ML Defender (aRGus NDR): An Open-Source Embedded ML NIDS for Botnet and Anomalous Traffic Detection in Resource-Constrained Organizations

Abstract

Ransomware and DDoS attacks disproportionately impact hospitals, schools, and small organizations that cannot afford enterprise security. We present ML Defender (aRGus NDR), an open-source C++20 NIDS with embedded ML inference, deployable on commodity hardware at 150-200 USD. The system implements a six-component pipeline over eBPF/XDP, ZeroMQ, and Protocol Buffers, with a dual-score Fast Detector + Random Forest architecture. Evaluated on CTU-13 Neris: F1=0.9985, Precision=0.9969, Recall=1.0000 (2 FP in 12,075 benign flows, both VirtualBox artifacts). We report the first three-paradigm experimental comparison on CTU-13 Neris under identical conditions: (1) Suricata 6.0.10 with 50,010 ET Open rules generates zero alerts -- confirmed by offline experiment (DAY 148) on 323,154 packets with 251 IRC, 475 botnet/C2, and 853 trojan signatures active, eliminating replay artifacts as explanation; (2) Zeek 8.1.2 generates 14 correct detections (Precision=1.000, F1=0.042) while observing the complete botnet profile in structured logs without alerting; (3) aRGus NDR achieves F1=0.9985, Recall=1.000. These results define a taxonomy of decision architectures -- signature, scripted behavioral, ML behavioral -- differing in the layer at which network knowledge is encoded. The three paradigms are complementary: Zeek's telemetry and Suricata's signatures operate naturally alongside an ML behavioral classifier. ML Defender is released under the MIT license.