{"id":82,"date":"2020-02-27T21:11:28","date_gmt":"2020-02-27T21:11:28","guid":{"rendered":"https:\/\/reversea.me\/?page_id=82"},"modified":"2020-03-23T10:38:09","modified_gmt":"2020-03-23T10:38:09","slug":"publications","status":"publish","type":"page","link":"https:\/\/reversea.me\/index.php\/research\/publications\/","title":{"rendered":"Publications"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> &lt; 1<\/span> <span class=\"rt-label rt-postfix\">minute<\/span><\/span>\n<div class=\"teachpress_pub_list\"><form name=\"tppublistform\" method=\"get\"><a name=\"tppubs\" id=\"tppubs\"><\/a><div class=\"teachpress_filter\"><select class=\"default\" name=\"yr\" id=\"yr\" tabindex=\"2\" onchange=\"teachpress_jumpMenu('parent',this, 'https:\/\/reversea.me\/index.php\/research\/publications\/?')\">\r\n                   <option value=\"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=#tppubs\">All years<\/option>\r\n                   <option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2026#tppubs\" >2026<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2025#tppubs\" >2025<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2024#tppubs\" >2024<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2023#tppubs\" >2023<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2022#tppubs\" >2022<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2021#tppubs\" >2021<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2020#tppubs\" >2020<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2019#tppubs\" >2019<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2018#tppubs\" >2018<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2017#tppubs\" >2017<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2016#tppubs\" >2016<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2015#tppubs\" >2015<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2013#tppubs\" >2013<\/option><option value = \"tgid=&amp;type=&amp;auth=&amp;usr=&amp;yr=2010#tppubs\" >2010<\/option>\r\n                <\/select><select class=\"default\" name=\"type\" id=\"type\" tabindex=\"3\" onchange=\"teachpress_jumpMenu('parent',this, 'https:\/\/reversea.me\/index.php\/research\/publications\/?')\">\r\n                   <option value=\"tgid=&amp;yr=&amp;auth=&amp;usr=&amp;type=#tppubs\">All types<\/option>\r\n                   <option value = \"tgid=&amp;yr=&amp;auth=&amp;usr=&amp;type=article#tppubs\" >Journal Articles<\/option><option value = \"tgid=&amp;yr=&amp;auth=&amp;usr=&amp;type=incollection#tppubs\" >Book Sections<\/option><option value = \"tgid=&amp;yr=&amp;auth=&amp;usr=&amp;type=inproceedings#tppubs\" >Proceedings Articles<\/option>\r\n                <\/select><select class=\"default\" name=\"tgid\" id=\"tgid\" tabindex=\"4\" onchange=\"teachpress_jumpMenu('parent',this, 'https:\/\/reversea.me\/index.php\/research\/publications\/?')\">\r\n                   <option value=\"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=#tppubs\">All tags<\/option>\r\n                   <option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=127#tppubs\" >adversarial example<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=120#tppubs\" >adversarial examples<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=221#tppubs\" >Adversarial Learning<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=216#tppubs\" >Adversarial Machine Learning<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=99#tppubs\" >Adversarial malware example<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=190#tppubs\" >Algorithmically Generated Domains<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=195#tppubs\" >algorithmically generated domains detection<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=106#tppubs\" >AMQP 1.0<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=95#tppubs\" >analysis evasion<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=21#tppubs\" >Analysis-aware malware<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=76#tppubs\" >Android<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=23#tppubs\" >Anti-analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=70#tppubs\" >anti-forensics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=20#tppubs\" >Anti-instrumentation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=174#tppubs\" >Approximate K-nearest neighbors<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=85#tppubs\" >Approximate matching<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=173#tppubs\" >Approximate search methods<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=6#tppubs\" >APT<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=3#tppubs\" >attacks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=25#tppubs\" >Authenticode<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=36#tppubs\" >Auto-start extensibility points<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=94#tppubs\" >automatic exploit<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=114#tppubs\" >avoidance techniques<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=17#tppubs\" >Bayesian networks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=225#tppubs\" >behavior graphs<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=204#tppubs\" >Behavioral execution trace<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=200#tppubs\" >Behavioral Patterns<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=218#tppubs\" >Benchmarking<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=151#tppubs\" >Binary code analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=234#tppubs\" >binary code similarity<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=217#tppubs\" >Botnet Detection<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=184#tppubs\" >Broken access control<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=89#tppubs\" >Bytewise<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=42#tppubs\" >bytewise approximate matching<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=154#tppubs\" >c&amp;c lifetime<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=224#tppubs\" >call graphs<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=71#tppubs\" >categorization<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=226#tppubs\" >category graphs<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=40#tppubs\" >characterization<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=5#tppubs\" >classification<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=90#tppubs\" >Classification scheme<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=163#tppubs\" >Cloud computing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=229#tppubs\" >clustering<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=107#tppubs\" >CoAP 1.0<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=27#tppubs\" >code signing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=182#tppubs\" >Colored Petri nets<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=202#tppubs\" >Comparative Malware Analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=57#tppubs\" >contactless cards<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=77#tppubs\" >contactless payment<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=139#tppubs\" >critical infrastructure<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=134#tppubs\" >cryptographic libraries<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=188#tppubs\" >cryptography<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=119#tppubs\" >cyber-attacks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=62#tppubs\" >Cyber-Physical Security<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=14#tppubs\" >Cyber-physical systems<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=7#tppubs\" >Cyberattacks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=115#tppubs\" >cybersecurity<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=108#tppubs\" >Data Exfiltration<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=162#tppubs\" >Data privacy<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=175#tppubs\" >Data similarity analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=176#tppubs\" >Dataset generation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=165#tppubs\" >Datatracking<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=51#tppubs\" >deanonymization<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=121#tppubs\" >deep learning<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=96#tppubs\" >digital forensics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=26#tppubs\" >digital signature verification<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=131#tppubs\" >DLL hijacking<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=191#tppubs\" >DNS Traffic Analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=220#tppubs\" >Domain Generation Algorithm<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=144#tppubs\" >domain generation algorithms<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=34#tppubs\" >Domain-generated algorithms<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=157#tppubs\" >Dynamic Analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=65#tppubs\" >Dynamic Bayesian Networks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=22#tppubs\" >Dynamic binary instrumentation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=60#tppubs\" >Dynamic State Machines<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=30#tppubs\" >Dynamic transient analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=92#tppubs\" >evaluation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=219#tppubs\" >Evasion Attacks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=53#tppubs\" >Evolution<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=178#tppubs\" >Execution traces<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=79#tppubs\" >fault-tolerant techniques<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=124#tppubs\" >federated learning<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=112#tppubs\" >file-based race condition<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=232#tppubs\" >firmware vulnerability triage<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=196#tppubs\" >forensic artifacts<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=43#tppubs\" >forensic memory analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=69#tppubs\" >forensics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=126#tppubs\" >free-rider attack<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=86#tppubs\" >Fuzzy hashing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=161#tppubs\" >General data protection regulation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=122#tppubs\" >generalization<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=18#tppubs\" >Generalized stochastic Petri nets<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=100#tppubs\" >Generative adversarial network<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=222#tppubs\" >Generative Adversarial Networks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=186#tppubs\" >hash lookup<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=209#tppubs\" >Heap Forensics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=50#tppubs\" >hidden services<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=235#tppubs\" >high-level intermediate representation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=58#tppubs\" >identity cards<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=172#tppubs\" >IEC104<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=171#tppubs\" >IEC60870-5-104<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=170#tppubs\" >IEC61850<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=215#tppubs\" >indicators of compromise<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=146#tppubs\" >Industrial Control Systems<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=104#tppubs\" >instant messaging<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=81#tppubs\" >integer-linear programming<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=128#tppubs\" >interpretability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=1#tppubs\" >iOS<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=149#tppubs\" >IoT<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=155#tppubs\" >iot malware<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=109#tppubs\" >IoT Protocols<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=189#tppubs\" >Large Language Models<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=29#tppubs\" >Lateral movement-based attack<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=138#tppubs\" >learning outcomes<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=210#tppubs\" >Low Fragmentation Heap<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=145#tppubs\" >LSTM<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=101#tppubs\" >Machine learning<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=193#tppubs\" >machine learning