MalFlows: Flow-Centric Approaches in Security & Sampling
- MalFlows is a term for a family of flow-centric approaches that detect malicious activity using summarized network flows, Android program flows, or latent-space methods.
- It integrates fixed-size flow summaries, sequential packet streams, and graph-based representations to capture detailed characteristics of malicious behaviors.
- Practical applications include early DDoS detection, unsupervised TLS flow clustering, and context-aware Android malware analysis that yield high detection accuracy.
Searching arXiv for papers that use the term “MalFlows” or closely related usage. I’ll check arXiv for “MalFlows” and closely related papers to ground the article in the current literature. MalFlows is a term that appears in several arXiv works with different referents. In network-security research, it is used for malicious network flows represented as NetFlow-compatible records, TLS feature vectors, packet streams, or communication graphs; in Android malware analysis, it names a technique for context-aware fusion of control flows, data flows, and inter-component communications; and in an unrelated generative-modeling setting, it denotes a Metropolis–adjusted Langevin sampler operating in the latent space of a pre-trained normalizing flow (Kim et al., 2018, Gomez et al., 2021, Busch et al., 2021, Giryes et al., 2024, Meng et al., 5 Aug 2025, Coeurdoux et al., 2023). The shared label therefore refers less to a single standardized framework than to a family of flow-centric formulations for maliciousness detection, representation learning, or sampling.
1. Terminological scope
Across the cited literature, “MalFlows” names at least three distinct classes of objects. First, it denotes malicious network flows as targets for detection or labeling, including DDoS flows, malicious TLS flows, and broader malware-generated traffic flows (Giryes et al., 2024, Gomez et al., 2021, Chen et al., 2018). Second, it denotes a specific Android malware detection system that aggregates heterogeneous program-flow semantics in a heterogeneous information network (HIN) and classifies apps with a channel-attention-based deep neural network (Meng et al., 5 Aug 2025). Third, it denotes a latent-space MALA procedure for sampling from a pre-trained normalizing flow without retraining (Coeurdoux et al., 2023).
| Usage of “MalFlows” | Paper | Characterization |
|---|---|---|
| Malicious network flows | (Kim et al., 2018, Chen et al., 2018, Gomez et al., 2021, Busch et al., 2021, Giryes et al., 2024) | Flows as labeled records, packet streams, TLS vectors, or graphs |
| Android malware detection system | (Meng et al., 5 Aug 2025) | HIN over control flows, data flows, and ICCs |
| Latent-space sampler for normalizing flows | (Coeurdoux et al., 2023) | MALA on -space for a pre-trained invertible flow |
A recurring misconception is that MalFlows denotes one canonical malware-detection architecture. The literature instead shows a terminological collision across network intrusion detection, Android static analysis, and normalizing-flow sampling. This suggests that the technically meaningful unit of comparison is not the label itself but the underlying flow abstraction: packet stream, summarized network flow, TLS session, communication graph, program-flow HIN, or latent density on -space.
2. Flow as the primary representation
A central divide in malicious-flow research is between fixed-size flow summaries and richer sequential or structured representations. In the MAWILab labeling pipeline, a flow is a NetFlow v9–style tuple
with derived features such as duration, throughput, and packet rate (Kim et al., 2018). This representation is compatible with routers and switches that export NetFlow records from raw traffic, and it supports rule-based labeling against IDS logs.
The DDoS-oriented Set-Tree formulation replaces fixed-size aggregate records with a stream structure. Each flow is represented as
where the 15 header features include direction, well-known ports, packet index in flow, relative timestamp, protocol, total length, TCP flags, initial window bytes, and four inter-arrival times (Giryes et al., 2024). The stated motivation is that aggregated flow records cannot model the precise order of individual packets, fine-grained temporal relations, or early sub-flow detection.
TLS-oriented MalFlows uses a different featureization. Each TLS flow is encoded by 90 features spanning client-side TLS handshake, server-side TLS handshake, certificate properties, and encrypted payload behavior (Gomez et al., 2021). Numerical features are z-score normalized and categorical features are one-hot×TF-IDF. The payload block includes per-flow totals, direction maxima, ratios, and the first 3 request-response pairs.
Graph-based formulations aggregate flows at the application level rather than treating them independently. NF-GNN records all observed TCP/UDP flows during an application execution, identifies each flow by a 5-tuple, summarizes each raw flow by an 80-dimensional vector, and then constructs a directed graph whose vertices are IP endpoints and whose edges aggregate multiple flows between endpoints by mean, standard deviation, skewness, kurtosis, and median, yielding for each edge (Busch et al., 2021).
The deep-learning study on malicious flow detection adopts a six-minute window of all packets observed in sandbox and concatenates connection-level records, packet payload representations, and flow-behavior features such as inter-arrival statistics and a Markov transition matrix over discretized packet-size or inter-arrival bins (Chen et al., 2018). Taken together, these works show that “flow” ranges from a compact export record to a temporally ordered packet sequence or a graph-embedded relation among endpoints.
