Shellphish qualifies for AIxCC Final event with $2-million cash award
Purdue University students and faculty are part of a team that has advanced to the finals of the prestigious AI Cyber Challenge. The Shellphish hacker collective also includes representatives from Arizona State University and UC Santa Barbara. This remarkable achievement comes with a $2 million cash award.
The DARPA AIxCC competition brings together the brightest minds in artificial intelligence and cybersecurity, to develop novel AI-driven systems that can find and repair the software components supporting the nation's critical infrastructure. Shellphish’s entry is the cutting-edge Cyber Reasoning System (CRS), ARTIPHISHELL. The LLM-based system has demonstrated exceptional capabilities in autonomously identifying, analyzing, and patching complex vulnerabilities found in real-world software.
Aravind Machiry, professor in the Elmore Family School of Electrical and Computer Engineering at Purdue, said ARTIPHISHELL's qualification for the finals is a testament to the team's dedication, innovative approach, and technical expertise.
“This milestone of ARTIPHISHELL in the competition demonstrates the capabilities of LLMs to handle common security tasks paving the way for more disruptive research in this direction,” said Machiry.
Antonio Bianchi, an assistant professor of computer science at Purdue, said ARTIPHISHELL has been developed over several years and competitions.
"Many ideas developed as part of other cutting-edge DARPA programs, such as CHESS, HACCS, AMP, and HARDEN have contributed to defining the ideas at the basis of ARTIPHISHELL," said Bianchi.
Adam Doupe is CEO at Shellphish Support Syndicate (the company supporting Shellphish's effort) and Director of the Center for Cybersecurity and Trusted Foundations at Arizona State University, where he is an Associate Professor.
"We are thrilled to see ARTIPHISHELL making it to the final round," said Doupe. "This accomplishment reflects the team's hard work and collaborative spirit. We are eager to compete in the finals and continue pushing the boundaries of what AI and LLMs can achieve in cybersecurity."
Having been the only CRS in the competition to patch one of the identified vulnerabilities in the nginx target, Shellphish is looking forward to seeing how far they can advance the CRS in the upcoming year. The $2 million cash award will further support the Shellphish team's efforts to refine and enhance ARTIPHISHELL as they prepare for the final phase of the competition, which is scheduled for August 2025. The seven qualifying teams will compete for not only bragging rights in the finals, but also a portion of the $8.5-million prize money reserved for the top three.
In addition to Machiry and Bianchi, team members from Purdue include:
From ECE:
- Aditya Vardhan Padala, PhD student
- Sourag Cherupattamoolayil, PhD Student
- Shashank Sharma, PhD student
From the Department of Computer Science:
- Siddharth Muralee, PhD student
- Han Dai, Graduate Research Assistant
- Hongwei Li, graduate student
- Yuzhou Nie, PhD student
Shellphish was founded in 2005 when it won the prestigious DEF CON Capture the Flag competition. Since then, the team has grown into a team of "hackademics" participating in both security competitions and producing a substantial corpus of research. Shellphish also competed in the DARPA Cyber Grand Challenge (CGC) in 2016, ultimately winning 3rd place and $750,000 in prize money with the world's first open-source cyber reasoning system, the Mechanical Phish.