models<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=211#tppubs\" >macOS malware<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=2#tppubs\" >malware<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=199#tppubs\" >Malware Analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=38#tppubs\" >Malware analysis service<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=177#tppubs\" >Malware behavior<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=179#tppubs\" >Malware classification<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=192#tppubs\" >Malware Detection<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=102#tppubs\" >Malware detector<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=203#tppubs\" >Malware dynamic analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=159#tppubs\" >Malware Evolution<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=158#tppubs\" >Malware IoT<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=160#tppubs\" >Malware lineage<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=8#tppubs\" >Markov chains<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=24#tppubs\" >memory forensics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=133#tppubs\" >memory usage<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=117#tppubs\" >menaces<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=214#tppubs\" >methodology<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=212#tppubs\" >MITRE ATT&amp;CK framework<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=63#tppubs\" >Modbus<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=61#tppubs\" >Model checking<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=168#tppubs\" >Model validation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=67#tppubs\" >model-based<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=110#tppubs\" >MQTT 3.1.1<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=111#tppubs\" >MQTT 5.0<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=230#tppubs\" >multiple sequence alignment<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=233#tppubs\" >N-day vulnerabilities<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=227#tppubs\" >network protocol inference<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=194#tppubs\" >neural network models<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=56#tppubs\" >NFC<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=31#tppubs\" >Non-homogeneous continuous-time Markov chain<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=169#tppubs\" >Object Constraint Language<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=136#tppubs\" >OCaml<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=181#tppubs\" >OpenAPI<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=198#tppubs\" >operating system Windows<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=123#tppubs\" >optimization<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=98#tppubs\" >paging<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=147#tppubs\" >Penetration Testing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=78#tppubs\" >Performability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=132#tppubs\" >performance evaluation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=80#tppubs\" >Petri nets<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=32#tppubs\" >Piecewise constant approximation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=52#tppubs\" >POS RAM scraping<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=49#tppubs\" >privacy<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=125#tppubs\" >privacy data<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=68#tppubs\" >program binary analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=46#tppubs\" >Quantitative analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=33#tppubs\" >Random Forest<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=45#tppubs\" >Reactive defense strategy<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=75#tppubs\" >relay attacks<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=84#tppubs\" >relocation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=116#tppubs\" >resilience<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=143#tppubs\" >Resource Degradation<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=135#tppubs\" >resource-constrained devices<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=180#tppubs\" >RESTful web services<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=231#tppubs\" >reverse engineering<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=129#tppubs\" >robustness<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=91#tppubs\" >ROP chain<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=153#tppubs\" >Runtime library identification<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=39#tppubs\" >sandbox<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=59#tppubs\" >SCADA control systems<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=47#tppubs\" >Security<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=183#tppubs\" >Security analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=64#tppubs\" >security assessment<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=148#tppubs\" >Security Auditing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=10#tppubs\" >Security metrics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=142#tppubs\" >Semi-Markov Process<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=74#tppubs\" >sensitive analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=88#tppubs\" >Similarity digest algorithm<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=83#tppubs\" >similarity digest algorithms<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=228#tppubs\" >similarity digests<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=87#tppubs\" >Similarity hashing<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=187#tppubs\" >similarity search<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=55#tppubs\" >Software security<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=72#tppubs\" >software system engineering<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=156#tppubs\" >Static Analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=213#tppubs\" >Static and dynamic analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=152#tppubs\" >Statically linked binaries<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=164#tppubs\" >Sticky policies<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=9#tppubs\" >Stochastic reward nets<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=137#tppubs\" >summer school<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=11#tppubs\" >Survivability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=197#tppubs\" >system binaries<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=205#tppubs\" >System calls<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=35#tppubs\" >System persistence<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=223#tppubs\" >Systematic Literature Review<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=54#tppubs\" >Taxonomy<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=105#tppubs\" >Telegram Desktop<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=140#tppubs\" >testbed<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=4#tppubs\" >threats<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=113#tppubs\" >TOCTOU vulnerability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=48#tppubs\" >Tor<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=103#tppubs\" >Transferability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=12#tppubs\" >Transient analysis<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=93#tppubs\" >Turing-completeness<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=73#tppubs\" >UML<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=16#tppubs\" >UML profile<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=167#tppubs\" >UMLprofiling<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=166#tppubs\" >Unified Modeling Language<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=41#tppubs\" >unlikeability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=141#tppubs\" >Unmanned Aerial Vehicle<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=201#tppubs\" >Visual Analytics<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=28#tppubs\" >Volatility<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=208#tppubs\" >Volatility 3<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=118#tppubs\" >vulnerabilities<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=66#tppubs\" >vulnerability<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=15#tppubs\" >Vulnerability assessment<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=185#tppubs\" >Web application security<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=130#tppubs\" >white-box attack<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=44#tppubs\" >Windows<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=206#tppubs\" >Windows API<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=97#tppubs\" >Windows modules<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=207#tppubs\" >Windows NT Heap<\/option><option value = \"yr=&amp;type=&amp;auth=&amp;usr=&amp;tgid=37#tppubs\" >Windows registry<\/option>\r\n                <\/select><select class=\"default\" name=\"auth\" id=\"auth\" tabindex=\"5\" onchange=\"teachpress_jumpMenu('parent',this, 'https:\/\/reversea.me\/index.php\/research\/publications\/?')\">\r\n                   <option value=\"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=#tppubs\">All authors<\/option>\r\n                   <option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=140#tppubs\" > Abascal, Le\u00f3n<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=112#tppubs\" > Alvarez, Pedro<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=120#tppubs\" > Bai, Jing<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=116#tppubs\" > Blanco, Roberto<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=98#tppubs\" > Breitinger, Frank<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=131#tppubs\" > Cambronero\u200b, Mar\u00eda Emilia<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=148#tppubs\" > Carrillo, Javier<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=126#tppubs\" > Carrillo-Mond\u00e9jar, Javier<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=115#tppubs\" > Chang, Xialoin<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=107#tppubs\" > Chang, Xiaolin<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=128#tppubs\" > Costin, Andrei<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=103#tppubs\" > Feitosa, Eduardo L<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=139#tppubs\" > Feitosa, Eduardo L.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=110#tppubs\" > Fern\u00e1ndez-\u00c1lvarez, Pedro<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=102#tppubs\" > Filho, Ailton Santos<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=130#tppubs\" > Ga\u00f1\u00e1n, Carlos H.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=149#tppubs\" > Guti\u00e9rrez, Esteban Dami\u00e1n<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=151#tppubs\" > Guti\u00e9rrez, Manuel<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=99#tppubs\" > Hern\u00e1ndez-Bejarano, Miguel<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=136#tppubs\" > Huici, Daniel<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=135#tppubs\" > Kotsiuba, Igor<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=122#tppubs\" > Li, Shupan<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=114#tppubs\" > Liu, Jiqiang<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=133#tppubs\" > Llana\u200b, Luis<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=124#tppubs\" > Marcos, Ibai<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=123#tppubs\" > Marrone, Stefano<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=16#tppubs\" > Mart\u00edn-P\u00e9rez, Miguel<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=132#tppubs\" > Mart\u00ednez, Miguel A.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=137#tppubs\" > Mena, Eduardo<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=100#tppubs\" > Merseguer, Jos\u00e9<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=147#tppubs\" > Mir\u00f3, Daniel Lastanao<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=117#tppubs\" > Mlot, Esteban Dami\u00e1n Guti\u00e9rrez<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=150#tppubs\" > Narv\u00e1ez, Christian Mauricio<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=145#tppubs\" > Pelayo-Benedet, Tom\u00e1s<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=146#tppubs\" > Pinilla, Abraham D\u00edaz-Campo<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=125#tppubs\" > Porzio, Giuseppe<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=113#tppubs\" >de Quir\u00f3s, Jorge Garc\u00eda<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=111#tppubs\" > Raducu, Razvan<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=129#tppubs\" > Rodr'\u0131guez, Ricardo J.