{"id":"https://openalex.org/W4414479840","doi":"https://doi.org/10.3390/computers14100407","title":"Network Data Flow Collection Methods for Cybersecurity: A Systematic Literature Review","display_name":"Network Data Flow Collection Methods for Cybersecurity: A Systematic Literature Review","publication_year":2025,"publication_date":"2025-09-24","ids":{"openalex":"https://openalex.org/W4414479840","doi":"https://doi.org/10.3390/computers14100407"},"language":"en","primary_location":{"id":"doi:10.3390/computers14100407","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14100407","pdf_url":"https://www.mdpi.com/2073-431X/14/10/407/pdf?version=1758699546","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/2073-431X/14/10/407/pdf?version=1758699546","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5119330693","display_name":"Alessandro Carvalho Coutinho","orcid":"https://orcid.org/0000-0002-7951-7066"},"institutions":[{"id":"https://openalex.org/I17974374","display_name":"Universidade de S\u00e3o Paulo","ror":"https://ror.org/036rp1748","country_code":"BR","type":"education","lineage":["https://openalex.org/I17974374"]}],"countries":["BR"],"is_corresponding":true,"raw_author_name":"Alessandro Carvalho Coutinho","raw_affiliation_strings":["School of Arts, Sciences and Humanities, University of S\u00e3o Paulo, S\u00e3o Paulo 03828-000, Brazil"],"affiliations":[{"raw_affiliation_string":"School of Arts, Sciences and Humanities, University of S\u00e3o Paulo, S\u00e3o Paulo 03828-000, Brazil","institution_ids":["https://openalex.org/I17974374"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5082580140","display_name":"Luciano Vieira de Ara\u00fajo","orcid":"https://orcid.org/0000-0002-9687-5367"},"institutions":[{"id":"https://openalex.org/I17974374","display_name":"Universidade de S\u00e3o Paulo","ror":"https://ror.org/036rp1748","country_code":"BR","type":"education","lineage":["https://openalex.org/I17974374"]}],"countries":["BR"],"is_corresponding":true,"raw_author_name":"Luciano Vieira de Ara\u00fajo","raw_affiliation_strings":["School of Arts, Sciences and Humanities, University of S\u00e3o Paulo, S\u00e3o Paulo 03828-000, Brazil"],"affiliations":[{"raw_affiliation_string":"School of Arts, Sciences and Humanities, University of S\u00e3o Paulo, S\u00e3o Paulo 03828-000, Brazil","institution_ids":["https://openalex.org/I17974374"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5082580140","https://openalex.org/A5119330693"],"corresponding_institution_ids":["https://openalex.org/I17974374"],"apc_list":{"value":1600,"currency":"CHF","value_usd":1732},"apc_paid":{"value":1600,"currency":"CHF","value_usd":1732},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.29735661,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"14","issue":"10","first_page":"407","last_page":"407"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11598","display_name":"Internet Traffic Analysis and Secure E-voting","score":0.9997000098228455,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/systematic-review","display_name":"Systematic review","score":0.6833000183105469},{"id":"https://openalex.org/keywords/netflow","display_name":"NetFlow","score":0.6607000231742859},{"id":"https://openalex.org/keywords/mirroring","display_name":"Mirroring","score":0.5332000255584717},{"id":"https://openalex.org/keywords/data-extraction","display_name":"Data extraction","score":0.5163000226020813},{"id":"https://openalex.org/keywords/visibility","display_name":"Visibility","score":0.5156000256538391},{"id":"https://openalex.org/keywords/cornerstone","display_name":"Cornerstone","score":0.5059999823570251},{"id":"https://openalex.org/keywords/point","display_name":"Point (geometry)","score":0.4458000063896179},{"id":"https://openalex.org/keywords/traceroute","display_name":"traceroute","score":0.444599986076355},{"id":"https://openalex.org/keywords/data-collection","display_name":"Data collection","score":0.44279998540878296}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.707099974155426},{"id":"https://openalex.org/C189708586","wikidata":"https://www.wikidata.org/wiki/Q1504425","display_name":"Systematic review","level":3,"score":0.6833000183105469},{"id":"https://openalex.org/C188067584","wikidata":"https://www.wikidata.org/wiki/Q219363","display_name":"NetFlow","level":2,"score":0.6607000231742859},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.5983999967575073},{"id":"https://openalex.org/C189645446","wikidata":"https://www.wikidata.org/wiki/Q350865","display_name":"Mirroring","level":2,"score":0.5332000255584717},{"id":"https://openalex.org/C2777466982","wikidata":"https://www.wikidata.org/wiki/Q5227287","display_name":"Data