By Anonymous User
Review Details
Reviewer has chosen to be Anonymous
Overall Impression: Average
Content:
Technical Quality of the paper: Average
Originality of the paper: Yes, but limited
Adequacy of the bibliography: Yes, but see detailed comments
Presentation:
Adequacy of the abstract: Yes
Introduction: background and motivation: Good
Organization of the paper: Needs improvement
Level of English: Satisfactory
Overall presentation: Average
Detailed Comments:
This paper is an extension of a study previously presented at the Nesy conference. The additional content, however, is not entirely new, as it builds on some of the experiments introduced at the conference and incorporates a review of another recent paper authored by the same researchers (ref 101). Overall, the paper presents an interesting cyber-security scenario for neuro-symbolic techniques. However, it falls short of convincingly demonstrating the suitability of these techniques for the chosen experiments.
Let's organize my main concerns and comments with the ordering of the paper.
* Abstract. The abstract is too short and it must include the main hypothesis and conclusions.
* Section 2:
- It must include subsections for the different phases of MAPE-K, namely: 2.1. Monitor, 2.2. Analyze, etc.
- The reference to ENISA only needs to be cited once.
- Challenge 3: this challenge does not include any reference. Are there any existing approaches related to this challenge that could be cited?
- Include a comment about the maintenance of the ontologies, especially SEPSES, which appears to be inactive or stuck as of 2023.
- In Plan&execute there should be some comment about recommendation systems in cyber-security. This topic is addressed in section 4.5, so a connection should be made here.
* Section 3:
- Authors must include a paragraph or table explaining the different types of neuro-symbolic AI. Specifically, describe the different ways large language models (LLMs) and symbolic approaches can be combined to solve problems. The introduction to neuro-symbolic (nesy) approaches should be more formal, clearly describing the techniques that fall into each category and how they can be combined.
- It is recommended to include a final table relating the challenges to the use cases.
- Similar to Section 2, this section must include subsections for the different phases of MAPE-K, namely: 3.1. Monitor, 3.2. Analyze, etc.
* Section 4:
- Authors must justify the selection of the experiments. Why have these specific use cases been chosen over others?
* Section 4.1.
- The results of Figure 2 should be presented as a table instead of a figure.
- Does the training data for the baseline neural network (NN) include the NWS vs. IT feature? If not, then the results are not fair, and this should be addressed.
- Since this is a binary classification problem, the reported precision and F1 scores are poor. What are the state-of-the-art scores for this dataset in the literature? This comparison is essential.
* Section 4.2.
- It is recommended to use the same example in the prompt and in Figures 4, 5, and 6 for better clarity and coherence.
- Authors must discuss the tractability and complexity of Tlingo programs. Can this technique scale in real-world scenarios with hundreds of thousands of alarms?
* Section 4.3.
- In Figure 8, which labels are assigned to the classifier? It is not explained in the text.
- Page 16, lines 29-39. These paragraphs must be rewritten; it is quite difficult to understand the ideas exposed here.
- Page 17, lines 1-2. What are the nodes and edges of these graphs (log and alarm graphs)? Some example is needed here.
- Page 19, again, authors should discuss scalability issues. In this small example, execution times are around 100s. Can this technique be applied to large-scale logs of alerts?
* Section 4.4.
This experiment is based on the previous work of the authors in references [19] and [21]. Notice that reference [20] (unpublished) looks like the same as [21].
- Page 20, lines 33-47, this part is unreadable. Sentences are not well written and there are new concepts that have not been explained before, so it is very difficult to understand this part.
- Authors must explain what LM-1A, LM-1B and DF-1A are in order to understand the SWRL rules on page 23. On this page, there are also unreadable sentences because of their syntax.
* Section 4.5.
This section is mainly a review of a previous paper [101] with little contribution in the context of this paper.
Apart from these comments, the paper needs a careful reading to fix numerous typos and syntax errors. Also, the references need a lot of polishing. There are many incomplete references, some duplicates, and missing citations in the text.