An Intrusion Detection Method Based on Symmetric Federated Deep Learning in Complex Networks

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The article proposes a method to enhance intrusion detection by leveraging symmetry within deep learning and federated learning frameworks. While the concept is promising, the current manuscript requires several revisions and clarifications. My key suggestions are as follows:

• Clarify the concept of symmetry as applied in the IDS model. Is it architectural symmetry (e.g., UNet’s encoder-decoder structure), data-level symmetry, or mathematical symmetry in the optimization process? Terms like “symmetric federation optimization,” “input matrix construction,” and “symmetry learning” are introduced without clear definitions. It is essential to explain how symmetry is enforced, interpreted, or quantified within the model.
• Justify the use of symmetry in intrusion detection. Elaborate on how symmetry contributes to improved generalization, learning efficiency, or robustness. Provide the theoretical or algorithmic basis for its use and explain its impact on detection performance.
• Include a diagram of the proposed architecture. Clearly illustrate how the UNet, symmetric autoencoder, and federated learning modules interact. Describe the role and contribution of each component within the overall IDS system.
• Detail the dataset characteristics, including the number of samples, types of attacks, class distribution, and preprocessing steps used during training and evaluation.
• Expand the results section by reporting additional performance metrics such as Precision, Recall, F1-score, and AUC to offer a more comprehensive evaluation.
• Include comparisons with baseline models such as traditional machine learning approaches, CNNs, LSTMs, or other established IDS architectures to contextualize your model’s performance.
• Report resource-related metrics such as training time, model size, and scalability to substantiate the claims regarding efficiency improvements.
• Explain the federated learning setup, including the number of participating clients, the aggregation algorithm used (e.g., FedAvg), and synchronization details.
• Discuss the privacy and security advantages offered by federated learning in the context of intrusion detection, emphasizing its practical relevance in sensitive environments.

Author Response

Thanks the reviewers for giving us the helpful comments and suggestions, which helps us to improve the quality of the manuscript. We have formally acknowledged them in the revised manuscript. In the revised version, we have incorporated their concerns and changes made in the revised manuscript are red in color. 

 

Reviewer 1

 

The article proposes a method to enhance intrusion detection by leveraging symmetry within deep learning and federated learning frameworks. While the concept is promising, the current manuscript requires several revisions and clarifications. My key suggestions are as follows:

 

1. Clarify the concept of symmetry as applied in the IDS model. Is it architectural symmetry (e.g., UNet’s encoder-decoder structure), data-level symmetry, or mathematical symmetry in the optimization process? Terms like “symmetric federation optimization,” “input matrix construction,” and “symmetry learning” are introduced without clear definitions. It is essential to explain how symmetry is enforced, interpreted, or quantified within the model.

Reply to Question 1: Many thanks for the reviewer’s careful check, the main contribution of this work is to use the symmetrical network to optimize the network traffic detection process, that is, the Unet network to perform deep feature learning, and then achieve the purpose of classification. In Page 13, we have added discussion and explanations of related concepts to make it easier for the reader to understand.

 

2. Justify the use of symmetry in intrusion detection. Elaborate on how symmetry contributes to improved generalization, learning efficiency, or robustness. Provide the theoretical or algorithmic basis for its use and explain its impact on detection performance.

Reply to Question 2: Many thanks for the reviewer’s check. We have elaborated in the Discussion section (Page 13) of the paper to explain the contribution of symmetry to this work as well as the positive influence.

 

3. Include a diagram of the proposed architecture. Clearly illustrate how the UNet, symmetric autoencoder, and federated learning modules interact. Describe the role and contribution of each component within the overall IDS system.

Reply to Question 3: Many thanks for the reviewer’s check. We have revised the architecture diagram in Figure 2 to explain the interplay and impact of UNet, symmetric autoencoders, and federated learning.

 

4. Detail the dataset characteristics, including the number of samples, types of attacks, class distribution, and preprocessing steps used during training and evaluation.

Reply to Question 4: Many thanks for this, we have included a detailed description of the experimental data set in the experimental setup section with Table 1, so that readers can better understand the comparison experiment.

