
Lab Setup & Implementation

Five steps from Docker botnet deployment through CNN retraining to automated protection.

Set Up the Botnet

Three Docker containers simulate distinct attack vectors — TCP flood on :9000, UDP flood on :7000, and HTTP GET flood on :8080 — all targeting the victim server at 192.168.1.78.

# Create shared network and base image
docker network create botnet
docker build -t mhddos-image .

# Bot 01 — TCP flood  (3 threads, 50s)
docker run -it --name bot01-tcp-flood \
  --network botnet mhddos-image \
  tcp 192.168.1.78:9000 3 50

# Bot 02 — UDP flood  (3 threads, 50s)
docker run -it --name bot02-udp-flood \
  --network botnet mhddos-image \
  udp 192.168.1.78:7000 3 50

# Bot 03 — HTTP GET flood  (50s)
docker run -it --name bot03-get-flood \
  --network botnet mhddos-image \
  GET 192.168.1.78:8080 1 3 http.txt 200 50

Configure & Retrain LUCID

The original model was never trained on GET flood patterns. Capture new traffic via Wireshark, register attacker/victim IPs, and retrain on the extended DOS2019 dataset with 10-second time windows.

# lucid_dataset_parser.py — register IP addresses
DOS2019_FLOWS = {
    'attackers': ['172.16.0.5', '192.168.1.79'],
    'victims':   ['192.168.50.1', '192.168.1.78']
}

# Preprocess traffic captures
python3 lucid_dataset_parser.py \
  --dataset_type DOS2019 \
  --dataset_folder ./sample-dataset/ \
  --packets_per_flow 10 \
  --traffic_type all \
  --time_window 10

python3 lucid_dataset_parser.py \
  --preprocess_folder ./sample-dataset/

# Train CNN on extended dataset
python3 lucid_cnn.py --train ./sample-dataset/

Add Notification Module

Extend LUCID beyond passive detection. A POST-based alert hook forwards each detection result to a management service, which can then shut down or migrate the attacked service automatically.

# util_function.py — alert function
import requests
from requests.exceptions import RequestException


def message_to_server(url, data):
    """POST one LUCID detection result (a dict) as JSON to the management server."""
    try:
        # A bounded timeout keeps a slow or unreachable server from stalling
        # the detection loop that calls this hook every window.
        response = requests.post(url, json=data, timeout=5)
        if response.status_code == 200:
            print("Data sent successfully!")
    except RequestException as e:
        print(f"An error occurred: {e}")

# lucid_cnn.py — register argument
parser.add_argument(
    '-su', '--server_url',
    default=None, type=str,
    help='URL of the management server endpoint'
)

Run LUCID IDS

Start live packet capture on network interface en1. LUCID classifies incoming flows every 10 seconds and streams JSON metrics — accuracy, F1, TPR, FPR — to the optional management server endpoint.

python3 lucid_cnn.py \
  --predict_live en1 \
  --model ./output/10t-50n-DOS2019-LUCID.h5 \
  --server_url http://localhost:6000/api/msg \
  --attack_net  192.168.1.79 \
  --victim_net  192.168.1.78

# Sample JSON output per 10-second window
{
  'Model':    'DOS2019-LUCID',
  'Packets':  3095,  'Samples': 83,
  'DDOS%':    '0.916',
  'Accuracy': '0.9157', 'F1Score': '0.9560',
  'TPR':      '0.9157', 'FPR':     'N/A'
}

Management Service & Protection

The Node.js management service on port 6000 monitors LUCID's JSON stream. When DDoS% exceeds 67% or the threshold (DDoS% × Packets) surpasses 200, it shuts down the attacked service.

const ddos = jsonData['DDOS%'];
const pkgs = jsonData['Packets'];

// Trigger if DDoS% > 67% OR threshold ≥ 200 samples
if (ddos && pkgs) {
  const threshold = pkgs * ddos;

  if (ddos > 0.67 || threshold >= 200) {
    res.end('High DDOS% detected. Shutting down.');
    httpServer.close(() => {
      console.log('HTTP server has been shut down.');
    });
  } else {
    res.end('DDOS% is not detected.');
  }
}
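The shutdown rule above, isolated into a pure function so it can be tested outside the HTTP handler. This is an added example, not the project's management-service code; it parses the string-valued metrics LUCID emits ('0.916', 'N/A') explicitly rather than relying on JavaScript's implicit coercion in `>` and `*`. The attack window is the one LUCID printed in the previous step; the quiet and busy windows are constructed.

```javascript
// Added example (not the project's own code): the management service's
// shutdown rule as a pure, testable function.
// Rule from the page: shut down when DDoS% > 0.67 OR DDoS% * Packets >= 200.
const DDOS_RATIO_LIMIT = 0.67;
const ATTACK_PACKET_LIMIT = 200;

// LUCID emits most metrics as strings ('0.916', 'N/A'); parse them explicitly
// instead of relying on implicit coercion in `>` and `*`.
function parseMetric(value) {
  if (value === undefined || value === null) return null;
  const n = typeof value === 'number' ? value : parseFloat(String(value));
  return Number.isFinite(n) ? n : null; // 'N/A' -> null
}

// Evaluate one 10-second window; returns { shutdown, reason, threshold }.
function evaluateWindow(jsonData) {
  const ddos = parseMetric(jsonData['DDOS%']);
  const pkgs = parseMetric(jsonData['Packets']);
  if (ddos === null || pkgs === null) {
    return { shutdown: false, reason: 'DDOS% or Packets missing/N/A', threshold: null };
  }
  const threshold = ddos * pkgs; // estimated number of DDoS packets in the window
  if (ddos > DDOS_RATIO_LIMIT) {
    return { shutdown: true, reason: `DDOS% ${ddos} > ${DDOS_RATIO_LIMIT}`, threshold };
  }
  if (threshold >= ATTACK_PACKET_LIMIT) {
    return { shutdown: true, reason: `threshold ${threshold} >= ${ATTACK_PACKET_LIMIT}`, threshold };
  }
  return { shutdown: false, reason: 'below both limits', threshold };
}

// Window reported by LUCID in the previous step (values from the page).
const attackWindow = {
  Model: 'DOS2019-LUCID', Packets: 3095, Samples: 83, 'DDOS%': '0.916',
  Accuracy: '0.9157', F1Score: '0.9560', TPR: '0.9157', FPR: 'N/A',
};
// Constructed: low ratio and few estimated attack packets -> keep serving.
const quietWindow = { Model: 'DOS2019-LUCID', Packets: 400, Samples: 12, 'DDOS%': '0.050' };
// Constructed: ratio under 0.67, but 0.30 * 1000 = 300 >= 200 trips the second rule.
const busyWindow = { Model: 'DOS2019-LUCID', Packets: 1000, Samples: 40, 'DDOS%': '0.300' };

for (const w of [attackWindow, quietWindow, busyWindow]) {
  console.log(w.Packets, w['DDOS%'], evaluateWindow(w));
}
```

The busy window shows why the second rule exists: a modest DDoS ratio over a large packet count still represents hundreds of attack packets per window.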

Benchmark Results

Accuracy and F1 scores from the paper, across attack types, model configurations, and time window / packet configurations.

Dataset                          10t-10n   10t-50n   10t-100n   5t-10n   5t-50n   5t-100n
Trained with original dataset
  Accuracy                       0.042     0.004     0.020
  F1 Score                       0.034     0.004     0.007
Trained with new dataset
  Accuracy                       0.795     0.816     0.811      0.966    0.959    0.935
  F1 Score                       0.879     0.894     0.880      0.983    0.978    0.965
TCP Flood

Retraining Is Critical

Original dataset accuracy: as low as 0.004. New dataset (5t-100n): 0.935 acc / 0.965 F1. A 233× improvement — LUCID's performance is entirely dependent on representative training data matching the actual environment.

UDP Flood

Suspicious Perfect Scores

All original-dataset configs score exactly 1.000 — likely data overlap or overfitting. When the 5t model is evaluated on genuinely new data, accuracy drops to 0.764, revealing that the 1.0 result was anomalous rather than representative.

GET Flood

New Attack Type Adaptation

LUCID was never exposed to GET floods during initial training: original accuracy 0.066. After capturing GET flood pcaps and extending the dataset, accuracy rebounded to 0.829–0.860 — validating LUCID's dataset-agnostic preprocessing design.