Table 2: Comparison of the surveyed works.

Name Ref.DomainGranul.Time of detect.SourcesMain Detect. technique

Beehive[23]ITBatchNonrealProxy logs-means
Bumgardner and Marek[24]ITBothRealNetwork flowsEstablished thresholds
Camacho et al.[17]ITBothNonrealFirewall & IDS logsPCA
Dromard et al.[25]ITBatchNonrealNetwork flowsDBSCAN
Difallah et al.[26]INBothRealProcess dataLISA
Giura and Wang[27]ITBatchNonrealNetwork and application dataThreshold establishing
Gupta and Kulariya[28]ITBatchNonrealNetwork capturesSeveral feature extraction and classification algorithms
Gonçalves et al.[29]ITBatchNonrealDHCP, Authentication and Firewall logsEM
Hadžiosmanović et al.[30]INBatchNonrealSCADA logsFP-Graph
Hashdoop[31]ITBatchNonrealNetwork traffic (textual format)None
Hurst et al.[32]INBatchNonrealProcess dataMultiple classification algs.
Iturbe et al.[33]INBatchNonrealNetwork flowsWhitelisting
Kiss et al.[34]INBatchNonrealProcess data-means
Marchal et al.[35]ITBatchNonrealHoneypot, DNS, HTTP and Network flow dataThreshold establishing
MATATABI[36]ITBatchNonrealDNS records, Network flows, Spam emailMultiple
Rathore et al.[37]ITBatchNonrealNetwork flowsC4.5, RepTree
Ratner and Kelly[38]ITBatchNonrealNetwork packetsManual data querying
Therdphapiyanak and Piromsopa[39]ITBatchNonrealNetwork logs-means
TADOOP[40]ITBatchNonrealNetwork flowsDTE-FP
Wallace et al.[18]INContinuousRealProcess dataCumulative Probability Distribution
Wang et al.[41]ITContinuousRealNetwork flowsIntergroup entropy, LMS
Xu et al.[42]ITBatchNonrealConsole logsPCA