1 Open-Source Release MRS-001
The IDPS-ESCAPE source code and technical documentation SHALL be made available as open-source software using either a permissive or a copyleft software license.
Rationale
To comply with organizational and project constraints.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | B |
| importance | 5 |
| urgency | 1 |
| vm | I |
| release | Alpha |
2 Command & Control MRS-002
The IDPS-ESCAPE system architecture SHALL include a centralized subsystem, referred to throughout as command-and-control (C&C), for updating the user-exposed settings of the subsystems tackling data collection, intrusion detection and prevention.
Rationale
To centralize and simplify agent/sensor configuration management.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, SRS-001 Centralized C&C Deployment, SRS-002 Endpoint Status Monitoring, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| urgency | 5 |
| vm | R |
| release | Alpha |
3 Agent Data Centralization MRS-003
The IDPS-ESCAPE system architecture SHALL include end-point monitoring agents/sensors that gather host and network data and relay the said data back to the C&C.
Rationale
To enable a multi-node deployment of monitoring endpoints and centralization of data collection.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
4 Multivariate Anomaly Detection MRS-004
The IDPS-ESCAPE system architecture SHALL include a multivariate anomaly detection (AD) subsystem to detect anomalies across at least two features/dimensions in at least one of the following types of security event capturing data sets: host-based and network-based.
Rationale
To detect deviations from an a priori normal baseline of system behavior, possibly caused by malicious actors.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-037 Anomaly-Based NIDS, SRS-040 Data Management Subpackage, SRS-041 Time Management Package
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 4 |
| vm | R |
| release | Alpha |
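
Worked illustration of the multivariate point in MRS-004, added here as an example; it is not IDPS-ESCAPE code and not the deep-learning detector the project specifies (see MRS-030). A baseline of 20 constructed host observations pairs two correlated features, CPU utilisation and outbound bytes per second; a probe point that is unremarkable on each feature alone but breaks their correlation is scored with the Mahalanobis distance. The feature names, the values and the threshold of 3 are assumptions made for the example.

```python
import math

# Constructed baseline: 20 "normal" observations of two correlated features
# for one host, (cpu_percent, bytes_out_kb_per_s). Synthetic values for this
# example only; a real baseline comes from the agents' host and network data.
def baseline_rows():
    rows = []
    for i in range(20):
        jitter = (-1) ** i * (i % 3)   # deterministic noise keeps the covariance non-singular
        rows.append((20.0 + 2 * i, 100.0 + 10 * i + jitter))
    return rows

def fit(rows):
    """Mean vector, per-feature std and inverse 2x2 covariance of the baseline."""
    n = len(rows)
    mu = [sum(r[k] for r in rows) / n for k in range(2)]
    cov = [[0.0, 0.0], [0.0, 0.0]]
    for r in rows:
        d = [r[0] - mu[0], r[1] - mu[1]]
        for a in range(2):
            for b in range(2):
                cov[a][b] += d[a] * d[b] / (n - 1)
    det = cov[0][0] * cov[1][1] - cov[0][1] * cov[1][0]
    if det <= 1e-9:
        raise ValueError("covariance is singular: the two features are collinear")
    inv_cov = [[cov[1][1] / det, -cov[0][1] / det],
               [-cov[1][0] / det, cov[0][0] / det]]
    return {"mu": mu,
            "std": [math.sqrt(cov[0][0]), math.sqrt(cov[1][1])],
            "inv_cov": inv_cov}

def score(x, model, threshold=3.0):
    """Score one observation per feature (|z|) and jointly (Mahalanobis distance)."""
    mu, std, inv = model["mu"], model["std"], model["inv_cov"]
    d = [x[0] - mu[0], x[1] - mu[1]]
    z = [abs(d[k]) / std[k] for k in range(2)]
    # d^T * inv_cov * d: distance measured in the whitened feature space
    quad = sum(d[a] * inv[a][b] * d[b] for a in range(2) for b in range(2))
    mahal = math.sqrt(max(quad, 0.0))
    return {"z_cpu": z[0], "z_bytes": z[1],
            "univariate_flag": max(z) > threshold,
            "mahalanobis": mahal,
            "multivariate_flag": mahal > threshold}

if __name__ == "__main__":
    model = fit(baseline_rows())
    # (30, 151) sits on the baseline trend; (22, 290) is normal per feature but
    # pairs low CPU with high egress, i.e. an exfiltration-like joint anomaly.
    for label, x in (("on-trend", (30.0, 151.0)), ("joint anomaly", (22.0, 290.0))):
        print(label, score(x, model))
```

Run as a script, the probe (22, 290) passes both single-feature checks (|z| below 3) yet scores far above the threshold jointly; that is the case a detector that looks at one feature at a time misses, and the reason the requirement asks for at least two dimensions.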
5 Host-based Intrusion Detection MRS-005
The IDPS-ESCAPE system architecture SHALL include a host-based intrusion detection system (HIDS) with agents deployed on the hosts of the monitored system, which can be enabled/disabled by the user.
Rationale
To support host-based IDS.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-003 HIDS Agent Deployment, SRS-004 HIDS Agent Management
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
6 NIDS Support MRS-006
The IDPS-ESCAPE system architecture SHALL include a network-based intrusion detection system (NIDS) covering channels between endpoints running IDPS-ESCAPE subsystems, that can be enabled/disabled by the user.
Rationale
To support network-based IDS.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-005 Network Monitoring Control
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
7 Intrusion Prevention MRS-007
The subsystems of IDPS-ESCAPE SHOULD include intrusion prevention (IP) capabilities.
Rationale
To be able to take reactive corrective measures and mitigate intrusions.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, HARC-004 RADAR architecture, HARC-005 RADAR Automated Test Framework architecture, HARC-006 RADAR deployment: Remote Agent and Remote Manager mode, SRS-006 Centralized NIDPS Prevention, HARC-007 RADAR deployment: Remote Agent and Local Manager mode, HARC-008 RADAR deployment: Local Agent and Local Manager mode, SRS-050 Insider Threat Detection and Prevention: Data exfiltration, SRS-051 Suspicious login Detection and Prevention: Impossible travel and Failed-login bursts, SRS-052 DDoS Detection and Prevention: SYN-flood, SRS-053 Malware Communication Detection and Prevention: Beaconing, SRS-054 RADAR Automated Test Framework, SRS-055 Geo-based Access Control: Non-whitelisted Country Login Detection and Prevention, SRS-056 Log volume spike detection per endpoint
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 3 |
| vm | T |
| release | Alpha |
8 Network Capture Forwarding MRS-008
The IDPS-ESCAPE network sensors SHOULD be able to capture and forward raw network traffic to the C&C server.
Rationale
To collect events for threat hunting and CTI operations, to reduce the NIDS overhead, and to enable customized AD.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-007 Raw Traffic Capture
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 4 |
| vm | T |
| release | Alpha |
9 Docker Deployment Option MRS-009
The IDPS-ESCAPE end-point monitoring components MAY be deployed in Docker containers.
Rationale
To ensure the following properties: consistent and reproducible environments, isolation, resource efficiency, scalability, portability, fast spawning and shutdown, improved CI/CD, support for microservices architectures, and improved dependency management.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-008 Dockerized NIDS Deployment
| Attribute | Value |
|---|---|
| type | O |
| importance | 4 |
| urgency | 3 |
| vm | R |
| release | Alpha |
11 Signature-based Host IDS MRS-011
IDPS-ESCAPE SHALL include a signature-based host intrusion detection engine.
Rationale
To build on the mature and existing rule-based detection and CTI body of knowledge, and to mitigate the risk of low AD detection rates.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-009 Signature-Based HIDS
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
12 XDR & SIEM Integration MRS-012
The IDPS-ESCAPE system architecture SHALL include an XDR & SIEM subsystem (see the system concept for definitions).
Rationale
To ingest data from tools in a security technology stack to create greater context for Security Operations Center (SOC) teams to perform faster threat detection, investigation, and response.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, HARC-004 RADAR architecture, SRS-010 Centralized Threat Management
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 4 |
| vm | R |
| release | Alpha |
13 Visual Dashboard MRS-013
The IDPS-ESCAPE system architecture SHOULD include a subsystem providing a data visualization dashboard capable of presenting data collected by the endpoint monitoring agents; precise feature definitions are deferred to system requirement specifications (SRS).
Rationale
To improve accessibility and ease of use for IDPS-ESCAPE end-users (e.g., security engineers, CTI analysts, etc.).
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-011 Network Event Visualization, SRS-012 Host Event Visualization, SRS-013 HIDS Agent Status Panel
| Attribute | Value |
|---|---|
| type | A |
| importance | 4 |
| urgency | 4 |
| vm | R |
| release | Alpha |
14 Data Extraction API MRS-014
IDPS-ESCAPE SHALL provide an API for retrieving data obtained from the IDPS-ESCAPE endpoint monitoring agents.
Rationale
To enable programmatic access to data gathered by IDPS-ESCAPE endpoint agents.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-014 Event Decoding & Transformation, SRS-015 Custom Rule Support
| Attribute | Value |
|---|---|
| type | I |
| importance | 4 |
| urgency | 4 |
| vm | R |
| release | Alpha |
15 Software Configuration Management MRS-015
The C&C subsystem of IDPS-ESCAPE SHALL provide the user with a software configuration management (SCM) mechanism (e.g., a CLI or configuration files) to set the user-adjustable parameters of subsystems and modules scoped within the C&C system boundary.
Rationale
To enable centralized management of the subsystems controlled by the C&C.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-016 Indexer Credential Management, SRS-017 Custom Data Source, SRS-018 ML Hyperparameter Tuning, SRS-019 Datatype Transformation Map, SRS-020 Ingestion Field Update, SRS-021 Default Use Case Update, SRS-022 Indexer Credentials Update
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 3 |
| vm | T |
| release | Alpha |
16 Agent (De)Registration MRS-016
The SCM mechanism SHALL provide a (de)registration solution for the removal and addition of end-point monitoring agents.
Rationale
To enable a non-static configuration of monitored nodes.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-023 Agent Registration Process
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 3 |
| vm | T |
| release | Alpha |
17 Monitoring Frontend MRS-017
The IDPS-ESCAPE system architecture SHALL include a frontend subsystem presenting monitoring outcomes to the end-user, with the specific outcome definitions deferred to system requirement specifications (SRS).
Rationale
To allow end-users to monitor complex indicators more easily.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-043 AD Data Visualization
| Attribute | Value |
|---|---|
| type | A |
| importance | 3 |
| urgency | 2 |
| vm | R |
| release | Alpha |
18 Data Management Subsystem MRS-018
The IDPS-ESCAPE system architecture design SHALL include a data management subsystem aimed at consolidating access to data obtained from endpoint monitoring agents such as events, alerts and statistics.
Rationale
To simplify programmatic access to security alert and event data and to ensure a single source of truth.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-024 Event Querying Capability, SRS-042 Prediction Shipping Feature
| Attribute | Value |
|---|---|
| type | A |
| importance | 4 |
| urgency | 3 |
| vm | R |
| release | Alpha |
19 3rd-Party Open-source Signature-based NIDS MRS-019
The IDPS-ESCAPE architecture SHOULD integrate third-party open-source tools for signature-based intrusion detection.
Rationale
To capitalize on and build upon existing open-source capabilities.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| importance | 2 |
| urgency | 1 |
| vm | R |
| release | Alpha |
20 Platform Independence MRS-020
The IDPS-ESCAPE architecture SHALL rely on a platform-independent solution (e.g., containerization-based) enabling the C&C subsystem and endpoint monitoring agents to run on the following operating systems: Windows 10/11 64-bit, macOS 10.12 and above, and GNU/Linux distributions based on Debian, such as Ubuntu.
Rationale
To ensure cross-platform compatibility and portability.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-044 Platform-Independent Deployment, SRS-046 Cross-Platform ADBox Deployment
| Attribute | Value |
|---|---|
| type | A |
| importance | 3 |
| urgency | 1 |
| vm | R |
| release | Alpha |
21 IaC Deployment MRS-021
The deployment solution of IDPS-ESCAPE for the C&C subsystem and the endpoint monitoring agents SHALL make use of installation scripts (e.g., Shell or Python) that can be integrated into the infrastructure-as-code (IaC) paradigms used to automate scalable VM-based technology stacks in cloud environments.
Rationale
To enable deployments in cloud infrastructures.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-049 Anomaly Shipping to Indexer
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 2 |
| vm | T |
| release | Alpha |
22 Network Endpoint Monitoring MRS-022
The IDPS-ESCAPE architecture SHALL define endpoint monitoring for networked nodes capable of running IDPS-ESCAPE agents/sensors and relying on network connections between the said agents and the C&C subsystem.
Rationale
To allow sensors/agents and the central server to be deployable across multiple distinct nodes.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| importance | 4 |
| urgency | 3 |
| vm | R |
| release | Alpha |
23 MITRE ATT&CK Mapping MRS-023
The SIEM subsystem SHOULD include threat enumeration based on a mapping of security incident detections to MITRE ATT&CK entries.
Rationale
To improve and speed up threat detection and classification, thereby facilitating CTI analysis.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-025 MITRE ATT&CK Mapping
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 3 |
| vm | T |
| release | Alpha |
24 TIP API Integration MRS-024
The IDPS-ESCAPE system architecture SHOULD include a mechanism for an API-based integration with at least one threat intelligence platform (TIP), e.g., MISP, with integration here referring to sending detection alert information to a TIP and receiving additional threat intelligence from the said TIP.
Rationale
To enhance cyber threat intelligence (CTI) capabilities by capitalizing on mature TIPs.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | I |
| importance | 3 |
| urgency | 3 |
| vm | T |
| release | Alpha |
25 Threat Detection API MRS-025
IDPS-ESCAPE SHALL provide an API for retrieving threat detection events and security information gathered by agents/sensors.
Rationale
To enable programmatic access, which would also in turn support integration with SATRAP-DL.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-026 TIP Data Export
| Attribute | Value |
|---|---|
| type | I |
| importance | 4 |
| urgency | 4 |
| vm | T |
| release | Alpha |
26 C5-DEC Development Model MRS-026
IDPS-ESCAPE SHALL be designed and developed following the C5-DEC model, methodology, and tools.
Rationale
To comply with project requirements and to follow a consistent and well-defined process, while improving development security.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-045 High-Level Architecture Overview
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
27 Secure Inter-Component Communication MRS-027
Communication between IDPS-ESCAPE subsystems/modules/components that do not reside in the same system/trust/cryptographic boundaries SHALL occur over authenticated and encrypted channels.
Rationale
To ensure confidentiality and integrity with respect to malicious actors (adversaries).
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | S |
| importance | 5 |
| urgency | 3 |
| vm | A |
| release | Alpha |
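
As an added example for MRS-027 (not IDPS-ESCAPE code), the following audits a Python `ssl.SSLContext` for the two properties the requirement asks for, authentication of the peer and encryption with a current protocol version, and shows a weak client context next to hardened client and server contexts. `ssl.SSLContext`, `verify_mode`, `check_hostname` and `minimum_version` are the standard-library API; the certificate paths in the comments are placeholders, and the block loads no certificate so that it runs offline.

```python
import ssl

def audit_context(ctx, role):
    """Return the list of findings for a context; an empty list means it passes.
    role is "client" (agent connecting to the C&C) or "server" (the C&C listener)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS < 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Client: must verify the C&C certificate. Server: must demand a client
        # certificate, otherwise the channel is encrypted but the peer is anonymous.
        findings.append("verify_mode is not CERT_REQUIRED (peer is not authenticated)")
    if role == "client" and not ctx.check_hostname:
        findings.append("check_hostname disabled (certificate not bound to the C&C name)")
    return findings

def weak_client_context():
    """Encrypts, but trusts any certificate: fails MRS-027."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context():
    """Agent side: verify the C&C certificate and name, TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Placeholder paths, not loaded here so the example runs offline:
    # ctx.load_verify_locations("/etc/idps-escape/ca.pem")
    # ctx.load_cert_chain("/etc/idps-escape/agent.pem", "/etc/idps-escape/agent.key")
    return ctx

def hardened_server_context():
    """C&C side: require a client certificate (mutual TLS), TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # an agent without a cert is refused at the handshake
    # ctx.load_verify_locations("/etc/idps-escape/ca.pem")
    # ctx.load_cert_chain("/etc/idps-escape/cc.pem", "/etc/idps-escape/cc.key")
    return ctx

if __name__ == "__main__":
    print("weak client:", audit_context(weak_client_context(), "client"))
    print("hardened client:", audit_context(hardened_client_context(), "client"))
    print("hardened server:", audit_context(hardened_server_context(), "server"))
```

The server-side `CERT_REQUIRED` is what makes the channel authenticated in both directions; without it the C&C would accept events from any host that can reach the port. On Python 3.10 and later a fresh context already defaults to a TLS 1.2 minimum, so the version check mostly catches older interpreters or contexts that were deliberately lowered.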
28 Standardized AD Input MRS-028
Security events and alerts used as raw input to the AD subsystem SHALL follow either a standardized data schema or an open-source specification (e.g., syslog).
Rationale
To foster adoption, improve data management efficiency and robustness, enable code reuse (parsing, (de)serialization, and marshalling libraries), and to avoid proprietary formats and vendor lock-in.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | C |
| importance | 2 |
| urgency | 1 |
| vm | I |
| release | Alpha |
29 Data Collection Scalability MRS-029
IDPS-ESCAPE endpoint monitoring SHALL be able to monitor at least 5 endpoint nodes capable of running IDPS-ESCAPE sensors/agents.
Rationale
To address stakeholder scalability needs.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | O |
| importance | 3 |
| urgency | 2 |
| vm | T |
| release | Alpha |
30 Deep Learning Technique MRS-030
The AD subsystem SHALL use an ML technique to detect anomalies, relying on a deep learning method, with the definition of the concrete AD solution traced to the mathematical specification of AD for the selected algorithm.
Rationale
To address stakeholder needs and project proposal requirements and constraints.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-027 ML-Based Anomaly Detection, SRS-038 Joint Host-Network Training, SRS-047 Interactive Use Case Builder, SRS-048 Default Detector Training
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | A |
| release | Alpha |
31 Multiple ML Techniques MRS-031
The AD subsystem MAY use several different ML techniques to detect anomalies.
Rationale
To allow for the use of different types of data and methods to consolidate, improve, validate and extend AD capabilities.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-002 ADBox architecture, SRS-028 Algorithm Comparison Feature, SRS-039 Algorithm Selection Option
| Attribute | Value |
|---|---|
| type | F |
| importance | 1 |
| urgency | 1 |
| vm | R |
| release | Alpha |
32 Host and Network Ingestion MRS-032
IDPS-ESCAPE SHALL provide a data ingestion solution capable of retrieving endpoint observation data from both host and network events.
Rationale
To enable holistic system monitoring.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-029 Host & Network Ingestion
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
| release | Alpha |
33 API Data Retrieval MRS-033
The AD subsystem SHALL retrieve data via the IDPS-ESCAPE API.
Rationale
To provide consolidated raw data capturing host and network level data for detecting anomalies.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 5 |
| vm | T |
| release | Alpha |
34 Standardized AD Output MRS-034
The AD subsystem SHALL output anomaly detection events to a log file using a machine-readable format (e.g., YAML, syslog).
Rationale
To ensure automation, programmatic access, wide and easy adoption, code reuse.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-030 AD Results Visualization, SRS-031 Training Loss Visualization, SRS-032 Predicted Anomalies Visualization
| Attribute | Value |
|---|---|
| type | C |
| importance | 3 |
| urgency | 3 |
| vm | T |
| release | Alpha |
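
One way to satisfy both MRS-028 and MRS-034 with a single format, shown as an added example rather than IDPS-ESCAPE code: anomaly events are emitted as RFC 5424 syslog lines whose STRUCTURED-DATA element carries the detection fields, and the same lines are parsed back, including the RFC's escaping of `"`, `\` and `]` inside parameter values. The SD-ID `ad@32473` (32473 is the enterprise number RFC 5424 reserves for its examples), the field names and the sample values are assumptions, not the project's schema.

```python
import re

SD_ID = "ad@32473"   # assumed SD-ID; 32473 is the enterprise number RFC 5424 uses in examples

# Constructed sample event; field names are assumptions, not IDPS-ESCAPE's schema.
SAMPLE_FIELDS = {"detector": "example-detector", "score": "0.97", "endpoint": "agent-07",
                 "features": "bytes_out,conn_rate", "note": 'contains " and ] and \\'}

# RFC 5424 section 6.3.3: inside a PARAM-VALUE the characters '"', '\' and ']'
# must be escaped with a backslash.
_SD_ESCAPE = str.maketrans({'"': '\\"', "\\": "\\\\", "]": "\\]"})

def _param(name, value):
    return '%s="%s"' % (name, str(value).translate(_SD_ESCAPE))

def format_ad_event(timestamp, host, app, msgid, fields, facility=4, severity=4):
    """One RFC 5424 line: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    Facility 4 is security/authorization, severity 4 is warning; PROCID is the NILVALUE."""
    pri = facility * 8 + severity
    sd = "[%s %s]" % (SD_ID, " ".join(_param(k, v) for k, v in fields.items()))
    return "<%d>1 %s %s %s - %s %s anomaly detected" % (pri, timestamp, host, app, msgid, sd)

_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)

def _parse_sd(s):
    """Parse STRUCTURED-DATA at the start of s; return ({sd_id: {name: value}}, MSG)."""
    if s.startswith("-"):                 # NILVALUE: no structured data
        return {}, s[1:].lstrip(" ")
    elems, i = {}, 0
    while i < len(s) and s[i] == "[":
        i += 1
        j = i
        while s[j] not in " ]":
            j += 1
        sd_id, params, i = s[i:j], {}, j
        while s[i] == " ":
            i += 1
            eq = s.index("=", i)
            name = s[i:eq]
            if s[eq + 1] != '"':
                raise ValueError("PARAM-VALUE must be quoted")
            i, buf = eq + 2, []
            while s[i] != '"':
                if s[i] == "\\" and s[i + 1] in '"\\]':
                    i += 1                # drop the backslash, keep the escaped character
                buf.append(s[i])
                i += 1
            params[name] = "".join(buf)
            i += 1                        # past the closing quote
        if s[i] != "]":
            raise ValueError("malformed SD-ELEMENT")
        i += 1
        elems[sd_id] = params
    return elems, s[i:].lstrip(" ")

def parse_ad_event(line):
    """Parse one RFC 5424 line into a dict; raises ValueError on malformed input."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    try:
        sd, msg = _parse_sd(m.group("rest"))
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA")
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "procid": m.group("procid"),
            "msgid": m.group("msgid"), "sd": sd, "msg": msg}

if __name__ == "__main__":
    line = format_ad_event("2024-05-02T10:15:30.123Z", "cc-node", "adbox", "AD01", SAMPLE_FIELDS)
    print(line)
    print(parse_ad_event(line))
```

Keeping the detection fields in the SD element rather than in the free-text MSG is what makes the file machine-readable in the sense of MRS-034: a consumer can look up `ad@32473` by SD-ID and never has to guess at the message wording, and the escaping rules mean values that themselves contain `]` or `"` survive the round trip.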
35 Secure Log Storage MRS-035
The C&C subsystem SHALL store log files containing anomaly detection events as well as detection and observation data originating from endpoint monitoring agents on nodes located within the same trust boundary as the C&C subsystem.
Rationale
To ensure confidentiality and integrity with respect to adversaries.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | S |
| importance | 4 |
| urgency | 3 |
| vm | A |
| release | Alpha |
36 Secure pcap Storage MRS-036
The C&C subsystem SHALL store pcap files (if any) on nodes located within the same trust boundary as the C&C subsystem.
Rationale
To ensure confidentiality and integrity with respect to adversaries.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | S |
| importance | 4 |
| urgency | 3 |
| vm | A |
| release | Alpha |
37 Multiple Deployment Models MRS-037
The IDPS-ESCAPE architecture SHOULD define at least two deployment models for network-based intrusion detection, one relying on a monitoring and detection (MD) engine running on each monitored node, and another relying on a single MD receiving consolidated raw input originating from multiple monitored nodes, e.g., using channel redirection.
Rationale
To provide flexibility and potential for adapting and improving performance.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-033 Remote Endpoint Deployment
| Attribute | Value |
|---|---|
| type | O |
| importance | 3 |
| urgency | 3 |
| vm | R |
| release | Alpha |
38 pcap Support MRS-038
IDPS-ESCAPE SHOULD capture network traffic using a pcap-based API.
Rationale
To ensure reuse and wide adoption, and to rely on known, standards-based arguments.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | C |
| importance | 2 |
| urgency | 2 |
| vm | T |
| release | Alpha |
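
Added example for MRS-038, also applicable to the static pcap data sets mentioned in MRS-039; it is not IDPS-ESCAPE code. It writes and reads the classic libpcap file container with the standard library only, detecting both byte orders and the microsecond and nanosecond magic numbers, clipping records to the snaplen on write, and rejecting inconsistent or truncated records on read. The frame bytes are constructed for the example and are treated as opaque by the container format.

```python
import struct
import io

PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps in microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps in nanoseconds
LINKTYPE_ETHERNET = 1

# Constructed 60-byte Ethernet frame (broadcast dst, locally administered src,
# IPv4 ethertype, zero payload); its contents are opaque to the container format.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + bytes(46)

def write_pcap(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET, big_endian=False):
    """packets: iterable of (ts_sec, ts_usec, frame_bytes). Returns the pcap file as bytes."""
    e = ">" if big_endian else "<"
    out = io.BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out.write(struct.pack(e + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        incl = min(len(data), snaplen)            # captured length is clipped to snaplen
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out.write(struct.pack(e + "IIII", ts_sec, ts_usec, incl, len(data)))
        out.write(data[:incl])
    return out.getvalue()

def read_pcap(blob):
    """Parse an in-memory pcap file.
    Returns (header dict, [(ts_sec, ts_frac, data, orig_len), ...]); raises ValueError on bad input."""
    if len(blob) < 24:
        raise ValueError("truncated global header")
    magic_le = struct.unpack("<I", blob[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        e, magic = "<", magic_le
    elif magic_le in (0xD4C3B2A1, 0x4D3CB2A1):        # the same magics written big-endian
        e, magic = ">", struct.unpack(">I", blob[:4])[0]
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic_le)
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(e + "HHiIII", blob[4:24])
    header = {"version": (major, minor), "snaplen": snaplen, "linktype": linktype,
              "nanosecond": magic == PCAP_MAGIC_NSEC, "big_endian": e == ">"}
    packets, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl, orig = struct.unpack(e + "IIII", blob[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig:
            raise ValueError("inconsistent incl_len %d at offset %d" % (incl, off - 16))
        if len(blob) - off < incl:
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_frac, blob[off:off + incl], orig))
        off += incl
    return header, packets

def sample_capture(big_endian=False):
    """Two constructed records; the second exceeds the 100-byte snaplen and gets clipped."""
    records = [(1714644930, 123456, SAMPLE_FRAME), (1714644931, 0, SAMPLE_FRAME * 2)]
    return write_pcap(records, snaplen=100, big_endian=big_endian)

if __name__ == "__main__":
    hdr, pkts = read_pcap(sample_capture())
    print(hdr)
    for ts_sec, ts_frac, data, orig in pkts:
        print("%d.%06d captured=%d on_wire=%d" % (ts_sec, ts_frac, len(data), orig))
```

The `incl_len`/`orig_len` pair is the detail a consumer of forwarded captures (MRS-008) has to respect: a record whose captured length is shorter than its wire length was clipped at the sensor, so byte counts for AD features should come from `orig_len`, while any parsing of the payload must stop at `incl_len`.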
39 Offline AD MRS-039
The AD subsystem SHALL be able to perform offline AD using static input, e.g., static data sets compiled from a pcap-based API or SIEM indices.
Rationale
To mitigate the risk of poor online detection as well as design and implementation obstacles.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-035 Offline Anomaly Detection
| Attribute | Value |
|---|---|
| type | F |
| importance | 2 |
| urgency | 2 |
| vm | T |
| release | Alpha |
40 Signature-Based NIDS MRS-040
IDPS-ESCAPE SHALL include a signature-based network intrusion detection engine.
Rationale
To build on the mature and existing rule-based detection and CTI body of knowledge, and to mitigate the risk of low AD detection rates.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-003 IDPS-ESCAPE context, SRS-036 Custom NIDS Rules
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
41 Standalone AD Subsystem MRS-041
The AD subsystem SHALL run as an independent process, i.e., as a standalone UNIX process.
Rationale
To ensure autonomy, self-sufficiency, extensibility, flexibility, and to minimize dependency on third-party tools.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| importance | 3 |
| urgency | 3 |
| vm | T |
| release | Alpha |