HITB⁺ AI Challenge

A malware evasion and penetration testing challenge for machine learning and AI enthusiasts with US$100,000 up for grabs!

CONGRATULATIONS TO OUR FINALISTS

The following teams have been selected to receive USD10k and be flown to HITB+ CyberWeek in Abu Dhabi where they'll show off their final projects and our judges will vote for who should get the grand prize of USD50k!

  • Deep(P)en – Eindhoven University of Technology – Netherlands
  • tAIchi – New York University Abu Dhabi – United Arab Emirates
  • FullHunt – New York University ++ Private / United Arab Emirates
  • sploit00n – National Research Nuclear University MEPhI – Russia
  • Dirichlet’s Principle – American Univ of Sharjah / U. Toronto / Harvard

Overview

AI and deep learning are revolutionizing all industries, and the cyber security industry is no exception. Changing times mean changing tactics, and machine learning is going to be at the center of all things cyber security. To stay one step ahead, we need to think differently.

If you like solving complex problems, know your CNNs from your RNNs, and the worlds of PyTorch and TensorFlow are your playgrounds, then we’ve got a security challenge for you!

We initiated this competition to spur the development of defensive security solutions using advances in machine learning to detect and protect against vulnerabilities and malicious exploits.  We have a bold ambition: to accelerate progress in automated cyber defense processes and contribute to the development of the first generation of autonomous and real-time models applied to cyber security problems.

Challenge 1: ExploAIt

Prize: US$50,000

You know pwn fu? It’s time to teach your AI to hack!

We’re challenging you to develop an automated penetration testing model based on the DeepExploit framework (https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit).

The goal is to produce a tool which can be pointed at a victim machine, and will use AI to exploit the victim machine completely automatically and without the need for human intervention.

Teams will be provided with a series of virtual machines with known vulnerabilities as testing data. Expected output consists of the development of a fully automatic penetration test tool using Machine Learning.  The HITB testing VMs will be released the first week of July.

The penetration testing tool should perform the following:

    • Intelligence gathering
    • Threat Modelling
    • Vulnerability analysis
    • Exploits analysis
    • Blue team Exploitation  
    • Post-Exploitation Reporting

All of these steps should be performed without any intervention by the team; however, the team may intervene between steps.

Evaluation Criteria:

Submissions will be evaluated on a points basis with points being awarded for:

  • The sophistication of the ML model derived and underlying algorithms being used (for example, managing to build an RNN model vs. a CNN model with simplified Matrix operations vs. Vector operations vs. SVMs, etc.)
  • The performance of the model in terms of speed and thoroughness
  • Quality of documentation

Challenge 2: MalwAIre

Prize: US$50,000

Finding needles in haystacks is hard. Detecting constantly evolving malware is even harder.

The goal of this contest is to use reinforcement learning and generative adversarial networks to modify existing malware to defeat virus detection agents. Teams will receive as input, decompiled code of known malware. A successful entry will use AI to modify this code so that it still functions as malware and can successfully avoid detection by antivirus scanners.

For testing data, you may use the examples in this repository: https://github.com/ytisf/theZoo. This repository contains both binaries and source code for actual malware examples. Please do NOT submit your example with live malware binaries.

Evaluation Criteria:

 

Submissions will be evaluated on a points basis with points being awarded for:

  • The number of anti-virus scanners that the updated malware can bypass on VirusTotal.
  • The ability of the updated malware to perform its original functionality
  • Quality of documentation

    I Am AI. Take Me To Your Data.

    Application Deadline: 31st July 2019
    Code Submission Deadline: 15th August 2019

    Teams selected for the final round will have their models judged in a public demonstration on the 16th & 17th of October at HITB+ CyberWeek in Abu Dhabi

    RULES

      • Participating teams should consist of 3 – 5 team members.
      • At least one team member from each team must qualify as a full-time student, as defined by the institution they are attending.
      • The remaining team members can be working or part-time students.
      • Each team will designate a team captain for the duration of the competition to act as the team liaison between the competition staff and the teams.
      • Teams may submit an application to only one of the competition topics listed below.
      • Team members can only participate on one team in the competition.
      • Decisions of the judges are final and not subject to appeal.
      • Teams will be selected to the semi-finalist round based on the selection criteria for that competition topic.
      • In the case where a team is selected to the semi-finalist round, final product submission is expected by the deadline.
      • A team’s work must be their own, original work.  
      • Any entries which contain code that is deemed to have been plagiarized from other sources will be immediately disqualified.  
      • External code is permitted with appropriate attribution.

      We encourage teams to be student-led: faculty, staff, and external partners may only play an advisory role for student teams.

        Submission Procedure

        1. Fill in the form
        2. Once accepted, you will receive an email with a private GitHub repo link (all team members will be granted access to their respective team’s repo).
        3. Provide us your final code by the deadline

        The final product must be posted to a branch named final_submission in the team’s respective repository by the submission deadline. After the submission deadline, this branch will be locked. If a team is accepted for the final round, they will be informed and their push privileges will be restored to all branches.