extraction","level":3,"score":0.5163000226020813},{"id":"https://openalex.org/C123403432","wikidata":"https://www.wikidata.org/wiki/Q654068","display_name":"Visibility","level":2,"score":0.5156000256538391},{"id":"https://openalex.org/C2780616401","wikidata":"https://www.wikidata.org/wiki/Q1133673","display_name":"Cornerstone","level":2,"score":0.5059999823570251},{"id":"https://openalex.org/C28719098","wikidata":"https://www.wikidata.org/wiki/Q44946","display_name":"Point (geometry)","level":2,"score":0.4458000063896179},{"id":"https://openalex.org/C157497606","wikidata":"https://www.wikidata.org/wiki/Q603227","display_name":"traceroute","level":3,"score":0.444599986076355},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4440000057220459},{"id":"https://openalex.org/C133462117","wikidata":"https://www.wikidata.org/wiki/Q4929239","display_name":"Data collection","level":2,"score":0.44279998540878296},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.4375999867916107},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.37450000643730164},{"id":"https://openalex.org/C165064840","wikidata":"https://www.wikidata.org/wiki/Q1321061","display_name":"Matching (statistics)","level":2,"score":0.37209999561309814},{"id":"https://openalex.org/C100253034","wikidata":"https://www.wikidata.org/wiki/Q196372","display_name":"Systematic error","level":2,"score":0.3481000065803528},{"id":"https://openalex.org/C192697461","wikidata":"https://www.wikidata.org/wiki/Q4045918","display_name":"OpenFlow","level":3,"score":0.30660000443458557},{"id":"https://openalex.org/C153740404","wikidata":"https://www.wikidata.org/wiki/Q671224","display_name":"Data center","level":2,"score":0.3046000003814697},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.3034999966621399},{"id":"https://openalex.org/C25516864","wikidata":"https://www.wikidata.org/wiki/Q1665949","display_name":"Interconnectivity","level":2,"score":0.29829999804496765},{"id":"https://openalex.org/C75684735","wikidata":"https://www.wikidata.org/wiki/Q858810","display_name":"Big data","level":2,"score":0.2865999937057495},{"id":"https://openalex.org/C42629822","wikidata":"https://www.wikidata.org/wiki/Q1346408","display_name":"Geocoding","level":2,"score":0.2842999994754791},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.27730000019073486},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.27129998803138733},{"id":"https://openalex.org/C3020493868","wikidata":"https://www.wikidata.org/wiki/Q55631277","display_name":"Real world data","level":2,"score":0.2572999894618988},{"id":"https://openalex.org/C2777601897","wikidata":"https://www.wikidata.org/wiki/Q3409113","display_name":"Presentation (obstetrics)","level":2,"score":0.2533999979496002}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.3390/computers14100407","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14100407","pdf_url":"https://www.mdpi.com/2073-431X/14/10/407/pdf?version=1758699546","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},{"id":"pmh:oai:share.osf.io:0668f762-e418-484e-ab14-88f4be04e329","is_oa":false,"landing_page_url":"https://osf.io/mj4xp","pdf_url":null,"source":{"id":"https://openalex.org/S4306401127","display_name":"OSF Preprints (OSF Preprints)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I2799848540","host_organization_name":"Center for Open Science","host_organization_lineage":["https://openalex.org/I2799848540"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"acceptedVersion","is_accepted":true,"is_published":false,"raw_source_name":null,"raw_type":"Project"},{"id":"pmh:oai:doaj.org/article:caaa51155aaa4d17b61212be0b404420","is_oa":true,"landing_page_url":"https://doaj.org/article/caaa51155aaa4d17b61212be0b404420","pdf_url":null,"source":{"id":"https://openalex.org/S112646816","display_name":"SHILAP Revista de lepidopterolog\u00eda","issn_l":"0300-5267","issn":["0300-5267","2340-4078"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Computers, Vol 14, Iss 10, p 407 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/computers14100407","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14100407","pdf_url":"https://www.mdpi.com/2073-431X/14/10/407/pdf?version=1758699546","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[{"id":"https://openalex.org/F4320322468","display_name":"Petrobras","ror":"https://ror.org/0235kyq22"},{"id":"https://openalex.org/F4320323339","display_name":"Universidade de S\u00e3o