Hybrid evolutionary machine learning model for advanced intrusion detection architecture for cyber threat identification

Ankita Sharma; Shalli Rani; Maha Driss

doi:10.1371/journal.pone.0308206

Peer Review History

Original SubmissionMay 22, 2024
22 May 2024 Author Response Attachments Attachment Submitted filename: Response Sheet for Plos.docx https://doi.org/10.1371/journal.pone.0308206.r001
25 Jun 2024 Decision Letter - Raman Singh, Editor PONE-D-24-20436Hybrid Evolutionary Machine Learning Model for Advanced Intrusion Detection Architecture for Cyber Threat IdentificationPLOS ONE Dear Dr. Rani, Thank you for submitting your manuscript to PLOS ONE. After careful consideration, we feel that it has merit but does not fully meet PLOS ONE’s publication criteria as it currently stands. Therefore, we invite you to submit a revised version of the manuscript that addresses the points raised during the review process. Please submit your revised manuscript by Aug 09 2024 11:59PM. If you will need more time than this to complete your revisions, please reply to this message or contact the journal office at plosone@plos.org. When you're ready to submit your revision, log on to https://www.editorialmanager.com/pone/ and select the 'Submissions Needing Revision' folder to locate your manuscript file. Please include the following items when submitting your revised manuscript: A rebuttal letter that responds to each point raised by the academic editor and reviewer(s). You should upload this letter as a separate file labeled 'Response to Reviewers'. A marked-up copy of your manuscript that highlights changes made to the original version. You should upload this as a separate file labeled 'Revised Manuscript with Track Changes'. An unmarked version of your revised paper without tracked changes. You should upload this as a separate file labeled 'Manuscript'. If you would like to make changes to your financial disclosure, please include your updated statement in your cover letter. Guidelines for resubmitting your figure files are available below the reviewer comments at the end of this letter. If applicable, we recommend that you deposit your laboratory protocols in protocols.io to enhance the reproducibility of your results. Protocols.io assigns your protocol its own identifier (DOI) so that it can be cited independently in the future. For instructions see: https://journals.plos.org/plosone/s/submission-guidelines#loc-laboratory-protocols. Additionally, PLOS ONE offers an option for publishing peer-reviewed Lab Protocol articles, which describe protocols hosted on protocols.io. Read more information on sharing protocols at https://plos.org/protocols?utm_medium=editorial-email&utm_source=authorletters&utm_campaign=protocols. We look forward to receiving your revised manuscript. Kind regards, Raman Singh Academic Editor PLOS ONE Additional Editor Comments: As per the reviewer's report, the paper needs some improvements. It is advised to work on reviewer's comments. The reviewer has listed one reference to compare the results. If the authors think the work is relevant and comparison will add the readability and novelty of the paper, only then authors can decide on this aspect. [Note: HTML markup is below. Please do not edit.] Reviewers' comments: Reviewer's Responses to Questions Comments to the Author 1. Is the manuscript technically sound, and do the data support the conclusions? The manuscript must describe a technically sound piece of scientific research with data that supports the conclusions. Experiments must have been conducted rigorously, with appropriate controls, replication, and sample sizes. The conclusions must be drawn appropriately based on the data presented. Reviewer #1: Partly ******** 2. Has the statistical analysis been performed appropriately and rigorously? Reviewer #1: N/A ****** 3. Have the authors made all data underlying the findings in their manuscript fully available? The PLOS Data policy requires authors to make all data underlying the findings described in their manuscript fully available without restriction, with rare exception (please refer to the Data Availability Statement in the manuscript PDF file). The data should be provided as part of the manuscript or its supporting information, or deposited to a public repository. For example, in addition to summary statistics, the data points behind means, medians and variance measures should be available. If there are restrictions on publicly sharing data—e.g. participant privacy or use of data from a third party—those must be specified. Reviewer #1: No ****** 4. Is the manuscript presented in an intelligible fashion and written in standard English? PLOS ONE does not copyedit accepted manuscripts, so the language in submitted articles must be clear, correct, and unambiguous. Any typographical or grammatical errors should be corrected at revision, so please note any specific errors here. Reviewer #1: Yes ****** 5. Review Comments to the Author Please use the space provided to explain your answers to the questions above. You may also include additional comments for the author, including concerns about dual publication, research ethics, or publication ethics. (Please upload your review as an attachment if it exceeds 20,000 characters) Reviewer #1:** The authors propose an approach to enhance the accuracy of IDSs through the use of hybrid evolutionary approach for feature selection. I find the idea interesting but do have the following comments: - introduction and motivation are very vague and don't really provice specefic