Next Article in Journal
Magnetic Shell Structure of 2D-Trapped Fermi Gases in the Flat-Band Lieb Lattices
Previous Article in Journal
Femtosecond Pulse Laser Near-Field Ablation of Ag Nanorods
Previous Article in Special Issue
Cyber-Physical Attack Detection and Recovery Based on RNN in Automotive Brake Systems
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Applied Sciences
Volume 9
Issue 3
10.3390/app9030364
Review Report
applsci-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

Efficacy Improvement of Anomaly Detection by Using Intelligence Sharing Scheme

Appl. Sci. 2019, 9(3), 364; https://doi.org/10.3390/app9030364
by Muhammad Tahir 1,*, Mingchu Li 1,*, Naeem Ayoub 2 and Muhammad Aamir 3
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Appl. Sci. 2019, 9(3), 364; https://doi.org/10.3390/app9030364
Submission received: 6 November 2018 / Revised: 21 December 2018 / Accepted: 13 January 2019 / Published: 22 January 2019
(This article belongs to the Special Issue Security and Privacy for Cyber Physical Systems)

Round 1

Reviewer 1 Report

This paper addresses the problem of improving the network flow-based

detection of malicious communication performed by the Cisco Cognitive

Threat Analytics IDS by using the features provided this monitoring

system and aggregating information provided from several instances on

the system across different networks.


While the authors put certain effort into performing a series of

experiments and evaluating their idea of global and individual

detection, the paper presents, unfortunately, a large number

of important flaws.


In particular:


- The English language used is very poor and sometimes broken to the

  point of rendering some sentences very hard to understand. Moreover,

  the are some strange things like the use of parenthesis in sentences

  that do not require them (e.g. lines 91, 94, 203, 205, 207, 212,

  254, 261, 264, 267, 715, 717, etc). In general, the authors need to

  reread the text and be sure that every sentence has a proper

  structure (subject, verb, etc).


- The structure of the text could be largely improved. For instance,

  the authors describe the different types of IDS in the introduction

  but this is unrelated to the topic of the paper. Instead, the

  authors could clearly state the problem they are trying to address

  and explain how their approach improves over existing approaches.

  Also, lines from 54 to 64 could be indented.  Although it can be

  understood from reading the text, it is rather confusing to have all

  bullet points at the same indentation.  Moreover, the challenges faced by

  network anomaly detection would be better in a background section or

  in the introduction than in the related work. Here, the

  authors should review previous literature where machine learning is

  applied to network flows for malware detection. There is plenty of

  it and it and would allow the authors to motivate their work.

  Additionally, the section "Proposed architecture" should not be in

  the related work section.  Again in 210, bullets and indentation

  would help. Finally, the authors mention results from the

  experiments during the explanation of the method, as in line 500

  (eg. "specifically 99.2%"). Such references are out of context and

  should be removed.


- Regarding the methodology and the evaluation, it is clear from the

  results, that the approach does not work properly. In any case, it

  is difficult to make a clear assertion of the performance. Here, I

  see several issues. For instance, in Figure 7, for the TPR to reach

  a reasonable value, the FPR needs to be almost 20%. This is

  extremely large for a detection system. For a 10% FPR, which is

  already very large, the TPR is very low.  In the case of Figure 8,

  the AUC between 0 and 1 only tells us, roughly, how different

  methods compare with each other, but no information about the TPR at

  a low FPR is provided. This is essential to understand how a

  classifier is performing for a specific problem.


OTHER COMMENTS:


- Figure 2 proportions distort the image.

- L15: What does sharing intelligence mean?

- L683: Strange character over the text. 

- Figure 5 should not have lines, it is an histogram, company IDs are

  independent, they should be bars.


TYPOS (only some here, there are many more):


- L16: In *the* second

- L17: variants __ based 

- L728: "Figure 5. Flow counts per network."

- L729 Networks/networks


Author Response

First of all, we would like to thank the reviewer for the excellent suggestions and comments. Without these suggestions, this manuscript would not have been in the current shape and form. Based on the valuable reviews and comments of the reviewers, we have thoroughly revised the manuscript. We hope that the reviewers will find that the current revision is up to their required standards. 

