1 Open-Source Release MRS-001
The IDPS-ESCAPE source code and technical documentation SHALL be made available as open-source software using either a permissive or a copyleft software license.
| Attribute | Value |
|---|---|
| type | B |
| rationale | To comply with organizational and project constraints. |
| importance | 5 |
| urgency | 1 |
| vm | I |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
2 Command & Control MRS-002
The IDPS-ESCAPE system architecture SHALL include a centralized subsystem, throughout called command-and-control (C&C), for updating user-exposed settings of subsystems tackling data collection, intrusion detection and prevention.
Child links: HARC-001 ADBox subsystem, SRS-001 Centralized C&C Deployment, SRS-002 Endpoint Status Monitoring, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To centralize and simplify agent/sensor configuration management. |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
3 Agent Data Centralization MRS-003
The IDPS-ESCAPE system architecture SHALL include end-point monitoring agents/sensors that gather host and network data and relay the said data back to the C&C.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To enable a multi-node deployment of monitoring endpoints and centralization of data collection. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
4 Multivariate Anomaly Detection MRS-004
The IDPS-ESCAPE system architecture SHALL include a multivariate anomaly detection (AD) subsystem to detect anomalies across at least two features/dimensions in at least one of the following types of security event capturing data sets: host-based and network-based.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-037 Anomaly-Based NIDS, SRS-040 Data Management Subpackage, SRS-041 Time Management Package
| Attribute | Value |
|---|---|
| type | A |
| rationale | To detect deviations from an a priori normal baseline system behavior, possibly caused by malicious actors. |
| importance | 5 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
5 Host-based Intrusion Detection MRS-005
The IDPS-ESCAPE system architecture SHALL include a host-based intrusion detection system (HIDS) with agents deployed on the of hosts' monitored system, that can be enabled/disabled by the user.
Child links: HARC-003 IDPS-ESCAPE context, SRS-003 HIDS Agent Deployment, SRS-004 HIDS Agent Management
| Attribute | Value |
|---|---|
| type | A |
| rationale | To support host-based IDS. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
6 NIDS Support MRS-006
The IDPS-ESCAPE system architecture SHALL include a network-based intrusion detection system (NIDS) covering channels between endpoints running IDPS-ESCAPE subsystems, that can be enabled/disabled by the user.
Child links: HARC-003 IDPS-ESCAPE context, SRS-005 Network Monitoring Control
| Attribute | Value |
|---|---|
| type | A |
| rationale | To support network-based IDS. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
7 Intrusion Prevention MRS-007
The subsystems of IDPS-ESCAPE SHOULD include intrusion prevention (IP) capabilities.
Child links: HARC-003 IDPS-ESCAPE context, SRS-006 Centralized NIDPS Prevention
| Attribute | Value |
|---|---|
| type | F |
| rationale | To be able to take reactive corrective measures and mitigate intrusions. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
8 Network Capture Forwarding MRS-008
The IDPS-ESCAPE network sensors SHOULD be able to capture and forward raw network traffic to the C&C server.
Child links: HARC-003 IDPS-ESCAPE context, SRS-007 Raw Traffic Capture
| Attribute | Value |
|---|---|
| type | F |
| rationale | To collect events for threat hunting and CTI operations, reducing the NIDS overhead and to do customized AD. |
| importance | 3 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
9 Docker Deployment Option MRS-009
The IDPS-ESCAPE end-point monitoring components MAY be deployed in Docker containers.
Child links: SRS-008 Dockerized NIDS Deployment
| Attribute | Value |
|---|---|
| type | O |
| rationale | To ensure the following properties: consistent and reproducible environments, isolation, resource efficiency, scalability, portability, fast spawning and shutdown, improved CI/CD, support of micro services architecture, improved dependency management. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
11 Signature-based Host IDS MRS-011
IDPS-ESCAPE SHALL include a signature-based host intrusion detection engine.
