Gerardo Fernandez

Malware analyst / Project management

Edificio de Investigación Ada Byron
C/ Arquitecto Francisco Peñalosa, nº 18
Ampliación Campus de Teatinos. Universidad de Málaga
29071 Málaga (Spain)
Phone: (+34) 951 952 984    Fax:

Domain of interest and research

Since 2004 I've been performing research into the attack patterns and malware behaviour areas, designing countermeasures and developing prototypes for the research projects I've worked on.

As part of the NICS team, we designed an automated attack platform for the national SACO research project. Based on an architecture centered on the use of virtualized scenarios deployment, we modeled attacks patterns and conducted automated training guide for operators. As a result, we developed an expert system able to guide operators in the process of attacking hosts selected as objetives. This work has been incorporated into the iPhalanx CTR product sold by INDRA.

I've been also working in the Critical Infrastructure area as member of the UMA team, both for national research projects (PROTECT-IC, SECRET and eCid) and european research projects (FACIES). My contribution was centered in the penetration testing of CI equipments, modeling of intrusion detection architectures, and the design of countermeasures.

Intrusion detection was also an area where I've been working on in the past. As part of the SEGUR@ project team, I've been working actively in the design of an intrusion detection solution based on mobile agents that uses Intel VPRO technology for protecting and reacting to attacks in a compromised network. Moreover, I've been involved in the design of a new architecture for antivirus systems that also employs Intel VPRO technology, mainly Intel AMT, for protecting the communication between elements of the antivirus solution while also isolating a compromised system in realtime. 

Current research

  • Attack patterns and Malware analysis


  • Master in Software Engineering and Artificial Intelligence, a post graduate program with quality mention from the Spanish Ministry of Science and Education, University of Malaga.
  • M.Sc. in Computer Science, University of Malaga, Spain.

Recent publications

  • G. Fernandez, A. Nieto, and J. Lopez, "Modeling Malware-driven Honeypots", In 14th International Conference On Trust, Privacy & Security In Digital Business (TrustBus 2017), vol. 10442, Springer International Publishing, pp. 130-144, 08/2017. More..


    In this paper we propose the Hogney architecture for the deployment of malware-driven honeypots. This new concept refers to honeypots that have been dynamically configured according to the environment expected by malware. The adaptation mechanism designed here is built on services that offer up-to-date and relevant intelligence information on current threats. Thus, the Hogney architecture takes advantage of recent Indicators Of Compromise (IOC) and information about suspicious activity currently being studied by analysts. The information gathered from these services is then used to adapt honeypots to fulfill malware requirements, inviting them to unleash their full strength.

  • G. Fernandez, and A. Nieto, "Configuración de honeypots adaptativos para análisis de malware", In III Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2017), 2017. More..


    Este trabajo propone una arquitectura de despliegue de honeypots adaptativos, configurados dinámicamente a partir de los requisitos del malware que intenta infectar los servicios trampa. A diferencia de otros trabajos sobre honeypots adaptativos, los mecanismos de adaptabilidad aquí diseñados tomarán como base información de inteligencia sobre amenazas actuales, indicadores de compromiso (IOCs) conocidos, así como información de actividades sospechosas actualmente en estudio por los analistas. Este conocimiento será empleado para configurar honeypots de manera dinámica, permitiendo satisfacer los requisitos necesarios para que el malware pueda desplegar toda su operativa. 

  • C. Alcaraz, L. Cazorla, and G. Fernandez, "Context-Awareness using Anomaly-based Detectors for Smart Grid Domains", In 9th International Conference on Risks and Security of Internet and Systems , vol. 8924, Springer International Publishing, pp. 17-34, 04/2015. DOI More..


    Anomaly-based detection applied in strongly interdependent systems, like Smart Grids, has become one of the most challenging research areas in recent years. Early detection of anomalies so as to detect and prevent unexpected faults or stealthy threats is attracting a great deal of attention from the scientific community because it offers potential solutions for context-awareness. These solutions can also help explain the conditions leading up to a given situation and help determine the degree of its severity. However, not all the existing approaches within the literature are equally effective in covering the needs of a particular scenario. It is necessary to explore the control requirements of the domains that comprise a Smart Grid, identify, and even select, those approaches according to these requirements and the intrinsic conditions related to the application context, such as technological heterogeneity and complexity. Therefore, this paper analyses the functional features of existing anomaly-based approaches so as to adapt them, according to the aforementioned conditions. The result of this investigation is a guideline for the construction of preventive solutions that will help improve the context-awareness in the control of Smart Grid domains in the near future.