 

5. Expand the results section by reporting additional performance metrics such as Precision, Recall, F1-score, and AUC to offer a more comprehensive evaluation.

Reply to Question 5: Many thanks for this, in Page 16-17, we have added the experiment based on the NSL-KDD dataset and obtained confusion matrix through multiple sets of experiments to verify the performance of the proposed method.

 

6. Include comparisons with baseline models such as traditional machine learning approaches, CNNs, LSTMs, or other established IDS architectures to contextualize your model’s performance.

Reply to Question 6: Many thanks for this. Although the dataset we are using may be publicly available, there are multiple subsets in different datasets, and many methods use multiple subsets or collections of multiple parts, so it is difficult to compare a method or baseline for multiclass classification. Therefore, in the comparison experiment part, we just use normal classes and attack classes to conduct multiple sets of comparison experiments on the method to prove its capability.

 

7. Report resource-related metrics such as training time, model size, and scalability to substantiate the claims regarding efficiency improvements.

Reply to Question 7: Many thanks for the reviewer’s check, we have included elaboration of training time, model size, and scale in our experimental configuration in Page 15 to verify the objectivity of our experiments.

 

8. Explain the federated learning setup, including the number of participating clients, the aggregation algorithm used (e.g., FedAvg), and synchronization details.

Reply to Question 8: Many thanks for the reviewer’s check. We have described the federated learning configuration in detail in Page 9, 4.1-Symmetric Deep Learning and Page 14, the experiments section, including the client, the aggregation method, and the synchronization strategy.

 

9. Discuss the privacy and security advantages offered by federated learning in the context of intrusion detection, emphasizing its practical relevance in sensitive environments.

Reply to Question 9: Many thanks for this, we have illustrated the privacy and security benefits provided by federated learning in intrusion detection in Page 13, the Discussion section of the paper and explained its performance in sensitive settings.

Reviewer 2 Report

Comments and Suggestions for Authors

The manuscript presents a promising approach that combines symmetric neural network structures with federated learning for intrusion detection in complex network environments. While the proposed method is technically interesting and potentially impactful, the manuscript would benefit from several important clarifications and improvements to enhance its scientific rigor and readability. Please consider the following suggestions:

1. The manuscript lacks of a proper discussion section that compares the proposed method with similar existing approaches in the literature. A critical comparison would significantly strengthen the scientific value of the paper. This addition would help contextualize the claimed improvements in detection performance and provide a clearer understanding of how the proposed method stands out in terms of accuracy, efficiency, or model complexity. I strongly recommend the authors include such a comparative discussion to better position their contribution within the current state of the art.

2. The manuscript does not clearly specify how the model architecture, particularly the symmetric UNet, how was obtained or initialized. It remains unclear whether the authors used a pre-trained network, built the model from scratch, or relied on public implementations. For transparency I strongly recommend the authors include a subsection clarifying the model’s origin, training setup, and whether any publicly available components  were used.

3. Would it be possible to include a confusion matrix in the results section to better understand how the model performs across different attack classes? This would help identify where the model tends to misclassify and offer insights into its class-specific weaknesses.

4. Several technical terms, such as catastrophic forgetting, data island, diffusion model, soft labels, and knowledge distillation are only mentioned once or twice throughout the manuscript, without proper definition or context. For the benefit of readers who may not be deeply familiar with these concepts, could the authors briefly define these terms upon first mention or include a glossary of key concepts?

 

Author Response

Thanks the reviewers for giving us the helpful comments and suggestions, which helps us to improve the quality of the manuscript. We have formally acknowledged them in the revised manuscript. In the revised version, we have incorporated their concerns and changes made in the revised manuscript are red in color. 

Reviewer 2

The manuscript presents a promising approach that combines symmetric neural network structures with federated learning for intrusion detection in complex network environments. While the proposed method is technically interesting and potentially impactful, the manuscript would benefit from several important clarifications and improvements to enhance its scientific rigor and readability. Please consider the following suggestions:

 

1. The manuscript lacks of a proper discussion section that compares the proposed method with similar existing approaches in the literature. A critical comparison would significantly strengthen the scientific value of the paper. This addition would help contextualize the claimed improvements in detection performance and provide a clearer understanding of how the proposed method stands out in terms of accuracy, efficiency, or model complexity. I strongly recommend the authors include such a comparative discussion to better position their contribution within the current state of the art.