Child links: HARC-003 IDPS-ESCAPE context, SRS-009 Signature-Based HIDS
| Attribute | Value |
|---|---|
| type | F |
| rationale | To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk. |
| importance | 5 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
12 XDR & SIEM Integration MRS-012
The IDPS-ESCAPE system architecture SHALL include an XDR & SIEM subsystem (see the system concept for definitions).
Child links: HARC-003 IDPS-ESCAPE context, SRS-010 Centralized Threat Management
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ingest data from tools in an security technology stack to create greater context for Security Operations Center (SOC) teams to perform faster threat detection, investigation, and response. |
| importance | 5 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
13 Visual Dashboard MRS-013
The IDPS-ESCAPE system architecture SHOULD include a subsystem providing a data visualization dashboard capable of presenting data collected by the endpoint monitoring agents; precise feature definitions are deferred to system requirement specifications (SRS).
Child links: HARC-003 IDPS-ESCAPE context, SRS-011 Network Event Visualization, SRS-012 Host Event Visualization, SRS-013 HIDS Agent Status Panel
| Attribute | Value |
|---|---|
| type | A |
| rationale | To improve accessibility and easy-of-use for IDPS-ESCAPE end-users (e.g., security engineers, CTI analysts, etc.). |
| importance | 4 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
14 Data Extraction API MRS-014
IDPS-ESCAPE SHALL provide an API for retrieving data obtained from the IDPS-ESCAPE endpoint monitoring agents.
Child links: SRS-014 Event Decoding & Transformation, SRS-015 Custom Rule Support
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enable programmatic access to data gathered by IDPS-ESCAPE endpoint agents. |
| importance | 4 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
15 Software Configuration Management MRS-015
The C&C subsystem of IDPS-ESCAPE SHALL provide the user with a software configuration management (SCM) mechanism (e.g., a CLI or configuration files) to set the user-adjustable parameters of subsystems and modules scoped within the C&C system boundary.
Child links: SRS-016 Indexer Credential Management, SRS-017 Custom Data Source, SRS-018 ML Hyperparameter Tuning, SRS-019 Datatype Transformation Map, SRS-020 Ingestion Field Update, SRS-021 Default Use Case Update, SRS-022 Indexer Credentials Update
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable centralize management of subsystems controlled by the C&C. |
| importance | 4 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
16 Agent (De)Registration MRS-016
The SCM mechanism SHALL provide a (de)registration solution for the removal and addition of end-point monitoring agents.
Child links: SRS-023 Agent Registration Process
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable a non-static configuration of monitored nodes. |
| importance | 4 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
17 Monitoring Frontend MRS-017
The IDPS-ESCAPE system architecture SHALL include a frontend subsystem presenting monitoring outcomes to the end-user, with the specific outcome definitions deferred to system requirement specifications (SRS).
Child links: HARC-003 IDPS-ESCAPE context, SRS-043 AD Data Visualization
| Attribute | Value |
|---|---|
| type | A |
| rationale | To allow end-users to monitor complex indicators more easily. |
| importance | 3 |
| urgency | 2 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
18 Data Management Subsystem MRS-018
The IDPS-ESCAPE system architecture design SHALL include a data management subsystem aimed at consolidating access to data obtained from endpoint monitoring agents such as events, alerts and statistics.
Child links: HARC-003 IDPS-ESCAPE context, SRS-024 Event Querying Capability, SRS-042 Prediction Shipping Feature
| Attribute | Value |
|---|---|
| type | A |
| rationale | To simplify programmatic access to security alert and event data and to ensure a single source of truth. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
19 3rd-Party Open-source Signature-based NIDS MRS-019
The IDPS-ESCAPE architecture SHOULD integrate third-party open-source tools for signature-based intrusion detection.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To capitalize on and build upon existing open-source capabilities. |
| importance | 2 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
20 Platform Independence MRS-020
The IDPS-ESCAPE architecture SHALL rely on a platform-independent solution (e.g., containerization-based) enabling the C&C subsystem and endpoint monitoring agents to run on the following operating systems: Windows 10/11 64-bit, MacOS 10.12 above and GNU/Linux-based distributions based on Debian such as Ubuntu.
