Abstractions Lab announces the stable release of IDPS-ESCAPE v1.0, now available on GitHub.
This milestone marks the transition from research prototype to production-ready platform, with a browser-based control panel for RADAR, a Ruleset-as-Code CI/CD pipeline, and targeted SONAR improvements. For a visual tour, visit the product presentation page.

Since the last announcement, v0.9 extended detection coverage to Apache and Nginx web access logs and added multi-node Wazuh deployment support. v0.10 introduced default rules for rapid deployment, SONAR per-bucket maximum aggregation, alert filtering, and derived features computed from resource monitoring. v1.0 completes this progression with a fully operational web control panel for RADAR, encrypted credential management with Ansible Vault, a GitHub Actions Ruleset-as-Code pipeline, and an upgrade of the SpecEngine to C5-DEC v1.3, all within a hardened, fully documented, and specification-complete release.
What Is IDPS-ESCAPE?
IDPS-ESCAPE is an AI-driven intrusion detection and automated response platform combining signature-based detection (Wazuh, Suricata) with machine-learning anomaly detection, orchestrated through a MAPE-K control loop. Three subsystems work together end-to-end:
RADAR fuses an ML anomaly score from the RRCF (Robust Random Cut Forest) algorithm, a signature-based risk value, and a CTI score derived from live threat intelligence supplied by DECIPHER into a single normalized risk score, which drives a three-tier proportionate response: notification, incident case creation, or active host remediation.
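To make the fusion-and-tiering step concrete, here is an added illustration in Python. It is not RADAR's code: the weights, the normalisation applied to each input, the tier boundaries and the per-tier actions are assumptions chosen for the example, and the signal values are constructed.

```python
"""Illustrative risk fusion and tiering in the style described for RADAR.

Added example, not the project's own code: the weights, the clamping, the
tier boundaries and the per-tier actions are assumptions chosen for
illustration, not RADAR's actual formula or defaults.
"""
from dataclasses import dataclass

# Assumed relative weights of the three inputs (must sum to 1.0).
WEIGHTS = {"ml": 0.4, "signature": 0.4, "cti": 0.2}

# Assumed tier boundaries on the normalized score in [0, 1].
TIERS = [
    (0.0, "low", "notify"),           # tier 1: notification only
    (0.4, "medium", "open_case"),     # tier 2: incident case creation
    (0.7, "high", "remediate_host"),  # tier 3: active host remediation
]


@dataclass(frozen=True)
class Signals:
    ml_anomaly: float      # RRCF anomaly score, any non-negative value
    ml_cutoff: float       # score treated as a full (1.0) anomaly (assumed)
    sig_level: int         # Wazuh rule level 0..16
    cti_hits: int          # number of matching IOCs from CTI
    cti_saturation: int    # hits treated as full (1.0) CTI confidence (assumed)


def clamp01(x):
    return max(0.0, min(1.0, x))


def normalize(s):
    """Map each raw signal onto [0, 1] so the weights are comparable."""
    return {
        "ml": clamp01(s.ml_anomaly / s.ml_cutoff),
        "signature": clamp01(s.sig_level / 16.0),
        "cti": clamp01(s.cti_hits / s.cti_saturation),
    }


def fuse(s, weights=WEIGHTS):
    """Weighted linear fusion of the normalized inputs; result lies in [0, 1]."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    n = normalize(s)
    return round(sum(weights[k] * n[k] for k in weights), 4)


def tier_for(score, tiers=TIERS):
    """Pick the highest tier whose lower bound the score reaches."""
    chosen = tiers[0]
    for bound, name, action in tiers:
        if score >= bound:
            chosen = (bound, name, action)
    return chosen[1], chosen[2]


def respond(s):
    """Fuse the signals and map the score to a tier and its planned action."""
    score = fuse(s)
    tier, action = tier_for(score)
    return {"score": score, "tier": tier, "action": action}


if __name__ == "__main__":
    # Constructed signal sets, not real telemetry.
    quiet = Signals(ml_anomaly=0.5, ml_cutoff=2.0, sig_level=3, cti_hits=0, cti_saturation=3)
    noisy = Signals(ml_anomaly=3.0, ml_cutoff=2.0, sig_level=12, cti_hits=2, cti_saturation=3)
    print(respond(quiet))   # low tier, notification only
    print(respond(noisy))   # high tier, host remediation
```

The clamping matters in practice: an unbounded RRCF score or a large IOC hit count would otherwise let one input dominate the sum and push the score past the top tier boundary by itself.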
DECIPHER (via SATRAP-DL) enriches medium- and high-risk events with MISP-backed threat intelligence and automatically opens Flowintel incident cases with full detection context — scenario type, risk tier, and IOC set — without manual SOC intervention.
SONAR ingests Wazuh alert streams and trains multivariate deep learning models (Microsoft's MTAD-GAT) from versioned YAML scenario files. A pre-built scenario covers Linux resource consumption; prototype scenarios for authentication patterns, GeoIP anomalies, log volume changes, and suspicious logins are included and can be developed further on demand.
Key Highlights Of V1.0
RADAR Web Interface
Every operational aspect of RADAR is now configurable through a browser. The Active Responses page lets operators tune risk weights, tier boundaries, and per-tier mitigation actions for each scenario — and see the risk fusion formula at a glance. The Infrastructure page manages the Ansible inventory; the Connectors page handles credentials for all integrated services; the Deploy page triggers build, run, and health-check operations with live streaming output. Credentials are secured throughout: sudo passwords are encrypted at rest via Ansible Vault and SSH passphrases are held in a server-side in-memory session, never written to disk.
Ruleset As Code
Detection rules and decoders are now version-controlled alongside the rest of the platform, reviewed in pull requests, and deployed automatically through a GitHub Actions pipeline — eliminating direct server access and treating detection logic as first-class code.
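A pipeline like this is only as safe as the validation it runs before deployment, and the deploy credential it holds becomes the asset to protect. The following added Python check illustrates the pull-request validation stage; it is not the project's own workflow. It parses Wazuh rule files (which may carry several top-level <group> elements, so the file is wrapped in a synthetic root before parsing) and rejects duplicate IDs, IDs outside the 100000-120000 range Wazuh reserves for custom rules (unless the rule overwrites a built-in one), levels outside 0-16, and rules without a description. The sample rule file is constructed.

```python
"""CI check for Wazuh custom rule files before they are deployed.

Added example, not the project's pipeline code. The accepted ID range
(100000-120000) and level range (0-16) follow Wazuh's custom-rule
conventions; the sample rule file below is constructed.
"""
import xml.etree.ElementTree as ET

CUSTOM_ID_RANGE = range(100000, 120001)  # range Wazuh reserves for custom rules
LEVEL_RANGE = range(0, 17)               # Wazuh alert levels 0..16


def parse_rules(text):
    """Wazuh rule files may contain several top-level <group> elements, which
    is not well-formed XML on its own, so wrap the file in a synthetic root."""
    return ET.fromstring("<ruleset>" + text + "</ruleset>")


def lint_rules(text, seen_ids=None):
    """Return a list of findings for one rule file (empty list means it passes).
    Pass the same seen_ids set across files to catch cross-file duplicates."""
    findings = []
    seen_ids = set() if seen_ids is None else seen_ids
    try:
        root = parse_rules(text)
    except ET.ParseError as exc:
        return ["XML parse error: %s" % exc]
    for rule in root.iter("rule"):
        rid = rule.get("id")
        level = rule.get("level")
        label = "rule id=%r" % rid
        if rid is None or not rid.isdigit():
            findings.append(label + ": missing or non-numeric id")
            continue
        if int(rid) in seen_ids:
            findings.append(label + ": duplicate id")
        seen_ids.add(int(rid))
        # Rules that overwrite a built-in rule legitimately reuse its id.
        if rule.get("overwrite") != "yes" and int(rid) not in CUSTOM_ID_RANGE:
            findings.append(label + ": id outside custom range 100000-120000")
        if level is None or not level.isdigit() or int(level) not in LEVEL_RANGE:
            findings.append(label + ": level must be an integer 0-16")
        desc = rule.findtext("description")
        if not desc or not desc.strip():
            findings.append(label + ": missing <description>")
    return findings


# Constructed sample: two groups, one clean rule and three defective ones.
SAMPLE = """
<group name="local,sshd,">
  <rule id="100010" level="8">
    <if_sid>5716</if_sid>
    <description>sshd: authentication failure from non-whitelisted country</description>
  </rule>
  <rule id="100010" level="5">
    <description>duplicate id</description>
  </rule>
</group>
<group name="local,web,">
  <rule id="5710" level="20">
    <description>bad id range and bad level</description>
  </rule>
  <rule id="100011" level="3"></rule>
</group>
"""

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE):
        print(finding)
```

Run as a required status check on the pull request, a non-empty findings list blocks the merge, so the deploy job never ships a rule file that the Wazuh manager would reject or that silently shadows another rule's ID.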
Expanded Detection Coverage
A new GeoIP frequency rule flags coordinated high-rate authentication attempts from non-whitelisted countries. v1.0 also lays the groundwork for off-hour login detection using per-user behavioral baselines. These build on v0.9’s extension of GeoIP monitoring to Apache and Nginx web access logs and its introduction of multi-node Wazuh deployment support.
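As an added illustration of the frequency logic behind such a rule, the following Python sliding-window detector is not the project's rule: the allowlist, the threshold of five failures per 60 seconds, the fictional country names and the alert records are all constructed, and the alerts are modelled as flat dicts whose country field stands in for the GeoIP enrichment Wazuh attaches to an alert.

```python
"""GeoIP frequency detection over a stream of authentication-failure alerts.

Added example, not the project's rule. The allowlist, threshold, window and
sample alerts are constructed; "country" stands in for the country name that
Wazuh's GeoIP enrichment attaches to an alert.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"Luxembourg", "Germany", "France"}  # assumed allowlist
THRESHOLD = 5                                          # failures per window
WINDOW = timedelta(seconds=60)


class GeoIpFrequencyRule:
    """Sliding-window counter that fires at most once per country per window
    when failures from a non-allowlisted country reach the threshold."""

    def __init__(self, allowed=ALLOWED_COUNTRIES, threshold=THRESHOLD, window=WINDOW):
        self.allowed, self.threshold, self.window = allowed, threshold, window
        self.events = defaultdict(deque)   # country -> (timestamp, srcip) in window
        self.fired_at = {}                 # country -> time of last finding

    def feed(self, alert):
        """Return a finding dict when the rule fires for this alert, else None."""
        country = alert.get("country", "unknown")
        if country in self.allowed:
            return None
        ts = alert["timestamp"]
        q = self.events[country]
        q.append((ts, alert.get("srcip", "?")))
        while q and ts - q[0][0] > self.window:   # evict entries outside the window
            q.popleft()
        last = self.fired_at.get(country)
        if len(q) >= self.threshold and (last is None or ts - last > self.window):
            self.fired_at[country] = ts
            return {"country": country, "count": len(q),
                    "srcips": sorted({ip for _, ip in q}), "at": ts}
        return None


def run(alerts, rule=None):
    """Feed alerts in time order and collect the findings."""
    rule = rule or GeoIpFrequencyRule()
    findings = []
    for alert in sorted(alerts, key=lambda a: a["timestamp"]):
        finding = rule.feed(alert)
        if finding:
            findings.append(finding)
    return findings


def make_alerts():
    """Constructed sample: six failures from one non-allowlisted country in
    25 s (should fire once), six from an allowlisted country (should not),
    and three slow failures spread over four minutes (should not)."""
    t0 = datetime(2025, 1, 1, 12, 0, 0)
    alerts = []
    for i in range(6):
        alerts.append({"timestamp": t0 + timedelta(seconds=5 * i),
                       "srcip": "203.0.113.%d" % i, "country": "Atlantis"})
    for i in range(6):
        alerts.append({"timestamp": t0 + timedelta(seconds=5 * i),
                       "srcip": "198.51.100.7", "country": "Germany"})
    for i in range(3):
        alerts.append({"timestamp": t0 + timedelta(minutes=2 * i),
                       "srcip": "192.0.2.9", "country": "Elbonia"})
    return alerts


if __name__ == "__main__":
    for finding in run(make_alerts()):
        print(finding)
```

Counting per country rather than per source address is what makes this catch a distributed attempt: the burst above comes from six different addresses, none of which would trip a per-IP brute-force rule on its own. The once-per-window suppression keeps a sustained burst from producing an alert on every further event.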
SONAR Enhancements And Default Rules
v0.10 added per-bucket maximum aggregation to catch brief spikes that averages would miss, scoped alert ingestion filtering to keep feature signals clean, and five resource-monitoring derived features that give the anomaly model explicit signal about sustained CPU, memory, and load pressure. A set of default rules enables a functional detection posture from first deployment without any custom rule authoring or data preparation.
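The difference between per-bucket maximum and mean aggregation is easy to show numerically. The following added Python example is not SONAR's code: it buckets a constructed 1 Hz CPU series into 60-second windows and aggregates each bucket by mean, by max, and by a constructed "fraction of samples above threshold" feature that stands in for a sustained-pressure derived feature. The four-second spike is invisible to the mean, caught by the max, and rated as brief rather than sustained by the fraction.

```python
"""Per-bucket aggregation: max versus mean on a bursty CPU series.

Added example, not SONAR's code. The sample series, the bucket width, the
80 % threshold and the "frac_above" feature are constructed for illustration.
"""
from statistics import mean


def bucketize(samples, bucket_seconds):
    """Group (t_seconds, value) samples into consecutive fixed-width buckets.
    Returns one list of values per bucket, in time order."""
    if bucket_seconds <= 0:
        raise ValueError("bucket_seconds must be positive")
    buckets = {}
    for t, v in samples:
        buckets.setdefault(int(t // bucket_seconds), []).append(v)
    return [buckets[k] for k in sorted(buckets)]


def aggregate(samples, bucket_seconds, how, threshold=80.0):
    """Aggregate every bucket with one of three functions:
    mean  - hides short spikes,
    max   - keeps the peak of each bucket,
    frac_above - share of samples over `threshold` (a sustained-pressure stand-in)."""
    aggs = {
        "mean": mean,
        "max": max,
        "frac_above": lambda b: sum(v > threshold for v in b) / len(b),
    }
    return [round(aggs[how](b), 2) for b in bucketize(samples, bucket_seconds)]


def spike_buckets(series, threshold):
    """Indices of buckets whose aggregated value exceeds threshold."""
    return [i for i, v in enumerate(series) if v > threshold]


def cpu_series():
    """Constructed: 1 Hz CPU% samples for three minutes, idle at 10 %, with a
    four-second 95 % spike inside the second minute."""
    samples = []
    for t in range(180):
        v = 95.0 if 70 <= t < 74 else 10.0
        samples.append((t, v))
    return samples


if __name__ == "__main__":
    s = cpu_series()
    print("mean      ", aggregate(s, 60, "mean"))
    print("max       ", aggregate(s, 60, "max"))
    print("frac_above", aggregate(s, 60, "frac_above"))
    print("spikes by mean:", spike_buckets(aggregate(s, 60, "mean"), 80))
    print("spikes by max: ", spike_buckets(aggregate(s, 60, "max"), 80))
```

The mean of the second bucket lands at about 15.7 %, well under any sensible threshold, while the max reports the 95 % peak; a fraction-above feature alongside it lets the model tell a four-second spike from a full minute of pressure, which a max alone cannot.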
Hardening, Documentation, And Traceability
v1.0 hardens RADAR container images, fixes a decoder parsing edge case, and resolves a monitor re-attach issue. The active response engine now logs a full audit trail of planned actions regardless of operational mode. Four new manual pages cover GUI setup, the rules workflow, the CTI integration roadmap, and suspicious login extensibility. The SpecEngine has been upgraded to C5-DEC v1.3 with dependency content fingerprinting, and the product presentation page now includes a RADAR GUI gallery.
Availability
IDPS-ESCAPE v1.0 product presentation page:
https://abstractionslab.github.io/idps-escape/website/product-presentation.html
IDPS-ESCAPE v1.0 is available as a free and open-source release on GitHub:
https://github.com/AbstractionsLab/idps-escape
Live specification browser and traceability statistics:
https://abstractionslab.github.io/idps-escape/traceability/index.html
Community feedback and contributions are welcome.

