A Hybrid Online Classifier System for Internet Traffic Based on Statistical Machine Learning Approach and Flow Port Number
Round 1
Reviewer 1 Report
1. Figure 4: The algorithm picture is not clear;
2. The article enumerates the shortcomings of many methods, but does not elaborate on the shortcomings of the algorithm proposed in the article;
3. The article only introduces the important role of statistical algorithms in the system, and does not introduce how to use statistical algorithms in classification;
4. The author introduces the advantages of the algorithm in this article and the current mainstream algorithm. More data sets should be added and proved by experiments at the same time;
5. It is recommended to increase the scheme to reduce the complexity of the algorithm;
6. The content of the chart is too simple and does not reflect professionalism;
7. Insufficient research on relevant literature;
8. Check whether the sentence has spelling errors and grammatical problems;
Author Response
A great thanks for your valuable comments, which come from one of the experts of our research area. We try to do our best to achieve your instructions, and we make some changes in our article based on the reviewer comments.
Note: the article with tracked changes was attached.
Response to Reviewer 1 Comments
Comment 1: Figure 4: The algorithm picture is not clear.

Response 1: You are totally correct. The figure was updated.
Comment 2: The article enumerates the shortcomings of many methods, but does not elaborate on the shortcomings of the algorithm proposed in the article.
Response 2: One paragraph which includes the limitation of our work was added to the conclusion.
Comment 3: The article only introduces the important role of statistical algorithms in the system, and does not introduce how to use statistical algorithms in classification.
Response 3: Section 3.3 (ML Partial Classifier) discussed ML statistical algorithms and their role in the HOC system. In addition, Section 3.4 highlights how the HOC statistical algorithms take their classification decision.
Comment 4: The author introduces the advantages of the algorithm in this article and the current mainstream algorithm. More data sets should be added and proved by experiments at the same time.
Response 4: The limitation of our work was added to the conclusion.
Comment 5: It is recommended to increase the scheme to reduce the complexity of the algorithm;
Response 5: The article tries to use a real network environment by collecting internet traffic from one of the campus routers. We look in our next study to increase the scheme to cover a big part of our campus network.
Comment 6: The content of the chart is too simple and does not reflect professionalism;
Response 6: The article tries to use a real network environment by collecting internet traffic from one of the campus routers. We look in our next study to increase the scheme to cover a big part of our campus network.
Comment 7: Insufficient research on relevant literature;
Response 7: About 7 new studies were added and their references were cited.
Comment 8: Check whether the sentence has spelling errors and grammatical problems;
Response 8: Some expert of native English checks the spelling and grammar and makes some language changes.
Author Response File: Author Response.docx
Reviewer 2 Report
The author presents a hybrid machine learning classifier that uses online-port-based alongside statistical feature classification. They suggest the online approach because of speed. The idea is very new and exciting, but the lack of online port rules learned are not discussed as I would compare with a decision tree classifier. I think this approach of lack of details can be overcome by using standard datasets known in cybersecurity. The authors mention WhatsApp is encrypted but not in enough fact about how anomaly was simulated in WhatsApp or the training and validation set, which seems to be the shortcoming to appreciate how the hybrid classifier can have an accuracy of 89%. As the results are quite good, it will be good for the authors to describe how false alarms can often be handled high in anomaly detection classifiers. For the results to be useful to cybersecurity researchers, the paper needs to add use-cases that can be similar to pen-testing in the context of the Mitre Instruction Detection Model.
Author Response
A great thanks for your valuable comments, which come from one of the experts of our research area. We try to do our best to achieve your instructions, and we make some changes in our article based on the reviewers' comments.
Note: the article with tracked changes was attached.
Response to Reviewer 2 Comments
Point 1: ……. but the lack of online port rules learned are not discussed as I would compare with a decision tree classifier... 

Response 1: You are totally right, the port number method did not have the same discussion as the ML method. However, Section 3.3 (ML Partial Classifier) discussed ML statistical algorithms and their role in the HOC system. In addition, Section 3.4 highlights how the HOC statistical algorithms take their classification decision.
Point 2: I think this approach of lack of details can be overcome by using standard datasets known in cybersecurity.
Response 2: Standard datasets always have a fair judgment of models' accuracy. We try to follow the same path as previous works in the area of internet traffic classification. Most of them generate their own datasets because of different network environments.
Point 3: The authors mention WhatsApp is encrypted but not in enough fact about how anomaly was simulated in WhatsApp or the training and validation set, which seems to be the shortcoming to appreciate how the hybrid classifier can have an accuracy of 89%.
Response 3: A small paragraph was added which may highlight WhatsApp encryption. The article tries to use a real network environment by collecting internet traffic from one of the campus routers. We look in our next study to increase the scheme to cover a big part of our campus network.
Point 4: As the results are quite good, it will be good for the authors to describe how false alarms can often be handled high in anomaly detection classifiers.
Response 4: The article tries to use a real network environment by collecting internet traffic from one of the campus routers. We look in our next study to increase the scheme to cover a big part of our campus network, and FP will be considered.
Point 5: the paper needs to add use-cases that can be similar to pen-testing in the context of the Mitre Instruction Detection Model.
Response 5: Figure 4 was updated, which is doing the same role as a use-case diagram.
Author Response File: Author Response.docx
Reviewer 3 Report
There are too many references older than 5 years and in this subject that makes them history.
Remove phrases, 'internet explosion' style as inappropriate.
Conclusion is too long and in part more of an analysis - separate.
Statistical argument needs to include the limitations of the results too.
Author Response
A great thanks for your valuable comments, which come from one of the experts in our research area. We try to do our best to achieve your instructions.
Note: the article with tracked changes was attached.
Response to Reviewer 3 Comments
Comments 1: There are too many references older than 5 years and in this subject that makes them history.

Response 1: You are totally correct, there are some older references.
The older references were updated by newer ones and all related date was updated as well. However, some references which include a specific case (such as the three-stage classifier) were kept. That is because most of the new hybrid works used a two-stage classifier.
Point 2: Remove phrases, 'internet explosion' style as inappropriate.
Response 2: We did not find this phrase “internet explosion” in our paper.
Point 3: Conclusion is too long and in part more of an analysis - separate.
Response 3: We partly summarize the conclusion, but as some other reviewer asked us to add the limitation of our work, we added to the conclusion another small paragraph.
Point 4: Statistical argument needs to include the limitations of the results too.
Response 4: The limitations of our work were added to the conclusion.
Author Response File: Author Response.docx
Round 2
Reviewer 1 Report
The article is revised reasonably. I suggest to modify the table structure and pictures appropriately to make the article more professional and beautiful.