Papers
Topics
Authors
Recent
Search
2000 character limit reached

ColdPress: Dual Systems in Astronomy and Malware

Updated 6 July 2026
  • ColdPress is a term referring to two distinct software systems, one for compressing photometric redshift PDFs and another for automating malware threat intelligence workflows.
  • In astronomy, ColdPress compresses redshift PDFs via quantile-based encoding, achieving up to 35× compression with a fixed 80-byte packet and significant speedups.
  • In malware analysis, ColdPress offers a modular, containerized platform that orchestrates static reverse-engineering tools and integrates threat-intelligence APIs for scalable analysis.

Searching arXiv for both "ColdPress" papers and closely related context papers. ColdPress is the name of two unrelated research software systems described on a Python module for compressing photometric redshift probability distribution functions by encoding quantiles of their cumulative distribution, and an extensible malware analysis platform for automated threat-intelligence extraction and report generation (Hernán-Caballero, 13 Jul 2025, Tan et al., 2021). The shared name can obscure the fact that the two systems arise in distinct technical domains—survey cosmology and malware reverse engineering—and solve different scale problems: one concerns the storage and transmission of billions of photometric redshift PDFs, and the other concerns automation of heterogeneous static analysis and threat-intelligence workflows.

1. Disambiguation and domain placement

The term ColdPress refers to two separate projects with different publication dates, architectures, and objectives. One was published on 2025-07-13 as "ColdPress: Efficient Quantile-Based Compression of Photometric Redshift PDFs" and addresses compact fixed-length encoding of p(z)p(z) objects in large photometric surveys. The other was published on 2021-03-12 as "ColdPress: An Extensible Malware Analysis Platform for Threat Intelligence" and addresses modular orchestration of reverse-engineering tools and threat-intelligence APIs.

ColdPress variant Domain Primary function
"Efficient Quantile-Based Compression of Photometric Redshift PDFs" Photometric redshift inference Compresses PDFs into fixed byte packets
"An Extensible Malware Analysis Platform for Threat Intelligence" Malware analysis and TI Automates static analysis, TI enrichment, and reporting

A recurring misconception is to treat ColdPress as a single software lineage. The record on arXiv instead shows homonymy: the photometric-redshift ColdPress is a quantile-based compression module designed for survey-scale probabilistic data products, whereas the malware-analysis ColdPress is a containerized, plugin-oriented pipeline that combines state-of-the-art tools and concepts into a modular system for analysts (Hernán-Caballero, 13 Jul 2025, Tan et al., 2021).

2. Quantile-based compression of photometric redshift PDFs

In the photometric-redshift literature, ColdPress is a compact representation for storing and transmitting photometric redshift PDFs p(z)p(z) without retaining dense per-object redshift grids. The problem is motivated by wide-field surveys such as Euclid, LSST, J-PAS, and HSC, which produce billions of galaxies, each with a photometric redshift PDF required for propagation of redshift uncertainties, ensemble statistics such as N(z)N(z), weak lensing tomography, and clustering. In the HSC example described for the method, DEmP PDFs span $0$–$6$ in steps of $0.01$, yielding $601$ bins and $2404$ bytes per PDF, while Mizuki PDFs span $0$–$7$ in steps of p(z)p(z)0, yielding p(z)p(z)1 bins and p(z)p(z)2 bytes per PDF. ColdPress compresses each PDF to a fixed small packet, with a default of p(z)p(z)3 bytes per PDF, corresponding in that example to compression ratios of approximately p(z)p(z)4–p(z)p(z)5 (Hernán-Caballero, 13 Jul 2025).

The representation is built from the cumulative distribution function rather than from basis coefficients. For a normalized photometric redshift PDF,

p(z)p(z)6

the cumulative distribution function is

p(z)p(z)7

and quantiles are defined by probability levels p(z)p(z)8 such that

p(z)p(z)9

ColdPress stores the set of quantile redshifts N(z)N(z)0 rather than a dense grid of N(z)N(z)1 values. The method exploits the fact that quantiles naturally concentrate points where the PDF is high and place fewer points in the tails. Because the representation is based on quantiles of N(z)N(z)2, no fixed redshift grid is needed, and the same framework can operate both on binned output from template-fitting codes such as Mizuki and on Monte Carlo sample-based PDFs such as DEmP.

This design differs conceptually from the sparse-basis representation implemented in the pdf_storage module of Carrasco-Kind and Brunner (2014). In that older approach, N(z)N(z)3 is approximated with a sparse combination of Gaussian and Voigt basis functions from a large dictionary, and coefficients are obtained with Orthogonal Matching Pursuit. ColdPress instead represents the CDF through quantiles, avoids a fixed grid, and replaces per-object optimization with array operations and byte encoding. At the same N(z)N(z)4-byte packet size, the paper reports reconstruction accuracy comparable to pdf_storage, but with a reduction in computational cost of approximately a factor of N(z)N(z)5 (Hernán-Caballero, 13 Jul 2025).