Reply to Question 1: Many thanks for the reviewer’s careful check, in this work, the main contribution of this work is to use the symmetrical network to optimize the network traffic detection process, that is, the UNet network to perform deep feature learning, and then achieve the purpose of classification. We have added Discussion section to make it easier for the reader to understand.

 

2. The manuscript does not clearly specify how the model architecture, particularly the symmetric UNet, how was obtained or initialized. It remains unclear whether the authors used a pre-trained network, built the model from scratch, or relied on public implementations. For transparency I strongly recommend the authors include a subsection clarifying the model’s origin, training setup, and whether any publicly available components were used.

Reply to Question 2: Many thanks for the reviewer’s check. We have modified Figure 2 to illustrate the structure of UNet and the overall network model, as well as the interrelations between modules. At the same time, we have made supplementary explanations on data sets and training methods in the experimental configuration section.

 

3. Would it be possible to include a confusion matrix in the results section to better understand how the model performs across different attack classes? This would help identify where the model tends to misclassify and offer insights into its class-specific weaknesses.

Reply to Question 3: Many thanks for the reviewer’s check. In Page 16-17, we have added the experiment based on the NSL-KDD dataset and obtained confusion matrix through multiple sets of experiments to verify the performance of the proposed method.

 

4. Several technical terms, such as catastrophic forgetting, data island, diffusion model, soft labels, and knowledge distillation are only mentioned once or twice throughout the manuscript, without proper definition or context. For the benefit of readers who may not be deeply familiar with these concepts, could the authors briefly define these terms upon first mention or include a glossary of key concepts?

Reply to Question 4: Many thanks for this, we have added the explanation of technical terms in the relevant section, and made a supplementary explanation in the Discussion section, so that readers can better and more conveniently understand the work of this paper.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors have addressed some of my previous comments; however, the following points from my earlier review remain unaddressed.

‎5.‎    Expand the results section by reporting additional performance metrics such as ‎Precision, Recall, F1-score, and AUC to offer a more comprehensive evaluation.‎
‎6.‎    Include comparisons with baseline models such as traditional machine learning ‎approaches, CNNs, LSTMs, or other established IDS architectures to contextualize your ‎model’s performance.‎
‎7.‎    Report resource-related metrics such as training time, model size, and scalability to ‎substantiate the claims regarding efficiency improvements.‎

Author Response

The authors have addressed some of my previous comments; however, the following points from my earlier review remain unaddressed.

 

5. Expand the results section by reporting additional performance metrics such as Precision, Recall, F1-score, and AUC to offer a more comprehensive evaluation.

Reply to Question 5: Many thanks for this, in Page 16&18, we have calculated the AUC values for the four advanced methods using the ROC curve in Figure 3, and verified IDS’s performance by comparison.

 

6. Include comparisons with baseline models such as traditional machine learning approaches, CNNs, LSTMs, or other established IDS architectures to contextualize your model’s performance.

Reply to Question 6: Many thanks for this. We have compared the performance of the proposed IDS method with other six advanced and classical network intrusion detection methods in Figure 4, Page 19, including those based on traditional federated learning, stochastic gradient descent, cross-entropy loss function, Signature-Based Intrusion Detection (SID), Anomaly-Based Intrusion Detection (AID), and Network-Based Intrusion Detection (NID), to more comprehensively and effectively verify the performance of proposed IDS method.

 

7. Report resource-related metrics such as training time, model size, and scalability to substantiate the claims regarding efficiency improvements.

Reply to Question 7: Many thanks for the reviewer’s check, in Table 4, Page 17, we present the scalability of this method under different data scales, as well as the training time, testing time, and system response time.

Round 3

Reviewer 1 Report

Comments and Suggestions for Authors

Accept