Response to Reviewer 1 Comments

Reviewer #1

This paper addresses the problem of improving the network flow-based detection of malicious communication performed by the Cisco Cognitive Threat Analytics IDS by using the features provided this monitoring system and aggregating information provided from several instances on the system across different networks.

While the authors put certain effort into performing a series of experiments and evaluating their idea of global and individual detection, the paper presents, unfortunately, a large number of important flaws.

Point-1: The English used is very poor and sometimes broken to the point of rendering some sentences very hard to understand?

Response-1: We have revised every section carefully, identify grammar and spelling issues and then rectified errors.

Point-2: Moreover, there are some strange things like the use of parenthesis in sentences that do not require them (e.g. line 91, 94, 203, 205, 207, 212, 254, 261, 264, 267, 715, etc.). In general, the authors need to reread the text and be sure that every sentence has a proper structure (Subject, Verb, etc.).

Response-2: Thanks for the anonymous reviewer for this excellent comment. Yes there were grammatical mistakes in the manuscript. In our updated manuscript we have read each section carefully and the errors are rectified.  We have improved the structure of the sentences throughout the manuscript, now all the sentences are more meaningful and in sequence.

Point-3: The structure of the text could be largely improved. For instance, the authors describe the different types of IDS in the introduction but this is unrelated to the topic of the paper. Instead, the authors could clearly state the problem they are trying to address and explain how their approach improves over existing approaches.

Response-3: Thanks for this valuable comment. According to the suggestions of reviewer, we have added the major challenges (1.1. Major Challenges in Anomaly-based IDS) and main goals (1.2 Main Goals and Contributions) of this study in the Introduction section. 

Point-4: Also, line from 54 to 64 could be indented. Although it can be understood from reading the text, it is rather confusing to have all bullet points at the same indentation. Moreover, the challenges faced by network anomaly detection would be better in a background section or in the introduction than in the related work. Here, the authors should review previous literature where machine learning is applied to network flows for malware detection. There is plenty of it and would allow the authors to motivate their work.

Response-4: This is very good observation by the reviewer, we have rearranged the paragraphs. we have move the section related to the Major Challenges in Anomaly-based IDS in the introduction section. Due to the re-arrangements of the paragraphs, the lines “54-64” are moved to “58-66”.

Point-5: Additionally, the section “Proposed architecture” should not be in the related work section. Again in 210, bullets and indentation would help. Finally, the authors mention results from the experiments during the explanation of the method, as in line 500 (e.g. “specifically 99.2 %”). Such reference are out of context and should be removed.

Response-5: This is also a good observation and thanks for this valuable suggestion. We have moved the section related to the proposed architecture from related work and combined the sections related to the proposed architecture and Proposed Algorithm in Section 4. Additionally, we have removed the reference “specifically 99.2 %” (Line # 450).

Point-6: Regarding the methodology and the evaluation, it is clear from the results that the approach does not work properly. In any case, it is difficult to make a clear assertion of the performance. Here, I see several issues. For instance, in Figure 7, for the TPR to reach a reasonable value, The FPR needs to be almost 20%. This is extremely large for a detection system. For a 10% FPR, which is already very large, the TPR is very low. In the case of Figure 8, the AUC between 0 and 1 only tells us, roughly, how different methods compare with each other, but no information about the TPR at a low FPR is provided. This is essential to understand how a classifier is performing for a specific problem.

Response-6: Thanks for your observation, but according to our experimental evaluation (Section 6.2), we compared TCP flags anomaly detectors with anomaly measures (Section 5.2, Equation #3) (Figure 4). Further, referred both with link aggregation bonding (Fig 1.). over source and destination IP (srcIP, dstIP) addresses (5 detectors in total) with other existing anomaly detectors from the prior art described detail in (section 2). To compare these methods we have created the Receiver Operation Characteristics (ROC) of each of the mentioned anomaly detection methods, chosen several number of real networks (Fig 6.) and number of flow counts per network according to the number of company’s identification ID (Fig 5.). Next, we have evaluated the ROC’s Area Under the Curve (AUC) to be able to easily compare all the presented methods. Because we are interested only in the false positive rates smaller than 1% of all the traffic, we computed the ROC’s AUC as an integral of the ROC up to 1% of false positive threshold. This gives us good insight about the detector’s performance for small false positive threshold, which is important to the field of network anomaly detection.

