ML Defender (aRGus NDR): An Open-Source Embedded ML NIDS for Botnet and Anomalous Traffic Detection in Resource-Constrained Organizations
Alonso Isidoro Román

TL;DR
ML Defender (aRGus NDR) is an open-source, embedded ML-based network intrusion detection system designed for resource-constrained organizations, demonstrating high accuracy and a low false-positive rate in botnet detection.
Contribution
It introduces a novel embedded ML NIDS architecture with a dual-score detector, evaluated under controlled conditions, and compares it with traditional signature-based systems.
Findings
aRGus NDR achieves F1=0.9985, Recall=1.000 in botnet detection
Suricata with open rules generated no alerts in tested scenarios
Zeek detected botnet activity but with a low F1 score
Abstract
Ransomware and DDoS attacks disproportionately impact hospitals, schools, and small organizations that cannot afford enterprise security. We present ML Defender (aRGus NDR), an open-source C++20 NIDS with embedded ML inference, deployable on commodity hardware at 150-200 USD. The system implements a six-component pipeline over eBPF/XDP, ZeroMQ, and Protocol Buffers, with a dual-score Fast Detector + Random Forest architecture. Evaluated on CTU-13 Neris: F1=0.9985, Precision=0.9969, Recall=1.0000 (2 FP in 12,075 benign flows, both VirtualBox artifacts). We report the first three-paradigm experimental comparison on CTU-13 Neris under identical conditions: (1) Suricata 6.0.10 with 50,010 ET Open rules generates zero alerts -- confirmed by offline experiment (DAY 148) on 323,154 packets with 251 IRC, 475 botnet/C2, and 853 trojan signatures active, eliminating replay artifacts as…
