
The Cybersecurity threat intelligence repository of SPHINX Toolkit

The Knowledge Base Repository (KBR) is an important part of the SPHINX Toolkit. Its purpose is to combine information about attacks and vulnerabilities into a large repository that associates it with possible solutions and links to other vulnerabilities.

The component is implemented with user friendliness in mind, which is why it has a functional, easy-to-use Dashboard that allows users to review and edit the available information. The KBR can also distribute its information to other SPHINX components as well as draw information from them, which is why it provides a powerful REST API.

The following figure depicts the KBR component UML diagram, describing the entities and their relationships in the SPHINX KBR system. Component diagrams are the most appropriate way to model implementation details and ensure that every aspect of the system’s required function is covered.

As the diagram above shows, the KBR consists of the following (sub)components:

  • KBR DB: This sub-component is used to store information about attacks, data gathered from external threat repositories and other SPHINX components.
  • KBR API: A REST API is used for retrieving pieces of knowledge created by users of the KBR Dashboard and pieces of knowledge generated by other SPHINX components.
  • KBR Knowledge Extractor: The KBR Knowledge Extractor is implemented in Golang. SPHINX KBR uses MongoDB as its database for storing articles and knowledge generated by SPHINX components.
  • KBR Dashboard: A dashboard that allows users to search for existing knowledge or add a new piece of knowledge. It contains user authentication and management.

The aim of the SPHINX Knowledge Base Repository is to represent domain-specific knowledge in a form that can be used by both computers and humans to effectively operate on the knowledge acquired by SPHINX. To achieve this, an ontology (knowledge model) of the information security domain is needed.

SPHINX’s envisioned ontology consists of four main entities and the relationships among them, and it is divided into two main parts: the concepts representing the IS domain knowledge (i.e. the core concepts of the healthcare-related cyber security domain) and the concepts representing information about the considered healthcare organisations that are essential in the measurement of their security level. These concepts are a) Asset; b) Vulnerability; c) Threat; and d) Control. The most important relations among these concepts are a) Asset has a Vulnerability; b) a Vulnerability is exploited by Threat severity; c) a Threat threatens assets; and d) a Vulnerability is mitigated by Control.
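The four concepts and their relations can be walked as a small graph. The sketch below is an added example, not code from the SPHINX project: the type names, the `OpenThreats` function and the sample data are hypothetical, and it assumes "Threat threatens assets" can be derived by following Asset → Vulnerability → Threat and that a vulnerability counts as mitigated once any one of its controls is deployed.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical in-memory form of the ontology; not the KBR's own schema.
// ExploitedBy holds Threat names, MitigatedBy holds Control names.
type Vulnerability struct{ ExploitedBy, MitigatedBy []string }
type KB struct {
	AssetHas map[string][]string      // Asset -> Vulnerability IDs
	Vulns    map[string]Vulnerability // Vulnerability ID -> its relations
	Deployed map[string]bool          // Controls in place at the organisation
}

// OpenThreats follows Asset -> Vulnerability -> Threat and returns, sorted, the
// threats reaching the asset through a vulnerability with no deployed control.
func (kb KB) OpenThreats(asset string) []string {
	seen := map[string]bool{}
	for _, id := range kb.AssetHas[asset] {
		v := kb.Vulns[id] // unknown ID gives a zero value with no threats
		mitigated := false
		for _, c := range v.MitigatedBy {
			mitigated = mitigated || kb.Deployed[c]
		}
		if !mitigated {
			for _, t := range v.ExploitedBy {
				seen[t] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for t := range seen {
		out = append(out, t)
	}
	sort.Strings(out)
	return out
}
// sample is constructed data for illustration only.
var sample = KB{
	AssetHas: map[string][]string{"infusion-pump": {"V1", "V2"}, "pacs-server": {"V2"}},
	Vulns: map[string]Vulnerability{
		"V1": {ExploitedBy: []string{"credential-stuffing"}, MitigatedBy: []string{"mfa"}},
		"V2": {ExploitedBy: []string{"ransomware"}, MitigatedBy: []string{"patching", "segmentation"}},
	},
	Deployed: map[string]bool{"segmentation": true},
}
func main() { fmt.Println(sample.OpenThreats("infusion-pump")) }
```

With the sample data, only the vulnerability whose sole control is not deployed contributes a threat; the same traversal is what lets a per-organisation security level be measured from shared domain knowledge.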

To collect and form knowledge, the SPHINX KBR collects anonymised security intelligence and insights from external web sources (for this purpose, autonomous agents will search and mine web sources), as well as from SPHINX components (e.g. SPHINX MLID and HP). This information is translated into security rules and shared across the network by updating the respective advanced threats registries.

The KBR gathers security incentives for collective wisdom creation, and it interconnects/integrates with third-party threat intelligence. These third-party threat intelligence repositories are (optionally) included in SPHINX installations and provide insights on cyber-attacks that have occurred (no specific user or device data, including origin, is transmitted; only the sequence and shape of the attacks).

More information about the Knowledge Base Repository component can be found in Deliverable 5.5, which is publicly available here, and Deliverable 2.6, which is publicly available here.