Other Comments:

·         Figure 2 proportions distort the image.

Response: We have improved the quality of the image (Figure 2).

·         L15: What does sharing intelligence mean?

Response: Intelligence sharing is meant to facilitate the user of an actionable intelligence to a broader range of decision making.

·         L683: Strange character over the text.

Response: This was typo, we have rectified the error.

·         Figure 5 should not have lines, it is a histogram, company IDs are independent, and they should be bars.

Response: In figure 5, we were trying to show the number of companies IDs according to the number of networks. As companies IDs are more than 300, it is difficult to show these ids on Histogram.

TYPOS (only some here, there are many more):

·         L16: In *the* Second

Response: We have rectified the error.

·         L17: variants-based

Response: We have rectified the error.

·         L728: “Figures 5. Flow counts per network.”

Response: We have rectified the error.

·         L729: Networks/networks

Response: Yes, It’s a word “Networks”.


Reviewer 2 Report

The authors propose a scheme to improve anomaly detection using threat intelligence. The paper is well written however, will require a thorough proofreading as numerous grammatical mistakes are made within the manuscript.


Section 2 Related Works describes the challenges of the anomaly detection, while most points made are valid, it is surprising to see that no recent work is being considered within the description of this section. I.e. recent work has been published by Al Tobi and Duncan (2018) on the problems of the KD99 datasets ,  Hindy et al. (2018) published a review on the issues of current datasets and the lack of representative attacks, while line 151, touches this problem, I would advise to revise the section and add the problems described hereabove. 


The authors are not clear on how this scheme is different from collaborative anomaly detection systems. 


Equation 1,2,4 and 5 should be better described and information related to the equations should be highlighted within the text. 


In Section 5.1. the authors describe the datasets used. While the dataset is private, but represent a real life example, could the authors highlight how their experiments can be reproduced by other teams.


Can the authors provide a justification of the split of data, why those splits ? have they been chosen at random or over multiple trial and error, etc. 


ROC and AUC have been critisized by multiple researchers succh as Hanczar et al (2010), Lobo et al. (2008) and Hand (2009). Could the authors provide a justification for its usage. 


The future work highlights some solutions to decrease the fp rate , could the author explain why it hasn't been implemented in the main body of work ?


Author Response

First of all, we would like to thank the reviewer for the excellent suggestions and comments. Without these suggestions, this manuscript would not have been in the current shape and form. Based on the valuable reviews and comments of the reviewers, we have thoroughly revised the manuscript. We hope that the reviewers will find that the current revision is up to their required standards. 

Comments Reviewer 2

The authors propose a scheme to improve anomaly detection using threat intelligence. The paper is well written however, will require a thorough proofreading as numerous grammatical mistakes are made within the manuscript.

Point 1. Section 2 Related Works describes the challenges of the anomaly detection, while most points made are valid, it is surprising to see that no recent work is being considered within the description of this section. I.e. recent work has been published by Al Tobi and Duncan (2018) on the problem of the KD99 datasets, Hindy et al. (2018) published a review on the issues of current datasets and the lack of representative attacks, while line 151, touch this problem, I would advise to revise the section and add the problems described here above. 

Response 1: Thanks for the reviewer for this valuable comments. We have thoroughly revised the section and cited the recent articles published by AI Tobi [16, 17] line 139.

Point-2: The authors are not clear on how this scheme is different from collaborative anomaly detection systems.

Response-2: Thanks for this valuable comment. CTA-IDS is already collaborative device installed globally in enterprise-networks, cs-host flow field is not available in HTTP(S) traffic but the host name can be extracted from HTTP(S) certificate information. We are collaborating on the new updated version of software design of CTA-IDS, implementation, and evaluation of new Machine learning algorithms. By the inter-network data correlations in Cisco CTA-IDS, and collaborative anomaly-based networks IDS on malware that uses network traffic encryption to avoid detection described in (Section 2). Further details can be seen in table 1.

