SPHINX User Interface Functional Requirements & Guidelines: Data Traffic Monitoring & Anomaly Detection

The SPHINX System interacts with the user in order to develop cyber awareness concerning risks, vulnerabilities and incidents within the IT network and connected devices. Moreover, it allows the user to perform vulnerability assessment and certification of devices. In this regard, the user interface needs to be designed according to the user’s needs and expectations to ensure the utility of SPHINX.

Continued from Part I.

Data Traffic Monitoring

Data Traffic Monitoring (DTM) monitors data from devices that are connected to a network. It captures data packets in real time and displays them in a human-readable format, in order to detect network traffic generated by suspicious programmes. It highlights unusual communication/activity according to defined rules and filters.

The snapshot below shows the DTM dashboard that includes two features: (1) statistical information in tabular form including the number of alerts, the number of critical events and the number of warnings, (2) statistical information in the form of charts.

Anomaly Detection

Anomaly Detection (AD) identifies events, activities or observations that raise suspicion by differing significantly from the normal infrastructure/component/user behaviour. AD uses as input the logs generated by DTM.

AD uses machine learning or statistical algorithms in order to identify outliers, which are reported as alerts. The next snapshots present the AD dashboard (top), which includes statistical information about the number of alerts (in tabular and chart forms), and the algorithms setup page (bottom): the first tab is used to enable or disable the desired algorithms, and the remaining tabs are used to configure the algorithms listed in the first tab.
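As an added illustration of the DTM-to-AD pipeline described above (example code, not SPHINX's own implementation): constructed DTM-style log lines are aggregated per source host, a statistical outlier test (median/MAD) and a rule-based filter are run according to an enable/disable configuration that mirrors the setup page, and the resulting alerts are counted as the dashboard would show them. The log format, algorithm names and thresholds are assumptions made for this example.

```python
import statistics
from collections import Counter
# Constructed DTM-style log lines (not real SPHINX output): timestamp src dst bytes_sent
DTM_LOG = """\
2023-01-01T10:00:01 10.0.0.11 10.0.0.50 512
2023-01-01T10:00:02 10.0.0.12 10.0.0.50 480
2023-01-01T10:00:03 10.0.0.13 10.0.0.50 530
2023-01-01T10:00:04 10.0.0.14 10.0.0.50 495
2023-01-01T10:00:05 10.0.0.15 10.0.0.50 505
2023-01-01T10:00:06 10.0.0.16 10.0.0.50 620
2023-01-01T10:00:07 10.0.0.17 10.0.0.50 40960
"""
# Mirrors the AD setup page: "enabled" is the first tab, the rest are per-algorithm
# parameters. Algorithm names and thresholds are assumptions, not SPHINX's own.
AD_CONFIG = {
    "robust_zscore": {"enabled": True, "warning": 3.5, "critical": 10.0},
    "static_threshold": {"enabled": False, "critical_bytes": 10000},
}

def parse_dtm(log):
    """Aggregate bytes sent per source host from the DTM log lines."""
    totals = Counter()
    for line in log.splitlines():
        _ts, src, _dst, nbytes = line.split()
        totals[src] += int(nbytes)
    return dict(totals)

def robust_zscore(totals, cfg):
    """Statistical outliers: deviation from the median, measured in MADs."""
    med = statistics.median(totals.values())
    mad = statistics.median(abs(v - med) for v in totals.values()) or 1.0
    alerts = []
    for host, v in totals.items():
        z = 0.6745 * (v - med) / mad  # 0.6745 makes the MAD comparable to a std. deviation
        severity = "critical" if z >= cfg["critical"] else "warning" if z >= cfg["warning"] else None
        if severity:
            alerts.append((host, severity, round(z, 1)))
    return alerts

def static_threshold(totals, cfg):
    """Rule-based filter: any host above a fixed byte budget is critical."""
    return [(h, "critical", v) for h, v in totals.items() if v > cfg["critical_bytes"]]

ALGORITHMS = {"robust_zscore": robust_zscore, "static_threshold": static_threshold}
def run_ad(log, config):
    """Run every enabled algorithm; return alerts and the counts the dashboard shows."""
    totals = parse_dtm(log)
    alerts = [a for name, cfg in config.items() if cfg["enabled"]
              for a in ALGORITHMS[name](totals, cfg)]
    summary = {"alerts": len(alerts),
               "critical": sum(a[1] == "critical" for a in alerts),
               "warnings": sum(a[1] == "warning" for a in alerts)}
    return alerts, summary
```

With the constructed log, the host sending 40960 bytes is reported as critical and the host sending 620 bytes as a warning, while disabling the statistical algorithm and enabling the static rule yields only the critical alert.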

More information about the Functional Requirements and Guidelines of SPHINX can be found in Deliverable 2.10 that is publicly available here.