28 results on '"Sangchul Han"'
Search Results
2. Machine-Learning-Based Android Malware Family Classification Using Built-In and Custom Permissions
- Author
- Daehan Kim, Seong-je Cho, Sangchul Han, Changha Hwang, Minkyu Park, and Min-Ki Kim
- Subjects
- built-in permission, Technology, Software_OPERATINGSYSTEMS, QH301-705.5, Computer science, QC1-999, Android malware, Permission, Machine learning, computer.software_genre, Classifier (linguistics), balanced accuracy, Feature (machine learning), General Materials Science, AdaBoost, Biology (General), Malware analysis, QD1-999, Instrumentation, Fluid Flow and Transfer Processes, business.industry, Physics, Process Chemistry and Technology, General Engineering, Engineering (General). Civil engineering (General), Matthews correlation coefficient, Computer Science Applications, Chemistry, ComputingMethodologies_PATTERNRECOGNITION, machine learning, Malware, Artificial intelligence, TA1-2040, malware family classification, business, computer, custom permission
- Abstract
Malware family classification is grouping malware samples that have the same or similar characteristics into the same family. It plays a crucial role in understanding notable malicious patterns and recovering from malware infections. Although many machine learning approaches have been devised for this problem, there are still several open questions including, “Which features, classifiers, and evaluation metrics are better for malware familial classification?” In this paper, we propose a machine learning approach to Android malware family classification using built-in and custom permissions. Each Android app must declare proper permissions to access restricted resources or to perform restricted actions. Permission declaration is an efficient and obfuscation-resilient feature for malware analysis. We developed a malware family classification technique using permissions and conducted extensive experiments with several classifiers on a well-known dataset, DREBIN. We then evaluated the classifiers in terms of four metrics: macrolevel F1-score, accuracy, balanced accuracy (BAC), and the Matthews correlation coefficient (MCC). BAC and the MCC are known to be appropriate for evaluating imbalanced data classification. Our experimental results showed that: (i) custom permissions had a positive impact on classification performance, (ii) even when the same classifier and the same feature information were used, there was a difference of up to 3.67% between accuracy and BAC, and (iii) LightGBM and AdaBoost performed better than the other classifiers we considered.
- Published
- 2021
3. Distribution of Malicious Apps Considering App Categories and Development Tools in Major Android Markets
- Author
- OhJiHwan, Sangchul Han, Lee Myeonggeon, and Seong-je Cho
- Subjects
- Computer science, Malware, Android (operating system), Computer security, computer.software_genre, computer
- Published
- 2019
4. A New Technique for Detecting Android App Clones Using Implicit Intent and Method Information
- Author
- Seong-je Cho, Soyeon Jeon, Byoungchul Kim, Sangchul Han, Jongmoo Choi, and Jaemin Jung
- Subjects
- Reverse engineering, ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION, GeneralLiterature_INTRODUCTORYANDSURVEY, Computer science, 020206 networking & telecommunications, 0102 computer and information sciences, 02 engineering and technology, computer.software_genre, 01 natural sciences, Android app, 010201 computation theory & mathematics, Human–computer interaction, mental disorders, 0202 electrical engineering, electronic engineering, information engineering, Android (operating system), computer, Repackaging
- Abstract
Detecting repackaged apps is one of the important issues in the Android ecosystem. Many attackers reverse engineer a legitimate app, modify it or embed malicious code into it, then repackage and distribute it in the online markets. They also employ code obfuscation techniques to hide app cloning or repackaging. In this paper, we propose a new technique for detecting repackaged Android apps, which is robust to code obfuscation. The technique analyzes the similarity of Android apps based on the method call information of component classes that receive implicit intents. We developed a tool, Calldroid, that implements the proposed technique, and evaluated it on apps transformed using well-known obfuscators. The evaluation results showed that the proposed technique can effectively detect repackaged apps.
