EL-GNN: A Continual-Learning-Based Graph Neural Network for Task-Incremental Intrusion Detection Systems
Round 1
Reviewer 1 Report
Comments and Suggestions for Authors
This manuscript addresses the use of Graph Neural Networks (GNNs) in Intrusion Detection Systems (IDS) under a continual learning (CL) setting. The authors propose a model named EL-GNN that integrates Elastic Weight Consolidation (EWC) with GCNs to mitigate Catastrophic Forgetting (CF). Here are some suggestions.
- In the abstract, please clearly state the problem (CF in GNN-based IDS), and concisely describe the proposed method to highlight key experimental findings.
- The name EL-GNN does not clearly reflect its core mechanism. Is it based only on EWC? Is it compatible with other regularization methods like MAS or SI? A more detailed algorithm block or pseudocode is necessary.
- The paper lacks a clear description of hyperparameters and setups for baseline models like FN-GNN, SPIDER, PAPA. Please provide a comparison table outlining training parameters to ensure fairness.
- Many grammatical errors and awkward phrases are present. For example: “a method leverage the effectiveness...” → should be “a method that leverages...” Thorough proofreading is needed.
Author Response
Please see the attachment
Author Response File:
Author Response.pdf
Reviewer 2 Report
Comments and Suggestions for Authors
This article studies the application of continuous learning based on graph neural networks in IDS systems, which solves the problem of catastrophic forgetting. However, some details still need to be modified. The review comments are as follows:
- The edge between two nodes in Figure 7 has directional arrows, but the meaning of the edge with arrows is not explained in the text. The edges between nodes in Figure 8 do not have directional arrows, and the right half of the graph lacks necessary legends to illustrate whether solid and dashed lines have special meanings.
- Please provide more explanation for Formula 9 on pages 15 and 16, such as the difference between this formula and the EWC formula mentioned in the background introduction, as well as the formula for λ (importance).
- In the simulation experiment, only the CICIDS-2017 and UNSW-NB15 datasets were used, and the incremental task was based solely on the partitioning of the two datasets, without considering more complex scenarios. Please add other mainstream IDS datasets for cross validation, or design finer grained incremental tasks.
- Please further explain why the formula proposed in the simulation experiment performs the best.
- In terms of article format, on page 8, line 276 "Figure 4" displays "??", while on page 15, lines 465 to 475 and 476 to 486 are identical paragraphs.
Comments on the Quality of English Language
This paper proposes the EL-GNN model for continuous learning based on graph neural networks in the field of intrusion detection system. However, there are currently shortcomings in the theoretical depth and experimental rigor of the paper. If the above review comments can be taken into account during the revision, it can be reviewed again.
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Reviewer 3 Report
Comments and Suggestions for Authors
This paper tackles a meaningful problem by combining Graph Neural Networks (GNNs) with continual learning (CL) for intrusion detection systems (IDS).
Strengths:
1) Modeling network flow as a graph is well justified. Prior work shows mapping flow endpoints to graph nodes and flows to edges lets a GNN exploit topological and edge-feature information.
2) Incorporating a weight penalty into the GNN is a sensible way to address catastrophic forgetting (CF) in a sequential-learning IDS, since CF is known to occur when neural nets learn new tasks.
3) The authors validate EL-GNN on two realistic datasets and report strong results. E.g., in the single-task case, their model achieves 96% accuracy on both benchmarks and in the continual setting attains 85.7% accuracy after learning both tasks. It is good that they compare against both standard GNN models and a variety of state-of-the-art continual learning baselines. This thorough experimental setup helps confirm that EL-GNN's fusion of graph representation and CL is effective in practice.
Weaknesses:
1) The paper states that “graph nodes correspond to a set of critical flow features…”, with edges linking flows by shared IP addresses. This description is confusing. It appears each node represents a feature, whereas the usual approach is to let each node represent a network flow. The authors should clarify exactly how the graph is constructed and why they chose this design. Similarly, the correlation-based feature selection is mentioned but not detailed. It is unclear what correlation is used, i.e. feature-feature or feature-label, or how many features are kept. Without this clarity, it's hard to judge or reproduce the preprocessing.
