Installing and Running Slips in Docker

The Stratosphere Linux IPs, for short Slips, is a free software intrusion prevention system that uses machine learning. Slips allows analysts to quickly sift through large network captures as well as real live traffic, highlighting what is important to analyze. The analysis we do as part of the Emergency VPN service at Civilsphere relies heavily on Slips.

White Paper: Current State of IPv6 Security in IoT

This white paper explores the current state of IPv6 security in IoT, the global growth of IPv6 and what this growth looks like in a real network. If IPv6 is already being used, are attackers already attacking using this protocol? Is there already malware capable of attacking over IPv6? Read through as we aim to answer these questions.

A visual display of /etc/passwd and /etc/shadow

The passwd file contains information about the users: their login name, user and group IDs, home directory and other information. The shadow file contains the actual encrypted user passwords along with other information.

Data Exfiltration via IPv6

Within the Aposemat Team, we’ve been working on testing the capabilities of IPv6 and how malware could take advantage of it. One of the topics we explored was exfiltration of data via the IPv6 protocol. In this blog post we will share our study into this topic.

Installing T-Pot Honeypot Framework in the Cloud

In this short blog we will describe how to install the T-Pot honeypot framework [1] on a cloud server instance. On this occasion, we chose the cloud provider Digital Ocean [2], which offers a variety of cloud instances, or droplets, in eight different regions. This blog is divided into three parts: (i) how to create a new Digital Ocean instance, (ii) how to install T-Pot on it, and (iii) a walkthrough of some of the pre-built Kibana T-Pot dashboards.

What is Post-Modern Computational Propaganda?

This blog is the first in a series of blogs about computational propaganda. Post-Modern Computational Propaganda is the new targeted propaganda. Although we know that propaganda exists, it is not clear what it is. In this blog post we examine definitions of propaganda and explore how to arrive at an operational definition that may help us achieve better detection.

Stratosphere YARA Rules Repository

At Stratosphere we actively use YARA rules to identify and acquire samples, fresh or old, from specific threats and campaigns. We have published a repository with the rules we have created and used so far. The rules are separated into three categories: malware, protocols and tools.

CVE search tool

CVEs, or Common Vulnerabilities and Exposures, are IDs used to reference known vulnerabilities. They provide a description and public information supplied by the parties involved in the disclosure of the vulnerability or exposure, and are often used by researchers to act upon the disclosed information. While working on collecting information about specific CVEs in a simple form, we came up with a small piece of code that makes that work much simpler and faster.

Active Scanning for SAP Applications

By analyzing the activity/traffic of a large network, it is possible to spot scanning attempts potentially performed by threat actors. Scanning for the SAP NetWeaver JAVA default port increased significantly after the release of the patch for the RECON vulnerability.

The New and Improved Attacker IP Prioritizer

The Attacker IP Prioritization (AIP) project by the Aposemat team is devoted to using the AIP Tool [3] that we have been developing to generate IPv4 blacklists [4] using the data collected from the attacks on the honeypots in our IoT lab [9]. In this post we describe the major updates to the AIP Tool that the Aposemat team has been working on, and therefore also to the AIP blacklists we publish, since they are generated using the AIP Tool.

Machine Learning Leaks and Where to Find Them

Machine learning systems are now ubiquitous and work well in several applications, but how much information they can leak is still relatively unexplored. This blog post explores the most recent techniques that cause ML models to leak private data, gives an overview of the most important attacks, and explains why this type of attack is possible in the first place.

Dark Nexus: the old, the new and the ugly

In this blog post we take a sneak peek at what Dark Nexus is capable of and its details. We explore this by presenting it through three characteristics we named the old, the new and the ugly.

CYBERSEC & AI Connected Workshops: Call for Presentations

CyberSec & AI Connected is an annual conference where academic and industrial leaders come together to discuss developments at the intersection of AI and cybersecurity. 2019 brought together a stellar group of speakers from industry and academia to discuss and debate these intellectual challenges (see the 2019 conference report and speaker list at cybersecai.com). This year's event will take place online and in four cities on 8th October 2020.

RHOMBUS: a new IoT Malware

For this blog post we will analyze the x86-64 version of RHOMBUS, originally shared by MMD and found by R. Bansal (@0xrb). At the time this post was written, this sample had a 4/59 detection rate (4 out of 59 AVs detected this file as malicious) according to VirusTotal.

Timeline of IoT Malware - Version 1

In this blog post we would like to share our first version of a Timeline of IoT Malware. We searched for information on all mainstream IoT malware families using OSINT techniques, correlated the information obtained, and attempted to provide a general high-level picture of what the landscape looks like right now and how it has evolved in the last years.

IoT-23 In Depth: CTU-IoT-Malware-Capture-1-1

This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, which consists of 23 scenarios. In this blog post we provide an analysis of Scenario 9, CTU-IoT-Malware-Capture-60-1. This malware sample is called Hide-and-Seek. This variant belongs to an IoT malware family capable of different types of DDoS attacks, of exploiting vulnerabilities in other devices such as routers and wireless cameras, and of brute forcing the Telnet service across the Internet to expand its botnet. This malware makes use of a custom peer-to-peer (P2P) protocol to transfer data.

[Cyber] CiderSecurityCon Conference Wrap Up

The CiderSecurityCon conference was scheduled to take place on March 14-15, 2020. Due to the COVID pandemic, however, the on-site event was cancelled. The organizing crew then decided to organize a virtual version of the conference instead. Using Zoom with the speakers and streaming via YouTube, they managed to pull off a very friendly and nice virtual event. Here's our wrap up.

IoT-23 In Depth: CTU-IoT-Malware-Capture-60-1

This post is a continuation of the IoT-23 In Depth series based on the IoT-23 Dataset, the first dataset of malicious and benign IoT network traffic, which consists of 23 scenarios [1]. In this blog post we provide an analysis of Scenario 9 [2], CTU-IoT-Malware-Capture-60-1. This malware sample is called Gafgyt. This variant belongs to an IoT malware family capable of different types of DDoS attacks, which exploits vulnerabilities in other devices, such as routers, to expand its botnet and has been seen attacking gaming servers [3].

Swiss Cyber Security Days: Conference Wrap-Up

The Swiss Cyber Security Days are a two-day event in Fribourg, Switzerland. This event brought together cybersecurity researchers, consultants from technology, business and politics, and members of the general public interested in cybersecurity from all over the world.

At the second edition of the Swiss Cyber Security Days our researcher Maria Jose Erquiaga presented the work of the Aposemat laboratory in the talk: “The Truth is out there: Hunting malware from an IoT laboratory”.