Components Archive

Platform Software

The SOCCRATES Platform consists of multiple components. Each component provides a particular service within the security automation and decision support platform. On this webpage the software is listed for each component, including information on where to get the software and instructions for installation. The SOCCRATES Platform can be deployed as a whole, or individual SOCCRATES components can be integrated within your own security infrastructure. See deliverables D2.3 SOCCRATES platform System Architecture & Interface Specification and D6.4 Final version of the SOCCRATES Platform for more information.

Click on the SOCCRATES component in the figure below to get more information.

ADG Analyser

The ADG performs an analysis based on probabilistic attack simulations conducted on models of the infrastructure under assessment. The model is generated from data provided by the infrastructure modelling component (IMC) and can be further enriched with cyber threat information from the threat intelligence platform (TIP). Based on the analysis, ADG provides quantitative metrics on risk exposure and time to compromise (TTC), the most likely attack paths to high value assets as well as suggested mitigations. The attack defence graph analyser will use the attack simulation and automated threat modelling solution called securiCAD, which is a product of foreseeti.

More information

AI based Attack Detection

The AAD consists of multiple anomaly detection based Attack Detection tools, an evidential network called REASENS and software for integration of these tools. In the figure above this is visualized. Below all software components are referenced.

More information

Automated Reconfiguration

Short: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vulputate augue at enim.

More information

Business Impact Analyser

The Business Impact Analyser (BIA) is a component that aims at providing impact assessment on business functions and processes. It assess the business impact in case an attacker successfully compromises a host in the infrastructure. The BIA performs impact analysis in terms of impact propagation to other assets, and ultimately to business functions and processes. To do so, the BIA relies on Business Logic Modelling (BLM), which builds a graph model of assets and business entities.

More information

Business Logic Modelling

Business Logic Modelling (BLM) builds a graph model of assets and business entities of an organisation for the Business Impact Analyser (BIA).

More information

CoA Generator

The function of the Course of Action (CoA) generator is to suggest defences for improving the security of ICT architecture. The CoA generator operates on a model of an IT architecture as used by the ADG and generates a set of defences that are inactive in the model and are suggested to activate.

More information

Infrastructure Modelling

The infrastructure modelling component (IMC) is the basis for producing a current and accurate model of the ICT infrastructure to enable automated security analysis tools to reason about the security state and for visualizations that accommodate human comprehension of the IT infrastructure. The IMC is build upon ACT-platform to store ICT infrastructure model data in a graph database. Different adapters are used to fetch and transform the raw data into the IMC data model.

More information

Orchestration & Integration Engine

The OIE is the core of the SOCCRATES Platform. It consists of two engines:

SOCCRATES Orchestration Engine
SOCCRATES Integration Engine

The SOCCRATES Orchestration Engine executes one of the SOCCRATES workflows depending on the triggering event type received via the API. It is build on open source tool Activiti. The SOCCRATES Integration Engine is based on Cortex from the TheHive Project and facilitates communication and information exchange between SOCCRATES components and the SOCCRATES Orchestration Engine.

More information

Response Planner

The Response Planner (RP) has two main functions in the SOCCRATES platform:

the RP can estimate the financial and operational impact of CoAs obtained from the CoA generator, and rank these CoAs based on the Return On Response Investment (RORI) metric.
the RP also generates Containment CoAs to mitigate an ongoing attack.

More information

Threat data collection & AI based threat prediction

Threat Data Collection & Threat Prediction is a component that runs at ShadowServer and provides an API to get access to trends observed in the Sandbox DNS queries, as well as training datasets that can be used to build ML based DGA detection models. It uses among other domain name traffic at scale from Shadowserver’s sandbox and DGA Detective.

More information

Threat Intelligence Platform

The Threat Intelligence Platform (TIP) is based on the open-source ACT platform developed by mnemonic. It provides contextualised threat intelligence to the SOCCRATES platform. A new component in the ACT platform that has been developed within the SOCCRATES project is the Adversary Emulation Planner (AEP).

More information

Web Front-end

Web Front End of the SOCCRATES Platform provides information on the execution of the workflows at the OIE.

More information

ADG Analyser

securiCAD

securiCAD is a product of foreseeti. It uses Meta Attack Language (MAL), the open source platform for creation of cyber threat modeling systems.

For more information: https://foreseeti.com/

ADG Cortex Analyser

For the integration between OIE and securiCAD the ADG Cortext Analyser has been developed. It enables the OIE to request ADG analysis using securiCAD and provide the results back to the OIE. In addition, the ADG Cortext Analyser also collects data from other SOCCRATES components necessary to perform the requested ADG analysis.

For more information: https://foreseeti.com/

AI based Attack Detection

REASENS

REASENS Framework is a hierarchical REAsoning system that enables the collection of events from distributed and heterogeneous SENSors. REASENS provides among others alert correlation and system state inference (under attack, normal operation, erroneous operation). REASENS was developed by AIT.

REASENS will become available as open source. Contact for more information: Paul.Smith@ait.ac.at

AMiner

AMiner (logdata Anomaly Miner) is part of the ÆCID system, a log-based anomaly detection system operating on logs collected from the network layer (e.g., firewalls, switches, routers) and application layer (e.g., Web servers, DNS, application servers etc.). AMiner was developed by AIT. For more information see ÆCID.

AMiner is available on https://github.com/ait-aecid/logdata-anomaly-miner

ABC Tool

ABC Tool is a netflow-based anomaly detection system, developed by TNO, for internal host communication profiling to detect among others lateral movement and data exfiltration.

ABC Tool is part of an Anomaly Detection product of Sightlabs. Contact SightLabs for information.

DNS Ninja

DNS Ninja is an anomaly detection system, developed by TNO, that allows you to monitor internal DNS traffic and provides insight into potentially malicious nodes in your infrastructure.

DNS Ninja is a product of SightLabs. Contact SightLabs for information.

L-ADS

L-ADS is a netflow-based anomaly detection tool developed by Atos.

Contact Atos for information on how to obtain L-ADS: rodrigo.diaz@atos.net

Platform Software

Get in contact

Platform Software

ADG Analyser

AI based Attack Detection

Automated Reconfiguration

Business Impact Analyser

Business Logic Modelling

CoA Generator

Infrastructure Modelling

Orchestration & Integration Engine

Response Planner

Threat data collection & AI based threat prediction

Threat Intelligence Platform

Web Front-end

ADG Analyser

securiCAD

ADG Cortex Analyser

AI based Attack Detection

REASENS

AMiner

ABC Tool

DNS Ninja

L-ADS