Cross-Domain Elephant Flow Detection: A Unified Machine Learning Approach with Application-Aware and Security Features

Most of the traffic comes encrypted and thus early classification approaches that relied on port-based identification and deep packet inspection face limitations [2].

The application of machine learning to network traffic classification has gained significant attention. Nguyen and Armitage [3] provided a comprehensive survey of ML techniques for internet traffic classification. More recent work by Liu et al. [4] addressed multiclass imbalanced traffic classification with concept drift.

Gómez et al. [1] presented a pioneering approach for elephant and mice flow classification using machine learning techniques in final systems. Their work achieved 100% accuracy using decision trees with dynamic threshold calculation based on Chebyshev’s inequality (mean + 3×standard deviation). The study evaluated seven machine learning algorithms (Logistic Regression, SVM, Random Forest, Linear Discriminant Analysis, KNN, Gaussian Naive Bayes, and Decision Tree) on a single campus network dataset, with optimized Decision Trees emerging as the best performer through GridSearchCV hyperparameter tuning.

While this work established a strong foundation for ML-based traffic classification and demonstrated the viability of automated elephant flow detection, it primarily focused on single-domain performance using six basic features (src_port, dst_port, bidirectional_first_seen_ms, bidirectional_last_seen_ms, bidirectional_bytes, size_traffic). This study didn’t focus on any security aspect or cross-domain generalization that could enhance robustness in diverse deployment scenarios.

Recent advances in software-defined networking (SDN) have enabled more sophisticated traffic classification approaches. Serag et al. [5] integrated SDN with ML for improved network performance, while Salau et al. [6] explored SDN-based traffic classification using deep learning.

While domain adaptation has been extensively studied in computer vision and natural language processing, its application to network traffic classification remains limited. Most work focuses solely on single dataset, disregarding generalization across different network environment which creates a significant gap.

Let $D_{s}=\{(x_{i}^{s},y_{i}^{s})\}_{i=1}^{n_{s}}$ and $D_{t}=\{(x_{j}^{t},y_{j}^{t})\}_{j=1}^{n_{t}}$ represent source and target domain datasets, respectively, where $x$ denotes feature vectors and $y\in\{0,1\}$ represents binary labels (0: mice flow, 1: elephant flow). The cross-domain elephant flow detection problem aims to learn a classifier $f:X\rightarrow Y$ that performs well on target domain $D_{t}$ when trained primarily on source domain $D_{s}$.

Our proposed framework consists of five main components:

Campus Network: This dataset was prepared inside university to capture diverse network traffic patterns including web browsing, file transfers, streaming, etc using NFstream [7]. After adaptive thresholding at the 85th percentile (threshold: 2,011.70 bytes), 15.0% of flows were classified as elephant flows.

UNSW-NB15: This dataset was created by the Australian Centre for Cyber Security [8]. It focused on network intrusion detection, useful for the security-focused network monitoring and identifying malicious incoming traffic patterns. The dataset contains 82,332 flows with both normal and attack traffic.

CIC-IDS2018: This is another dataset based on modern intrusion detection from the Canadian Institute for Cybersecurity containing various attack scenarios, also useful for security-focused network monitoring [9]. This was a big dataset, from which we sampled 100,000 flows. This domain represents contemporary network security challenges including DoS attacks, infiltration attempts, and various exploitation techniques.

The variation between these datasets demonstrates the difference in traffic characteristics, justifying the need for adaptive thresholding and cross-domain evaluation.

All experiments were conducted on a computational environment with the following specifications:

• •

  Python 3.11

• •

  scikit-learn 1.7.2

• •

  imbalanced-learn 0.14.0

• •

  NFStream 6.5.4 for flow extraction

• •

  NumPy 1.24+ and Pandas 2.0+ for data manipulation

Random Forest classifiers were configured with 100 estimators for cross-domain experiments and 200 estimators for the unified model, with balanced class weights to handle imbalanced datasets. Feature scaling was performed using RobustScaler to handle outliers common in network traffic data. SMOTE with Tomek links was applied for class balancing in the unified model training phase, generating synthetic minority class samples while removing borderline examples.

The random state was fixed at 42 for all experiments to ensure reproducibility. Cross-validation was performed using 5-fold stratified splits to maintain class distributions across folds.

Table I presents the characteristics of each domain, revealing significant differences in elephant flow distributions across network environments.