- Published
- 2019
5. Detecting Malicious Android Apps using the Popularity and Relations of APIs
- Author
- Byoungchul Kim, Kyoungwon Suh, Jaemin Jung, Kyeonghwan Lim, Seong-je Cho, and Sangchul Han
- Subjects
- 0209 industrial biotechnology, Software_OPERATINGSYSTEMS, Information retrieval, Computer science, 02 engineering and technology, computer.software_genre, Popularity, 020901 industrial engineering & automation, Android malware, mental disorders, 0202 electrical engineering, electronic engineering, information engineering, Malware, 020201 artificial intelligence & image processing, Android (operating system), computer
- Abstract
Accurate malware detection is important to protect Android users against the growing number of sophisticated malware samples. In this paper, we propose a simple but efficient malware detection methodology that identifies a subset of Android APIs as classification features. Since each app needs to use a set of Android APIs to fulfill its main objective, the list of APIs used in an app represents the app’s characteristics. Our methodology constructs two ranked lists of Android APIs, namely benign_API_list and malicious_API_list. The benign_API_list contains the most commonly invoked APIs among benign apps and the malicious_API_list contains the most commonly invoked APIs among malicious apps. Then, for a given suspicious app, we compute the sum of the inverse values of the rankings of the used benign APIs and also the sum of the inverse values of the rankings of the used malicious APIs. We determine whether the app is benign or malicious by comparing the two sums. More specifically, if the sum of inverse values based on benign apps is larger than the one based on malicious apps, we determine that the given app is benign. Otherwise, we determine that the given app is malicious. Our experimental evaluation shows that the proposed methodology achieves an accuracy of 87.35%~89.93% for Android malware detection. The proposed method can possibly be utilized for feature selection in machine learning-based malware detection algorithms.
- Published
- 2019
6. Classifying Windows Executables using API-based Information and Machine Learning
- Author
- Seong-je Cho, Young-Sup Hwang, Sangchul Han, Kyeonghwan Lim, and DaeHee Cho
- Subjects
- Computer science, business.industry, Software classification, Data mining, Executable, computer.file_format, Artificial intelligence, Machine learning, computer.software_genre, business, computer
- Published
- 2016
7. A software classification scheme using binary-level characteristics for efficient software filtering
- Author
- Ilsun You, Seong-je Cho, Sangchul Han, and Yesol Kim
- Subjects
- Scheme (programming language), business.industry, Computer science, 020207 software engineering, Static program analysis, 02 engineering and technology, Machine learning, computer.software_genre, Theoretical Computer Science, Software, 0202 electrical engineering, electronic engineering, information engineering, Overhead (computing), 020201 artificial intelligence & image processing, Geometry and Topology, Software system, Artificial intelligence, Data mining, Software regression, business, computer, computer.programming_language
- Abstract
Software filtering systems can be employed to detect and filter out pirated or counterfeit software on Web sites and peer-to-peer networks. They determine whether a suspicious program is legal or not by comparing it with original programs in a database or in the market. To identify pirated or counterfeit software, software filtering systems need to measure software similarity when comparing a suspicious program with original ones. In this case, the comparison overhead might be very high because, in the worst case, the suspicious program is compared with all programs in the database or market. This paper proposes a software classification scheme for efficient software filtering systems. The scheme focuses specifically on Windows portable executable files, which have been prime targets for software pirates. The scheme extracts software characteristics from a suspicious program and quickly classifies it into one of the pre-defined categories based on those characteristics. In most cases the suspicious program is compared only with the programs in that category; thus, the comparison overhead is reduced. We propose two classification methods. The first one extracts strings from the GUI-related resources of a program and computes the relevance of the program to each category based on the pre-computed scores of the strings. The second one extracts API call frequencies from a program's execution code and uses the Random Forest technique to classify the program. Experimental results show that the proposed scheme can classify programs effectively and can reduce the comparison overhead significantly.
- Published
- 2016
8. Android malware detection using convolutional neural networks and data section images
- Author
- Seong-je Cho, Young-Sup Hwang, Minkyu Park, Sangchul Han, Jongmoo Choi, and Jaemin Jung
- Subjects
- Computer science, business.industry, Image processing, Pattern recognition, 0102 computer and information sciences, 02 engineering and technology, computer.file_format, computer.software_genre, 01 natural sciences, Grayscale, Convolutional neural network, Identifier, Stochastic gradient descent, 010201 computation theory & mathematics, Header, 0202 electrical engineering, electronic engineering, information engineering, Malware, 020201 artificial intelligence & image processing, Executable, Artificial intelligence, business, computer
- Abstract
The paper proposes a new technique to detect Android malware effectively based on converting malware binaries into images and applying machine learning techniques to those images. Existing research converts the whole executable files (e.g., DEX files in an Android application package) of target apps into images and uses them for machine learning. However, the entire DEX file (consisting of a header section, identifier section, data section, optional link data area, etc.) might contain noisy information for malware detection. In this paper, we convert only the data sections of DEX files into grayscale images and apply machine learning on the images with Convolutional Neural Networks (CNN). By using only the data sections of 5,377 malicious and 6,249 benign apps, our technique reduces the storage capacity by 17.5% on average compared to using the whole DEX files. We apply two CNN models, Inception-v3 and Inception-ResNet-v2, which are known to be efficient in image processing, and examine the effectiveness of our technique in terms of accuracy. Experimental results show that the proposed technique achieves better accuracy with smaller storage capacity than the approach using the whole DEX files. Inception-ResNet-v2 with the stochastic gradient descent (SGD) optimization algorithm reaches 98.02% accuracy.
