Safeguarding Critical Software Infrastructure through Novel AI Systems

The open-source software underlying critical infrastructure — from financial systems to public utilities to emergency services and electronic health records — is vulnerable to malicious cyberattacks. In 2022, there were 1,463 cyberattacks per week globally in the healthcare industry alone, according to the National Institutes of Health. That number has only grown since.

While manual vulnerability detection for increasingly complex open-source software supply chains is both prohibitively time-consuming and prone to human error, dynamic artificial intelligence (AI) algorithms present a viable solution.

Aiming to harness the significant potential of AI to address pervasive cybersecurity challenges, the Defense Advanced Research Projects Agency (DARPA) and Advanced Research Projects Agency for Health (ARPA-H) launched the two-year AI Cyber Challenge (AIxCC) competition.

A Northwestern Computer Science team led by associate professor of computer science Xinyu Xing and professor of computer science Yan Chen was among the top seven scoring teams at the semifinal AIxCC competition, held August 9 - 11 at DEF CON 32 in Las Vegas.

Team 42-b3yond-6ug — a name combining an homage to Douglas Adams's The Hitchhiker's Guide to the Galaxy with the goal to go beyond bug identification to developing viable solutions — was awarded $2 million and will advance to the final competition in August 2025.

The Northwestern Engineering team members included computer science PhD students Ziyi Guo, Dang Le, Wenxuan Shi, Xinqian Sun, Yuhang Wu, and Zheng Yu; visiting scholar Kefu Wu; and research associate Youngjoo Lee; with collaborators Yinzhi Cao (PhD ’14) and Zhengyu Liu (Johns Hopkins University), Yueqi Chen and Qinrun Dai (University of Colorado Boulder), Zheyun Feng and Dongpeng Xu (University of New Hampshire), Jun Xu and Yunhang Zhang (University of Utah), and Meng Xu and Qingyang Zhou (University of Waterloo).

“Fully harnessing AI techniques for vulnerability discovery and patching is a ground-breaking endeavor,” Xing said. “Incorporating and maximizing the usage of AI techniques can significantly boost the capability of cybersecurity systems.”

For the AIxCC semifinals, team 42-b3yond-6ug developed a cyber reasoning system called BugBuster, an integrated toolchain that leverages state-of-the-art AI techniques to automatically find and fix vulnerabilities in modern open-source software systems.

A fully autonomous system, BugBuster is engineered to efficiently identify and analyze vulnerabilities, and automatically generate and validate corresponding patches. BugBuster releases proof-of-vulnerability and proof-of-understanding outputs through oracle instrumentation, which allows the continuous improvement of the system, and generates patches that maintain the intended functionalities of the software.

Chen explained that BugBuster’s architecture facilitates dynamic adjustment in resource allocation, enhancing the overall efficiency and adaptability of the system. System components operate in parallel without the need for a central control panel.

Over the coming year, Team 42-b3yond-6ug will advance BugBuster’s AI components in preparation for the AIxCC final competition.

“This research underscores our commitment to developing specialized, AI-driven solutions for diverse cybersecurity challenges, demonstrating the potential of AI to revolutionize vulnerability identification and remediation in software systems,” Chen said.