Dev.to
5/10/2026

Three Detection Paradigms. One Dataset. One Result.
Short summary
aRGus, an open-source ML-based network detection platform, significantly outperformed signature-based Suricata (0 alerts, 0% recall) and telemetry-observation Zeek (14 alerts, 2% recall) on a controlled botnet dataset. The key insight is that the three detection paradigms solve different problems: signatures need prior knowledge of the threat, Zeek provides observability without classifying attacks, and behavioral ML detects novel threats regardless of malware family or IOC availability. A mature security stack needs all three layers.
- aRGus achieved F1 0.998 and 100% recall on the CTU-13 Neris botnet; Suricata 0%, Zeek 2%
- Each paradigm solves a different problem: signatures detect known threats, telemetry observes anomalies, ML classifies behavioral patterns
- Open-source behavioral ML-based NDR offers enterprise-grade detection at commodity hardware costs
Generated with AI, which can make mistakes.