Shallow Learning Techniques for Early Detection and Classification of Cyberattacks over MQTT IoT Networks
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
The paper needs the following modifications:
1- Write out the abbreviations in full
2- What is the gap? In the introduction section, write what the previous studies are lacking explicitly
3- State the contribution in the introduction section. It is better to itemize the contribution
4- Also, define the three model: who are the attackers, and what can they do? And why do you focus only on Intrusion, DoS, and MitM attacks?
5- define the term lightweight in terms of what: CPU time, memory, training time, etc.
6- add more text to the figure captions to explain the figures more clearly
7- Line 232: σ is the standard deviation, it is variance?
8- the classification techniques 3.2.1 to 3.2.8 need references to guide readers to the original source and support the arguments in the manuscript, and why these models are shallow learning?
9- Line 322: "After this cleansing process, the dataset was reduced to 16 variables, of which 15 were used as predictors and 1 as the target variable." How were the 16 variables selected?
10- a flow chart or algorithm can be added to make the methodology used in the research clearer
11- The resolution of figures in the results section is low and must be fixed
12- add more details in the discussion of the results why the random forest outperforms the other models
4- define the threat model
Comments on the Quality of English Language
Minor check
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
The reviewed paper proposes a shallow machine learning framework for the detection and classification of cyberattacks, specifically Denial-of-Service (DoS) and intrusion attacks, within IoT networks utilizing the MQTT protocol. The core methodology leverages inter-device communication data to train a multiclassifier model, with the explicit objective of enabling deployment on resource-constrained IoT devices themselves. This approach aims to facilitate local network monitoring, thereby enhancing security incident response time by identifying attacks directly at the edge. Validation on a real MQTT-based IoT dataset, resulting in high accuracy and F1-score metrics, shows the operational feasibility and effectiveness of this lightweight intrusion detection system. This work is useful for security experts and analysts, particularly in intrusion detection. English is good, paper is light readable, well presented and good structured.
However, the major concerns with this paper are as follows:
- A significant concern regarding the experimental test bench (Section 2.1) is its limited validity for modeling real-life IoT attack surfaces and traffic heterogeneity. The topology is confined to a single, controlled WLAN with a minimal number of homogeneous, low-power devices (2 ESP8266 nodes) generating predictable, low-volume MQTT telemetry. This fails to replicate the scale, device diversity, protocol mix (e.g., coexistence with HTTP, CoAP, Zigbee), and complex traffic patterns.
- While the setup validly demonstrates proof-of-concept for the proposed classifier in a simplified environment, the attack patterns and network behavior it captures may not be generalizable, potentially leading to an overestimation of the model performance when meeting the noise, scale, and variability of a real heterogeneous IoT ecosystem.
- Section 3 and 4 present models and experimental results, but not the proposed method itself.
Therefore, the paper is interesting and very useful, it can be recommended to be published, but after re-editing in reference to the listed concerns.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
The author made the required modifications. However, σ is used to refer to the standard deviation (line 286) and the variance (line 258) together. Variance should be σ squared.
Author Response
First, we wish to express our gratitude to the reviewer for taking the time to review this manuscript and for their valuable contributions to this article.
Second, we would like to apologize to the reviewer for the confusion regarding the use of the sigma symbol. After this further review, we identified the error correctly pointed out by the reviewer in their initial review and have now corrected the issue.
Line 286 reflects the use of variance, not standard deviation.
Thank you so much for all your comments. We are, once again, very grateful for your help in improving the quality of the article.
Reviewer 2 Report
Comments and Suggestions for Authors
All my concerns and questions have been answered by the authors in the cover letter and the revised version of the manuscript. I have no more questions and can recommend this version of the paper.
Author Response
We are pleased to know that all concerns have been addressed in our manuscript.
We greatly appreciate the time and effort invested throughout this process. Thank you again for your comments.
Best regards,
On behalf of all authors