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=2#tppubs\" > Rodr\u00edguez, Ricardo J<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=101#tppubs\" > Rodr\u00edguez, Ricardo J.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=119#tppubs\" > Rodr\u0131\u0301guez, Ricardo J.<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=152#tppubs\" > Ruiz-Lezcano, Pablo<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=134#tppubs\" > Russo, Alejandro<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=118#tppubs\" > Saldana, Jose<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=104#tppubs\" > Selvi, Jose<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=105#tppubs\" > Soria-Olivas, Emilio<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=127#tppubs\" > Su\u00e1rez-Tangil, Guillermo<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=121#tppubs\" > Trivedi, Kishor<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=4#tppubs\" > Uroz, Daniel<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=138#tppubs\" > Villagrasa-Labrador, Alain<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=106#tppubs\" > Wang, Jianhua<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=108#tppubs\" > Wang, Yixiang<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=153#tppubs\" > Yousefnezhad, Narges<\/option><option value = \"tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=109#tppubs\" > Zhang, Jianan<\/option>\r\n                <\/select><\/div><\/form><div class=\"tablenav\"><div class=\"tablenav-pages\"><span class=\"displaying-num\">68 entries<\/span> <a class=\"page-numbers button disabled\">&laquo;<\/a> <a class=\"page-numbers button disabled\">&lsaquo;<\/a> 1 of 5 <a href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?limit=2&amp;tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=&amp;tsr=#tppubs\" title=\"next page\" class=\"page-numbers button\">&rsaquo;<\/a> <a href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?limit=5&amp;tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=&amp;tsr=#tppubs\" title=\"last page\" class=\"page-numbers button\">&raquo;<\/a> <\/div><\/div><div class=\"teachpress_publication_list\"><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Uroz, Daniel;  Pinilla, Abraham D\u00edaz-Campo;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('136','tp_links')\" style=\"cursor:pointer;\">Structural Analysis of the Windows NT Heap for Memory Forensics<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">Forensic Science International: Digital Investigation, <\/span><span class=\"tp_pub_additional_volume\">vol. PP, <\/span><span class=\"tp_pub_additional_number\">no. PP, <\/span><span class=\"tp_pub_additional_pages\">pp. PP, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2666-2817<\/span><span class=\"tp_pub_additional_note\">, (Selected Papers of the Thirdteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.)<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_136\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('136','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_136\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('136','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_136\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('136','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=209#tppubs\" title=\"Show all publications which have a relationship to this tag\">Heap Forensics<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=210#tppubs\" title=\"Show all publications which have a relationship to this tag\">Low Fragmentation Heap<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=24#tppubs\" title=\"Show all publications which have a relationship to this tag\">memory forensics<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=208#tppubs\" title=\"Show all publications which have a relationship to this tag\">Volatility 3<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=207#tppubs\" title=\"Show all publications which have a relationship to this tag\">Windows NT Heap<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_136\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Uroz2026,<br \/>\r\ntitle = {Structural Analysis of the Windows NT Heap for Memory Forensics},<br \/>\r\nauthor = {Daniel Uroz and Abraham D\u00edaz-Campo Pinilla and Ricardo J. Rodr\u00edguez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/UrozDR-FSIDI-26.pdf},<br \/>\r\nissn = {2666-2817},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-03-01},<br \/>\r\njournal = {Forensic Science International: Digital Investigation},<br \/>\r\nvolume = {PP},<br \/>\r\nnumber = {PP},<br \/>\r\npages = {PP},<br \/>\r\nabstract = {Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called tt HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with tt WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.},<br \/>\r\nnote = {Selected Papers of the Thirdteenth Annual DFRWS Europe Conference. Accepted for publication. To appear.},<br \/>\r\nkeywords = {Heap Forensics, Low Fragmentation Heap, memory forensics, Volatility 3, Windows NT Heap},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('136','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_136\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Modern attacks increasingly target user-space memory, leveraging dynamic heap allocations to store payloads, obfuscate runtime behavior, and evade traditional detection mechanisms. These heap-based techniques complicate memory forensics, as existing tools typically treat dynamic memory as a flat, unstructured region. To address this gap, in this paper we present a forensic methodology for the extraction and structural analysis of Windows NT heap entries, implemented in an open-source plugin for the Volatility 3 framework, called tt HeapList. Our approach supports all major Windows versions, from Vista to Windows 11, on both x86 and x64 architectures. We reconstruct the backend and frontend heap layers, decode encoded metadata, and enable navigation and directed extraction of heap entries. We validate our methodology through cross-verification with tt WinDbg and controlled testing using the Windows Heap API. Additionally, we discuss how our plugin can facilitate reverse engineering, the identification of dynamic payloads, heap layout inspection, and memory triage. By providing structured access to user-space heap memory, our work improves forensic visibility into dynamic memory and enables deeper analysis of heap-centric behavior in modern threat landscapes. Finally, we demonstrate the applicability of our approach in real-world scenarios by extracting information relevant to forensic analysis of user-space applications (specifically, from Telegram Desktop) through heap analysis.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('136','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_136\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/UrozDR-FSIDI-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/UrozDR-FSIDI-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/UrozDR-FSIDI-26.pdf<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('136','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Mir\u00f3, Daniel Lastanao;  Carrillo, Javier;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('137','tp_links')\" style=\"cursor:pointer;\">Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">Computers &amp; Security, <\/span><span class=\"tp_pub_additional_volume\">vol. 162, <\/span><span class=\"tp_pub_additional_pages\">pp. 104806, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 0167-4048<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_137\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('137','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_137\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('137','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_137\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('137','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=211#tppubs\" title=\"Show all publications which have a relationship to this tag\">macOS malware<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=177#tppubs\" title=\"Show all publications which have a relationship to this tag\">Malware behavior<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=212#tppubs\" title=\"Show all publications which have a relationship to this tag\">MITRE ATT&amp;CK framework<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=213#tppubs\" title=\"Show all publications which have a relationship to this tag\">Static and dynamic analysis<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_137\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Miro2026,<br \/>\r\ntitle = {Characterizing Tactics, Techniques, and Procedures in the macOS Threat Landscape},<br \/>\r\nauthor = {Daniel Lastanao Mir\u00f3 and Javier Carrillo and Ricardo J. Rodr\u00edguez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/LastanaoCR-COSE-26.pdf},<br \/>\r\ndoi = {10.1016\/j.cose.2025.104806},<br \/>\r\nissn = {0167-4048},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-03-01},<br \/>\r\njournal = {Computers & Security},<br \/>\r\nvolume = {162},<br \/>\r\npages = {104806},<br \/>\r\nabstract = {As macOS systems increasingly become malware targets, understanding the tactics, techniques, and procedures (TTPs) used by adversaries is essential to improving defense strategies. This paper provides a systematic and detailed analysis of macOS malware using the MITRE ATT&CK framework, focusing on TTPs at key stages of the malware attack cycle. Leveraging a comprehensive dataset of 57,636 macOS malware samples collected between November 2006 and October 2024, we employ both static and dynamic analysis techniques to uncover patterns in adversary behavior. Our analysis, primarily based on static analysis techniques, offers a broad representation of macOS malware and highlights common characteristics across samples. While we only partially explore dynamic behaviors, we identify recurring patterns that align with specific TTPs in the MITRE ATT&CK framework, such as persistence and defense evasion. This mapping contributes to a more structured understanding of macOS threats and can help inform future detection and mitigation efforts.},<br \/>\r\nkeywords = {macOS malware, Malware behavior, MITRE ATT&amp;CK framework, Static and dynamic analysis},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('137','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_137\" style=\"display:none;\"><div class=\"tp_abstract_entry\">As macOS systems increasingly become malware targets, understanding the tactics, techniques, and procedures (TTPs) used by adversaries is essential to improving defense strategies. This paper provides a systematic and detailed analysis of macOS malware using the MITRE ATT&amp;CK framework, focusing on TTPs at key stages of the malware attack cycle. Leveraging a comprehensive dataset of 57,636 macOS malware samples collected between November 2006 and October 2024, we employ both static and dynamic analysis techniques to uncover patterns in adversary behavior. Our analysis, primarily based on static analysis techniques, offers a broad representation of macOS malware and highlights common characteristics across samples. While we only partially explore dynamic behaviors, we identify recurring patterns that align with specific TTPs in the MITRE ATT&amp;CK framework, such as persistence and defense evasion. This mapping contributes to a more structured understanding of macOS threats and can help inform future detection and mitigation efforts.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('137','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_137\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/LastanaoCR-COSE-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/LastanaoCR-COSE-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/LastanaoCR-COSE-26.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.cose.2025.104806\" title=\"Follow DOI:10.1016\/j.cose.2025.104806\" target=\"_blank\">doi:10.1016\/j.cose.2025.104806<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('137','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Guti\u00e9rrez, Esteban Dami\u00e1n;  Narv\u00e1ez, Christian Mauricio;  Guti\u00e9rrez, Manuel;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\">Real-Time IDS for Digital Substations: From Lab to Field Deployment <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_booktitle\">CIGRE Paris Session 2026, <\/span><span class=\"tp_pub_additional_address\">Paris, France, <\/span><span class=\"tp_pub_additional_year\">2026<\/span><span class=\"tp_pub_additional_note\">, (Accepted for publication. To appear.)