Peer-Review Record

A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing

Appl. Sci. 2019, 9(20), 4473; https://doi.org/10.3390/app9204473
by Yiran Hao 1,2, Yiqiang Sheng 1,2,* and Jinlin Wang 1,2
Submission received: 12 September 2019 / Revised: 15 October 2019 / Accepted: 18 October 2019 / Published: 22 October 2019
(This article belongs to the Section Computing and Artificial Intelligence)

Round 1

Reviewer 1 Report

Summary:

This paper proposed an algorithm for intrusion detection by analyzing the similarity of data packages using random walk associated with penalty. The pre-processing step with local similarity scores helps improve classification performance using deep auto-encoder. The authors evaluated the performance of the algorithm using public data sets and demonstrated superior performance of accuracy but worse detection rate than state-of-art algorithms. 

 

Comments:

The paper presented an intrusion detecting algorithm with better accuracy than existing solutions. The structure of the algorithm is clearly stated. The novelty of contribution seems limited. If I understand it correctly, the sole contribution is in the use of penalty in random walk for calculating similarity scores between packages. This in itself is not a problem if the performance is good. Unfortunately, the algorithm does not outperform prior approaches in both accuracy and detection rate. Moreover, the performance is sensitive to parameters such as optimization methods of the training algorithm (table 8) and the length of the random walk (table 9). It is unclear whether the length of the random walk that gives the best result should be used for other test sets. Indeed, if we use adam optimizer and l = 10, the performance is not that impressive. Also, it is unclear whether the length of the random walk has any significant effect on the runtime cost of the algorithm.

For improvement, I would like to see experiments on another dataset and see whether the chosen optimization method and random walk length provide the best result on that data set as well. 

 

Minor comments:

1. Color legends are not visible in the figures. Should be larger.

2. Repeated use of 'in detail', 'It is worth noting'.

3. Lots of grammar problems.

  Line 3 : 'To builds' to 'To build'

  Remove 'relative' from line 38 and 39. Too many uses of 'relative' when not needed.

  Line 50: 'leaning' to 'learning'

  Line 65: remove 'intuitively'

  Line 72: 'uses deep Auto-encoder to' --> 'uses deep Auto-encoder for'

  Line 79: This sentence is a mess. 

  Line 145: 'The literature reveals that has not used ...' --> 'The literature that we surveyed has not used ...'

  Line 225: 'This section will be described in section 3.4.' --> 'This step will be detailed in section 3.4.'

4. Excessive repetition of the same idea throughout the paper. Should be more concise.

5. While accuracy is great, detection rate is lower than state of art. How about using another metric?

6. Training time and inference time? How much overhead does this intrusion detection algorithm add to network stack?

Author Response

Response to Reviewer 1 Comments

 

 

Response to the reviewer’s comments:

Point 1: This paper proposed an algorithm for intrusion detection by analyzing the similarity of data packages using random walk associated with penalty. The pre-processing step with local similarity scores helps improve classification performance using deep auto-encoder. The authors evaluated the performance of the algorithm using public data sets and demonstrated superior performance of accuracy but worse detection rate than state-of-art algorithms. 

 

Response 1: Thank you for your comment. We have added evaluation indicators to Line 409-414. We added a comparison experiment in Line 506-515. We add the precision (P), and the F1 as evaluation indicators. The results show that the overall performance of our proposed algorithm is better than the latest unsupervised IDS algorithms. The newly added F1 is the harmonic mean of the precision and the detection rates. From the experimental results, it can be concluded that the proposed method is superior to the state-of-art algorithms in the accuracy, the precision, and the F1. The detection rate is the only metric for the proposal that ranks second among all five algorithms. The F1 of the proposed algorithm is 8.7% higher than the state-of-the-art algorithm. In summary, the overall performance of our proposal outperforms that of the state-of-the-art algorithm.

 

Point 2: The paper presented an intrusion detecting algorithm with better accuracy than existing solutions. The structure of the algorithm is clearly stated. The novelty of contribution seems limited. If I understand it correctly, the sole contribution is in the use of penalty in random walk for calculating similarity scores between packages.

 

Response 2: Thank you for your comment. We rewrote the content of Line 68-100 to get better understanding for our contributions. We have modified Line 77-81 to describe the contribution of a method for applying graph representation learning to IDS. It is the first time to extract features in intrusion detection using graph representation learning. Specifically, the main contributions are as follows. (1) This paper proposes a packet2vec learning algorithm based on graph representation by considering the relationship between network packets. (2) In this algorithm, we construct a relational graph G’ by using each packet as a node, calculate the cosine similarity between packets as edges, and then explore the low-order proximity of each packet via the penalty-based random walk in G’. We use the above algorithm as a preprocessing method to enhance the accuracy of unsupervised IDS by retaining the local proximity features of packets maximally. This is the first time in the intrusion detection to extract features using the graph representation learning algorithm. (3) A penalty is added to extract the local proximity features of network packets. (4) The local k-order proximity features are obtained to accurately characterize the similarity relationship between network packets from the similarity relational graph. In the best case, the accuracy, the detection rate, the precision, and the F1 of packet2vec-AE are up to 94.7%, 90.9%, 94.3%, and 92.6%, respectively. The proposed algorithm achieves the best performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms by 11.6%, 11.9% and 8.7%, respectively. In the worst case, the accuracy, the detection rate, the precision, and the F1 of packet2vec-AE reached 87.4%, 81.1%, 87.3% and 84.1%, respectively.
In the worst case, the proposed algorithm achieves the good performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms by 4.3%, 4.9% and 0.2%, respectively. (5) An empirical formula, i.e. pruning threshold ɛ Mean of weights in G’-depth’* penalty value, is designed to calculate the approximately optimal penalty value.

 

 

Point 3: This in itself is not a problem if the performance is good. Unfortunately, the algorithm does not outperform prior approaches in both accuracy and detection rate.

 

Response 3: Thank you for your comment. First, we added a performance comparison between our proposed algorithm and the latest algorithms in Line 84-101. Next, we added evaluation indicators to Line 410-415. Then, we added contrast experiments and analysis to Line 506-515. The accuracy of our proposed packet2vec algorithm is better than the accuracy of the latest methods available. In addition, we added two indicators, precision and F1, to evaluate the comprehensive performance of the proposed algorithm. The proposed algorithm achieves the good performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms. From Table 14, we can conclude that the algorithm outperforms state-of-the-art unsupervised algorithms approaches in accuracy, precision and F1.

Experiments have shown that using packet2vec-AE with penalty has the ability to achieve better performance than packet2vec-AE without penalty. In the best case, the accuracy and the detection rate of packet2vec-AE are up to 94.7% and 90.9%, respectively. The accuracy of the proposed algorithm is 11.6% higher than the state-of-the-art algorithm. In the worst case, the accuracy and the detection rate of packet2vec-AE reached 87.4% and 81.1%, respectively. In the worst case, the accuracy of the proposed algorithm is 4.3% higher than the state-of-the-art algorithm. The detection rate ranks second among all five algorithms. We used the harmonic mean to extract the local proximity features of network packets to comprehensively assess the detection rate and precision. We have added two indicators, precision and F1, to evaluate the comprehensive performance of the IDS. The precision and the F1 of packet2vec-AE are up to 94.3% and 92.6%, respectively. The precision of the proposed algorithm is 11.9% higher than the state-of-the-art algorithm. The F1 of the proposed algorithm is 8.7% higher than the state-of-the-art algorithm. In summary, the overall performance of our proposed algorithm outperforms the performance of the state-of-the-art algorithm.

 

 

Point 4: Moreover, the performance is sensitive to parameters such as optimization methods of the training algorithm (table 8) and the length of the random walk (table 9).

 

Response 4: Thank you for your suggestion. We added a parameter sensitivity analysis of our proposed algorithm in Line 594-605. We complement the performance of Table 8 and Table 9. We added the experiment and analyzed the experimental results. We have added a parameter sensitivity analysis of the proposed algorithm. From the experimental results of Table 8 and Table 9, it can be concluded that fluctuation range of the accuracy, the detection rate, the precision, and the F1 is not large regardless of how these parameters are changed. In other words, the experimental results are not sensitive to the parameters.

 

 

Point 5: It is unclear whether the length of the random walk that gives the best result should be used for other test sets.

 

Response 5:  Thank you for your comment. We added the worst-case experimental results in Line 506-515. We added the scalability analysis of our proposed algorithm in Line 598-605. It shows the length of the random walk is not sensitive.  In the worst case, the performance of the proposed algorithm is still higher than the state-of-the-art unsupervised algorithm. Therefore, we have reason to believe that the proposed algorithm has the potential to be extended to other data sets. Through the experimental results on the ISCX2012 dataset, it can be concluded that the fluctuation range of the accuracy of the length of the random walk, the accuracy rate, the detection rate, the precision, and the F1 is small. In other words, the experimental results are not sensitive to the length of the random walk. In the worst case, the performance of the proposed algorithm on the accuracy, the precision, and the F1 is still higher than the state-of-the-art unsupervised algorithm. Therefore, we have reason to believe that the proposed algorithm has the potential to be extended to other data sets. In future work, we will apply this algorithm to other data sets.

 

 

Point 6:  Indeed, if we use adam optimizer and l = 10, the performance is not that impressive.

 

Response 6: Thank you for your comment. Since it achieves better performances on the accuracy, the precision, and the F1 exceeding those of state-of-the-art algorithms by 4.3%, 4.9% and 0.2% in the worst case, the proposal is still with the best performance even if we use adam optimizer and l = 10. To make it clear, we added the worst-case experimental results in Line 506-515. Table 8 and Table 9 in this paper are mainly to illustrate how the proposed model chooses the optimal optimizer and the optimal random walk lengths. Table 8 and Table 9 provide the performance of the proposed algorithm under different optimizers and random walk lengths.

 

 

Point 7: Also, it is unclear whether the length of the random walk has any significant effect on the runtime cost of the algorithm.

 

Response 7: Thank you for your suggestion. We added the effect of random walk length on the runtime cost of the algorithm in Line 626-630. Intuitively, the length of the random walk is directly proportional to the runtime overhead of the proposed algorithm. The length of the random walk is the number of times the next node needs to be selected during the random walk. The transition probability needs to be calculated each time the next node is selected during the random walk.

 

Point 8: For improvement, I would like to see experiments on another dataset and see whether the chosen optimization method and random walk length provide the best result on that data set as well. 

 

Response 8: Thank you for your suggestion. We added new experiments in Line 506-515, and the parameter sensitivity analysis of our proposed algorithm in Line 594-605. In Line 601-605 we discussed the proposed algorithm is still superior to the latest algorithms available even if the selected parameters are not suitable. We think that the experimental results based on ISCX2012 are representative. We added new experiments and sensitivity analysis of the parameters. Most of the existing network intrusion detection data sets are based on manual experience to extract network packet features [23], such as NSL-KDD [17], KDD CUP 1999 [29], and Kyoto2009 [30]. The datasets of the existing raw network packets are ISCX2012 [27] and DARPA1998 [31]-[33]. The attacks in ISCX2012 are new [6]. Therefore, we didn’t increase another dataset this time. But we have added new experiments and sensitivity analysis of parameters. From Table 8, Table 9, and Table 14, we can conclude that our proposed algorithm is not sensitive to parameters. In the worst case, the proposed algorithm achieves the good performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms. Therefore, the proposed algorithm is still superior to the latest algorithms available even if the selected parameters are not suitable.

 

Response to the reviewer’s minor comments:

Point 1:

Color legends are not visible in the figures. Should be larger. Repeated use of 'in detail', 'It is worth noting'. Lots of grammar problems.

  Line 3 : 'To builds' to 'To build'

  Remove 'relative' from line 38 and 39. Too many uses of 'relative' when not needed.

  Line 50: 'leaning' to 'learning'

  Line 65: remove 'intuitively'

  Line 72: 'uses deep Auto-encoder to' --> 'uses deep Auto-encoder for'

  Line 79: This sentence is a mess. 

  Line 145: 'The literature reveals that has not used ...' --> 'The literature that we surveyed has not used ...'

  Line 225: 'This section will be described in section 3.4.' --> 'This step will be detailed in section 3.4.'

Excessive repetition of the same idea throughout the paper. Should be more concise.

 

Response 1: Thank you for your careful work.  We have tried our best to modify the colors in the figures to increase their discrimination. We modified the grammar problems in the comment. We have simplified the language of the full text as much as possible, and we removed the duplicate 'in detail', 'It is worth noting' words. For example:

Line 411: ‘In detail, the accuracy rate is an indicator that ...’ --> ‘The accuracy rate is an indicator that ...’

Line 165: ‘It is worth noting that the vector of the network packet used to... ’--> ‘The vector of the network packet used to... ’

Line 184: ‘It is worth noting that first-order proximity is equivalent to ...’ --> ‘First-order proximity is equivalent to ...’

 

Point 2:

While accuracy is great, detection rate is lower than state of art. How about using another metric?

 

Response 2: Thank you for your suggestion. We added two evaluation indicators precision and F1 in Line 409-414. We added Table 7, Table 8, Table 9 experiments in Page 17-19. We add a comparison of the performance of the proposed algorithm with the latest algorithms in Table 14 and Line 506-515. We have added two evaluation indicators, precision and F1. We use accuracy (ACC), detection rate (DR), precision (P), and F1 as evaluation indicators [34]. In detail, the accuracy rate is an indicator that describes the correctness of the intrusion detection algorithm to detect whether there is an intrusion. The detection rate is used to measure the detection performance of the intrusion detection system. The precision refers to the ratio of the number of positive samples that are actually predicted to positive samples to the number of positive samples predicted by the intrusion detection system. F1 is the harmonic mean of the precision and detection rates.

From the experimental results, it can be concluded that the performance of the proposed algorithm is superior to state-of-art algorithms in accuracy, precision, and F1. It can be seen from Table 14 that the proposed packet2vec-AE algorithm achieves the best performances regarding the accuracy exceeding those of the other state-of-the-art algorithms by 11.6%. The proposed packet2vec-AE algorithm achieves the best performances regarding the precision exceeding those of the other state-of-the-art algorithms by 11.9%. The detection rate was only worse than that of the best algorithm and ranks second among all five algorithms. We used the harmonic mean F1 to comprehensively assess the detection rate and precision. The proposed packet2vec-AE algorithm achieves the best performances regarding the F1 exceeding those of the other state-of-the-art algorithms by 8.7%. The proposed node2vec-AE algorithm achieves the best performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms by 4.3%, 4.9% and 0.2%, respectively. Therefore, we have enough reason to say that the performance of the proposed algorithm is better than the latest methods.

 

 

Point 3:

Training time and inference time? How much overhead does this intrusion detection algorithm add to network stack?

 

Response 3: Thank you for your suggestion. We added a discussion of training time and inference time on Line 547-553. For training and testing time, all of my experiments were able to run in 24 hours under the server configuration shown in Table 13. The experiment of obtaining the local proximity features of the network packet using the Packet2vec algorithm can be completed in 16G memory within 12 hours. The experimental time for intrusion detection using the extracted network packet characteristics as input to Deep Auto-encoder is within 1 hour. The overall operating time is within an acceptable range. The ISCX 2012 dataset appeared later. Therefore, we could not find enough literature on training, testing time, and memory size, and we were not able to evaluate it [6].

 

 

Reviewer 2 Report

Regarding the article applsci-604573 entitled A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing and they have clearly shown the advantages in performance of their approach with respect to others from the literature in this field.

 

Authors use a readable English, since there are some parts that were difficult to understand. So, Authors expose the justification and It is difficult the exposition of the main problem.

 

Furthermore, Authors expose the justification and I could not find the explanation of the main problem in a clearly way.

Also, this paper is a research based on references of years 1981 to 2019, namely authors consider recent references, since the 51.92% of references of the last five years, in addition References are according to the topic that they try to introduce.

 

Originality Report shows that this article has a similarity index of 15%, which can be considered as original work, this similarity report is attached to this review.

 

Please consider the following remarks to improve your article (in some cases, P refers to Page or Pages and L is the Line or Lines where you can find these remarks):

 

The problem and justification are well described.

 

The comparison between state-of-the-art algorithm is not complete at all.

 

Well distribution of the elements to be described or analyzed

 

There is not enough experimentation nor comparison of the results that demonstrate the novelty of the project. Since a comparative table of related work is missing

 

Results barely exposed, It is needed to add more recent algorithms related to Table 14

 

Use a comparative table of the characteristics of the related work, in addition use scatter plots that help the experimental results.

 

Equations are well described or defined

 

Section References is complete, since it has 52% of recent works.

 

Reference 49 has no year.

 


 

The conclusions are not consistent with the objectives initially set.

 

So, I suggest modifying, if it is the case, for the publication in the journal MDPI: Applied Sciences, since the paper by itself has a great potential to publish.

 

Regards.

Author Response

Response to Reviewer 2 Comments

 

 

 

Point 1: Regarding the article applsci-604573 entitled A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing and they have clearly shown the advantages in performance of their approach with respect to others from the literature in this field.

 

Equations are well described or defined

 

The problem and justification are well described.

 

Well distribution of the elements to be described or analysed

 

Also, this paper is a research based on references of years 1981 to 2019, namely authors consider recent references, since the 51.92% of references of the last five years, in addition References are according to the topic that they try to introduce.

 

Section References is complete, since it has 52% of recent works.

 

Use a comparative table of the characteristics of the related work, in addition use scatter plots that help the experimental results.

 

Authors use a readable English, since there are some parts that were difficult to understand. So, Authors expose the justification and It is difficult the exposition of the main problem

 

Response 1: Thank you for your comments. In order to improve the expression of English, we have carefully revised the full text. In order to make this article easier to understand, we have modified the use of words, grammatical errors and so on. We also polished the full text. To further enhance the paper, we have added more comparative tables and descriptions of major issues to improve the legibility of the article.

 

 

Point 2: Furthermore, Authors expose the justification and I could not find the explanation of the main problem in a clearly way.

 

Response 2: Thank you for your suggestion. We modified Line 3-6 and Line 68-77 to highlight the main issues we solved. The main problem is the existing unsupervised IDS preprocessing ignores the similarity relationship between network packets, which leads to the performance of IDS is not high.

Most existing studies on unsupervised intrusion detection system (IDS) preprocessing ignore the relationship among packets. According to homophily hypothesis, the local proximity structure in the similarity relational graph has similar embedding after preprocessing. Therefore, the existing unsupervised IDS preprocessing ignores the similarity relationship between network packets, which leads to the performance of IDS is not high. In order to improve the performance of the existing unsupervised algorithms of intrusion detection, this paper proposes a packet2vec learning algorithm to extract the local proximity features of network packets. The proposed algorithm based on graph representation by considering the relationship between network packets, and then uses deep Auto-encoder for an intrusion detection system.

 

 

Point 3: Originality Report shows that this article has a similarity index of 15%, which can be considered as original work, this similarity report is attached to this review.

 

Response 3: Thank you for your careful work. We modified the article to further reduce the similarity index.

 

 

Point 4: The comparison between state-of-the-art algorithm is not complete at all.

 

Response 4: Thank you for your suggestion. We added two evaluation metrics the precision and the F1 in Line 409-414. We added Table 7, Table 8, Table 9 experiments in Page 17-19. We add a comparison of the performance of the proposed algorithm with the state-of-the-art algorithms in Table 14 and Line 505-515. We use accuracy (ACC), detection rate (DR), precision (P), and F1 as evaluation indicators. In detail, the accuracy rate is an indicator that describes the correctness of the intrusion detection algorithm to detect whether there is an intrusion. The detection rate is used to measure the detection performance of the intrusion detection system. The precision refers to the ratio of the number of positive samples that are actually predicted to positive samples to the number of positive samples predicted by the intrusion detection system. F1 is the harmonic mean of the precision and detection rates.

From the experimental results, it can be concluded that the performance of the proposed algorithm is superior to state-of-art algorithms in accuracy, precision, and F1. It can be seen from Table 14 that the proposed packet2vec-AE algorithm achieves the best performances regarding the accuracy exceeding those of the other state-of-the-art algorithms by 11.6%. The proposed packet2vec-AE algorithm achieves the best performances regarding the precision exceeding those of the other state-of-the-art algorithms by 11.9%. The detection rate was only worse than that of the best algorithm and ranks second among all five algorithms. We used the harmonic mean F1 to comprehensively assess the detection rate and precision. The proposed packet2vec-AE algorithm achieves the best performances regarding the F1 exceeding those of the other state-of-the-art algorithms by 8.7%. The proposed node2vec-AE algorithm achieves the best performances regarding the accuracy, the precision, and the F1 exceeding those of the other state-of-the-art algorithms by 4.3%, 4.9% and 0.2%, respectively. Therefore, we have enough reason to say that the performance of the proposed algorithm is better than the latest methods.

 

 

Point 5: There is not enough experimentation nor comparison of the results that demonstrate the novelty of the project. Since a comparative table of related work is missing

 

Response 5: Thank you for your suggestion. In order to highlight the novelty and contribution of this paper, we compare the similarities and differences between our algorithm and existing algorithms in Table 15 and Table 16. In Line 606-625, we added a comparison of the similarities and differences between the proposed algorithm and the latest algorithm. We added the experiments in Table 7, Table 8, Table 9, and Table 14 in Page 17-19 to supplement the experimental results. We have added Table 15, which contains theoretical comparisons of existing and proposed algorithms to highlight the novelty and contribution of this article. We have added Table 16, which contains a theoretical comparison of the latest graph representation learning algorithms to highlight the novelty and contribution of this article. From the experimental results of Table 7, Table 8 and Table 9, it can be concluded that fluctuation range of the accuracy, the detection rate, the precision, and the F1 is not large regardless of how these parameters are changed. In other words, the experimental results are not sensitive to the parameters. In the best case, the accuracy, the detection rate, the precision, and the F1 of packet2vec-AE are up to 94.7%, 90.9%, 94.3%, and 92.6%, respectively. In the worst case, the performance of the proposed algorithm on the accuracy, the precision, and the F1 is still higher than the state-of-the-art unsupervised algorithm. In order to highlight the novelty and contribution of this paper, we compare the similarities and differences between our algorithm and existing algorithms in Table 15 and Table 16. Table 15 compares the similarities and differences between the latest three unsupervised IDS algorithms and our proposed algorithms. Most existing studies on unsupervised IDS preprocessing ignore the relationship among packets. As a result, the performance of existing unsupervised IDS is not high. 
According to homophily hypothesis, the local proximity structure in the similarity relational graph has similar embedding after preprocessing. Our proposed algorithm pre-processing combines the local proximity feature of the network packet with the original features of the network packet as input to the Deep Auto-Encoder. Our proposed algorithm is equivalent to the use of local proximity features of network packets to enhance the original features of network packets. From Table 15, we can conclude that the performance of the existing PCA-IDS 2017 and RBM-IDS 2017 depends on the features of manual experience extraction. Our proposed algorithm uses graph representation learning for automatic preprocessing. Therefore, our proposed algorithm is suitable for raw network traffic data. Table 16 compares the latest graph representation of the similarities and differences between the learning algorithm and our proposed algorithm. Deepwalk and Node2vec are easy to sample into the higher-order proximity range, which makes it impossible to accurately describe the low proximity features of the current node; LINE does not have the ability to simultaneously sample first-order proximity and second-order proximity, so the algorithm has limitations; our proposed algorithm has the ability to extract first-order proximity, second-order proximity, and low-order proximity. This is the first time in the intrusion detection to extract features using the graph representation learning algorithm.

 

 

Point 6: Results barely exposed, It is needed to add more recent algorithms related to Table 14

Response 6: Thank you for your comment. We added some recent algorithms to Table 14. We add a comparison of algorithm performance in Line 540-546. Most of the existing unsupervised algorithms are tested on the NSL-KDD, KDD CUP 1999, and Kyoto2009 data sets. However, these network intrusion detection data sets are based on manual experience to extract network packet features. The datasets of the existing raw network packets are ISCX2012 and DARPA1998. The attacks in ISCX2012 are new. Therefore, ISCX2012 is our most suitable choice for a fair comparison. The latest unsupervised algorithms and existing unsupervised algorithms for experiments on the ISCX2012 dataset are included in Table 14. Therefore, we have added supervised algorithms for experiments on ISCX2012, such as SVM-IDS 2017, J48-IDS 2017, and C4.5-IDS 2016. The performance of the SVM-IDS 2017, J48-IDS 2017, and C4.5-IDS 2016 algorithms is for reference only. The algorithm we propose does not require performance comparisons with these three algorithms. The algorithm we propose is unsupervised, but the three algorithms are supervised. So this comparison is unfair. In intrusion detection, labels are difficult to obtain. The advantage of an unsupervised algorithm is that it can perform intrusion detection on all network traffic without being restricted by labels.

 

Point 7: Reference 49 has no year.

 

Response 7: We are sorry for our negligence. The reference has been added to the year. We have modified the article Line 764-765. The revised references are as follows.

Noorbehbahani, F.; Fanian, A.; Mousavi, R.; Hasannejad, H. An incremental intrusion detection system using a new semi-supervised stream classification method, International Journal of Communication Systems. 2015.

 

 

 

Point 8: The conclusions are not consistent with the objectives initially set.

 

Response 8: Thank you for your suggestion. We modified Line 3-6 and Line 68-77 to ensure consistency with the objectives initially set. We revised the abstract of this article to align the conclusion with the objectives initially set. The objectives initially set can be drawn from lines 3-6 and lines 68-77. The main objective is to improve the performance of IDS using the existing unsupervised IDS preprocessing due to ignoring the similarity relationship between network packets. The conclusions of this paper can be drawn from Line 639-652. The conclusions are consistent with the objectives initially set. In this paper, packet2vec learning algorithm is used to preprocess the network packet to obtain local proximity features that describe the similarity relationship between network packets. The local proximity features of the network packets are combined with the original features as the input of the deep auto-encoder for intrusion detection. The experiment proves that our proposed algorithms achieve higher accuracy than three of the state-of-the-art algorithms.

Author Response File: Author Response.pdf
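
The preprocessing pipeline described in the author responses (packets as nodes, cosine similarity as edge weights, a penalty-based random walk that samples low-order proximity) can be sketched as follows. This is an added example, not the authors' packet2vec code. The feature vectors, the pruning threshold 0.93 and the penalty form (edge weight minus penalty times hop distance from the start node) are assumptions, since this record does not state them.

```python
import math
import random
from collections import deque

# Constructed stand-in data: 9 unit feature vectors whose direction drifts by
# 10 degrees per packet, so cosine similarity falls off with index distance.
PACKETS = [(math.cos(math.radians(10 * i)), math.sin(math.radians(10 * i)))
           for i in range(9)]


def cosine(u, v):
    """Cosine similarity of two feature vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def build_graph(packets, threshold):
    """Relational graph: one node per packet, edge weight = cosine similarity,
    edges below `threshold` pruned (threshold value is an assumption)."""
    graph = {i: {} for i in range(len(packets))}
    for i in range(len(packets)):
        for j in range(i + 1, len(packets)):
            w = cosine(packets[i], packets[j])
            if w >= threshold:
                graph[i][j] = w
                graph[j][i] = w
    return graph


def hop_distances(graph, start):
    """Breadth-first hop count from `start` to every reachable node."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nb in graph[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist


def penalty_walk(graph, start, length, penalty, rng):
    """Random walk of `length` steps; one transition distribution is computed
    per step, so the cost grows linearly with the walk length.
    ASSUMED penalty form: score = edge weight - penalty * hop distance of the
    candidate from `start`, with non-positive scores dropped."""
    dist = hop_distances(graph, start)
    walk = [start]
    for _ in range(length):
        nbrs = graph[walk[-1]]
        if not nbrs:
            break  # isolated node: nothing to sample
        scores = {n: w - penalty * dist[n] for n, w in nbrs.items()
                  if w - penalty * dist[n] > 0}
        if not scores:
            scores = dict(nbrs)  # every candidate penalized away: plain walk
        r = rng.random() * sum(scores.values())
        for nxt, s in scores.items():
            r -= s
            if r <= 0:
                break
        walk.append(nxt)
    return walk


def hop_profile(graph, start, length, penalty, walks=200, seed=7):
    """Fraction of sampled nodes at each hop distance from `start`."""
    rng = random.Random(seed)
    dist = hop_distances(graph, start)
    counts = {}
    for _ in range(walks):
        for node in penalty_walk(graph, start, length, penalty, rng)[1:]:
            counts[dist[node]] = counts.get(dist[node], 0) + 1
    total = sum(counts.values())
    return {hop: c / total for hop, c in sorted(counts.items())}


if __name__ == "__main__":
    g = build_graph(PACKETS, threshold=0.93)
    print("no penalty  :", hop_profile(g, 0, length=10, penalty=0.0))
    print("penalty 0.4 :", hop_profile(g, 0, length=10, penalty=0.4))
```

With the penalty set to 0 the walk behaves like a plain weighted walk and drifts into higher-order neighbours; with the assumed penalty of 0.4 every sample stays within two hops of the start packet.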

Round 2

Reviewer 1 Report

The authors have mostly addressed my concerns. Though a separate experiment hasn't been conducted, the additional discussion is probably sufficient for publication.

Reviewer 2 Report

First of all, thanks for considering me as reviewer of the Journal MDPI: Applied Sciences. Regarding the article applsci-604573 entitled A Graph Representation Learning Algorithm for Low-Order Proximity Feature Extraction to Enhance Unsupervised IDS Preprocessing and they have clearly shown the advantages in performance of their approach with respect to others from the literature in this field.

Authors use a readable English, since there are some parts that were easy to understand. So, Authors expose the justification and It is easy the exposition of the main problem.

 

Furthermore, Authors expose the justification and I could find the explanation of the main problem in a clearly way.

Also, this paper is a research based on 55 references of years 1981 to 2019 (38 years of research), namely authors consider recent references, since the 60% of references of the last five years, in addition References are according to the topic that they try to introduce.

 

Originality Report shows that this article has a similarity index of 15%, which can be considered as original work, this similarity report is attached to this review.

 

 

So, I suggest accepting the paper for the publication in the journal MDPI: Applied Sciences, since the paper by itself has a great potential to publish.

 

Regards,

 

Dr. Jaime Moreno

Instituto Politécnico Nacional, México

Comments for author File: Comments.pdf