Child links: HARC-003 IDPS-ESCAPE context, SRS-044 Platform-Independent Deployment, SRS-046 Cross-Platform ADBox Deployment
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ensure cross-platform compatibility and portability. |
| importance | 3 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
21 IaC Deployment MRS-021
The deployment solution of IDPS-ESCAPE for the C&C subsystem and the endpoint monitoring agents SHALL make use of installation scripts (e.g., Shell or Python) that can be integrated into infrastructure-as-code paradigms used for automating scalable VM-based technology stacks used in cloud environments.
Child links: SRS-049 Anomaly Shipping to Indexer
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable deployments in cloud infrastructures. |
| importance | 4 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
22 Network Endpoint Monitoring MRS-022
The IDPS-ESCAPE architecture SHALL define endpoint monitoring for networked nodes capable of running IDPS-ESCAPE agents/sensors and relying on network connections between the said agents and the C&C subsystem.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To allow sensors/agents and the central server to be deployable across multiple distinct nodes. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
23 MITRE ATT&CK Mapping MRS-023
The SIEM subsystem SHOULD include threat enumeration based on a mapping of security incident detections to MITRE ATT&CK entries.
Child links: SRS-025 MITRE ATT&CK Mapping
| Attribute | Value |
|---|---|
| type | F |
| rationale | To improve and speed up threat detection and classification, thereby facilitating CTI analysis. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
24 TIP API Integration MRS-024
The IDPS-ESCAPE system architecture SHOULD include a mechanism for an API-based integration with at least one threat intelligence platform (TIP), e.g., MISP, with integration here referring to sending detection alert information to a TIP and receiving additional threat intelligence from the said TIP.
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enhance cyber threat Intelligence capabilities by capitalizing on mature TIPs. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
25 Threat Detection API MRS-025
IDPS-ESCAPE SHALL provide an API for retrieving threat detection events and security information gathered by agents/sensors.
Child links: SRS-026 TIP Data Export
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enable programmatic access, which would also in turn support integration with SATRAP-DL. |
| importance | 4 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
26 C5-DEC Development Model MRS-026
IDPS-ESCAPE SHALL be designed and developed following the C5-DEC model, methodology, and tools.
Child links: SRS-045 High-Level Architecture Overview
| Attribute | Value |
|---|---|
| type | C |
| rationale | To comply with project requirements and to follow a consistent and well-defined process, while improving development security. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
27 Secure Inter-Component Communication MRS-027
Communication between IDPS-ESCAPE subsystems/modules/components that do not reside in the same system/trust/cryptographic boundaries SHALL occur over authenticated and encrypted channels.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to malicious actors (adversaries). |
| importance | 5 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
28 Standardized AD Input MRS-028
Security events and alerts used as raw input to the AD subsystem SHALL either follow a standardized data scheme or an open-source specification (e.g., syslog).
| Attribute | Value |
|---|---|
| type | C |
| rationale | To foster adoption, improve data management efficiency and robustness, enable code reuse (parsing, (de)serialization, and marshalling libraries), and to avoid proprietary formats and vendor lock-in. |
| importance | 2 |
| urgency | 1 |
| vm | I |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
29 Data Collection Scalability MRS-029
IDPS-ESCAPE endpoint monitoring SHALL be able to monitor at least 5 endpoint nodes capable of running IDPS-ESCAPE sensors/agents.
| Attribute | Value |
|---|---|
| type | O |
| rationale | To address stakeholder scalability needs. |
| importance | 3 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
30 Deep Learning Technique MRS-030
The AD subsystem SHALL use an ML technique to detect anomalies, relying on a deep learning method, with the definition of the concrete AD solution traced to the mathematical specification of AD for the selected algorithm.
