Uroz, Daniel; Pinilla, Abraham Díaz-Campo; Rodríguez, Ricardo J.
Structural Analysis of the Windows NT Heap for Memory Forensics Journal Article
In: Forensic Science International: Digital Investigation, vol. PP, no. PP, pp. PP, 2026, ISSN: 2666-2817, (Selected Papers of the Thirdteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.).
Abstract | Links | BibTeX | Tags: Heap Forensics, Low Fragmentation Heap, memory forensics, Volatility 3, Windows NT Heap
@article{Uroz2026,
title = {Structural Analysis of the Windows NT Heap for Memory Forensics},
author = {Daniel Uroz and Abraham Díaz-Campo Pinilla and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/UrozDR-FSIDI-26.pdf},
issn = {2666-2817},
year = {2026},
date = {2026-03-01},
journal = {Forensic Science International: Digital Investigation},
volume = {PP},
number = {PP},
pages = {PP},
abstract = {Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called tt HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with tt WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.},
note = {Selected Papers of the Thirdteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.},
keywords = {Heap Forensics, Low Fragmentation Heap, memory forensics, Volatility 3, Windows NT Heap},
pubstate = {published},
tppubtype = {article}
}
Miró, Daniel Lastanao; Carrillo, Javier; Rodríguez, Ricardo J.
Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape Journal Article
In: Computers & Security, vol. 162, pp. 104806, 2026, ISSN: 0167-4048.
Abstract | Links | BibTeX | Tags: macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis
@article{Miro2026,
title = {Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape},
author = {Daniel Lastanao Miró and Javier Carrillo and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/LastanaoCR-COSE-26.pdf},
doi = {10.1016/j.cose.2025.104806},
issn = {0167-4048},
year = {2026},
date = {2026-03-01},
journal = {Computers & Security},
volume = {162},
pages = {104806},
abstract = {As macOS systems increasingly become malware targets, understanding the tactics, techniques, and procedures (TTPs) used by adversaries is essential to improving defense strategies. This paper provides a systematic and detailed analysis of macOS malware using the MITRE ATT&CK framework, focusing on TTPs at key stages of the malware attack cycle. Leveraging a comprehensive dataset of 57,636 macOS malware samples collected between November 2006 and October 2024, we employ both static and dynamic analysis techniques to uncover patterns in adversary behavior. Our analysis, primarily based on static analysis techniques, offers a broad representation of macOS malware and highlights common characteristics across samples. While we only partially explore dynamic behaviors, we identify recurring patterns that align with specific TTPs in the MITRE ATT&CK framework, such as persistence and defense evasion. This mapping contributes to a more structured understanding of macOS threats and can help inform future detection and mitigation efforts.},
keywords = {macOS malware, Malware behavior, MITRE ATT&CK framework, Static and dynamic analysis},
pubstate = {published},
tppubtype = {article}
}
Gutiérrez, Esteban Damián; Narváez, Christian Mauricio; Gutiérrez, Manuel; Rodríguez, Ricardo J.
Real-Time IDS for Digital Substations: From Lab to Field Deployment Proceedings Article
In: CIGRE Paris Session 2026, Paris, France, 2026, (Accepted for publication. To appear.).
@inproceedings{Gutierrez2026,
title = {Real-Time IDS for Digital Substations: From Lab to Field Deployment},
author = {Esteban Damián Gutiérrez and Christian Mauricio Narváez and Manuel Gutiérrez and Ricardo J. Rodríguez},
year = {2026},
date = {2026-08-01},
booktitle = {CIGRE Paris Session 2026},
address = {Paris, France},
abstract = {This paper presents an end-to-end intrusion detection framework for digital substations, spanning dataset construction, model development, embedded deployment, and field-oriented validation. A hybrid dataset is leveraged, combining traffic traces collected from operational substations with laboratory-generated traces designed to emulate cyberattack behaviors that cannot be safely reproduced in critical infrastructure environments. On this basis, a machine learning-based intrusion detection system (IDS) is trained to identify anomalous IEC 61850 communications, with particular emphasis on GOOSE messaging and substation-specific traffic dynamics. To bridge the gap between offline analysis and operational use, the IDS is integrated into SecureBox, an embedded cybersecurity device engineered for substation deployment. The implementation supports real-time packet capture and on-the-fly feature extraction, enabling continuous monitoring directly at the network interface with minimal operational disruption. Alerts and telemetry are exported to higher-level monitoring components to facilitate centralized correlation and response. The proposed approach provides a practical and reproducible pathway from controlled experimentation toward field deployment-oriented IDS framework with preliminary laboratory validation and ongoing fieldevaluation, addressing common constraints such as limited availability of real attack traces, strict uptime requirements, and the need for low-overhead edge execution. The resulting framework establishes a reproducible methodology for transitioning IDS research from laboratory conditions toward real-world substation environments.},
note = {Accepted for publication. To appear.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Pelayo-Benedet, Tomás; Rodríguez, Ricardo J.
Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models Proceedings Article
In: Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2026.
Abstract | BibTeX | Tags: Adversarial Machine Learning, Benchmarking, Botnet Detection, domain generation algorithms, Evasion Attacks
@inproceedings{PelayoBenedet2026,
title = {Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models},
author = {Tomás Pelayo-Benedet and Ricardo J. Rodríguez},
year = {2026},
date = {2026-01-01},
booktitle = {Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
abstract = {Adversarial Domain Generation Algorithms (DGAs) pose a growing threat to botnet detection systems; however, the lack of a standardized evaluation makes comparing existing models virtually impossible. We present an open-source benchmarking framework that evaluates four adversarial DGA models (DeepDGA, CharBot, Deception, and MaskDGA) in a unified environment, assessing lexical characteristics, detection evasion against LSTM and CNN classifiers, and computational cost. Our results show that CharBot and Deception consistently outperform the other two models: both achieve evasion rates above 75% with a training time of less than two seconds. DeepDGA and MaskDGA, despite their complexity, exhibit evasion rates below 21% in all cases. These findings highlight that lexical similarity to benign domains is related to evasion success, and that computational cost does not necessarily translate into effectiveness.},
keywords = {Adversarial Machine Learning, Benchmarking, Botnet Detection, domain generation algorithms, Evasion Attacks},
pubstate = {published},
tppubtype = {inproceedings}
}
Pelayo-Benedet, Tomás; Rodríguez, Ricardo J.
A Systematic Literature Review of Adversarial Domain Generation and Defense Journal Article
In: Machine Learning with Applications, vol. 24, pp. 100888, 2026, ISSN: 2666-8270.
Abstract | Links | BibTeX | Tags: Adversarial Learning, Domain Generation Algorithm, Generative Adversarial Networks, Systematic Literature Review
@article{PelayoBenedet2026a,
title = {A Systematic Literature Review of Adversarial Domain Generation and Defense},
author = {Tomás Pelayo-Benedet and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/PelayoBenedetR-MLWA-26.pdf},
doi = {10.1016/j.mlwa.2026.100888},
issn = {2666-8270},
year = {2026},
date = {2026-06-01},
journal = {Machine Learning with Applications},
volume = {24},
pages = {100888},
abstract = {Domain Generation Algorithms (DGAs) have long allowed malware to maintain persistent command and control channels by evading static blocklists. However, this dynamic has evolved into a sophisticated arms race: DGAs are no longer simply random but are now optimized to actively deceive detection systems. This paper presents a systematic literature review analyzing 32 primary studies (2016–2025) at the intersection of algorithmically generated domain detection and adversarial machine learning. We construct a comprehensive taxonomy of the evasion landscape, mapping the progression from simple character perturbations to advanced generative adversarial networks and semantic mimicry. Our analysis reveals two systemic flaws in the state of the art. First, we identify a significant deployment gap, where proposed defenses ignore operational realities, such as strict latency limits and the need for false positive rates below $0.1%$. Second, we highlight a serious reproducibility crisis driven by a lack of public code and standardized datasets. We conclude by proposing a roadmap to standardize assessment frameworks and bridge the gap between theoretical soundness and operational feasibility.},
keywords = {Adversarial Learning, Domain Generation Algorithm, Generative Adversarial Networks, Systematic Literature Review},
pubstate = {published},
tppubtype = {article}
}
Raducu, Razvan; Rodríguez, Ricardo J.; Álvarez, Pedro
A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications Journal Article
In: The Computer Journal, 2026, (Accepted for publication. To appear.).
