This project presents a security system designed to address the growing cybersecurity vulnerabilities in IoT-connected surveillance camera environments. The system specifically targets botnet attacks, particularly the Mirai and Gafgyt malware families, which represent a well-documented and prevalent threat to IP camera infrastructures.
System Architecture
The system is built upon a hybrid, two-layer machine learning architecture that combines two complementary approaches:
Layer One — Supervised Classification: Employs the Random Forest algorithm to classify network traffic patterns and identify known attacks with a high degree of accuracy.
Layer Two — Unsupervised Anomaly Detection: Utilizes an Autoencoder model to detect statistical deviations in network traffic, enabling the discovery of unknown threats and zero-day attacks that were not represented in the training data.
Evaluation Methodology
System performance was validated in a controlled laboratory environment using the N-BaIoT benchmark dataset, which is specifically tailored to surveillance camera network traffic. Evaluation was explicitly limited to a simulated environment and did not extend to live production networks — a clear methodological boundary of the current project scope.
Operational Workflow
During simulation sessions, the system monitors incoming network traffic in real time via the MQTT protocol within an isolated network environment secured by a WireGuard VPN tunnel. Upon detection of malicious traffic, the system executes an immediate and automated response that includes:
Applying block rules at the firewall level to instantly isolate the threat source.
Automatically lifting the block once traffic originating from the flagged address returns to normal ranges, as determined by the system's detection mechanisms.
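The following is an added illustration, not the project's own code, of how the two-layer decision (Layer One and Layer Two above) and the block/unblock workflow fit together. The Random Forest and Autoencoder are replaced by simple stand-ins (a rule and a z-score distance), the feature names and baseline values are constructed, and the firewall is abstracted as two callbacks so the logic runs offline; the unblock step uses a hysteresis counter so a single quiet window does not lift the rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict

@dataclass
class Window:
    """One per-source traffic window (constructed features, not N-BaIoT's)."""
    src: str
    pkt_rate: float    # packets per second from src
    mean_size: float   # mean payload size in bytes
    dst_ports: int     # distinct destination ports contacted

# Constructed baseline profile (mean, std) of benign camera traffic; assumed values.
BASELINE = {"pkt_rate": (20.0, 5.0), "mean_size": (600.0, 120.0), "dst_ports": (2.0, 1.0)}

def layer_one(w: Window) -> bool:
    """Stand-in for the Random Forest: a known flood/scan pattern returns True."""
    return w.pkt_rate > 500.0 and w.mean_size < 100.0

def layer_two(w: Window) -> float:
    """Stand-in for autoencoder reconstruction error: mean squared z-score."""
    vals = {"pkt_rate": w.pkt_rate, "mean_size": w.mean_size, "dst_ports": w.dst_ports}
    return sum(((vals[k] - m) / s) ** 2 for k, (m, s) in BASELINE.items()) / len(BASELINE)

class BlockController:
    """Blocks a source on detection and lifts the block only after `clear_windows`
    consecutive benign windows from that source (hysteresis against flapping)."""
    def __init__(self, apply_rule: Callable[[str], None], remove_rule: Callable[[str], None],
                 anomaly_threshold: float = 9.0, clear_windows: int = 3) -> None:
        self.apply_rule, self.remove_rule = apply_rule, remove_rule
        self.threshold, self.clear_windows = anomaly_threshold, clear_windows
        self.blocked: Dict[str, int] = {}   # src -> consecutive benign windows seen

    def observe(self, w: Window) -> str:
        malicious = layer_one(w) or layer_two(w) > self.threshold
        if malicious:
            if w.src not in self.blocked:
                self.apply_rule(w.src)           # firewall block rule for the source
            self.blocked[w.src] = 0              # any new hit resets the clear counter
            return "blocked"
        if w.src in self.blocked:
            self.blocked[w.src] += 1
            if self.blocked[w.src] >= self.clear_windows:
                del self.blocked[w.src]
                self.remove_rule(w.src)          # traffic back in normal range: lift block
                return "unblocked"
            return "blocked"
        return "allowed"
```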
Control and Monitoring Platform
The system includes a centralized web platform secured by Multi-Factor Authentication (MFA), offering two integrated interfaces:
Technical Operator Interface: A comprehensive dashboard providing detailed visibility into performance metrics, security event logs, and model status.
Simplified Client Interface: A display panel designed for non-technical users, enabling straightforward monitoring of the overall security status of the system.