Data Exfiltration Detection on Network Metadata with Autoencoders
Round 1
Reviewer 1 Report
The advantages of this publication are as follows:
1. The authors have developed, implemented, and evaluated the effectiveness of their own original product of intellectual labor. This product is a system of real-world data leakage detection. Real aggregated metadata of network sessions were considered as the data set.
2. The performed monitoring system showed that session metadata aggregation is an effective way to intercept traffic between two unique hosts. It was observed that aggregation significantly improves the detection of possible data leakage. Monitoring was performed over multiple sessions, based on DNS tunneling.
3. As elements of novelty, the use of autoencoders that are trained by unsupervised learning can be considered.
4. The work can be accepted for open printing after minor corrections.
Language is understandable, but some corrections and misprints should be checked.
Author Response
Please see the attachment
Author Response File: Author Response.pdf
Reviewer 2 Report
This work designed a Network Exfiltration Detection System (NEDS) to detect data exfiltration as occurring in ransomware attacks. Experimental results show that aggregation significantly increases detection performance of exfiltration that happens over longer time, most notably DNS tunnels. The paper appears to have certain results and can achieve good results. However, there are many issues that need further elaboration by the author.
1. The author uses the idea of aggregation to manipulate different inputs using the AE model, which can easily cause confusion for readers. Why not input these inputs simultaneously into the AE model or other networks?
2. The author only describes the experimental results of proposed method, and does not compare with the existing SOTA method, so it is difficult to reflect the progressiveness of the algorithm mentioned in the article.
3. What is the threshold checker? The author needs to elaborate in detail.
4. There are many excellent deep learning models available, why did you choose the AE model?
5. There are many formatting issues in the article that require further editing. For example, the first formula does not have a number.
Author Response
Please see the attachment
Author Response File: Author Response.pdf
Reviewer 3 Report
Review for Manuscript ID 2395702
In this paper, they designed a Network Exfiltration Detection System (NEDS) to detect data exfiltration as occurring in ransomware attacks. However, I think that major revisions are required prior to publishing this manuscript. To this end, the reviewer has the following comments:
1. The experimental conditions and system parameters are not given, and this is necessary for evaluating the effect of the method.
2. There is no equivalence comparison between experiment and practical application.
3. The application conditions of the approach are not given, and this is necessary for evaluating the effect of the method.
4. The authors have not provided the references for most of the equations.
5. The quality of figures needs to be improved, and the size of font is very small.
6. There are no horizontal or vertical coordinates in the figure, such as Figure 6.
English needs to be revised and improved.
Author Response
We improved the figures, but they are not marked specifically. All other changes are marked.
Please see the attachment for the response.
Author Response File: Author Response.pdf
Reviewer 4 Report
I have following observations and recommendations.
1. Research contributions are not in line with research motivation and comparison with baseline works, please revise.
2. Detailed description of the dataset is missing.
3. Related work needs improvement, enrich it with the following:
(i) APMSA: Adversarial Perturbation Against Model Stealing Attacks. IEEE Transactions on Information Forensics and Security, 18. doi: 10.1109/TIFS.2023.3246766
(ii) Dynamic event-triggered security control for networked control systems with cyber-attacks: A model predictive control approach. Information Sciences, 612, 384-398. doi: https://doi.org/10.1016/j.ins.2022.08.093
(iii) Improving Physical Layer Security of Uplink NOMA via Energy Harvesting Jammers. IEEE Transactions on Information Forensics and Security, 16, 786-799. doi: 10.1109/TIFS.2020.3023277
(iv) H∞ Consensus for Multiagent-Based Supply Chain Systems Under Switching Topology and Uncertain Demands. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 50(12), 4905-4918. doi: 10.1109/TSMC.2018.2884510
4. Authors are advised to perform detailed complexity analysis, i.e., time complexity, space complexity, etc.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 3 Report
All work is fine