Article
Peer-Review Record

Unveiling Malicious Network Flows Using Benford’s Law

Mathematics 2024, 12(15), 2299; https://doi.org/10.3390/math12152299
by Pedro Fernandes 1,*,†, Séamus Ó Ciardhuáin 1,† and Mário Antunes 2,3,†
Reviewer 1: Anonymous
Submission received: 8 July 2024 / Revised: 19 July 2024 / Accepted: 20 July 2024 / Published: 23 July 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

1. How many features are considered in the proposed model?

2. What methodology is used for feature selection?

3. There are many versions of the CIC IDS dataset. Why was the CIC IDS2017 dataset specifically used? How does it differ from other datasets?

Author Response

Dear reviewer.
Please see the attachment.

Author Response File: Author Response.docx

Reviewer 2 Report

Comments and Suggestions for Authors

Below are my detailed comments and suggestions to help improve your manuscript:

- Consider simplifying sections that explain complex statistical concepts to make them more accessible to readers who may not have a strong background in statistics. Adding more diagrams or visual aids could also help clarify these concepts.

- Provide more detailed explanations and justifications for selecting specific distance functions. Elaborate on why these functions are particularly suitable for your study and how they compare to other possible methods.

- Include a brief comparison of the performance of different distance functions in detecting anomalies, if data is available. This comparison could strengthen your argument for the chosen methods.

- Include more information on how you preprocessed the dataset and the specific experimental configurations you used. Discuss any limitations or biases in the dataset and how they might affect your results.

- Enhance the interpretation of your results by providing a comparative analysis with existing anomaly detection methods. Discuss the practical implications of false positives and false negatives in more detail.

- Include more information on how you preprocessed the dataset. For example, specify any data cleaning, normalization, or transformation steps you took before applying your method.

- Provide the specific configurations used in your experiments, such as parameter settings for the statistical tests and any threshold values for anomaly detection.

- Discuss any limitations or biases in the dataset and how they might affect your results. For instance, if the dataset is heavily skewed towards certain types of network traffic or attacks, this could impact the generalizability of your findings.

- Enhance the interpretation of your results by providing a comparative analysis with existing anomaly detection methods. Highlight how your method performs relative to these methods in terms of accuracy, recall, and computational efficiency.

- Discuss the practical implications of false positives and false negatives. For instance, explain how frequent false positives might impact network administrators and how your method mitigates this issue. Similarly, discuss the potential consequences of false negatives and how they can be minimized.

- Emphasize how your method can be integrated with existing security systems. Discuss potential implementation strategies, such as integration with intrusion detection systems (IDS) or security information and event management (SIEM) systems.

- Highlight the practical applications and potential impact of your findings on real-world network security. For example, discuss how your method can improve threat detection in various types of networks, such as enterprise networks, industrial control systems, or critical infrastructure.

 

I look forward to seeing the revised version of your manuscript.

Comments on the Quality of English Language

Address minor grammatical errors and improve the readability of sections that discuss complex statistical methods. For example, consider breaking down long sentences, using bullet points for lists, and adding definitions for technical terms.

Author Response

Dear reviewer.
Please see the attachment.

Author Response File: Author Response.docx
