A Hybrid Approach Using Graph Neural Networks and LSTM for Attack Vector Reconstruction
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
This study presented a hybrid model that integrates Graph Neural Networks (GNNs) with Long Short-Term Memory (LSTM) networks to reconstruct and predict attack vectors in cybersecurity. GNNs are employed to analyze the structural relationships within the MITRE ATT&CK framework, while LSTMs are utilized to model the temporal dynamics of attack sequences, effectively capturing the evolution of cyber threats.
Comments should be addressed and considered before publication:
1. The proposed hybrid model used Graph Neural Networks (GNNs) to predict attacks. There are several other graph-related methods beyond GNNs that are especially relevant for cybersecurity and attack detection, such as GCN (Graph Convolutional Networks), GAT (Graph Attention Networks) or others. Why use it? Compare and justify.
2. One of the main weak points of hybrid GNNs and LSTMs is that they are computationally expensive. GNNs require message passing across all connected nodes, while LSTMs process sequences step-by-step. Can you discuss the computational complexity and scalability?
3. In the Introduction, the study did not discuss the main security breaches or security risks that face. You can use this study: Aldossary, A., Algirim, T., Almubarak, I., & Almuhish, K. (2024). Cyber Security in Data Breaches. Journal of Cyber Security and Risk Auditing.
You can also use the NIST framework to discuss the security risks, using this study: Aljumaiah, O., Jiang, W., Addula, S. R., & Almaiah, M. A. (2025). Analyzing cybersecurity risks and threats in IT infrastructure based on NIST framework. J. Cyber Secur. Risk Audit.
4. Add a table at the end of the literature review to summarize the previous studies in terms of objectives, proposed model, main findings and limitations.
5. The equation $H_t = \mathrm{LSTM}(H_{GNN}, X_t, h_{t-1}, c_{t-1})$
This expression defines a hybrid architecture that uses Graph Neural Networks (GNNs) in conjunction with an LSTM network to process time-varying graph-structured data for attack prediction in cybersecurity.
6. In Table 3, the output is the risk score. How does the study compute it?
7. Is there any comparison with findings from previous work?
8. The tables' format does not fit the template. Revise.
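The hybrid step queried in comment 5, H_t = LSTM(H_GNN, X_t, h_{t-1}, c_{t-1}), worked through as a small NumPy illustration. This is an added example, not the authors' code: the four-node technique graph, the mean-aggregation GNN layer, the mean-pool readout, the random weights and the input dimensions are all assumptions, chosen only to show how a graph embedding and a per-step feature vector feed one LSTM cell.

```python
import numpy as np

# Constructed toy graph (not from the paper): 4 ATT&CK-style technique
# nodes with directed "can precede" edges, and one-hot node features.
NODE_NAMES = ["initial_access", "execution", "persistence", "exfiltration"]
ADJ = np.array([[0, 1, 0, 0],
                [0, 0, 1, 1],
                [0, 0, 0, 1],
                [0, 0, 0, 0]], dtype=float)
NODE_FEATS = np.eye(len(NODE_NAMES))


def gnn_layer(adj, feats, w):
    """One message-passing layer: each node averages its neighbours'
    features (self-loop included), then applies a linear map and tanh."""
    a_hat = adj + np.eye(adj.shape[0])        # add self-loops
    deg = a_hat.sum(axis=1, keepdims=True)    # node degrees
    return np.tanh(((a_hat / deg) @ feats) @ w)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def lstm_cell(x, h_prev, c_prev, wx, wh, b):
    """Standard LSTM cell; gates i, f, g, o come from [x, h_prev]."""
    i, f, g, o = np.split(x @ wx + h_prev @ wh + b, 4)
    c_t = sigmoid(f) * c_prev + sigmoid(i) * np.tanh(g)
    h_t = sigmoid(o) * np.tanh(c_t)
    return h_t, c_t


def hybrid_step(x_t, h_prev, c_prev, params):
    """H_t = LSTM(H_GNN, X_t, h_{t-1}, c_{t-1}): the graph embedding H_GNN
    is mean-pooled over nodes and concatenated with X_t (assumed fusion)."""
    h_gnn = gnn_layer(ADJ, NODE_FEATS, params["w_gnn"]).mean(axis=0)
    x = np.concatenate([h_gnn, np.asarray(x_t, dtype=float)])
    return lstm_cell(x, h_prev, c_prev, params["wx"], params["wh"], params["b"])


def init_params(gnn_dim=3, x_dim=2, hidden=4, seed=0):
    """Random (seeded) weights; a real model would train these."""
    rng = np.random.default_rng(seed)
    return {"w_gnn": rng.normal(scale=0.5, size=(NODE_FEATS.shape[1], gnn_dim)),
            "wx": rng.normal(scale=0.5, size=(gnn_dim + x_dim, 4 * hidden)),
            "wh": rng.normal(scale=0.5, size=(hidden, 4 * hidden)),
            "b": np.zeros(4 * hidden)}


def run_sequence(xs, params, hidden=4):
    """Unroll the hybrid cell over a sequence of per-step features X_t."""
    h, c, hs = np.zeros(hidden), np.zeros(hidden), []
    for x_t in xs:
        h, c = hybrid_step(x_t, h, c, params)
        hs.append(h)
    return np.stack(hs)            # one hidden state H_t per time step
```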
Author Response
Dear Reviewer!
Thank you for your comments. We have tried to take them into account as much as possible to improve our article.
The answers are in the attached file.
Respectfully,
Authors
Author Response File: Author Response.docx
Reviewer 2 Report
Comments and Suggestions for Authors
Accept
Author Response
Dear Reviewer!
Thank you for your feedback and rating of our article. We have tried to improve our article as much as possible.
Respectfully,
Authors
Reviewer 3 Report
Comments and Suggestions for Authors
This research proposes a hybrid model that combines LSTM networks with GNNs to reconstruct and predict attack vectors in cybersecurity. Several important comments and suggestions must be addressed to strengthen the work.
Abstract
- In the abstract, it’s best to write out the full term before using its acronym for the first time. This should also be applied throughout the entire manuscript.
Introduction
- Summarize your main contributions and key research points as bullet points at the end of the introduction. This will make it easier for the reader to quickly understand your work.
- You should write a paragraph that shows the organization of your paper. Place it at the end of the introduction, after you write the summary of your contributions.
Literature Review
- Create a table at the end of the literature review section to summarize the key studies discussed. The table should include each study’s strengths, weaknesses, and reported accuracy.
Methodology
- Create a figure in the methodology section (preferably around Table 1) that shows how the GNN and LSTM models are integrated. The figure should show the flow of data (starting from the input, through the GNN and LSTM components, and ending with the final output). This will help readers better understand the architecture of your hybrid GNN-LSTM model.
- It is better to include citations for the equations.
Results and Discussion
- The authors evaluated their proposed model on a single dataset (CICIDS2017). They should evaluate the model on at least three datasets to demonstrate its generality and robustness.
- The authors did not compare the results of their model with existing research to validate their findings. You should compare your results with related work to demonstrate the effectiveness and relevance of your approach.
- The authors should perform cross-validation to evaluate the reliability and generalizability of their model.
Author Response
Dear Reviewer!
Thank you for your comments. We have tried to take them into account as much as possible to improve our article.
The answers are in the attached file.
Respectfully,
Authors
Author Response File: Author Response.docx
Reviewer 4 Report
Comments and Suggestions for Authors
The manuscript presents a hybrid machine learning approach that combines Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks to reconstruct and predict attack vectors in cybersecurity. This approach leverages the MITRE ATT&CK framework for structural analysis (using GNNs) and employs LSTMs to model the temporal evolution of attack sequences. The model is evaluated on the CICIDS2017 dataset, reportedly achieving high performance (AUC of 0.99, F1-score of 0.85 for technique prediction, and MSE of 0.05 for risk assessment).
However, the authors need to address the following issues:
- The idea of combining GNNs and LSTMs for multi-stage cyberattack prediction is not entirely new. Recent literature already includes similar hybrid approaches, some of which are cited by the authors themselves.
- The manuscript would be stronger with a clearer and more precise claim of what is fundamentally new, either methodologically (for example, a unique integration strategy, optimization, or explainability contribution) or by benchmarking against the latest state-of-the-art competitors.
- The experimental validation is limited to the CICIDS2017 dataset, a widely used but relatively old and well-known dataset. No additional or more challenging datasets are used for cross-validation or to demonstrate the method’s generalizability.
- Most synthetic data is derived from the same underlying attack model, which raises the risk of overfitting to the MITRE ATT&CK taxonomy.
- The work does not provide any demonstration (even simulated) of real-time deployment, scalability to much larger graphs (such as those in enterprise networks), or integration with live threat intelligence streams.
- There is no discussion of computational costs, resource consumption, or deployment latency, all of which are key considerations for practical cybersecurity adoption.
- The model uses SHAP and other explainability techniques, but the discussion remains technical and does not clearly demonstrate how an analyst would interact with or benefit from the outputs in an operational SOC (Security Operations Center) setting.
- No human-in-the-loop or expert validation is presented.
- Although the manuscript is generally clear, it is overly long (more than 32 pages) and at times verbose. Some explanations are repetitive, and figures could be streamlined.
- Minor language and typographical issues remain, although these do not impede understanding.
- The discussion of limitations is present but could be more self-critical, particularly regarding dataset limitations and the risk of synthetic data bias.
- The conclusion repeats earlier points and does not sufficiently outline a clear path for future research or deployment.
Author Response
Dear Reviewer!
Thank you for your comments. We have tried to take them into account as much as possible to improve our article.
The answers are in the attached file.
Respectfully,
Authors
Author Response File: Author Response.docx
Round 2
Reviewer 1 Report
Comments and Suggestions for Authors
In the Introduction, the study did not discuss the main security breaches or security risks that face. You can use this study: Cyber Security in Data Breaches. Journal of Cyber Security and Risk Auditing. Discuss the main security issues using this study: Adversarial attack detection in industrial control systems using LSTM-based intrusion detection and black-box defense strategies.
Add future directions for future work
Author Response
Dear Reviewer!
Thank you for your thoughtful comments. The answers are provided in the attached file.
Sincerely,
The Authors
Author Response File: Author Response.docx
Reviewer 3 Report
Comments and Suggestions for Authors
We thank the authors for their valuable effort and time in addressing some of the comments; however, several important comments still need to be addressed, as follows:
- Summarize your main contributions and key research points as bullet points at the end of the introduction. This will make it easier for the reader to quickly understand your work.
My comment: I could not find bullet points at the end of the introduction that state the main contribution of the research.
- Create a table at the end of the literature review section to summarize the key studies discussed. The table should include each study’s strengths, weaknesses, and reported accuracy.
My comment: I could not find a table at the end of the literature review section to summarize the key studies discussed.
- The authors evaluated their proposed model on a single dataset (CICIDS2017). They should evaluate the model on at least three datasets to demonstrate its generality and robustness.
My comment: The authors addressed this comment as a limitation of the study; however, relying on a single dataset could affect the generality and robustness of the model. Therefore, we strongly encourage the authors to evaluate their models on more than two datasets.
Author Response
Dear Reviewer!
Thank you for your thoughtful comments. The answers are provided in the attached file.
Sincerely,
Authors
Author Response File: Author Response.docx
Reviewer 4 Report
Comments and Suggestions for Authors
Accept in present form
Author Response
Dear Reviewer!
Thank you for your positive assessment of our work.
Sincerely,
Authors
Round 3
Reviewer 3 Report
Comments and Suggestions for Authors
None