- Published
- 2018
9. An effective and intelligent Windows application filtering system using software similarity
- Author
- Seong-je Cho, Sangchul Han, Minkyu Park, Guk-Seon Lee, Young-Sup Hwang, Yesol Kim, and Dongjin Kim
- Subjects
- Scheme (programming language), business.industry, Computer science, 010102 general mathematics, 02 engineering and technology, Filter (signal processing), computer.file_format, Similarity measure, computer.software_genre, 01 natural sciences, Theoretical Computer Science, Software, 0202 electrical engineering, electronic engineering, information engineering, Microsoft Windows, 020201 artificial intelligence & image processing, The Internet, Geometry and Topology, Software system, Executable, Data mining, 0101 mathematics, business, computer, computer.programming_language
- Abstract
As licensed programs are pirated and illegally spread over the Internet, it is necessary to filter illegally distributed or cracked programs. Conventional software filtering systems can prevent unauthorized dissemination of the programs maintained in their databases using an exact matching method, where the feature of a suspicious program is the same as that of a program stored in the database. However, conventional filtering systems have limitations in dealing with cracked or new programs which are not maintained in their databases. To address these limitations, we design and implement an efficient and intelligent software filtering system based on software similarity. Our system measures the similarity of the characteristics extracted from an original program and a suspicious one (or a cracked one) and then determines whether the suspicious program is a cracked version of the copyrighted original program based on the similarity measure. In addition, the proposed system can handle a new program by categorizing it using a machine learning scheme. This scheme helps an unknown program to be identified by narrowing the search space. To demonstrate the effectiveness of the proposed system, we perform a series of experiments on a number of executable programs under Microsoft Windows. The experimental results show that our system has achieved comparable performance.
- Published
- 2015
10. Static and Dynamic Analysis of Android Malware and Goodware Written with Unity Framework
- Author
- Minkyu Park, Kyeonghwan Lim, Seong-je Cho, Sangchul Han, and Jaewoo Shim
- Subjects
- Reverse engineering, Article Subject, Computer Networks and Communications, Computer science, GeneralLiterature_INTRODUCTORYANDSURVEY, 020206 networking & telecommunications, 020207 software engineering, 02 engineering and technology, computer.file_format, Static analysis, computer.software_genre, Android malware, lcsh:Technology (General), 0202 electrical engineering, electronic engineering, information engineering, Operating system, Java code, Malware, lcsh:T1-995, Executable, Android (operating system), lcsh:Science (General), computer, Machine code, Information Systems, lcsh:Q1-390
- Abstract
Unity is the most popular cross-platform development framework for developing games for multiple platforms such as Android, iOS, and Windows Mobile. While Unity developers can easily develop mobile apps for multiple platforms, adversaries can also easily build malicious apps based on the “write once, run anywhere” (WORA) feature. Even though malicious apps have been discovered among Android apps written with the Unity framework (Unity apps), little research has been done on analysing such malicious apps. We propose static and dynamic reverse engineering techniques for malicious Unity apps. We first inspect the executable file format of a Unity app and present an effective static analysis technique for Unity apps. Then, we also propose a systematic technique to dynamically analyse a Unity app. Using the proposed techniques, a malware analyst can statically and dynamically analyse Java code, native code in C or C++, and the Mono runtime layer where the C# code is running.