Child links: SRS-027 ML-Based Anomaly Detection, SRS-038 Joint Host-Network Training, SRS-047 Interactive Use Case Builder, SRS-048 Default Detector Training
| Attribute | Value |
|---|---|
| type | F |
| rationale | To address stakeholder needs and project proposal requirements and constraints. |
| importance | 4 |
| urgency | 4 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
31 Multiple ML Techniques MRS-031
The AD subsystem MAY use several different ML techniques to detect anomalies.
Child links: HARC-002 ADBox architecture, SRS-028 Algorithm Comparison Feature, SRS-039 Algorithm Selection Option
| Attribute | Value |
|---|---|
| type | F |
| rationale | To allow for the use of different types of data and methods to consolidate, improve, validate and extend AD capabilities. |
| importance | 1 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
32 Host and Network Ingestion MRS-032
IDPS-ESCAPE SHALL provide a data ingestion solution capable of retrieving endpoint observation data from both host and network events.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-029 Host & Network Ingestion
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable holistic system monitoring. |
| importance | 5 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
33 API Data Retrieval MRS-033
The AD subsystem SHALL retrieve data via the IDPS-ESCAPE API.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | F |
| rationale | To provide consolidated raw data capturing host and network level data for detecting anomalies. |
| importance | 4 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
34 Standardized AD Output MRS-034
The AD subsystem SHALL output anomaly detection events to a log file using a machine-readable format (e.g., YAML, syslog).
Child links: SRS-030 AD Results Visualization, SRS-031 Training Loss Visualization, SRS-032 Predicted Anomalies Visualization
| Attribute | Value |
|---|---|
| type | C |
| rationale | To ensure automation, programmatic access, wide and easy adoption, code reuse. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
35 Secure Log Storage MRS-035
The C&C subsystem SHALL store log files containing anomaly detection events as well as detection and observation data originating from endpoint monitoring agents on nodes located within the same trust boundary as the C&C subsystem.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to adversaries. |
| importance | 4 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
36 Secure pcap Storage MRS-036
The C&C subsystem SHALL store pcap files (if any) on nodes located within the same trust boundary as the C&C subsystem.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to adversaries. |
| importance | 4 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
37 Multiple Deployment Models MRS-037
The IDPS-ESCAPE architecture SHOULD define at least two deployment models for network-based intrusion detection, one relying on a monitoring and detection (MD) engine running on each monitored node, and another relying on a single MD receiving consolidated raw input originating from multiple monitored nodes, e.g., using channel redirection.
Child links: HARC-003 IDPS-ESCAPE context, SRS-033 Remote Endpoint Deployment
| Attribute | Value |
|---|---|
| type | O |
| rationale | To provide flexibility and potential for adapting and improving performance. |
| importance | 3 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
38 pcap Support MRS-038
IDPS-ESCAPE SHOULD capture network traffic using a pcap-based API.
| Attribute | Value |
|---|---|
| type | C |
| rationale | To ensure reuse, wide adoption and known standards-based arguments. |
| importance | 2 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
39 Offline AD MRS-039
The AD subsystem SHALL be able to perform off-line AD using static input, e.g., static data sets compiled from a pcap-based API or SIEM indices.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-035 Offline Anomaly Detection
| Attribute | Value |
|---|---|
| type | F |
| rationale | To mitigate the risk of poor online detection as well as design and implementation obstacles. |
| importance | 2 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
40 Signature-Based NIDS MRS-040
IDPS-ESCAPE SHALL include a signature-based network intrusion detection engine.
Child links: HARC-003 IDPS-ESCAPE context, SRS-036 Custom NIDS Rules
| Attribute | Value |
|---|---|
| type | F |
| rationale | To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk. |
| importance | 5 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
41 Standalone AD Subsystem MRS-041
The AD subsystem SHALL run as an independent process, i.e., as a standalone UNIX process.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ensure autonomy, self-sufficiency, extensibility, flexibility, and to minimize dependency on third-party tools. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |