
    Cyber Security of Multi-Locational Work in Modern Organisation

    Multi-locational work has become an integral part of working life in recent decades, and during the Covid-19 pandemic it continued to increase. With this change, the probability of certain cyber security risks has grown. Based on the literature, this thesis presents the key cyber security risks of multi-locational work. The risks were categorised into four levels according to who is primarily responsible for the risk: primarily the employee's responsibility, shared responsibility between the employee and the organisation, primarily the organisation's responsibility, and abstract responsibility. A risk analysis matrix was chosen to illustrate the level of risk, as it considers both the severity and the probability of each risk. The empirical part of the study was conducted as a case study of cyber security in a modern Finnish organisation, using both interviews and a questionnaire. The risk analysis matrix was then used to identify the level of each risk in the organisation. Based on the risk analysis, priority proposals for action were targeted at the risks assessed as intolerable or significant. The risk assessment matrix was found to be a practical tool for assessing a company's cyber security risk: once the level of risk has been identified, measures can be taken in the way most appropriate for the company, prioritising the risks that require immediate action or other necessary measures.

    Catching Remote Administration Trojans (RATs)

    A Remote Administration Trojan (RAT) allows an attacker to remotely control a computing system and typically consists of a server running invisibly on the victim machine, listening on specific TCP/UDP ports, and a client that acts as the interface between the server and the attacker. The accuracy of the host- and/or network-based methods usually employed to identify RATs depends heavily on the quality of Trojan signatures derived from static patterns in RAT programs and/or their communications. Attackers can obfuscate such patterns by having RATs use dynamic ports, encrypted messages, and even changing Trojan banners. In this paper, we propose a comprehensive framework termed RAT Catcher, which reliably detects and ultimately blocks malicious RAT activity even when Trojans use multiple evasion techniques. Employing network-based methods and operating in inline mode to inspect passing packets in real time, RAT Catcher collects and maintains status information for every connection and performs session correlation to greatly improve detection accuracy. RAT Catcher reassembles the packets of each data stream and dissects the resulting aggregate according to known Trojan communication protocols, further enhancing its traffic classification. By scanning not only protocol headers but also payloads, RAT Catcher is a true application-layer inspector that performs a range of corrective actions on identified traffic, including alerting, packet dropping, and connection termination. We show the effectiveness and efficiency of RAT Catcher through experiments in both laboratory and real-world settings. Copyright © 2007 John Wiley & Sons, Ltd.
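
    The three mechanisms the abstract names (per-connection state, stream reassembly before dissection, and session correlation across connections) can be seen working together in the following added illustration. It is not the authors' RAT Catcher code: the "toy RAT" protocol (a constructed `TR1\x00` marker followed by opcode/length/body messages), the `Inspector` class, its action table, and all addresses and traffic are assumptions made up for the example. The point it demonstrates is that classification driven by reassembled payload rather than by port number is unaffected by a Trojan moving to TCP/443, and that once a control channel is identified between two hosts, a second connection between them can be blocked by correlation alone.

```python
import struct
from dataclasses import dataclass, field

# Constructed toy handshake marker for the illustration; not a real RAT banner.
MAGIC = b"TR1\x00"


@dataclass
class Segment:
    """One TCP segment as seen by the inline inspector (seq is relative to the flow)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


@dataclass
class Flow:
    """Per-connection state: out-of-order buffer, reassembled stream, verdict."""
    pending: dict = field(default_factory=dict)       # seq -> payload not yet in order
    next_seq: int = 0
    stream: bytearray = field(default_factory=bytearray)
    verdict: str = "unknown"


def dissect_toy_rat(stream: bytes):
    """Parse the reassembled stream as the toy protocol: MAGIC, then messages of
    1-byte opcode, 2-byte big-endian length, body. Returns the parsed messages,
    or None if the stream is not (yet) a well-formed toy-RAT conversation."""
    if not stream.startswith(MAGIC):
        return None
    msgs, pos = [], len(MAGIC)
    while pos + 3 <= len(stream):
        opcode, length = struct.unpack(">BH", stream[pos:pos + 3])
        if pos + 3 + length > len(stream):
            break                                      # body incomplete; wait for more
        msgs.append((opcode, bytes(stream[pos + 3:pos + 3 + length])))
        pos += 3 + length
    return msgs or None


class Inspector:
    """Inline, port-agnostic inspector with per-flow reassembly and host-pair correlation."""
    # Hypothetical policy table mapping a verdict to the corrective action taken.
    ACTIONS = {"toy_rat": "terminate", "correlated": "drop", "unknown": "pass"}

    def __init__(self):
        self.flows = {}                 # (src, sport, dst, dport) -> Flow
        self.flagged_pairs = set()      # frozenset({host_a, host_b}) with a known RAT session

    def inspect(self, seg: Segment) -> str:
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        flow = self.flows.setdefault(key, Flow())
        pair = frozenset((seg.src, seg.dst))
        # Session correlation: a new connection between two hosts that already share
        # a RAT control channel is treated as part of the same intrusion, whatever its port.
        if flow.verdict == "unknown" and pair in self.flagged_pairs:
            flow.verdict = "correlated"
        if flow.verdict != "unknown":
            return self.ACTIONS[flow.verdict]
        # Reassembly: buffer the segment, then append everything that is now contiguous.
        flow.pending[seg.seq] = seg.payload
        while flow.next_seq in flow.pending:
            chunk = flow.pending.pop(flow.next_seq)
            flow.stream += chunk
            flow.next_seq += len(chunk)
        # Classification by payload content, not by port number.
        if dissect_toy_rat(bytes(flow.stream)) is not None:
            flow.verdict = "toy_rat"
            self.flagged_pairs.add(pair)
        return self.ACTIONS[flow.verdict]


def demo() -> dict:
    """Constructed traffic: a toy-RAT session on TCP/443 whose segments arrive out of
    order, a follow-up connection between the same hosts, and unrelated HTTP on 8080."""
    insp = Inspector()
    cmd = struct.pack(">BH", 0x01, 8) + b"whoami\r\n"          # opcode 1, 8-byte body
    attacker, victim = "198.51.100.7", "10.0.0.5"
    out = {}
    # The command segment (seq 4) is seen before the handshake segment (seq 0).
    out["rat_seg2"] = insp.inspect(Segment(attacker, 51000, victim, 443, 4, cmd))
    out["rat_seg1"] = insp.inspect(Segment(attacker, 51000, victim, 443, 0, MAGIC))
    # Reverse channel opened by the victim; blocked by correlation before any dissection.
    out["reverse"] = insp.inspect(Segment(victim, 40000, attacker, 9000, 0, b"\x00" * 16))
    # Benign request on a non-standard port: no dissector matches, so it passes.
    out["http"] = insp.inspect(Segment("10.0.0.9", 52000, "203.0.113.2", 8080, 0,
                                       b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
    return out


if __name__ == "__main__":
    print(demo())
```

    Two caveats the example makes visible. First, the out-of-order command segment is passed before the stream can be classified; a real inline inspector must either hold segments until the dissector reaches a decision or accept that the opening bytes of a session leak through before termination. Second, payload dissection only works on plaintext: against the encrypted messaging the abstract lists as an evasion technique, connection-state tracking and host-pair correlation are what remain.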

    Challenges and Open Questions of Machine Learning in Computer Security

    This habilitation thesis presents advances in machine learning for computer security arising from problems in network intrusion detection and steganography. The thesis puts an emphasis on explaining the traits shared by steganalysis, network intrusion detection, and other security domains, which set these domains apart from computer vision, speech recognition, and other fields where machine learning is typically studied. It then presents methods developed to at least partially solve the identified problems, with the overall goal of making machine-learning-based intrusion detection systems viable. Most of the methods are general in the sense that they can be used outside intrusion detection and steganalysis on problems with similar constraints. A common feature of all of them is that they are simple, yet surprisingly effective. According to large-scale experiments they almost always improve on the prior art, which is likely due to their being tailored to security problems and designed for large volumes of data. Specifically, the thesis addresses the following problems: anomaly detection with low computational and memory complexity, so that efficient processing of large data is possible; multiple-instance anomaly detection, which improves the signal-to-noise ratio by classifying larger groups of samples; supervised classification of tree-structured data, simplifying their encoding in neural networks; clustering of structured data; supervised training with the emphasis on precision in the top p% of returned data; and finally the explanation of anomalies, to help humans understand the nature of an anomaly and speed up their decision. Many of the algorithms and methods presented in this thesis are deployed in a real intrusion detection system protecting millions of computers around the globe.