Use cases

For the realization, testing and validation of the SYMBIOTIK vision and objectives, two real-world use cases will be used that correspond to the two objectives of time-sensitive decision making and of accelerating the end-user transition from novice to expert. A Crime Investigation use case will focus mainly on the novice-to-expert transition objective, and a Security Operations Center use case will realize the time-sensitive decision-making objective.

Crime Investigation

Conducting criminal investigations in today’s digital world requires processing a vast amount of data coming from a variety of sources. These data come in different forms (modalities), such as auditory, visual or textual. Sometimes it is also possible to obtain evidence in a structured format, such as date/time information, location information, etc. These data modalities are usually complementary to each other and need to be examined in combination with other data sources. For example, a specific point of interest that is found in a text document and is considered of critical importance to the investigation might also have been mentioned in a telephone conversation, and the exact location of this place might already exist in the structured evidence data. With this in mind, the Crime Investigation use case focuses on the identification of phone users based on the multi-modal data obtained from their phone device. This entails processing different data types as well as using the correlations and interactions between them to help the investigators arrive at a more accurate and/or confident decision.

During criminal investigations, law enforcement practitioners working on their case need to collect and review evidence and intelligence to reconstruct the committed crime or, in case of an ongoing offense, to understand the “modus operandi” of a criminal group and prosecute its members. This process can be modeled using the concept of the “intelligence cycle”, which includes the following consecutive phases:

  • Direction/Planning: A new case is brought to the law enforcement agency’s attention and a set of questions is formulated, e.g., Who are the main suspects? What phone numbers/email addresses belong to the main suspects? Are two particular suspects connected to each other? These questions express a requirement for an investigation focusing on a subject or a range of subjects of concern, a risk, a threat or an opportunity.
  • Collection: After the set of questions is clearly defined, the law enforcement practitioners follow a data collection plan in which the specific data items needed and the possible sources of information are identified, and eventually the relevant data are obtained.
  • Evaluation: The validity and accuracy of the data obtained is assessed, which heavily depends on the reliability of the source.
  • Collation/Processing: The data that were found to be relevant and accurate are transferred into a digital storage system in a structured way (e.g., indexed and cross-referenced) that permits authenticated and timely access.
  • Analysis: In this phase the investigator examines the data by querying and filtering the digital storage system so that the questions formulated during the Direction/Planning phase(s) are answered.
  • Dissemination: The intelligence developed during the analysis phase is disseminated to the rest of the investigative team using formal reports or presentations with supporting documentation. In this way, candidate answers to the questions posed are given, information gaps are highlighted and decisions on how to proceed are taken, e.g., new questions are posed and responsibilities are assigned. This leads to a new intelligence cycle, whose scope may be broader or narrower depending on the quality of the intelligence already obtained.

This use case builds on such a hypothetical scenario and aims to identify/verify the user(s) of a phone number and the user(s) of the phone device, based on the prior information, the evidence data, and the extracted files encompassing different modalities. Visualizing the behaviors and relations among individuals is necessary for the network analysis that uncovers hidden patterns. Those patterns could be the distribution of relationships among the individuals, the underlying factors determining the links, or cohesive groups of individuals with dense connections. Several existing network analysis methods, using a wide range of computational and statistical algorithms, could be integrated into the network visualization tools. Practical applications of these methods in SYMBIOTIK include identifying the most influential individuals in a criminal group and the cohesive subgroups individuals frequently form, uncovering missing, hidden or unobserved interactions, and predicting the ones most likely to form soon, so that the investigation is pointed to relationships it has not yet observed. An indicative version of the Crime Investigation Dashboard derives from AEGIS’ Advanced Visualization Toolkit (AVT).
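The network analysis methods named above, as an added example in plain Python that is not part of SYMBIOTIK or the AVT: it builds a contact graph from a constructed call log, ranks individuals by degree centrality (influence), extracts cohesive subgroups as maximal cliques, and scores pairs with no observed contact by their common neighbours as a simple link-prediction heuristic. All function names, identifiers and data are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample (placeholder identifiers, not real data): (caller, callee)
# pairs recovered from a seized phone's call log.
CALLS = [
    ("A", "B"), ("A", "C"), ("A", "D"), ("B", "C"),
    ("C", "D"), ("D", "E"), ("E", "F"), ("F", "G"), ("E", "G"),
]

def build_graph(edges):
    """Undirected contact graph: individual -> set of direct contacts."""
    g = defaultdict(set)
    for u, v in edges:
        g[u].add(v)
        g[v].add(u)
    return dict(g)

def degree_centrality(g):
    """Share of all other individuals each person is in direct contact with."""
    n = len(g) - 1
    return {v: len(nb) / n for v, nb in g.items()}

def cohesive_subgroups(g, min_size=3):
    """Maximal cliques (Bron-Kerbosch without pivoting) of at least min_size members."""
    cliques = []
    def bk(r, p, x):
        if not p and not x:
            cliques.append(frozenset(r))
            return
        for v in list(p):
            bk(r | {v}, p & g[v], x & g[v])
            p = p - {v}
            x = x | {v}
    bk(set(), set(g), set())
    return sorted((c for c in cliques if len(c) >= min_size), key=sorted)

def predict_links(g):
    """Common-neighbour score for each pair with no observed contact; highest first."""
    scores = [(u, v, len(g[u] & g[v])) for u, v in combinations(sorted(g), 2)
              if v not in g[u] and g[u] & g[v]]
    return sorted(scores, key=lambda t: (-t[2], t[0], t[1]))

if __name__ == "__main__":
    G = build_graph(CALLS)
    c = degree_centrality(G)
    print("key figures:", sorted(c, key=c.get, reverse=True)[:4])
    print("cohesive subgroups:", [sorted(s) for s in cohesive_subgroups(G)])
    print("likely hidden links:", predict_links(G)[:3])
```

On the constructed log, B and D share two contacts without ever calling each other, which is the kind of unobserved link an investigator would want flagged for follow-up.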

Security Operation Centers

A Security Operations Center (SOC) is a centralized function or team responsible for improving an organization’s cybersecurity posture and for preventing, detecting, and responding to threats. SOC team members take on several functions to help prevent, respond to, and recover from malicious attacks. The SOC team monitors identities, endpoints, servers, databases, network applications, websites, and other systems to uncover potential cyberattacks in real time. It also does proactive security work by using the latest threat intelligence to stay current on threat groups and infrastructure and to identify and address system or process vulnerabilities before attackers exploit them.

The main investigation scenarios for a SOC involve identifying and mitigating potential security threats to the organization’s IT infrastructure, systems, and data, and may include:

  • Security Alerts and Incidents: Investigating security alerts generated by various security tools, such as intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, antivirus software, etc. These alerts may indicate potential security breaches, malware infections, or unauthorized access attempts.
  • Malware Analysis: Analyzing and understanding the behavior of malware discovered within the organization’s network. SOC analysts, with the help of the dashboard visualizations, need to determine the extent of the infection, its impact on systems, and how to contain and remove it.
  • Anomalous Network Activity: Investigating unusual or suspicious network activity, such as unexpected traffic patterns, unusual data transfers, or large volumes of data leaving the network.
  • Data Breaches: Responding to incidents involving unauthorized access to sensitive data, customer information, or intellectual property. SOC analysts need to determine the scope of the breach, the data affected, and how to prevent future breaches.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks: Investigating and mitigating attacks that attempt to overwhelm an organization’s systems or network resources, rendering them unavailable.
  • Unauthorized Access: Investigating attempts to gain unauthorized access to critical systems, databases, or applications. SOC analysts must quickly identify and block such attempts.
  • Vulnerability Analysis: Assessing vulnerabilities within the organization’s infrastructure and determining the potential risk they pose. SOC teams work with IT and security teams to prioritize patching and mitigation efforts.
  • Ransomware Attacks: Responding to incidents involving ransomware infections, where attackers encrypt data and demand ransom for its release.
  • Threat Hunting: Proactively searching for signs of potential threats and indicators of compromise (IOCs) that may not trigger traditional security alerts.
  • Log Analysis: Analyzing system and network logs to identify suspicious activities, trace the timeline of an incident, and gather evidence for forensic investigations.

Effective investigation and response in these scenarios require skilled and knowledgeable SOC analysts, well-defined incident response processes, up-to-date security tools and technologies, and intuitive visualizations that help the operator gain actionable knowledge about the cybersecurity incidents and respond as quickly as possible in a time-critical context. The SOC use case supports runtime monitoring, dynamic and static testing, cyber threat intelligence and impact assessments to provide customized, continuous assessment of the security and privacy posture of information and communication technology systems, and comprehensive risk management. For this use case we will rely on SPHYNX’s Security and Privacy Assurance Platform, which will be the basis of the SOC dashboard.