{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,17]],"date-time":"2026-06-17T00:32:25Z","timestamp":1781656345057,"version":"3.54.5"},"reference-count":54,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T00:00:00Z","timestamp":1764806400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026,1,27]]},"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>The constant increase of devices connected to the Internet, and therefore of cyber-attacks, makes it necessary to analyse network traffic in order to recognize malicious activity. Traditional packet-based analysis methods are insufficient because in large networks the amount of traffic is so high that it is unfeasible to review all communications. For this reason, network flows is a suitable approach for this situation, which in future 5G networks will have to be used, as the number of packets will increase dramatically. If this is also combined with unsupervised learning models, it can detect new threats for which it has not been trained. This paper presents a systematic review of the literature on unsupervised learning algorithms for detecting anomalies in network flows, following the PRISMA guideline. A total of 63 scientific articles have been reviewed, analysing 15 of them in depth. The results obtained show that autoencoder is the most used option, followed by SVM, ALAD, or SOM. On the other hand, all the datasets used for anomaly detection have been collected, including some specialised in IoT or with real data collected from honeypots.<\/jats:p>","DOI":"10.1093\/jigpal\/jzaf020","type":"journal-article","created":{"date-parts":[[2025,4,24]],"date-time":"2025-04-24T09:50:59Z","timestamp":1745488259000},"source":"Crossref","is-referenced-by-count":5,"title":["A systematic literature review of unsupervised learning algorithms for anomalous traffic detection based on flows"],"prefix":"10.1093","volume":"34","author":[{"given":"Alberto","family":"Miguel-Diez","sequence":"first","affiliation":[{"name":"Robotics Group, University of Le\u00f3n, Campus de Vegazana S\/N , 24071 Le\u00f3n, Spain"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Adri\u00e1n","family":"Campazas-Vega","sequence":"additional","affiliation":[{"name":"Robotics Group, University of Le\u00f3n, Campus de Vegazana S\/N , 24071 Le\u00f3n, Spain"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Claudia","family":"\u00c1lvarez-Aparicio","sequence":"additional","affiliation":[{"name":"Robotics Group, University of Le\u00f3n, Campus de Vegazana S\/N , 24071 Le\u00f3n, Spain"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Gonzalo","family":"Esteban-Costales","sequence":"additional","affiliation":[{"name":"Robotics Group, University of Le\u00f3n, Campus de Vegazana S\/N , 24071 Le\u00f3n, Spain"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"\u00c1ngel Manuel","family":"Guerrero-Higueras","sequence":"additional","affiliation":[{"name":"Robotics Group, University of Le\u00f3n, Campus de Vegazana S\/N , 24071 Le\u00f3n, Spain"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"286","published-online":{"date-parts":[[2025,12,4]]},"reference":[{"key":"2025120404325167000_ref1","article-title":"Specification of the IP flow information export (IPFIX) protocol for the exchange of flow information","volume":"7011","author":"Aitken","year":"2013","journal-title":"RFC"},{"key":"2025120404325167000_ref2","doi-asserted-by":"publisher","first-page":"81","DOI":"10.1145\/380995.381030","article-title":"The uci kdd archive of large data sets for data mining research and experimentation","volume":"2","author":"Bay","year":"2000","journal-title":"SIGKDD Explor Newsl"},{"key":"2025120404325167000_ref3","doi-asserted-by":"publisher","first-page":"2059","DOI":"10.1007\/s11192-014-1506-1","article-title":"What is the best database for computer science journal articles","volume":"102","author":"Cavacini","year":"2015","journal-title":"Scientometrics"},{"key":"2025120404325167000_ref4","doi-asserted-by":"crossref","first-page":"947","DOI":"10.23919\/INM.2017.7987417","article-title":"Exploring a service-based normal behaviour profiling system for botnet detection","volume-title":"2017 IFIP\/IEEE Symposium on Integrated Network and Service Management (IM)","author":"Chen","year":"2017"},{"key":"2025120404325167000_ref5","article-title":"Netflow version 9 flow-record format","author":"Cisco","year":"2011"},{"key":"2025120404325167000_ref6","doi-asserted-by":"crossref","DOI":"10.17487\/rfc3954","article-title":"Cisco systems netflow services export version 9","author":"Claise","year":"2004"},{"key":"2025120404325167000_ref7","article-title":"Netflow anomaly detection; finding covert channels on the