Abstract | Links | BibTeX | Tags: behavior graphs, call graphs, category graphs, Dynamic Analysis, malware, Windows
@article{Raducu2026,
title = {A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications},
author = {Razvan Raducu and Ricardo J. Rodríguez and Pedro Álvarez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RaducuRA-COMPJ-26.pdf},
year = {2026},
date = {2026-01-01},
journal = {The Computer Journal},
publisher = {Oxford University Press},
abstract = {The increasing sophistication of malicious software (em malware) requires advanced tools to effectively analyze and counter threats. In this paper, we present sc MalGraphIQ, a dynamic analysis system designed to understand the behavior of unknown Windows binaries by introducing the em Windows Behavior Catalog (WBC). The WBC is a new repository of behavioral patterns inspired by MITRE's Malware Behavior Catalog (MBC), which systematically catalogs key APIs and system calls used by Windows binaries to exhibit specific behaviors. By leveraging sandbox technologies (specifically, CAPEv2), our dynamic analysis system uses the WBC to detect and quantify behaviors in programs, regardless of whether they are malicious or benign. It also generates graph-based visual representations of these behaviors, simplifying the interpretation of the actions performed by the program. To evaluate its effectiveness, we apply our system to multiple malware families and validate the results using cross-validation, demonstrating its ability to uncover specific actions and behavioral patterns across different malware samples and unknown binaries. The results show the system’s ability to detect behavioral patterns and distinguish between different types of malware, with an accuracy of up to 0.96 and an F1 score of 0.92, underlining the potential of our approach in malware detection and program behavioral analysis.},
note = {Accepted for publication. To appear.},
keywords = {behavior graphs, call graphs, category graphs, Dynamic Analysis, malware, Windows},
pubstate = {published},
tppubtype = {article}
}
Ruiz-Lezcano, Pablo; Uroz, Daniel; Rodríguez, Ricardo J.
sc MARISSA: Efficient Inference of Network Protocols using Similarity Digest Clustering and Multiple Sequence Algorithms Proceedings Article
In: Proceedings of the 11th IEEE European Symposium on Security and Privacy (EuroS&P 2026), pp. 1300–1313, IEEE, Lisbon, Portugal, 2026.
Links | BibTeX | Tags: clustering, multiple sequence alignment, network protocol inference, reverse engineering, similarity digests
@inproceedings{RuizLezcano2026,
title = {sc MARISSA: Efficient Inference of Network Protocols using Similarity Digest Clustering and Multiple Sequence Algorithms},
author = {Pablo Ruiz-Lezcano and Daniel Uroz and Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RuizLezcanoUR-EuroSP-26.pdf},
doi = {10.1109/EuroSP68448.2026.00084},
year = {2026},
date = {2026-07-01},
booktitle = {Proceedings of the 11th IEEE European Symposium on Security and Privacy (EuroS&P 2026)},
pages = {1300–1313},
publisher = {IEEE},
address = {Lisbon, Portugal},
keywords = {clustering, multiple sequence alignment, network protocol inference, reverse engineering, similarity digests},
pubstate = {published},
tppubtype = {inproceedings}
}
Huici, Daniel; Yousefnezhad, Narges; Rodríguez, Ricardo J.; Costin, Andrei
Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests Proceedings Article
In: Proceedings of the Workshop on Binary Analysis Research (BAR) 2026, 2026, ISBN: 978-1-970672-08-4.
Abstract | Links | BibTeX | Tags: binary code similarity, firmware vulnerability triage, high-level intermediate representation, N-day vulnerabilities, similarity digests
@inproceedings{Huici2026,
title = {Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests},
author = {Daniel Huici and Narges Yousefnezhad and Ricardo J. Rodríguez and Andrei Costin},
url = {https://webdiis.unizar.es/~ricardo/files/papers/HuiciYRC-BAR-26.pdf},
doi = {10.14722/bar.2026.23027},
isbn = {978-1-970672-08-4},
year = {2026},
date = {2026-01-01},
booktitle = {Proceedings of the Workshop on Binary Analysis Research (BAR) 2026},
abstract = {Tracking N-day vulnerabilities in fragmented firmware ecosystems is an open challenge, often hampered by the disconnect between abstract CVE descriptions and the binary code actually distributed in production and connected devices. In this paper, we present a generic CVE-based framework for correlating vulnerable files in heterogeneous firmware images using similarity digests. Our approach leverages sc APOTHEOSIS, an open-source approximate nearest neighbor search system, to scale similarity queries across massive collections of artifacts. To bridge the semantic gap between vulnerability reports and binary reality, we introduce an automated process that lifts confirmed vulnerable implementations to high-level intermediate representations and generates function-level search signatures. We demonstrate the effectiveness of this system as a rapid triage tool using the sc OpenWrt ecosystem as a case study. In the event of a new CVE disclosure, our approach allows analysts to consult the pre-created sc APOTHEOSIS index to immediately generate a prioritized list of affected firmware versions, significantly accelerating impact assessment without being dependent on reliable nor accurate vendor/CVE metadata or source code.},
keywords = {binary code similarity, firmware vulnerability triage, high-level intermediate representation, N-day vulnerabilities, similarity digests},
pubstate = {published},
tppubtype = {inproceedings}
}
Carrillo-Mondéjar, Javier; Rodríguez, Ricardo J.
