Featured Publications

Rescuing the Unpoisoned: Efficient Defense against Knowledge Corruption Attacks on RAG Systems (To appear)

Rescuing the Unpoisoned: Efficient Defense against Knowledge Corruption Attacks on RAG Systems (To appear)

Minseok Kim, Hankook Lee, and Hyungjoon Koo

In the 41th Annual Computer Security Applications Conference (ACSAC'25)

Large language models (LLMs) are reshaping numerous facets of our daily lives, leading widespread adoption as web-based services. Despite their versatility, LLMs face notable challenges, such as generating hallucinated content and lacking access to up-to-date information. Lately, to address such limitations, Retrieval-Augmented Generation (RAG) has emerged as a promising direction by generating responses grounded in external knowledge sources. A typical RAG system consists of i) a retriever that probes a group of relevant passages from a knowledge base and ii) a generator that formulates a response based on the retrieved content. However, as with other AI systems, recent studies demonstrate the vulnerability of RAG, such as knowledge corruption attacks by injecting misleading information. In response, several defense strategies have been proposed, including having LLMs inspect the retrieved passages individually or fine-tuning robust retrievers. While effective, such approaches often come with substantial computational costs. In this work, we introduce RAGDefender, a resource-efficient defense mechanism against knowledge corruption (i.e., by data poisoning) attacks in practical RAG deployments. RAGDefender operates during the post-retrieval phase, leveraging lightweight machine learning techniques to detect and filter out adversarial content without requiring additional model training or inference. Our empirical evaluations show that RAGDefender consistently outperforms existing state-of-the-art defenses across multiple models and adversarial scenarios: e.g., RAGDefender reduces the attack success rate (ASR) against the Gemini model from 0.89 to as low as 0.02, compared to 0.69 for RobustRAG and 0.24 for Discern-and-Answer when adversarial passages outnumber legitimate ones by a factor of four (4x).
A Decade-long Landscape of Advanced Persistent Threats: Longitudinal Analysis and Global Trends

A Decade-long Landscape of Advanced Persistent Threats: Longitudinal Analysis and Global Trends

Shakhzod Yuldoshkhujaev, Mijin Jeon, Doowon Kim, Nick Nikiforakis, and Hyungjoon Koo

In the 32nd ACM Conference on Computer and Communications Security (CCS'25)

An advanced persistent threat (APT) refers to a covert and long-term cyberattack, typically conducted by state-sponsored actors, targeting critical sectors and often remaining undetected for long periods. In response, collective intelligence from around the globe collaborates to identify and trace surreptitious activities, generating substantial documentation on APT campaigns publicly available on the web. While a multitude of prior works predominantly focus on specific aspects of APT cases, such as detection, evaluation, cyber threat intelligence, and dataset creation, limited attention has been devoted to revisiting and investigating these scattered dossiers in a longitudinal manner. The objective of our study lies in filling the gap by offering a macro perspective, connecting key insights and global trends in the past APT attacks. We systematically analyze six reliable sources - three focused on technical reports and another three on threat actors - examining 1,509 APT dossiers (i.e., totaling 24,215 pages) spanning from 2014 to 2023 (a decade), and identifying 603 unique APT groups in the world. To efficiently unearth relevant information, we employ a hybrid methodology that combines rule-based information retrieval with large-language-model-based search techniques. Our longitudinal analysis reveals shifts in threat actor activities, global attack vectors, changes in targeted sectors, and the relationships between cyberattacks and significant events, such as elections or wars, which provides insights into historical patterns in APT evolution. Over the past decade, 154 countries have been affected, primarily using malicious documents and spear phishing as the dominant initial infiltration vectors, and a noticeable decline in zero-day exploitation since 2016. Furthermore, we present our findings through interactive visualization tools, such as an APT map or a flow diagram, to facilitate intuitive understanding of the global patterns and trends in APT activities.
arXiv Code
R2I: A Relative Readability Metric for Decompiled Code

R2I: A Relative Readability Metric for Decompiled Code

Haeun Eom, Dohee Kim, Sori Lim, Hyungjoon Koo, and Sungjae Hwang

In the ACM International Conference on the Foundations of Software Engineering (FSE 2024)

