The new HTTPS anomaly detection module in Slips builds per-host adaptive baselines in traffic time, then detects deviations at two levels: per-flow (for bytes to known servers) and per-hour (for host behavior like new servers, unique servers, JA3 changes, and flow volume). It uses online statistics and z-scores for transparent scoring, plus controlled adaptation states (training_fit, drift_update, suspicious_update) to keep learning while reducing poisoning risk.
The result is explainable, operational evidence in clear human text: what changed, confidence, and why it is anomalous.
Our research identifies sixteen fundamental principles of biological immunity and translates them into cybersecurity defense architectures that emphasize multi-dimensional coordination over single- point tactics.
We are pleased to announce the publication of our latest paper, “Building adaptive and transparent cyber agents with local language models,” in the Journal of Expert Systems with Applications.
Can a Raspberry Pi 5 run Large Language Models? In this post, we share the results of our experiments, analyzing how LLMs perform on this low-cost hardware and exploring the challenges and performance trade-offs.
The complete automation of cyber-attacks has become one of the areas of greatest interest since the introduction of Large Language Models (LLMs) to the public. The creation of attacking LLM agents that can act independently is among the most popular options.
In this blog, we introduce a brand-new agent: ARACNE. We also share the results of attack tests and what they mean in terms of the agent’s current capabilities.
This blog post shows the analysis of a malware of the PyRation family by Tomas Nieponice as part of a 3-week winter cybersecurity internship at the Stratosphere Laboratory. The internship was done under the supervision of Assist. prof. Sebastian Garcia, PhD.
This blog shows how a curious research experiment can lead a student into an interesting cybercrime investigation that contains weird -yet interesting- topics, such as understanding underground attackers, botnets, informal Internet forums, and the economy of encrypting malware-as-a-service.
While confined in our homes studying the interactions of individuals involved in the spread of the Android banking Trojan botnet (known as Geost), we encountered a unique opportunity: investigate an automated obfuscation-as-a-service platform for Android malware authors.
Indeed, in a leaked chat log that involved Geost botnet operators, two individuals talked about an obfuscation service used to “protect” their malicious Android Applications (APKs) from being detected by antivirus engines. We visited the website related to the “protection” service (protection from antivirus engines -so basically obfuscation), which raised a lot of questions: How does this obfuscation service work? Is it automated? Does it really obfuscate applications well enough to avoid malicious applications being detected? How well is the service known in the underground community?
For this blog post we will analyze the x86-64 version of RHOMBUS, originally shared by MMD and found by R. Bansal (@0xrb). At the time this post was written, this sample has a 4/59 detection rate (4 out of 59 AVs detected this file as malicious) according to VirusTotal.
In this blog post we introduce the “Hexa Payload Decoder Tool”, a tool that is able to process a pcap file and return any decoded characters translated to English. This tool was developed to assist the network security analyst when working and interpreting data sent and received by command and control servers used by malware.
On February 28th, 2019 we infected one of our devices with the malware sample that most AV detect as Mirai. However, it was a bash script downloader that obtains and exacute an ARM ELF binary to attack others using the HNAP vulnerability in order to infect new bots.
This blog post aims to give an overview of what do we know so far about the Quasar RAT, and provide an exhaustive list of references associated with this piece of software.
This blog post aims to give an overview of what do we know so far about the NanoCore RAT, and provide an exhaustive list of references associated with this piece of software.
This capture was done between Thu Sep 5 15:40:07 CEST 2013 and Tue Oct 1 13:38:29 CEST 2013, having a total of 25 days and 21 hours. It corresponds to a binary with the MD5 46b3df3eaf1312f80788abd43343a9d2 of and that was classified by Kaspersky in VirusTotal as Trojan-Spy.Win32.Zbot.oowo. However we are not sure of the name.