- Published
- 2018
11. An Anti-Reverse Engineering Technique using Native code and Obfuscator-LLVM for Android Applications
- Author
- Sangchul Han, Jongmoo Choi, Jaemin Jeong, Kyeonghwan Lim, Minkyu Park, Seong-je Cho, and Seong-Tae Jhang
- Subjects
- Reverse engineering, Java, Computer science, Call stack, Programming language, Code reuse, Byte, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, Obfuscation (software), 0202 electrical engineering, electronic engineering, information engineering, Operating system, 020201 artificial intelligence & image processing, Android (operating system), computer, Machine code, computer.programming_language
- Abstract
Android applications are exposed to reverse engineering attacks. In particular, applications written in Java are more prone to reverse engineering than applications written in native-code languages such as C or C++ on the Android platform. This is because Java applications are distributed as bytecode, while applications written in native-code languages are distributed as low-level binary code. In this paper, we propose a new technique to protect Android applications against reverse engineering. Three key characteristics of the proposed approach are as follows. First, we write the main parts of the application in native code using the Android NDK. This not only makes reverse engineering more difficult, but is also more effective in terms of code reuse. Second, we introduce obfuscation, which hides the intent of the native code and obscures its structure, at the intermediate representation (IR) level. Finally, we integrate an integrity verification scheme which detects whether the critical module of the application has been modified prior to execution of the application. Based on the results of experimentation on five known Android applications, we show that the proposed techniques can be applied without a significant effect on performance.
- Published
- 2017
12. A dual speed scheme for dynamic voltage scaling on real-time multiprocessor systems
- Author
- Minkyu Park, Sangchul Han, Moonju Park, and Xuefeng Piao
- Subjects
- Scheme (programming language), Computer science, Multiprocessing, Parallel computing, Energy consumption, Theoretical Computer Science, Dual (category theory), Scheduling (computing), Dynamic voltage scaling, Task (computing), Hardware and Architecture, computer, Software, Information Systems, computer.programming_language
- Abstract
This paper proposes an off-line dynamic voltage scaling (DVS) scheme that can be integrated with EDF$^{(k)}$, which is a global real-time scheduling algorithm for symmetric multiprocessor systems. The scheme computes the static execution speed for each individual task assuming the task's worst-case execution. Based on the individual speed, it determines static dual speeds off-line for each task to make use of the gap between the actual execution demand and the worst-case execution demand. The simulation results show that the proposed scheme combined with an existing online DVS technique can reduce energy consumption by up to 37% compared with a uniform speed technique when the number of processors is 32.
- Published
- 2014
13. Two-Round Password-Only Authenticated Key Exchange in the Three-Party Setting
- Author
- Kim-Kwang Raymond Choo, Dongho Won, Junghyun Nam, Juryon Paik, and Sangchul Han
- Subjects
- TheoryofComputation_MISCELLANEOUS, Physics and Astronomy (miscellaneous), Computer science, General Mathematics, communication round, Oakley protocol, dictionary attack, Computer security, computer.software_genre, Key authentication, Computer Science (miscellaneous), Key-agreement protocol, Password, Cryptographic primitive, business.industry, lcsh:Mathematics, three-party key exchange, Cryptographic protocol, lcsh:QA1-939, implicit key authentication, Authenticated Key Exchange, password-only authenticated key exchange (PAKE), Chemistry (miscellaneous), Authentication protocol, symmetric encryption, business, computer, Computer network
- Abstract
We present the first provably-secure three-party password-only authenticated key exchange (PAKE) protocol that can run in only two communication rounds. Our protocol is generic in the sense that it can be constructed from any two-party PAKE protocol. The protocol is proven secure in a variant of the widely-accepted model of Bellare, Pointcheval and Rogaway (2000) without any idealized assumptions on the cryptographic primitives used. We also investigate the security of the two-round, three-party PAKE protocol of Wang, Hu and Li (2010) and demonstrate that this protocol cannot achieve implicit key authentication in the presence of an active adversary.