Decompilation is a process of converting a low-level machine code snippet back into a high-level programming language such as C. It serves as a basis to aid reverse engineers in comprehending the contextual semantics of the code. In this respect, commercial decompilers like Hex-Rays have made significant strides in improving the readability of decompiled code over time. While previous work has proposed the metrics for assessing the readability of source code, including identifiers, variable names, function names, and comments, those metrics are unsuitable for measuring the readability of decompiled code primarily due to i) the lack of rich semantic information in the source and ii) the presence of erroneous syntax or inappropriate expressions. In response, to the best of our knowledge, this work first introduces R2I, the Relative Readability Index, a specialized metric tailored to evaluate decompiled code in a relative context quantitatively. In essence, R2I can be computed by i) taking code snippets across different decompilers as input and ii) extracting pre-defined features from an abstract syntax tree. For the robustness of R2I, we thoroughly investigate the enhancement efforts made by existing decompilers and academic research to promote code readability, identifying 31 features to yield a reliable index collectively. Besides, we conducted a user survey to capture subjective factors such as one’s coding styles and preferences. Our empirical experiments demonstrate that R2I is a versatile metric capable of representing the relative quality of decompiled code (e.g., obfuscation, decompiler updates) and being well aligned with human perception in our survey.
Paper Code
BENZENE: A Practical Root Cause Analysis System with an Under-Constrained State Mutation

BENZENE: A Practical Root Cause Analysis System with an Under-Constrained State Mutation

Younggi Park, Hwiwon Lee, Jinho Jung, Hyungjoon Koo, and Huy Kang Kim

In the 45th IEEE Symposium on Security and Privacy, 2024 (S&P ’24)Distinguished Paper Award*

Fuzzing has demonstrated great success in bug discovery and plays a crucial role in software testing today. Despite the increasing popularity of fuzzing, automated root cause analysis (RCA) has drawn less attention. One of the recent advances in RCA is crash-based statistical debugging, which leverages the behavioral differences in program execution between crash-triggered and non-crashing inputs. Hence, obtaining non-crashing behaviors close to the original crash is crucial but challenging with previous approaches (e.g., fuzzing). In this paper, we present BENZENE, a practical end-to-end RCA system that facilitates a fully automated crash diagnosis. To this end, we introduce a novel technique, called under-constrained state mutation, that generates both crashing and non-crashing behaviors for effective and efficient RCA. We design and implement the BENZENE prototype, and evaluate it with 60 vulnerabilities in the wild. Our empirical results demonstrate that BENZENE not only surpasses in performance (i.e., root cause ranking), but also achieves superior results in both speed (4.6 times faster) and memory footprint (31.4 times less) on average than prior approaches.
Paper Code
A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing

A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing

Hyunjin Kim, Jinyeong Bak, Kyunghyun Cho, and Hyungjoon Koo

In the 18th ACM Asia Conference on Computer and Communications Security, 2023 (ASIACCS ’23)

Reverse engineering of a stripped binary has a wide range of applications, yet it is challenging mainly due to the lack of contextually useful information within. Once debugging symbols (e.g., variablenames, types, function names) are discarded, recovering such informationis not technically viable with traditional approacheslike static or dynamic binary analysis. We focus on a functionsymbol name recovery, which allows a reverse engineer to gaina quick overview of an unseen binary. The key insight is that awell-developed program labels a meaningful function name thatdescribes its underlying semantics well. In this paper, we presentAsmDepictor, the Transformer-based framework that generates afunction symbol name from a set of assembly codes (i.e., machine instructions),which consists of three major components: binary coderefinement, model training, and inference. To this end, we conductsystematic experiments on the effectiveness of code refinement thatcan enhance an overall performance. We introduce the per-layerpositional embedding and Unique-softmax for AsmDepictor sothat both can aid to capture a better relationship between tokens.Lastly, we devise a novel evaluation metric tailored for a short descriptionlength, the Jaccard* score. Our empirical evaluation showsthat the performance of AsmDepictor by far surpasses that of thestate-of-the-art models up to around 400%. The best AsmDepictormodel achieves an F1 of 71.5 and Jaccard* of 75.4.
Paper
Practical Binary Code Similarity Detection with BERT-based Transferable Similarity Learning

Practical Binary Code Similarity Detection with BERT-based Transferable Similarity Learning

Sunwoo Ahn, Seonggwan Ahn, Hyungjoon Koo, and Yunheung Paek

In the 38th Annual Computer Security Applications Conference (ACSAC ’22)