3. Packet design, reconstruction, and empirical behavior in astronomy applications

The default ColdPress packet for a photometric-redshift PDF is N(z)N(z)6 bytes, divided into a N(z)N(z)7-byte header and a N(z)N(z)8-byte payload. The header stores a redshift precision parameter N(z)N(z)9 and the first and last quantile redshifts. Byte $0$0 contains $0$1 in units of $0$2,

$0$3

which constrains the absolute precision of recovered quantiles between $0$4 and $0$5. Bytes $0$6–$0$7 encode the first and last quantile redshifts $0$8 and $0$9 as $6$0-bit unsigned integers using

$6$1

This yields a redshift precision of $6$2 for up to $6$3, and the $6$4 offset allows slightly negative effective redshifts corresponding to up to $6$5 km/s to remain representable as positive integers (Hernán-Caballero, 13 Jul 2025).

The payload stores scaled differences between consecutive quantiles. If a difference fits in one byte, the integer value is stored directly; if it exceeds $6$6, a $6$7-byte pattern is used in which the first byte is $6$8 and the next two bytes store the difference as a $6$9-bit unsigned integer. For packet size $0.01$0, number of quantiles $0.01$1, and number of big jumps $0.01$2, the paper gives

$0.01$3

For an $0.01$4-byte packet, most real PDFs are encoded with $0.01$5–$0.01$6 big jumps, leaving room for $0.01$7–$0.01$8 quantiles per PDF. The paper notes that a large enough $0.01$9 to fit most of the differences in a single byte is important, because big jumps are expensive.

Decompression reverses the encoding. The decoder reads $601$0, reconstructs the endpoint quantiles using

$601$1

parses the payload, and recovers the quantile sequence incrementally. ColdPress also provides utilities to convert binned PDFs to quantiles and to reconstruct binned PDFs or CDFs on any desired redshift grid. The reconstruction error metric is defined on the CDF:

$601$2

where $601$3 and $601$4 are the original and reconstructed CDF values at bin centers $601$5, and $601$6 is the number of redshift bins (Hernán-Caballero, 13 Jul 2025).

The empirical comparison uses HSC-SSP PDR3 data for DEmP and Mizuki. For DEmP, $601$7 sources with original size $601$8 bytes each were encoded to $601$9-byte packets; for Mizuki, $2404$0 overlapping sources with original size $2404$1 bytes each were encoded similarly. On a modern laptop using a single CPU, pdf_storage required $2404$2 CPU hours for the DEmP set, whereas ColdPress required $2404$3 CPU seconds, corresponding to a speedup of about $2404$4; the reported speedup for Mizuki is about $2404$5, and the abstract summarizes the reduction in computational cost as a factor of $2404$6. At the same $2404$7-byte budget, the median $2404$8 for ColdPress and pdf_storage is comparable for both DEmP and Mizuki, although pdf_storage exhibits a wider performance range across sources. For noisy Monte Carlo DEmP PDFs, both methods struggle with intrinsic sampling noise: pdf_storage tends to emphasize the strongest spikes and fit the rest with a smooth continuum, while ColdPress smooths the entire PDF more uniformly. For Mizuki PDFs, ColdPress more accurately reproduces peaks, whereas pdf_storage performs somewhat better in the wings. The software is described as free software and is available at https://github.com/ahc-photoz/coldpress-project (Hernán-Caballero, 13 Jul 2025).

4. ColdPress as an extensible malware analysis platform

In malware analysis, ColdPress denotes a separate system: an extensible, containerized platform that automates end-to-end malware threat-intelligence gathering and integrates output modules for report generation of arbitrary file formats. Its motivation is the scale of malware triage: millions of new samples per year, multiple new samples per minute, and a predominantly manual workflow in which analysts run static tools, consult online platforms, and manually consolidate heterogeneous outputs. The platform is explicitly framed not as “yet another sandbox” but as a glue layer that orchestrates static software reverse-engineering tools and threat-intelligence APIs, with emphasis on extensibility and bulk or parallel processing (Tan et al., 2021).

The architecture is modular. A Pipeline Manager acts as the front controller, accepts one or more samples, spawns a thread for each sample, and orchestrates module order and timeouts. An External Module Loader dynamically discovers and loads user-defined modules at runtime. Python modules implement lightweight analysis functions such as hashing with hashlib, ssdeep, pehash, machoke, and imphash, PE parsing with pefile, and regex-based string extraction and categorization for URLs, IPs, domains, and filesystem paths. Command-line tools are invoked as subprocesses, including binwalk for embedded file extraction, capa for capability detection and mapping to MITRE ATT&CK, and additional tools such as YarGen. Threat-intelligence modules query VirusTotal, AlienVault OTX, and ThreatMiner. Output modules then render the aggregated results in JSON, HTML, or other custom formats (Tan et al., 2021).

The data flow is dependency-aware but predominantly parallel. For each sample, early preprocessing modules such as binwalk can extract embedded files, which are then reinserted into the pipeline as additional samples. Static Python modules, SRE modules such as Ghidra and Radare2, and TI queries can run concurrently subject to configured timeouts. The resulting per-sample outputs are collected into a unified structure and passed to output modules. The platform’s extensibility is central to its design: modules are self-contained Python files or wrappers around CLI tools or APIs, can be added or removed without modifying the core engine, and are loaded at runtime. Output formats are likewise pluggable. The paper compares this design to frameworks such as Metasploit and BeEF, in the sense of a core engine plus a library of modules (Tan et al., 2021).