- Published
- 2015
14. Runtime Input Validation for Java Web Applications using Static Bytecode Instrumentation
- Author
- Jongmoo Choi, Sangwook Cho, Minkyu Park, Seong-je Cho, Sangchul Han, and Gyoosik Kim
- Subjects
- Java, business.industry, Computer science, Cross-site scripting, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, Directory traversal attack, Bytecode, SQL injection, 0202 electrical engineering, electronic engineering, information engineering, Operating system, Web application, 020201 artificial intelligence & image processing, Web service, business, computer, Java applet, computer.programming_language
- Abstract
As web applications are becoming more prominent due to the ubiquity of web services, web applications have become main targets for attackers. In order to steal or leak sensitive user data managed by web applications, attackers exploit a wide range of input validation vulnerabilities such as SQL injection, path traversal (or directory traversal), cross-site scripting (XSS), etc. This paper proposes a technique that can verify the input values of Java-based web applications using static bytecode instrumentation and runtime input validation. The technique searches for target methods or object constructors in compiled Java class files, and statically inserts bytecode modules. At runtime, the instrumented bytecode modules validate the input values of the targets, and take countermeasures against malicious inputs. The proposed technique can mitigate the input validation vulnerabilities in Java-based web applications without source code. To evaluate the effectiveness of the proposed technique, experiments are carried out with an insecure web application maintained by the OWASP WebGoat Project. The experimental results show that the proposed technique successfully mitigates input validation vulnerabilities such as SQL injection and path traversal.
- Published
- 2016
15. An Efficient Prefix Caching Scheme with Bounded Prefix Expansion for High-Speed IP Lookup
- Author
- Junghwan Kim, Minkyu Park, Sangchul Han, and Jin-Soo Kim
- Subjects
- Scheme (programming language), Theoretical computer science, Computer Networks and Communications, Computer science, Parallel computing, Prefix delegation, Prefix, Bounded function, Longest prefix match, Electrical and Electronic Engineering, Routing (electronic design automation), computer, Software, computer.programming_language
- Published
- 2012
16. Machine learning-based software classification scheme for efficient program similarity analysis
- Author
- Minkyu Park, Jonghyuk Park, Seong-je Cho, Sangchul Han, Yesol Kim, and Yunmook Nah
- Subjects
- Scheme (programming language), Artificial neural network, Computer science, business.industry, Static program analysis, Machine learning, computer.software_genre, Random forest, Counterfeit, Software, The Internet, Software system, Artificial intelligence, Data mining, business, computer, computer.programming_language
- Abstract
For the health of software ecosystems, we should detect and filter out pirated and counterfeit software on Web sites and peer-to-peer (P2P) networks. Whenever a suspicious program is found on the Internet or in a software market, we can adopt a software filtering system that determines whether the program is a legal one or not by comparing it with all the programs maintained in the market. That is, we need to measure the similarity between a suspicious program and one of the programs in the market to determine whether the suspicious program is a pirated or hacked version of its original. In this case, it is necessary to reduce the number of programs to be compared since there are so many programs in the market. This paper proposes a machine learning-based software classification scheme to reduce the number of comparisons for measuring software similarity. The scheme extracts API call frequencies from a suspicious program, and classifies the program automatically through a machine learning technique such as random forests. Experimental results show that the proposed scheme can effectively classify a program into one of nine categories and can reduce the time to determine whether the program is an illegal version or not.
- Published
- 2015
17. Protecting Android Applications with Multiple DEX Files against Static Reverse Engineering Attacks
- Author
- Seong-je Cho, Younsik Jeong, Sangchul Han, Minkyu Park, Kyeonghwan Lim, and Nak Young Kim
- Subjects
- 060201 languages & linguistics, Reverse engineering, Computer science, 06 humanities and the arts, 02 engineering and technology, computer.software_genre, Theoretical Computer Science, Computational Theory and Mathematics, Artificial Intelligence, 0602 languages and literature, 0202 electrical engineering, electronic engineering, information engineering, Operating system, 020201 artificial intelligence & image processing, Android (operating system), computer, Software
- Published
- 2018
18. Characteristics and perspectives of wearable smart devices and industrial ecosystem
- Author
- Sangchul Han, Hui Sik Kim, and Youn-Hee Han
- Subjects
- Open platform, Multimedia, business.industry, Computer science, media_common.quotation_subject, Smart device, Wearable computer, computer.software_genre, law.invention, Product (business), Industrial ecosystem, law, Internet of Things, business, Telecommunications, Function (engineering), computer, Wearable technology, media_common
- Abstract
The wearable smart device industry is booming and has recently been highlighted by the market as an alternative for the post-smartphone era. Wearable smart devices have an intrinsic nature in which their visual style, as in fashion, is as important as their sophisticated functions. They also have unique characteristics of industrial ecosystem that differ from the ecosystem of the smartphone industry. In this paper, we insist that there are a huge number of vertical markets for wearable smart device products and services. We also suggest that small and medium companies should be more aggressive in advancing into such vertical markets with application products and services, with components as well as solutions.