<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_140\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('140','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_140\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('140','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_140\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Gutierrez2026,<br \/>\r\ntitle = {Real-Time IDS for Digital Substations: From Lab to Field Deployment},<br \/>\r\nauthor = {Esteban Dami\u00e1n Guti\u00e9rrez and Christian Mauricio Narv\u00e1ez and Manuel Guti\u00e9rrez and Ricardo J. Rodr\u00edguez},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-08-01},<br \/>\r\nbooktitle = {CIGRE Paris Session 2026},<br \/>\r\naddress = {Paris, France},<br \/>\r\nabstract = {This paper presents an end-to-end intrusion detection framework for digital substations, spanning dataset construction, model development, embedded deployment, and field-oriented validation. A hybrid dataset is leveraged, combining traffic traces collected from operational substations with laboratory-generated traces designed to emulate cyberattack behaviors that cannot be safely reproduced in critical infrastructure environments. On this basis, a machine learning-based intrusion detection system (IDS) is trained to identify anomalous IEC 61850 communications, with particular emphasis on GOOSE messaging and substation-specific traffic dynamics. To bridge the gap between offline analysis and operational use, the IDS is integrated into SecureBox, an embedded cybersecurity device engineered for substation deployment. The implementation supports real-time packet capture and on-the-fly feature extraction, enabling continuous monitoring directly at the network interface with minimal operational disruption. Alerts and telemetry are exported to higher-level monitoring components to facilitate centralized correlation and response. The proposed approach provides a practical and reproducible pathway from controlled experimentation toward field deployment-oriented IDS framework with preliminary laboratory validation and ongoing fieldevaluation, addressing common constraints such as limited availability of real attack traces, strict uptime requirements, and the need for low-overhead edge execution. The resulting framework establishes a reproducible methodology for transitioning IDS research from laboratory conditions toward real-world substation environments.},<br \/>\r\nnote = {Accepted for publication. To appear.},<br \/>\r\nkeywords = {},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('140','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_140\" style=\"display:none;\"><div class=\"tp_abstract_entry\">This paper presents an end-to-end intrusion detection framework for digital substations, spanning dataset construction, model development, embedded deployment, and field-oriented validation. A hybrid dataset is leveraged, combining traffic traces collected from operational substations with laboratory-generated traces designed to emulate cyberattack behaviors that cannot be safely reproduced in critical infrastructure environments. On this basis, a machine learning-based intrusion detection system (IDS) is trained to identify anomalous IEC 61850 communications, with particular emphasis on GOOSE messaging and substation-specific traffic dynamics. To bridge the gap between offline analysis and operational use, the IDS is integrated into SecureBox, an embedded cybersecurity device engineered for substation deployment. The implementation supports real-time packet capture and on-the-fly feature extraction, enabling continuous monitoring directly at the network interface with minimal operational disruption. Alerts and telemetry are exported to higher-level monitoring components to facilitate centralized correlation and response. The proposed approach provides a practical and reproducible pathway from controlled experimentation toward field deployment-oriented IDS framework with preliminary laboratory validation and ongoing fieldevaluation, addressing common constraints such as limited availability of real attack traces, strict uptime requirements, and the need for low-overhead edge execution. The resulting framework establishes a reproducible methodology for transitioning IDS research from laboratory conditions toward real-world substation environments.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('140','tp_abstract')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Pelayo-Benedet, Tom\u00e1s;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\">Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_booktitle\">Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_141\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('141','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_141\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('141','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=216#tppubs\" title=\"Show all publications which have a relationship to this tag\">Adversarial Machine Learning<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=218#tppubs\" title=\"Show all publications which have a relationship to this tag\">Benchmarking<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=217#tppubs\" title=\"Show all publications which have a relationship to this tag\">Botnet Detection<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=144#tppubs\" title=\"Show all publications which have a relationship to this tag\">domain generation algorithms<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=219#tppubs\" title=\"Show all publications which have a relationship to this tag\">Evasion Attacks<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_141\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{PelayoBenedet2026,<br \/>\r\ntitle = {Poster: The Simpler, the Stealthier: A Framework for Evaluating Adversarial Domain Generation Algorithm Models},<br \/>\r\nauthor = {Tom\u00e1s Pelayo-Benedet and Ricardo J. Rodr\u00edguez},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-01-01},<br \/>\r\nbooktitle = {Proceedings of the 23rd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},<br \/>\r\nabstract = {Adversarial Domain Generation Algorithms (DGAs) pose a growing threat to botnet detection systems; however, the lack of a standardized evaluation makes comparing existing models virtually impossible. We present an open-source benchmarking framework that evaluates four adversarial DGA models (DeepDGA, CharBot, Deception, and MaskDGA) in a unified environment, assessing lexical characteristics, detection evasion against LSTM and CNN classifiers, and computational cost. Our results show that CharBot and Deception consistently outperform the other two models: both achieve evasion rates above 75% with a training time of less than two seconds. DeepDGA and MaskDGA, despite their complexity, exhibit evasion rates below 21% in all cases. These findings highlight that lexical similarity to benign domains is related to evasion success, and that computational cost does not necessarily translate into effectiveness.},<br \/>\r\nkeywords = {Adversarial Machine Learning, Benchmarking, Botnet Detection, domain generation algorithms, Evasion Attacks},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('141','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_141\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Adversarial Domain Generation Algorithms (DGAs) pose a growing threat to botnet detection systems; however, the lack of a standardized evaluation makes comparing existing models virtually impossible. We present an open-source benchmarking framework that evaluates four adversarial DGA models (DeepDGA, CharBot, Deception, and MaskDGA) in a unified environment, assessing lexical characteristics, detection evasion against LSTM and CNN classifiers, and computational cost. Our results show that CharBot and Deception consistently outperform the other two models: both achieve evasion rates above 75% with a training time of less than two seconds. DeepDGA and MaskDGA, despite their complexity, exhibit evasion rates below 21% in all cases. These findings highlight that lexical similarity to benign domains is related to evasion success, and that computational cost does not necessarily translate into effectiveness.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('141','tp_abstract')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Pelayo-Benedet, Tom\u00e1s;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('142','tp_links')\" style=\"cursor:pointer;\">A Systematic Literature Review of Adversarial Domain Generation and Defense<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">Machine Learning with Applications, <\/span><span class=\"tp_pub_additional_volume\">vol. 24, <\/span><span class=\"tp_pub_additional_pages\">pp. 100888, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2666-8270<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_142\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('142','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_142\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('142','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_142\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('142','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=221#tppubs\" title=\"Show all publications which have a relationship to this tag\">Adversarial Learning<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=220#tppubs\" title=\"Show all publications which have a relationship to this tag\">Domain Generation Algorithm<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=222#tppubs\" title=\"Show all publications which have a relationship to this tag\">Generative Adversarial Networks<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=223#tppubs\" title=\"Show all publications which have a relationship to this tag\">Systematic Literature Review<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_142\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{PelayoBenedet2026a,<br \/>\r\ntitle = {A Systematic Literature Review of Adversarial Domain Generation and Defense},<br \/>\r\nauthor = {Tom\u00e1s Pelayo-Benedet and Ricardo J. Rodr\u00edguez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetR-MLWA-26.pdf},<br \/>\r\ndoi = {10.1016\/j.mlwa.2026.100888},<br \/>\r\nissn = {2666-8270},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-06-01},<br \/>\r\njournal = {Machine Learning with Applications},<br \/>\r\nvolume = {24},<br \/>\r\npages = {100888},<br \/>\r\nabstract = {Domain Generation Algorithms (DGAs) have long allowed malware to maintain persistent command and control channels by evading static blocklists. However, this dynamic has evolved into a sophisticated arms race: DGAs are no longer simply random but are now optimized to actively deceive detection systems. This paper presents a systematic literature review analyzing 32 primary studies (2016\u20132025) at the intersection of algorithmically generated domain detection and adversarial machine learning. We construct a comprehensive taxonomy of the evasion landscape, mapping the progression from simple character perturbations to advanced generative adversarial networks and semantic mimicry. Our analysis reveals two systemic flaws in the state of the art. First, we identify a significant deployment gap, where proposed defenses ignore operational realities, such as strict latency limits and the need for false positive rates below $0.1%$. Second, we highlight a serious reproducibility crisis driven by a lack of public code and standardized datasets. We conclude by proposing a roadmap to standardize assessment frameworks and bridge the gap between theoretical soundness and operational feasibility.},<br \/>\r\nkeywords = {Adversarial Learning, Domain Generation Algorithm, Generative Adversarial Networks, Systematic Literature Review},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('142','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_142\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Domain Generation Algorithms (DGAs) have long allowed malware to maintain persistent command and control channels by evading static blocklists. However, this dynamic has evolved into a sophisticated arms race: DGAs are no longer simply random but are now optimized to actively deceive detection systems. This paper presents a systematic literature review analyzing 32 primary studies (2016\u20132025) at the intersection of algorithmically generated domain detection and adversarial machine learning. We construct a comprehensive taxonomy of the evasion landscape, mapping the progression from simple character perturbations to advanced generative adversarial networks and semantic mimicry. Our analysis reveals two systemic flaws in the state of the art. First, we identify a significant deployment gap, where proposed defenses ignore operational realities, such as strict latency limits and the need for false positive rates below $0.1%$. Second, we highlight a serious reproducibility crisis driven by a lack of public code and standardized datasets. We conclude by proposing a roadmap to standardize assessment frameworks and bridge the gap between theoretical soundness and operational feasibility.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('142','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_142\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetR-MLWA-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetR-MLWA-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetR-MLWA-26.