Point.3: Equation 1, 2, 4 and 5 should be better described and information related to the equation should be highlighted within the text.

Response-3: Thanks for your suggestion we have updated and highlighted the text related to the equation 1, 2, 4 and 5.

Point.4: In Section 5.1. The authors describe the datasets used. While the dataset is private, but represent a real life examples, could the authors highlight how their experiments can be reproduced by the other teams? 

Response-4: Thanks for your important question, we agree with you on the datasets are private (indeed). We have represent a several number of real network examples because of the extract observable features in the CTA-IDS software testing requirements, and ideas are new routes. So every researcher can get destination faster. Finally, for the perspective of reproducing new experiments other teams also try to get familiar with decision related classification techniques, prepare and get familiar with the training and testing data sets, propose and implement methods in a chosen programming language and evaluate the methods on real world data set.

Point.5: Can the authors provide a justification of the split of data, why those splits? Have they been chosen at random or over multiple trial and error, etc.?

Response-5: Thanks for your excellent comment, In order to test the deployment scenario described in (Section 5.1), the dataset must be splitted chronologically into two parts. The first part is used to create and test a global reputation table while the second part is used to evaluate the possible improvements of per-flow anomaly scores using a reputation table. Coupled with the fact that there must be a warm-up period in which the anomaly detectors are learning the characteristics of network traffic and do not provide useful output.

Point.6: ROC and AUC have been criticized by multiple researchers such as Hanczar et al (2010), Lobo et al. (2008) and Hand (2009). Could the authors provide a justification for its usage?

Response.6: Thanks for your good question, regarding ROC and AUC criticism. We are agree with you on the criticism according to the articles Hanczar et al (2010), Lobo et al. (2008) and Hand (2009), but according to our experimental evaluation (Section 5.2), we compared TCP flags anomaly detectors with anomaly measures (Section 5.2, Equation #3) denoted by (Figure 4). Furthermore, referred both with link aggregation bonding (Fig 1) over source and destination IP (srcIP, dstIP) addresses (5 detectors in total) with other existing anomaly detectors from the prior art described in detail  (section 2). To compare these methods, we have created the Receiver Operation Characteristics (ROC) of each of the mentioned anomaly detection methods chosen several number of real networks (Fig 6.) and number of flow counts per network according to the number of company’s identification ID (Fig 5.). Next, we have evaluated the ROC’s Area Under the Curve (AUC) to be able to easily compare all the presented methods. Because we are interested only in the false positive rates smaller than 1% of all the traffic, we computed the ROC’s AUC as an integral of the ROC up to 1% of false positive threshold. This gives us good insight about the detector’s performance for small false positive threshold, which is important to the field of network anomaly detection.

Point.7: The future work highlights some solutions to decrease the FP rate, could the author explain why it hasn’t been implemented in the main body of work?

Response-7: Thanks for asking this important question, this future work is also in process, our team is working on this project.


Reviewer 3 Report

In this study, the authors propose two new methods to improve the efficacy of the Cisco Cognitive Threat system. In the first method, the efficacy of CTA is improved by sharing intelligence across many enterprise networks. In the second method, four variants based Global Reputation Model is designed by employing outlier ensemble normalization algorithms in presence of missing data. Intelligence sharing provides additional information to the intrusion detection process, which is much needed particularly for analysis of encrypted traffic with inherently low information content.

This paper has the potential to be accepted, but some important points have to be clarified or fixed before we can proceed and a positive action can be taken.

We here summarize these points:

1.    I think the motivation for the present research would be clearer if the authors could provide a more direct link between the importance of choosing the appropriate methods that have proposed and the case study that have presented. One way to demonstrate this connection would be to a comparison with other similar methods.

2.    A major issue of the paper is the explanation on how the authors have chosen this specific architecture for the proposed method, how it emerged and why the proposed architecture is the optimal solution.  