network","author":"Dreijer","year":"2014"},{"key":"2025120404325167000_ref8","doi-asserted-by":"crossref","DOI":"10.1145\/1921168.1921179","volume-title":"MAWILab: Combining Diverse Anomaly Detectors for Automated Anomaly Labeling and Performance Benchmarking","author":"Fontugne","year":"2010"},{"key":"2025120404325167000_ref9","doi-asserted-by":"publisher","first-page":"100466","DOI":"10.1016\/j.jii.2023.100466","article-title":"Anomaly detection in netflow network traffic using supervised machine learning algorithms","volume":"33","author":"Fosi\u0107","year":"2023","journal-title":"J Ind Inf Integr"},{"key":"2025120404325167000_ref10","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1016\/j.cose.2014.05.011","article-title":"An empirical comparison of botnet detection methods","volume":"45","author":"Garc\u00eda","year":"2014","journal-title":"Comput Secur"},{"key":"2025120404325167000_ref11","doi-asserted-by":"crossref","first-page":"317","DOI":"10.1109\/PST.2016.7906980","article-title":"Analyzing flow-based anomaly intrusion detection using replicator neural networks","volume-title":"2016 14th Annual Conference on Privacy, Security and Trust (PST)","author":"Garc\u00eda Cordero","year":"2016"},{"key":"2025120404325167000_ref12","article-title":"Iot-23: a labeled dataset with malicious and benign iot network traffic","author":"Garcia","year":"2020"},{"key":"2025120404325167000_ref13","doi-asserted-by":"crossref","first-page":"568","DOI":"10.5220\/0010573700002998","article-title":"An improved live anomaly detection system (i-lads) based on deep learning algorithms","volume-title":"Proceedings of the 18th International Conference on Security and Cryptography\u2014SECRYPT","author":"Gonzalez-Granadillo","year":"2021"},{"key":"2025120404325167000_ref14","doi-asserted-by":"crossref","first-page":"143","DOI":"10.1007\/978-3-031-10684-2_9","article-title":"Local intrinsic dimensionality of iot networks for unsupervised intrusion detection","volume-title":"Data and Applications Security and Privacy XXXVI","author":"Gorbett","year":"2022"},{"key":"2025120404325167000_ref15","doi-asserted-by":"publisher","first-page":"1860","DOI":"10.1126\/science.269.5232.1860","article-title":"Replicator neural networks for universal optimal source coding","volume":"269","author":"Hecht-Nielsen","year":"1995","journal-title":"Science"},{"key":"2025120404325167000_ref16","doi-asserted-by":"publisher","first-page":"2037","DOI":"10.1109\/COMST.2014.2321898","article-title":"Flow monitoring explained: from packet capture to data analysis with netflow and ipfix","volume":"16","author":"Hofstede","year":"2014","journal-title":"IEEE Commun Surv Tutor"},{"key":"2025120404325167000_ref17","doi-asserted-by":"publisher","first-page":"2467","DOI":"10.1007\/s00170-021-08001-6","article-title":"Automated detection-in-depth in industrial control systems","volume":"118","author":"Jadidi","year":"2022","journal-title":"Int J Adv Manuf Technol"},{"key":"2025120404325167000_ref18","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1109\/BigDataService49289.2020.00032","article-title":"Unsupervised learning for network flow based anomaly detection in the era of deep learning","volume-title":"2020 IEEE Sixth International Conference on Big Data Computing Service and Applications (BigDataService)","author":"Kabir","year":"2020"},{"key":"2025120404325167000_ref19","doi-asserted-by":"crossref","DOI":"10.1201\/b19467","volume-title":"Evidence-Based Software Engineering and Systematic Reviews","author":"Kitchenham","year":"2015"},{"key":"2025120404325167000_ref20","doi-asserted-by":"crossref","first-page":"506","DOI":"10.1109\/MeditCom49071.2021.9647639","article-title":"Iot botnet detection on flow data using autoencoders","volume-title":"2021 IEEE International Mediterranean Conference on Communications and Networking (MeditCom)","author":"Kompougias","year":"2021"},{"key":"2025120404325167000_ref21","doi-asserted-by":"crossref","first-page":"35","DOI":"10.1109\/ICDMW.2018.00013","article-title":"Unsupervised scanning behavior detection based on distribution of network traffic features using robust autoencoders","volume-title":"2018 IEEE International Conference on Data Mining Workshops (ICDMW)","author":"Kotani","year":"2018"},{"key":"2025120404325167000_ref22","article-title":"A study on nsl-kdd dataset for intrusion detection system based on classification algorithms","author":"Dhanabal","year":"2015"},{"key":"2025120404325167000_ref23","doi-asserted-by":"publisher","first-page":"58","DOI":"10.23919\/cje.2022.00.173","article-title":"Flowgananomaly: flow-based anomaly network intrusion detection with adversarial learning","volume":"33","author":"Li","year":"2024","journal-title":"Chin