sphinx-project.eu / Blog  / The Anomaly Detection Framework of SPHINX Toolkit: PART I – Data Traffic Monitoring

The Anomaly Detection Framework of SPHINX Toolkit: PART I – Data Traffic Monitoring

The Automated Cyber Security Risk Assessment is one of the building blocks of SPHINX Architecture and deals with advanced and automated tools to assess the level of cyber security of a given healthcare IT environment. Integrated in this block, SPHINX features its Cross-Layer Anomaly Detection Framework, a system responsible with the detection of malicious activities by monitoring and analysing network traffic.

These types of systems are called Intrusion Detection Systems (IDS). SPHINX Cross-Layer Anomaly Detection Framework is designed to be modular, configurable, and extensible, thus easily adaptable to hospitals with various types of network infrastructures. The framework aims to support networks with different types of topologies, sizes, and volume traffic.

In order to carry out the above functions, the system consists of two components, the Data Traffic Monitoring (DTM) and Anomaly Detection (AD) components, whose main purpose is to detect, report and alert for cyber threats.

The Data Traffic Monitoring (DTM) is responsible with threat identification by monitoring the network traffic and applying signature-based detection analysis. It monitors all the packets traversing the network and compares them against a database of attack signatures or attributes of known malicious threats.DTM is a Network Intrusion Detection System (NIDS) optimized to work in the SPHINX Ecosystem by communicating with other SPHINX components and exposing alerts and relevant statistics to the users.

The main functionalities of the Data Traffic Monitoring (DTM) component are:

  • capturing traffic from multiple protocols;
  • analysing packets and files in different formats;
  • identifying traffic information for every user and source;
  • highlighting unusual communication/activity according to the rules and filters defined
  • identifying new assets on the network

Design principles

The Data Traffic Monitoring component has to capture relevant network traffic in order for its analysis techniques to be successful. If the network is organized in subnets, DTM must be able to do its analyses on the local traffic from the subnets in order to detect potential threats that don’t generate external traffic (for example, a malware on a compromised device that does a port scan attack in its subnet). DTM is designed to support agents that will be deployed at strategic points within the network. The agents are controlled from a central management DTM instance.

Another consideration in designing the DTM component is the ability to easily modify and extend its capabilities to adapt to specific details of the infrastructures where it is deployed. That is why DTM is designed to make it simple to integrate new tools in the solution.

DTM integrates the following tools:

  • Tshark,  a network protocol analyser. Tshark offers the ability to capture packet data from a live network or allows reading packets from a previously saved capture file. It has a powerful package filtering support and protocol dissection capabilities. DTM and Tshark can be used together for investigations after threat detection or to develop complex custom detection analyses procedures.
  • Suricata, an open source, mature, fast and robust network threat detection engine. It has powerful and extensive rules and signature language for network traffic inspection. There are many prebuilt rules available that cover known attacks and vulnerabilities. Persistent data, like alerts, statistics, agent configuration data and operation data are stored in a PostgreSQL database.

The design of DTM structure is depicted in the image below:

Data Traffic Monitoring component is a support component for other components in the SPHINX ecosystem, which meas that it has direct connection with other SPHINX components as represented in the following image:

This component, part of the SPHINX Universal Cyber Security Toolkit, is targeted to for Healthcare institutions of different sizes, with network infrastructures of different complexities, covering one or more locations, in one or more towns. This leads to a variety of deployment scenarios and has the potential to be a complex solution that needs a large team of security experts to install, configure and administer the component.

More information about DTM component and the Cross-Layer Anomaly Detection Framework can be found at Deliverable 4.1 that is publicly available here.