1 MRS-001
The IDPS-ESCAPE source code and technical documentation SHALL be made available as open-source software using either a permissive or a copyleft software license.
| Attribute | Value |
|---|---|
| type | B |
| rationale | To comply with organizational and project constraints. |
| importance | 5 |
| urgency | 1 |
| vm | I |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
2 MRS-002
The IDPS-ESCAPE system architecture SHALL define a centralized subsystem, throughout called command-and-control (C&C), for updating user-exposed settings of subsystems tackling data collection, intrusion detection and prevention.
Child links: HARC-001 ADBox subsystem, SRS-001, SRS-002, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To centralize and simplify agent/sensor configuration management. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
3 MRS-003
The IDPS-ESCAPE system architecture SHALL define end-point monitoring agents/sensors that gather host and network data and relay the said data back to the C&C.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To enable a multi-node deployment of monitoring endpoints and centralization of data collection. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
4 MRS-004
The IDPS-ESCAPE system architecture SHALL include a multivariate anomaly detection (AD) subsystem to detect anomalies across at least two features/dimensions in at least one of the following types of security event capturing data sets: host-based and network-based.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-037, SRS-040
| Attribute | Value |
|---|---|
| type | A |
| rationale | To detect deviations from an a priori normal baseline system behavior, possibly caused by malicious actors. |
| importance | 5 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
5 MRS-005
The IDPS-ESCAPE system architecture SHALL include a host-based intrusion detection system (HIDS) with agents deployed on the of hosts' monitored system, that can be enabled/disabled by the user.
Child links: HARC-003 IDPS-ESCAPE context, SRS-003, SRS-004
| Attribute | Value |
|---|---|
| type | A |
| rationale | To support host-based IDS. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
6 MRS-006
The IDPS-ESCAPE system architecture SHALL include a network-based intrusion detection system (NIDS) covering channels between endpoints running IDPS-ESCAPE subsystems, that can be enabled/disabled by the user.
Child links: HARC-003 IDPS-ESCAPE context, SRS-005
| Attribute | Value |
|---|---|
| type | A |
| rationale | To support network-based IDS. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
7 MRS-007
The subsystems of IDPS-ESCAPE SHOULD include intrusion prevention (IP) capabilities.
Child links: HARC-003 IDPS-ESCAPE context, SRS-006
| Attribute | Value |
|---|---|
| type | F |
| rationale | To be able to take reactive corrective measures and mitigate intrusions. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
8 MRS-008
The IDPS-ESCAPE network sensors SHOULD be able to capture and forward raw network traffic to the C&C server.
Child links: HARC-003 IDPS-ESCAPE context, SRS-007
| Attribute | Value |
|---|---|
| type | F |
| rationale | To collect events for threat hunting and CTI operations, reducing the NIDS overhead and to do customized AD. |
| importance | 3 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
9 MRS-009
The IDPS-ESCAPE end-point monitoring components MAY be deployed in Docker containers.
Child links: SRS-008
| Attribute | Value |
|---|---|
| type | O |
| rationale | To ensure the following properties: consistent and reproducible environments, isolation, resource efficiency, scalability, portability, fast spawning and shutdown, improved CI/CD, support of micro services architecture, improved dependency management. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
11 MRS-011
IDPS-ESCAPE SHALL include a signature-based host intrusion detection engine.
Child links: HARC-003 IDPS-ESCAPE context, SRS-009
| Attribute | Value |
|---|---|
| type | F |
| rationale | To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk. |
| importance | 5 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
12 MRS-012
The IDPS-ESCAPE system architecture SHALL include an XDR & SIEM subsystem (see the system concept for definitions).
Child links: HARC-003 IDPS-ESCAPE context, SRS-010
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ingest data from tools in an security technology stack to create greater context for Security Operations Center (SOC) teams to perform faster threat detection, investigation, and response. |
| importance | 5 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
13 MRS-013
The IDPS-ESCAPE system architecture SHOULD include a subsystem providing a data visualization dashboard capable of presenting data collected by the endpoint monitoring agents; precise feature definitions are deferred to system requirement specifications (SRS).
Child links: HARC-003 IDPS-ESCAPE context, SRS-011, SRS-012, SRS-013
| Attribute | Value |
|---|---|
| type | A |
| rationale | To improve accessibility and easy-of-use for IDPS-ESCAPE end-users (e.g., security engineers, CTI analysts, etc.). |
| importance | 4 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
14 MRS-014
IDPS-ESCAPE SHALL provide an API for retrieving data obtained from the IDPS-ESCAPE endpoint monitoring agents.
