The new HTTPS anomaly detection module in Slips builds per-host adaptive baselines in traffic time, then detects deviations at two levels: per-flow (for bytes to known servers) and per-hour (for host behavior like new servers, unique servers, JA3 changes, and flow volume). It uses online statistics and z-scores for transparent scoring, plus controlled adaptation states (training_fit, drift_update, suspicious_update) to keep learning while reducing poisoning risk.
The result is explainable, operational evidence in clear human text: what changed, confidence, and why it is anomalous.
Our research identifies sixteen fundamental principles of biological immunity and translates them into cybersecurity defense architectures that emphasize multi-dimensional coordination over single- point tactics.
We are pleased to announce the publication of our latest paper, “Building adaptive and transparent cyber agents with local language models,” in the Journal of Expert Systems with Applications.
Can a Raspberry Pi 5 run Large Language Models? In this post, we share the results of our experiments, analyzing how LLMs perform on this low-cost hardware and exploring the challenges and performance trade-offs.
The complete automation of cyber-attacks has become one of the areas of greatest interest since the introduction of Large Language Models (LLMs) to the public. The creation of attacking LLM agents that can act independently is among the most popular options.
In this blog, we introduce a brand-new agent: ARACNE. We also share the results of attack tests and what they mean in terms of the agent’s current capabilities.
This white paper explores what is the current state of IPv6 security in IoT, what is the global growth of IPv6 and how does this growth look like in a real network. If IPv6 is already being used, are attackers already attacking using this protocol? Is there already malware capable of attacking on IPv6? Read through as we aim to answer these questions.
In this blog post we were able to take a sneak peek of what is Dark Nexus capable of and its details. We explored this by presenting it via three characteristics we named the old, the new and the ugly.
For this blog post we will analyze the x86-64 version of RHOMBUS, originally shared by MMD and found by R. Bansal (@0xrb). At the time this post was written, this sample has a 4/59 detection rate (4 out of 59 AVs detected this file as malicious) according to VirusTotal.
In this IoT Honeypot Analysis Series, we focus on the traffic analysis of the Edimax IC-7113W camera. In this episode, we will continue with the analysis of the encrypted packets mentioned in the previous episode. Our goals for this blog post are:
to obtain the AES key from the Edimax server
to understand what happens with the communication after we obtain the AES key
to get a plaintext of the encrypted payload sent from the camera to the server
This is a follow-up blogpost from the IoT Honeypot Analysis Series we have started earlier (here and here). In this episode we go more into understanding packets sent from and to the Edimax IC-7113W camera by using reverse engineering techniques and some hacking.
This blog post describes the analysis of a malware sample that was executed in a RapsberryPi from our IoT laboratory. The SHA256 of the sample that we executed in our laboratory is: d8040a64b88b4a738d333015ddd93a27187abb7584412df56633a7e7d12127f4.
On February 28th, 2019 we infected one of our devices with the malware sample that most AV detect as Mirai. However, it was a bash script downloader that obtains and exacute an ARM ELF binary to attack others using the HNAP vulnerability in order to infect new bots.
This blogpost aims to give an insight of an IRCBased botnet describing the network behavior and showing the analysis of the C&C. By analyzing this botnet network traffic it was possible to identify the botmasters using an IRC channel and observe not only the conversation between them but also the orders they give to the bot.