Identifying Runtime Libraries in Statically Linked Linux Binaries Journal Article
In: Future Generation Computer Systems, vol. 164, pp. 107602, 2025, ISSN: 0167-739X.
Abstract | Links | BibTeX | Tags: Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries
@article{CarrilloR-FGCS-25,
title = {Identifying Runtime Libraries in Statically Linked Linux Binaries},
author = {Javier Carrillo-Mondéjar and Ricardo J. Rodríguez},
url = {http://webdiis.unizar.es/~ricardo/files/papers/CarrilloR-FGCS-25.pdf},
doi = {10.1016/j.future.2024.107602},
issn = {0167-739X},
year = {2025},
date = {2025-01-01},
journal = {Future Generation Computer Systems},
volume = {164},
pages = {107602},
abstract = {Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce tt MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. tt MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (tt MIPSeb, tt ARMel, tt Intel x86, and tt Intel x86-64) and different runtime libraries (tt uClibc, tt glibc, and tt musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the tt binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4%$ and $95.5%$, respectively) and architecture identification ($100%$ and $98.6%$, respectively).},
keywords = {Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries},
pubstate = {published},
tppubtype = {article}
}
Huici, Daniel; Rodríguez, Ricardo J.; Mena, Eduardo
APOTHEOSIS: An efficient approximate similarity search system Journal Article
In: SoftwareX, vol. 29, pp. 102016, 2025, ISSN: 2352-7110.
Abstract | Links | BibTeX | Tags: Approximate K-nearest neighbors, Approximate matching, Approximate search methods, Data similarity analysis, similarity digest algorithms
@article{HuiciRM-SoftX-25,
title = {APOTHEOSIS: An efficient approximate similarity search system},
author = {Daniel Huici and Ricardo J. Rodríguez and Eduardo Mena},
url = {https://webdiis.unizar.es/~ricardo/files/papers/HuiciRM-SoftX-25.pdf},
doi = {10.1016/j.softx.2024.102016},
issn = {2352-7110},
year = {2025},
date = {2025-02-01},
urldate = {2025-02-01},
journal = {SoftwareX},
volume = {29},
pages = {102016},
abstract = {APOTHEOSIS is a tool for efficiently identifying and comparing data similarity in large datasets, addressing challenges faced by traditional methods such as scalability and speed. APOTHEOSIS overcomes them by combining advanced algorithms and data structures, enabling fast and accurate similarity analysis. Specifically, it uses a custom hierarchical small navigation world as an approximate $K$-nearest neighbors search method, and approximate similarity digests algorithms to find common features between similar data items, also supporting various distance metrics beyond vector-based approaches. Our software tool is designed for seamless integration into research workflows, improving reproducibility and facilitating the comparison of large-scale, high-dimensional data comparison across multiple domains.},
keywords = {Approximate K-nearest neighbors, Approximate matching, Approximate search methods, Data similarity analysis, similarity digest algorithms},
pubstate = {published},
tppubtype = {article}
}
Raducu, Razvan; Villagrasa-Labrador, Alain; Rodríguez, Ricardo J.; Álvarez, Pedro
MALVADA: A Framework for Generating Datasets of Malware Execution Traces Journal Article
In: SoftwareX, vol. 30, pp. 102082, 2025, ISSN: 2352-7110.
