IDPS-ESCAPE (Intrusion Detection and Prevention System - Enhanced Security through a Cooperative Anomaly Prediction Engine), part of project CyFORT: open-source SOAR system powered by a Risk-aware Anomaly Detection-based Automated Response (RADAR) subsystem and a deep learning-based AD subsystem (SONAR), integrated with Wazuh, Flowintel, Suricata
IDPS-ESCAPE

IDPS-ESCAPE (Intrusion Detection and Prevention System - Enhanced Security through a Cooperative Anomaly Prediction Engine) is a sub-project of CyFORT implementing a MAPE-K-based (Monitor, Analyze, Plan, Execute, Knowledge) Security Orchestration, Automation, and Response (SOAR) system. Developed in the context of IPCEI-CIS, it targets SMEs, CERT/CSIRT entities, SOC managers, system administrators, security engineers and cloud deployments.


Core components:

  • RADAR - Risk-aware detection and automated response with Ansible-based deployment
  • SONAR - Production-grade multivariate anomaly detection powered by deep learning
  • ADBox - Legacy research framework

Built on: Ansible, OpenSearch, Wazuh, Flowintel and PyFlowintel, Suricata, MISP

We adopt a hybrid detection approach for defense in depth against known and emerging threats, combining signature-based engines (Wazuh, Suricata) with machine learning (ML)-based anomaly detection (AD): SONAR relies on MTAD-GAT (Multivariate Time-series Anomaly Detection via Graph Attention Networks, an attention-based deep learning model), while RADAR relies on RRCF (Robust Random Cut Forest), which is designed for streaming data.

This repository contains complete documentation, user manual, technical specifications, and validation test reports based on the C5-DEC method. See our traceability website for interlinked specifications and the TRB page providing our beta phase validation test execution report.


IDPS-ESCAPE suite

RADAR - Risk-aware AD-based Automated Response

RADAR provides hybrid detection and intelligent automated response with Ansible-based Infrastructure-as-Code deployment:

  • Hybrid detection: Signature-based (Wazuh, Suricata) + ML-based anomaly detection (RRCF)
  • Risk-aware actions: Tiered response (low/medium/high risk) with host isolation, process control, network rules, alert escalation, and incident case creation
  • Automatic case creation: Incident case creation via integration with the DECIPHER subsystem of SATRAP-DL and Flowintel
  • Flexible deployment: Local/remote manager and agent configurations
  • Production scenarios: GeoIP detection, log volume monitoring, suspicious login
  • Experimental scenarios: Insider threat, DDoS, C2 malware (require adaptation)

Deployment modes:

| Wazuh Manager | Wazuh Agents | Use case |
|---------------|--------------|----------|
| Local         | Local        | Single-node testing/development |
| Local         | Remote       | Central manager with distributed endpoints |
| Remote        | Remote       | Fully distributed production |

See RADAR README, scenarios, adversarial ML guidance and developer README.

SONAR - SIEM-Oriented Neural Anomaly Recognition via multivariate AD

SONAR provides production-grade anomaly detection:

  • Microsoft MVAD engine: Battle-tested multivariate time-series detection
  • Debug mode: Offline testing with synthetic data (no infrastructure required)
  • Scenario-based: YAML configuration for repeatable workflows
  • RADAR integration: Data shipping to Wazuh for automated response
  • Flexible modes: Real-time, batch, and historical analysis

See SONAR README, scenario guide, architecture and developer README.

Fully automated deployment with Ansible

We provide a complete Infrastructure-as-Code (IaC) deployment mechanism using Ansible (currently covering RADAR only), enabling teams to spin up a fully operational environment automatically and consistently. This gives a reproducible, scalable installation process suitable for production environments, testbeds, or research. We also provide detailed technical documentation of the manager automation pipeline.

The automated setup includes:

  • Wazuh Manager: automatically installed and configured for signature-based and ML-based monitoring, AD and alerting.
  • Wazuh Agents: deployed to monitored endpoints without manual intervention.
  • RADAR stack: including all dependencies, configuration templates, and communication channels between RADAR, Wazuh, SONAR, and ADBox.

ADBox (Legacy)

⚠️ Legacy System: ADBox uses MTAD-GAT for research purposes only. Use SONAR for all production deployments.

ADBox is maintained for research continuity with PyTorch-based Graph Attention Networks. See the ADBox manual for legacy documentation.

Documentation

See our user manual for comprehensive documentation on RADAR, SONAR, and ADBox. Visit our traceability page for interlinked requirements, technical specifications such as architecture diagrams, and test reports (TRB).

Quick start

Decision tree

Full stack automated deployment (RADAR)

Prerequisites:

  1. System requirements: Ensure your environment meets the resource and network requirements specified below
  2. Create radar/.env with credentials (see env.example):
    • OpenSearch URL, username, password, SSL certificates
    • Wazuh API credentials and manager address
    • SMTP settings for email alerts
    • FlowIntel API key (optional, for incident case creation)
    • Webhook URL (default: http://<manager-ip>:8080/notify)
  3. Configure radar/inventory.yaml for remote endpoints (if using --agent remote or --manager remote)
# Bootstrap entire stack with Ansible
cd radar
sudo ./build-radar.sh geoip_detection --agent remote --manager local --manager_exists false

See the RADAR getting started page for more details.

What this deploys:

  • Wazuh Manager with scenario-specific rules, decoders, and active responses
  • Wazuh Agents on remote endpoints with RADAR Helper (GeoIP enrichment)
  • OpenSearch detector and monitor for anomaly detection (only if applicable, e.g. in log volume change scenario)
  • Webhook service for alert routing
  • Complete automation pipeline for the chosen scenario

Here we provide a screenshot of a successful run of the GeoIP detection RADAR scenario:

The currently implemented active response sends an email to a designated recipient.

Additionally, if Flowintel is configured, the RADAR active response module creates a case in Flowintel for medium- and high-risk scenarios; low-risk alerts only trigger the email notification.

See RADAR getting started for deployment modes and configuration.
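The following is an added example, not RADAR's own code, showing the shape of the risk-tiered decision described above: a Wazuh alert is scored from its rule level plus context (GeoIP country, an ML anomaly score, authentication-failure group), mapped to a low/medium/high tier, and only medium/high tiers produce a Flowintel case body. The weights, thresholds, `EXPECTED_COUNTRIES`, the `data.anomaly_score` field, the tier-to-action table and the case layout are all assumptions made for illustration; the sample alert is constructed.

```python
"""Risk-tiered triage of a Wazuh alert, in the spirit of RADAR's low/medium/high
tiers and its "case for medium and high risk" behaviour. Added example, not
RADAR's code: weights, thresholds, EXPECTED_COUNTRIES, the data.anomaly_score
field and the Flowintel case layout are assumptions."""
import json
from dataclasses import dataclass, field
from typing import Any, Optional

# Where the (hypothetical) organisation expects interactive logins from.
EXPECTED_COUNTRIES = {"Luxembourg", "Germany", "France"}

# Assumed tier -> action mapping; action names follow the README's list
# (email alert, case creation, escalation, host isolation).
TIER_ACTIONS = {
    "low": ["email"],
    "medium": ["email", "flowintel_case", "escalate"],
    "high": ["email", "flowintel_case", "escalate", "isolate_host"],
}


@dataclass
class Decision:
    tier: str
    score: int
    reasons: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


def score_alert(alert: dict[str, Any]) -> Decision:
    """Combine the Wazuh rule level (0..15) with context signals into a tier."""
    rule = alert.get("rule", {})
    score = int(rule.get("level", 0))  # severity as assigned by Wazuh
    reasons: list[str] = []
    if score >= 10:
        reasons.append(f"rule level {score}")

    # GeoIP enrichment (Wazuh's GeoLocation object) outside the expected set.
    country = alert.get("GeoLocation", {}).get("country_name")
    if country and country not in EXPECTED_COUNTRIES:
        score += 4
        reasons.append(f"source country {country} not in expected set")

    # An ML anomaly score attached by the AD layer (assumed field, 0..1).
    if float(alert.get("data", {}).get("anomaly_score", 0.0)) >= 0.8:
        score += 4
        reasons.append("anomaly score >= 0.8")

    if "authentication_failed" in rule.get("groups", []):
        score += 2
        reasons.append("authentication failure")

    tier = "high" if score >= 14 else "medium" if score >= 9 else "low"
    return Decision(tier, score, reasons, list(TIER_ACTIONS[tier]))


def flowintel_case_payload(alert: dict[str, Any], decision: Decision) -> Optional[dict]:
    """Case body for medium/high tiers only; low-tier alerts get no case."""
    if "flowintel_case" not in decision.actions:
        return None
    return {
        "title": f"[RADAR:{decision.tier.upper()}] {alert['rule']['description']} "
                 f"on {alert['agent']['name']}",
        "description": "; ".join(decision.reasons),
        "tags": ["radar", decision.tier, f"rule:{alert['rule']['id']}"],
        "source_ip": alert.get("data", {}).get("srcip"),
    }


# Constructed sample alert in Wazuh alert shape (rule id in the custom 100000+ range).
SAMPLE_ALERT = json.loads("""{
  "rule": {"level": 10, "id": "100201", "description": "sshd: repeated failed logins",
           "groups": ["sshd", "authentication_failed"]},
  "agent": {"id": "001", "name": "web-01"},
  "data": {"srcip": "203.0.113.7", "dstuser": "root"},
  "GeoLocation": {"country_name": "Example Land"}
}""")

if __name__ == "__main__":
    decision = score_alert(SAMPLE_ALERT)
    print(decision)
    print(json.dumps(flowintel_case_payload(SAMPLE_ALERT, decision), indent=2))
```

The point to carry over to a real deployment is the separation between scoring (pure, testable) and actions (side effects): the tier thresholds can be tuned per scenario without touching the response code, and the case payload is built only when the tier calls for it.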

SONAR usage

SONAR provides scenario-based anomaly detection with flexible execution modes:

# Install and connect to Wazuh
poetry install --only sonar

# Check Wazuh connection
poetry run sonar check

# Run complete scenario (train + detect)
poetry run sonar scenario --use-case sonar/scenarios/brute_force_detection.yaml

# Debug mode (offline testing with synthetic data)
poetry run sonar scenario --use-case sonar/scenarios/example_scenario.yaml --debug

# Production mode with data shipping to RADAR
poetry run sonar scenario --use-case sonar/scenarios/my_scenario.yaml --ship

See the SONAR documentation for details.

Data shipping for Wazuh and RADAR integration:

What --ship does:

  • Creates dedicated data streams in Wazuh Indexer for scenario-specific anomalies
  • Enables custom dashboard creation in Wazuh
  • Enables real-time monitoring and RADAR automated response integration
  • Installs index templates for proper field typing and validation
  • Required for production SONAR→RADAR workflows

Why shipping matters: Without --ship, anomalies are indexed to a generic index. With --ship, each scenario gets a dedicated data stream (e.g., sonar_anomalies_mvad_brute_force_v1), enabling scenario-specific RADAR rules, dedicated dashboards, and independent data lifecycle policies.

# Ship anomalies to dedicated data stream during detection
poetry run sonar detect --scenario sonar/scenarios/my_scenario.yaml --ship

Benefits:

  • Scenario isolation: Each model gets its own data stream (e.g., sonar_anomalies_mvad_brute_force_v1)
  • RADAR integration: Anomalies automatically available for automated response
  • Dashboard visualization: Dedicated index for SIEM dashboard widgets
  • Data lifecycle management: Built-in rollover policies for stream management

See the data shipping guide for configuration details, and the dashboard tutorial for visualisation and step-by-step instructions on building such a dashboard (the process is the same for SONAR and ADBox).
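To make concrete what a dedicated data stream with typed fields and a lifecycle policy looks like, here is an added example (not SONAR's code) that builds the three OpenSearch artefacts behind a `--ship`-style setup: the stream name, the index template that enables the data stream and types the anomaly record, and an ISM policy that rolls over and eventually deletes backing indices. The naming scheme `sonar_anomalies_<engine>_<scenario>_v<version>` is inferred from the example name on this page; the field set, the ISM thresholds and the strict-mapping validator are assumptions.

```python
"""OpenSearch artefacts for per-scenario anomaly shipping. Added example, not
SONAR's code: the field set, ISM thresholds and validator are assumptions; the
name pattern follows the README's sonar_anomalies_mvad_brute_force_v1 example."""
import json
import re


def stream_name(engine: str, scenario: str, version: int = 1) -> str:
    """Normalise engine/scenario into a valid lowercase data-stream name."""
    slug = re.sub(r"[^a-z0-9]+", "_", scenario.lower()).strip("_")
    eng = re.sub(r"[^a-z0-9]+", "_", engine.lower()).strip("_")
    name = f"sonar_anomalies_{eng}_{slug}_v{version}"
    if not re.fullmatch(r"[a-z0-9_]+", name) or len(name) > 255:
        raise ValueError(f"invalid data stream name: {name}")
    return name


def index_template(name: str) -> dict:
    """Index template that turns `name` into a data stream and types its fields.
    `@timestamp` of type date is mandatory for data streams; `dynamic: strict`
    rejects unexpected fields instead of guessing a type for them."""
    return {
        "index_patterns": [name],
        "data_stream": {},
        "priority": 500,
        "template": {
            "settings": {"number_of_shards": 1, "number_of_replicas": 0},
            "mappings": {
                "dynamic": "strict",
                "properties": {
                    "@timestamp": {"type": "date"},
                    "scenario": {"type": "keyword"},
                    "model_version": {"type": "keyword"},
                    "agent_name": {"type": "keyword"},
                    "anomaly_score": {"type": "float"},
                    "is_anomaly": {"type": "boolean"},
                    "features": {"type": "object", "dynamic": True},
                },
            },
        },
    }


def ism_policy(name: str, max_size: str = "20gb", max_age: str = "7d",
               retain: str = "90d") -> dict:
    """ISM policy attached via ism_template to the stream's backing indices
    (.ds-<name>-<generation>): roll over on size/age, delete after `retain`."""
    return {
        "policy": {
            "description": f"rollover/retention for {name}",
            "default_state": "hot",
            "states": [
                {"name": "hot",
                 "actions": [{"rollover": {"min_size": max_size, "min_index_age": max_age}}],
                 "transitions": [{"state_name": "delete",
                                  "conditions": {"min_index_age": retain}}]},
                {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
            ],
            "ism_template": [{"index_patterns": [f".ds-{name}-*"], "priority": 100}],
        }
    }


_PY_TYPES = {"date": str, "keyword": str, "float": (int, float),
             "boolean": bool, "object": dict}


def validate_record(record: dict, template: dict) -> list[str]:
    """Apply the strict mapping locally so a bad document fails before shipping."""
    props = template["template"]["mappings"]["properties"]
    problems = [f"unknown field {k}" for k in record if k not in props]
    for key, spec in props.items():
        if key not in record:
            if key == "@timestamp":
                problems.append("missing @timestamp")
            continue
        value = record[key]
        ok = isinstance(value, _PY_TYPES[spec["type"]])
        if spec["type"] == "float" and isinstance(value, bool):
            ok = False  # bool is an int subclass in Python; not a float here
        if not ok:
            problems.append(f"{key}: expected {spec['type']}")
    return problems


if __name__ == "__main__":
    name = stream_name("MVAD", "Brute Force")
    print(name)
    print(json.dumps(index_template(name), indent=2))
    print(json.dumps(ism_policy(name), indent=2))
```

In a live deployment these bodies go to `PUT _index_template/<name>`, `PUT _plugins/_ism/policies/<id>` and `PUT _data_stream/<name>` respectively; the validator is what you would run on each anomaly record before the bulk request, since a strict mapping otherwise surfaces typing mistakes only as indexing errors.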

Evaluating SONAR (5 minutes)

Zero infrastructure required - SONAR's debug mode uses synthetic test data for offline evaluation:

# Install and test with debug mode (no Wazuh, no OpenSearch, no containers)
poetry install --with sonar
poetry run sonar scenario --use-case sonar/scenarios/example_scenario.yaml --debug

What debug mode provides:

  • Offline testing with pre-generated synthetic alerts
  • Complete train → detect → report workflow
  • Model evaluation without infrastructure overhead
  • Ideal for proof-of-concept and algorithm evaluation
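The train → detect → report loop that debug mode runs can be seen end to end in the following added example, which is not SONAR's code and does not use the MVAD engine: synthetic alerts are constructed with a steady background and one authentication-failure burst, bucketed into per-minute feature vectors, a baseline is fitted on the first half, and the second half is scored. The detector is a per-feature z-score with a variance floor, standing in for the multivariate model; the feature names, rates, threshold and the anomaly record layout are assumptions.

```python
"""Offline train -> detect -> report over constructed alerts, mirroring the shape
of a debug-mode run. Added example, not SONAR's code: the z-score detector is a
stand-in for MVAD, and FEATURES, rates, threshold and record layout are assumed."""
import math
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Per-bucket counts of alerts in these (assumed) Wazuh rule groups.
FEATURES = ("auth_failed", "auth_success", "sudo", "new_connection")
BASE_RATES = {"auth_failed": 2, "auth_success": 5, "sudo": 1, "new_connection": 8}


def synthetic_alerts(minutes: int = 60, seed: int = 7, burst_at: int = 50) -> list[dict]:
    """Constructed alerts: background jitter of +/-1 around BASE_RATES, plus an
    auth-failure burst in minute `burst_at`."""
    rng = random.Random(seed)
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alerts = []
    for m in range(minutes):
        ts = (t0 + timedelta(minutes=m)).isoformat()
        rates = dict(BASE_RATES)
        if m == burst_at:
            rates["auth_failed"] = 60
        for group, rate in rates.items():
            for _ in range(rng.randint(max(0, rate - 1), rate + 1)):
                alerts.append({"timestamp": ts, "rule": {"groups": [group]}})
    return alerts


def featurize(alerts: list[dict]) -> list[tuple[str, list[int]]]:
    """Bucket alerts per minute into a count vector ordered like FEATURES."""
    buckets: dict[str, Counter] = defaultdict(Counter)
    for a in alerts:
        minute = a["timestamp"][:16]  # YYYY-MM-DDTHH:MM
        for g in a["rule"]["groups"]:
            if g in FEATURES:
                buckets[minute][g] += 1
    return [(k, [buckets[k][f] for f in FEATURES]) for k in sorted(buckets)]


def train(rows: list[tuple[str, list[int]]], std_floor: float = 0.5) -> dict:
    """Fit per-feature mean/std; floor std so a flat feature cannot explode scores."""
    n = len(rows)
    means = [sum(v[i] for _, v in rows) / n for i in range(len(FEATURES))]
    stds = [max(std_floor, math.sqrt(sum((v[i] - means[i]) ** 2 for _, v in rows) / n))
            for i in range(len(FEATURES))]
    return {"means": means, "stds": stds}


def detect(model: dict, rows: list[tuple[str, list[int]]], threshold: float = 4.0) -> list[dict]:
    """Score each window by its largest absolute z-score; flag above threshold."""
    results = []
    for ts, v in rows:
        zs = [abs(x - m) / s for x, m, s in zip(v, model["means"], model["stds"])]
        score = max(zs)
        results.append({"@timestamp": ts, "anomaly_score": round(score, 2),
                        "is_anomaly": score > threshold,
                        "top_feature": FEATURES[zs.index(score)]})
    return results


def report(results: list[dict]) -> dict:
    anomalies = [r for r in results if r["is_anomaly"]]
    return {"windows": len(results), "anomalies": len(anomalies),
            "first_anomaly": anomalies[0]["@timestamp"] if anomalies else None}


def run(train_minutes: int = 30) -> tuple[dict, list[dict]]:
    rows = featurize(synthetic_alerts())
    model = train(rows[:train_minutes])       # baseline: first half
    results = detect(model, rows[train_minutes:])  # score the rest
    return report(results), results


if __name__ == "__main__":
    summary, _ = run()
    print(summary)
```

The records emitted by `detect` already carry the `@timestamp`, `anomaly_score` and `is_anomaly` fields a downstream SIEM would expect, which is the seam where a real run would hand off to shipping and to RADAR rules; the variance floor is the kind of guard that matters in practice, since a feature that is flat during training otherwise turns a single extra event into an alert.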

Requirements

Resource requirements by component

| Component     | RAM          | Storage         | CPU      |
|---------------|--------------|-----------------|----------|
| Wazuh Manager | 8 GB minimum | ~15 GB          | 4 cores  |
| SONAR         | 4 GB         | ~2 GB (models)  | 2 cores  |
| RADAR         | 2 GB         | ~1 GB           | 2 cores  |
| Wazuh Agents  | 512 MB each  | ~500 MB each    | 1 core   |
| Full Stack    | 16 GB+       | ~26 GB total    | 8+ cores |

Network requirements

  • Wazuh Manager: Port 55000 (API), Port 1514/1515 (agent communication)
  • OpenSearch/Wazuh Indexer: Port 9200 (HTTPS)
  • RADAR Webhook: Port 8080 (configurable in .env)
  • FlowIntel (optional): Port 7006 (API)

Deployment flexibility

Components can run on separate nodes for distributed deployments. See deployment guide for multi-node setups and Docker deployment for containerized options.

Docker deployment

Build and run with convenience scripts:

# Build images
./build.sh all              # All components
./build.sh sonar            # SONAR only

# Run SONAR
./sonar.sh check            # Check Wazuh connection
./sonar.sh scenario --use-case sonar/scenarios/example_scenario.yaml --debug

# Run ADBox (legacy)
./adbox.sh -u 1

# Run with custom arguments
./adbox.sh <your-adbox-arguments>

Note: Docker-based execution requires building the images first with build.sh.

Development

# Install dependencies
poetry install --with sonar,radar,adbox,test

# Run tests
poetry run pytest tests/sonartests/  # SONAR
poetry run pytest tests/             # All
./radar/test.sh                      # RADAR

# SONAR CLI
poetry run sonar check
poetry run sonar scenario --use-case sonar/scenarios/example.yaml --debug

# Docker builds
./build.sh all

See SONAR README and RADAR README for component-specific development guides.

Testing

See our traceability page for test reports (TRB) and RADAR test framework for automated experimentation.

Roadmap

  • Integration with the DECIPHER subsystem of SATRAP-DL
  • Enhancing the RADAR lightweight risk engine with real-time CTI analysis by DECIPHER (in turn integrated with MISP)
  • Automating SONAR-RADAR integration
  • Scenarios with advanced hybrid correlation (signatures + RRCF + SONAR anomalies)
  • Automatic model retraining (schedule-based, drift-triggered)
  • Extended categorical feature support
  • New scenario templates
  • Greater robustness against adversarial ML
  • SATRAP CTI integration
  • OpenTRICK asset graph conversion

See Wiki for detailed roadmap.

Disclaimer

Provided for evaluation and testing. While SONAR and RADAR have been deployed in controlled environments, conduct thorough security assessments before production use. Use at your own risk.

License

Copyright © itrust Abstractions Lab and itrust consulting. Licensed under GNU AGPL v3.0. See AUTHORS for contributors.

Acknowledgment

Co-funded by the Ministry of the Economy of Luxembourg in the context of the CyFORT project.

Contact

Abstractions Lab: info@abstractionslab.lu