  • J. L. Hernández-Ardieta, et al., "An Intelligent and Adaptive Live Simulator: A new Concept for Cybersecurity Training", In 9th Future Security Conference, 2014. More..


    The rapid rate of change in technology and the increasing sophistication of cyber attacks require any organization to have a continuous preparation. However, the resource and time intensive nature of cybersecurity education and training renders traditional approaches highly inefficient. Simulators have attracted the attention in the last years as a potential solution for cybersecurity training. However, in spite of the advances achieved, there is still an urgent need to address some open challenges. In this paper we present a novel simulator that solves some these challenges. First, we analyse the main properties that any cybersecurity training solution should comprise, and evaluate to what extent training simulators can meet them. Next, we introduce the functional architecture and innovative features of the simulator, of which a functional prototype has already been released. Finally, we demonstrate how these capabilities are put into practice in training courses already available in the simulator.

  • C. Alcaraz, G. Fernandez, and F. Carvajal, "Security Aspects of SCADA and DCS Environments", In Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense, J. Lopez, S.. Wolthunsen, and R. Setola Eds., Advances in Critical Infrastructure Protection: Information Infrastructure Models, Analysis, and Defense. LNCS 7130. 7130, Springer-Verlag, pp. 120-149, September 2012. More..


    SCADA Systems can be seen as a fundamental component in Critical Infrastructures, having an impact in the overall performance of other Critical Infrastructures interconnected. Currently, these systems include in their network designs different types of Information and Communication Technology systems (such as the Internet and wireless technologies), not only to modernize operational processes but also to ensure automation and real-time control. Nonetheless, the use of these new technologies will bring new security challenges, which will have a significant impact on both the business process and home users. Therefore, the main purpose of this Chapter is to address these issues and to analyze the interdependencies of Process Control Systems with ICT systems, to discuss some security aspects and to offer some possible solutions and recommendations.

  • A. Nieto, and G. Fernandez, "Sistema Colaborativo de Detección y Reacción ante Intrusiones basado en Intel vPro", In XII Reunión Española sobre Criptología y Seguridad de la Información (RECSI 2012), pp. 45-50, Sep 2012. More..


    En este trabajo proponemos una plataforma para el desarrollo de un sistema colaborativo para la detección y reacción ante intrusiones, empleando como base las tecnologías presentes en Intel vPro. La solución presentada está dirigida a solventar la necesidad de implantación de nuevas tecnologías que posibiliten la reacción ante ataques, independientemente del sistema operativo usado. Con este fin, en este trabajo abordamos tres puntos fundamentales: la detección de intrusiones colaborativa, la respuesta automática de los nodos ante la detección de una intrusión y el uso de herramientas que posibiliten asegurar la confianza en un nodo. En un sistema colaborativo como el que se propone aquí, un aspecto clave para la seguridad es la protección de las comunicaciones entre los mecanismos de detección y reacción frente a intrusiones. La modificación o el simple acceso a los datos intercambiados por tales sistemas supone un grave riesgo para la seguridad del entorno. Como resultado hemos desarrollado un prototipo preliminar para probar la solución propuesta en un escenario de ataque real.

Attended courses and seminars

  • 1st CIIP International Meeting "Cybersecurity and Protection of Critical Infrastructures" 2010
  • Student at IPICS 2009 (
  • Seminar titled "Security and Privacy for wireless resource constrained devices" by Roberto di Pietro
  • 13th European Symposium on Research in Computer Security (ESSORICS 2008)
  • 2nd International Workshop on Information Security Theory and Practices (WISTP 2008)
  • 2nd International Workshop on Critical Information Infrastructures Security (CRITIS'07)
  • EuroPKI 2007