information on the conducted research. The motivation to apply this approach is not really clear. The introduction section is very general and doesn't provide enough details on the problem being investigated; what it is a problem? why it is a problem? why a new approach is needed. The main problem the authors try to address is the proper selection of features for machine learning algorithms used in IDS. So, i expect the authors to focus on that in their motivation and introduction. - contribution is also not clear - I also advice the authors to compare their approach to flow-based anomaly detection approaches like in L. Van Efferen and A. M. T. Ali-Eldin, "A multi-layer perceptron approach for flow-based anomaly detection," 2017 International Symposium on Networks, Computers and Communications (ISNCC), Marrakech, Morocco, 2017, pp. 1-6, doi: 10.1109/ISNCC.2017.8072036. - more results on the attacks classification accuracy are needed -some other points: the use of abbreviations before introducing them. I suggest adding a symbols table pg 13 line 6: ''The following prototype is integration of principal component analysis (PCA) and GA.'' I cant find the prototype the authors refer to ******** 6. PLOS authors have the option to publish the peer review history of their article (what does this mean?). If published, this will include your full peer review and any attached files. If you choose “no”, your identity will remain anonymous but your review may still be made public. Do you want your identity to be public for this peer review? For information about this choice, including consent withdrawal, please see our Privacy Policy. Reviewer #1: No ******** [NOTE: If reviewer comments were submitted as an attachment file, they will be attached to this email and accessible via the submission site. Please log into your account, locate the manuscript record, and check for the action link "View Attachments". If this link does not appear, there are no attachment files.] While revising your submission, please upload your figure files to the Preflight Analysis and Conversion Engine (PACE) digital diagnostic tool, https://pacev2.apexcovantage.com/. PACE helps ensure that figures meet PLOS requirements. To use PACE, you must first register as a user. Registration is free. Then, login and navigate to the UPLOAD tab, where you will find detailed instructions on how to use the tool. If you encounter any issues or have any questions when using PACE, please email PLOS at figures@plos.org. Please note that Supporting Information files do not need this step. https://doi.org/10.1371/journal.pone.0308206.r002
Revision 1
2 Jul 2024 Author Response TITLE: An Evolutionary Machine Learning Algorithm for Robust Intrusion Detection System for Identification of Cyber Attacks Authors : Ankita Sharma, Shalli Rani, Maha Driss ankita.sharma@chitkara.edu.in, shalli.rani@chitkara .edu.in, mdriss@psu.edu.sa Dear Editors and Reviewers: We are thankful to you for spending your valuable time for making a review and for constructing the comments on our manuscript. These comments are valuable and very helpful for revising and improving our paper. We have studied comments carefully and have made correction as marked in the revised manuscript. We have tried our best to address the mentioned comments to revise our manuscript in the hope that these revisions will meet your requirement. The following changes have been made in the manuscript as per the received comments. The changes made in the manuscript as per received comments have been highlighted in red color. Reviewer #1: The authors propose an approach to enhance the accuracy of IDSs through the use of hybrid evolutionary approach for feature selection. I find the idea interesting but do have the following comments: Comment 1:- introduction and motivation are very vague and don't really provice specefic information on the conducted research. The motivation to apply this approach is not really clear. The introduction section is very general and doesn't provide enough details on the problem being investigated; what it is a problem? why it is a problem? why a new approach is needed. The main problem the authors try to address is the proper selection of features for machine learning algorithms used in IDS. So, i expect the authors to focus on that in their motivation and introduction. Response 1: As per the comment whole introduction and motivation has been updated in the paper. Also, added “The following paper presents a Hybrid Evolutionary Machine Learning Model that is being designed to improve the capabilities of advanced IDS architectures. By leveraging the strengths of EA and ML techniques, this hybrid model aims to provide a more resilient and adaptive solution for cyber threat identification. EA offer robust search capabilities and adaptability, while ML techniques excel in pattern recognition and predictive analytics. The combination of these methodologies results in a powerful tool that can evolve and improve over time, adapting to new and emerging threats in the cybersecurity landscape.” In the last of intro section. Motivation The motivation behind this research stems from the increasing complexity of cyber threats and the limitations of existing intrusion detection systems. Traditional IDS often rely on static rule-based approaches, which are insufficient in detecting novel and sophisticated attacks. Furthermore, machine learning-based IDS, while more dynamic, can suffer from issues such as high false positive rates and the inability to adapt to rapidly