IDPS-ESCAPE (Intrusion Detection and Prevention System - Enhanced Security through a Cooperative Anomaly Prediction Engine) is a sub-project of CyFORT implementing a MAPE-K-based (Monitor, Analyze, Plan, Execute, Knowledge) Security Orchestration, Automation, and Response (SOAR) system. Developed in the context of IPCEI-CIS, it targets SMEs, CERT/CSIRT entities, SOC managers, system administrators, security engineers and cloud deployments.
Core components:
- RADAR - Risk-aware detection and automated response with Ansible-based deployment
- SONAR - Production-grade multivariate anomaly detection powered by deep learning
- ADBox - Legacy research framework
Built on: Ansible, OpenSearch, Wazuh, SATRAP-DL, PyFlowintel, Flowintel, MISP, Suricata
We adopt a hybrid detection approach for defense-in-depth against known and emerging threats, combining signature-based engines (Wazuh, Suricata) with machine learning (ML)-based anomaly detection (AD): SONAR relies on MTAD-GAT (a graph-attention-based deep learning model) and RADAR relies on RRCF (Robust Random Cut Forest) for streaming data.
This repository contains complete documentation, user manual, interlinked technical specifications for traceability, and validation test results, all based on the C5-DEC method.
For a visual user-oriented tour of IDPS-ESCAPE, visit the product presentation page.
RADAR provides hybrid detection and intelligent automated response with Ansible-based Infrastructure-as-Code deployment:
- Hybrid detection: Signature-based (Wazuh, Suricata) + ML-based anomaly detection (RRCF)
- Risk-aware actions: Tiered response (low/medium/high risk) with host isolation, process control, network rules, alert escalation, and incident case creation
- Automatic case creation: Incident case creation via integration with the DECIPHER subsystem of SATRAP-DL and Flowintel
- Flexible deployment: Local/remote manager and agent configurations
- Production scenarios: GeoIP detection, log volume monitoring, suspicious login
- Experimental scenarios: Insider threat, DDoS, C2 malware (require adaptation)
See RADAR README, scenarios, adversarial ML guidance and developer README.
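As an added illustration of how the "log volume monitoring" scenario and the tiered, risk-aware responses fit together (this is example code written for this page, not RADAR's own implementation): events are bucketed per host and minute, each bucket is scored by a streaming detector, and the score is mapped to a low/medium/high tier that selects a response playbook. RADAR scores with RRCF; here a sliding-window robust z-score (median/MAD) stands in for it so the example runs offline with no dependencies. The thresholds, action names, host name and log lines are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from statistics import median

# Constructed sample input: per-minute event counts for one host, a calm
# baseline followed by a mild bump and a burst (e.g. a log flood).
BASELINE = [20, 19, 21, 20, 22, 18, 20, 21, 19, 20]
SAMPLE_COUNTS = BASELINE + [26, 200, 20]


def make_sample_logs(counts, host="web01", day="2024-05-01"):
    """Expand per-minute counts into syslog-like lines (constructed data)."""
    lines = []
    for minute, n in enumerate(counts):
        for k in range(n):
            lines.append(f"{day}T10:{minute:02d}:{k % 60:02d}Z {host} sshd[1]: event {k}")
    return lines


def count_per_host_minute(lines):
    """Bucket 'ISO-timestamp host message' lines by (host, minute), in arrival order."""
    counts = {}
    for line in lines:
        ts, host, _ = line.split(" ", 2)
        key = (host, ts[:16])  # YYYY-MM-DDTHH:MM
        counts[key] = counts.get(key, 0) + 1
    return counts


class RobustStreamDetector:
    """Sliding-window robust z-score: |x - median| / (1.4826 * MAD).

    Stand-in for RRCF: no fitting step, updates on every new value, and the
    median/MAD pair is not dragged around by the very outlier being scored.
    """

    def __init__(self, window=10, warmup=5):
        self.history = deque(maxlen=window)
        self.warmup = warmup

    def score(self, x):
        if len(self.history) < self.warmup:
            self.history.append(x)
            return 0.0  # not enough baseline yet: never alert during warm-up
        med = median(self.history)
        mad = median(abs(v - med) for v in self.history)
        scale = max(1.4826 * mad, 1.0)  # floor avoids division by zero on flat baselines
        self.history.append(x)
        return abs(x - med) / scale


# Assumed tier thresholds on the robust z-score, highest first.
TIERS = [(10.0, "high"), (6.0, "medium"), (3.0, "low")]

# Illustrative playbook in the spirit of RADAR's tiered actions (assumed names).
RESPONSES = {
    "low": ["escalate_alert"],
    "medium": ["escalate_alert", "create_case"],
    "high": ["escalate_alert", "create_case", "block_source_network", "isolate_host"],
}


def risk_tier(score):
    """Map an anomaly score to a response tier, or None when below all thresholds."""
    for threshold, tier in TIERS:
        if score >= threshold:
            return tier
    return None


def run_pipeline(lines):
    """Score every (host, minute) bucket with a per-host detector; return findings."""
    detectors = defaultdict(RobustStreamDetector)
    findings = []
    for (host, minute), n in count_per_host_minute(lines).items():
        z = detectors[host].score(n)
        tier = risk_tier(z)
        if tier:
            findings.append({"host": host, "minute": minute, "count": n,
                             "score": round(z, 2), "tier": tier,
                             "actions": RESPONSES[tier]})
    return findings


if __name__ == "__main__":
    for finding in run_pipeline(make_sample_logs(SAMPLE_COUNTS)):
        print(finding)
```

On the constructed input the bump to 26 events/minute lands in the low tier (alert only), the burst to 200 lands in the high tier (case plus isolation), and the return to 20 afterwards is not flagged because the median/MAD baseline is barely moved by the single outlier. In a real deployment the per-host detector state would be persisted and the actions dispatched through Ansible or the Wazuh active-response channel rather than returned as a list.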
SONAR provides production-grade anomaly detection:
- Microsoft MVAD engine: Battle-tested multivariate time-series detection
- Debug mode: Offline testing with synthetic data (no infrastructure required)
- Scenario-based: YAML configuration for repeatable workflows
- RADAR integration: Data shipping to Wazuh for automated response
- Flexible modes: Real-time, batch, and historical analysis
See SONAR README, scenario guide, architecture and developer README.
RADAR ships complete Ansible IaC for reproducible, production-ready deployments — covering the Wazuh Manager, Wazuh Agents, and the full RADAR stack. See the pipeline documentation for details.
⚠️ Legacy System: ADBox uses MTAD-GAT for research purposes only. Use SONAR for all production deployments.
ADBox is maintained for research continuity with PyTorch-based Graph Attention Networks. See the ADBox manual for legacy documentation.
See our user manual for comprehensive documentation on RADAR, SONAR, and ADBox. Visit our traceability page for interlinked requirements, technical specifications such as architecture diagrams, and test reports (TRP).
- Want full automated response? Bootstrap complete RADAR stack
- Need production anomaly detection? Deploy SONAR with Wazuh
- Just exploring? Start with SONAR debug mode (no infrastructure needed)
Prerequisites:
- System requirements: ensure your environment meets the resource and network requirements specified below
- Create `radar/.env` with credentials (see `env.example`):
  - OpenSearch URL, username, password, SSL certificates
  - Wazuh API credentials and manager address
  - SMTP settings for email alerts
  - FlowIntel API key (optional, for incident case creation)
  - Webhook URL (default: `http://<manager-ip>:8080/notify`)
- Configure `radar/inventory.yaml` for remote endpoints (if using `--agent remote` or `--manager remote`)

```bash
# Bootstrap entire stack with Ansible
cd radar
sudo ./build-radar.sh suspicious_login --agent remote --manager local --manager_exists false
```

See the RADAR getting started page for full details.
Screenshots from a Suspicious Login scenario run:
SONAR provides scenario-based anomaly detection with flexible execution modes:

```bash
# Install and connect to Wazuh
poetry install --only sonar

# Check Wazuh connection
poetry run sonar check

# Run complete scenario (train + detect)
poetry run sonar scenario --use-case sonar/scenarios/brute_force_detection.yaml

# Debug mode (offline testing with synthetic data)
poetry run sonar scenario --use-case sonar/scenarios/example_scenario.yaml --debug

# Production mode with data shipping to RADAR
poetry run sonar scenario --use-case sonar/scenarios/my_scenario.yaml --ship
```

See the SONAR documentation for details.
Data shipping for Wazuh and RADAR integration:
What `--ship` does:
- Creates dedicated data streams in Wazuh Indexer for scenario-specific anomalies
- Enables custom dashboard creation in Wazuh
- Enables real-time monitoring and RADAR automated response integration
- Installs index templates for proper field typing and validation
- Required for production SONAR→RADAR workflows
See the data shipping guide for configuration details and the dashboard tutorial for visualization instructions, including how to build such a dashboard (the process is the same for SONAR and ADBox).
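To make the bullet list above concrete, here is an added example (written for this page, not SONAR's own shipping code) of the three things a shipper has to do against the Wazuh Indexer, which is OpenSearch underneath: install an index template that declares `data_stream: {}` and a strictly typed mapping, create the data stream, and bulk-index anomaly records with the `create` action that data streams require. A client-side validator mirrors the strict mapping so malformed records are rejected before they reach the indexer. The stream and template names, field names, sample record and URL are assumptions; the API paths (`/_index_template`, `/_data_stream`, `/_bulk`) are standard OpenSearch endpoints.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from datetime import datetime

STREAM = "anomalies-sonar-brute-force"      # assumed scenario-specific stream name
TEMPLATE_NAME = STREAM + "-template"        # assumed template name

# Typed mapping: scores stay numeric, labels stay exact-match keywords, and
# every data-stream document must carry an @timestamp.
ANOMALY_MAPPING = {
    "@timestamp": {"type": "date"},
    "scenario":   {"type": "keyword"},
    "host":       {"type": "keyword"},
    "metric":     {"type": "keyword"},
    "value":      {"type": "float"},
    "score":      {"type": "float"},
    "is_anomaly": {"type": "boolean"},
}


def index_template():
    """Body for PUT /_index_template/<name>: enables a data stream for STREAM."""
    return {
        "index_patterns": [STREAM],
        "data_stream": {},
        "priority": 100,
        "template": {"mappings": {"dynamic": "strict", "properties": ANOMALY_MAPPING}},
    }


def _is_date(v):
    try:
        datetime.fromisoformat(str(v).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


_CHECKS = {
    "date": _is_date,
    "keyword": lambda v: isinstance(v, str),
    "float": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}


def validate(doc):
    """Client-side mirror of the strict mapping; returns a list of problems (empty if OK)."""
    problems = []
    if "@timestamp" not in doc:
        problems.append("missing @timestamp")
    for field, value in doc.items():
        if field not in ANOMALY_MAPPING:
            problems.append(f"unmapped field {field} (dynamic: strict would reject it)")
            continue
        expected = ANOMALY_MAPPING[field]["type"]
        if not _CHECKS[expected](value):
            problems.append(f"{field}: expected {expected}, got {type(value).__name__}")
    return problems


def bulk_payload(docs):
    """NDJSON body for POST /_bulk; data streams only accept the 'create' action."""
    lines = []
    for doc in docs:
        problems = validate(doc)
        if problems:
            raise ValueError(f"refusing to ship invalid document: {problems}")
        lines.append(json.dumps({"create": {"_index": STREAM}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def _request(method, url, body, auth, ctx, content_type="application/json"):
    """Minimal authenticated HTTPS call; raises urllib.error.HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Content-Type", content_type)
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def ship(docs, base_url, auth, ca_cert=None):
    """Install the template, create the stream (idempotent), bulk-index the docs."""
    ctx = ssl.create_default_context(cafile=ca_cert)  # pin the indexer CA from .env
    _request("PUT", f"{base_url}/_index_template/{TEMPLATE_NAME}",
             json.dumps(index_template()).encode(), auth, ctx)
    try:
        _request("PUT", f"{base_url}/_data_stream/{STREAM}", None, auth, ctx)
    except urllib.error.HTTPError as err:
        if err.code != 400:  # 400 resource_already_exists_exception on re-runs
            raise
    return _request("POST", f"{base_url}/_bulk", bulk_payload(docs).encode(),
                    auth, ctx, content_type="application/x-ndjson")


# Constructed output record, shaped like what a detector run might emit.
SAMPLE_DOCS = [{
    "@timestamp": "2024-05-01T10:11:00Z", "scenario": "brute_force_detection",
    "host": "web01", "metric": "ssh_failed_logins", "value": 200.0,
    "score": 121.41, "is_anomaly": True,
}]

if __name__ == "__main__":
    print(bulk_payload(SAMPLE_DOCS))  # ship(SAMPLE_DOCS, "https://indexer:9200", ("admin", "..."), "root-ca.pem")
```

Two details matter in practice: `dynamic: strict` means any field not in the mapping makes the indexer reject the whole document, which is why the validator runs before the bulk call, and the indexer's CA certificate is passed to `ssl.create_default_context` rather than disabling verification, since the anomaly stream is a response trigger and must not be spoofable on the wire.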
No infrastructure required: debug mode runs the full train → detect → report workflow offline with synthetic data:

```bash
poetry install --with sonar
poetry run sonar scenario --use-case sonar/scenarios/example_scenario.yaml --debug
```

| Component | RAM | Storage | CPU |
|---|---|---|---|
| Wazuh Manager | 8 GB minimum | ~15 GB | 4 cores |
| SONAR | 4 GB | ~2 GB (models) | 2 cores |
| RADAR | 2 GB | ~1 GB | 2 cores |
| Wazuh Agents | 512 MB each | ~500 MB each | 1 core |
| Full Stack | 16 GB+ | ~26 GB total | 8+ cores |
See deployment guide for network requirements and multi-node setups.
Build and run with convenience scripts:

```bash
# Build images
./build.sh all     # All components
./build.sh sonar   # SONAR only

# Run SONAR
./sonar.sh check   # Check Wazuh connection
./sonar.sh scenario --use-case sonar/scenarios/example_scenario.yaml --debug

# Run ADBox (legacy)
./adbox.sh -u 1

# Run with custom arguments
./adbox.sh <your-adbox-arguments>
```

Note: Docker-based execution requires building the images first with `build.sh`.
```bash
# Install dependencies
poetry install --with sonar,radar,adbox,test

# Run tests
poetry run pytest tests/sonartests/   # SONAR
poetry run pytest tests/              # All
./radar/test.sh                       # RADAR

# SONAR CLI
poetry run sonar check
poetry run sonar scenario --use-case sonar/scenarios/example.yaml --debug

# Docker builds
./build.sh all
```

See SONAR README and RADAR README for component-specific development guides.
See our test report (TRP) in the list of published documents on the technical specifications traceability page detailing the validation test campaign results. Unit tests are available in the tests folder.
- Web-based management interface for our Ansible-based RADAR deployment solution
- Support for automatic Wazuh multi-node RADAR deployment
- New detection and response scenarios via hybrid correlation (signatures + RRCF + SONAR anomalies)
- Automatic model retraining in SONAR (schedule-based, drift-triggered)
- Automated SONAR-RADAR integration
Provided for evaluation and testing. While SONAR and RADAR have been deployed in controlled environments, conduct thorough security assessments before production use. Use at your own risk.
Copyright © itrust Abstractions Lab and itrust consulting. Licensed under GNU AGPL v3.0. See AUTHORS for contributors.
Co-funded by the Ministry of the Economy of Luxembourg in the context of the CyFORT project.
Abstractions Lab: info@abstractionslab.lu