Key components of SPHINX architecture building blocks Part I
The SPHINX solution features a modular architecture comprising 5 building blocks. Each building block consists of a series of components, each of which implements a specific SPHINX capability. The main architectural building blocks are therefore best described from a decomposed perspective, showing the variety of components that work together to deliver the capability that each of the 5 high-level modules aims to achieve.
Within the SPHINX building blocks, the technical consortium members join efforts to deliver twenty-one key components according to their expertise. The components are presented below:
Vulnerability Assessment as a Service (VAaaS)
The Vulnerability Assessment as a Service (VAaaS) component is led by HMU. It dynamically assesses network entities against known vulnerabilities and outputs a Common Vulnerability Scoring System (CVSS) score reflecting the security level of each entity. The component monitors the underlying network and discovers all existing and newly introduced network entities.
Data Traffic Monitoring (DTM)
The Data Traffic Monitoring (DTM) component is led by SIMAVI. Supporting multiple protocols and operating on pre-defined rules and filters, it tracks the devices connected to a network, the data those devices access and how much bandwidth each device uses. Moreover, it captures packets in real time and displays them in a human-readable format, in order to detect the network traffic of suspicious programmes, analyse the traffic flow on the network or troubleshoot network problems.
Anomaly Detection (AD)
The Anomaly Detection (AD) component is also led by SIMAVI and deals with the identification of events, activities or observations that raise suspicion by differing significantly from normal infrastructure, component or user behaviour. The main functionalities of this component are the detection of ecosystem disturbances, the implementation of a set of rules based on the characteristics of previous system events, user activities and incidents, and the provision of an alert engine to raise notifications.
Real-time Cyber Risk Assessment (RCRA)
Led by NTUA, the Real-time Cyber Risk Assessment (RCRA) component within SPHINX periodically assesses the risk of cyber security incidents, determines their probable consequences and presents warning levels and alerts to users. To periodically assess this risk using the corresponding precursors, the RCRA draws on information a) available in logging systems, b) extracted from other SPHINX components (AD, DTM, HP and SIEM), c) provided by other intrusion detection systems (external to SPHINX) and d) produced by its own security protocol analysis capabilities.
Security Information and Event Management (SIEM)
The Security Information and Event Management (SIEM) component is led by PDMFC and provides Security Information Management (SIM), Security Event Management (SEM), the definition of a common taxonomy for security events and incidents, and the definition of a common information model based on published industry and government standards. The SPHINX SIEM component implements a query interface through which other components or users can distinguish between normal and abnormal operations. To complement the data search, visual analytics methods are made available to visually depict characteristics that assist the human operator in discovering attacks and their causes.
Artificial Intelligence (AI) Honeypot (HP)
This component is led by FINT. Honeypots are part of the cyber defense arsenal and are widely used to prevent, detect and respond to cyberattacks. Their value lies in luring adversaries to attack them instead of the real production IT systems. To achieve this, honeypots emulate services or even complete systems that an adversary may consider targets. In the context of SPHINX, the Honeypot (HP) component dynamically provides data to the Artificial Intelligence (AI) algorithms designed to detect anomalies, such as an attempt to install malware in the authority’s IT infrastructure.
Machine Learning-empowered Intrusion Detection (MLID)
Based on advanced statistics and pattern recognition principles, the Machine Learning-empowered Intrusion Detection (MLID) component, led by AIDEAS, is capable of reducing the possibility of an intruder teaching the system to consider its attacks as normal data.
MLID operates in conjunction with honeypots to gather attack information from intruders, and uses supervised machine learning and/or deep learning algorithms for dynamic learning of both registered and unregistered data. The SPHINX HP is used to collect interaction data generated by attackers, whereas supervised learning eliminates the need for the manual and continuous database updates typically performed in traditional intrusion detection.
More information about the key components of SPHINX’s architecture building blocks can be found in Deliverable 2.6, which is publicly available.