Zing Forum

Real-Time Rogue DHCP Detection System: A Machine Learning-Based Cybersecurity Protection Solution

A Python-based real-time rogue DHCP detection system that uses Scapy for packet capture, analyzes DHCP traffic features via a random forest machine learning model to identify unauthorized DHCP servers, and provides a web dashboard for visual monitoring.

Tags: DHCP security, network security, machine learning, random forest, Scapy, Flask, enterprise network
Published 2026-06-05 15:45 | Recent activity 2026-06-05 15:50 | Estimated read 6 min

Section 01

Introduction to the Real-Time Rogue DHCP Detection System: A Machine Learning-Based Cybersecurity Protection Solution

This project is a Python-based real-time rogue DHCP detection system. It captures packets with Scapy, extracts features from DHCP traffic, classifies them with a random forest model to identify unauthorized servers, and provides a Flask-built web dashboard for monitoring. It addresses rogue DHCP servers in enterprise networks and offers a software-only solution for networks whose switches do not support DHCP snooping.

Section 02

Background: Threats of DHCP Attacks and Limitations of Traditional Protection

DHCP is the core protocol for IP address allocation in enterprise networks. A rogue DHCP server that answers a client's DISCOVER before the legitimate server can hand the client its own gateway and DNS addresses, which enables man-in-the-middle attacks, DNS hijacking and similar traffic redirection. The traditional defence is DHCP snooping, where the switch only accepts DHCP server messages on trusted ports, but that requires managed switches that support it, and not every environment has them. This project provides a machine learning-based software alternative that runs on a standard Linux host.

Section 03

Core Technologies and Implementation Methods

1. Packet Capture Layer

Uses the Scapy library to sniff DHCP traffic on a network interface, parse the BOOTP/DHCP fields (op code, transaction ID, server identifier, etc.) and extract the key information. Sniffing needs raw sockets, so the capture process must run as root or with the CAP_NET_RAW capability.

2. Feature Engineering

Extracts multi-dimensional features from each packet: basic protocol features (op code, message type, server IP, etc.), temporal behaviour features (hour of day, weekday, interval since the previous DHCP packet), network topology features (address class, whether the advertised server, router and DNS addresses fall inside the expected subnet), and statistical features computed over a window of packets (transaction ID entropy, etc.).

3. Machine Learning Model

A random forest classifier is used: it handles mixed numeric and categorical features, resists overfitting, reports feature importance and performs reasonably with limited training data. The project reports an accuracy of about 95% on its own dataset; since rogue-server events are rare compared with legitimate traffic, precision and recall on the rogue class are more informative than raw accuracy when evaluating it.
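The packet-parsing and feature-engineering steps above, as an added example that is not part of the project's code: it parses the BOOTP header and DHCP option TLVs of a raw DHCP payload, derives the per-packet topology features and the windowed statistical features (transaction ID entropy, inter-arrival time, number of distinct servers answering one transaction), and applies a simple allow-list rule in place of the trained model. It uses only the Python standard library rather than Scapy so it runs without raw-socket privileges; to use it on live traffic, pass the UDP payload of each captured DHCP packet to `parse_dhcp`. The allow-list `AUTHORIZED_SERVERS`, the subnet `CORP_SUBNET`, the two constructed DHCPOFFER packets and their timestamps are assumptions made for the example.

```python
"""Added example (not the project's code): parse a raw DHCP message and derive the
per-packet and windowed features the text describes, using only the standard
library. The allow-list, subnet, packets and timestamps here are constructed."""
import math
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
AUTHORIZED_SERVERS = {"10.0.0.2"}       # assumed: the sanctioned DHCP servers
CORP_SUBNET = ip_network("10.0.0.0/8")  # assumed: the site's address space


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option TLVs (RFC 2131 / 2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    msg = {"op": op, "xid": xid, "secs": secs, "flags": flags,
           "yiaddr": str(ip_address(payload[16:20])), "siaddr": str(ip_address(payload[20:24])),
           "chaddr": payload[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def packet_features(msg: dict) -> dict:
    """Protocol fields plus topology checks on the addresses a rogue server would alter."""
    opts = msg["options"]
    server_id = str(ip_address(opts[54])) if 54 in opts else None
    router = str(ip_address(opts[3][:4])) if 3 in opts else None
    dns = str(ip_address(opts[6][:4])) if 6 in opts else None
    return {
        "op": msg["op"], "xid": msg["xid"],
        "msg_type": DHCP_MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "server_id": server_id,
        "server_in_allowlist": server_id in AUTHORIZED_SERVERS,
        "server_in_corp_subnet": server_id is not None and ip_address(server_id) in CORP_SUBNET,
        "router_equals_server": router is not None and router == server_id,
        "dns_outside_corp": dns is not None and ip_address(dns) not in CORP_SUBNET,
    }


def shannon_entropy(values) -> float:
    """Entropy in bits; a constant sequence (e.g. replayed transaction IDs) scores 0."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def window_features(events) -> dict:
    """Statistical features over a non-empty window of (timestamp, packet_features)."""
    ts = [t for t, _ in events]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    servers_per_xid = {}
    for _, f in events:
        if f["server_id"]:
            servers_per_xid.setdefault(f["xid"], set()).add(f["server_id"])
    return {
        "xid_entropy": shannon_entropy([f["xid"] for _, f in events]),
        "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0,
        # two servers answering one transaction = competing OFFERs, the rogue signature
        "max_servers_per_xid": max((len(s) for s in servers_per_xid.values()), default=0),
        "unknown_server_ratio": sum(not f["server_in_allowlist"] for _, f in events) / len(events),
    }


def build_offer(xid: int, server_ip: str, router: str, dns: str) -> bytes:
    """Constructed DHCPOFFER for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, htype=Ethernet
    hdr += b"\x00" * 4 + ip_address("10.0.0.50").packed + ip_address(server_ip).packed + b"\x00" * 4
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10 + b"\x00" * 192  # chaddr, sname, file
    opts = (b"\x35\x01\x02"                               # 53: message type = OFFER
            + b"\x36\x04" + ip_address(server_ip).packed  # 54: server identifier
            + b"\x03\x04" + ip_address(router).packed     # 3: router
            + b"\x06\x04" + ip_address(dns).packed        # 6: DNS server
            + b"\xff")
    return hdr + MAGIC_COOKIE + opts


def baseline_verdict(payload: bytes) -> str:
    """Allow-list rule standing in for the trained model: unknown server sending OFFER/ACK."""
    f = packet_features(parse_dhcp(payload))
    return "ROGUE" if f["msg_type"] in ("OFFER", "ACK") and not f["server_in_allowlist"] else "OK"


if __name__ == "__main__":
    legit = build_offer(0x1234, "10.0.0.2", "10.0.0.1", "10.0.0.2")
    rogue = build_offer(0x1234, "10.0.0.99", "10.0.0.99", "198.51.100.53")
    for p in (legit, rogue):
        print(baseline_verdict(p), packet_features(parse_dhcp(p)))
    print(window_features([(0.0, packet_features(parse_dhcp(legit))), (0.002, packet_features(parse_dhcp(rogue)))]))
```

The two constructed OFFERs share one transaction ID, which is exactly what a client sees when a rogue server races the legitimate one, so `max_servers_per_xid` becomes 2 and the rogue OFFER also advertises itself as router and points DNS outside the site. In the project these feature dictionaries are what the random forest consumes; the deterministic allow-list check in `baseline_verdict` is worth keeping alongside the model, because a server identifier that is not on the list is a finding regardless of what the classifier says.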

4. Web Dashboard

Built on Flask, it provides a live event stream, system status, alerts and statistical charts, and exposes REST APIs so that detections can be forwarded to SOC/SIEM platforms.

Section 04

Practical Application Scenarios and Model Performance Evidence

Model Performance

The project documentation reports a model accuracy of about 95% on its own data. Before relying on the alerts in a real deployment, measure the false positive rate on your own traffic and tune the decision threshold accordingly, since legitimate DHCP packets vastly outnumber rogue ones and even a small false positive rate produces many alerts.

Application Scenarios

  1. Enterprise network: deployed on a mirror (SPAN) port of the core switch to monitor all DHCP traffic and alert immediately when an unauthorized server is detected;
  2. Public Wi-Fi: flag rogue or misconfigured DHCP servers (for example a malicious hotspot) on guest networks in high-risk locations such as airports and hotels;
  3. Security audit: generate DHCP activity reports for compliance checks.

Section 05

Project Value and Conclusion

The value of this open-source project:

  1. Low cost: Pure software solution without dedicated hardware;
  2. Customizable: Open-source code supports demand modifications;
  3. Educational value: Demonstrates the combination of network protocol analysis + machine learning + web development;
  4. Practicality: usable for live monitoring once the hardening items listed below (HTTPS, authentication, threshold tuning) are in place.

Conclusion: Machine learning-based anomaly detection is an important direction in cybersecurity. This project provides intelligent protection for network infrastructure and is worth attention and deployment.

Section 06

Suggestions for Optimization and Expansion Directions

Performance Optimization

  • Apply a BPF capture filter (for example `udp and (port 67 or port 68)`) so that only DHCP packets reach the Python process;
  • Use a ring buffer between capture and analysis so bursts do not drop packets;
  • Consider a kernel-bypass packet I/O framework such as DPDK for very high packet rates;
  • Quantize or simplify the model to speed up inference.

Function Enhancement

  • Deep learning models to improve accuracy;
  • Automatic blocking of rogue servers, restricted to high-confidence detections, since a false positive would cut off a legitimate server;
  • Cloud platform deployment integration;
  • Mobile monitoring application development;
  • SIEM/network management system integration.

Security Reinforcement

  • Serve the dashboard and APIs over HTTPS in production;
  • Require authentication and authorization for the dashboard and the REST APIs, which otherwise expose network inventory to anyone who can reach the port;
  • Keep the host and Python dependencies patched;
  • Anonymize or minimize stored client identifiers (MAC addresses, hostnames) in logs and reports.