SPHINX Functional Requirements and Guidelines: PART IV

Continued from PART III.

SPHINX shall detect anomalous behaviour in the organisation’s IT ecosystem, based on its discovered behavioural patterns.

The SPHINX Platform shall discover patterns in the data produced by the healthcare organisation’s IT ecosystem and capture its normal behaviour (e.g., wait time, number of queries, DICOM-characterised traffic). With a baseline of normal behaviour established, SPHINX shall reduce the time users spend on routine cybersecurity tasks and, more importantly, identify suspicious (potentially malicious) behaviour to be considered in cyber risk assessment reports, learn from it to prevent similar attacks, and apply resources more strategically. The SPHINX Platform shall enable the early detection of anomalies (anomalous and malicious behaviour) in the IT ecosystem using network probes, traffic inspection and user profiling techniques. Overall, these capabilities support the users’ decision-making with respect to the prevention of cyber threats and the response to active cyber-attacks.

IT Domain: IT Hardware Infrastructure, Networking, Applications

Cyber Security Management Cycle: Protect, Detect, Respond

SPHINX shall detect and alert users in case of abnormal network traffic.

The SPHINX Platform shall detect the presence of abnormal (likely non-legitimate) network traffic that exhibits patterns indicating a breach or malicious software. Suspicious and abnormal patterns may consist of irregular traffic flows, unusually large volumes of transmitted data, connections to known-malicious IP addresses and unauthorised access attempts against devices. Overall, these capabilities support the users’ decision-making with respect to the prevention of cyber threats and the mitigation of cyber-attacks, including DDoS attacks and botnet activity.

IT Domain: Networking, Applications

Cyber Security Management Cycle: Detect, Respond

SPHINX shall provide fully adaptable, near-real-time automated intrusion detection and data filtering algorithms based on individual user profile characteristics.

The SPHINX Platform shall enable the profiling of user behaviour, capturing each user’s common characteristics and patterns. Based on the registered user profiles, SPHINX shall be capable of flagging and classifying, in near real time, abnormal traffic and cyber-attack patterns as they are generated, in order to detect suspicious user behaviour early and perform automated intrusion detection. Overall, these capabilities support the users’ decision-making with respect to the prevention of cyber threats and the mitigation of cyber-attacks.

IT Domain: Networking, Applications

Cyber Security Management Cycle: Detect
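The three requirements above (anomaly detection against a learned baseline, abnormal-traffic detection, and per-user profiling) share one mechanism: build a profile of normal behaviour per host or user, then score every new observation against it. The Python block below is an added example written for this page, not SPHINX code; the hostnames, addresses, metrics, thresholds and records are all constructed. It learns a per-source median and median absolute deviation (MAD) for two volume metrics, scores a new interval with the modified z-score, falls back to the mean absolute deviation when the MAD collapses to zero (which happens whenever more than half of the samples equal the median, as the second host shows), and adds two rule checks for the patterns the requirement lists: a destination on a blocklist and a burst of failed logins. Findings are emitted as JSON so they can feed the machine-readable reports required later on this page.

```python
"""Baseline-and-deviation anomaly detection over constructed traffic records.

Added example: a per-source behavioural baseline (median / MAD) plus two rule
checks. All hostnames, addresses and numbers are constructed for illustration.
"""
import json
import math
import statistics
from collections import defaultdict

MAD_SCALE = 0.6745        # Iglewicz-Hoaglin modified z-score constant
MEAN_AD_SCALE = 1.253314  # fallback scale when the MAD collapses to zero
Z_THRESHOLD = 3.5         # conventional cut-off for the modified z-score
AUTH_BURST = 10           # failed logins per interval treated as an access-attempt burst
VOLUME_METRICS = ("bytes_out_mb", "queries")


def _history(src, bytes_out, queries):
    """Build hourly baseline records for one source (constructed data)."""
    return [{"src": src, "bytes_out_mb": b, "queries": q, "failed_auth": 0, "dst": "10.0.0.5"}
            for b, q in zip(bytes_out, queries)]


# Constructed baseline: 12 quiet hourly intervals for a PACS node and a web front end.
HISTORY = (
    _history("pacs-01", [50, 52, 48, 51, 49, 50, 53, 47, 50, 52, 49, 51],
             [120, 118, 125, 121, 119, 122, 117, 124, 120, 123, 119, 121])
    + _history("his-web-01", [5, 6, 5, 5, 7, 5, 6, 5, 5, 6, 5, 5],
               [300, 310, 295, 305, 300, 298, 312, 301, 299, 303, 300, 302])
)
BLOCKLIST = {"198.51.100.7"}  # constructed "known-bad" destination

# Constructed current interval: one quiet record, one exfiltration-like record to a
# blocklisted address, one failed-login burst, and one device never seen before.
CURRENT = [
    {"src": "pacs-01", "bytes_out_mb": 55, "queries": 121, "failed_auth": 0, "dst": "10.0.0.5"},
    {"src": "pacs-01", "bytes_out_mb": 500, "queries": 119, "failed_auth": 0, "dst": "198.51.100.7"},
    {"src": "his-web-01", "bytes_out_mb": 6, "queries": 300, "failed_auth": 14, "dst": "10.0.0.5"},
    {"src": "us-03", "bytes_out_mb": 1, "queries": 3, "failed_auth": 0, "dst": "10.0.0.5"},
]


def build_baseline(history):
    """Per-source, per-metric median, MAD and mean absolute deviation."""
    samples = defaultdict(lambda: defaultdict(list))
    for rec in history:
        for metric in VOLUME_METRICS:
            samples[rec["src"]][metric].append(rec[metric])
    baseline = {}
    for src, metrics in samples.items():
        baseline[src] = {}
        for metric, values in metrics.items():
            med = statistics.median(values)
            devs = [abs(v - med) for v in values]
            baseline[src][metric] = {"median": med, "mad": statistics.median(devs),
                                     "mean_ad": statistics.mean(devs)}
    return baseline


def modified_z(x, stats):
    """Robust z-score that also handles the MAD == 0 degenerate case."""
    med, mad, mean_ad = stats["median"], stats["mad"], stats["mean_ad"]
    if mad > 0:
        return MAD_SCALE * (x - med) / mad
    if mean_ad > 0:  # more than half the samples equal the median: MAD is 0, mean AD is not
        return (x - med) / (MEAN_AD_SCALE * mean_ad)
    return 0.0 if x == med else math.copysign(math.inf, x - med)  # constant baseline


def detect(records, baseline, blocklist):
    """Score each record; return a list of finding dicts (empty when all is normal)."""
    findings = []
    for rec in records:
        src = rec["src"]
        if rec["dst"] in blocklist:
            findings.append({"src": src, "rule": "blocklisted_destination", "value": rec["dst"]})
        if rec["failed_auth"] >= AUTH_BURST:
            findings.append({"src": src, "rule": "auth_burst", "value": rec["failed_auth"]})
        if src not in baseline:  # a never-profiled device is itself worth a look
            findings.append({"src": src, "rule": "no_baseline", "value": None})
            continue
        for metric in VOLUME_METRICS:
            z = modified_z(rec[metric], baseline[src][metric])
            if abs(z) > Z_THRESHOLD:  # spikes and collapses (e.g. a silent DICOM node) both count
                findings.append({"src": src, "rule": "volume_anomaly", "metric": metric,
                                 "value": rec[metric],
                                 "score": round(z, 2) if math.isfinite(z) else None})
    return findings


def to_report(findings):
    """Machine-readable report (JSON) for downstream tooling."""
    return json.dumps(findings, indent=2)


if __name__ == "__main__":
    print(to_report(detect(CURRENT, build_baseline(HISTORY), BLOCKLIST)))
```

Run as-is and the quiet record produces nothing, the 500 MB interval is flagged twice (blocklisted destination and volume anomaly), the 14 failed logins trip the burst rule, and the unknown device is reported as lacking a baseline. The same structure applies unchanged to per-user profiling: key the baseline by user name instead of host and feed it per-user metrics such as queries per hour or records accessed.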

SPHINX shall provide an advanced data analysis engine.

The SPHINX Platform shall provide an advanced analytics engine capable of presenting data on the IT ecosystem’s network and users’ behaviour in an intuitive visual form. Descriptive statistics and graphs (pie, bar and scatter plots) allow the IT operator to rapidly recognise detected suspicious network and user behaviour and take appropriate mitigation measures. Overall, this capability supports the users’ monitoring tasks and decision-making with respect to the prevention of cyber threats and the mitigation of cyber-attacks. Detailed reports shall be easily generated in a machine-readable format (JSON, CSV).

IT Domain: Applications

Cyber Security Management Cycle: Protect, Detect

SPHINX shall enable the analysis of successful and unsuccessful cyber-attacks.

The SPHINX Platform shall deliver the capability to analyse successful and unsuccessful cyber-attacks, including access attacks (software, biometric access), network attacks (firewalls, routers, switches) and device attacks, based on the information provided by the IT ecosystem. Overall, this capability supports the users’ decision-making with respect to the prevention of cyber threats and the mitigation of cyber-attacks. Detailed reports shall be easily generated in a machine-readable format (JSON, CSV). The system should provide a central place where all the events belonging to an incident are stored together and can be viewed by security analysts.

IT Domain: IT Hardware Infrastructure, Networking, Applications

Cyber Security Management Cycle: Protect, Detect

SPHINX shall be able to recognise the typology of known cyber-attacks.

The SPHINX Platform shall have the capability to identify and recognise the typology of known (already documented) cyber-attacks, with known effects, outcomes and consequences. The SPHINX Platform shall identify cyber-attacks’ paths and patterns and establish a reliable and valid chain of evidence that supports the appropriate system response. Overall, this capability supports the users’ decision-making with respect to reacting to known cyber-attacks. This knowledge base should be updatable using common security information exchange formats, such as STIX.

IT Domain: Applications

Cyber Security Management Cycle: Detect, Respond
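As an added example (not SPHINX code) of keeping such a knowledge base current from a STIX feed, the Python block below ingests a constructed STIX 2.1 bundle, extracts the equality comparisons from each indicator’s pattern, skips indicators that are revoked, expired or not yet valid, and exposes a lookup keyed by observable type and property. Only `pattern_type` "stix" and only `=` comparisons are taken; `!=`, `LIKE` and `MATCHES` are deliberately ignored because they do not name a concrete bad value. The bundle, its identifiers, the hash value and the reference time are constructed for illustration and are not real threat intelligence.

```python
"""Ingest STIX 2.1 indicators into an attack-knowledge lookup table.

Added example; the bundle, identifiers and the reference time are constructed.
"""
import json
import re
from datetime import datetime, timezone

# One equality comparison inside a STIX pattern, e.g.
#   ipv4-addr:value = '203.0.113.5'      or      file:hashes.'SHA-256' = '...'
# group 1: object type, group 2: property path, group 3: quoted literal.
# "!=", "LIKE" and "MATCHES" do not match, which is intended: they name no concrete bad value.
COMPARISON = re.compile(
    r"([a-z0-9-]+):"                                                 # object type
    r"((?:[A-Za-z0-9_]+|'[^']+')(?:\.(?:[A-Za-z0-9_]+|'[^']+'))*)"   # property path
    r"\s*=\s*'((?:[^'\\]|\\.)*)'"                                    # = 'literal'
)

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_BUNDLE = json.dumps({  # constructed feed content, not real threat intelligence
    "type": "bundle", "id": "bundle--1a2b3c4d-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0001-4000-8000-000000000001",
         "name": "C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "created": "2025-01-10T00:00:00Z", "modified": "2025-01-10T00:00:00Z",
         "valid_from": "2025-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0002-4000-8000-000000000002",
         "name": "Staging domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.net' OR domain-name:value = 'cdn.example.net']",
         "created": "2025-01-12T00:00:00Z", "modified": "2025-01-12T00:00:00Z",
         "valid_from": "2025-01-12T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0003-4000-8000-000000000003",
         "name": "Dropper hash (withdrawn)", "pattern_type": "stix", "revoked": True,
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "created": "2025-01-05T00:00:00Z", "modified": "2025-02-01T00:00:00Z",
         "valid_from": "2025-01-05T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0004-4000-8000-000000000004",
         "name": "Old scanner", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "created": "2024-01-01T00:00:00Z", "modified": "2024-01-01T00:00:00Z",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-06-30T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--1a2b3c4d-0005-4000-8000-000000000005",
         "name": "Constructed sample", "is_family": False},
    ],
})


def parse_stix_time(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _unescape(literal):
    return re.sub(r"\\(.)", r"\1", literal)  # STIX escapes ' and \ with a backslash


def ingest_bundle(bundle_json, now):
    """Return {"<type>:<property>": {value: indicator_id}} for currently valid indicators.

    Revoked, expired and not-yet-valid indicators remove any entry they themselves
    contributed, so a feed that revokes an earlier object is applied correctly.
    """
    kb = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        entries = [(f"{t}:{p}", _unescape(v)) for t, p, v in COMPARISON.findall(obj["pattern"])]
        active = (not obj.get("revoked")
                  and ("valid_from" not in obj or parse_stix_time(obj["valid_from"]) <= now)
                  and ("valid_until" not in obj or now < parse_stix_time(obj["valid_until"])))
        for key, value in entries:
            if active:
                kb.setdefault(key, {})[value] = obj["id"]
            elif kb.get(key, {}).get(value) == obj["id"]:
                del kb[key][value]
    return kb


def lookup(kb, key, value):
    """Indicator id for an observed value, or None. Key is '<stix type>:<property>'."""
    return kb.get(key, {}).get(value)


if __name__ == "__main__":
    print(json.dumps(ingest_bundle(SAMPLE_BUNDLE, NOW), indent=2))
```

The extraction flattens the boolean structure of a pattern: an `OR` of two comparisons becomes two independent watchlist entries, which is what you want, but an `AND` (both conditions must hold on the same observation) is flattened the same way and therefore over-approximates. That is acceptable for a watchlist that feeds an analyst, not for automatic response; precise matching needs a full STIX pattern evaluator.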

More information about the Functional Requirements and Guidelines of SPHINX can be found in Deliverable 2.8 that is publicly available here.