Yang-Sae Moon

2 Papers

CR · Aug 17, 2022
An Efficient Multi-Step Framework for Malware Packing Identification

Jong-Wouk Kim, Yang-Sae Moon, Mi-Jung Choi

Malware developers use combinations of techniques such as compression, encryption, and obfuscation to bypass anti-virus software. Malware with anti-analysis technologies can bypass AI-based anti-virus software and malware analysis tools. Therefore, classifying packed files is one of the big challenges. Problems arise if the malware classifiers learn packers' features, not those of malware. Training the models with unintended erroneous data turns into poisoning attacks, adversarial attacks, and evasion attacks. Therefore, researchers should consider packing to build appropriate malware classifier models. In this paper, we propose a multi-step framework for classifying and identifying packed samples which consists of pseudo-optimal feature selection, machine learning-based classifiers, and packer identification steps. In the first step, we use the CART algorithm and the permutation importance to preselect 20 important features. In the second step, each model learns the 20 preselected features for classifying the packed files with the highest performance. As a result, XGBoost, which learned the features preselected by XGBoost with the permutation importance, showed the highest performance of all experiment scenarios with an accuracy of 99.67%, an F1-Score of 99.46%, and an area under the curve (AUC) of 99.98%. In the third step, we propose a new approach that can identify packers only for samples classified as Well-Known Packed.

CR · Jan 2, 2015
Efficient 2-Step Protocol and Its Discriminative Feature Selections in Secure Similar Document Detection

Sang-Pil Kim, Myeong-Sun Gil, Yang-Sae Moon et al.

Secure similar document detection (SSDD) identifies similar documents of two parties while each party does not disclose its own sensitive documents to the other party. In this paper, we propose an efficient 2-step protocol that exploits a feature selection as the lower-dimensional transformation and presents discriminative feature selections to maximize the performance of the protocol. For this, we first analyze that the existing 1-step protocol causes serious computation and communication overhead for high-dimensional document vectors. To alleviate the overhead, we next present the feature selection-based 2-step protocol and formally prove its correctness. The proposed 2-step protocol works as follows: (1) in the filtering step, it uses low-dimensional vectors obtained by the feature selection to filter out non-similar documents; (2) in the post-processing step, it identifies similar documents only from the non-filtered documents by using the 1-step protocol. As the feature selection, we first consider the simplest one, random projection (RP), and propose its 2-step solution SSDD-RP. We then present two discriminative feature selections and their solutions: SSDD-LF (local frequency), which selects a few dimensions locally frequent in the current querying vector, and SSDD-GF (global frequency), which selects ones globally frequent in the set of all document vectors. We finally propose a hybrid one, SSDD-HF (hybrid frequency), that takes advantage of both SSDD-LF and SSDD-GF. We empirically show that the proposed 2-step protocol outperforms the 1-step protocol by three or four orders of magnitude.