Binary code similarity detection serves as a basis for a wide spectrum of applications, including software plagiarism, malware classification, and known vulnerability discovery. However, the inference of contextual meanings of a binary is challenging due to the absence of semantic information available in source codes. Recent advances leverage the benefits of a deep learning architecture into a better understanding of underlying code semantics and the advantages of the Siamese architecture into better code similarity detection. In this paper, we propose BinShot, a BERT-based similarity learning architecture that is highly transferable for effective binary code similarity detection. We tackle the problem of detecting code similarity with one-shot learning (a special case of few-shot learning). To this end, we adopt a weighted distance vector with a binary cross entropy as a loss function on top of BERT. With the prototype implementation of BinShot, our experimental results demonstrate the effectiveness, transferability, and practicality of BinShot, which is robust to detecting the similarity of previously unseen functions.We show that BinShot outperforms the previous state-of-the-art approaches for binary code similarity detection.
Paper Code Slides

International Conferences and Journals

Rescuing the Unpoisoned: Efficient Defense against Knowledge Corruption Attacks on RAG Systems (To appear)

Minseok Kim, Hankook Lee, and Hyungjoon Koo

In the 41th Annual Computer Security Applications Conference (ACSAC'25)

A Decade-long Landscape of Advanced Persistent Threats: Longitudinal Analysis and Global Trends

arXiv Code

Shakhzod Yuldoshkhujaev, Mijin Jeon, Doowon Kim, Nick Nikiforakis, and Hyungjoon Koo

In the 32nd ACM Conference on Computer and Communications Security (CCS'25)

BOOTKITTY: A Stealthy Bootkit-Rootkit Against Modern Operating Systems

Paper

Junho Lee, Jihoon Kwon, HyunA Seo, Myeongyeol Lee, Hyungyu Seo, Jinho Jung, and Hyungjoon Koo

In the 19th USENIX WOOT Conference on Offensive Technologies (WOOT'25)

Evaluating the Effectiveness and Robustness of Visual Similarity-based Phishing Detection Models

Paper

Fujiao Ji, Kiho Lee, Hyungjoon Koo, Wenhao You, Euijin Choo, Hyoungshick Kim, and Doowon Kim

In the 34nd USENIX Conference on Security Symposium (USENIX'25)

An Empirical Study of Black-box based Membership Inference Attacks on a Real-World Dataset

Paper

Yujeong Kwon, Simon S. Woo, and Hyungjoon Koo

International Symposium on Foundations and Practice of Security (FPS 2024)

R2I: A Relative Readability Metric for Decompiled Code

Paper Code

Haeun Eom, Dohee Kim, Sori Lim, Hyungjoon Koo, and Sungjae Hwang

In the ACM International Conference on the Foundations of Software Engineering (FSE 2024)

BinAdapter: Leveraging Continual Learning for Inferring Function Symbol Names in a Binary

Paper Code

Nozima Murodova and Hyungjoon Koo

In the 19th ACM Asia Conference on Computer and Communications Security, 2024 (ASIACCS ’24)

ToolPhet: Inference of Compiler Provenance from Stripped Binaries with Emerging Compilation Toolchains

Paper

Hohyeon Jang, Nozima Murodova, and Hyungjoon Koo

IEEE Access (2024)

Demystifying the Regional Phishing Landscape in South Korea

Hyunjun Park, Kyungchan Lim, Doowon Kim, Donghyun Yu, and Hyungjoon Koo

IEEE Access (2023)

BENZENE: A Practical Root Cause Analysis System with an Under-Constrained State Mutation

Paper Code

Younggi Park, Hwiwon Lee, Jinho Jung, Hyungjoon Koo, and Huy Kang Kim

In the 45th IEEE Symposium on Security and Privacy, 2024 (S&P ’24)Distinguished Paper Award*

Binary Code Representation with Well-balanced Instruction Normalization

Paper

Hyungjoon Koo, Soyeon Park, Daejin Choi, and Taesoo Kim

IEEE Access (2023)

SmartMark: Software Watermarking Scheme for Smart Contracts

Paper

Taeyoung Kim, Yunhee Jang, Chanjong Lee, Hyungjoon Koo, and Hyoungshick Kim

In the 45th IEEE/ACM International Conference on Software Engineering, 2023 (ICSE ’23)

A Transformer-based Function Symbol Name Inference Model from an Assembly Language for Binary Reversing