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.mlwa.2026.100888\" title=\"Follow DOI:10.1016\/j.mlwa.2026.100888\" target=\"_blank\">doi:10.1016\/j.mlwa.2026.100888<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('142','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Raducu, Razvan;  Rodr\u00edguez, Ricardo J.;  \u00c1lvarez, Pedro<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('143','tp_links')\" style=\"cursor:pointer;\">A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">The Computer Journal, <\/span><span class=\"tp_pub_additional_year\">2026<\/span><span class=\"tp_pub_additional_note\">, (Accepted for publication. To appear.)<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_143\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('143','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_143\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('143','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_143\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('143','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=225#tppubs\" title=\"Show all publications which have a relationship to this tag\">behavior graphs<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=224#tppubs\" title=\"Show all publications which have a relationship to this tag\">call graphs<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=226#tppubs\" title=\"Show all publications which have a relationship to this tag\">category graphs<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=157#tppubs\" title=\"Show all publications which have a relationship to this tag\">Dynamic Analysis<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=2#tppubs\" title=\"Show all publications which have a relationship to this tag\">malware<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=44#tppubs\" title=\"Show all publications which have a relationship to this tag\">Windows<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_143\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{Raducu2026,<br \/>\r\ntitle = {A Graph-Based Dynamic Analysis System for Behavior Detection in Windows Applications},<br \/>\r\nauthor = {Razvan Raducu and Ricardo J. Rodr\u00edguez and Pedro \u00c1lvarez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuRA-COMPJ-26.pdf},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-01-01},<br \/>\r\njournal = {The Computer Journal},<br \/>\r\npublisher = {Oxford University Press},<br \/>\r\nabstract = {The increasing sophistication of malicious software (em malware) requires advanced tools to effectively analyze and counter threats. In this paper, we present sc MalGraphIQ, a dynamic analysis system designed to understand the behavior of unknown Windows binaries by introducing the em Windows Behavior Catalog (WBC). The WBC is a new repository of behavioral patterns inspired by MITRE's Malware Behavior Catalog (MBC), which systematically catalogs key APIs and system calls used by Windows binaries to exhibit specific behaviors. By leveraging sandbox technologies (specifically, CAPEv2), our dynamic analysis system uses the WBC to detect and quantify behaviors in programs, regardless of whether they are malicious or benign. It also generates graph-based visual representations of these behaviors, simplifying the interpretation of the actions performed by the program. To evaluate its effectiveness, we apply our system to multiple malware families and validate the results using cross-validation, demonstrating its ability to uncover specific actions and behavioral patterns across different malware samples and unknown binaries. The results show the system\u2019s ability to detect behavioral patterns and distinguish between different types of malware, with an accuracy of up to 0.96 and an F1 score of 0.92, underlining the potential of our approach in malware detection and program behavioral analysis.},<br \/>\r\nnote = {Accepted for publication. To appear.},<br \/>\r\nkeywords = {behavior graphs, call graphs, category graphs, Dynamic Analysis, malware, Windows},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('143','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_143\" style=\"display:none;\"><div class=\"tp_abstract_entry\">The increasing sophistication of malicious software (em malware) requires advanced tools to effectively analyze and counter threats. In this paper, we present sc MalGraphIQ, a dynamic analysis system designed to understand the behavior of unknown Windows binaries by introducing the em Windows Behavior Catalog (WBC). The WBC is a new repository of behavioral patterns inspired by MITRE's Malware Behavior Catalog (MBC), which systematically catalogs key APIs and system calls used by Windows binaries to exhibit specific behaviors. By leveraging sandbox technologies (specifically, CAPEv2), our dynamic analysis system uses the WBC to detect and quantify behaviors in programs, regardless of whether they are malicious or benign. It also generates graph-based visual representations of these behaviors, simplifying the interpretation of the actions performed by the program. To evaluate its effectiveness, we apply our system to multiple malware families and validate the results using cross-validation, demonstrating its ability to uncover specific actions and behavioral patterns across different malware samples and unknown binaries. The results show the system\u2019s ability to detect behavioral patterns and distinguish between different types of malware, with an accuracy of up to 0.96 and an F1 score of 0.92, underlining the potential of our approach in malware detection and program behavioral analysis.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('143','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_143\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuRA-COMPJ-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuRA-COMPJ-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuRA-COMPJ-26.pdf<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('143','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Ruiz-Lezcano, Pablo;  Uroz, Daniel;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('144','tp_links')\" style=\"cursor:pointer;\">sc MARISSA: Efficient Inference of Network Protocols using Similarity Digest Clustering and Multiple Sequence Algorithms<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_booktitle\">Proceedings of the 11th IEEE European Symposium on Security and Privacy (EuroS&amp;P 2026), <\/span><span class=\"tp_pub_additional_pages\">pp. 1300\u20131313, <\/span><span class=\"tp_pub_additional_publisher\">IEEE, <\/span><span class=\"tp_pub_additional_address\">Lisbon, Portugal, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_resource_link\"><a id=\"tp_links_sh_144\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('144','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_144\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('144','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=229#tppubs\" title=\"Show all publications which have a relationship to this tag\">clustering<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=230#tppubs\" title=\"Show all publications which have a relationship to this tag\">multiple sequence alignment<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=227#tppubs\" title=\"Show all publications which have a relationship to this tag\">network protocol inference<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=231#tppubs\" title=\"Show all publications which have a relationship to this tag\">reverse engineering<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=228#tppubs\" title=\"Show all publications which have a relationship to this tag\">similarity digests<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_144\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{RuizLezcano2026,<br \/>\r\ntitle = {sc MARISSA: Efficient Inference of Network Protocols using Similarity Digest Clustering and Multiple Sequence Algorithms},<br \/>\r\nauthor = {Pablo Ruiz-Lezcano and Daniel Uroz and Ricardo J. Rodr\u00edguez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizLezcanoUR-EuroSP-26.pdf},<br \/>\r\ndoi = {10.1109\/EuroSP68448.2026.00084},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-07-01},<br \/>\r\nbooktitle = {Proceedings of the 11th IEEE European Symposium on Security and Privacy (EuroS&P 2026)},<br \/>\r\npages = {1300\u20131313},<br \/>\r\npublisher = {IEEE},<br \/>\r\naddress = {Lisbon, Portugal},<br \/>\r\nkeywords = {clustering, multiple sequence alignment, network protocol inference, reverse engineering, similarity digests},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('144','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_144\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizLezcanoUR-EuroSP-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizLezcanoUR-EuroSP-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RuizLezcanoUR-EuroSP-26.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1109\/EuroSP68448.2026.00084\" title=\"Follow DOI:10.1109\/EuroSP68448.2026.00084\" target=\"_blank\">doi:10.1109\/EuroSP68448.2026.00084<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('144','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Huici, Daniel;  Yousefnezhad, Narges;  Rodr\u00edguez, Ricardo J.;  Costin, Andrei<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('145','tp_links')\" style=\"cursor:pointer;\">Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_booktitle\">Proceedings of the Workshop on Binary Analysis Research (BAR) 2026, <\/span><span class=\"tp_pub_additional_year\">2026<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 978-1-970672-08-4<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_145\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('145','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_145\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('145','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_145\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('145','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=234#tppubs\" title=\"Show all publications which have a relationship to this tag\">binary code similarity<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=232#tppubs\" title=\"Show all publications which have a relationship to this tag\">firmware vulnerability triage<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=235#tppubs\" title=\"Show all publications which have a relationship to this tag\">high-level intermediate representation<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=233#tppubs\" title=\"Show all publications which have a relationship to this tag\">N-day vulnerabilities<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=228#tppubs\" title=\"Show all publications which have a relationship to this tag\">similarity digests<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_145\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{Huici2026,<br \/>\r\ntitle = {Automating Firmware Vulnerability Triage via High-Level Representations and Similarity Digests},<br \/>\r\nauthor = {Daniel Huici and Narges Yousefnezhad and Ricardo J. Rodr\u00edguez and Andrei Costin},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciYRC-BAR-26.pdf},<br \/>\r\ndoi = {10.14722\/bar.2026.23027},<br \/>\r\nisbn = {978-1-970672-08-4},<br \/>\r\nyear  = {2026},<br \/>\r\ndate = {2026-01-01},<br \/>\r\nbooktitle = {Proceedings of the Workshop on Binary Analysis Research (BAR) 2026},<br \/>\r\nabstract = {Tracking N-day vulnerabilities in fragmented firmware ecosystems is an open challenge, often hampered by the disconnect between abstract CVE descriptions and the binary code actually distributed in production and connected devices. In this paper, we present a generic CVE-based framework for correlating vulnerable files in heterogeneous firmware images using similarity digests. Our approach leverages sc APOTHEOSIS, an open-source approximate nearest neighbor search system, to scale similarity queries across massive collections of artifacts. To bridge the semantic gap between vulnerability reports and binary reality, we introduce an automated process that lifts confirmed vulnerable implementations to high-level intermediate representations and generates function-level search signatures. We demonstrate the effectiveness of this system as a rapid triage tool using the sc OpenWrt ecosystem as a case study. In the event of a new CVE disclosure, our approach allows analysts to consult the pre-created sc APOTHEOSIS index to immediately generate a prioritized list of affected firmware versions, significantly accelerating impact assessment without being dependent on reliable nor accurate vendor\/CVE metadata or source code.