The Analytic Engine of SPHINX Toolkit
Logging mechanisms on web applications collect a huge amount of data every day which, when used effectively, can provide important insights for cybersecurity. Identifying attacks and responding to them is a challenge for cybersecurity researchers, who need to adopt user- and data-provenance-centric approaches to decision-making on cyber-attacks. For this reason, it is important to define common guidelines and policies for information representation, the selection of colours, the use of shapes and the way the user interacts with the platform.
Many components and techniques have been developed to improve the visualization of cybersecurity information, but evaluating these approaches remains a challenge, due to the heterogeneity of the purposes and scope they aim to achieve. A commonplace approach focuses on the usability evaluation of user interfaces, as well as their functionality in specific circumstances and environments, while providing a positive experience. In addition, data provenance as a security visualization service (DPaaSVS) helps visualize observed attack patterns, relationships and behaviours, and understand the attacker's behaviour and the actions that took place before the attack manifested, by utilizing past knowledge and updating the visualizations and analytics in real time.
In this direction, the main scope of the SPHINX Analytic Engine (AE) is to support the user in decision-making by combining data from several components (e.g. SIEM, MLID, HP, RCRA), which allows the following functionalities:
- Support in decision-making
- Overall assessment of the organization's cyber state
- Provision of data to the ID for visualization
- User interaction through the ID
Data from other components are stored in the AE's database and aggregated by specific characteristics. For example, the aggregation may be based on IP addresses, to identify the number of attacks related to a specific IP. It may also be based on the day, or the time interval of the day, in which an attack or specific attack types were identified, using data from MLID, HP and SIEM, to find out whether certain attacks cluster in particular time intervals.
The aggregated data are then visualized through the ID using charts such as pie, line and bar plots. More specifically, data can be visualized in the following ways:
- Line plots support the user in identifying the days and time intervals in which the system receives the most alerts, increasing the users' situational awareness (SA). They also visualize the risk level of the system (data from the RCRA component).
- Descriptive statistics are provided through the ID, such as the mean number of attacks, or of each attack type, identified the previous day. The user can set a preferred period for visualizing the historical data, so that a first insight into the organization's cyber situation is provided and users are able to identify attack patterns.
- The actions users applied, and the resulting reduction of the risk level for each of them, are also stored in the AE's database. Aggregating on both the incident type and the impact of the actions (the amount by which the risk level was reduced) yields the most effective actions for each incident type, which are displayed in the ID using bar plots.
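The aggregations described above (alerts per source IP, alerts per time interval of the day for a line plot, the mean number of alerts per day over a user-chosen period, and the ranking of applied actions by the risk-level reduction they achieved) in plain Python, as an added example rather than code from the SPHINX project. The record fields, the sample alerts attributed to MLID, HP and SIEM, the action outcomes and the unit of the risk reduction are all constructed assumptions, not the AE's actual schema.

```python
"""Alert and action aggregation in the style of the SPHINX AE description (added example)."""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

# Constructed sample alerts, in the shape the AE might store after receiving
# events from MLID, HP and SIEM (field names are assumptions, not SPHINX's schema).
ALERTS = [
    {"source": "MLID", "ts": "2021-03-01T02:15:00", "src_ip": "203.0.113.7",   "type": "port_scan"},
    {"source": "HP",   "ts": "2021-03-01T02:40:00", "src_ip": "203.0.113.7",   "type": "ssh_bruteforce"},
    {"source": "SIEM", "ts": "2021-03-01T14:05:00", "src_ip": "198.51.100.23", "type": "sql_injection"},
    {"source": "MLID", "ts": "2021-03-02T02:50:00", "src_ip": "203.0.113.7",   "type": "port_scan"},
    {"source": "HP",   "ts": "2021-03-02T03:10:00", "src_ip": "192.0.2.44",    "type": "ssh_bruteforce"},
    {"source": "SIEM", "ts": "2021-03-03T02:20:00", "src_ip": "203.0.113.7",   "type": "port_scan"},
]

# Constructed records of user actions and the risk-level reduction reported after
# each one (assumed to be a fraction of the pre-action risk score).
ACTIONS = [
    {"incident": "ssh_bruteforce", "action": "block_ip",              "risk_reduction": 0.30},
    {"incident": "ssh_bruteforce", "action": "disable_password_auth", "risk_reduction": 0.45},
    {"incident": "ssh_bruteforce", "action": "block_ip",              "risk_reduction": 0.20},
    {"incident": "port_scan",      "action": "block_ip",              "risk_reduction": 0.15},
    {"incident": "port_scan",      "action": "close_unused_ports",    "risk_reduction": 0.25},
    {"incident": "sql_injection",  "action": "patch_application",     "risk_reduction": 0.60},
]


def alerts_by_ip(alerts):
    """Number of alerts per source IP (input for a bar plot of the noisiest sources)."""
    return Counter(a["src_ip"] for a in alerts)


def alerts_by_interval(alerts, hours=1, attack_type=None):
    """Alerts per time-of-day bucket of `hours` width, optionally for one attack type.

    Returns {bucket_start_hour: count}. Every bucket is present, so a line plot
    shows an explicit zero where nothing happened instead of a gap.
    """
    if 24 % hours:
        raise ValueError("bucket width must divide 24")
    counts = {h: 0 for h in range(0, 24, hours)}
    for a in alerts:
        if attack_type is not None and a["type"] != attack_type:
            continue
        hour = datetime.fromisoformat(a["ts"]).hour
        counts[hour - hour % hours] += 1
    return counts


def daily_mean(alerts, start, end):
    """Mean alerts per day over the inclusive ISO-date range [start, end].

    Days with no alerts count as zero; leaving them out would inflate the mean.
    """
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    ndays = (last - first).days + 1
    if ndays <= 0:
        raise ValueError("end must not precede start")
    per_day = Counter(datetime.fromisoformat(a["ts"]).date() for a in alerts)
    return mean(per_day[first + timedelta(days=i)] for i in range(ndays))


def rank_actions(actions):
    """Per incident type, (action, mean risk reduction, times applied), best first."""
    reductions = defaultdict(lambda: defaultdict(list))
    for r in actions:
        reductions[r["incident"]][r["action"]].append(r["risk_reduction"])
    return {
        incident: sorted(((act, mean(vals), len(vals)) for act, vals in by_action.items()),
                         key=lambda t: t[1], reverse=True)
        for incident, by_action in reductions.items()
    }


def best_action(actions, incident):
    """The most effective recorded action for an incident type, or None if none recorded."""
    ranked = rank_actions(actions).get(incident)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    print(alerts_by_ip(ALERTS).most_common(3))
    print(alerts_by_interval(ALERTS, hours=6))
    print(alerts_by_interval(ALERTS, attack_type="port_scan"))
    print(daily_mean(ALERTS, "2021-03-01", "2021-03-04"))
    for incident, ranked in rank_actions(ACTIONS).items():
        print(incident, ranked)
```

Two details matter for the dashboard use described above: `alerts_by_interval` emits every bucket, including empty ones, so the line plot does not silently hide quiet hours, and `daily_mean` counts alert-free days as zero, which is what "mean attacks per day" over a chosen period should mean. `rank_actions` keeps the sample size alongside the mean, because an action tried once with a large reduction should not be read as better evidence than one tried many times.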
To sum up, with these functionalities and principles the SPHINX AE supports the user in a multifaceted way, providing the ability to monitor the system and act efficiently in case of an event. This is achieved by minimising the response time to each incident type and the losses of the affected system, while giving the user confidence to follow a response plan whose effectiveness is supported by the stored outcomes of earlier responses.
More information about the Decision Support System component can be found in Deliverable 5.1, which is publicly available here.