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enable programmatic access to data gathered by IDPS-ESCAPE endpoint agents. |
| importance | 4 |
| urgency | 4 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
15 MRS-015
The C&C subsystem of IDPS-ESCAPE SHALL provide the user with a software configuration management (SCM) mechanism (e.g., a CLI or configuration files) to set the user-adjustable parameters of subsystems and modules scoped within the C&C system boundary.
Child links: SRS-016, SRS-017, SRS-018, SRS-019, SRS-020, SRS-021, SRS-022
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable centralize management of subsystems controlled by the C&C. |
| importance | 4 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
16 MRS-016
The SCM mechanism SHALL provide a (de)registration solution for the removal and addition of end-point monitoring agents.
Child links: SRS-023
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable a non-static configuration of monitored nodes. |
| importance | 4 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
17 MRS-017
The IDPS-ESCAPE system architecture SHALL include a frontend subsystem presenting monitoring outcomes to the end-user, with the specific outcome definitions deferred to system requirement specifications (SRS).
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To allow end-users to monitor complex indicators more easily. |
| importance | 3 |
| urgency | 2 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
18 MRS-018
The IDPS-ESCAPE system architecture design SHALL include a data management subsystem aimed at consolidating access to data obtained from endpoint monitoring agents such as events, alerts and statistics.
Child links: HARC-003 IDPS-ESCAPE context, SRS-024
| Attribute | Value |
|---|---|
| type | A |
| rationale | To simplify programmatic access to security alert and event data and to ensure a single source of truth. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
19 MRS-019
The IDPS-ESCAPE architecture SHOULD integrate third-party open-source tools for signature-based intrusion detection.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To capitalize on and build upon existing open-source capabilities. |
| importance | 2 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
20 MRS-020
The IDPS-ESCAPE architecture SHALL rely on a platform-independent solution (e.g., containerization-based) enabling the C&C subsystem and endpoint monitoring agents to run on the following operating systems: Windows 10/11 64-bit, MacOS 10.12 above and GNU/Linux-based distributions based on Debian such as Ubuntu.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ensure cross-platform compatibility and portability. |
| importance | 3 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
21 MRS-021
The deployment solution of IDPS-ESCAPE for the C&C subsystem and the endpoint monitoring agents SHALL make use of installation scripts (e.g., Shell or Python) that can be integrated into infrastructure-as-code paradigms used for automating scalable VM-based technology stacks used in cloud environments.
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable deployments in cloud infrastructures. |
| importance | 4 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
22 MRS-022
The IDPS-ESCAPE architecture SHALL define endpoint monitoring for networked nodes capable of running IDPS-ESCAPE agents/sensors and relying on network connections between the said agents and the C&C subsystem.
Child links: HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To allow sensors/agents and the central server to be deployable across multiple distinct nodes. |
| importance | 4 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
23 MRS-023
The SIEM subsystem SHOULD include threat enumeration based on a mapping of security incident detections to MITRE ATT&CK entries.
Child links: SRS-025
| Attribute | Value |
|---|---|
| type | F |
| rationale | To improve and speed up threat detection and classification, thereby facilitating CTI analysis. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
24 MRS-024
The IDPS-ESCAPE system architecture SHOULD include a mechanism for an API-based integration with at least one threat intelligence platform (TIP), e.g., MISP, with integration here referring to sending detection alert information to a TIP and receiving additional threat intelligence from the said TIP.
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enhance cyber threat Intelligence capabilities by capitalizing on mature TIPs. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
25 MRS-025
IDPS-ESCAPE SHALL provide an API for retrieving threat detection events and security information gathered by agents/sensors.
Child links: SRS-026
| Attribute | Value |
|---|---|
| type | I |
| rationale | To enable programmatic access, which would also in turn support integration with SATRAP-DL. |
| importance | 4 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
26 MRS-026
IDPS-ESCAPE SHALL be designed and developed following the C5-DEC model, methodology, and tools.
| Attribute | Value |
|---|---|
| type | C |
| rationale | To comply with project requirements and to follow a consistent and well-defined process, while improving development security. |
| importance | 5 |
| urgency | 5 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
27 MRS-027
Communication between IDPS-ESCAPE subsystems/modules/components that do not reside in the same system/trust/cryptographic boundaries SHALL occur over authenticated and encrypted channels.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to malicious actors (adversaries). |
| importance | 5 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
28 MRS-028
Security events and alerts used as raw input to the AD subsystem SHALL either follow a standardized data scheme or an open-source specification (e.g., syslog).
| Attribute | Value |
|---|---|
| type | C |
| rationale | To foster adoption, improve data management efficiency and robustness, enable code reuse (parsing, (de)serialization, and marshalling libraries), and to avoid proprietary formats and vendor lock-in. |
| importance | 2 |
| urgency | 1 |
| vm | I |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
29 MRS-029
IDPS-ESCAPE endpoint monitoring SHALL be able to monitor at least 5 endpoint nodes capable of running IDPS-ESCAPE sensors/agents.