3.    Also, the authors should clearly define which are the innovative features of their proposal with respect to adopted logics.

4.    We need to understand precisely if the proposed mechanism is able to face other real case scenarios.

5.    Is the design of the study consistent with its aims?

6.    The authors do not include a detailed description of how the method proposed can be extended.

7.    Finally, the authors should make a final check on the compliance of the paper to the formatting guidelines and need to delete the template guidance at the end of the paper.


Author Response

First of all, we would like to thank the reviewers for the excellent suggestions and comments. Without these suggestions, this manuscript would not have been in the current shape and form. Based on the valuable reviews and comments of the reviewers, we have thoroughly revised the manuscript. We hope that the reviewers will find that the current revision is up to their required standards. 

Comments Reviewer #3

In this study, the authors propose two new methods to improve the efficacy of the Cisco Cognitive Threat system. In the first method, the efficacy of CTA is improved by sharing intelligence across many enterprise networks. In the second method, four variants based Global Reputation Model is designed by employing outlier ensemble normalization algorithms in presence of missing data. Intelligence sharing provides additional information to the intrusion detection process, which is much needed particularly for analysis of encrypted traffic with inherently low information content.

This paper has the potential to be accepted, but some important points have to be clarified or fixed before we can proceed and a positive action can be taken.


Point-1. I think the motivation for the present research would be clearer if the authors could provide a more direct link between the importance of choosing the appropriate methods that have proposed and the case study that have presented. One way to demonstrate this connection would be to a comparison with other similar methods.

Response.1: Thanks for this valuable comment. According to the suggestions of reviewer, we have added the major challenges (1.1. Major Challenges in Anomaly-based IDS) and main goals (1.2 Main Goals and Contributions) of this study in the Introduction section, which demonstrate the importance of the proposed method. The comparison of the proposed method with state-of-the-Art method is given in the section 3 (Related work and State-of-the-Art).

Point-2.  A major issue of the paper is the explanation on how the authors have chosen this specific architecture for the proposed method, how it emerged and why the proposed architecture is the optimal solution.

Response.2: CTA-IDS is already collaborative device installed globally in enterprise-networks, there is a gap of cs-host flow field that is not available in HTTP(S) traffic but the host name can be extracted from HTTP(S) certificate information. We are collaborating on the new updated version of software design of CTA-IDS, implementation, and evaluation of new Machine learning algorithms. By the inter-network data correlations in Cisco CTA-IDS, and collaborative anomaly-based networks IDS on malware that uses network traffic encryption to avoid detection described in (Section 2). Further details can be seen in table 1.

Point.3: Also, the authors should clearly define which are the innovative features of their proposal with respect to adopted logics.

Response-3: This study describes the State-of-the-Art algorithms for statically anomaly detection and outlier detection, with emphases on the algorithm used in the network security domain. We have Built a several variants-based Global Reputation Model (GRM) on top of the CTA-IDS, Evaluated the performance of the system variants when used as global reputation lists and Used the global intelligence to improve upon existing anomaly detection capabilities in individual networks and measure the results on both HTTP and HTTP(S) traffic (section 1 “Introduction”, subsection 1.2).

Point-4.    We need to understand precisely if the proposed mechanism is able to face other real case scenarios.

Response-4: Experimental evaluations shows that our proposed algorithm remains consistent and is able to be used in the real time cases scenarios.

Point-5.    Is the design of the study consistent with its aims?

Response-5: Yes, experimental evaluations shows that our proposed algorithm remains consistent and scalable with its aims.

Point-6.    The authors do not include a detailed description of how the method proposed can be extended.

Response-6: Thanks for asking this important question, this future work is also in process, our team is working on this project.

Point-7. Finally, the authors should make a final check on the compliance of the paper to the formatting guidelines and need to delete the template guidance at the end of the paper.

Response-7: Thanks for this comment, we have removed the lines related to the guidance of the temple from the end of manuscript.


Round 2

Reviewer 2 Report

The authors have addressed all comments. I am happy for the paper to be published.

Back to TopTop