changing threat environments. Also, conventional models frequently fail to detect intricate or groundbreaking attacks, resulting in high rates of false negatives and the introduction of vulnerabilities in the system. To overcome the limitations of traditional system the proposed approach focuses on enhancement in the detection and management of a wide range of cyber threats, hence reducing the likelihood of security breaches, by highlighting the algorithm's ability to adapt to the threat landscape which motivated us to integrate ML with EC. By combining EA with machine learning, the proposed hybrid model seeks to address these challenges by providing a more adaptive and accurate intrusion detection system. EA can explore a vast search space and optimize detection strategies over time, while machine learning models can continuously learn and update based on new data. This hybrid approach aims to reduce false positives, enhance detection accuracy, and provide a scalable solution Comment 3:- contribution is also not clear Response 3: As per the comment it has been updated “This study employs the Bot-IoT and UNSW-NB15 intrusion datasets to evaluate mean fitness using ML classifiers. An innovative fitness function is constructed for the GA to rank features effectively. The feature selection process is guided by GA, with specific parameters tailored for optimal performance. To achieve the best possible outcomes, the model integrates the GA with DT and SVM. Additionally, the FPR is incorporated as a parameter in the newly created fitness function to simultaneously reduce FAR and enhance the detection of TPR. A high FPR can lead to many benign activities being incorrectly classified as threats, resulting in unnecessary alerts and operational inefficiencies. This disrupts user trust and increases the operational burden due to the need to investigate each false alarm, thus acting as a penalty on the system’s usability and resource management. The study develops a genetic algorithm-based feature selection methodology that leverages evolutionary computing for feature selection in intrusion detection systems. The F1-score is used to balance the importance given to both the recall rate and the accuracy rate. The F1 score harmonizes recall and accuracy, addressing potential imbalances that might lead to misleading interpretations of a model's accuracy. The main goal is to enhance the precision and computational capacity of DT and SVM by optimizing parameters and reducing data dimensionality.” Comment 4:- I also advice the authors to compare their approach to flow-based anomaly detection approaches like in L. Van Efferen and A. M. T. Ali-Eldin, "A multi-layer perceptron approach for flow-based anomaly detection," 2017 International Symposium on Networks, Computers and Communications (ISNCC), Marrakech, Morocco, 2017, pp. 1-6, doi: 10.1109/ISNCC.2017.8072036. Response 4: As per the comment added the same as Reference 51 also added the entry of the same in Table 2 and 4 for comparison. Comment 5: more results on the attacks classification accuracy are needed Response 5: As per the experiment done I have evaluated the heatmap, graphs and tables which I have already put in the result section. Comment 6: -some other points: the use of abbreviations before introducing them. I suggest adding a symbols table Response 6: The same Table has been added as Table 1. Comment 7: pg 13 line 6: ''The following prototype is integration of principal component analysis (PCA) and GA.'' I cant find the prototype the authors refer to Response 7: Sorry for the misinterpretation, The word prototype mentioned in Related Work meaning the authors discussed about the “model”, I wrote prototype for the other word for model. Therefore I have made it correct and updated the word “model” only. Attachments Attachment Submitted filename: Response to Reviewers PLOS.docx* https://doi.org/10.1371/journal.pone.0308206.r003
19 Jul 2024 Decision Letter - Raman Singh, Editor Hybrid Evolutionary Machine Learning Model for Advanced Intrusion Detection Architecture for Cyber Threat Identification PONE-D-24-20436R1 Dear Dr. Rani, We’re pleased to inform you that your manuscript has been judged scientifically suitable for publication and will be formally accepted for publication once it meets all outstanding technical requirements. Within one week, you’ll receive an e-mail detailing the required amendments. When these have been addressed, you’ll receive a formal acceptance letter and your manuscript will be scheduled for publication. An invoice will be generated when your article is formally accepted. Please note, if your institution has a publishing partnership with PLOS and your article meets the relevant criteria, all or part of your publication costs will be covered. Please make sure your user information is up-to-date by logging into Editorial Manager at Editorial Manager® and clicking the ‘Update My Information' link at the top of the page. If you have any questions relating to publication charges, please contact our Author Billing department directly at authorbilling@plos.org. If your institution or institutions have a press office, please notify them about your upcoming paper to help maximize its impact. If they’ll be preparing press materials, please inform our press team as soon as possible -- no later than 48 hours after receiving the formal acceptance. Your manuscript will remain under strict press embargo until 2 pm Eastern Time on the date of publication. For more information, please contact onepress@plos.org. Kind regards, Raman