IDPS-ESCAPE
Product presentation

IDPS-ESCAPE: AI-driven intrusion detection and automated security response

IDPS-ESCAPE turns detection into action. It combines signature-based engines (Wazuh, Suricata) with machine learning anomaly detection to catch both known and emerging threats — then automatically fires risk-scaled responses, from alert emails to host isolation, enriched with live cyber threat intelligence. Incident cases are created automatically, closing the loop from detection to remediation. Built for SMEs, SOC teams, and CERT/CSIRT entities under the CyFORT project.

- Hybrid detection: signature + AI-based anomaly detection
- 3-tier response: Low, Medium, and High risk
- CTI integration: live threat intelligence via SATRAP-DL
- Full traceability: interlinked specs via the C5-DEC method

[Figure: SONAR anomaly detection dashboard]

Core capabilities

From detection to response

SONAR — multivariate anomaly detection

Microsoft MTAD-GAT multivariate time-series anomaly detection run over Wazuh alerts. Scenarios are defined in YAML, an offline debug mode allows replaying stored alerts without a live stack, and detection results are shipped directly into Wazuh where RADAR consumes them.

Tags: Microsoft MTAD-GAT, YAML scenarios, Debug mode

RADAR — risk-aware automated response

RRCF (Robust Random Cut Forest) behavioral anomaly detection combined with signature detection, deployed through Ansible Infrastructure-as-Code. Tiered active responses scale automatically with the computed risk level.

Tags: RRCF, Ansible IaC, Active response

Hybrid detection engine

Three-layer defense in depth: Wazuh/Suricata signature rules catch known attack patterns, RADAR (RRCF) flags behavioral anomalies on individual streams, and SONAR (MTAD-GAT) identifies multivariate time-series anomalies across alert streams.

Tags: Wazuh, Suricata, Defense-in-depth

CTI enrichment via DECIPHER

SATRAP-DL's DECIPHER subsystem queries MISP IOC feeds for blacklisted IPs, malicious domains, and file hash indicators. The resulting CTI score T is fused into the normalized risk score R.

Tags: DECIPHER, SATRAP-DL, MISP

Flowintel case management

Incident cases are created automatically by DECIPHER in Flowintel when risk thresholds are crossed. Alert emails include the case URL, risk score breakdown, and full IOC context.

Tags: Flowintel, Case creation, Tiered alerts

Ansible IaC deployment

Zero-touch deployment of Wazuh manager and agents, OpenSearch AD detectors, monitors, webhooks, and active response scripts via reproducible Ansible playbooks.

Tags: Ansible, Docker, Reproducible

MAPE-K automated response cycle

Monitor to response, continuously
1. Monitor

Wazuh agents and Suricata sensors collect logs, network events, and endpoint telemetry, feeding the OpenSearch indexer in real time.

2. Analyze

SONAR (MTAD-GAT multivariate ML) and RADAR (RRCF behavioral) detect anomalies. Wazuh rules simultaneously match known signature attack patterns.

3. Plan

The RADAR risk engine fuses anomaly intensity A, signature risk S, and the DECIPHER CTI score T into a weighted sum R = wₐ·A + wₛ·S + wₜ·T, and assigns a Low, Medium, or High response tier from R.

4. Execute

Active responses fire automatically: email alerts, Flowintel incident case creation, and stronger actions (IP block, host isolation, credential disable), each scaled to the risk tier.

5. Knowledge

DECIPHER queries MISP IOC feeds to keep threat intelligence current. Flowintel accumulates case history and SONAR models are retrained with fresh alert evidence.
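The Plan step above, worked through as an added Python example. This is illustration code, not IDPS-ESCAPE or RADAR code: the page only states the fused form R = wₐ·A + wₛ·S + wₜ·T and the three tiers, so the weights, tier thresholds, alert field names, the constructed IOC feed standing in for MISP, and the tier-to-action table are all assumptions chosen here. It also shows how a malformed observable in an alert is handled (no match, no crash).

```python
"""Risk fusion and tiering for the MAPE-K Plan step (added example).

Not IDPS-ESCAPE code.  Weights, thresholds, field names, IOC feed and the
tier-to-action table are assumptions; only R = w_A*A + w_S*S + w_T*T and
the Low/Medium/High tiers come from the product description.
"""
import ipaddress

# Assumed weights; they sum to 1 so R stays in [0, 1] when A, S, T do.
WEIGHTS = {"A": 0.4, "S": 0.3, "T": 0.3}
# Assumed tier thresholds on R, checked from highest to lowest.
TIERS = ((0.7, "High"), (0.4, "Medium"), (0.0, "Low"))
# Assumed tier-to-response table: the page names these actions but does not
# state which tier fires which.
ACTIONS = {
    "Low": ["email_alert"],
    "Medium": ["email_alert", "flowintel_case"],
    "High": ["email_alert", "flowintel_case", "firewall_drop", "host_isolate"],
}
# Constructed stand-in for the MISP IOC feed that DECIPHER would query.
IOC_FEED = {
    "ip": [ipaddress.ip_network("203.0.113.0/24")],  # TEST-NET-3 (RFC 5737)
    "domain": {"evil.example"},
    "sha256": {"a" * 64},
}
WAZUH_MAX_LEVEL = 15  # Wazuh rule levels run 0..15


def signature_score(alert):
    """S: the Wazuh rule level scaled to [0, 1]."""
    level = int(alert.get("rule", {}).get("level", 0))
    return min(max(level, 0), WAZUH_MAX_LEVEL) / WAZUH_MAX_LEVEL


def cti_score(alert, feed=IOC_FEED):
    """T: share of the alert's observables found in the IOC feed, plus the
    matched indicators (the IOC context an alert email would carry).
    T is 0 when the alert carries no observables at all."""
    data = alert.get("data", {})  # constructed field layout, see SAMPLE_ALERTS
    checks = [("ip", data[k]) for k in ("srcip", "dstip") if k in data]
    if "hostname" in data:
        checks.append(("domain", data["hostname"].lower()))
    if "sha256" in data:
        checks.append(("sha256", data["sha256"].lower()))
    if not checks:
        return 0.0, []
    matched = []
    for kind, value in checks:
        if kind == "ip":
            try:
                hit = any(ipaddress.ip_address(value) in n for n in feed["ip"])
            except ValueError:  # malformed address: treat as no match
                hit = False
        else:
            hit = value in feed[kind]
        if hit:
            matched.append(f"{kind}:{value}")
    return len(matched) / len(checks), matched


def fuse(a, s, t, weights=WEIGHTS):
    """R = w_A*A + w_S*S + w_T*T, clamped to [0, 1]."""
    r = weights["A"] * a + weights["S"] * s + weights["T"] * t
    return min(max(r, 0.0), 1.0)


def tier_for(r, tiers=TIERS):
    """Map R to the first tier whose threshold it reaches."""
    for threshold, name in tiers:
        if r >= threshold:
            return name
    return tiers[-1][1]


def plan(alert, anomaly_intensity):
    """Plan step: fuse A (from SONAR/RADAR), S and T into R, pick the tier and
    its responses.  The returned breakdown is what an alert email would show."""
    s = signature_score(alert)
    t, iocs = cti_score(alert)
    r = fuse(anomaly_intensity, s, t)
    tier = tier_for(r)
    return {"A": anomaly_intensity, "S": s, "T": t, "R": r,
            "tier": tier, "iocs": iocs, "actions": ACTIONS[tier]}


# Constructed sample alerts in a Wazuh-like shape (not real telemetry),
# each paired with an assumed anomaly intensity A.
SAMPLE_ALERTS = [
    ({"rule": {"level": 12}, "agent": {"name": "web01"},
      "data": {"srcip": "203.0.113.45", "hostname": "evil.example"}}, 0.5),
    ({"rule": {"level": 7}, "agent": {"name": "db02"},
      "data": {"srcip": "198.51.100.7"}}, 0.7),
    ({"rule": {"level": 3}, "agent": {"name": "app03"},
      "data": {"srcip": "not-an-ip"}}, 0.1),
]

if __name__ == "__main__":
    for alert, a in SAMPLE_ALERTS:
        p = plan(alert, a)
        print(f"{alert['agent']['name']}: R={p['R']:.2f} tier={p['tier']} "
              f"actions={p['actions']} iocs={p['iocs']}")
```

With the assumed weights the first sample lands in High (two IOC hits and a level-12 rule), the second in Medium on anomaly intensity alone, and the third in Low; the unparsable source address in the third alert simply contributes no CTI match.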