Systematic Review and Quantitative Comparison of Cyberattack Scenario Detection and Projection
Electronics (IF 2.6), Pub Date: 2020-10-19, DOI: 10.3390/electronics9101722
Ivan Kovačević , Stjepan Groš , Karlo Slovenec

Intrusion Detection Systems (IDSs) automatically analyze event logs and network traffic in order to detect malicious activity and policy violations. Because IDSs produce a large number of false positives and false negatives, and because the technical nature of their alerts requires a lot of manual analysis, researchers have proposed approaches that automate the analysis of alerts in order to detect large-scale attacks and predict the attacker's next steps. Unfortunately, many such approaches use their own datasets and success metrics, which makes comparison difficult. This survey provides an overview of the state of the art in detecting and projecting cyberattack scenarios, with a focus on evaluation and the corresponding metrics. Representative papers were collected using Google Scholar and Scopus searches. Mutually comparable success metrics are calculated and several comparison tables are provided. Our results show that commonly used metrics are saturated on popular datasets and cannot assess the practical usability of the approaches. In addition, approaches based on knowledge bases require constant maintenance, while data mining and ML approaches depend on the quality of the available datasets, which, at the time of writing, are not representative enough to provide general knowledge about attack scenarios; more emphasis therefore needs to be placed on researching the behavior of attackers.

Updated: 2020-10-19