3. Detection architectures on malicious network flows
The stream-structured DDoS detector employs the Set-Tree model, which extends classical decision trees to operate directly on sets or streams of items (Giryes et al., 2024). At tree node , the split criterion is
with and . The model also constructs an attention subset
allowing descendant nodes to split on 0, 1, or the original 2. Because set functions are order-invariant, the packet’s ordinal Index is included among the 15 features to recover discrimination between early and late packets. Training uses a gradient-boosted ensemble of 10 Set-Trees on complete flows from CICDDoS2019 or CICIDS2017, with benign/attack majority vote at inference (Giryes et al., 2024).
The empirical emphasis of that work is early detection. On CICDDoS2019, using the first 2 packets yields accuracy 0.99975, essentially matching full-flow accuracy 0.99980, with 3 ms versus 4 s and a 99.79% time-saving; on CICIDS2017, 5 packets gives accuracy 6 versus full-flow 0.9965, with 75.3% time-saving (Giryes et al., 2024). The paper further states that packet header streams consume 4–6% of raw traffic, on par with standard flow records.
The tree-shaped deep neural network (TSDNN) addresses a different axis of the problem: severe class imbalance (Chen et al., 2018). It decomposes a 12-way task into three stages—binary benign-versus-malicious, 5-way malicious behavior categories, and 7-way ransomware family classification—with stage inputs augmented by preceding softmax outputs. Quantity Dependent Backpropagation reweights per-sample gradients by
7
so that
8
In the reported full 12-way experiment, TSDNN + QDBP achieves 99.63% accuracy and 85.40% average precision, compared with 98.90% accuracy and 68.25% average precision for Random Forest and 84.56% accuracy and 62.30% average precision for DNN + QDBP (Chen et al., 2018). The same study reports that with only the first 5% of packets, approximately 18 s, Stage 1 alone achieves approximately 95% malicious detection accuracy.
NF-GNN instead treats the complete communication graph as the primary object (Busch et al., 2021). It alternates edge and node updates using normalized incidence matrices, beginning with 9, aggregating in- and out-edges into node features, and then performing residual edge and node updates. A permutation-invariant readout produces 0, which supports supervised classification, graph autoencoding, or one-class learning. On CICAndMal2017, NF-GNN-CLF reports binary recall 99.42 ± 0.45% and precision 99.44 ± 0.44%, category recall 95.41 ± 1.48% and precision 96.14 ± 1.07%, and family recall 91.37 ± 8.39% and precision 93.62 ± 2.52% (Busch et al., 2021).
These architectures differ sharply in inductive bias. Set-Tree emphasizes interpretable prefix-level packet relations; TSDNN emphasizes hierarchical decomposition under imbalance; NF-GNN emphasizes collective communication structure. A plausible implication is that “MalFlows” research is less unified by model family than by the decision to encode maliciousness at the flow level rather than at the packet, host, or payload-signature level.
4. Unsupervised detection and clustering of malicious TLS flows
The TLS-specific MalFlows pipeline is explicitly unsupervised and consists of four stages: collect network traces from sandboxes, extract 90 TLS features and filter known benign flows, cluster the remaining flows with HDBSCAN, and deploy a detector that assigns a flow to the nearest malicious cluster or declares it benign (Gomez et al., 2021). The clustering stage uses a mixed numerical-categorical distance
1
where 2 is the fraction of numeric dimensions. HDBSCAN is configured with 3, 4, and 5.
Detection is nearest-neighbor thresholding over the learned clusters. For a new flow 6, the detector computes 7, selects 8, and assigns 9 to cluster 0 if 1; otherwise it declares the flow benign (Gomez et al., 2021). A variable-threshold alternative uses per-cluster thresholds 2.
The reported evaluation spans 972K traces from a commercial sandbox and 35M TLS flows from a research network (Gomez et al., 2021). On the clustering ground-truth subset, the no-cert configuration attains precision 0.996, recall 0.990, and 3. For benign traffic, fixed 4 yields 2 alarms per day and 5, while the full 4-month evaluation at 6 produces 708 alarms over 111 days and 7. Against supervised Joy, MalFlows at 8 reports precision 0.89, recall 0.92, and 9, compared with Joy’s 0.82 0 under the benign-labeled setting; against Kitsune, MalFlows reports 0.99 precision, 0.99 recall, and 0.99 1, versus 0.59 2 for Kitsune on the mapped TLS subset (Gomez et al., 2021).