2) In the experiments, the continual learning scenario is quite limited: only two sequential tasks are considered. While this is a reasonable first step, it is fairly simplistic and may not reflect real-world incremental learning where many tasks arrive over time.
3) The authors only use overall accuracy as the evaluation metric. If classes are imbalanced, other metrics would help assess detection quality.
4) Although the authors compare against many CL baselines, all of those are generic methods not specifically designed for graph data. It would strengthen the work to include a replay-based baseline on the same GNN architecture, or at least discuss why those methods were chosen.
5) The technical novelty is also somewhat incremental. Applying EWC to a GNN is logical but not a deep innovation. Also, elastic consolidation itself is a well known technique.
6) The manuscript claims surpassing state-of-the-art in CL-IDS, but the improvement is mainly on the continual task. On each dataset alone EL-GNN's accuracy is actually slightly below some published results. The authors should be careful with such claims and ensure all comparisons are fair.
Minor edits: Typos, clear phrases, polished grammar and fluency.
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Reviewer 4 Report
Comments and Suggestions for Authors
The EL-GNN system proposed in this paper demonstrates strong performance on the CIC-IDS-2017 and UNSW-NB15 datasets, achieving high accuracies of 95.9% and 96.4%, respectively. These results are promising and provide valuable insights for advancing intrusion detection techniques in continual learning (CL) environments. However, to meet the standards of high-impact international journals, several aspects of the manuscript could be further improved. The following suggestions are offered for the authors’ consideration:
1. Abstract Composition
It is recommended that the abstract clearly present the study’s motivation, the proposed framework, and key performance metrics (e.g., accuracy, F1-score). Including these details will allow readers to quickly understand the main contributions and impact of the work.
2. Definition of Abbreviations and Technical Terms
The acronym “NIDS” first appears in Figure 1 without prior explanation. It is advisable to define such terms upon their first mention to ensure clarity and accessibility, particularly for readers unfamiliar with domain-specific terminology.
3. Chapter Structure Optimization
Chapters 1 and 3 contain overlapping introductory material that may cause confusion. Merging and reorganizing these chapters is recommended to improve narrative coherence and logical flow.
4. Structured Literature Comparison
Although Chapter 2 presents a broad literature review, the inclusion of a structured comparison table, highlighting the characteristics, performance, advantages, limitations, and catastrophic forgetting (CF) mitigation capabilities of existing approaches, would better contextualize the proposed EL-GNN model and emphasize its contributions.
5. Experimental Design and Parameter Transparency
Section 5 outlines some hyperparameter settings; these details are helpful for reproducibility. However, to strengthen the experimental rigor, we recommend clarifying the following points:
(1) Was the EL-GNN model tuned separately for the CIC-IDS-2017 and UNSW-NB15 datasets? If so, please specify the differing parameters and the rationale behind these choices.
(2) Please include additional hyperparameters relevant to model training, such as the regularization coefficient (λ) used in the EWC component.
6. Reference Formatting Consistency
The reference list should be reviewed for formatting inconsistencies. For example, duplicated "https" entries in Lines 668 and 766 should be removed, and publication years should be consistently formatted according to the journal’s citation style.
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Round 2
Reviewer 2 Report
Comments and Suggestions for Authors
The authors have thoroughly addressed all reviewer concerns. I have no remaining reservations and formally recommend acceptance of the manuscript for publication.
Author Response
Please see the attachment.
Author Response File:
Author Response.pdf
Reviewer 4 Report
Comments and Suggestions for Authors
I would like to commend the authors for their efforts in revising the manuscript within a limited timeframe. The updated version has substantially enhanced the experimental explanations and has reached a publishable standard. The revised abstract now includes mentions of accuracy and F1-score, which is a positive improvement. To further strengthen the clarity of the paper’s impact, I recommend presenting these performance metrics in numerical form so that readers can more concretely understand the practical benefits of the proposed method.
Author Response
Please see the attachment
Author Response File:
Author Response.pdf