Paulo","ror":"https://ror.org/036rp1748"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4414479840.pdf","grobid_xml":"https://content.openalex.org/works/W4414479840.grobid-xml"},"referenced_works_count":47,"referenced_works":["https://openalex.org/W2970289707","https://openalex.org/W2989255594","https://openalex.org/W2999192262","https://openalex.org/W3005108641","https://openalex.org/W3006503311","https://openalex.org/W3023077051","https://openalex.org/W3034220885","https://openalex.org/W3034488116","https://openalex.org/W3035172199","https://openalex.org/W3091841023","https://openalex.org/W3093581242","https://openalex.org/W3109249135","https://openalex.org/W3110894687","https://openalex.org/W3120695945","https://openalex.org/W3128525289","https://openalex.org/W3139512517","https://openalex.org/W3160111572","https://openalex.org/W3196148918","https://openalex.org/W3207309283","https://openalex.org/W3214395749","https://openalex.org/W4200079038","https://openalex.org/W4205711033","https://openalex.org/W4206768881","https://openalex.org/W4210879846","https://openalex.org/W4220901202","https://openalex.org/W4230806641","https://openalex.org/W4281551315","https://openalex.org/W4283218652","https://openalex.org/W4309346656","https://openalex.org/W4324007055","https://openalex.org/W4378373689","https://openalex.org/W4385329461","https://openalex.org/W4385336666","https://openalex.org/W4385451644","https://openalex.org/W4385834603","https://openalex.org/W4387308682","https://openalex.org/W4389988649","https://openalex.org/W4390546166","https://openalex.org/W4392825767","https://openalex.org/W4396909833","https://openalex.org/W4396978551","https://openalex.org/W4400814557","https://openalex.org/W4402896454","https://openalex.org/W4405287609","https://openalex.org/W4406263705","https://openalex.org/W4408515928","https://openalex.org/W4413279457"],"related_works":[],"abstract_inverted_index":{"Network":[0],"flow":[1],"collection":[2],"has":[3],"become":[4],"a":[5,15,30,127,216],"cornerstone":[6],"of":[7,18,33,47,67,96,104,192,228],"cyber":[8],"defence,":[9],"yet":[10],"the":[11,68,97,190,226],"literature":[12],"still":[13],"lacks":[14],"consolidated":[16],"view":[17],"which":[19,48,196],"technologies":[20],"are":[21,58,168],"effective":[22,169],"across":[23],"different":[24],"environments":[25],"and":[26,44,79,124,140,149,198,211,223],"conditions.":[27],"We":[28],"conducted":[29],"systematic":[31],"review":[32,214],"362":[34],"publications":[35],"indexed":[36],"in":[37,65,71,77,81,112,146],"six":[38],"digital":[39],"libraries":[40],"between":[41,135],"January":[42],"2019":[43],"July":[45],"2025,":[46],"51":[49,98],"met":[50],"PRISMA":[51],"2020":[52],"eligibility":[53],"criteria.":[54],"All":[55],"extraction":[56],"materials":[57],"archived":[59],"on":[60],"OSF.":[61],"NetFlow":[62],"derivatives":[63],"appear":[64],"62.7%":[66],"studies,":[69],"IPFIX":[70],"45.1%,":[72],"INT/P4":[73],"or":[74,121,184,203],"OpenFlow":[75],"mirroring":[76],"17.6%,":[78],"sFlow":[80],"9.8%,":[82],"with":[83],"totals":[84],"exceeding":[85],"100%":[86],"because":[87],"several":[88],"papers":[89],"evaluate":[90],"multiple":[91],"protocols.":[92],"In":[93,187],"total,":[94],"17":[95],"studies":[99],"(33.3%)":[100],"tested":[101],"production":[102],"links":[103],"at":[105],"least":[106],"40":[107],"Gbps,":[108],"while":[109,176],"others":[110,177],"remained":[111],"laboratory":[113],"settings.":[114],"Fewer":[115],"than":[116],"half":[117],"reported":[118],"packet-loss":[119],"thresholds":[120],"privacy":[122],"controls,":[123],"none":[125],"adopted":[126],"shared":[128],"benchmark":[129],"suite.":[130],"These":[131],"findings":[132],"highlight":[133],"trade-offs":[134],"throughput,":[136],"fidelity,":[137],"computational":[138],"cost,":[139],"privacy,":[141],"as":[142,144,174],"well":[143],"gaps":[145],"encrypted-traffic":[147],"support":[148],"GDPR-compliant":[150],"anonymisation.":[151],"Most":[152],"importantly,":[153],"our":[154],"synthesis":[155],"demonstrates":[156],"that":[157],"flow-collection":[158],"methods":[159],"directly":[160],"shape":[161],"what":[162],"can":[163],"be":[164],"detected:":[165],"some":[166],"exporters":[167],"for":[170,220],"volumetric":[171],"attacks":[172],"such":[173],"DDoS,":[175],"enable":[178],"visibility":[179],"into":[180],"brute-force":[181],"authentication,":[182],"botnets,":[183],"IoT":[185],"malware.":[186],"other":[188],"words,":[189],"choice":[191],"telemetry":[193],"technology":[194],"determines":[195],"threats":[197],"anomalous":[199],"behaviours":[200],"remain":[201],"visible":[202],"hidden":[204],"to":[205],"defenders.":[206],"By":[207],"mapping":[208],"technologies,":[209],"metrics,":[210],"gaps,":[212],"this":[213],"provides":[215],"single":[217],"reference":[218],"point":[219],"researchers,":[221],"engineers,":[222],"regulators":[224],"facing":[225],"challenges":[227],"flow-aware":[229],"cybersecurity.":[230]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2025-10-10T00:00:00"}