Article
Peer-Review Record

Cyberattack Detection Systems in Industrial Internet of Things (IIoT) Networks in Big Data Environments

Appl. Sci. 2025, 15(6), 3121; https://doi.org/10.3390/app15063121
by Abdullah Orman
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Submission received: 1 February 2025 / Revised: 9 March 2025 / Accepted: 10 March 2025 / Published: 13 March 2025
(This article belongs to the Special Issue Trends and Prospects for Wireless Sensor Networks and IoT)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The manuscript presents a contribution to the field of cybersecurity by investigating the effectiveness of various machine learning, deep learning, and hybrid models in detecting cyber attacks in IIoT networks. In general, there are several areas that require improvement to enhance the quality of the paper.

  • The abstract provides an overview of the study, but it lacks clarity and conciseness. Certain sentences are lengthy and repetitive, making it difficult to grasp the key contributions efficiently. Consider restructuring the abstract to ensure a clear problem statement, research objectives, methodology, key findings, and contributions.
  • The manuscript references existing studies but does not adequately compare or contrast them with the proposed approach. A more in-depth discussion on why the selected machine learning, deep learning, and hybrid models were chosen over other possible alternatives is needed. How do these models address the unique challenges of IIoT cyber attack detection better than prior works?
  • The study mentions the use of Apache Spark in Google Colab, but the rationale for this choice is not well elaborated. How does this infrastructure affect scalability, efficiency, or real-time applicability? Additionally, a clearer explanation of the dataset preprocessing steps and feature selection methods is required.
  • The manuscript reports high accuracy values for models such as MLP and CART, but there is little discussion on why individual models performed better than hybrid models, which generally outperform standalone models in the literature. A comparative analysis with recent state-of-the-art approaches should be included to contextualize the results.
  • The manuscript lacks sufficient statistical validation of the results. Were cross-validation techniques applied to prevent overfitting? Were statistical significance tests performed to ensure the robustness of the proposed models?
  • The study primarily focuses on the WUSTL-IIoT-2021 dataset. However, it is unclear how well the proposed models would generalize to other IIoT environments. A discussion on the adaptability of the models to different datasets, real-world IIoT infrastructures, and varying cyber attack scenarios is necessary.
  • Although the manuscript briefly mentions future research directions, it should elaborate more on the limitations of the current approach. For example, are there any computational cost concerns associated with training deep learning models? Can real-time detection be achieved? Moreover, the inclusion of XAI techniques is proposed for future studies, but a clearer discussion on how these techniques would benefit IIoT cybersecurity is needed.
Comments on the Quality of English Language

The English could be improved to more clearly express the research.

Author Response

Comments 1: The abstract provides an overview of the study, but it lacks clarity and conciseness. Certain sentences are lengthy and repetitive, making it difficult to grasp the key contributions efficiently. Consider restructuring the abstract to ensure a clear problem statement, research objectives, methodology, key findings, and contributions.

 

Response 1: Thank you for your advice. I agree with you and restructured the Abstract section.

Comments 2: The manuscript references existing studies but does not adequately compare or contrast them with the proposed approach. A more in-depth discussion on why the selected machine learning, deep learning, and hybrid models were chosen over other possible alternatives is needed. How do these models address the unique challenges of IIoT cyber attack detection better than prior works?

Response 2: Thank you for your comment. I added the following two paragraphs at the end of the "Related Works" section to better establish the connection between the literature and this study:

“In summary, studies utilizing the WUSTL-IIoT-2021 dataset frequently adapt their methodologies and consistently report high accuracy in intrusion detection. Many of the proposed models evaluated on this dataset achieve accuracy rates nearing 99%, reflecting a prevailing trend in developing robust and effective intrusion detection systems for Industrial Internet of Things (IIoT) environments. Several studies have demonstrated superior performance compared to existing literature, highlighting the reliability and effectiveness of these approaches. The strong emphasis on achieving high accuracy underscores the critical need for advanced, trustworthy security solutions to protect IIoT networks. As a widely adopted benchmark, the WUSTL-IIoT-2021 dataset plays a key role in these evaluations.

As shown in Table 1, the WUSTL-IIoT-2021 dataset has been analyzed in various studies. However, being relatively new compared to other datasets in the field, research directly focused on it remains limited. This study is expected to contribute to its growing adoption. Furthermore, it stands out by examining three different modeling approaches—machine learning, deep learning, and hybrid models—making it one of the few studies in this domain to do so. The analysis also incorporates 12 different models, a rare approach in existing research. Notably, while hybrid methods generally outperform standalone deep learning techniques in previous studies, the specific models employed in this research demonstrated superior performance on the WUSTL-IIoT-2021 dataset.”

Comments 3: The study mentions the use of Apache Spark in Google Colab, but the rationale for this choice is not well elaborated. How does this infrastructure affect scalability, efficiency, or real-time applicability? Additionally, a clearer explanation of the dataset preprocessing steps and feature selection methods is required.

Response 3: I explained this issue a bit more in the article. I improved the following paragraph:

“Subsequently, machine learning, deep learning, and hybrid models were applied to the preprocessed dataset. To overcome hardware limitations, all modeling tasks were executed within the Google Colaboratory environment, leveraging Google’s computational infrastructure. The analysis was conducted using widely recognized libraries, including Pandas, MLlib, Scikit-learn, and PyCharm. Apache Spark was selected as the computing platform, and Python was used as the primary programming language. Hyperparameter tuning was performed for the deep learning models, with optimal values determined through iterative testing and alignment with commonly adopted parameters in the literature. The models categorized network traffic into normal and attack classes, and their performance was assessed on an independent test set that was not utilized during training. The model achieving the highest accuracy in attack detection was identified and considered for integration into network-based intrusion detection systems (IDS). When implemented in IDS, the developed model demonstrates superior detection rates and reduced error margins, surpassing traditional intrusion detection techniques.”

Comments 4: The manuscript reports high accuracy values for models such as MLP and CART, but there is little discussion on why individual models performed better than hybrid models, which generally outperform standalone models in the literature. A comparative analysis with recent state-of-the-art approaches should be included to contextualize the results.

Response 4: I agree with your comment and restructured the entire Results section. I tried to make sense of why hybrid models performed worse in this study.

Comments 5: The manuscript lacks sufficient statistical validation of the results. Were cross-validation techniques applied to prevent overfitting? Were statistical significance tests performed to ensure the robustness of the proposed models?

Response 5: Removed areas that could lead to overfitting in the dataset during the feature selection phase.

In the section "4.1. Model Parameters and Training Configurations" the parameters used are clearly stated, for example, the following paragraphs are added:

“The dataset includes various host-specific attributes, such as source and destination IP addresses. However, incorporating these features during model training may lead to overfitting, limiting the model's ability to generalize to unseen data. Additionally, certain attributes, such as flow start and end times, do not directly contribute to attack detection. Consequently, features such as StartTime, LastTime, SrcAddr, DstAddr, sIpId, and dIpId were removed to prevent model over-learning and improve detection performance. Following this refinement process, the total number of features was reduced to 42.”

 

“Adam dynamically adjusts the learning rate, improving optimization efficiency and model convergence. To prevent overfitting, the epoch count should be increased carefully.”

Comments 6: The study primarily focuses on the WUSTL-IIoT-2021 dataset. However, it is unclear how well the proposed models would generalize to other IIoT environments. A discussion on the adaptability of the models to different datasets, real-world IIoT infrastructures, and varying cyber attack scenarios is necessary.

Response 6: The results obtained are a rare situation in the general literature. While the general expectation is that hybrid models will be more successful, this is not the case in this study. Other studies have obtained this result, although they are few. I believe that the reason for this is a situation specific to the data set used. In other words, the same result is not expected to be obtained in other real-world IIoT data sets.

Comments 7: Although the manuscript briefly mentions future research directions, it should elaborate more on the limitations of the current approach. For example, are there any computational cost concerns associated with training deep learning models? Can real-time detection be achieved? Moreover, the inclusion of XAI techniques is proposed for future studies, but a clearer discussion on how these techniques would benefit IIoT cybersecurity is needed.

Response 7: This section has been restructured considering other referee suggestions, and some paragraphs have been removed because they are not very relevant to the article. See the last 2 paragraphs:

“The integration of SCADA systems with IIoT provides advantages but also poses significant security threats. Increasing DoS attacks and the complexity of industrial networks require a multi-layered cybersecurity approach to protect critical infrastructures. In this context, the developed MLP model can detect anomalies and attacks in real-time by analyzing live network traffic of SCADA systems. The model increases the security of critical infrastructures such as power plants, water treatment plants, and transportation systems while making intrusion detection processes more efficient by integrating with existing IDS/IPS systems.

In the scope of future studies, hybrid approaches are planned to increase the performance of machine learning and deep learning algorithms and test the performance of these models on different data sets. In addition, different oversampling and undersampling methods will be evaluated to eliminate data imbalance. Finally, it aims to increase the reliability and transparency of intrusion detection systems by applying Explainable Artificial Intelligence (XAI) techniques and to make the systems more reliable and understandable.”

4. Response to Comments on the Quality of English Language

Point 1: The English could be improved to more clearly express the research.

Response 1: Professional native language support was received for the entire article. Long sentences were shortened. Repetitions were avoided. If you have suggestions, it can be edited again.

Author Response File: Author Response.pdf
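The preprocessing choices defended in Response 5 (removing host identifiers and flow timestamps so the model cannot memorise which hosts were attacked when, collapsing traffic labels to a binary normal/attack target, and scoring on a held-out test set) are illustrated below. This is an added Python example, not code from the paper or its author; it assumes a flat table of flow records whose column names follow the WUSTL-IIoT-2021 feature names quoted in the response (StartTime, LastTime, SrcAddr, DstAddr, sIpId, dIpId, Traffic). The sample rows, the attack labels in them, and the `label_purity` diagnostic are constructed for the illustration.

```python
"""Feature hygiene for IIoT flow records (added example, not the paper's code).

Column names follow the WUSTL-IIoT-2021 feature names quoted in Response 5;
every row below is constructed, not a dataset record.
"""
import random
from typing import Dict, List, Tuple

Row = Dict[str, object]

# Host identifiers and flow timestamps named in the response as removed: a
# model can memorise "this host / this minute = attack" instead of learning
# traffic behaviour, and that shortcut does not transfer to unseen traffic.
LEAKY_FEATURES = {"StartTime", "LastTime", "SrcAddr", "DstAddr", "sIpId", "dIpId"}

# Constructed sample flows; "DoS" and "recon" are placeholder attack labels.
SAMPLE_ROWS: List[Row] = [
    {"StartTime": 100.0, "LastTime": 101.0, "SrcAddr": "10.0.0.2", "DstAddr": "10.0.0.9",
     "sIpId": 11, "dIpId": 21, "Dur": 1.0, "TotPkts": 4, "TotBytes": 320, "Traffic": "normal"},
    {"StartTime": 102.0, "LastTime": 104.0, "SrcAddr": "10.0.0.3", "DstAddr": "10.0.0.9",
     "sIpId": 12, "dIpId": 22, "Dur": 2.0, "TotPkts": 6, "TotBytes": 480, "Traffic": "normal"},
    {"StartTime": 105.0, "LastTime": 105.1, "SrcAddr": "10.0.0.7", "DstAddr": "10.0.0.9",
     "sIpId": 13, "dIpId": 23, "Dur": 0.1, "TotPkts": 900, "TotBytes": 54000, "Traffic": "DoS"},
    {"StartTime": 106.0, "LastTime": 106.2, "SrcAddr": "10.0.0.7", "DstAddr": "10.0.0.9",
     "sIpId": 14, "dIpId": 24, "Dur": 0.2, "TotPkts": 1200, "TotBytes": 72000, "Traffic": "DoS"},
    {"StartTime": 107.0, "LastTime": 109.0, "SrcAddr": "10.0.0.8", "DstAddr": "10.0.0.9",
     "sIpId": 15, "dIpId": 25, "Dur": 2.0, "TotPkts": 40, "TotBytes": 2400, "Traffic": "recon"},
    {"StartTime": 110.0, "LastTime": 111.0, "SrcAddr": "10.0.0.4", "DstAddr": "10.0.0.9",
     "sIpId": 16, "dIpId": 26, "Dur": 1.0, "TotPkts": 5, "TotBytes": 400, "Traffic": "normal"},
]


def encode_target(label: str) -> int:
    """Binary target: normal traffic -> 0, every attack class -> 1."""
    return 0 if label.strip().lower() == "normal" else 1


def label_purity(rows: List[Row], column: str, label_col: str = "Traffic") -> float:
    """Share of rows whose value in `column` co-occurs with exactly one label.
    Near 1.0 on a high-cardinality column (addresses, timestamps) means the
    column lets a model look the label up rather than learn it."""
    groups: Dict[object, set] = {}
    for r in rows:
        groups.setdefault(r[column], set()).add(r[label_col])
    pure = sum(1 for r in rows if len(groups[r[column]]) == 1)
    return pure / len(rows)


def drop_leaky_features(row: Row, leaky=LEAKY_FEATURES) -> Row:
    """Remove host identifiers and timestamps; keep behavioural features."""
    return {k: v for k, v in row.items() if k not in leaky}


def split_rows(rows: List[Row], test_fraction: float, seed: int) -> Tuple[List[Row], List[Row]]:
    """Deterministic shuffle, then hold out an independent test set."""
    order = list(rows)
    random.Random(seed).shuffle(order)
    n_test = max(1, int(round(len(order) * test_fraction)))
    return order[n_test:], order[:n_test]


def fit_min_max(train_rows: List[Row], columns: List[str]) -> Dict[str, Tuple[float, float]]:
    """Per-column min/max learned from the training rows only, so the scaling
    carries no information about the held-out test rows."""
    bounds = {}
    for col in columns:
        values = [float(r[col]) for r in train_rows]
        bounds[col] = (min(values), max(values))
    return bounds


def scale_row(row: Row, bounds: Dict[str, Tuple[float, float]]) -> Dict[str, float]:
    """Min-max scale one row with bounds fitted on the training split."""
    scaled = {}
    for col, (lo, hi) in bounds.items():
        v = float(row[col])
        scaled[col] = 0.0 if hi == lo else (v - lo) / (hi - lo)
    return scaled


def preprocess(rows: List[Row], test_fraction: float = 0.34, seed: int = 7) -> Dict[str, object]:
    """Drop leaky columns, encode the target, split, then scale."""
    cleaned = [drop_leaky_features(r) for r in rows]
    features = sorted(k for k in cleaned[0] if k != "Traffic")
    train, test = split_rows(cleaned, test_fraction, seed)
    bounds = fit_min_max(train, features)
    return {
        "features": features,
        "bounds": bounds,
        "X_train": [scale_row(r, bounds) for r in train],
        "y_train": [encode_target(r["Traffic"]) for r in train],
        "X_test": [scale_row(r, bounds) for r in test],
        "y_test": [encode_target(r["Traffic"]) for r in test],
    }


if __name__ == "__main__":
    print("SrcAddr label purity:", label_purity(SAMPLE_ROWS, "SrcAddr"))
    print("Dur label purity:", label_purity(SAMPLE_ROWS, "Dur"))
    out = preprocess(SAMPLE_ROWS)
    print("kept:", out["features"], "train/test:", len(out["X_train"]), len(out["X_test"]))
```

On the constructed rows `SrcAddr` has a label purity of 1.0 (every address maps to one label) while the behavioural `Dur` column does not, which is the memorisation hazard the response removes by dropping the identifier columns. The min-max bounds are fitted on the training split alone; fitting them on the whole table would leak test-set statistics into training, even though the test rows are never used to fit the classifier.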

Reviewer 2 Report

Comments and Suggestions for Authors

Regarding this paper, I have the following comments.

1. The authors need to revise the abstract with care by providing more clearly the achievement that is to be done.

2. The introduction must be first in broad sense and later it should be properly linked to the main work. I suggest related research for introduction: 10.1109/TMC.2023.3314837, doi: https://doi.org/10.1002/rnc.7777

3. In the last para of introduction, the authors must mention the main novelty of the present work.

4. Section 2, the authors must be careful when discussing the work by providing the missing gap of the research.

5. In the methods section, the authors should provide carefully any method used, or related software etc., which should be linked properly.

6. Can you explain more about Table 2: how did the data come about, and where is the available link?

7. Subsection 4.2, the authors need to provide more detail information about the statistical analysis.

8. How is the statistical analysis performed? Provide an overview.

9. In section, provide the details for the methods, sample size, data nature and the parameters rationality, the model used etc.

10. Conclusion must be carefully presented by mentioning what the authors achieved in this work which were not achieved in the past.

 

Author Response

Comments 1: The authors need to revise the abstract with care by providing more clearly the achievement that to be done.

Response 1: Thank you for your advice. I agree with you and restructured the Abstract section.

Comments 2: The introduction must be first in broad sense and later it should be properly linked to the main work. I suggest related research for introduction: 10.1109/TMC.2023.3314837, doi: https://doi.org/10.1002/rnc.7777

Response 2: I benefited from the study you suggested, thank you very much. I have reorganized the section.

Comments 3: In the last para of introduction, the authors must mention the main novelty of the present work.

Response 3: The introduction section has been revised. The innovations of the study are explained in the last 4 paragraphs.

Comments 4: Section 2, the authors must be careful when discussing the work by providing the missing gap of the research.

Response 4: The first 2 and last 2 paragraphs of the 2nd section have been re-edited in relation to gaps in the literature.

Comments 5: In methods section, the authors should provide carefully any method used, or related software etc , should be linked properly.

Response 5: The following arrangement has been made:

“Subsequently, machine learning, deep learning, and hybrid models were applied to the preprocessed dataset. To overcome hardware limitations, all modeling tasks were executed within the Google Colaboratory environment, leveraging Google’s computational infrastructure. The analysis used widely recognized libraries, including Pandas, MLlib, Scikit-learn, and PyCharm. Apache Spark was selected as the computing platform, and Python was used as the primary programming language. Hyperparameter tuning was performed for the deep learning models, with optimal values determined through iterative testing and alignment with commonly adopted parameters in the literature. The models categorized network traffic into normal and attack classes, and their performance was assessed on an independent test set that was not utilized during training. The model achieving the highest accuracy in attack detection was identified and considered for integration into network-based intrusion detection systems (IDS). When implemented in IDS, the developed model demonstrates superior detection rates and reduced error margins, surpassing traditional intrusion detection techniques.”

Comments 6: Can you explain more about Table 2, how the data came where is the available link?

Response 6: Added link reference to text. Added explanation.

“Data Availability Statement: WUSTL-IIOT-2021 dataset was used. Dataset link: https://www.cse.wustl.edu/~jain/iiot2/index.html (accessed date: 15, September, 2024)”

Comments 7: Subsection 4.2, the authors need to provide more detail information about the statistical analysis.

Response 7: The name of the subheading was changed to "3.2. Data Preprocessing" and the label encoding, normalization and feature selection processes were explained in detail.

Comments 8: How the statistical analysis is performed? provide an overview.

Response 8: In line with your suggestion, the subheadings of the Method section "3.1 Dataset" and "3.2. Data Preprocessing" have been revised.

Comments 9: In section, provide the details for the methods, sample size, data nature and the parameters rationality, the model used etc.

Response 9: Thank you for pointing this out. I agree with this comment. The subheadings of "4. Experiments and Evaluations" and "4.1. Model Parameters and Training Configurations" have been revised based on your suggestion. Please review page 12.

Comments 10: Conclusion must be carefully presented by mentioning what the authors achieved in this work which were not achieved in the past.

Response 10: The conclusion section was reorganized based on the referees' suggestions.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

The manuscript evaluates diverse machine learning algorithms (including deep learning and hybrid algorithms) to consider how well they can detect attacks in the WUSTL-IIOT-2021 dataset. Concrete research questions are not explicitly presented. The way to come to the results is described but in an overly verbose way. Several of the results are surprising, and a comparison to results from the literature is lacking. For several of the claims, evidence is not given. The results and their implications are not discussed.

The manuscript contains a large number of acronyms and abbreviations. However, a list of these acronyms and abbreviations is not present. Please add at the end of the manuscript, following the template.

Line 113ff: There is no evidence for this claim. The dataset has been used for ML experiments by many researchers, also applying ML. Please describe that you compare 12 models in a more "neutral" way. The sentence Line 121 should be removed.

The literature review in Section 2 should be better structured. Suggestion to structure into using machine learning and similar, creating the dataset, and using the dataset for research.

Section 3 presents the security aspects of the IIoT. This text is background information in which context the dataset has been created. For a further understanding of the manuscript, Section 3 is too long and contains information that is rather irrelevant to the manuscript. Note that related subjects of IIoT, such as IT-OT integration are not further outlined. (For the understanding of the dataset and its analysis, however, this would also be irrelevant as other details of this section).

Paragraph starting Line 387: much of this is said before.

Figure 1: The term model is used in different ways. Do you mean "research methodology" or "workflow"? Later, the term model is used for the machine learning models.

Line 411ff: The binary approach is unclear. It seems that the authors classify into no attack and attack, although DoS attacks might be more noticeable in the data traffic than other attacks. Please discuss and explain why mixing into one attack category is useful to do. One could analyse each attack and then merge the results afterwards.

Line 449: unclear. This has already been done by the authors of the dataset, I suppose.

In Table 6, what does the second column characterise? This is the count of what? Is this a number from the data set? Why is one count less for some features?

In Section 4.2, the process of converting textual values to numerical values is unclear. It seems that the textual values are discrete values given a label.

Regarding feature extraction, it seems odd that all parameters are relevant. Did other authors in the literature find the same? Please compare. Possibly, this is due to classifying into binary attack-no attack.

Section 5.1: This text is unstructured, and it is unclear what the message is.

Line 602: Why "possible"?

Section 5.2: This text is unstructured and lengthy. It is unclear what the message is.

Equation 4: This reads "F1 minus Score"; please reformat.

Figure 5: too tiny fonts and bad contrast. Please improve the image quality of the textual information.

Section 6 appears to be unstructured.

The evaluation of the ML models seems to be done out of precision, recall, F-Score and accuracy. The result is only presented, not discussed. There might be reasons, such as overfitting, that might be behind this result. Please discuss such issues.

Line 668: The term "complicated" might not be the right term. Maybe "complex" is better in this context.

Figure 4: too tiny fonts. The text is not readable. This figure draws an ideal curve, it seems. Also, text Line 682ff is incomprehensible. The entire paragraph is difficult to grasp.

Line 691ff: no evidence for these claims is presented.

The conclusion section repeats some of the results, but it is unclear what the takeaway is. It seems that you found out that the MLP is the model of choice, but it is not discussed how this result is going to be used further.

Line 713ff: generic text that is not related to the results.

Lines 726-728: incomprehensible. What are these "powerful and up-to-date" methods? This sounds very vague. This section is also generic and not related to the results.

Comments on the Quality of English Language

While the sentences are grammatically ok, the manuscript contains many long and verbose explanations that should be made more "to the point". Please condense the text.

For example, the paragraph starting Line 101ff (specifically the last half) needs to be revised.

Lines 69-75: Two different citation styles are used.

Figure 1: not readable due to contrast issues and too small fonts.

Line 449: unclear.

Line 590: valves? Do you mean "values"? Note, that the entire sentence is incomprehensible and should be removed.

Author Response

Comments 1: The manuscript evaluates diverse machine learning algorithms (including deep learning and hybrid algorithms) to consider how well they can detect attacks in the WUSTL-IIOT-2021 dataset. Concrete research questions are not explicitly presented. The way to come to the results is described but in an overly verbose way. Several of the results are surprising, and a comparison to results from the literature is lacking. For several of the claims, evidence is not given. The results and their implications are not discussed.

Response 1: First of all, your detailed review and suggestions had a great impact on the quality of the study. Thank you very much. The Introduction and Conclusion sections have been rearranged. The study has become a clear response to your criticism.

Comments 2: The manuscript contains a large number of acronyms and abbreviations. However, a list of these acronyms and abbreviations is not present. Please add at the end of the manuscript, following the template.

Response 2: Abbreviation section added.

Comments 3: Line 113ff: There is no evidence for this claim. The dataset has been used for ML experiments by many researchers, also applying ML. Please describe that you compare 12 models in a more "neutral" way. The sentence Line 121 should be removed.

Response 3: The relevant paragraph has been rearranged. Line 121 sentence has been deleted. The paragraph in the introduction section has been changed as follows:

“This study employs the WUSTL-IIoT-2021 dataset to detect cyber threats in IIoT systems, providing a robust platform for evaluating security mechanisms by simulating real-world industrial conditions [20]. As machine learning continues to demonstrate significant promise in cybersecurity, research in this area has expanded rapidly [21, 22].

In this study, SCADA network traffic was analyzed using five machine learning models (CART, Decision Tree, Logistic Regression, Naïve Bayes, Random Forest), five deep learning models (CNN, GRU, LSTM, RNN, MLP), and two hybrid models (CNN-LSTM, LSTM-CNN). A key contribution of this research is the comparative evaluation of machine learning, deep learning, and hybrid models within a unified experimental framework, providing a comprehensive analysis of their relative effectiveness. By systematically applying different hyperparameter configurations, the study aims to refine model performance and establish a foundation for future research. The model demonstrating the highest accuracy in cyberattack detection was identified and evaluated for potential integration into network-based IDS solutions. When deployed in IDS environments, the proposed model offers superior detection accuracy and reduced error rates compared to conventional security mechanisms.

The results indicate that the Multilayer Perceptron (MLP) model outperformed other approaches, achieving an accuracy of 99.99%, surpassing similar studies in the literature. Contrary to widely held assumptions that hybrid models yield the highest performance, this study demonstrates that standalone models can achieve superior accuracy when applied to the WUSTL-IIoT-2021 dataset. These findings provide valuable insights for the advancement of cyberattack detection methodologies in IIoT environments.”

Comments 4: The literature review in Section 2 should be better structured. Suggestion to structure into using machine learning and similar, creating the dataset, and using the dataset for research.

Response 4: The literature review has been renewed. It has been sorted from general to specific.

Comments 5: Section 3 presents the security aspects of the IIoT. This text is background information in which context the dataset has been created. For a further understanding of the manuscript, Section 3 is too long and contains information that is rather irrelevant to the manuscript. Note that related subjects of IIoT, such as IT-OT integration are not further outlined. (For the understanding of the dataset and its analysis, however, this would also be irrelevant as other details of this section).

Response 5: I agree with you. The sections related to the literature in Section 3 have been added to Section 2 and this section has been completely removed from the article.

Comments 6: Paragraph starting Line 387: much of this is said before.

Response 6: This paragraph has been rearranged. Repetitions have been removed:

 

“This study aims to detect cyberattacks in IIoT networks, which are increasingly adopted, interconnected, and expected to play a growing role in cybersecurity research as network sizes expand. The proposed framework consists of four key stages: data preprocessing, data splitting, classification, and evaluation, as illustrated in Figure 1. The raw dataset was prepared for classification algorithms following the data preprocessing phase.”

Comments 7: Figure 1: The term model is used in different ways. Do you mean "research methodology" or "workflow"? Later, the term model is used for the machine learning models.

Response 7: The name of figure 1 has been changed: Figure 1. Schematic diagram of research methodology

Comments 8: Line 411ff: The binary approach is unclear. It seems that the authors classify into no attack and attack, although DoS attacks might be more noticeable in the data traffic than other attacks. Please discuss and explain why mixing into one attack category is useful to do. One could analyze each attack and then merge the results afterwards.

Response 8: The classification process was performed with a binary classification approach as normal and attack traffic. 90% of the attack types in the data set were taken as DoS Traffic and the characteristics of other attack types were also highly similar, so they were taken as DoS traffic and binary classification was performed.

Comments 9: Line 449: unclear. This has already been done by the authors of the dataset, I suppose.

Response 9: The dataset consists of 46 features. 23 features were selected and used by the authors of the dataset (Zolanvari et al.). In this study, 41 features were selected from 46 features and one feature was added to the scope of the study. A total of 42 features were analyzed.

 

Maede Zolanvari, Marcio A. Teixeira, Lav Gupta, Raj Jain, "Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things," IEEE Internet of Things Journal, Vol. 6, Issue 4, Aug. 2019, pp. 6822-2834, ISSN: 2327-4662, DOI: 10.1109/JIOT.2019.2912022.

Comments 10: In Table 6, what does the second column characterise? This is the count of what? Is this a number from the data set? Why is one count less for some features?

Response 10: Count: The number of records of the features in the dataset after preprocessing.

Table 6 has been updated.

Comments 11: In Section 4.2, the process of converting textual values to numerical values is unclear. It seems that the textual values are discrete values given a label.

Response 11: Traffic feature classification labels were converted to Target feature as a result of One-Hot Encoding as shown in Table 7. Table 7 has been updated.

Table 7. Digital transformation table.

Name            Label Number
Normal Traffic  0
Attack Traffic  1

Comments 12: Regarding feature extraction, it seems odd that all parameters are relevant. Did other authors in the literature find the same? Please compare. Possibly, this is due to classifying into binary attack-no attack.

Response 12: In data mining, there are also studies where all features (parameters) are used. In particular, situations where all data is analyzed without feature selection may be preferred in some applications. For example, in some clustering analyses or projects where large data sets are processed, using all features may aim to benefit from the entire data. However, the disadvantages of this approach include increased model complexity and processing costs. This may be due to the unique structure of the data set and binary classification in this study.

Comments 13: Section 5.1: This text is unstructured, and it is unclear what the message is.

Response 13: Restructured.

Comments 14: Line 602: Why "possible"?

Response 14: Reorganized. Explanation made.

Comments 15: Section 5.2: This text is unstructured and lengthy. It is unclear what the message is.

Response 15: The subheadings "4.1. Model Parameters and Training Configurations" and "4.2. Evaluation Parameters" have been restructured.

Comments 16: Equation 4: This reads "F1 minus Score"; please reformat.

Response 16: Correction has been made.

Comments 17: Figure 5: too tiny fonts and bad contrast. Please improve the image quality of the textual information.

Response 17: The resolution of the figure has been increased.

Comments 18: Section 6 appears to be unstructured.

Response 18: The section has been completely restructured, taking into account the suggestions of other referees.

Comments 19: The evaluation of the ML models seems to be done out of precision, recall, F-Score and accuracy. The result is only presented, not discussed. There might be reasons, such as overfitting, that might be behind this result. Please discuss such issues.

Response 19: It was previously stated that overfitting measures were taken. A discussion has been added to the conclusion.

“Recent studies show that the use of traditional methods for attack detection is decreasing, and AI-based approaches are becoming more common. Hybrid models are increasingly being developed to minimize false positives. However, in this study, such hybrid approaches showed lower performance. This is thought to be due to the unique feature structure of the dataset.

As seen in Table 1, a comprehensive literature review revealed that this study achieved the highest accuracy on the WUSTL-2021-IIoT dataset using a wide range of models. These results show the importance of choosing the right classification model according to the dataset complexity.”

Comments 20: Line 668: The term "complicated" might not be the right term. Maybe "complex" is better in this context.

Response 20: I agree. It should be complex.

Comments 21: Figure 4: too tiny fonts. The text is not readable. This figure draws an ideal curve, it seems. Also, text Line 682ff is incomprehensible. The entire paragraph is difficult to grasp.

Response 21:

Comments 22: Line 691ff: no evidence for these claims is presented.

Response 22: The paragraph has been changed as follows:

“Recent studies show that the use of traditional methods for attack detection is decreasing, and AI-based approaches are becoming more common. Hybrid models are increasingly being developed to minimize false positives. However, in this study, such hybrid approaches showed lower performance. This is thought to be due to the unique feature structure of the dataset.

As seen in Table 1, a comprehensive literature review revealed that this study achieved the highest accuracy on the WUSTL-2021-IIoT dataset using a wide range of models. These results show the importance of choosing the right classification model according to the dataset complexity.”

Comments 23: The conclusion section repeats some of the results, but it is unclear what the takeaway is. It seems that you found out that the MLP is the model of choice, but it is not discussed how this result is going to be used further.

Response 23: “The integration of SCADA systems with IIoT provides advantages, but also creates significant security threats. Increasing DoS attacks and the complexity of industrial networks require a multi-layered cybersecurity approach to protect critical infrastructures. In this context, the developed MLP model can analyze the live network traffic of SCADA systems and detect anomalies and attacks in real-time. The model increases the security of critical infrastructures such as power plants, water treatment plants, and transportation systems, and can make intrusion detection processes more efficient by integrating with existing IDS/IPS systems.”

Comments 24: Line 713ff: generic text that is not related to the results.

Response 24: Removed from the Text.

Comments 25: Lines 726-728: incomprehensible. what are these "powerful and up-to-date" methods? This sounds very vague. This section is also generic and not related to the results.

Response 25: It was removed from the paragraph as it was deemed not to be relevant to the main subject of the article.

4. Response to Comments on the Quality of English Language

Point 1: While the sentences are grammatically ok, the manuscript contains many long and verbose explanations that should be made more "to the point". Please condense the text.

Response 1:

Point 2: For example, the paragraph starting Line 101ff (specifically the last half) needs to be revised.

Response 2: Sentences were tried to be shortened.

Point 3: Lines 69-75: Two different citation styles are used.

Response 3: The relevant section was converted to a single citation system.

Point 4: Figure 1: not readable due to contrast issues and too small fonts.

Response 4: The quality and contrast of the figure were increased, and small fonts were enlarged.

Point 5: Line 449: unclear.

Response 5: The paragraph was rewritten understandably.

“The dataset includes various host-specific attributes, such as source and destination IP addresses. However, incorporating these features during model training may lead to overfitting, limiting the model's ability to generalize to unseen data. Additionally, certain attributes, such as flow start and end times, do not directly contribute to attack detection. Consequently, features such as StartTime, Last-Time, SrcAddr, DstAddr, slpld, and dlpld were removed to prevent model over-learning and improve detection performance. Following this refinement process, the total number of features was reduced to 42.

Feature selection plays a critical role in constructing an adequate dataset for intrusion detection. The selected features were those that exhibited significant changes during attack phases compared to normal network behavior. If a feature remains static across both attack and normal states, even the most advanced detection algorithms will fail to identify anomalies. The final dataset contains 42 features, with their descriptions detailed in Table 4.”

Point 6: Line 590: valves? Do you mean "values"? Note, that the entire sentence is incomprehensible and should be removed.

Response 6: The entire subheading was rewritten.

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

Accept in present form.

Author Response

Esteemed Reviewer,

I would like to express my deepest gratitude for your time, effort, and valuable insights throughout the review process of my manuscript, titled "Cyber Attack Detection Systems in Industrial Internet of Things (IIoT) Networks in Big Data Environments." Your constructive feedback and thoughtful recommendations have been instrumental in improving my work's clarity, coherence, and overall quality.

The detailed and insightful comments provided by the reviewers have allowed me to refine key aspects of the study, ensuring that it makes a more substantial contribution to the field. I genuinely appreciate the meticulous evaluation and the effort put into providing guidance that has helped enhance the scientific rigor of the manuscript.

Additionally, I am sincerely grateful to the editorial team for their support and professionalism throughout the submission and review process. Having my work considered for publication in Applied Sciences has been an honor. I look forward to contributing to the academic community through your esteemed journal.

Once again, I extend my heartfelt appreciation for your invaluable contributions. Thank you for your time and consideration.

Abdullah Orman, PhD

Reviewer 2 Report

Comments and Suggestions for Authors

Accepted

Author Response

Esteemed Reviewer,

I would like to express my deepest gratitude for your time, effort, and valuable insights throughout the review process of my manuscript, titled "Cyber Attack Detection Systems in Industrial Internet of Things (IIoT) Networks in Big Data Environments." Your constructive feedback and thoughtful recommendations have been instrumental in improving my work's clarity, coherence, and overall quality.

The detailed and insightful comments provided by the reviewers have allowed me to refine key aspects of the study, ensuring that it makes a more decisive contribution to the field. I genuinely appreciate the meticulous evaluation and the effort put into providing guidance that has helped enhance the scientific rigor of the manuscript.

Additionally, I am sincerely grateful to the editorial team for their support and professionalism throughout the submission and review process. Having my work considered for publication in Applied Sciences has been an honor. I look forward to contributing to the academic community through your esteemed journal.

Once again, I extend my heartfelt appreciation for your invaluable contributions. Thank you for your time and consideration.

Best regards,

Abdullah Orman, PhD

Reviewer 3 Report

Comments and Suggestions for Authors

The manuscript has been improved, and many of my comments have been addressed sufficiently.

Please address the following comments:

In the abstract, Line 21ff: This is unclear and vague. Also, the following sentence regarding hyperparameter configuration is unclear at this stage. Further, a recommendation to remove the last sentence Line 25-27.

Line 61: Please define your understanding of the term "hybrid deep learning".

Line 61ff: Please put the references directly after the authors of the reference; e.g., "Marzouk et al. [14] ..." (Line 70). Please address this throughout the manuscript.

Line 128-133: This should be moved to the conclusions.

Line 134-136: Suggestion to remove, as this is incomprehensible.

Research questions are not formulated. E.g., "which is the best model ... WUSTL-IIOT-2021 ... regarding the parameters precision, recall, F1-score, accuracy", or similar.

Table 1: Why is reference [43] in the list, since there are no results, it seems?

Figure 1: Please increase the contrast in Figure 1. White font on a middle blue, green, and red background is difficult to read. Why do you need these background colours?

Line 336: Why do you use "our developed dataset"? As you use the WUSTL-IIOT-2021 as a dataset, it is unclear why you use "our". It does not seem that you made changes to the dataset. It is unclear whether you did. Also, the information about the data set is statistics for WUSTL-IIOT-2021, and should be available from the dataset producer(s). Or did I misunderstand something? Please clarify.

Line 421ff: Please put this into a table (instead of a subsection). (A bulleted list here gives an unfinished impression).

I still don't understand Figure 4. It looks like an idealized curve, not something from the results.

Lines 597-610 are incomprehensible and are not related to the results or the future work. Instead, please write about the future work that is based on the outcome of your research, such as what further research you want to do. Or what do your results mean for other work and the verification of this? etc.

Author Response

Comments 1: In the abstract, Line 21ff: This is unclear and vague. Also, the following sentence regarding hyperparameter configuration is unclear at this stage. Further, a recommendation is to remove the last sentence Line 25-27.

Response 1: The sentence was rewritten more clearly, and the Line 25-27 sentence was removed.

“This outcome highlights the critical role of dataset-specific feature distributions in determining model effectiveness and calls for a more nuanced approach when selecting detection models for IIoT cybersecurity applications.”

Comments 2: Line 61: Please define your understanding of the term "hybrid deep learning".

Response 2: "Hybrid deep learning models" were explained in one sentence, and a new reference was made.

“Hybrid deep learning models combine multiple neural network architectures or integrate traditional machine learning approaches to enhance predictive performance across various applications. Such methodologies leverage the strengths of distinct algorithms to address the shortcomings found in their isolated use [13].”

Comments 3: Line 61ff: Please put the references directly after the authors of the reference; e.g., "Marzouk et al. [14] ..." (Line 70). Please address this throughout the manuscript.

Response 3: Citations for the entire article were edited.

Comments 4: Line 128-133: This should be moved to the conclusions.

Response 4: Line 128-133: Moved to the Conclusions section.

Comments 5: Line 134-136: Suggestion to remove, as this is incomprehensible.

Response 5: This paragraph was removed.

Comments 6: Research questions are not formulated. E.g., "Which is the best model ... WUSTL-IIOT-2021 ... regarding the parameters precision, recall, F1-score, accuracy", or similar.

Response 6: Thanks for the suggestion. Research questions were added to the end of the introduction to be clearer.

This study sought to answer the following research questions:

• To strengthen cybersecurity in Industrial Internet of Things (IIoT) environments, which machine learning, deep learning, and hybrid models exhibit the highest performance in cyberattack detection?

• How are these models compared and evaluated regarding key performance metrics such as accuracy, F1-score, precision, and recall?

Comments 7: Table 1: Why is reference [43] in the list, since there are no results, it seems?

Response 7: Removed from the comparison list in the table because it is a review article.

Comments 8: Figure 1: Please increase the contrast in Figure 1. White font on a middle blue, green, and red background is difficult to read. Why do you need these background colors?

Response 8: Figure 1 was redrawn. I think it happened this time.

Comments 9: Line 336: Why do you use "our developed dataset"? As you use the WUSTL-IIOT-2021 as a dataset, it is unclear why you use "our". It does not seem that you made changes to the dataset. It is unclear whether you did. Also, the information about the data set is statistics for WUSTL-IIOT-2021 and should be available from the dataset producer(s). Or did I misunderstand something? Please clarify.

Response 9: This table shows the values obtained from the data received from the dataset producer. In other words, it is the state of the dataset before any processing. I changed the title of the table to avoid any confusion. Thank you for your attention.

Table 3. Statistical information about traffic types in the dataset

Comments 10: Line 421ff: Please put this into a table (instead of a subsection). (A bulleted list here gives an unfinished impression).

Response 10: I agree. I didn't like it very much either. I converted it to a table. It turned out much better. Thank you.

Comments 11: I still don't understand Figure 4. It looks like an idealized curve, not something from the results.

Response 11: As a result of the findings, since the MLP model reached a high accuracy value of 99.99%, it is expected to have a near-ideal ROC curve. All results in this study were performed in the Google Colab environment. I have encountered near-ideal ROC curves in my previous studies.

Comments 12: Lines 597-610 are incomprehensible and are not related to the results or the future work. Instead, please write about the future work that is based on the outcome of your research, such as what further research you want to do. Or what do your results mean for other work and the verification of this? Etc.

Response 12: I updated the Future Studies paragraph according to your suggestions.

Future studies can improve model performance by examining hybrid models and applying data-balancing techniques. Class imbalance problems can be addressed by investigating the effects of over- and under-sampling methods. In addition, validating the developed models on different IIoT datasets is important to assess their generalizability. Integrating techniques such as hyperparameter optimization and automatic feature selection can increase the reliability and effectiveness of intrusion detection systems.

4. Response to Comments on the Quality of English Language

Point 1: The English is fine and does not require any improvement.

Response 1: I worked to fix the spelling and grammatical errors. It is much better now.

Author Response File: Author Response.pdf
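The responses above describe four steps of the paper's pipeline without showing them: the label encoding of Table 7 (Normal Traffic → 0, Attack Traffic → 1), the removal of host-specific columns such as StartTime, LastTime, SrcAddr and DstAddr to avoid over-learning, the precision/recall/F1/accuracy evaluation the reviewers asked to see discussed, and the near-ideal ROC curve of Round 2, Comment 11. The Python below is an added example, not the author's code and not the WUSTL-IIOT-2021 preprocessing itself; the flow records are constructed, the column names other than the four named above are assumptions, and a packet-count threshold stands in for the trained MLP. It also shows, with a second "detector" that keys on SrcAddr, why keeping the host columns inflates training scores without teaching the model anything about attacks.

```python
"""Added example: label encoding, host-feature removal and binary IDS metrics."""
from collections import Counter

# Constructed sample flows (not real WUSTL-IIOT-2021 rows). Only StartTime,
# LastTime, SrcAddr, DstAddr and the Normal/Attack label come from the page;
# TotPkts and TotBytes are assumed column names.
SAMPLE_FLOWS = [
    {"StartTime": 100.0, "LastTime": 101.5, "SrcAddr": "192.168.1.10", "DstAddr": "192.168.1.1", "TotPkts": 12, "TotBytes": 940, "Traffic": "Normal"},
    {"StartTime": 102.0, "LastTime": 102.4, "SrcAddr": "192.168.1.11", "DstAddr": "192.168.1.1", "TotPkts": 8, "TotBytes": 600, "Traffic": "Normal"},
    {"StartTime": 103.0, "LastTime": 104.9, "SrcAddr": "192.168.1.12", "DstAddr": "192.168.1.1", "TotPkts": 20, "TotBytes": 1500, "Traffic": "Normal"},
    {"StartTime": 105.0, "LastTime": 106.2, "SrcAddr": "192.168.1.10", "DstAddr": "192.168.1.1", "TotPkts": 15, "TotBytes": 1100, "Traffic": "Normal"},
    {"StartTime": 107.0, "LastTime": 109.8, "SrcAddr": "192.168.1.13", "DstAddr": "192.168.1.1", "TotPkts": 30, "TotBytes": 2400, "Traffic": "Normal"},
    {"StartTime": 110.0, "LastTime": 110.9, "SrcAddr": "10.0.0.99", "DstAddr": "192.168.1.1", "TotPkts": 500, "TotBytes": 32000, "Traffic": "Attack"},
    {"StartTime": 111.0, "LastTime": 112.0, "SrcAddr": "10.0.0.99", "DstAddr": "192.168.1.1", "TotPkts": 800, "TotBytes": 52000, "Traffic": "Attack"},
    {"StartTime": 113.0, "LastTime": 118.0, "SrcAddr": "10.0.0.99", "DstAddr": "192.168.1.1", "TotPkts": 25, "TotBytes": 1900, "Traffic": "Attack"},
]

HOST_SPECIFIC = ("StartTime", "LastTime", "SrcAddr", "DstAddr")
LABEL_MAP = {"Normal": 0, "Attack": 1}  # Table 7: Normal Traffic -> 0, Attack Traffic -> 1


def prepare(flows, drop=HOST_SPECIFIC, label_col="Traffic"):
    """Drop host/time columns and encode the Traffic label as 0/1 (Table 7)."""
    X, y = [], []
    for flow in flows:
        X.append({k: v for k, v in flow.items() if k not in drop and k != label_col})
        y.append(LABEL_MAP[flow[label_col]])
    return X, y


def threshold_detector(feats, min_pkts=100):
    """Assumed stand-in for the trained classifier: flag high-volume flows."""
    return 1 if feats["TotPkts"] >= min_pkts else 0


def confusion(y_true, y_pred):
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    return tp, fp, fn, tn


def metrics(y_true, y_pred):
    """Precision, recall, F1-score and accuracy of a binary detector."""
    tp, fp, fn, tn = confusion(y_true, y_pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / len(y_true)
    return {"precision": precision, "recall": recall, "f1": f1, "accuracy": accuracy}


def roc_auc(y_true, scores):
    """Rank-based AUC: probability that a random attack flow scores above a
    random normal flow. An AUC of 1.0 is the 'ideal' ROC curve."""
    pos = [s for t, s in zip(y_true, scores) if t == 1]
    neg = [s for t, s in zip(y_true, scores) if t == 0]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(flows):
    """Run the full pipeline: prepare -> detect -> score."""
    X, y = prepare(flows)
    y_pred = [threshold_detector(f) for f in X]
    scores = [f["TotPkts"] for f in X]  # detector's ranking score for the ROC
    return metrics(y, y_pred), roc_auc(y, scores)


def class_balance(flows, label_col="Traffic"):
    """Class counts; the imbalance is what the future-work paragraph targets."""
    return dict(Counter(f[label_col] for f in flows))


def memorizing_detector(train_flows, flow):
    """Why host columns were dropped: a model that keeps SrcAddr can score
    perfectly on its own training data by memorising the attacker's address,
    which says nothing about attacks launched from any other host."""
    attackers = {f["SrcAddr"] for f in train_flows if f["Traffic"] == "Attack"}
    return 1 if flow["SrcAddr"] in attackers else 0


if __name__ == "__main__":
    m, auc = evaluate(SAMPLE_FLOWS)
    print("class balance:", class_balance(SAMPLE_FLOWS))
    print("threshold detector:", m, "AUC:", round(auc, 4))
    _, y = prepare(SAMPLE_FLOWS)
    mem = [memorizing_detector(SAMPLE_FLOWS, f) for f in SAMPLE_FLOWS]
    print("SrcAddr-memorising detector on training data:", metrics(y, mem))
```

The threshold detector misses the low-rate attack flow, so it reports precision 1.0 but recall 2/3 and an AUC below 1.0, which is the kind of gap a results discussion should explain; the SrcAddr-based detector scores 100% on the same rows, which is exactly the over-learning the feature removal in Response 5 is meant to prevent.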
