From intrusion detection to attacker attribution: A comprehensive survey of unsupervised methods

Antonia Nisioti, Alexios Mylonas, Paul D. Yoo, Vasilios Katos

Research output: Contribution to journalArticlepeer-review

57 Citations (Scopus)
54 Downloads (Pure)


Over the last five years there has been an increase in the frequency and diversity of network attacks. This holds true, as more and more organizations admit compromises on a daily basis. Many misuse and anomaly based intrusion detection systems (IDSs) that rely on either signatures, supervised or statistical methods have been proposed in the literature, but their trustworthiness is debatable. Moreover, as this paper uncovers, the current IDSs are based on obsolete attack classes that do not reflect the current attack trends. For these reasons, this paper provides a comprehensive overview of unsupervised and hybrid methods for intrusion detection, discussing their potential in the domain. We also present and highlight the importance of feature engineering techniques that have been proposed for intrusion detection. Furthermore, we discuss that current IDSs should evolve from simple detection to correlation and attribution. We descant how IDS data could be used to reconstruct and correlate attacks to identify attackers, with the use of advanced data analytics techniques. Finally, we argue how the present IDS attack classes can be extended to match the modern attacks and propose three new classes regarding the outgoing network communication.
Original languageEnglish
Article number8410366
Pages (from-to)3369-3388
Number of pages20
JournalIEEE Communications Surveys & Tutorials
Issue number4
Early online date12 Jul 2018
Publication statusPublished - 1 Oct 2018


  • Anomaly IDS
  • Attack reconstruction
  • Correlation and attribution
  • Data analytics
  • Digital forensics
  • Feature selection
  • Network forensics
  • Unsupervised learning


Dive into the research topics of 'From intrusion detection to attacker attribution: A comprehensive survey of unsupervised methods'. Together they form a unique fingerprint.

Cite this