Human-in-the-Loop Support

• Human-in-the-Loop (HITL) support is a framework that integrates explicit human consent and oversight into cybersecurity systems to enhance trust and compliance.
• Architectural principles include OTP-based authentication, clear consent screens, audit logging, and immediate revocation to ensure ethical monitoring.
• Integration with machine learning pipelines enables real-time intrusion detection and automated mitigation while maintaining human review and control.

Human-in-the-Loop (HITL) Support is an operational paradigm integrating explicit human intervention, consent, and oversight within technical workflows and algorithmic decision-making processes to enhance security, trust, and compliance in cyber-defense and network operations. HITL support mandates mechanisms for transparent user authorization, auditability, immediate control revocation, and interpretable system responses, thereby addressing limitations of fully autonomous agents in dynamic or sensitive network environments.

1. Architectural Principles of HITL in CyberOps-Bots

HITL support in the CyberOps-Bots framework is explicit in the design and implementation of edge network security modules. The system architecture deploys a Raspberry Pi Model 5 to create a virtual network layer using RaspAP (WPA2, DHCP) and Nodogsplash captive portal to launch a chatbot user interface upon connection. New users are prompted to provide phone numbers, verify via OTP (using Twilio API), and explicitly review and accept network monitoring policies via human-readable consent screens. OTP transactions and consent approvals are logged for thorough auditability, and ethical monitoring is not enabled until user consent is obtained. Users can revoke consent in real time, and monitoring is immediately ceased for the affected device (Asif et al., 2024).

This approach reflects best practices of HITL:

• Explicit Consent and Transparency: Consent forms must be reviewed and accepted prior to any packet capture or monitoring. Systems log acceptance and authentication events for audit.
• Immediate Revocation Controls: HITL mechanisms facilitate dynamic opt-out by users, reinforcing trust and reducing risk of covert surveillance.
• Boundary Enforcement: Only metadata and network header fields are analyzed; application payloads are never stored and logs are purged per retention policies, further mitigating privacy risks.

2. Integration of HITL with Machine-Learning Decision Pipelines

The HITL paradigm directly interfaces with the ML-driven inference engine operating on edge devices. Packet-capture agents extract features (protocol_type, service, flag, src_bytes, dst_bytes, count, srv_count) and apply one-hot encoding and min–max normalization per NSL-KDD guidelines. ML classifiers (Decision Tree and Random Forest, with hyperparameters tuned by cross-validation) score network flows as "benign" or "intrusion" using established metrics:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}$$

$\mathrm{Precision} = \frac{TP}{TP + FP}$

$\mathrm{Recall} = \frac{TP}{TP + FN}$

$$F_1 = 2 \times \frac{\mathrm{Precision}\times\mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}$$

$$\mathrm{AUC} = \int_0^1 \mathrm{TPR}(t)\,d\mathrm{FPR}(t)$$

HITL elements ensure that inference results are both actionable and interpretable:

• Alerts are issued in real-time upon detection, appearing in system logs and optionally in chatbot notifications.
• Mitigation suggestions (blocking IP/MAC, throttling, network isolation) are subject to further human review and escalation (e.g., forward to SIEM/SOC for deeper intervention).
• All classified events, user logs, and feature aggregates are retained locally for periodic retraining, reflecting continuous human involvement in system tuning (Asif et al., 2024).

3. Workflow Dynamics: Interaction between Human Consent and Automated Mitigation

HITL support orchestrates the user–system interaction workflow:

1. User connects; captive portal redirects DNS/HTTP to chatbot UI.
2. OTP authentication and explicit consent—no network access or monitoring until steps are completed.
3. Packet capture and feature extraction commence only after policy acceptance.
4. ML inference flags intrusions; alerts and mitigations (e.g., IP block) can be executed automatically, but policies may require manual confirmation or escalation to an analyst interface.
5. Consent withdrawal via web interface triggers immediate monitoring cessation for the corresponding device.

This delineated workflow ensures ethical separation between automated security enforcement and user liberty, consistent with privacy regimes and audit requirements.

4. HITL’s Role in Data Privacy, Transparency, and Trust

The paper prescribes a three-pronged HITL approach to privacy and transparency:

• Analysis is limited to non-payload metadata and headers, strictly excluding application data.
• Consent logs (phone number, OTP timestamp, policy-acceptance time) are maintained and older logs are purged periodically (default 30 days).
• User control is prioritized—revocation is immediate, and network monitoring cannot continue for non-consenting devices.

This framework operationalizes compliance with transparency and ethical monitoring mandates and ensures direct, real-time human control over surveillance boundaries in edge environments (Asif et al., 2024).

5. Performance Evaluation, Limitations, and Implications of Human Agency

Empirical evaluation on NSL-KDD data demonstrates:

• For Decision Tree (TP=9465, FP=2730, TN=10000, FN=246): Accuracy=86.84%, Precision=77.60%, Recall=97.45%, F1=86.30%, FPR≈21.5%
• For Random Forest (TP=9442, FP=3584, TN=9248, FN=269): Accuracy=83.48%, Precision=72.50%, Recall=97.23%, F1=83.85%, FPR≈27.9%

Scalability on Raspberry Pi Model 5:

• DT: ~500 inferences/sec, ~5 MB RAM
• RF: ~200 inferences/sec, ~30 MB RAM, CPU utilization ≈ 60% under peak load

HITL integration introduces operational constraints:

• Moderate false-positive rates can lead to alert fatigue; human oversight is critical for triage.
• Edge devices as HITL gateways may be availability risks if physically compromised.
• HITL applicability is presently evaluated within NSL-KDD paradigm; real-world encrypted flows and zero-day patterns may require more adaptive human–machine co-monitoring (Asif et al., 2024).

6. Strategic Integration and Future Enhancements for HITL Support

Planned enhancements to HITL support include:

• Federated learning across multiple edge nodes, allowing shared model updates without raw data exchange while requiring human oversight for distributed consent mechanisms.
• Deep-learning and ensemble expansions (autoencoders for anomaly detection) that introduce interpretable interfaces for human action.
• Behavioral profiling and context-aware classification methods factoring user-agent and time-of-day analytics subject to user opt-in.
• Hardware acceleration yielding higher throughput without sacrificing human consent protocols.
• End-to-end encrypted channel capture with in-memory feature extraction to align with HITL-driven privacy mandates under GDPR/CCPA.

Dynamic adjustment of anomaly thresholds via integration with threat-intelligence feeds remains a HITL-governed process (SOC analyst reviews, on-demand chatbot queries). These developments strengthen both the adaptive and ethical capacities of HITL-enabled security systems in CyberOps-Bots (Asif et al., 2024).

---

In summary, Human-in-the-Loop support in CyberOps-Bots frames an operationally robust and ethically stringent edge security model: all automated intrusion detection and mitigation workflows are subordinated to explicit user consent, real-time auditability, revocable controls, and interpretable interfaces, with measurable performance and a planned trajectory for federated, scalable, and privacy-preserving future deployments (Asif et al., 2024).