Abstract | Links | BibTeX | Tags: Dataset generation, Execution traces, Malware behavior, Malware classification
@article{RaducuVRA-SoftwareX-25,
title = {MALVADA: A Framework for Generating Datasets of Malware Execution Traces},
author = {Razvan Raducu and Alain Villagrasa-Labrador and Ricardo J. Rodríguez and Pedro Álvarez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/RaducuVRA-SoftwareX-25.pdf},
doi = {10.1016/j.softx.2025.102082},
issn = {2352-7110},
year = {2025},
date = {2025-05-01},
journal = {SoftwareX},
volume = {30},
pages = {102082},
abstract = {Malware attacks have been growing steadily in recent years, making more sophisticated detection methods necessary. These approaches typically rely on analyzing the behavior of malicious applications, for example by examining execution traces that capture their runtime behavior. However, many existing execution trace datasets are simplified, often resulting in the omission of relevant contextual information, which is essential to capture the full scope of a malware sample’s behavior. This paper introduces MALVADA, a flexible framework designed to generate extensive datasets of execution traces from Windows malware. These traces provide detailed insights into program behaviors and help malware analysts to classify a malware sample. MALVADA facilitates the creation of large datasets with minimal user effort, as demonstrated by the WinMET dataset, which includes execution traces from approximately 10,000 Windows malware samples.},
keywords = {Dataset generation, Execution traces, Malware behavior, Malware classification},
pubstate = {published},
tppubtype = {article}
}
Filho, Ailton Santos; Rodríguez, Ricardo J.; Feitosa, Eduardo L.
Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation Journal Article
In: International Journal of Information Security, vol. 24, no. 2, pp. 83, 2025, ISSN: 1615-5270.
Abstract | Links | BibTeX | Tags: Broken access control, Colored Petri nets, OpenAPI, RESTful web services, Security analysis, vulnerabilities, Web application security
@article{SantosFilhoRF-IJIS-25,
title = {Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation},
author = {Ailton Santos Filho and Ricardo J. Rodríguez and Eduardo L. Feitosa},
url = {https://webdiis.unizar.es/~ricardo/files/papers/SantosFilhoRF-IJIS-25.pdf},
doi = {10.1007/s10207-024-00970-5},
issn = {1615-5270},
year = {2025},
date = {2025-02-01},
journal = {International Journal of Information Security},
volume = {24},
number = {2},
pages = {83},
abstract = {The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named Links2CPN, which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.},
keywords = {Broken access control, Colored Petri nets, OpenAPI, RESTful web services, Security analysis, vulnerabilities, Web application security},
pubstate = {published},
tppubtype = {article}
}
Huici, Daniel; Rodríguez, Ricardo J.; Mena, Eduardo
An Extensible and Scalable System for Hash Lookup and Approximate Similarity Search with Similarity Digest Algorithms Journal Article
In: Forensic Science International: Digital Investigation, vol. 53, pp. 301930, 2025, ISSN: 2666-2817, (DFRWS USA 2025 - Selected Papers from the 25th Annual Digital Forensics Research Conference USA).
Abstract | Links | BibTeX | Tags: Approximate matching, hash lookup, similarity digest algorithms, Similarity hashing, similarity search
@article{HuiciRM-FSIDI-25,
title = {An Extensible and Scalable System for Hash Lookup and Approximate Similarity Search with Similarity Digest Algorithms},
author = {Daniel Huici and Ricardo J. Rodríguez and Eduardo Mena},
url = {https://webdiis.unizar.es/~ricardo/files/papers/HuiciRM-FSIDI-25.pdf},
doi = {10.1016/j.fsidi.2025.301930},
issn = {2666-2817},
year = {2025},
date = {2025-07-01},
journal = {Forensic Science International: Digital Investigation},
volume = {53},
pages = {301930},
abstract = {Efficient management and analysis of large volumes of digital data has emerged as a major challenge in the field of digital forensics. To quickly identify and analyze relevant artifacts within large datasets, we introduce tt Apotheosis, an approximate similarity search system designed for scalability and efficiency. Our system integrates approximate search techniques (which allow searching for a match on a close value) with Similarity Digest Algorithms (SDA; which capture common features between similar elements), using a space-saving radix tree and a graph-based hierarchical navigable small world structure to perform fast approximate nearest neighbor searches. We demonstrate the effectiveness and versatility of our system through two key case studies: first, in plagiarism detection, demonstrating the effectiveness of our system in identifying similar or duplicate documents within a large source code dataset; then, in memory artifact detection, showing its scalability and performance in processing large-scale forensic data collected from various versions of Microsoft Windows. Our comprehensive evaluation shows that tt Apotheosis not only efficiently handles large datasets, but also provides a way to evaluate the performance of various SDA and their approximate similarity search in different forensic scenarios.},
note = {DFRWS USA 2025 - Selected Papers from the 25th Annual Digital Forensics Research Conference USA},
keywords = {Approximate matching, hash lookup, similarity digest algorithms, Similarity hashing, similarity search},
pubstate = {published},
tppubtype = {article}
}
Abascal, León; Rodríguez, Ricardo J.
