Gerardo Fernandez

Malware analyst / Project management

Edificio de Investigación Ada Byron
C/ Arquitecto Francisco Peñalosa, nº 18
Ampliación Campus de Teatinos. Universidad de Málaga
29071 Málaga (Spain)
Phone: (+34) 951 952 984

Domain of interest and research

Since 2004 I've been performing research into the attack patterns and malware behaviour areas, designing countermeasures and developing prototypes for the research projects I've worked on.

As part of the NICS team, we designed an automated attack platform for the national SACO research project. Based on an architecture centered on the use of virtualized scenarios deployment, we modeled attack patterns and conducted automated training guide for operators. As a result, we developed an expert system able to guide operators in the process of attacking hosts selected as objectives. This work has been incorporated into the iPhalanx CTR product sold by INDRA.

I've also been working in the Critical Infrastructure area as a member of the UMA team, both for national research projects (PROTECT-IC, SECRET and eCid) and European research projects (FACIES). My contribution was centered on the penetration testing of CI equipment, modeling of intrusion detection architectures, and the design of countermeasures.

Intrusion detection was also an area I've worked on in the past. As part of the SEGUR@ project team, I've been working actively on the design of an intrusion detection solution based on mobile agents that uses Intel VPRO technology for protecting and reacting to attacks in a compromised network. Moreover, I've been involved in the design of a new architecture for antivirus systems that also employs Intel VPRO technology, mainly Intel AMT, for protecting the communication between elements of the antivirus solution while also isolating a compromised system in real time.

Current research

  • Attack patterns and Malware analysis
  • Adaptive Honeypots
  • Malware Intelligence


  • Master in Software Engineering and Artificial Intelligence, a postgraduate program with quality mention from the Spanish Ministry of Science and Education, University of Malaga.
  • M.Sc. in Computer Science, University of Malaga, Spain.


Recent publications

  • A. Acien, A. Nieto, G. Fernandez, and J. Lopez, "A comprehensive methodology for deploying IoT honeypots",
    15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2018), vol. LNCS 11033, Springer Nature Switzerland AG, pp. 229–243, 09/2018.


    Recent news has raised concern regarding security in the IoT field. Vulnerabilities in devices are arising and honeypots are an excellent way to cope with this problem. In this work, current solutions for honeypots in the IoT context, and other solutions adaptable to it, are analyzed in order to set the basis for a methodology that allows the deployment of IoT honeypots.

  • A. Nieto, A. Acien, and G. Fernandez, "Crowdsourcing analysis in 5G IoT: Cybersecurity Threats and Mitigation",
    Mobile Networks and Applications (MONET), Springer US, pp. 881-889, 10/2018. (I.F.: 2.39)


    Crowdsourcing can be a powerful weapon against cyberattacks in 5G networks. In this paper we analyse this idea in detail, starting from the use cases in crowdsourcing focused on security, and highlighting those areas of a 5G ecosystem where crowdsourcing could be used to mitigate local and remote attacks, as well as to discourage criminal activities and cybercriminal behaviour. We pay particular attention to the capillary network, where an infinite number of IoT objects coexist. The analysis is made considering the different participants in a 5G IoT ecosystem.

    Impact Factor: 2.39
    Journal Citation Reports® Science Edition (Thomson Reuters, 2018)

  • G. Fernandez, A. Nieto, and J. Lopez, "Modeling Malware-driven Honeypots",
    14th International Conference On Trust, Privacy & Security In Digital Business (TrustBus 2017), vol. 10442, Springer International Publishing, pp. 130-144, 08/2017.


    In this paper we propose the Hogney architecture for the deployment of malware-driven honeypots. This new concept refers to honeypots that have been dynamically configured according to the environment expected by malware. The adaptation mechanism designed here is built on services that offer up-to-date and relevant intelligence information on current threats. Thus, the Hogney architecture takes advantage of recent Indicators Of Compromise (IOC) and information about suspicious activity currently being studied by analysts. The information gathered from these services is then used to adapt honeypots to fulfill malware requirements, inviting them to unleash their full strength.

  • "Reversing WannaCry", August 2017, OneHacker Magazine (Spanish).
  • G. Fernandez, and A. Nieto, "Configuración de honeypots adaptativos para análisis de malware",
    III Jornadas Nacionales de Investigación en Ciberseguridad (JNIC 2017), Servicio de Publicaciones de la URJC, pp. 91-98, 06/2017.


    This work proposes an architecture for deploying adaptive honeypots, dynamically configured from the requirements of the malware that attempts to infect the decoy services. Unlike other work on adaptive honeypots, the adaptability mechanisms designed here are based on intelligence information about current threats, known indicators of compromise (IOCs), and information about suspicious activity currently under study by analysts. This knowledge is used to configure honeypots dynamically, making it possible to satisfy the requirements the malware needs in order to deploy its full operation.

Attended courses and seminars

  • 1st CIIP International Meeting "Cybersecurity and Protection of Critical Infrastructures" 2010
  • Student at IPICS 2009
  • Seminar titled "Security and Privacy for wireless resource constrained devices" by Roberto di Pietro
  • 13th European Symposium on Research in Computer Security (ESORICS 2008)
  • 2nd International Workshop on Information Security Theory and Practices (WISTP 2008)
  • 2nd International Workshop on Critical Information Infrastructures Security (CRITIS'07)
  • EuroPKI 2007