Applying Transfer Learning Approaches for Intrusion Detection in Software-Defined Networking

Round 1

Reviewer 1 Report

In this paper, authors have proposed a transfer-learning method based on the SDN environment for evaluating intrusion detection. Experimental results show that their method outperforms typical machine learning methods.  The performances of three issues are stated respectively: (1) with regard to unknown attack, authors model’s performance in the anomaly detection stage reached 0.71 F1-score; (2) with regard to small  samples, the model performance in the anomaly detection stage reached 0.98 F1-score, and the  performance of attack types identification was 0.51 F1-score; and (3) for class imbalance, our model’s  performance in the anomaly detection stage obtained a 1.00 F1-score, and the performance of attack types identification is 0.91 F1-score. In addition, our model took 15,230 seconds (4:13’:50”) for training, ranking second among the six models, taking into account both performance and efficiency. In future research, we will combine sampling techniques with few-shot learning to improve the performance of minority classes in class imbalance.

Overall the paper is well explained and well written. However, I suggest some changes to the authors. If these are inculcated in the revised version, then it will improve its readability and technical soundness.

1.     It will be good if authors show some confusion matrix results.

2.     The authors should give references for the datasets used in the paper.

3.     Moreover, the authors should mention some features considered from these datasets and explain its relevancy with SDN environment in the intrusion detection.

4.     In addition, I suggest to use some latest literature and mention it in the revised paper. such as “B. -h. Roh, B. Lee, J. Oh and M. Adil, "A Machine Learning Framework for Prevention of Software-Defined Networking controller from DDoS Attacks and dimensionality reduction of big data," 2020 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Korea (South), 2020, pp. 515-519, doi: 10.1109/ICTC49870.2020.9289504.”, and “ESCALB: An Effective Slave Controller Allocation-Based Load Balancing Scheme for Multi-Domain SDN-enabled-IoT Networks”, Mention the ESCALB while explaining the SDN/NFV

5.     While explaining the efficiency of the results, please explain why the proposed method is better than others with some rational explanation.

 

6.     Abstract of the paper seems long. It can be shortened.

Needs minor edits with respect to grammar 

 

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Authors propose a transfer-learning method based on the SDN environment for evaluating intrusion detection.

 

It is a good paper with a nice research contribution. But there are some issues to to be pulished before accepting the paper:

 

- Authors should explain the structure of the paper at the end of the introduction section.

 

- I find missing some related works not included in the related work section such as:

 

Conditional Variational Autoencoder for Prediction and Feature Recovery Applied to Intrusion Detection in IoT. Sensors 2017, 17, 1967.

 

A GRU deep learning system against attacks in software defined networks, Journal of Network and Computer Applications 177, 102942. 2021

 

In section 3.2 there are some equation that should be placed out of the text and numbered.

 

- Graphs are quite better displayed if authors remove the boder of the figures and include the Y axis of the graph.

 

- Authors should place the graphs after thei have cited from the text. It is hard to start a section with a graph without any text before exaplinig what I am going to read and even without a sentence introducing the section.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

This paper proposes a new attack detection and identification method by using the machine learning methods, which solve the difficulty caused by small samples.  In general, the consider topic is interesting and the technique seems novel. I have the following comments:

1. The proposed method is a combination of the existing Transfer learning and Meta Learning methods. Hence, what is the difficulty by combining these two learning methods? If the combination is simple, then the novelty of this paper becomes minor.

2. On the1st stage (attack detection). The attack signal is usually strategically designed such that it is difficult to be detected. How to avoid the "stealthy" attacks based on the proposed algorithm? Or saying, the proposed method cannot be used to address the stealthy attacks?

3. On the 2nd step (attack detection). Is the proposed applicable to the case when only one type of attacks occurs? When the system suffers to multiple types of attacks, is the proposed method still feasible?

4. In my opinion, the proposed attack detection and identification method can only addree the active atacks such as DoS attacks, False data injection attacks. However, such a method cannot be applied to address the passive attacks such as eavesdropping attack which is studied in [Enhancement of opacity for distributed state estimation in cyber-physical systems]. I suggest that the authors give some remarks by combining the reference.

5. A main highlight of the proposed method that the performance is improve. However, how to evalute the performance of the proposed method? What is the performance measurement index?

The English of this paper is general good. I cannot find the grammatial errors.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 3 Report

The authors have addressed my previous comments. I have no further comments.

The English of this paper is generally good.