- Published
- 2014
19. A robust and efficient birthmark-based android application filtering system
- Author
- Hyungjoon Shim, Seong-je Cho, SeongWook Kang, Sangchul Han, and Minkyu Park
- Subjects
- ComputerSystemsOrganization_COMPUTERSYSTEMIMPLEMENTATION, Computer science, business.industry, ComputingMilieux_LEGALASPECTSOFCOMPUTING, Computer security, computer.software_genre, medicine.disease, Android app, Software, Robustness (computer science), Server, medicine, Android application, Birthmark, Android (operating system), business, License, computer
- Abstract
Since it is very easy to decompile and repackage Android applications (or apps), many paid apps in the official Android Market are exposed to software piracy such as illegal copying, license cracking, and illegal distribution. To address this problem, we can employ app filtering systems that prevent OSP servers from distributing illegally copied or tampered apps. In this paper, we propose a birthmark-based Android app filtering system. The system extracts birthmarks from APK files and compares the birthmarks to examine whether a given APK file is actually identical to one of the (paid) original apps, that is, whether the APK file is a duplicated or tampered one. The experimental results show that the system is efficient and robust in the sense that the birthmark size is very small and the tampered apps can be identified effectively.
- Published
- 2014
20. Efficient Identification of Windows Executable Programs to Prevent Software Piracy
- Author
- Minkyu Park, Sangchul Han, Yesol Kim, Seong-je Cho, and Jeongoh Moon
- Subjects
- Windows Vista, Computer science, Microsoft Windows, Operating system, Backporting, computer.file_format, Executable, Software distribution, New Executable, computer.software_genre, computer, Software versioning, Portable Executable
- Abstract
Pirated software used to be distributed through physical exchange. The Internet, however, is increasingly being used to distribute pirated software. P2P networks, one-click hosting sites, and bit-torrent indexing sites are typical examples. To block illegal distribution of software through the Internet, we must identify software stored and distributed on such sites. In this paper, we propose a new scheme for identifying software. In this scheme, we concentrate on Microsoft Windows applications because most piracy targets MS Windows applications. The scheme analyzes the PE (Portable Executable) header; PE is the executable file format of Windows. The scheme translates information in the header, such as the start address, the size of the initialized data, etc., into a unique value and uses the value to identify the software in question. We show that the proposed scheme can identify software effectively and efficiently through an experiment with 439 sample executable files.
- Published
- 2014
21. A kernel-based monitoring approach for analyzing malicious behavior on Android
- Author
- Seong-je Cho, Sangchul Han, Younsik Jeong, Minkyu Park, and Hwan-taek Lee
- Subjects
- Cryptovirology, Computer science, Android malware, Obfuscation, False detection, Malware, Android (operating system), Computer security, computer.software_genre, computer, Hooking
- Abstract
This paper proposes a new technique that monitors important events at the kernel level of Android and analyzes malicious behavior systematically. The proposed technique is designed in two ways. First, in order to analyze malicious behavior that might happen inside one application, it monitors file operations by hooking the system calls to create, read from, and write to a file. Second, in order to analyze malicious behavior that might happen in the communication between colluding applications, it monitors IPC messages (Intents) by hooking the binder driver. Our technique can detect even the behavior of obfuscated malware using a run-time monitoring method. In addition, it can reduce the possibility of false detection by providing more specific analysis results compared to the existing methods on Android. Experimental results show that our technique is effective in analyzing malicious behavior on Android and helpful in detecting malware.
- Published
- 2014
22. Measuring similarity of android applications via reversing and K-gram birthmarking
- Author
- Jeonguk Ko, Younsik Jeong, Seong-je Cho, Dongjin Kim, Hyungjoon Shim, Seong Baeg Kim, Minkyu Park, and Sangchul Han
- Subjects
- Java, Computer science, Software birthmark, Reversing, Android application, Executable, computer.file_format, Data mining, Android (operating system), computer.software_genre, computer, computer.programming_language, Gram
- Abstract
By measuring the similarity of programs, we can determine whether someone has illegally copied a program from another program or not. If the similarity is significantly high, it means that one program is a copy of the other. This paper proposes three techniques to measure the similarity of the Dalvik executable codes (DEXs) in Android Application Packages (APKs). Firstly, we decompile the DEXs of candidate applications into Java sources and compute the similarity between the decompiled sources. Secondly, candidate DEXs are disassembled and the similarities between the disassembled codes are measured. Finally, we extract a k-gram based software birthmark from the disassembled codes and calculate the similarity of sample DEXs by comparing the extracted birthmarks. We perform several experiments to identify the effects of the three techniques. With the analysis of the experimental results, the advantages and disadvantages of each technique are discussed.
