TransGraphNet: robust detection of malicious encrypted network traffic via transformer and graph neural models

Feature analysis and selection

Nowadays, malware typically uses the TLS protocol for encrypted communication, which consists of two main phases. The first phase is the handshake, where the client and server negotiate cryptographic algorithms, establish shared keys, and perform certificate verification (Yang et al., 2024b). The second phase involves encrypted data transmission, where data is transmitted in ciphertext. In the handshake phase, the payloads can be parsed into semantically explicit meta-features, including IP addresses, port numbers, SNI fields, certificate chain fingerprints, and other certificate-related information. However, penetration testing tools (e.g., CobaltStrike) can leverage active traffic obfuscation techniques such as DGA algorithms, custom communication configurations, or forged certificates (Wang et al., 2023), rendering this information unreliable. Directly feeding these features into the model may lead to misclassification.

Therefore, we discard certificate and TLS protocol features from encrypted traffic and instead focus on exploring multi-granularity features at the packet, intra-flow, and inter-flow levels. These features include per-flow statistical metrics (such as the minimum, maximum, average and sum of packet lengths and inter-packet arrival times for each flow) (Li et al., 2022), as well as time-series features, including sequences of directed IP packet lengths and inter-arrival times. We also incorporate inter-flow interactive relationships to capture session-window-level patterns. The three categories of features are described below:

• Per-flow temporal statistical features: We extract temporal statistical features at both packet and flow levels, including the standard deviation of all packet arrival times, the average number and maximum arrival time of uplink/downlink packets transmitted in a flow, a total of 103 multi-granularity features.

• IP packet time sequence features: We also extract time series features such as packet lengths and inter-arrival times by analyzing packet headers. These features have been shown to provide significant discriminatory ability in deep learning models (Sirinam et al., 2018; Liu et al., 2019; Yang et al., 2024b).

• Flow interactive behavior features: We capture the concurrent and trigger relationships between traffic flows and model them as a graph structure to represent the interactive behavior of the traffic. This interaction information has been demonstrated to be effective in encrypted traffic analysis in methods such as FG-Net (Jiang et al., 2022) and GraphDApp (Shen et al., 2019).

Packet length standardization by improved PLD algorithm

As discussed in the Related Work section, most network traffic analysis methods primarily rely on learning from time sequences of raw IP packets, such as their directed packet lengths and inter-arrival times (Sirinam et al., 2018; Liu et al., 2019). However, these temporal features can be distorted by both passive and active traffic obfuscation, causing their values to cluster around a limited set of discretized points. To investigate this effect, we analyze the MTA dataset and illustrate the packet length distributions of different categories in Fig. 3. For normal traffic, the packet length distribution is relatively uniform, spanning evenly from 0 to 1,500 bytes. In contrast, non-obfuscated malicious encrypted traffic, such as the Bokbot category, shows a more concentrated distribution. When obfuscation is applied, as in the Bokbot (C.S.) category, the distribution becomes similar to that of normal traffic, with the packet lengths concentrated around discretized values spread across the full 0 $\sim$1,500 range. As a result, directly inputting these distorted time-series features into a model may increase the likelihood of misclassification.

We further analyze the packet length frequency distributions across four malware categories in the MTA dataset. As shown in Fig. 4, different malware types exhibit distinct sets of high-frequency packet lengths. For instance, in Artemis, the 37-byte and 59-byte packet lengths each occur with frequencies exceeding 0.1, whereas in Bokbot (C.S.) under obfuscation, the 31-byte and 51-byte lengths are dominant. However, when traffic is subject to environmental noise and obfuscation, the overall distribution becomes more uniform, and the frequencies of individual packet lengths tend to decrease. This highlights the importance of standardizing packet-level features, such as packet length and inter-arrival time as shown in Fig. 2A2, to enhance the model’s ability to capture discriminative high-frequency patterns while mitigating the impact of low-frequency noise.

Traditional standardization methods tend to focus primarily on top- $k$ high-frequency values, which can result in the loss of semantically meaningful low-frequency variations (Liu et al., 2018; Li et al., 2023). To overcome this limitation, we propose an improved version of the Power Law Division (PLD) algorithm that adopts a hybrid discretization strategy. Specifically, the enhanced PLD defines a set of standardized packet lengths by combining (1) the top- $k$ most frequent packet lengths in the dataset, which preserves dominant traffic characteristics, and (2) regularly spaced values (e.g., every seven bytes), which ensure better coverage of rare but potentially informative patterns. This design not only addresses the bias of traditional methods toward high-frequency bins but also introduces a more balanced and robust standardization scheme that is resilient to obfuscation-induced noise. In contrast to existing PLD or quantization techniques that rely solely on frequency or uniform binning, our enhancement enables the model to more effectively capture both global and subtle structural variations in encrypted traffic.