J Electron"},{"key":"2025120404325167000_ref24","volume-title":"DARPA Intrusion Detection Evaluation Dataset","author":"Lincoln Laboratory","year":"1999"},{"key":"2025120404325167000_ref25","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1016\/j.cose.2017.11.004","article-title":"Ugr\u201916: a new dataset for the evaluation of cyclostationarity-based network idss","volume":"73","author":"Maci\u00e1-Fern\u00e1ndez","year":"2018","journal-title":"Comput Secur"},{"key":"2025120404325167000_ref26","doi-asserted-by":"crossref","first-page":"893","DOI":"10.1109\/ICCNC.2018.8390278","article-title":"An empirical evaluation of deep learning for network anomaly detection","volume-title":"2018 International Conference on Computing, Networking and Communications (ICNC)","author":"Malaiya","year":"2018"},{"key":"2025120404325167000_ref27","article-title":"Mininet\u2014an instant virtual network on your laptop (or other pc)","author":"Mininet"},{"key":"2025120404325167000_ref28","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1371\/journal.pmed.1000097","article-title":"Preferred reporting items for systematic reviews and meta-analyses: the prisma statement","volume":"6","author":"Moher","year":"2009","journal-title":"PLoS Med"},{"key":"2025120404325167000_ref29","article-title":"New generations of internet of things datasets for cybersecurity applications based machine learning: Ton_iot datasets","author":"Moustafa","year":"2019"},{"key":"2025120404325167000_ref30","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/MilCIS.2015.7348942","article-title":"Unsw-nb15: a comprehensive data set for network intrusion detection systems (unsw-nb15 network data set)","volume-title":"2015 Military Communications and Information Systems Conference (MilCIS)","author":"Moustafa","year":"2015"},{"key":"2025120404325167000_ref31","doi-asserted-by":"crossref","first-page":"91","DOI":"10.1109\/CNS.2019.8802833","article-title":"Gee: a gradient-based explainable variational autoencoder for network anomaly detection","volume-title":"2019 IEEE Conference on Communications and Network Security (CNS)","author":"Nguyen","year":"2019"},{"key":"2025120404325167000_ref32","doi-asserted-by":"publisher","first-page":"3369","DOI":"10.1109\/COMST.2018.2854724","article-title":"From intrusion detection to attacker attribution: a comprehensive survey of unsupervised methods","volume":"20","author":"Nisioti","year":"2018","journal-title":"IEEE Commun Surv Tutor"},{"key":"2025120404325167000_ref33","article-title":"Traffic monitoring with packet-based sampling for defense against security threats","author":"Panchen","year":"2002"},{"key":"2025120404325167000_ref34","first-page":"40","article-title":"Creation of flow-based data sets for intrusion detection","volume":"16","author":"Ring","year":"2017","journal-title":"J Inf Warfare"},{"key":"2025120404325167000_ref35","first-page":"361","article-title":"Flow-based benchmark data sets for intrusion detection","volume-title":"Proceedings of the 16th European Conference on Cyber Warfare and Security (ECCWS)","author":"Ring","year":"2017"},{"key":"2025120404325167000_ref36","doi-asserted-by":"publisher","first-page":"e13","DOI":"10.2196\/jmir.5876","article-title":"Personal health records: a systematic literature review","volume":"19","author":"Roehrs","year":"2017","journal-title":"J Med Internet Res"},{"key":"2025120404325167000_ref37","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1007\/978-3-030-72802-1_9","article-title":"Netflow datasets for machine learning-based network intrusion detection systems","volume-title":"Big Data Technologies and Applications","author":"Sarhan","year":"2021"},{"key":"2025120404325167000_ref38","doi-asserted-by":"publisher","DOI":"10.1186\/1472-6947-7-16","article-title":"Utilization of the PICO framework to improve searching PubMed for clinical questions","volume":"7","author":"Schardt","year":"2007","journal-title":"BMC Med Inform Decis Mak"},{"key":"2025120404325167000_ref39","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ATNAC.2018.8615255","article-title":"A hierarchical intrusion detection system using support vector machine for sdn network in cloud data center","volume-title":"2018 28th International Telecommunication Networks and Applications Conference (ITNAC)","author":"Schueller","year":"2018"},{"key":"2025120404325167000_ref40","doi-asserted-by":"crossref","DOI":"10.5220\/0006639801080116","article-title":"Toward generating a new intrusion detection dataset and intrusion traffic characterization","volume-title":"International Conference on Information Systems Security and