they brought to the AIxCC Semifinals Competition.

The Shellphish team erupted in cheers at the announcement that they had won. The group is one of seven semifinal winners, out of more than 40 total entries, who will receive $2 million in funds to continue their development work.

Doupé, who is also the director of the Center for Cybersecurity and Trusted Foundations, notes that these types of AI systems are urgently needed for enterprise software as well. Many of these systems rely in part on open-source code and even those that don’t need help with ongoing maintenance.

Adam Doupé (second from left), leads Shellphish in a cheer following the cybersecurity team’s big win in a Las Vegas hacking competition in …

(Courtesy Jackie LeFevers/ASU)

“Today, a company might hire a team of really good cybersecurity consultants to audit their system. That team will find and patch vulnerabilities,” he said. “Then they move on to their next project. But who tests the company’s system the next week? Or the week after that?”

The latest win marks $3 million in total prize money awarded to the Shellphish team from AIxCC competitions. The group received an initial $1 million in March in the first AIxCC round to fund the early work needed for ARTIPHISHELL. 

The winnings also supported the team’s travel and practice participation in cybersecurity competitions.

But now, Shellphish is getting ready to put their money back on the table and bet big that they’ll win in the next round.

They will head to Las Vegas next August for the AIxCC Final Competition where they will demonstrate their finished system live and compete for an additional $4 million prize.