Key components of SPHINX architecture building blocks Part II
Continue from Part I
In SPHINX building blocks, the technical consortium members are joining efforts to deliver twenty-one key components according to their expertise. Below, the components are presented:
Forensic Data Collection Engine (FDCE)
The Forensic Data Collection Engine (FDCE) is a component led by NTUA and is based on on pioneering mathematical models (e.g. game theory) for analysing, compiling, combining and correlating all incident-related information and data from different levels patterns and contexts in a privacy-aware manner.
In SPHINX, the FDCE component connects to an online cyber threats taxonomy base that is part of a knowledge base of formal and uniform representations of digital evidence, along with their relationship, that encapsulates all concepts of the forensic field. The SPHINX ontology and taxonomy share a common understanding of the structure of all information, linking to evidence the relevant stakeholders and the forensics investigators.
Homomorphic Encryption (HE)
The SPHINX architecture makes use of an Encryption technique named Homomorphic Encryption to ensure user data privacy and security. This technique is implemented by the Homomorphic Encryption (HE) component led by TEC that acts as a backbone for the SPHINX Platform and ensures that all stored sensitive data is in encrypted format.
Instead of opting for a conventional approach of downloading all data and decrypting it to find the desired file/content, HE allows for a search to be performed on the encrypted stored data and only the data/files containing the desired content are downloaded for further processing, thus making it a viable solution. The HE module has two main components: one that runs on the gateway/client and another that runs on a server.
Anonymisation and Privacy (AP)
The SPHINX Anonymisation and Privacy (AP) component is led by PDMFC comprised of two modules: the anonymisation module and the privacy module.
The anonymisation module of AP is a dataflow tool that has high throughput for processing large text datasets in unstructured formats and perform user-defined transformations to clean, bake, structure, anonymise and or encrypt. The privacy module of AP is orthogonal to all other components in the sense that is deployed by organisations independently of other components to serve the single purpose of collecting the required evidence of compliance with GDPR by the organisation.
Decision Support System (DSS)
The Decision Support System (DSS) component is led by KT resides on the user’s side. It consists of advanced information processing mechanisms, fully utilising raw data and measurements from SPHINX components dealing with data collection (e.g., VAaaS, SIEM, MLID) and effectively detecting potential abnormalities at different levels of the IT distributed network in the spatiotemporal domain. DSS integrates lower level decisions and alerts that lead to high-level decisions and plan suggestions that are sent to Interactive Dashboards via a REST API.
Analytic Engine (AE)
The Analytic Engine (AE) component is led by KT and it is used to visualise data in real-time (or near real-time) with pie, scatter and bar plots that provide a first insight into the user’s behaviour. The Analytic Engine combines data from the DSS and HP components, as well as historical and real-time data, and delivers descriptive statistics: for example, it provides the total or average number of detected abnormalities in the system (how many attacks) per month or year, using graphs.
Interactive Dashboards (ID)
The advanced SPHINX Interactive Dashboards (ID) component is led by SIMAVI provides a powerful framework for SPHINX components to interactively display and share trends, forecasts and answers to business questions about the cyber security and protection of their IT infrastructure. Delivering information collected from a large set of internal SPHINX components, the ID allow users to interact in a dynamic way with their own information processes and offer a high degree of freedom regarding the analysis of their security system.
A set of diversified panels support the users’ easy-to-access, intuitive and friendly visualisation of relevant cyber security information in the graphical, statistical, tabular and temporal formats, as well as of alerts and notifications, that are designed to enable the users’ rapid situational awareness and understanding.
Attack and Behaviour Simulators (ABS)
The SPHINX Attack and Behaviour Simulators (ABS) component is led by NTUA and provides a ground for testing SPHINX components. By providing routines/scripts of already documented cyber-attacks, with known effects, outcomes and consequences, the ABS allow for the operational capability of the SPHINX Platform to be tested. The success performance indicator is the Platform’s capability to properly identify the simulated attacks. The modelled cyber-attacks/incidents paths and patterns and the reconstruction of reliable and valid chains of evidence, provided by the FDCE component, are used to validate the appropriate response of the system.
More information about the key components of SPHINX’s architecture buidling blocks can be found at Seliverable 2.6 that is publicly available here.