Privacy","author":"Sharafaldin","year":"2018"},{"key":"2025120404325167000_ref41","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/CCST.2019.8888419","article-title":"Developing realistic distributed denial of service (ddos) attack dataset and taxonomy","volume-title":"2019 International Carnahan Conference on Security Technology (ICCST)","author":"Sharafaldin","year":"2019"},{"key":"2025120404325167000_ref42","doi-asserted-by":"publisher","first-page":"220","DOI":"10.1504\/IJCNDS.2018.094221","article-title":"An overview of flow-based anomaly detection","volume":"21","author":"Sharma","year":"2018","journal-title":"Int J Commun Netw Distrib Syst"},{"key":"2025120404325167000_ref43","doi-asserted-by":"publisher","first-page":"357","DOI":"10.1016\/j.cose.2011.12.012","article-title":"Toward developing a systematic approach to generate benchmark datasets for intrusion detection","volume":"31","author":"Shiravi","year":"2012","journal-title":"Comput Secur"},{"key":"2025120404325167000_ref44","article-title":"Digital 2024 report","author":"We Are Social","year":"2024"},{"key":"2025120404325167000_ref45","doi-asserted-by":"publisher","first-page":"343","DOI":"10.1109\/SURV.2010.032210.00054","article-title":"An overview of ip flow-based intrusion detection","volume":"12","author":"Sperotto","year":"2010","journal-title":"IEEE Commun Surv Tutor"},{"key":"2025120404325167000_ref46","article-title":"Stratosphere laboratory datasets","author":"Stratosphere","year":"2015"},{"key":"2025120404325167000_ref47","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/TELFOR56187.2022.9983780","article-title":"Hybrid machine learning traffic flows analysis for network attacks detection","volume-title":"2022 30th Telecommunications Forum (TELFOR)","author":"Timcenko","year":"2022"},{"key":"2025120404325167000_ref48","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1145\/3385003.3410924","article-title":"An empirical study on unsupervised network anomaly detection using generative adversarial networks","volume-title":"Proceedings of the 1st ACM Workshop on Security and Privacy on Artificial Intelligence, SPAI \u201920","author":"Truong-Huu","year":"2020"},{"key":"2025120404325167000_ref49","article-title":"Traffic data from Kyoto university\u2019s honeypots","author":"Kyoto University"},{"key":"2025120404325167000_ref50","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/CSNet50428.2020.9265461","article-title":"Unsupervised machine learning techniques for network intrusion detection on modern data","volume-title":"2020 4th Cyber Security in Networking Conference (CSNet)","author":"Verkerken","year":"2020"},{"key":"2025120404325167000_ref51","doi-asserted-by":"publisher","first-page":"284","DOI":"10.1016\/j.ins.2019.09.024","article-title":"Botmark: automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors","volume":"511","author":"Wang","year":"2020","journal-title":"Inform Sci"},{"key":"2025120404325167000_ref52","doi-asserted-by":"publisher","first-page":"102675","DOI":"10.1016\/j.cose.2022.102675","article-title":"A systematic literature review of methods and datasets for anomaly-based network intrusion detection","volume":"116","author":"Yang","year":"2022","journal-title":"Comput Secur"},{"key":"2025120404325167000_ref53","doi-asserted-by":"publisher","first-page":"625","DOI":"10.1016\/j.infsof.2010.12.010","article-title":"Identifying relevant studies in software engineering","volume":"53","author":"Zhang","year":"2011","journal-title":"Inf Softw Technol"},{"key":"2025120404325167000_ref54","doi-asserted-by":"crossref","first-page":"122","DOI":"10.1109\/SIEDS.2017.7937701","article-title":"Comparing unsupervised learning approaches to detect network intrusion using netflow data","volume-title":"2017 Systems and Information Engineering Design Symposium (SIEDS)","author":"Zhang","year":"2017"}],"container-title":["Logic Journal of the IGPL"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/jigpal\/article-pdf\/34\/1\/jzaf020\/65735847\/jzaf020.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/jigpal\/article-pdf\/34\/1\/jzaf020\/65735847\/jzaf020.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,4]],"date-time":"2025-12-04T09:33:07Z","timestamp":1764840787000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/jigpal\/article\/doi\/10.1093\/jigpal\/jzaf020\/8363934"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,4]]},"references-count":54,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,1,27]]}},"URL":"https:\/\/doi.org\/10.1093\/jigpal\/jzaf020","relation":{},"ISSN":["1367-0751","1368-9894"],"issn-type":[{"value":"1367-0751","type":"print"},{"value":"1368-9894","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2026,2]]},"published":{"date-parts":[[2025,12,4]]},"article-number":"jzaf020"}}