Paper

Hyunjin Kim, Jinyeong Bak, Kyunghyun Cho, and Hyungjoon Koo

In the 18th ACM Asia Conference on Computer and Communications Security, 2023 (ASIACCS ’23)

Practical Binary Code Similarity Detection with BERT-based Transferable Similarity Learning

Paper Code Slides

Sunwoo Ahn, Seonggwan Ahn, Hyungjoon Koo, and Yunheung Paek

In the 38th Annual Computer Security Applications Conference (ACSAC ’22)

DeView: Confining Progressive Web Applications by Debloating Web APIs

Paper Code

ChangSeok Oh, Sangho Lee, Chenxiong Qian, Hyungjoon Koo, and Wenke Lee

In the 38th Annual Computer Security Applications Conference (ACSAC ’22)

IoTivity Packet Parser for Encrypted Messages in Internet of Things

Paper

Hyeonah Jung, Hyungjoon Koo, and Jaehoon (Paul) Jeong

In the 24th International Conference on Advanced Communications Technology (ICACT ’22)

Software Watermarking via a Binary Function Relocation

Paper

Honggoo Kang, Yonghwi Kwon, Sangjin Lee, and Hyungjoon Koo

In the 37th Annual Computer Security Applications Conference (ACSAC ’21)

A Look Back on a Function Identification Problem

Paper

Hyungjoon Koo, Soyeon Park, and Taesoo Kim

In the 37th Annual Computer Security Applications Conference (ACSAC ’21)

Slimium: Debloating the Chromium Browser with Feature Subsetting

Paper

Chenxiong Qian, Hyungjoon Koo, Changseok Oh, Taesoo Kim, and Wenke Lee

In the 27th ACM Conference on Computer and Communications Security (CCS ’20)

Compiler-assisted Code Randomization

Paper Code

Hyungjoon Koo, Yaohui Chen, Long Lu, Vasileios P. Kemerlis, and Michalis Polychronakis

In the 39th IEEE Symposium on Security & Privacy, 2018 (S&P ’18)

Defeating Zombie Gadgets by Re-randomizing Code Upon Disclosure

Paper

Micah Morton, Hyungjoon Koo, Forrest Li, Kevin Z. Snow, Michalis Polychronakis, and Fabian Monrose

In the 9th International Symposium on Engineering Secure Software and Systems, 2017 (ESSoS ’17)

Return to the Zombie Gadgets: Undermining Destructive Code Reads via Code-Inference Attacks

Paper

Kevin Z. Snow, Roman Rogowski, Jan Werner, Hyungjoon Koo, Fabian Monrose and Michalis Polychronakis

In the 37th IEEE Symposium on Security and Privacy, 2016 (S&P ’16)

Juggling the Gadgets: Binary-level Code Randomization using Instruction Displacement

Paper Code

Hyungjoon Koo and Michalis Polychronakis

In the 11th ACM Asia Conference on Computer and Communications Security, 2016 (ASIACCS ’16)

Identifying Traffic Differentiation in Mobile Networks

Paper

Arash Molavi Kakhki, Abbas Razaghpanah, Anke Li, Hyungjoon Koo, Rajeshkumar Golani, David Choffnes, Phillipa Gill, and Alan Mislove

In the 15th ACM Internet Measurement Conference, 2015 (IMC ’15)

Workshops and Domestic Conferences

On the Learnability, Robustness, and Adaptability of Deep Learning Models for Obfuscation-applied Code

Paper

Jiyong Uhm, Yujeong Kwon, and Hyungjoon Koo

Workshop on Software Understanding and Reverse Engineering (SURE'25)

Trends in Securing Unsafe Regions for Rust

Paper

Hyungjun Jeon, Jiyong Uhm, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’25)

Security Analysis of Agentic Communication Protocols: Model Context Protocol (MCP) and Agent-to-Agent (A2A)

Paper

Yiyue Zhang, Minseok Kim, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’25)

Investigating the Acquisition and Analysis of Digital Artifacts for Messaging Applications

Paper

Suyeon Lee, Yuldoshkhujaev Shakhzod, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’25)

Trends in LLM-assisted Attacks

Paper

Mijin Jeon, Yujeong Kwon, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’25)

Advanced Persistent Threats: Addressed and Open Research Questions

Paper

Shakhzod Yuldoshkhujaev and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’24)

Trends in Attacks and Defenses against Retrieval-Augmented Generation (RAG) Systems