Poster: Extracting Cryptographic Keys from Windows Live Processes Proceedings Article
In: Egele, Manuel; Moonsamy, Veelasha; Gruss, Daniel; Carminati, Michele (Ed.): Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 213–219, Springer Nature Switzerland, Cham, 2025, ISBN: 978-3-031-97620-9.
Abstract | Links | BibTeX | Tags: cryptography, digital forensics, malware, Windows
@inproceedings{AbascalR-DIMVA-25,
title = {Poster: Extracting Cryptographic Keys from Windows Live Processes},
author = {León Abascal and Ricardo J. Rodríguez},
editor = {Manuel Egele and Veelasha Moonsamy and Daniel Gruss and Michele Carminati},
url = {https://webdiis.unizar.es/~ricardo/files/papers/AbascalR-DIMVA-25.pdf},
doi = {10.1007/978-3-031-97620-9_12},
isbn = {978-3-031-97620-9},
year = {2025},
date = {2025-01-01},
booktitle = {Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
volume = {15748},
pages = {213–219},
publisher = {Springer Nature Switzerland},
address = {Cham},
abstract = {Cryptographic keys are a fundamental aspect of modern system security, but when compromised, they become a critical vulnerability, especially in ransomware attacks. Paradoxically, these keys must be available in memory at runtime to function, creating a unique opportunity for defensive tools. We introduce nameTool, an open-source tool designed to locate cryptographic keys in active Windows processes using advanced memory analysis. Unlike traditional approaches that rely on static memory dumps, nameTool performs dynamic analysis in real time, restricting the search to process heap memory to improve efficiency and accuracy. It employs robust key identification heuristics to minimize false positives and is designed for seamless integration with Endpoint Detection and Response systems. nameTool also encourages extensibility: its open-source nature allows researchers and practitioners to enhance its capabilities with custom key detection algorithms. We validated our approach through extensive experiments involving both proof-of-concept ransomware and real-world samples, demonstrating the effectiveness of key extraction and decryption success. Our tool provides a practical path to strengthening ransomware mitigation strategies.},
keywords = {cryptography, digital forensics, malware, Windows},
pubstate = {published},
tppubtype = {inproceedings}
}
Pelayo-Benedet, Tomás; Rodríguez, Ricardo J.; Gañán, Carlos H.
Poster: Exploring the Zero-Shot Potential of Large Language Models for Detecting Algorithmically Generated Domains Proceedings Article
In: Egele, Manuel; Moonsamy, Veelasha; Gruss, Daniel; Carminati, Michele (Ed.): Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 86–92, Springer Nature Switzerland, Cham, 2025, ISBN: 978-3-031-97623-0.
Abstract | Links | BibTeX | Tags: Algorithmically Generated Domains, DNS Traffic Analysis, Large Language Models, Malware Detection
@inproceedings{PelayoBenedetRG-DIMVA-25,
title = {Poster: Exploring the Zero-Shot Potential of Large Language Models for Detecting Algorithmically Generated Domains},
author = {Tomás Pelayo-Benedet and Ricardo J. Rodríguez and Carlos H. Gañán},
editor = {Manuel Egele and Veelasha Moonsamy and Daniel Gruss and Michele Carminati},
url = {https://webdiis.unizar.es/~ricardo/files/papers/PelayoBenedetRG-DIMVA-25.pdf},
doi = {10.1007/978-3-031-97623-0_5},
isbn = {978-3-031-97623-0},
year = {2025},
date = {2025-01-01},
booktitle = {Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
volume = {15748},
pages = {86–92},
publisher = {Springer Nature Switzerland},
address = {Cham},
abstract = {Domain generation algorithms enable resilient malware communication by generating pseudo-random domain names. While traditional detection relies on task-specific algorithms, the use of Large Language Models (LLMs) to identify Algorithmically Generated Domains (AGDs) remains largely unexplored. This work evaluates nine LLMs from four major vendors in a zero-shot environment, without fine-tuning. The results show that LLMs can distinguish AGDs from legitimate domains, but they often exhibit a bias, leading to high false positive rates and overconfident predictions. Adding linguistic features offers minimal accuracy gains while increasing complexity and errors. These findings highlight both the promise and limitations of LLMs for AGD detection, indicating the need for further research before practical implementation.},
keywords = {Algorithmically Generated Domains, DNS Traffic Analysis, Large Language Models, Malware Detection},
pubstate = {published},
tppubtype = {inproceedings}
}