- Published
- 2013
23. A Static Birthmark of Windows Binary Executables Based on Strings
- Author
-
Sangchul Han, Dongjin Kim, Seong-je Cho, Minkyu Park, Jeongoh Moon, Yesol Kim, and Younsik Jeong
- Subjects
Measure (data warehouse) ,Theoretical computer science ,Source code ,Computer science ,Programming language ,media_common.quotation_subject ,Binary number ,Software birthmark ,ComputingMilieux_LEGALASPECTSOFCOMPUTING ,computer.file_format ,medicine.disease ,computer.software_genre ,Set (abstract data type) ,medicine ,Birthmark ,Executable ,computer ,media_common - Abstract
A software birthmark is a unique characteristic, or a set of such characteristics, that is used to identify a program or to measure similarities between programs. Existing birthmarks have two problems. First, when an executable file is generated, some information from the source code is deformed or lost. Second, the amount of data to be processed and the processing time for extracting the birthmark are very large. This paper provides a new birthmark that can solve such problems. This birthmark takes advantage of information that is not lost in the executable file and is also associated with the APIs used by the program. Experimental results show that the proposed birthmark can be used to effectively measure similarities between programs.
- Published
- 2013
24. A Survey of Feature Extraction Techniques to Detect the Theft of Windows Applications
- Author
-
Jongcheon Choi, Yongman Han, Hae-Young Yoo, Sangchul Han, Ilsun You, Minkyu Park, Seong-je Cho, and Inshik Song
- Subjects
Source code ,Database ,Computer science ,business.industry ,media_common.quotation_subject ,Feature extraction ,ComputingMilieux_LEGALASPECTSOFCOMPUTING ,Static program analysis ,computer.file_format ,computer.software_genre ,Software ,Microsoft Windows ,Backporting ,Executable ,Software system ,business ,computer ,media_common - Abstract
As the software industry has grown, illegally copying software or stealing the core modules of a program occurs more frequently. In order to detect program plagiarism, similarity analysis of suspicious programs based on their source code is one of the accurate methods. However, the source code is not always available. Therefore, it is necessary to analyze and determine software piracy or theft using only the binary executables that are the release versions of the products. In this paper, we propose a method to extract feature information from the binary code of executable files on MS Windows systems in order to determine whether software is pirated or the core modules of a program are stolen. We perform a small experiment to detect program similarity and plagiarism by comparing the statically extracted features of target programs.
- Published
- 2013
25. Enhancing Security of a Group Key Exchange Protocol for Users with Individual Passwords
- Author
-
Minkyu Park, Sangchul Han, Junghyun Nam, Juryon Paik, and Ung-Mo Kim
- Subjects
Password ,Password policy ,Encrypted key exchange ,Zero-knowledge password proof ,Dictionary attack ,Cognitive password ,computer.internet_protocol ,business.industry ,Salt (cryptography) ,Computer science ,Internet privacy ,Computer security ,computer.software_genre ,One-time password ,S/KEY ,Password strength ,Authentication protocol ,Key stretching ,Session key ,Password authentication protocol ,Key derivation function ,Challenge–response authentication ,Reflection attack ,business ,computer - Abstract
Group key exchange protocols allow a group of parties communicating over a public network to come up with a common secret key called a session key. Due to their critical role in building secure multicast channels, a number of group key exchange protocols have been suggested over the years for a variety of settings. Among these is the so-called EKE-M protocol proposed by Byun and Lee for password-based group key exchange in the different password authentication model, where group members are assumed to hold an individual password rather than a common password. While the announcement of the EKE-M protocol was essential in the light of the practical significance of the different password authentication model, Tang and Chen showed that the EKE-M protocol itself suffers from an undetectable on-line dictionary attack. Given Tang and Chen's attack, Byun et al. have recently suggested a modification to the EKE-M protocol and claimed that their modification makes EKE-M resistant to the attack. However, the claim turned out to be untrue. In the current paper, we demonstrate this by showing that Byun et al.'s modified EKE-M is still vulnerable to an undetectable on-line dictionary attack. Besides reporting our attack, we also figure out what has gone wrong with Byun et al.'s modification and how to fix it.