The variation in elephant flow ratios (9.4% to 15.0%) demonstrates the inherent differences between network domains. The Campus domain shows relatively higher elephant flow ratio, likely due to academic activities involving large file transfers and video streaming. The network intrusion datasets show lower ratios, reflecting more balanced traffic patterns typical of monitored enterprise networks.

The threshold values also vary significantly (2,011.70 to 3,851.60 bytes), with the Campus network having the lowest threshold. This indicates a more extreme distribution of flow sizes in the campus environment, where most flows are small (web requests, API calls) while a significant minority are very large (video streaming, dataset downloads).

The variation in elephant flow ratios (9.4% to 15.0%)

Table II presents the comprehensive cross-domain evaluation results, revealing significant performance variations across domain pairs.

The results reveal several critical insights:

Best Performance: The security dataset transfers (UNSW → CIC: 0.9650, CIC → UNSW: 0.9630) achieve the highest F1-scores with balanced precision and recall. UNSW → CIC demonstrates perfect precision (1.0000) with strong recall (0.9324), while CIC → UNSW shows perfect recall (1.0000) with excellent precision (0.9286). This strong bidirectional performance suggests that models trained on security-focused datasets generalize well to other security contexts, likely because both datasets share similar attack traffic patterns and feature distributions.

Worst Performance: UNSW → Campus shows the lowest F1-score (0.3710), despite perfect precision (1.0000). The extremely low recall (0.2277) indicates that models trained on the security-focused UNSW dataset are overly conservative when applied to general campus traffic, missing 77% of actual elephant flows. This represents a 62.78-percentage-point drop from the UNSW baseline (F1=0.9999), highlighting the most severe domain shift challenge in our evaluation.

Precision-Recall Trade-offs: Transfers to the Campus domain consistently show perfect precision (1.0000) but reduced recall (0.2277-0.6064), indicating conservative classification behavior. Models trained on larger, more diverse datasets only flag the most obvious elephant flows when applied to campus networks, avoiding false positives at the cost of missing many true positives. Conversely, transfers from Campus to larger datasets (Campus → UNSW: 0.7127, Campus → CIC: 0.6836) show perfect recall (1.0000) but moderate precision (0.5193-0.5536), suggesting aggressive classification that captures all elephants but generates false alarms.

Domain Size Effect: Transfers between large datasets (CIC $\leftrightarrow$ UNSW, both ¿80K samples) maintain excellent performance (¿0.96 F1), while transfers involving the smaller Campus dataset (5,382 samples) show degraded performance (0.37-0.76 F1). This 20-59 percentage point gap demonstrates that training set size and diversity significantly impact cross-domain generalization.

Single-domain baseline evaluations using 5-fold stratified cross-validation demonstrate near-perfect performance:

• •

  Campus baseline: F1 = 0.9988 (±0.0030), 5,382 samples, 24 features

• •

  UNSW baseline: F1 = 0.9999 (±0.0002), 82,332 samples, 24 features

• •

  CIC baseline: F1 = 0.9999 (±0.0002), 100,000 samples, 24 features

These results confirm that the classification task is well-defined within individual domains. The extremely high baseline performance (F1 ¿ 0.99) demonstrates that our feature engineering and adaptive thresholding create clear decision boundaries for elephant flow detection. However, the dramatic performance drop in cross-domain scenarios (F1 as low as 0.67) highlights the severity of domain shift effects that cannot be addressed by simply improving within-domain accuracy.

The Campus domain shows slightly lower baseline performance and higher standard deviation (±0.0030 vs ±0.0002), reflecting its smaller size and more variable traffic patterns. The larger UNSW and CIC datasets achieve nearly perfect scores with minimal variance, benefiting from more comprehensive coverage of traffic scenarios.

Table III presents the top 15 features from the unified model trained on all domains after SMOTE balancing (338,576 total samples, 169,288 elephants), demonstrating the contribution of different feature categories.

The analysis reveals several key patterns:

Size Feature Dominance: The most important feature, the total flow by size (33.80%), is not surprising considering that the concept of elephant flows is determined essentially by size. Nevertheless, it is not hugely significant, and the other 66.20 percent of the predictive power is associated with the other features, which proves the significance of full-scale feature engineering.

Flow Categorization Features: The binary flow size indicators (is_small_flow: 18.21%, is_large_flow: 12.97%, is_medium_flow: 1.80%) collectively contribute 32.98% importance. These categorical features help the model learn thresholds and decision boundaries more effectively than continuous size values alone.