        Submission Requirements

        The final product submission should consist of:

        • All executable code and documentation.
        • Installation instructions
        • Training and testing data as applicable
        • Testing procedures and results

        The documentation must include installation instructions and any other information that the judges would need to install and execute your code.

        If the judges are unable to install or execute your product due to incomplete documentation or errors after running the code, it is at the judges' discretion whether they will continue to evaluate your entry, so please test your code and installation instructions. The documentation should include information about installing any 3rd party dependencies. Incomplete, undocumented, or unexecutable entries will not be accepted.

        Prizes

        A grand prize of $50,000 per category!

        • From all submitted applicants, three semi-finalist teams will be selected for each of the two competition projects.
        • Each of the six semi-finalist teams will be awarded a grant of $10,000 to be used to develop their model further / to be shared among their team members as they see fit.
        • Each semifinalist team will be provided with:
          • A max $6,000 reimbursement for team transportation to the HITB+CyberWeek conference held in Abu Dhabi, UAE, on October 12-17, 2019.
          • Hotel accommodation for 4 nights / 5 days (shared) booked by HITB.
          • Complimentary access to HITB+ CyberWeek conference and activities.

        Judges

        Dr. Hoda Alkhzaimi

        Director of Center for Cyber Security, New York University AD

        Hoda A. Alkhzaimi is currently a research assistant professor at New York University and the Director of the Center of Cyber Security at New York University AD. She has served in different posts for research and development in Cyber Security and Cryptology for the past years. She headed the Department of Research and Development for Cyber Security and Cryptology in different national initiatives in the United Arab Emirates, along with her associations with different security initiatives nationally and internationally.

        Dr. Fadi Aloul

        Professor & Department Head of Computer Science & Engineering, American University of Sharjah

        Dr. Fadi holds PhD and MS degrees in Computer Science & Engineering from the University of Michigan, Ann Arbor, USA, and a BS degree in Electrical Engineering summa cum laude from Lawrence Technological University, Michigan, USA. He is the founder of several cyber security awareness initiatives in the UAE, including UAE’s Cyber Academy.

        Eric Camellini

        Security Lead, buildo

        Eric Camellini is a software and security engineer at buildo, in Milano, Italy, where he is working on the evolution of the company design & development process with a focus on security. He works day-by-day on software projects where security is crucial and taken into account in all phases, starting from the design down to the development and deployment. Before that, he was a Computer Science and Engineering master’s student at Politecnico di Milano, where he graduated cum laude. During his studies, he worked as a research intern at the Security Laboratory at UCSB (UCSB Seclab), in Santa Barbara, California.

        Dr. Stefano Zanero

        Associate Professor, Politecnico di Milano

        I received a Ph.D. degree in Computer Engineering from the Politecnico of Milano university, where I am currently an associate professor. My research interests focus on cybersecurity: cyberphysical systems security, computer virology, malware analysis, financial fraud, and in general data analysis applied to security. 

        Isao Takaesu

        Author, DeepExploit

        Isao Takaesu is a CISSP. He works at Mitsui Bussan Secure Directions, Inc. as a security engineer and researcher. He has found many vulnerabilities in enterprise servers and proposed countermeasures to those enterprises. He thinks that there are more and wants to find them. Therefore, he is focused on artificial intelligence technology for cyber security. He is now developing the penetration testing tool DeepExploit.

        Charles Givre

        Co-Founder, GTK Cyber

        An innovative, resourceful, and self-motivated data scientist with 10 years of experience in the intelligence community in various organizations. I am passionate about solving difficult problems with data, and using data in unique ways to drive business decisions. Additionally, I enjoy teaching and mentoring.

        Dr. Bushra Al Belooshi

        Research and Innovation Manager, Dubai Electronic Security Center (DESC)

        Dr. Bushra AlBelooshi is the Research and Innovation Manager at Dubai Electronic Security Center (DESC). Prior to joining DESC, AlBelooshi was a research assistant and a PhD candidate in the Electrical and Computer Engineering department at Khalifa University of Science, Technology and Research (KUSTAR), UAE. AlBelooshi has a master's in Information Security from KUSTAR and another master's in Public Administration from Mohammed Bin Rashed College in collaboration with Harvard University.

        Dr. Bushra’s research interests include cloud computing, cyber security, forensics and cryptography. She is one of the inventors of the “Volatile Memory Erasure by Controlling Refreshment of Stored Data” patent submitted to US Regular Patent. AlBelooshi has also published and participated in many national and international conferences.

        Organizers & Partners

        (HITB CyberWeek Main Organizer)

        GTK Cyber
        (Co-Organizer / University Outreach Partner)

        Take control of your cyber career and get on the fast track to success. Countering tomorrow's cyber threats requires a novel way of thinking. We teach how to efficiently hunt threats and identify anomalous network behavior using data science. We create force multipliers. We transform analysts into automating machines.