- Published
- 2009
26. Predictability of Earliest Deadline Zero Laxity Algorithm for Multiprocessor Real-Time Systems
- Author
-
Yookun Cho, Seong-je Cho, Heeheon Kim, Minkyu Park, Sangchul Han, and Xuefeng Piao
- Subjects
Job scheduler ,Set (abstract data type) ,Earliest deadline first scheduling ,Schedule ,Least slack time scheduling ,Computer science ,Multiprocessing ,Parallel computing ,Predictability ,computer.software_genre ,computer ,Algorithm ,Task (project management) - Abstract
Validation methods for hard real-time jobs are usually performed based on the maximum execution time. The actual execution times of jobs are assumed to be known only when the jobs arrive, or not known until they finish. A predictable algorithm must guarantee that it can generate a schedule for any set of jobs such that the finish time under the actual execution time is no later than the finish time under the maximum execution time. It is known that any job-level fixed priority algorithm (such as earliest deadline first) is predictable. However, job-level dynamic priority algorithms (such as least laxity first) may or may not be. In this paper, we investigate the predictability of a job-level dynamic priority algorithm, EDZL (earliest deadline zero laxity). We show that EDZL is predictable on the domain of integers regardless of the knowledge of the actual execution times. Based on this result, furthermore, we also show that EDZL can successfully schedule any periodic task set if the total utilization is not greater than (m + 1)/2, where m is the number of processors.
- Published
- 2006
27. Fast Real-Time Job Selection with Resource Constraints Under Earliest Deadline First
- Author
-
Yookun Cho, Sangchul Han, and Moonju Park
- Subjects
Job scheduler ,Earliest deadline first scheduling ,Rate-monotonic scheduling ,Least slack time scheduling ,Computer science ,Distributed computing ,Processor scheduling ,Dynamic priority scheduling ,computer.software_genre ,Job queue ,Scheduling (computing) ,Resource allocation ,computer ,Queue - Abstract
The Stack Resource Policy (SRP) is a real-time synchronization protocol suitable for embedded systems because of its simplicity. However, if SRP is applied to dynamic priority scheduling, the runtime overhead of job selection algorithms can seriously affect the performance of the system. To solve the problem, a job selection algorithm was proposed that uses a selection tree as the scheduling queue structure. The proposed algorithm selects a job in O(⌈log2 n⌉) time, resulting in a significant reduction in the run-time overhead of the scheduler. In this paper, the correctness of the job selection algorithm is presented. Also, the job selection algorithm was implemented in a GSM/GPRS handset with an ARM7 processor to see its effectiveness on embedded systems. The experiments performed on the system show that the proposed algorithm can further utilize the processor by reducing the scheduling overhead.
- Published
- 2005
28. An efficient job selection scheme in real-time scheduling under the stack resource policy
- Author
-
Moonju Park, Sangchul Han, and Yookun Cho
- Subjects
Earliest deadline first scheduling ,Job scheduler ,business.industry ,Computer science ,Distributed computing ,Processor scheduling ,Dynamic priority scheduling ,computer.software_genre ,Job queue ,Scheduling (computing) ,Resource allocation ,business ,Queue ,computer ,Computer network - Abstract
The stack resource policy (SRP) is a real-time synchronization protocol with some distinct properties. One such property is early blocking: the execution of a job is delayed instead of being blocked while requesting shared resources. If SRP is used in dynamic priority scheduling such as earliest deadline first (EDF), early blocking requires that the scheduler select the highest-priority job among the jobs that will not be blocked, incurring a runtime overhead. In this paper, we analyze the runtime overhead of EDF scheduling when SRP is used. We find that if jobs share resources using SRP, the overhead of selecting a job with the conventional implementations of a ready queue becomes serious as the number of jobs increases. To solve this problem, we propose an alternative data structure for the ready queue and an algorithm that can significantly reduce the overhead. This paper also describes the design and implementation of a real-time layer that employs the proposed scheme in Linux.
- Published
- 2004