Statistical Features: Features like avg_packet_size (13.81%) and bytes_per_second (10.28%) provide 24.09% combined importance, capturing traffic intensity and packet structure patterns that distinguish different application types and network behaviors.

Security Features: Security features have low individual significance in the datasets (e.g. the value of potent scan is 0.30%), but they are vital in cross-domain robustness and helps in exonerating aberrant traffic patterns, which might be handled differently in different domains.

Application Features: Application aspects like application others, like app other (0.20%) are not of much significance in the unified model indicating that flow size behaviour might be more universal than application aspects across domains. However, these properties can still be used as the features of interpretability and more particular applications.

The final unified model, trained on all three domains combined with SMOTE balancing, achieves:

• •

  Cross-validation F1-score: 0.9907 (±0.0373)

• •

  Total training samples: 338,576 (after SMOTE from original 187,714)

• •

  Balanced class distribution: 169,288 elephants, 169,288 mice

• •

  Feature count: 11 common features (aligned across domains)

The unified model is very effective (F1 = 0.99) though it was trained on unrelated domains which indicates the usefulness of our feature engineering and adaptive thresholding method. The standard deviation (±0.0373) is greater than that of the single-domain baselines, which is the indicator of greater complexity of multiple-domain learning due to the difference in the properties of traffic. This process of aggressive SMOTE balancing (where the minority class is multiplied by 20 fold) is to make sure that the model learns strong decision boundaries in all domains.

In order to assess the efficiency of various machine-learning methods, we implemented an overall comparison on the enriched campus dataset through the consideration of the improved feature engineering (18 features including derived statistical metrics). Table IV presents the results.

The results reveal several important insights:

Perfect Performance with Enhanced Pipeline: With SMOTE-Tomek resampling (balancing 3,873 samples per class out of the original 4305 samples in the training set) and sophisticated feature engineering, all ensemble and gradient-boosting approaches obtained ideal classification (100 percent of all metrics). It proves that under the condition of an appropriate preprocessing of data and feature-engineering, the modern machine-learning algorithms can be effective to distinguish between the flows of an elephant and mice even in a complicated situation.

Gradient Boosting Advantages: XGBoost and LightGBM were as accurate as Random Forest is, and they have a computational advantage. The regularisation methods of XGBoost and LightGBM offer efficient training with massive datasets; thus, they are applicable when using it as a real-time deployment system.

Traditional Methods Performance: On the original approach of the paper [1] (augmented dataset with simple features), traditional methods had 92-94% F1-scores on most algorithms. Random Forest was the strongest conventional actor (F1 = 0.9371), which confirms the results of the base paper about the superiority of an ensemble.

Class Imbalance Handling: Gaussian Naive Bayes showed high recall (98.52%) but lower precision (80.48%), indicating aggressive classification that captures most elephant flows at the cost of false positives. LDA performed poorly (F1=0.2212) due to its linear assumptions and extreme class imbalance sensitivity.

Impact of Resampling: The reason why dramatic performance gains were noted between traditional and enhanced pipeline are due to the SMOTE-Tomek resampling which works to balance the classes by generating synthetic minority samples as well as eliminating borderline cases.

Table V compares our approach with the seminal work by Gómez et al. [1].

Feature Engineering Evolution: The paper [1] used six simple features that were extracted using NFStream and this achieved perfect accuracy in a single domain. We further elaborate it in the current work to a range of eleven to thirty-one features, depending on the availability of the domain, and we include such items as application-aware features (e.g. web, DNS, mail, remote access, file transfer, streaming), security indicators (e.g. suspicious ports, scan detection, protocol anomalies), and statistical features (such as bytes per second, packet ratios, and flow size categories). The single model works on eleven standard features with the harmonisation of all areas in the effort to reach cross-domain compatibility.

Threshold Selection: Gomez et al. used the inequality of Chebyshev (mean plus three standard deviations) as a thresholding policy, which only allowed the classification of 0.87% elephant flows in the campus data, which is not an optimal thresholding policy. The percentile-based methodology, which is adaptive with the calibration between the 85 th and 90 th percentile and varies by domain, ensures flow ratios in the elephants to be in the range of 9% to 15%, and accordingly a more balanced training distribution and realistic operational profile are achieved.