Paper

Minseok Kim and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’24)

Trends in Deep-learning-based Models for Anomaly Detection in Log Records

Paper

Suyeon Lee and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’24)

RoBERTa-based Obfuscated Binary Code Similarity Detection

Paper

Yujeong Kwon, Jiyong Uhm, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’24)Best Paper Award *

Dynamic Analysis of Obfuscated Code with a 64-bit SGN Packer

Paper

Jiyong Uhm, Hyongjun Jeon, and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’24)

ChatPub: Retrieval Augmented Generation-based Service to Aid in Finding Relevant Policies for Korean Youth

Paper

Gangsan Kim, Jinho Park, Seongbin Yang, Changmin Jeon, and Hyungjoon Koo

Annual Spring Conference of KIPS (ASK’24)

Baseball Simulation Game Service Based on Baseball Metrics

Paper

Chaewon Ko, Changwoo Shim, Hyunchang Shin, and Hyungjoon Koo

Annual Spring Conference of KIPS (ASK’24)

Trends in Machine Unlearning via Continual Learning to Mitigate Privacy Risks

Paper

Yujeong Kwon and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’23)

Trends in Membership Inference Attacks and Defenses

Paper

Nozima Murodova and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’23)

Trends in Explainable Artificial Intelligence for Security

Paper

Jiyong Uhm, Hyungjoon Jeon, and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’23)

An Unreal Engine Plugin for Text-based Runtime Animation Generation with a Motion Diffusion Model

Paper

Suho Park, Jaehoon Lee, YongHyeon Jo, Haechan Je, Daniel Cha, and Hyungjoon Koo

Annual Fall Conference of KIPS (ASK ’23)

Kingomanager: A Personalized Information-providing Application with a Recommendation System for University Students

Paper

Shingyu Kang, JunWoo Kim, ChoongHyeon Park, and Hyungjoon Koo

Annual Spring Conference of KIPS (ASK’23)

Vulnerability Analysis of CoAP Using a Coverage-based CoAP Fuzzer

Paper

Sechang Lim and Hyungjoon Koo

Annual Spring Conference of KIPS (ASK’23)

A Recommendation System by Extracting Scholarship Information with a BERT’s Q&A Model

Paper

Byeongjun Kang, Kyujin Kim, Jinah Park, Ijun Jang, Jaehyun Joo, and Hyungjoon Koo

Annual Spring Conference of KIPS (ASK’23)

Evaluating Password Composition Policy and Password Meters of Popular Websites

Paper

Kyungchan Lim, Joshua Hankyul Kang, Matthew Dixson, Hyungjoon Koo, and Doowon Kim

Workshop on Designing Security for the Web (SecWeb ’23)

A Study of Executable Binaries with Emerging Compilation Tools

Paper

Hohyeon Jang and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’22)Best Paper Award *

A Study of Rarely Appeared Instructions in an Executable Binary

Paper

Nozima Murodova and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’22)

Server-client Based Reversing Tools with a Prediction Model for Function Names

Paper

Seok Kim, Hyungjoon Jeon, Hyunjin Kim, and Hyungjoon Koo

Conference on Information Security and Cryptography-Winter 한국정보보호학회 동계학술대회 (CISC-W ’22)

Phishing URL Detection with Text-CNN

Paper

Sechang Lim and Hyungjoon Koo

Conference on Information Security and Cryptography-Summer 한국정보보호학회 하계학술대회 (CISC-S ’22)

Inference of Compiler Provenance from Malware

Paper

Hohyun Jang and Hyungjoon Koo

Poster in the 22nd World Conference on Information Security Applications (WISA ’21)

Semantic-aware Binary Code Representation with BERT

Paper

Hyungjoon Koo, Soyeon Park, Daejin Choi, and Taesoo Kim

ArXiv

Configuration-Driven Software Debloating

Paper

Hyungjoon Koo, Seyedhamed Ghavamnia, and Michalis Polychronakis

In the 12th European Workshop on Systems Security, 2019 (EuroSec’19)

The Politics of Routing: Investigating the Relationship between AS Connectivity and Internet Freedom

Paper

Rachee Singh, Hyungjoon Koo, Najmehalsadat Miramirkhani, Fahimeh Mirhaj, Leman Akoglu, and Phillipa Gill

In the 6th USENIX Workshop on Free and Open Communications on the Internet, 2016 (FOCI ’16)