The paper’s limitations are also flow-specific. Sandbox bias toward Windows 7 leaves 93% TLS 1.0 and causes 64% of malicious-flow candidates to be dropped a priori; certificate features lose value for TLS 1.3 and padded SNI; timing features were tested but proved too sensitive to network conditions; and pure TLS-only detection ignores malware that mixes HTTP, DNS, or non-TLS protocols (Gomez et al., 2021). This establishes a distinct branch of MalFlows research in which clustering quality and false detection rate are prioritized over end-to-end supervised accuracy.
5. Dataset construction, labeling, and benchmark environments
The MAWILab-derived MalFlows dataset addresses a persistent bottleneck in intrusion-detection research: the shortage of publicly available, relevant datasets with label information (Kim et al., 2018). Its pipeline has two stages. Flow extraction converts a 15-minute pcap file into SiLK flow records via rwptoflow and rwcut. Label assignment then matches each flow against the MAWILab IDS log using the four attributes 3. For an IDS record 4, specificity is
5
and matching requires agreement on every specified attribute. Among all matches, the selected record maximizes 6, with ties broken by
7
Flows are labeled anomaly if 8, unsure if 9, and normal otherwise (Kim et al., 2018).
For the example trace 2018-07-01 14:00, the paper reports approximately 68M flows, of which approximately 23.5% matched only 0 and were labeled unsure, 1–2M flows on the order of approximately 3% were labeled anomaly, and the rest, approximately 50M, were labeled normal (Kim et al., 2018). The paper recommends that downstream users may drop the unsure bucket, undersample normal flows, oversample anomaly flows, or use weighted losses to handle the 50:1 imbalance.
Other MalFlows-related works rely on benchmark environments rather than constructing new labeled corpora. The stream-structured Set-Tree study evaluates on CICDDoS2019 and CICIDS2017 (Giryes et al., 2024). NF-GNN extracts 2126 graphs from CICAndMal2017 (Busch et al., 2021). The Android-system MalFlows uses 31,301 real apps from AndroZoo, comprising 16,667 benign and 14,634 malware samples, with approximately 20 million extracted flow instances (Meng et al., 5 Aug 2025). The diversity of these environments underscores a second misconception: there is no single MalFlows benchmark. Instead, the literature spans packet traces, network flows, TLS sessions, application-execution graphs, and program-analysis artifacts.
6. Android-flow semantics and the distinct normalizing-flow usage
In Android malware detection, MalFlows is a specific architecture for context-aware fusion of heterogeneous flow semantics (Meng et al., 5 Aug 2025). It builds a HIN with five node types—App, Cond, API, Comp, and Action—and seven edge types encoding inclusion, triggering, data-flow, ICC, and manifest relations. Six metapaths are grouped into three views: control flows, data flows, and ICC. The proposed flow2vec refines the HIN by splitting anchor nodes into context-specific copies when required by metapath-group constraints, generates meta-path-group-guided random walks with switching probability 1, and applies skip-gram to learn node embeddings with 2 (Meng et al., 5 Aug 2025).
The three view embeddings are then fused by a channel-attention mechanism. Given 3, the system computes 4, 5, 6, applies 7, obtains channel weights 8, and forms the weighted sum 9. A five-hidden-layer MLP with dropout(0.5) on layers 1, 3, and 5 performs binary classification with sigmoid output and binary cross-entropy loss (Meng et al., 5 Aug 2025). On the 80/20 split averaged over 5 runs, the paper reports 98.34% accuracy, 98.98% precision, 98.64% recall, and 0, outperforming Drebin, MaMaDroid, AppPoet, HinDroid-rec, DeepWalk, LINE, node2vec, metapath2vec, and HAN (Meng et al., 5 Aug 2025). Without context-aware refinement, accuracy drops to 84.30% and 1 to 0.8733; channel attention yields 2, compared with 0.9597 for add-hybrid and 0.8300 for self-attention over channels (Meng et al., 5 Aug 2025).
A separate and unrelated usage appears in normalizing-flow sampling (Coeurdoux et al., 2023). There, MalFlows denotes an MCMC algorithm in latent space for a pre-trained invertible flow 3, with latent target
4
score
5
and MALA proposal
6
The method applies a standard Metropolis–Hastings correction, preserves tractable likelihoods, requires no retraining, and can be used with any pre-trained NF network regardless of architecture (Coeurdoux et al., 2023). This usage is not a malware-detection system; it is a latent-space sampling scheme whose name happens to collide with the security-oriented uses of MalFlows.
Taken together, these works show that the term has become attached to multiple flow-centric research programs. In security applications, the dominant theme is that maliciousness can be characterized at the level of flows—whether summarized, sequential, encrypted, or graph-structured—without requiring packet payload inspection in every case (Giryes et al., 2024, Gomez et al., 2021, Busch et al., 2021). In Android analysis, the term extends from network flows to static program flows (Meng et al., 5 Aug 2025). In generative modeling, it is detached from malicious traffic entirely and instead denotes a latent MCMC correction for normalizing flows (Coeurdoux et al., 2023).