We have released version 0.4 of IDPS-ESCAPE on GitHub.

Risk-aware Anomaly Detection-based Automated Response
The IDPS-ESCAPE team is excited to announce a major update to the RADAR subsystem, delivering new SOAR capabilities for automated threat detection and response in modern Security Operations Centers (SOCs).
This release introduces three new RADAR detection scenarios:
- Suspicious Login Detection: Identifies anomalous login behavior, such as access from unusual locations or times.
- DDoS Detection: Monitors for traffic spikes indicative of Distributed Denial-of-Service attacks.
- C2 Malware Communication: Flags covert traffic patterns linked to command-and-control servers.
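The scenario descriptions above are deliberately high-level. As an added illustration (this is not RADAR's own scenario code), the block below shows the shape of a baseline-driven suspicious-login check: it learns, per user, the countries and hours of day seen in a history of known-good logins, then flags new logins from an unseen country, at an hour with no activity in the baseline (allowing one hour of slack either side), or for a user with no baseline at all. The event tuples and the threshold choices are constructed for the example.

```python
"""Baseline-driven suspicious login detection over constructed auth events.

Added example for this post, not RADAR's own scenario logic. It learns a
per-user profile (countries seen, hours of day seen) from a history of
known-good logins and flags new logins from an unseen country, at an
unusual hour, or for a user with no baseline at all.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history of known-good logins: (user, ISO-8601 UTC timestamp, country).
BASELINE = [
    ("alice", "2025-02-03T08:12:00+00:00", "LU"),
    ("alice", "2025-02-03T09:40:00+00:00", "LU"),
    ("alice", "2025-02-04T10:05:00+00:00", "LU"),
    ("alice", "2025-02-04T14:30:00+00:00", "LU"),
    ("alice", "2025-02-05T16:55:00+00:00", "LU"),
    ("bob",   "2025-02-03T09:00:00+00:00", "LU"),
    ("bob",   "2025-02-04T11:20:00+00:00", "DE"),
]

# Constructed new logins to score.
NEW_LOGINS = [
    ("alice", "2025-02-06T09:15:00+00:00", "LU"),  # normal
    ("alice", "2025-02-06T09:20:00+00:00", "BR"),  # unseen country
    ("alice", "2025-02-07T03:02:00+00:00", "LU"),  # unusual hour
    ("bob",   "2025-02-06T10:00:00+00:00", "DE"),  # hour 10 sits next to seen hours 9 and 11
    ("carol", "2025-02-06T12:00:00+00:00", "LU"),  # no baseline at all
]


def build_profiles(events):
    """Per-user set of countries and histogram of login hours (UTC)."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": Counter()})
    for user, ts, country in events:
        profiles[user]["countries"].add(country)
        profiles[user]["hours"][datetime.fromisoformat(ts).hour] += 1
    return profiles


def unusual_hour(hours: Counter, hour: int, slack: int = 1) -> bool:
    """True if neither the hour nor its +/-slack neighbours (mod 24) appear in the baseline."""
    return all(hours[(hour + d) % 24] == 0 for d in range(-slack, slack + 1))


def detect(profiles, logins):
    """Return (user, ts, country, reasons) for every login that deviates from its baseline."""
    alerts = []
    for user, ts, country in logins:
        reasons = []
        profile = profiles.get(user)  # .get() does not create an empty profile
        if profile is None:
            reasons.append("no login baseline for user")
        else:
            if country not in profile["countries"]:
                reasons.append(f"first login from {country}")
            hour = datetime.fromisoformat(ts).hour
            if unusual_hour(profile["hours"], hour):
                reasons.append(f"login at {hour:02d}:00 UTC outside usual hours")
        if reasons:
            alerts.append((user, ts, country, reasons))
    return alerts


def run():
    """Score the constructed new logins against the constructed baseline."""
    return detect(build_profiles(BASELINE), NEW_LOGINS)


if __name__ == "__main__":
    for user, ts, country, reasons in run():
        print(f"{ts} {user:<6} {country}  {'; '.join(reasons)}")
```

The neighbouring-hour slack is what keeps bob's 10:00 login quiet despite only 09:00 and 11:00 in his history; without it, an exact-hour match would page on every ordinary shift drift. A production version would also age the baseline and key the profile on more than country, but the three reason codes are the ones a SOC analyst wants to see on the alert.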
To support these scenarios, the update includes an automated RADAR Test Framework powered by Ansible. This framework streamlines deployment, attack simulation, data ingestion, and statistical evaluation—making it easier to test and validate detection strategies.
Also new:
- An Experiment Evaluation Module for computing precision, recall, and other performance metrics.
- Curated Datasets for benchmarking RADAR experiments.
- Infrastructure-as-Code (IaC) deployment scripts for Wazuh server and agents, enabling rapid and reproducible setup.
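Precision and recall are only well defined once you decide how a stream of alert timestamps is matched against labelled attack windows. As an added example (not IDPS-ESCAPE's Experiment Evaluation Module), the block below scores a constructed set of alerts against two constructed attack windows: precision is alert-level (share of alerts that land inside some window), recall is event-level (share of windows hit by at least one alert), and it also reports mean detection delay. The tolerance parameter, which lets an alert shortly after a window still count, is a hypothetical knob added to show how much such a choice moves the numbers.

```python
"""Score anomaly alerts against labelled attack windows.

Added example for this post, not IDPS-ESCAPE's Experiment Evaluation
Module. Hypothetical data model: the detector emits alert timestamps,
the ground truth is a list of attack windows [start, end]. Precision is
alert-level (share of alerts that land in some window); recall is
event-level (share of windows hit by at least one alert), which is the
usual convention when one attack produces many alerts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Window:
    start: datetime
    end: datetime


@dataclass
class Metrics:
    tp: int              # alerts inside an attack window (plus tolerance)
    fp: int              # alerts outside every window
    fn: int              # attack windows that no alert hit
    precision: float
    recall: float
    f1: float
    mean_delay_s: float  # mean seconds from window start to its first alert (detected windows only)


def evaluate(alerts, windows, tolerance_s: float = 0.0) -> Metrics:
    tol = timedelta(seconds=tolerance_s)
    tp = fp = 0
    first_hit = {}  # window index -> earliest alert that hit it
    for alert in sorted(alerts):
        hit_any = False
        for i, w in enumerate(windows):
            # an alert counts for a window if it falls in [start, end + tolerance]
            if w.start <= alert <= w.end + tol:
                hit_any = True
                first_hit.setdefault(i, alert)
        if hit_any:
            tp += 1
        else:
            fp += 1
    detected = len(first_hit)
    fn = len(windows) - detected
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = detected / len(windows) if windows else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    delays = [(a - windows[i].start).total_seconds() for i, a in first_hit.items()]
    mean_delay = sum(delays) / len(delays) if delays else float("nan")
    return Metrics(tp, fp, fn, precision, recall, f1, mean_delay)


# Constructed experiment data (not from a real run).
T0 = datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)


def t(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


ATTACKS = [Window(t(10), t(20)), Window(t(40), t(45))]  # two simulated attack runs
ALERTS = [t(12), t(15), t(21), t(30), t(60)]              # what the detector raised


if __name__ == "__main__":
    for tol in (0, 120):
        m = evaluate(ALERTS, ATTACKS, tolerance_s=tol)
        print(f"tolerance={tol:>3}s  P={m.precision:.2f} R={m.recall:.2f} F1={m.f1:.2f} "
              f"FP={m.fp} FN={m.fn} mean_delay={m.mean_delay_s:.0f}s")
```

With zero tolerance the alert one minute after the first window closes counts as a false positive; allowing two minutes turns it into a true positive and lifts precision from 0.40 to 0.60 while recall stays at 0.50 because the second window is never detected. Whatever convention an evaluation module adopts, it should be stated alongside the reported numbers, since the same detector output yields different scores under each.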
This release builds on IDPS-ESCAPE's anomaly detection approach, which pairs ADBox's deep learning models with the Robust Random Cut Forest (RRCF) algorithm run via OpenSearch. The aim of combining the two is robustness against adversarial interference and a lower false-positive rate; tightening that combination (RRCF + MTAD-GAT, and interconnecting ADBox and RADAR) is on the roadmap below.
Explore the full release and documentation on GitHub.
Roadmap
- Adding new reusable RADAR and ADBox use case scenarios;
- Hybridizing RADAR scenarios: AD + signature-based detection;
- Combining classical AD with deep learning, in our case: RRCF + MTAD-GAT;
- SATRAP engine integration for advanced real-time CTI on a system security graph combined with world CTI;
- OpenTRICK asset dependency conversion to a SATRAP system security graph;
- OpenTide integration;
- Interconnecting ADBox and RADAR;
- ADBox: add support for categorical features;
- ADBox: add automatic (online) retraining, driven by a policy such as a schedule or custom criteria;
- Stabilizing the current implementation and improving its resilience/fault tolerance, especially when it comes to dealing with missing and ill-formed raw data.