},<br \/>\r\nkeywords = {binary code similarity, firmware vulnerability triage, high-level intermediate representation, N-day vulnerabilities, similarity digests},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('145','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_145\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Tracking N-day vulnerabilities in fragmented firmware ecosystems is an open challenge, often hampered by the disconnect between abstract CVE descriptions and the binary code actually distributed in production and connected devices. In this paper, we present a generic CVE-based framework for correlating vulnerable files in heterogeneous firmware images using similarity digests. Our approach leverages sc APOTHEOSIS, an open-source approximate nearest neighbor search system, to scale similarity queries across massive collections of artifacts. To bridge the semantic gap between vulnerability reports and binary reality, we introduce an automated process that lifts confirmed vulnerable implementations to high-level intermediate representations and generates function-level search signatures. We demonstrate the effectiveness of this system as a rapid triage tool using the sc OpenWrt ecosystem as a case study. In the event of a new CVE disclosure, our approach allows analysts to consult the pre-created sc APOTHEOSIS index to immediately generate a prioritized list of affected firmware versions, significantly accelerating impact assessment without being dependent on reliable nor accurate vendor\/CVE metadata or source code.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('145','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_145\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciYRC-BAR-26.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciYRC-BAR-26.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciYRC-BAR-26.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.14722\/bar.2026.23027\" title=\"Follow DOI:10.14722\/bar.2026.23027\" target=\"_blank\">doi:10.14722\/bar.2026.23027<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('145','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Carrillo-Mond\u00e9jar, Javier;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('117','tp_links')\" style=\"cursor:pointer;\">Identifying Runtime Libraries in Statically Linked Linux Binaries<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">Future Generation Computer Systems, <\/span><span class=\"tp_pub_additional_volume\">vol. 164, <\/span><span class=\"tp_pub_additional_pages\">pp. 107602, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 0167-739X<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_117\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('117','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_117\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('117','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_117\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('117','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=151#tppubs\" title=\"Show all publications which have a relationship to this tag\">Binary code analysis<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=149#tppubs\" title=\"Show all publications which have a relationship to this tag\">IoT<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=2#tppubs\" title=\"Show all publications which have a relationship to this tag\">malware<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=153#tppubs\" title=\"Show all publications which have a relationship to this tag\">Runtime library identification<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=152#tppubs\" title=\"Show all publications which have a relationship to this tag\">Statically linked binaries<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_117\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{CarrilloR-FGCS-25,<br \/>\r\ntitle = {Identifying Runtime Libraries in Statically Linked Linux Binaries},<br \/>\r\nauthor = {Javier Carrillo-Mond\u00e9jar and Ricardo J. Rodr\u00edguez},<br \/>\r\nurl = {http:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CarrilloR-FGCS-25.pdf},<br \/>\r\ndoi = {10.1016\/j.future.2024.107602},<br \/>\r\nissn = {0167-739X},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-01-01},<br \/>\r\njournal = {Future Generation Computer Systems},<br \/>\r\nvolume = {164},<br \/>\r\npages = {107602},<br \/>\r\nabstract = {Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce tt MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. tt MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (tt MIPSeb, tt ARMel, tt Intel x86, and tt Intel x86-64) and different runtime libraries (tt uClibc, tt glibc, and tt musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the tt binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4%$ and $95.5%$, respectively) and architecture identification ($100%$ and $98.6%$, respectively).},<br \/>\r\nkeywords = {Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('117','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_117\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce tt MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. tt MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (tt MIPSeb, tt ARMel, tt Intel x86, and tt Intel x86-64) and different runtime libraries (tt uClibc, tt glibc, and tt musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the tt binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4%$ and $95.5%$, respectively) and architecture identification ($100%$ and $98.6%$, respectively).<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('117','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_117\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"http:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CarrilloR-FGCS-25.pdf\" title=\"http:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CarrilloR-FGCS-25.pdf\" target=\"_blank\">http:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/CarrilloR-FGCS-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.future.2024.107602\" title=\"Follow DOI:10.1016\/j.future.2024.107602\" target=\"_blank\">doi:10.1016\/j.future.2024.107602<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('117','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Huici, Daniel;  Rodr\u00edguez, Ricardo J.;  Mena, Eduardo<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('124','tp_links')\" style=\"cursor:pointer;\">APOTHEOSIS: An efficient approximate similarity search system<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">SoftwareX, <\/span><span class=\"tp_pub_additional_volume\">vol. 29, <\/span><span class=\"tp_pub_additional_pages\">pp. 102016, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2352-7110<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_124\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('124','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_124\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('124','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_124\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('124','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=174#tppubs\" title=\"Show all publications which have a relationship to this tag\">Approximate K-nearest neighbors<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=85#tppubs\" title=\"Show all publications which have a relationship to this tag\">Approximate matching<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=173#tppubs\" title=\"Show all publications which have a relationship to this tag\">Approximate search methods<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=175#tppubs\" title=\"Show all publications which have a relationship to this tag\">Data similarity analysis<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=83#tppubs\" title=\"Show all publications which have a relationship to this tag\">similarity digest algorithms<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_124\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{HuiciRM-SoftX-25,<br \/>\r\ntitle = {APOTHEOSIS: An efficient approximate similarity search system},<br \/>\r\nauthor = {Daniel Huici and Ricardo J. Rodr\u00edguez and Eduardo Mena},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-SoftX-25.pdf},<br \/>\r\ndoi = {10.1016\/j.softx.2024.102016},<br \/>\r\nissn = {2352-7110},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-02-01},<br \/>\r\nurldate = {2025-02-01},<br \/>\r\njournal = {SoftwareX},<br \/>\r\nvolume = {29},<br \/>\r\npages = {102016},<br \/>\r\nabstract = {APOTHEOSIS is a tool for efficiently identifying and comparing data similarity in large datasets, addressing challenges faced by traditional methods such as scalability and speed. APOTHEOSIS overcomes them by combining advanced algorithms and data structures, enabling fast and accurate similarity analysis. Specifically, it uses a custom hierarchical small navigation world as an approximate $K$-nearest neighbors search method, and approximate similarity digests algorithms to find common features between similar data items, also supporting various distance metrics beyond vector-based approaches. Our software tool is designed for seamless integration into research workflows, improving reproducibility and facilitating the comparison of large-scale, high-dimensional data comparison across multiple domains.},<br \/>\r\nkeywords = {Approximate K-nearest neighbors, Approximate matching, Approximate search methods, Data similarity analysis, similarity digest algorithms},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('124','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_124\" style=\"display:none;\"><div class=\"tp_abstract_entry\">APOTHEOSIS is a tool for efficiently identifying and comparing data similarity in large datasets, addressing challenges faced by traditional methods such as scalability and speed. APOTHEOSIS overcomes them by combining advanced algorithms and data structures, enabling fast and accurate similarity analysis. Specifically, it uses a custom hierarchical small navigation world as an approximate $K$-nearest neighbors search method, and approximate similarity digests algorithms to find common features between similar data items, also supporting various distance metrics beyond vector-based approaches. Our software tool is designed for seamless integration into research workflows, improving reproducibility and facilitating the comparison of large-scale, high-dimensional data comparison across multiple domains.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('124','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_124\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-SoftX-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-SoftX-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-SoftX-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.softx.2024.102016\" title=\"Follow DOI:10.1016\/j.softx.2024.102016\" target=\"_blank\">doi:10.1016\/j.softx.2024.102016<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('124','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Raducu, Razvan;  Villagrasa-Labrador, Alain;  Rodr\u00edguez, Ricardo J.;  \u00c1lvarez, Pedro<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('125','tp_links')\" style=\"cursor:pointer;\">MALVADA: A Framework for Generating Datasets of Malware Execution Traces<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">SoftwareX, <\/span><span class=\"tp_pub_additional_volume\">vol. 30, <\/span><span class=\"tp_pub_additional_pages\">pp. 102082, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2352-7110<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_125\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('125','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_125\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('125','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_125\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('125','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=176#tppubs\" title=\"Show all publications which have a relationship to this tag\">Dataset generation<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=178#tppubs\" title=\"Show all publications which have a relationship to this tag\">Execution traces<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=177#tppubs\" title=\"Show all publications which have a relationship to this tag\">Malware behavior<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=179#tppubs\" title=\"Show all publications which have a relationship to this tag\">Malware classification<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_125\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{RaducuVRA-SoftwareX-25,<br \/>\r\ntitle = {MALVADA: A Framework for Generating Datasets of Malware Execution Traces},<br \/>\r\nauthor = {Razvan Raducu and Alain Villagrasa-Labrador and Ricardo J. Rodr\u00edguez and Pedro \u00c1lvarez},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuVRA-SoftwareX-25.pdf},<br \/>\r\ndoi = {10.1016\/j.softx.2025.102082},<br \/>\r\nissn = {2352-7110},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-05-01},<br \/>\r\njournal = {SoftwareX},<br \/>\r\nvolume = {30},<br \/>\r\npages = {102082},<br \/>\r\nabstract = {Malware attacks have been growing steadily in recent years, making more sophisticated detection methods necessary. These approaches typically rely on analyzing the behavior of malicious applications, for example by examining execution traces that capture their runtime behavior. However, many existing execution trace datasets are simplified, often resulting in the omission of relevant contextual information, which is essential to capture the full scope of a malware sample\u2019s behavior. This paper introduces MALVADA, a flexible framework designed to generate extensive datasets of execution traces from Windows malware. These traces provide detailed insights into program behaviors and help malware analysts to classify a malware sample. MALVADA facilitates the creation of large datasets with minimal user effort, as demonstrated by the WinMET dataset, which includes execution traces from approximately 10,000 Windows malware samples.