| Attribute | Value |
|---|---|
| type | O |
| rationale | To address stakeholder scalability needs. |
| importance | 3 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
30 MRS-030
The AD subsystem SHALL use an ML technique to detect anomalies, relying on a deep learning method, with the definition of the concrete AD solution traced to the mathematical specification of AD for the selected algorithm.
| Attribute | Value |
|---|---|
| type | F |
| rationale | To address stakeholder needs and project proposal requirements and constraints. |
| importance | 4 |
| urgency | 4 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
31 MRS-031
The AD subsystem MAY use several different ML techniques to detect anomalies.
Child links: HARC-002 ADBox architecture, SRS-028, SRS-039
| Attribute | Value |
|---|---|
| type | F |
| rationale | To allow for the use of different types of data and methods to consolidate, improve, validate and extend AD capabilities. |
| importance | 1 |
| urgency | 1 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
32 MRS-032
IDPS-ESCAPE SHALL provide a data ingestion solution capable of retrieving endpoint observation data from both host and network events.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-029
| Attribute | Value |
|---|---|
| type | F |
| rationale | To enable holistic system monitoring. |
| importance | 5 |
| urgency | 4 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
33 MRS-033
The AD subsystem SHALL retrieves data retrieved via the IDPS-ESCAPE API.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | F |
| rationale | To provide consolidated raw data capturing host and network level data for detecting anomalies. |
| importance | 4 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
34 MRS-034
The AD subsystem SHALL output anomaly detection events to a log file using a machine-readable format (e.g., YAML, syslog).
Child links: SRS-030, SRS-031, SRS-032
| Attribute | Value |
|---|---|
| type | C |
| rationale | To ensure automation, programmatic access, wide and easy adoption, code reuse. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
35 MRS-035
The C&C subsystem SHALL store log files containing anomaly detection events as well as detection and observation data originating from endpoint monitoring agents on nodes located within the same trust boundary as the C&C subsystem.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to adversaries. |
| importance | 4 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
36 MRS-036
The C&C subsystem SHALL store pcap files (if any) on nodes located within the same trust boundary as the C&C subsystem.
| Attribute | Value |
|---|---|
| type | S |
| rationale | To ensure confidentiality and integrity with respect to adversaries. |
| importance | 4 |
| urgency | 3 |
| vm | A |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
37 MRS-037
The IDPS-ESCAPE architecture SHOULD define at least two deployment models for network-based intrusion detection, one relying on a monitoring and detection (MD) engine running on each monitored node, and another relying on a single MD receiving consolidated raw input originating from multiple monitored nodes, e.g., using channel redirection.
Child links: HARC-003 IDPS-ESCAPE context, SRS-033
| Attribute | Value |
|---|---|
| type | O |
| rationale | To provide flexibility and potential for adapting and improving performance. |
| importance | 3 |
| urgency | 3 |
| vm | R |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
38 MRS-038
IDPS-ESCAPE SHOULD capture network traffic using a pcap-based API.
| Attribute | Value |
|---|---|
| type | C |
| rationale | To ensure reuse, wide adoption and known standards-based arguments. |
| importance | 2 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
39 MRS-039
The AD subsystem SHALL be able to perform off-line AD using static input, e.g., data static data sets compiled from a pcap-based API or SIEM indices.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context, SRS-035
| Attribute | Value |
|---|---|
| type | F |
| rationale | To mitigate the risk of poor online detection as well as design and implementation obstacles. |
| importance | 2 |
| urgency | 2 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
40 MRS-040
IDPS-ESCAPE SHALL include a signature-based network intrusion detection engine.
Child links: HARC-003 IDPS-ESCAPE context, SRS-036
| Attribute | Value |
|---|---|
| type | F |
| rationale | To build on the mature and existing rule-based detection and CTI body of knowledge and to mitigate low AD detection risk. |
| importance | 5 |
| urgency | 5 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |
41 MRS-041
The AD subsystem SHALL run as an independent process, i.e., as a standalone UNIX process.
Child links: HARC-001 ADBox subsystem, HARC-002 ADBox architecture, HARC-003 IDPS-ESCAPE context
| Attribute | Value |
|---|---|
| type | A |
| rationale | To ensure autonomy, self-sufficiency, extensibility, flexibility, and to minimize dependency on third-party tools. |
| importance | 3 |
| urgency | 3 |
| vm | T |
| acceptance-criteria | Successful validation according to the corresponding test case specification |
| release | Alpha |