Model Selection: The two studies conclude that ensemble methods are better than traditional classifiers. The baseline work reached an absolute 100 percentage point performance using a finely tuned Decision Tree (optimised using GridSearchCV with criterion=entropy, max-depth=10, min-samples-leaf=10), however, the improved pipeline shows that modern ensemble algorithms such as Random Forest, XGBoost, LightGBM, and a calibrated Decision Tree can all attain perfect within-domain performance. More importantly, the unified model maintains 99.07% F1 -score in a wide and heterogeneous range of environments highlighting cross-domain generalisation ability

Generalization Challenge: The critical contribution beyond the base paper is quantifying domain shift effects. While single-domain evaluation shows near-perfect performance (99.88-99.99% F1), cross-domain transfer reveals significant degradation (37-97% F1 depending on source-target pair). The worst case (UNSW → Campus: 37%) represents a 62.89 percentage point drop from baseline, while the best case (UNSW → CIC: 96.50%) shows only 3.49 percentage point degradation. This 60-percentage-point range in cross-domain performance represents a fundamental deployment risk not addressed in single-domain studies.

Data Handling: The two approaches address class imbalance using different approaches. The original experiment used synthetic data augmentation, which uses 50,000 samples by 5,382 genuine observations and a ten-fold augmentation factor. In contrast, our method uses SMOTE, which generates 338576 balanced samples out of 187714 samples by interpolating the minority-class samples and thus prevents the random variation. The acute 20-fold minority-class growth is also guaranteed to make the learning robust in highly imbalanced areas typified by the elephant-flow ratios of 9.4-15.0% imbalanced areas.

The significant observed performance differences between the domain pairs with the F1-scores of 0.37 to 0.97 are quantitative indicators of the issue of domain shift in the problem of elephant flow detection. Such a 60-percentage-point difference in performance has dramatic implications on actual implementation:

Deployment Risk: Models with 99.9% accuracy in test scenarios can get down to F1-scores of between 37% and 76% in different network settings. UNSW → Campus transfer, which provides the F1 of 37, is the worst-case scenario in the model, and the model loses around 62.89 percent points when compared with the base performance. This underscores a very important blind spot in the existing assessment methods which only focus on within-domain measures..

Transfer Learning Potential: The security dataset transfers (UNSW → CIC: 96.50%, CIC → UNSW: 96.30%) demonstrate that domain shift can be minimal when source and target domains share similar characteristics. Both being security-focused datasets with attack traffic, they maintain 96%+ F1-scores—only 3-4 percentage points below baseline. This suggests that strategic selection of training domains based on operational similarity can dramatically improve deployment success.

Conservative vs. Aggressive Trade-offs: Perfect precision scenarios (UNSW → Campus: 1.0000 precision, 0.2277 recall; CIC → Campus: 1.0000 precision, 0.6064 recall) indicate models that are too conservative, missing 40-77% of true elephants to avoid false positives. Conversely, perfect recall scenarios (Campus → UNSW: 1.0000 recall, 0.5536 precision; Campus → CIC: 1.0000 recall, 0.5193 precision) suggest aggressive classification with 45-48% false positive rates. Network operators must choose training strategies based on their specific tolerance for missed detections vs. false alarms.

While size-based features remain dominant for elephant flow detection (total_bytes: 38.55%), the inclusion of application-aware and security features provides additional context that enhances model robustness:

Cross-Domain Robustness: The features like potential_scan (0.44% importance) and security_score did not dominate but helped the model to identify patterns of anomalies which could be indicative of domain-specific behavior. The features act as tie-breakers in cases where features based on size are unclear.

Interpretability: Application-aware features (app_web, app_dns, etc.) enable network administrators to understand why certain flows are classified as elephants, linking them to specific services. This interpretability is crucial for operational troubleshooting and capacity planning.

Security Integration: With security support (suspicious ports, protocol anomalies), the elephant flow detection system can also be used as a security monitoring device to detect both capacity consuming flows and potentially hostile traffic.

The cross-domain evaluation framework provides a systematic approach for assessing model generalization in real-world scenarios:

Network Operators: The model has the capability of estimating the expected performance degradation since it can be trained on a single dataset and tested on many domains. Afterward, it enables the use of detection of elephant flows in operational networks.

Traffic Engineering: Understanding which features transfer well across domains (size-based features) vs which are domain-specific helps in a more robust design for traffic engineering policies. Figure 6 reveals that while byte distributions vary significantly across domains, the relative patterns remain consistent, supporting the use of percentile-based adaptive thresholding.

Incremental Deployment: The varying performance across domain pairs suggests a staged deployment strategy: start with conservative thresholds (trained on security datasets → operational networks) to avoid disruptions, then refine using operational data over time. Figure 2 can guide deployment decisions by identifying which source domains provide the best initial performance for specific target environments.