Article
Peer-Review Record

Fine-Grained High-Utility Dynamic Fingerprinting Extraction for Network Traffic Analysis

Appl. Sci. 2022, 12(22), 11585; https://doi.org/10.3390/app122211585
by Xueying Sun 1, Junkai Yi 1,2,*, Fei Yang 1 and Lin Liu 3
Submission received: 8 October 2022 / Revised: 9 November 2022 / Accepted: 11 November 2022 / Published: 15 November 2022
(This article belongs to the Special Issue Network Traffic Security Analysis)

Round 1

Reviewer 1 Report

The authors have worked on Fine-grained High-utility Dynamic Fingerprinting Extraction for Network Traffic Analysis. Some points need to be addressed.

1. In the abstract, the authors mentioned "Anomaly detection...... extraction method of network anomaly detection cannot directly...". The meaning of this line is not clear.

2. In the abstract, "This paper": the paper proposes, or the authors proposed in the paper. They must write "In this work, a model is proposed ......" or the like.

3. The term "High-utility Dynamic Fingerprinting (Huf)": is this an abbreviation of it, or was it prepared by the authors as a description specifying something else?

4. In the abstract, the results section is not clearly mentioned.

5. In the Introduction section, "Some relevant literatures in recent years": this is not cited, and which years are the authors talking about?

6. A sentence "N-gram model[8] is a common representation model in natural language processing"... "Therefore, using N-gram model in natural language processing can more accurately": they have not used abbreviations for many words, like natural language processing. They must use the complete description where a term is mentioned the first time; later on, they can use abbreviations.

7. "One of the judging criteria": what criteria? Not clearly mentioned.

8. Figure 2 is not clearly visible.

9. Results are not clear. 

10. Text is not structured and connected with each other.

 

The authors do not present their work clearly. It cannot be accepted.

Author Response

Response to Reviewer Comment

 

Firstly, we would like to thank you for your constructive comments concerning our article. These comments are all valuable and helpful for improving our article. All the authors have seriously discussed all these comments. According to the reviewers’ comments, we have tried our best to modify our manuscript to meet the requirements of your journal. In this revised version, changes to our manuscript within the document were all highlighted by marks. Point-by-point responses to the reviewers are listed below this letter.

 

Point 1: In the abstract, the authors mentioned "Anomaly detection...... extraction method of network anomaly detection cannot directly...". The meaning of this line is not clear.

Response 1: Thank you for your reminder. We have revised the summary as a whole, and expressed the meaning of this sentence more clearly.

 

Point 2: In the abstract, "This paper": the paper proposes, or the authors proposed in the paper. They must write "In this work, a model is proposed ......" or the like.

Response 2: Thanks for your suggestion. According to your opinion, we have revised the summary as a whole, explained the existing problems, and emphasized the innovation and experimental results.

 

Point 3: The term "High-utility Dynamic Fingerprinting (Huf)": is this an abbreviation of it, or was it prepared by the authors as a description specifying something else?

Response 3: Thank you for your reminder. "High-utility Dynamic Fingerprinting (Huf)" is the abbreviation of this article. Other abbreviations in this article are also marked for the first time.

 

Point 4: In the abstract, the results section is not clearly mentioned.

 

Response 4: Thank you for your comments. We have completely revised the summary and emphasized the results.

 

Point 5: In the Introduction section, "Some relevant literatures in recent years": this is not cited, and which years are the authors talking about?

Response 5: Thank you for your suggestion. We have added Literature 8 and Literature 9 to more clearly describe the research in recent years.

Literature 8: Shim K S, Ham J H, Sija B D, et al. Application traffic classification using payload size sequence signature[J]. International Journal of Network Management, 2017, 27(5): e1981.

Literature 9: Sisodia D S, Khandal V, Singhal R. Fast prediction of web user browsing behaviours using most interesting patterns[J]. Journal of Information Science, 2018, 44(1): 74-90.

 

Point 6: A sentence "N-gram model[8] is a common representation model in natural language processing"... "Therefore, using the N-gram model in natural language processing can more accurately": they have not used abbreviations for many words, like natural language processing. They must use the complete description where a term is mentioned the first time; later on, they can use abbreviations.

Response 6: Thanks for your suggestion. An N-gram is every substring of a larger string, of a fixed length n. The reference for the N-gram definition is Reference 23 and has been added in the text.

Reference 23: Santos I, Penya Y K, Devesa J, et al. N-Grams-based file signatures for malware detection[C]. In Proceedings of the 11th International Conference on Enterprise Information Systems (ICEIS), 2009, pp. 317-320.

 

Point 7: "One of the judging criteria": what criteria? Not clearly mentioned.

 

Response 7: Thank you for your suggestion. It has been corrected in the introduction of section 1, which shows that the characteristics of network behavior analysis in recent years are from coarse particles to fine particles.

 

Point 8: Figure 2 is not clearly visible.

Response 8: Thanks for your suggestion. Picture 2 has been replaced with a clear picture.

 

Point 9: Results are not clear. 

 

Response 9: Thank you for your suggestions. We have made changes in front of Section III, Section IV, and Section 5, and behind Section 6, which not only show the results but also show the relationship between them.

 

Point 10: Text is not structured and connected with each other.

 

Response 10: Thank you for your suggestions. We have revised Sections III, IV, and V to explain the relationship between these sections.

 

Finally, we thank the reviewers again for your hard work.

Reviewer 2 Report

· The level of English language used in this paper is not up to the standards that are required for publication in an international research journal. A lot of spelling mistakes are there. The authors are advised to perform a substantial revision in this regard.

· A number of abbreviations are used in the paper without using proper terminology to define/describe the physical terms, for example IAT, SSL/TLS, etc.

· In the Introduction, the author described past work by using Literature [9], and Literature [10]; this is not a good way to write the literature survey. The authors are advised to perform a substantial revision in this regard and write the authors' names.

· In Section 3, a number of mistakes are there, for example "First bullet", etc.; these must be avoided.

· Figures 2 and 3 are not clear. The authors are advised to improve the quality of images.

· In Figure 4, a reference is needed for where the author has taken this figure from.

· Authors must argue how equations (2)–(6) were obtained, or indicate a bibliographic reference for their original form.

· The author is advised to provide the physical meaning of t, IPsrc, IPdst, prt, l, Info, etc. used in the different equations.

· It is not clear how equation (15) was obtained.

· Details on obtaining equation (22) are required.

· Please highlight how the work advances or increments the field from the present state of knowledge and provide a clear justification for your work. A little comment on the contribution and shortcoming. The authors need to provide critical comments.

 

I recommend the paper for publication after application of the above comments.

Author Response

Response to Reviewer Comment

 

Firstly, we would like to thank you for your constructive comments concerning our article. These comments are all valuable and helpful for improving our article. All the authors have seriously discussed all these comments. According to the reviewers’ comments, we have tried our best to modify our manuscript to meet the requirements of your journal. In this revised version, changes to our manuscript within the document were all highlighted by marks. Point-by-point responses to the reviewers are listed below this letter.

 

Point 1: The level of English language used in this paper is not up to the standards that are required for publication in an international research journal. A lot of spelling mistakes are there. The authors are advised to perform a substantial revision in this regard.

 

Response 1: Thank you for your suggestion. We have revised the whole article and corrected many words or grammatical errors. I hope it can meet your requirements.

 

Point 2: A number of abbreviations are used in the paper without using proper terminology to define/describe the physical terms, for example IAT, SSL/TLS, etc.

Response 2: Thank you for your reminder. We have revised the abbreviations of the article. For example: Fine-grained High-utility dynamic fingerprinting (Huf), Transport Layer Security (TLS), Transport Control Protocol/User Data Protocol (TCP/UDP), Hyper Text Transfer Protocol (HTTP), etc.

 

Point 3: In the Introduction, the author described past work by using Literature [9], and Literature [10]; this is not a good way to write the literature survey. The authors are advised to perform a substantial revision in this regard and write the authors' names.

Response 3: Thank you very much for your comments. We have made changes to the introduction, which has now been changed to Duessel et al. [11] adopting the N-gram model, with HTTP requests as elements in the model, and representing the N-gram model in the form of a tree. Wang et al. [12] also adopt the N-gram model to express network behavior and also use HTTP requests as elements to express the N-gram model in the form of a sequence.

 

Point 4: In Section 3, a number of mistakes are there, for example "First bullet", etc.; these must be avoided.

 

Response 4: Thank you very much for your reminder. We have corrected the error.

 

Point 5: Figures 2 and 3 are not clear. The authors are advised to improve the quality of images.

 

Response 5: Thank you very much for your suggestion. We have replaced the unclear pictures in Figure 2 and Figure 3 with clearer pictures.

 

Point 6: In Figure 4, a reference is needed for where the author has taken this figure from.

 

Response 6: Thank you very much for your suggestion. We have redrawn Figure 4 to ensure that the boundary line of Figure 4 is clear.

 

Point 7: Authors must argue how equations (2)–(6) were obtained, or indicate a bibliographic reference for their original form.

 

Response 7: Thank you very much for your suggestions. The book referred to in Formulas (2) - (6) is Machine Learning published by Tsinghua University Press by Zhou Zhihua, and Machine Learning Practice published by People's Posts and Telecommunications Press by Peter Harrington.

 

Point 8: The author is advised to provide the physical meaning of t, IPsrc, IPdst, prt, l, Info, etc. used in the different equations.

Response 8: Thank you very much for your suggestions.  are respectively,  Time, Source, Destination, Protocol, Length and Info. They are extracted from the fixed attributes of data packets and they are revised in Section 3.

 

Point 9: It is not clear how equation (15) was obtained.

Response 9: Thank you very much for your comments. Formula (15) is defined as follows:

There are many words with very high frequency in natural language, but they do not help the algorithm.

The main idea of the tf-idf algorithm is that if a word or phrase appears frequently in an article and rarely appears in other articles, it is considered that the word or phrase has good classification ability and is suitable for classification.

We believe that the tf-idf algorithm can solve the problems encountered very well, so we define Utility by combining the tf-idf algorithm, which evaluates the importance of words in natural language processing.

 

Point 10: Details on obtaining equation (22) are required.

Response 10: Thank you very much for your comments. First, the obtained fingerprints must be accurate. It is required that the obtained application fingerprints should include the results of the manual analysis as much as possible. Second, the retention of a small number of application fingerprints is important. Finally, there are cases that are not included in the manual analysis samples in the obtained application fingerprints. The wrong fingerprints should be as few as possible; otherwise, it will have a certain impact on future traffic classification. This paper uses these three criteria to evaluate the above three types of cases. Formula (22) is based on this. The application fingerprints obtained by manual analysis are divided into two parts,  containing encrypted messages and not containing encrypted messages. ,  and  are the total number of application fingerprints obtained according to the Huf algorithm, the number of correct classifications, and the number of encrypted messages. The larger the  value, the better the Huf algorithm.

 

Point 11: Please highlight how the work advances or increments the field from the present state of knowledge and provide a clear justification for your work. A little comment on the contribution and shortcoming. The authors need to provide critical comments.

 

Response 11: Thank you very much for your valuable comments. We have made changes to Section 6, which explains our specific shortcomings at present. At the same time, we will make efforts in these areas in the future.

 

Finally, we thank the reviewers again for your hard work.


Reviewer 3 Report

Good contribution with detailed analysis and mathematical interpretation.

Author Response

Response to Reviewer Comment

 

Firstly, we would like to thank you for your constructive comments concerning our article. These comments are all valuable and helpful for improving our article. All the authors have seriously discussed all these comments. According to the reviewers’ comments, we have tried our best to modify our manuscript to meet the requirements of your journal. In this revised version, changes to our manuscript within the document were all highlighted by marks. Point-by-point responses to the reviewers are listed below this letter.

 

Point 1: Good contribution with detailed analysis and mathematical interpretation.

Response 1: Thank you very much for your affirmation. We will continue to work hard in this regard, and thank you very much for your contribution. We will try our best to revise the manuscript according to your comments.


Reviewer 4 Report

The technical content in the paper sounds good. Some minor corrections stated below should be made by the author.

1). In the abstract, the below sentence provides no meaning (line number 14 & 15).

This paper proposes a fine-grained and highly practical dynamic to apply the fingerprint extraction method.

2). Below sentence is incomplete (line num: 18)

through the Utility of fin.

3). Needs thorough proofreading for the entire manuscript. Manuscript contains many grammatical and sentence errors.

4). Explanations for the figures are expected. Ex: Figure 2, the author can give a short explanation about the figure. If applicable, it can be done for all the figures in the manuscript.

5). Author has cited only 19 papers. It is so minimal. Authors can add some papers in the reference and the same can be cited in the text.

Author Response

Response to Reviewer Comment

 

Firstly, we would like to thank you for your constructive comments concerning our article. These comments are all valuable and helpful for improving our article. All the authors have seriously discussed all these comments. According to the reviewers’ comments, we have tried our best to modify our manuscript to meet the requirements of your journal. In this revised version, changes to our manuscript within the document were all highlighted by marks. Point-by-point responses to the reviewers are listed below this letter.

 

Point 1: In the abstract, the below sentence provides no meaning (line number 14 & 15).

This paper proposes a fine-grained and highly practical dynamic to apply the fingerprint extraction method.

 

Response 1: Thank you very much for your suggestion. We have made changes to the overall part of the summary, deleted many unnecessary words, and highlighted the key points as much as possible.

 

Point 2: Below sentence is incomplete (line num: 18)

through the Utility of fin.

 

Response 2: Thanks for your suggestion. We corrected the error on line 18.

 

Point 3: Needs thorough proofreading for the entire manuscript. Manuscript contains many grammatical and sentence errors.

 

Response 3: Thank you very much for your comments. We have made an overall revision of the article and corrected many mistakes. I hope it can meet your requirements.

 

Point 4: Explanations for the figures are expected. Ex: Figure 2, the author can give a short explanation about the figure. If applicable, it can be done for all the figures in the manuscript.

 

Response 4: Thank you very much for your comments. Our description of all pictures: Fig, has been changed to Figure or figure.

 

Point 5: Author has cited only 19 papers. It is so minimal. Authors can add some papers in the reference and the same can be cited in the text.

 

Response 5: Thank you for your suggestions. We have added 25 references in total. We think these 25 references are helpful and hope to meet your requirements.

 

Finally, we thank the reviewers again for your hard work.


Round 2

Reviewer 1 Report

I did not recognize that the comments are seriously considered by the authors and did change.

 

1. In the abstract, a statement "To solve the problems that the previous network feature extraction methods for network anomaly detection cannot directly extract features from the original network traffic or can only extract coarse-grained features, and highly rely on manual analysis, this paper proposes an approach to the fine-grained and high-utility dynamic application fingerprint extraction" is too complex.

2. The authors used Fine-grained High-utility dynamic fingerprinting, although Huf algorithm is not used for dynamic.

3. In conclusion, the statement used by authors "In this paper, we use the association analysis algorithm in data mining to mine the relationship between independent data packets. We build a Huf-Tree to realize dynamic application fingerprint mining and calculate the utility of fingerprints to obtain more valuable fingerprints. There are also some problems in this paper. The IAT in this paper is only divided based on IP addresses, and there is a lot of room for improvement. If the data flow is divided accurately, the subsequent algorithm will get better results. For fine-grained anomaly detection methods, the analysis of outlier types needs further research." is very destructive.

They mentioned some problems in the paper. How is it possible that the authors mentioned a problem in their paper?

They need to check and revise the paper again.

Author Response

Response to Reviewer Comment

 

We quite appreciate your favorite consideration and the reviewer’s insightful comments. Now we have revised the applsci-1987731 exactly according to the reviewer’s comments and found these comments very helpful. These changes will not influence the content and framework of the paper. And here we did not list the changes but marked them in red in the revised paper. We hope this revision can make my paper more acceptable. The revisions were addressed point by point below.

 

Point 1: In the abstract, a statement "To solve the problems that the previous network feature extraction methods for network anomaly detection cannot directly extract features from the original network traffic or can only extract coarse-grained features, and highly rely on manual analysis, this paper proposes an approach to the fine-grained and high-utility dynamic application fingerprint extraction" is too complex.

 

Response 1: Thank you very much for your valuable comments. We have modified the summary, changed the complex sentences into shorter words, and marked them in red on the paper.

 

Point 2: The authors used Fine-grained High-utility dynamic fingerprinting, although Huf algorithm is not used for dynamic.

 

Response 2: Thank you very much for your valuable opinion. Huf algorithm can be used to process dynamic fingerprints. The Huf algorithm includes three parts: data preprocessing, constructing Huf-Tree, and calculating fingerprint utility. Section 3 mainly deals with data processing. Section 4 calculates the utility of the processed data first, and then divides the N-gram model so that a relatively complete application fingerprint is retained. Then the dynamic data stream is processed by constructing Huf-tree, and finally the dynamic application fingerprint is extracted by the Huf algorithm.

 

Point 3: In conclusion, the statement used by authors "In this paper, we use the association analysis algorithm in data mining to mine the relationship between independent data packets. We build a Huf-Tree to realize dynamic application fingerprint mining and calculate the utility of fingerprints to obtain more valuable fingerprints. There are also some problems in this paper. The IAT in this paper is only divided based on IP addresses, and there is a lot of room for improvement. If the data flow is divided accurately, the subsequent algorithm will get better results. For fine-grained anomaly detection methods, the analysis of outlier types needs further research." is very destructive.

They mentioned some problems in the paper. How is it possible that the authors mentioned a problem in their paper?

 

Response 3: Thank you very much for your suggestion. I'm sorry that we made a mistake. It has been revised in Section 6. The problems we put forward are the problems existing in our article at present, and we hope that future research can solve them.

 

In all, we found the reviewer’s comments quite helpful, and we revised our paper point-by-point. Thank you and the reviewer again for your help!


Reviewer 2 Report

My comments are addressed sufficiently, I have no further comments.

Author Response

Response to Reviewer Comment

 

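We quite appreciate your favorite consideration and the reviewer’s insightful comments. Now we have revised the applsci-1987731 exactly according to the reviewer’s comments and found these comments very helpful. These changes will not influence the content and framework of the paper. And here we did not list the changes but marked them in red in the revised paper. We hope this revision can make my paper more acceptable. The revisions were addressed point by point below.

Point 1: My comments are addressed sufficiently, I have no further comments.

Response 1: Thank you very much for your affirmation. We will continue to work hard in this regard, and thank you very much for your contribution. We will try our best to revise the manuscript according to your comments.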