Singh Academic Editor PLOS ONE Additional Editor Comments (optional): Reviewers' comments: Reviewer's Responses to Questions Comments to the Author 1. If the authors have adequately addressed your comments raised in a previous round of review and you feel that this manuscript is now acceptable for publication, you may indicate that here to bypass the “Comments to the Author” section, enter your conflict of interest statement in the “Confidential to Editor” section, and submit your "Accept" recommendation. Reviewer #1: All comments have been addressed ******** 2. Is the manuscript technically sound, and do the data support the conclusions? The manuscript must describe a technically sound piece of scientific research with data that supports the conclusions. Experiments must have been conducted rigorously, with appropriate controls, replication, and sample sizes. The conclusions must be drawn appropriately based on the data presented. Reviewer #1: Yes ****** 3. Has the statistical analysis been performed appropriately and rigorously? Reviewer #1: N/A ****** 4. Have the authors made all data underlying the findings in their manuscript fully available? The PLOS Data policy requires authors to make all data underlying the findings described in their manuscript fully available without restriction, with rare exception (please refer to the Data Availability Statement in the manuscript PDF file). The data should be provided as part of the manuscript or its supporting information, or deposited to a public repository. For example, in addition to summary statistics, the data points behind means, medians and variance measures should be available. If there are restrictions on publicly sharing data—e.g. participant privacy or use of data from a third party—those must be specified. Reviewer #1: Yes ****** 5. Is the manuscript presented in an intelligible fashion and written in standard English? PLOS ONE does not copyedit accepted manuscripts, so the language in submitted articles must be clear, correct, and unambiguous. Any typographical or grammatical errors should be corrected at revision, so please note any specific errors here. Reviewer #1: Yes ****** 6. Review Comments to the Author Please use the space provided to explain your answers to the questions above. You may also include additional comments for the author, including concerns about dual publication, research ethics, or publication ethics. (Please upload your review as an attachment if it exceeds 20,000 characters) Reviewer #1: I would like to thank the authors for addressing my comments and further I have no other comments. ****** 7. PLOS authors have the option to publish the peer review history of their article (what does this mean?). If published, this will include your full peer review and any attached files. If you choose “no”, your identity will remain anonymous but your review may still be made public. Do you want your identity to be public for this peer review? For information about this choice, including consent withdrawal, please see our Privacy Policy. Reviewer #1: No ******** https://doi.org/10.1371/journal.pone.0308206.r004
Formally Accepted
26 Jul 2024 Acceptance Letter - Raman Singh, Editor PONE-D-24-20436R1 PLOS ONE Dear Dr. Rani, I'm pleased to inform you that your manuscript has been deemed suitable for publication in PLOS ONE. Congratulations! Your manuscript is now being handed over to our production team. At this stage, our production department will prepare your paper for publication. This includes ensuring the following: * All references, tables, and figures are properly cited * All relevant supporting information is included in the manuscript submission, * There are no issues that prevent the paper from being properly typeset If revisions are needed, the production department will contact you directly to resolve them. If no revisions are needed, you will receive an email when the publication date has been set. At this time, we do not offer pre-publication proofs to authors during production of the accepted work. Please keep in mind that we are working through a large volume of accepted articles, so please give us a few weeks to review your paper and let you know the next and final steps. Lastly, if your institution or institutions have a press office, please let them know about your upcoming paper now to help maximize its impact. If they'll be preparing press materials, please inform our press team within the next 48 hours. Your manuscript will remain under strict press embargo until 2 pm Eastern Time on the date of publication. For more information, please contact onepress@plos.org. If we can help with anything else, please email us at customercare@plos.org. Thank you for submitting your work to PLOS ONE and supporting open access. Kind regards, PLOS ONE Editorial Office Staff on behalf of Dr. Raman Singh Academic Editor PLOS ONE https://doi.org/10.1371/journal.pone.0308206.r005

Open letter on the publication of peer review reports

PLOS recognizes the benefits of transparency in the peer review process. Therefore, we enable the publication of all of the content of peer review and author responses alongside final, published articles. Reviewers remain anonymous, unless they choose to reveal their names.

We encourage other journals to join us in this initiative. We hope that our action inspires the community, including researchers, research funders, and research institutions, to recognize the benefits of published peer review reports for all parts of the research system.

Learn more at ASAPbio .