Configure the botnet, launch an attack, and watch LUCID respond in real-time.
Five steps from Docker botnet deployment through CNN retraining to automated protection.
Three Docker containers simulate distinct attack vectors — TCP flood on :9000, UDP flood on :7000, and HTTP GET flood on :8080 — all targeting the victim server at 192.168.1.78.
```bash
# Create shared network and base image
docker network create botnet
docker build -t mhddos-image .

# Bot 01 — TCP flood (3 threads, 50s)
docker run -it --name bot01-tcp-flood \
  --network botnet mhddos-image \
  tcp 192.168.1.78:9000 3 50

# Bot 02 — UDP flood (3 threads, 50s)
docker run -it --name bot02-udp-flood \
  --network botnet mhddos-image \
  udp 192.168.1.78:7000 3 50

# Bot 03 — HTTP GET flood (50s)
docker run -it --name bot03-get-flood \
  --network botnet mhddos-image \
  GET 192.168.1.78:8080 1 3 http.txt 200 50
```
The original model was never trained on GET flood patterns. Capture new traffic via Wireshark, register attacker/victim IPs, and retrain on the extended DOS2019 dataset with 10-second time windows.
```python
# lucid_dataset_parser.py — register IP addresses
DOS2019_FLOWS = {
    'attackers': ['172.16.0.5', '192.168.1.79'],
    'victims': ['192.168.50.1', '192.168.1.78']
}
```

```bash
# Preprocess traffic captures
python3 lucid_dataset_parser.py \
  --dataset_type DOS2019 \
  --dataset_folder ./sample-dataset/ \
  --packets_per_flow 10 \
  --traffic_type all \
  --time_window 10

python3 lucid_dataset_parser.py \
  --preprocess_folder ./sample-dataset/

# Train CNN on extended dataset
python3 lucid_cnn.py --train ./sample-dataset/
```
Extend LUCID beyond passive detection. A POST-based alert hook forwards each detection result to a management service, which can then shut down or migrate the attacked service automatically.
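```python
# util_function.py — alert function
import requests
from requests.exceptions import RequestException


def message_to_server(url, data):
    """POST one detection result (a dict) to the management server as JSON."""
    try:
        response = requests.post(url, json=data)
        if response.status_code == 200:
            print("Data sent successfully!")
    except RequestException as e:
        # Network errors are reported and otherwise ignored
        print(f"An error occurred: {e}")
```

```python
# lucid_cnn.py — register argument
parser.add_argument(
    '-su', '--server_url',
    default=None,
    type=str,
    help='URL of the management server endpoint'
)
```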
Start live packet capture on network interface en1. LUCID classifies incoming flows every 10 seconds and streams JSON metrics — accuracy, F1, TPR, FPR — to the optional management server endpoint.
```bash
python3 lucid_cnn.py \
  --predict_live en1 \
  --model ./output/10t-50n-DOS2019-LUCID.h5 \
  --server_url http://localhost:6000/api/msg \
  --attack_net 192.168.1.79 \
  --victim_net 192.168.1.78
```

```
# Sample JSON output per 10-second window
{
  'Model': 'DOS2019-LUCID',
  'Packets': 3095,
  'Samples': 83,
  'DDOS%': '0.916',
  'Accuracy': '0.9157',
  'F1Score': '0.9560',
  'TPR': '0.9157',
  'FPR': 'N/A'
}
```
The Node.js management service on port 6000 monitors LUCID's JSON stream. When DDoS% exceeds 67% or the threshold (DDoS% × Packets) surpasses 200, it shuts down the attacked service.
```javascript
const ddos = jsonData['DDOS%'];
const pkgs = jsonData['Packets'];

// Trigger if DDoS% > 67% OR threshold ≥ 200 samples
if (ddos && pkgs) {
  const threshold = pkgs * ddos;
  if (ddos > 0.67 || threshold >= 200) {
    res.end('High DDOS% detected. Shutting down.');
    httpServer.close(() => {
      console.log('HTTP server has been shut down.');
    });
  } else {
    res.end('DDOS% is not detected.');
  }
}
```
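Because this endpoint can shut the service down, the alert payload should be validated before the rule above is applied. The following is an added example, not the project's code: it type-checks `DDOS%` and `Packets`, rejects malformed windows such as `N/A`, and can require several consecutive positive windows before reporting a shutdown. `MAX_PACKETS`, `parseAlert`, `makeDecider` and the `consecutive` option are assumptions of this sketch; the field names and the 0.67 / 200 thresholds are the page's.

```javascript
// Added example: validate a LUCID alert before applying the page's shutdown rule.
// Field names ('DDOS%', 'Packets') and the 0.67 / 200 thresholds come from the page;
// MAX_PACKETS and the `consecutive` option are assumptions of this sketch.
const MAX_PACKETS = 10_000_000; // assumed sanity cap for one 10-second window
// Constructed sample body, shaped like the page's per-window output.
const SAMPLE = '{"Model":"DOS2019-LUCID","Packets":3095,"DDOS%":"0.916","FPR":"N/A"}';

function parseAlert(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody);
  } catch {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'payload is not an object' };
  }
  // LUCID sends 'DDOS%' as a string such as '0.916'; a metric may also be 'N/A'.
  const rawDdos = data['DDOS%'];
  const ddos = typeof rawDdos === 'string' && rawDdos.trim() !== '' ? Number(rawDdos) : rawDdos;
  const pkgs = data['Packets'];
  if (typeof ddos !== 'number' || !Number.isFinite(ddos) || ddos < 0 || ddos > 1) {
    return { ok: false, reason: 'DDOS% must be a number in [0, 1]' };
  }
  if (!Number.isInteger(pkgs) || pkgs < 0 || pkgs > MAX_PACKETS) {
    return { ok: false, reason: 'Packets must be an integer in [0, MAX_PACKETS]' };
  }
  return { ok: true, ddos, pkgs };
}

// Returns a stateful decide(rawBody) that applies the page's rule to each window and
// reports 'shutdown' only after `consecutive` positive windows in a row (1 = page behaviour).
function makeDecider({ ratio = 0.67, volume = 200, consecutive = 1 } = {}) {
  let streak = 0;
  return function decide(rawBody) {
    const alert = parseAlert(rawBody);
    if (!alert.ok) return { action: 'reject', reason: alert.reason }; // streak left unchanged
    const positive = alert.ddos > ratio || alert.pkgs * alert.ddos >= volume;
    streak = positive ? streak + 1 : 0;
    if (positive && streak >= consecutive) return { action: 'shutdown', streak };
    return { action: positive ? 'watch' : 'ok', streak };
  };
}
```

In the request handler, call `httpServer.close()` only when `decide(body).action` is `'shutdown'`, and answer a `'reject'` with an error status instead of acting on it.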
Accuracy and F1 scores from the paper, across attack types, model configurations, and time window / packet configurations.
| Dataset | 10t-10n | 10t-50n | 10t-100n | 5t-10n | 5t-50n | 5t-100n |
|---|---|---|---|---|---|---|
| Trained with original dataset | | | | | | |
| Accuracy | 0.042 | 0.004 | 0.020 | — | — | — |
| F1 Score | 0.034 | 0.004 | 0.007 | — | — | — |
| Trained with new dataset | | | | | | |
| Accuracy | 0.795 | 0.816 | 0.811 | 0.966 | 0.959 | 0.935 |
| F1 Score | 0.879 | 0.894 | 0.880 | 0.983 | 0.978 | 0.965 |
Original dataset accuracy: as low as 0.004. New dataset (5t-100n): 0.935 acc / 0.965 F1. A 233× improvement — LUCID's performance is entirely dependent on representative training data matching the actual environment.
All original-dataset configs score exactly 1.000 — likely data overlap or overfitting. When the 5t model is evaluated on genuinely new data, accuracy drops to 0.764, revealing that the 1.0 result was anomalous rather than representative.
LUCID was never exposed to GET floods during initial training: original accuracy 0.066. After capturing GET flood pcaps and extending the dataset, accuracy rebounded to 0.829–0.860 — validating LUCID's dataset-agnostic preprocessing design.