5. Analysis capabilities, operating modes, and evaluation in malware research

The malware-analysis ColdPress currently focuses on static analysis and TI enrichment for Windows PE files. Its static-analysis surface includes PE structure parsing, file and similarity hashes, string extraction and categorization, Ghidra and Radare2 integration for function headers, symbols, CFGs, cross-reference graphs, disassembly, and decompilation, and capa integration for capability detection and ATT&CK mappings. binwalk is used to find and extract embedded files, which can then be analyzed recursively. Threat-intelligence enrichment is obtained from VirusTotal, AlienVault OTX, and ThreatMiner. Through these sources, ColdPress can collect AV detection names, malware family labels, YARA hits, IPs, URLs, domains, campaigns, and Cuckoo-derived dynamic-analysis traces such as network behavior, process activity, and registry activity when available from OTX plugins (Tan et al., 2021).

The system was evaluated against three research questions concerning usefulness, quantity of extracted information, and efficiency. In a WannaCry case study, ColdPress extracted the kill-switch domain through regex-based URL and domain detection in strings, surfaced polymorphism by showing two binaries from the same WannaCry epoch with different MD5 hashes but the same pehash and machoke hashes, retrieved dynamic evidence of network probing through OTX’s Cuckoo sandbox plugin, and identified persistence-related behavior through capa detections of embedded PE files and disk write operations. In a comparative assessment against IntelOwl and HybridAnalysis, ColdPress in full mode provided richer SRE artifacts such as CFGs, cross-reference graphs, function headers, disassembly, decompilation, and embedded-file discovery, while HybridAnalysis remained stronger on first-party dynamic traces. The paper therefore positions ColdPress as an SRE-plus-TI bridge rather than as a replacement for a dynamic sandbox (Tan et al., 2021).

Operationally, the platform supports multithreading across samples and modules. If $2404$9 samples and $0$0 modules are loaded, the paper gives the ideal concurrent task count as

$0$1

In practice, concurrency is bounded by CPU and memory, especially for heavy modules such as Ghidra. User-defined timeouts can be applied per sample or globally. A “fast mode” runs only modules tagged as fast, such as lightweight hashing, PE parsing, simple regex extraction, and TI APIs, thereby reducing analysis time and memory consumption. On an Intel x64 Linux system with an Intel i5 CPU, $0$2 logical cores, and $0$3 GB of RAM, using samples from theZoo malware repository, full mode averaged about $0$4 seconds per file, while fast mode averaged about $0$5 seconds per file. Time per sample remained relatively constant as the number of samples increased until memory became a constraint; beyond about $0$6 samples in parallel, RAM limits were reached because of heavy modules such as Ghidra JVM instances (Tan et al., 2021).

6. Comparative scope, limitations, and shared themes

The two ColdPress systems address different bottlenecks but share a common emphasis on scale, modularity, and downstream interoperability. The photometric-redshift ColdPress targets the storage, movement, and reuse of very large numbers of probabilistic data products. Its relation to prior work is primarily methodological: it is designed to match the reconstruction accuracy of the older sparse-basis pdf_storage approach while being orders of magnitude faster and simpler. The malware-analysis ColdPress targets analyst time and workflow fragmentation. Its relation to adjacent systems is infrastructural: it complements VirusTotal, IntelOwl, HybridAnalysis, and Cuckoo Sandbox by integrating local static SRE tooling with online TI feeds (Hernán-Caballero, 13 Jul 2025, Tan et al., 2021).

Each system also has clearly stated limitations. For photometric redshift compression, the paper notes trade-offs among packet size, $0$7, and fidelity; fewer bytes imply fewer quantiles or coarser precision and therefore more smoothing. Neither ColdPress nor pdf_storage can fully preserve raw Monte Carlo sampling noise in DEmP-like PDFs, and extremely sharp narrow features will be smoothed by quantile-based interpolation. The endpoint encoding assumes an effective usable redshift range up to $0$8 and down to about $0$9. For malware analysis, the current implementation supports only Windows PE files, has no built-in unpacking or deobfuscation engine, lacks first-party dynamic analysis, is resource-constrained by heavy modules such as Ghidra, and depends on the quality and availability of third-party tools and TI APIs. The authors describe future directions including broader file-format support, de-obfuscation and unpacking, direct sandbox integration, and additional output formats (Hernán-Caballero, 13 Jul 2025, Tan et al., 2021).

Taken together, the two projects illustrate how the same software name has been used for distinct technical agendas. In astronomy, ColdPress denotes a fixed-length quantile codec for $7$0 objects and CDF-based reconstruction. In malware research, it denotes a Dockerized orchestration layer for static analysis, TI enrichment, and reporting. The shared label is nominal rather than architectural; the commonality lies chiefly in the effort to replace slow, heterogeneous workflows with compact, automatable representations and pipelines.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to ColdPress.