SPHINX’s Forensic Data Collection Engine

SPHINX’s support for incident forensics is provided by the Forensic Data Collection Engine (FDCE) component, which correlates, analyses and stores, in a privacy-preserving manner, all incident-related information and data from the different levels and contexts of the system.

The FDCE is able to discover the relationships between devices and the related evidence and to produce a timeline of cyber security incidents, including a record of incident-related information, a map of the involved assets (system components) and a set of meaningful chains of evidence.

The operation of the Forensic Data Collection Engine (FDCE) component is based on mathematical models (e.g. game theory) for analysing, compiling, combining and correlating all incident-related information and data from different levels, patterns and contexts in a privacy-aware manner.

These techniques provide the basis for processing data gathered from various sources and storing it in a unified structure, in order to discover the relationships between devices and the related evidence and to produce a timeline of cyber security incidents, including a map of affected devices and a set of meaningful chains of evidence (linked evidence). The always-on and lightweight FDCE component also records incident-related information so that a cyber security incident can be fully reconstructed afterwards.
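The following is an added example, not SPHINX's own code, of what the two paragraphs above describe in practice: records from several hypothetical sources (an anomaly detector, a SIEM and a threat registry) are normalised into one evidence structure, personal identifiers are pseudonymised with a keyed hash before storage so the same person still correlates across records, evidence is linked to assets, and the result is an ordered timeline, an asset map and a hash-linked chain of evidence whose integrity can be verified. All field names, asset names, addresses and records are constructed for illustration and are not a SPHINX format.

```python
"""Minimal forensic evidence correlator (added example, not SPHINX code).

Ingests incident-related records from several constructed sources, normalises
them into one structure, pseudonymises personal identifiers, links evidence to
assets, and builds an incident timeline plus a tamper-evident chain of evidence.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime

# Constructed sample records from three hypothetical sources.
# Field names are assumptions for this example, not a SPHINX format.
ANOMALY_EVENTS = [
    {"ts": "2021-03-02T10:15:02Z", "asset": "ws-017", "user": "j.doe",
     "detail": "unusual outbound volume to 203.0.113.7"},
]
SIEM_EVENTS = [
    {"time": "2021-03-02T10:12:40Z", "host": "ws-017", "account": "j.doe",
     "msg": "logon from 198.51.100.23"},
    {"time": "2021-03-02T10:16:10Z", "host": "fw-01", "account": None,
     "msg": "blocked ws-017 -> 203.0.113.7:443"},
]
THREAT_REGISTRY = [
    {"indicator": "203.0.113.7", "attack_type": "data exfiltration"},
]

# Assumption: this key lives outside the evidence store and is rotated per deployment.
PSEUDONYM_KEY = b"rotate-me-per-deployment"


def pseudonymise(identifier):
    """Keyed hash: the same person correlates across records without storing the name."""
    if identifier is None:
        return None
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def normalise(source, rec):
    """Map each source's own field names onto one unified evidence structure."""
    if source == "anomaly":
        ts, asset, user, text = rec["ts"], rec["asset"], rec["user"], rec["detail"]
    elif source == "siem":
        ts, asset, user, text = rec["time"], rec["host"], rec["account"], rec["msg"]
    else:
        raise ValueError(f"unknown source {source}")
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "asset": asset,
            "subject": pseudonymise(user), "source": source, "text": text}


def tag_attack_types(evidence, registry):
    """Attach registry attack types whose indicator appears in the evidence text."""
    for ev in evidence:
        ev["attack_types"] = sorted({r["attack_type"] for r in registry
                                     if r["indicator"] in ev["text"]})
    return evidence


def build_timeline(evidence):
    """Order all evidence chronologically, regardless of source."""
    return sorted(evidence, key=lambda e: e["ts"])


def asset_map(evidence):
    """Involved assets, each linked to the other assets named in shared evidence."""
    assets = {e["asset"] for e in evidence}
    links = defaultdict(set)
    for e in evidence:
        involved = {e["asset"]} | {a for a in assets if a in e["text"]}
        for a in involved:
            links[a] |= involved - {a}
    return {a: sorted(links[a]) for a in sorted(assets)}


def _link_payload(prev_hash, e):
    return f"{prev_hash}|{e['ts'].isoformat()}|{e['asset']}|{e['subject']}|{e['source']}|{e['text']}"


def chain_of_evidence(timeline):
    """Hash-link each record to its predecessor so later tampering is detectable."""
    chain, prev = [], "0" * 64
    for e in timeline:
        digest = hashlib.sha256(_link_payload(prev, e).encode()).hexdigest()
        chain.append({**e, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Recompute every link; any edited or reordered record breaks the chain."""
    prev = "0" * 64
    for link in chain:
        expected = hashlib.sha256(_link_payload(prev, link).encode()).hexdigest()
        if link["prev_hash"] != prev or link["hash"] != expected:
            return False
        prev = link["hash"]
    return True


def reconstruct_incident():
    """Full pipeline over the constructed records: timeline, asset map, evidence chain."""
    evidence = ([normalise("anomaly", r) for r in ANOMALY_EVENTS]
                + [normalise("siem", r) for r in SIEM_EVENTS])
    tag_attack_types(evidence, THREAT_REGISTRY)
    timeline = build_timeline(evidence)
    return {"timeline": timeline, "asset_map": asset_map(timeline),
            "chain": chain_of_evidence(timeline)}


if __name__ == "__main__":
    result = reconstruct_incident()
    for link in result["chain"]:
        print(link["ts"].isoformat(), link["asset"], link["attack_types"], link["text"])
    print(result["asset_map"], "chain valid:", verify_chain(result["chain"]))
```

The pseudonymisation key is deliberately kept apart from the stored evidence: an investigator holding the key can re-link records to a person when legally authorised, while the evidence store alone reveals no names. The hash chain is the simplest form of linked evidence; a real deployment would sign or anchor the chain head (the page mentions a blockchain-based threat registry) rather than trust the store itself.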

In SPHINX, the FDCE component connects to an online cyber threats taxonomy base that is part of a knowledge base of formal and uniform representations of digital evidence, along with their relationships, which encapsulates all concepts of the forensic field. The SPHINX ontology and taxonomy provide a shared understanding of the structure of all this information, linking the evidence to the relevant stakeholders and to the forensic investigators.

The FDCE component exposes five interfaces that enable it to perform the actions described above and to interact with other components in the SPHINX environment, such as the Anomaly Detection, the Blockchain-based Threat Registry and the Security Information and Event Manager (see diagram below). These interfaces are the:

  • Security Incident-Related Information Interface
  • Attack Types and Patterns Data Sources Interface
  • Knowledge Database Interface
  • Threat Registry Interface and
  • Asset Information Interface

The following diagram depicts the interactions between the FDCE and the other SPHINX components.

More information about the Forensic Data Collection Engine can be found in Deliverable 2.6 and Deliverable 3.1, both of which are publicly available.