},<br \/>\r\nkeywords = {Dataset generation, Execution traces, Malware behavior, Malware classification},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('125','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_125\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Malware attacks have been growing steadily in recent years, making more sophisticated detection methods necessary. These approaches typically rely on analyzing the behavior of malicious applications, for example by examining execution traces that capture their runtime behavior. However, many existing execution trace datasets are simplified, often resulting in the omission of relevant contextual information, which is essential to capture the full scope of a malware sample\u2019s behavior. This paper introduces MALVADA, a flexible framework designed to generate extensive datasets of execution traces from Windows malware. These traces provide detailed insights into program behaviors and help malware analysts to classify a malware sample. MALVADA facilitates the creation of large datasets with minimal user effort, as demonstrated by the WinMET dataset, which includes execution traces from approximately 10,000 Windows malware samples.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('125','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_125\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuVRA-SoftwareX-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuVRA-SoftwareX-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/RaducuVRA-SoftwareX-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.softx.2025.102082\" title=\"Follow DOI:10.1016\/j.softx.2025.102082\" target=\"_blank\">doi:10.1016\/j.softx.2025.102082<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('125','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Filho, Ailton Santos;  Rodr\u00edguez, Ricardo J.;  Feitosa, Eduardo L.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('126','tp_links')\" style=\"cursor:pointer;\">Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">International Journal of Information Security, <\/span><span class=\"tp_pub_additional_volume\">vol. 24, <\/span><span class=\"tp_pub_additional_number\">no. 2, <\/span><span class=\"tp_pub_additional_pages\">pp. 83, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 1615-5270<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_126\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('126','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_126\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('126','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_126\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('126','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=184#tppubs\" title=\"Show all publications which have a relationship to this tag\">Broken access control<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=182#tppubs\" title=\"Show all publications which have a relationship to this tag\">Colored Petri nets<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=181#tppubs\" title=\"Show all publications which have a relationship to this tag\">OpenAPI<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=180#tppubs\" title=\"Show all publications which have a relationship to this tag\">RESTful web services<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=183#tppubs\" title=\"Show all publications which have a relationship to this tag\">Security analysis<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=118#tppubs\" title=\"Show all publications which have a relationship to this tag\">vulnerabilities<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=185#tppubs\" title=\"Show all publications which have a relationship to this tag\">Web application security<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_126\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{SantosFilhoRF-IJIS-25,<br \/>\r\ntitle = {Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation},<br \/>\r\nauthor = {Ailton Santos Filho and Ricardo J. Rodr\u00edguez and Eduardo L. Feitosa},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/SantosFilhoRF-IJIS-25.pdf},<br \/>\r\ndoi = {10.1007\/s10207-024-00970-5},<br \/>\r\nissn = {1615-5270},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-02-01},<br \/>\r\njournal = {International Journal of Information Security},<br \/>\r\nvolume = {24},<br \/>\r\nnumber = {2},<br \/>\r\npages = {83},<br \/>\r\nabstract = {The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named Links2CPN, which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.},<br \/>\r\nkeywords = {Broken access control, Colored Petri nets, OpenAPI, RESTful web services, Security analysis, vulnerabilities, Web application security},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('126','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_126\" style=\"display:none;\"><div class=\"tp_abstract_entry\">The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named Links2CPN, which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('126','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_126\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/SantosFilhoRF-IJIS-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/SantosFilhoRF-IJIS-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/SantosFilhoRF-IJIS-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1007\/s10207-024-00970-5\" title=\"Follow DOI:10.1007\/s10207-024-00970-5\" target=\"_blank\">doi:10.1007\/s10207-024-00970-5<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('126','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_article\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Huici, Daniel;  Rodr\u00edguez, Ricardo J.;  Mena, Eduardo<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('127','tp_links')\" style=\"cursor:pointer;\">An Extensible and Scalable System for Hash Lookup and Approximate Similarity Search with Similarity Digest Algorithms<\/a> <span class=\"tp_pub_type tp_  article\">Journal Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span><span class=\"tp_pub_additional_journal\">Forensic Science International: Digital Investigation, <\/span><span class=\"tp_pub_additional_volume\">vol. 53, <\/span><span class=\"tp_pub_additional_pages\">pp. 301930, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_issn\">ISSN: 2666-2817<\/span><span class=\"tp_pub_additional_note\">, (DFRWS USA 2025 - Selected Papers from the 25th Annual Digital Forensics Research Conference USA)<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_127\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('127','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_127\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('127','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_127\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('127','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=85#tppubs\" title=\"Show all publications which have a relationship to this tag\">Approximate matching<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=186#tppubs\" title=\"Show all publications which have a relationship to this tag\">hash lookup<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=83#tppubs\" title=\"Show all publications which have a relationship to this tag\">similarity digest algorithms<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=87#tppubs\" title=\"Show all publications which have a relationship to this tag\">Similarity hashing<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=187#tppubs\" title=\"Show all publications which have a relationship to this tag\">similarity search<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_127\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@article{HuiciRM-FSIDI-25,<br \/>\r\ntitle = {An Extensible and Scalable System for Hash Lookup and Approximate Similarity Search with Similarity Digest Algorithms},<br \/>\r\nauthor = {Daniel Huici and Ricardo J. Rodr\u00edguez and Eduardo Mena},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-FSIDI-25.pdf},<br \/>\r\ndoi = {10.1016\/j.fsidi.2025.301930},<br \/>\r\nissn = {2666-2817},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-07-01},<br \/>\r\njournal = {Forensic Science International: Digital Investigation},<br \/>\r\nvolume = {53},<br \/>\r\npages = {301930},<br \/>\r\nabstract = {Efficient management and analysis of large volumes of digital data has emerged as a major challenge in the field of digital forensics. To quickly identify and analyze relevant artifacts within large datasets, we introduce tt Apotheosis, an approximate similarity search system designed for scalability and efficiency. Our system integrates approximate search techniques (which allow searching for a match on a close value) with Similarity Digest Algorithms (SDA; which capture common features between similar elements), using a space-saving radix tree and a graph-based hierarchical navigable small world structure to perform fast approximate nearest neighbor searches. We demonstrate the effectiveness and versatility of our system through two key case studies: first, in plagiarism detection, demonstrating the effectiveness of our system in identifying similar or duplicate documents within a large source code dataset; then, in memory artifact detection, showing its scalability and performance in processing large-scale forensic data collected from various versions of Microsoft Windows. Our comprehensive evaluation shows that tt Apotheosis not only efficiently handles large datasets, but also provides a way to evaluate the performance of various SDA and their approximate similarity search in different forensic scenarios.},<br \/>\r\nnote = {DFRWS USA 2025 - Selected Papers from the 25th Annual Digital Forensics Research Conference USA},<br \/>\r\nkeywords = {Approximate matching, hash lookup, similarity digest algorithms, Similarity hashing, similarity search},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {article}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('127','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_127\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Efficient management and analysis of large volumes of digital data has emerged as a major challenge in the field of digital forensics. To quickly identify and analyze relevant artifacts within large datasets, we introduce tt Apotheosis, an approximate similarity search system designed for scalability and efficiency. Our system integrates approximate search techniques (which allow searching for a match on a close value) with Similarity Digest Algorithms (SDA; which capture common features between similar elements), using a space-saving radix tree and a graph-based hierarchical navigable small world structure to perform fast approximate nearest neighbor searches. We demonstrate the effectiveness and versatility of our system through two key case studies: first, in plagiarism detection, demonstrating the effectiveness of our system in identifying similar or duplicate documents within a large source code dataset; then, in memory artifact detection, showing its scalability and performance in processing large-scale forensic data collected from various versions of Microsoft Windows. Our comprehensive evaluation shows that tt Apotheosis not only efficiently handles large datasets, but also provides a way to evaluate the performance of various SDA and their approximate similarity search in different forensic scenarios.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('127','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_127\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-FSIDI-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-FSIDI-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/HuiciRM-FSIDI-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1016\/j.fsidi.2025.301930\" title=\"Follow DOI:10.1016\/j.fsidi.2025.301930\" target=\"_blank\">doi:10.1016\/j.fsidi.2025.301930<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('127','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Abascal, Le\u00f3n;  Rodr\u00edguez, Ricardo J.