Methodology

[yeaight7]

This pull request significantly expands and clarifies the methodology chapter, adding detailed explanations of the experimental design, feature schema, reward structure, algorithmic choices, and limitations. The changes improve transparency, reproducibility, and interpretability of the RL-based network intrusion detection pipeline. The most important changes are grouped and summarized below:

Feature Schema and Data Handling

• Added Table~\ref{tab:canonical-groups} and detailed description of the canonical flow feature groups, clarifying the structure and meaning of the 76-feature schema used throughout the pipeline.
• Expanded diagnostics for laboratory flow inference, including new outputs for missingness, feature scaling statistics, and out-of-distribution detection.

Reward Function and Environment Protocol

• Introduced a reward decision matrix (Table~\ref{tab:reward-matrix}) and expanded discussion of the reward structure, including its effect on agent behavior and the rationale for zero true-negative reward.
• Added a detailed protocol for environment state transitions, clarifying how training and evaluation modes are separated and how reproducibility is ensured.

Algorithmic Details and Baseline Comparison

• Added sections on QRDQN’s quantile regression loss and exploration strategy, explaining the distributional RL approach and its implications for cost-sensitive learning.
• Documented class imbalance handling and cost-sensitive weighting for the Random Forest baseline, ensuring fair comparison with the RL agent under asymmetric costs.
• Introduced a training-scale and data-efficiency protocol, describing how learning curves are generated and compared across models and budgets.

Validation and Reproducibility

• Expanded the validation ladder with explanations for each rung, highlighting their roles in detecting leakage, measuring generalization, and testing domain shift.
• Added a new section on implementation framework, including details on core libraries, artifact management, and reproducibility controls for experimental runs.

Methodological Limitations

• Reorganized and elaborated the limitations section into four explicit categories: static environment, binary label mapping, benchmark fragility, and scope of reproducibility. This clarifies the boundaries of the thesis claims and future work required for stronger evidence.

These changes collectively make the methodology more rigorous, auditable, and easier to reproduce or extend.