Shellphish Submits ARTIPHISHELL to the Final Round of the DARPA AI Cyber Competition

After two years and several rounds of competition, the UCSB hacking collective aims for the $4 million first prize

After two years of working on their Cyber Reasoning System (CRS), called ARTIPHISHELL, the Shellphish team, which was formed as a hacking collecting at UC Santa Barbara in 2005, will submit their system to the Artificial Intelligence Cyber Challenge (AIxCC) team on June 26. The system and those of the other six finalist teams will then be evaluated, and the results presented to the public at the annual DEF CON event, to be held in Las Vegas in August.

Each of the seven teams participating in the final competition has already received $2 million by qualifying in the AIxCC semifinal round, which was held in August 2024. First prize for the final is $4 million, second prize is worth $3 million, and the third-place team will receive $1.5 million.

“As the competition is coming to a close soon, it is worth reflecting on the long journey to this point and acknowledging the dozens of students who have been involved,” said Kruegel. “It is really impressive what the team has achieved, and I am immensely proud of the ingenuity that went into our system, the academic breakthroughs that resulted, and the sheer amount of work and engineering effort. I truly believe that we have meaningfully advanced the state-of-the-art in software security. Of course, I hope that we will win, but I believe that the experiences that our students had and the lifelong bonds such a competition forges are the true reward.”   

Added Vigna, “Our AI system and its agent-based architecture — the culmination of two years of work  — is representative of how much AI has changed the way we attack difficult problems.” 

AIxCC is aimed at harnessing the power of artificial intelligence to counteract the growing threat posed by the exploitation of security flaws in critical software. Organized by the Defense Advanced Research Projects Agency (DARPA) in collaboration with the Advanced Research Projects Agency for Health (ARPA-H) and leading AI firms, the $29.5 million competition is designed to advance automated cybersecurity technologies capable of protecting critical open-source software systems. 

Twenty years after Shellphish was established, and now operating under the guidance of computer science professors and Cyber Security Center leads, Christopher Kruegel and Giovanni Vigna, the hacking collective has grown to include hundreds of people from UCSB, Arizona State University, Purdue University, and other universities and organizations around the world. They are brought together by the joy of collaborating on cutting-edge research, participating in cybersecurity competitions (such as many DEF CON CTFs and the 2016 DARPA CGC), and spending time together. The AIxCC Shellphish team comprises professors and students from UCSB, ASU, and Purdue.

Over the past two years, the group has created and refined ARTIPHISHELL, an agent-based system that uses AI autonomously to find vulnerabilities and patch them in complex, real-world software that is routinely used in the nation's critical infrastructure. ARTIPHISHELL has more than sixty AI agents programmed to collaborate to identify and fix bugs without any human intervention. This allows for increasing the scale and speed at which flaws in critical software can be analyzed and mitigated, before they can be exploited by malicious threat actors. 

AIxCC brings together the cybersecurity and AI communities to design autonomous CRSs that can identify and patch software vulnerabilities. The competition unfolds over a series of structured rounds, including three unscored exhibitions and one scored final round, culminating in August at DEF CON 33. 

For everyone at the College of Engineering, Good luck, SHELLPHISH!