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('128','tp_links')\" style=\"cursor:pointer;\">Poster: Extracting Cryptographic Keys from Windows Live Processes<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span> Egele, Manuel;  Moonsamy, Veelasha;  Gruss, Daniel;  Carminati, Michele (Ed.): <span class=\"tp_pub_additional_booktitle\">Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, <\/span><span class=\"tp_pub_additional_pages\">pp. 213\u2013219, <\/span><span class=\"tp_pub_additional_publisher\">Springer Nature Switzerland, <\/span><span class=\"tp_pub_additional_address\">Cham, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 978-3-031-97620-9<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_128\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('128','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_128\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('128','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_128\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('128','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=188#tppubs\" title=\"Show all publications which have a relationship to this tag\">cryptography<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=96#tppubs\" title=\"Show all publications which have a relationship to this tag\">digital forensics<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=2#tppubs\" title=\"Show all publications which have a relationship to this tag\">malware<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=44#tppubs\" title=\"Show all publications which have a relationship to this tag\">Windows<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_128\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{AbascalR-DIMVA-25,<br \/>\r\ntitle = {Poster: Extracting Cryptographic Keys from Windows Live Processes},<br \/>\r\nauthor = {Le\u00f3n Abascal and Ricardo J. Rodr\u00edguez},<br \/>\r\neditor = {Manuel Egele and Veelasha Moonsamy and Daniel Gruss and Michele Carminati},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf},<br \/>\r\ndoi = {10.1007\/978-3-031-97620-9_12},<br \/>\r\nisbn = {978-3-031-97620-9},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-01-01},<br \/>\r\nbooktitle = {Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},<br \/>\r\nvolume = {15748},<br \/>\r\npages = {213\u2013219},<br \/>\r\npublisher = {Springer Nature Switzerland},<br \/>\r\naddress = {Cham},<br \/>\r\nabstract = {Cryptographic keys are a fundamental aspect of modern system security, but when compromised, they become a critical vulnerability, especially in ransomware attacks. Paradoxically, these keys must be available in memory at runtime to function, creating a unique opportunity for defensive tools. We introduce nameTool, an open-source tool designed to locate cryptographic keys in active Windows processes using advanced memory analysis. Unlike traditional approaches that rely on static memory dumps, nameTool performs dynamic analysis in real time, restricting the search to process heap memory to improve efficiency and accuracy. It employs robust key identification heuristics to minimize false positives and is designed for seamless integration with Endpoint Detection and Response systems. nameTool also encourages extensibility: its open-source nature allows researchers and practitioners to enhance its capabilities with custom key detection algorithms. We validated our approach through extensive experiments involving both proof-of-concept ransomware and real-world samples, demonstrating the effectiveness of key extraction and decryption success. Our tool provides a practical path to strengthening ransomware mitigation strategies.},<br \/>\r\nkeywords = {cryptography, digital forensics, malware, Windows},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('128','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_128\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Cryptographic keys are a fundamental aspect of modern system security, but when compromised, they become a critical vulnerability, especially in ransomware attacks. Paradoxically, these keys must be available in memory at runtime to function, creating a unique opportunity for defensive tools. We introduce nameTool, an open-source tool designed to locate cryptographic keys in active Windows processes using advanced memory analysis. Unlike traditional approaches that rely on static memory dumps, nameTool performs dynamic analysis in real time, restricting the search to process heap memory to improve efficiency and accuracy. It employs robust key identification heuristics to minimize false positives and is designed for seamless integration with Endpoint Detection and Response systems. nameTool also encourages extensibility: its open-source nature allows researchers and practitioners to enhance its capabilities with custom key detection algorithms. We validated our approach through extensive experiments involving both proof-of-concept ransomware and real-world samples, demonstrating the effectiveness of key extraction and decryption success. Our tool provides a practical path to strengthening ransomware mitigation strategies.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('128','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_128\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/AbascalR-DIMVA-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1007\/978-3-031-97620-9_12\" title=\"Follow DOI:10.1007\/978-3-031-97620-9_12\" target=\"_blank\">doi:10.1007\/978-3-031-97620-9_12<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('128','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><div class=\"tp_publication tp_publication_inproceedings\"><div class=\"tp_pub_info\"><p class=\"tp_pub_author\"> Pelayo-Benedet, Tom\u00e1s;  Rodr\u00edguez, Ricardo J.;  Ga\u00f1\u00e1n, Carlos H.<\/p><p class=\"tp_pub_title\"><a class=\"tp_title_link\" onclick=\"teachpress_pub_showhide('129','tp_links')\" style=\"cursor:pointer;\">Poster: Exploring the Zero-Shot Potential of Large Language Models for Detecting Algorithmically Generated Domains<\/a> <span class=\"tp_pub_type tp_  inproceedings\">Proceedings Article<\/span> <\/p><p class=\"tp_pub_additional\"><span class=\"tp_pub_additional_in\">In: <\/span> Egele, Manuel;  Moonsamy, Veelasha;  Gruss, Daniel;  Carminati, Michele (Ed.): <span class=\"tp_pub_additional_booktitle\">Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, <\/span><span class=\"tp_pub_additional_pages\">pp. 86\u201392, <\/span><span class=\"tp_pub_additional_publisher\">Springer Nature Switzerland, <\/span><span class=\"tp_pub_additional_address\">Cham, <\/span><span class=\"tp_pub_additional_year\">2025<\/span>, <span class=\"tp_pub_additional_isbn\">ISBN: 978-3-031-97623-0<\/span>.<\/p><p class=\"tp_pub_menu\"><span class=\"tp_abstract_link\"><a id=\"tp_abstract_sh_129\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('129','tp_abstract')\" title=\"Show abstract\" style=\"cursor:pointer;\">Abstract<\/a><\/span> | <span class=\"tp_resource_link\"><a id=\"tp_links_sh_129\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('129','tp_links')\" title=\"Show links and resources\" style=\"cursor:pointer;\">Links<\/a><\/span> | <span class=\"tp_bibtex_link\"><a id=\"tp_bibtex_sh_129\" class=\"tp_show\" onclick=\"teachpress_pub_showhide('129','tp_bibtex')\" title=\"Show BibTeX entry\" style=\"cursor:pointer;\">BibTeX<\/a><\/span> | <span class=\"tp_pub_tags_label\">Tags: <\/span><a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=190#tppubs\" title=\"Show all publications which have a relationship to this tag\">Algorithmically Generated Domains<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=191#tppubs\" title=\"Show all publications which have a relationship to this tag\">DNS Traffic Analysis<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=189#tppubs\" title=\"Show all publications which have a relationship to this tag\">Large Language Models<\/a>, <a rel=\"nofollow\" href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?tgid=192#tppubs\" title=\"Show all publications which have a relationship to this tag\">Malware Detection<\/a><\/p><div class=\"tp_bibtex\" id=\"tp_bibtex_129\" style=\"display:none;\"><div class=\"tp_bibtex_entry\"><pre>@inproceedings{PelayoBenedetRG-DIMVA-25,<br \/>\r\ntitle = {Poster: Exploring the Zero-Shot Potential of Large Language Models for Detecting Algorithmically Generated Domains},<br \/>\r\nauthor = {Tom\u00e1s Pelayo-Benedet and Ricardo J. Rodr\u00edguez and Carlos H. Ga\u00f1\u00e1n},<br \/>\r\neditor = {Manuel Egele and Veelasha Moonsamy and Daniel Gruss and Michele Carminati},<br \/>\r\nurl = {https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetRG-DIMVA-25.pdf},<br \/>\r\ndoi = {10.1007\/978-3-031-97623-0_5},<br \/>\r\nisbn = {978-3-031-97623-0},<br \/>\r\nyear  = {2025},<br \/>\r\ndate = {2025-01-01},<br \/>\r\nbooktitle = {Proceedings of the 22nd International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},<br \/>\r\nvolume = {15748},<br \/>\r\npages = {86\u201392},<br \/>\r\npublisher = {Springer Nature Switzerland},<br \/>\r\naddress = {Cham},<br \/>\r\nabstract = {Domain generation algorithms enable resilient malware communication by generating pseudo-random domain names. While traditional detection relies on task-specific algorithms, the use of Large Language Models (LLMs) to identify Algorithmically Generated Domains (AGDs) remains largely unexplored. This work evaluates nine LLMs from four major vendors in a zero-shot environment, without fine-tuning. The results show that LLMs can distinguish AGDs from legitimate domains, but they often exhibit a bias, leading to high false positive rates and overconfident predictions. Adding linguistic features offers minimal accuracy gains while increasing complexity and errors. These findings highlight both the promise and limitations of LLMs for AGD detection, indicating the need for further research before practical implementation.},<br \/>\r\nkeywords = {Algorithmically Generated Domains, DNS Traffic Analysis, Large Language Models, Malware Detection},<br \/>\r\npubstate = {published},<br \/>\r\ntppubtype = {inproceedings}<br \/>\r\n}<br \/>\r\n<\/pre><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('129','tp_bibtex')\">Close<\/a><\/p><\/div><div class=\"tp_abstract\" id=\"tp_abstract_129\" style=\"display:none;\"><div class=\"tp_abstract_entry\">Domain generation algorithms enable resilient malware communication by generating pseudo-random domain names. While traditional detection relies on task-specific algorithms, the use of Large Language Models (LLMs) to identify Algorithmically Generated Domains (AGDs) remains largely unexplored. This work evaluates nine LLMs from four major vendors in a zero-shot environment, without fine-tuning. The results show that LLMs can distinguish AGDs from legitimate domains, but they often exhibit a bias, leading to high false positive rates and overconfident predictions. Adding linguistic features offers minimal accuracy gains while increasing complexity and errors. These findings highlight both the promise and limitations of LLMs for AGD detection, indicating the need for further research before practical implementation.<\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('129','tp_abstract')\">Close<\/a><\/p><\/div><div class=\"tp_links\" id=\"tp_links_129\" style=\"display:none;\"><div class=\"tp_links_entry\"><ul class=\"tp_pub_list\"><li><i class=\"fas fa-file-pdf\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetRG-DIMVA-25.pdf\" title=\"https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetRG-DIMVA-25.pdf\" target=\"_blank\">https:\/\/webdiis.unizar.es\/~ricardo\/files\/papers\/PelayoBenedetRG-DIMVA-25.pdf<\/a><\/li><li><i class=\"ai ai-doi\"><\/i><a class=\"tp_pub_list\" href=\"https:\/\/dx.doi.org\/10.1007\/978-3-031-97623-0_5\" title=\"Follow DOI:10.1007\/978-3-031-97623-0_5\" target=\"_blank\">doi:10.1007\/978-3-031-97623-0_5<\/a><\/li><\/ul><\/div><p class=\"tp_close_menu\"><a class=\"tp_close\" onclick=\"teachpress_pub_showhide('129','tp_links')\">Close<\/a><\/p><\/div><\/div><\/div><\/div><div class=\"tablenav\"><div class=\"tablenav-pages\"><span class=\"displaying-num\">68 entries<\/span> <a class=\"page-numbers button disabled\">&laquo;<\/a> <a class=\"page-numbers button disabled\">&lsaquo;<\/a> 1 of 5 <a href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?limit=2&amp;tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=&amp;tsr=#tppubs\" title=\"next page\" class=\"page-numbers button\">&rsaquo;<\/a> <a href=\"https:\/\/reversea.me\/index.php\/research\/publications\/?limit=5&amp;tgid=&amp;yr=&amp;type=&amp;usr=&amp;auth=&amp;tsr=#tppubs\" title=\"last page\" class=\"page-numbers button\">&raquo;<\/a> <\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\"> &lt; 1<\/span> <span class=\"rt-label rt-postfix\">minute<\/span><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":46,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-82","page","type-page","status-publish","hentry","no-featured-image"],"_links":{"self":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/pages\/82","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/comments?post=82"}],"version-history":[{"count":8,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/pages\/82\/revisions"}],"predecessor-version":[{"id":126,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/pages\/82\/revisions\/126"}],"up":[{"embeddable":true,"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/pages\/46"}],"wp:attachment":[{"href":"https:\/\/reversea.me\/index.php\/wp-json\/wp\/v2\/media?parent=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}