Let $f$ be an encrypted network traffic flow identified by a five-tuple $⟨\mathrm{c}\mathrm{l}\mathrm{i}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{I}\mathrm{P}$, $\mathrm{s}\mathrm{e}\mathrm{r}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{I}\mathrm{P}$, $\mathrm{c}\mathrm{l}\mathrm{i}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{P}\mathrm{o}\mathrm{r}\mathrm{t}$, $\mathrm{s}\mathrm{e}\mathrm{r}\mathrm{v}\mathrm{e}\mathrm{r}\mathrm{P}\mathrm{o}\mathrm{r}\mathrm{t}$, $\mathrm{P}\mathrm{r}\mathrm{o}\mathrm{t}\mathrm{o}\mathrm{c}\mathrm{o}\mathrm{l}⟩$. By monitoring a network interface, we can collect a sequence of IP packets belonging to flow $f$, ordered by their timestamps: $f={\left[p_i\right]}_{i=1}^T=\left[p_1,p_2,\dots ,p_T\right]$, where $p_i$ denotes the $i$-th packet in the flow and T is the total number of packets in $f$. To extract packet-level features, we apply a function $\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(\cdot )$ to each packet in the sequence. The resulting time sequence of IP packet features is

(1) $$\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(f)=\left[\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_1),\dots ,\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_T)\right],$$where $\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_i)$ is a function to extract packet-level features from $p_i$, such as the directed packet length, which is assigned a positive value if the packet is sent from client to server, and a negative value otherwise.

To standardize packet length sequences, we first analyze each traffic category $x$ to extract the top- $k$ most frequent packet lengths. These frequent lengths form the basis of a standardization function applied to each packet length sequence $\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(f)$. Specifically, for each traffic category $x$, we compute the frequency of all observed packet lengths and construct a ranked list ${\mathcal{L}}^x$, sorted in descending order of frequency. Each entry in ${\mathcal{L}}^x$ is a pair $({\ell }_j^x,v_j^x)$, where ${\ell }_j^x$ is the $j$th most frequent packet length and $v_j^x$ is its corresponding frequency count. Formally, the frequency distribution is defined as:

(2) $${\mathcal{L}}^x=\left[\left({\ell }_j^x,v_j^x\right)\right]{|}_{j=1}^{n^x},$$where $n^x$ is the total number of distinct packet lengths observed in category $x$, and the list ${\mathcal{L}}^x$ is sorted in descending order of frequency, such that $v_j^x\ge v_{j+1}^x$, for each $j\in [1,n^x-1]$. Considering both client-to-server and server-to-client directions, the number of distinct packet lengths can be as high as 1,500 $\times$ 2. To focus on the most representative values, we retain only the top- $k$ entries, resulting in a truncated list.

(3) $$\widetilde{{\mathcal{L}}^x}=\left[\left({\ell }_j^x,v_j^x\right)\right]{|}_{j=1}^k.$$

After obtaining the top- $k$ high-frequency packet length list $\widetilde{{\mathcal{L}}^x}$ for each traffic category $x$, we define a function to measure the distance between any packet length and its closest match in $\widetilde{{\mathcal{L}}^x}$. This distance is used to standardize packet lengths not present in the top- $k$ list. Specifically, for each packet $p_i$ in flow $f$, we extract its length using $\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_i)$, and compute its distance to the closest value in the list $\widetilde{{\mathcal{L}}^x}$:

(4) $$dist(p_i,\widetilde{{\mathcal{L}}^x})=\underset{{\ell }_j^x\in \widetilde{{\mathcal{L}}^x}}{min}\left|\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}\left(p_i\right)-{\ell }_j^x\right|.$$

For each packet $p_i$ in the flow $f$, we apply a standardization function $\mathrm{S}\mathrm{t}\mathrm{d}\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}{\mathrm{n}}_x(p_i)$ to its packet length:

(5) $$\mathrm{S}\mathrm{t}\mathrm{d}\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}{\mathrm{n}}^x(p_i)=\{\begin{array}{cc}\underset{{\ell }_j^x\in \widetilde{{\mathcal{L}}^x}}{\arg min}|\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_i)-{\ell }_j^x|,\hfill & \mathrm{i}\mathrm{f}dist(p_i,\widetilde{{\mathcal{L}}^{\mathrm{x}}})\le \mathrm{\Delta }\tau ,\hfill \\ \lceil \frac{\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_i)}{\mathrm{\Delta }{\tau }^{\mathrm{\prime }}}\rceil \times \mathrm{\Delta }{\tau }^{\mathrm{\prime }},\hfill & \mathrm{o}\mathrm{t}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{w}\mathrm{i}\mathrm{s}\mathrm{e}.\hfill \end{array}$$

Equation (5) defines a packet length standardization function. It first extracts the packet length by $\mathrm{P}\mathrm{k}\mathrm{t}\mathrm{L}\mathrm{e}\mathrm{n}(p_i)$ and calculates its closest distance $dist(p_i,\widetilde{{\mathcal{L}}^x})$ to the top- $k$ frequent packet lengths in the list $\widetilde{{\mathcal{L}}^x}$. If the distance is within a threshold $\mathrm{\Delta }\tau$, the packet length is replaced with the nearest top- $k$ frequent value; otherwise, it is rounded to the nearest multiple of $\mathrm{\Delta }{\tau }^{\mathrm{\prime }}$, which is set to 7 by default. By this standardization process, the time series noise interference caused by traffic obfuscation can be effectively mitigated, thus enhancing the model’s ability to learn the high-frequency features of malicious activities.

As shown in Eq. (5), $\mathrm{\Delta }{\tau }^{\mathrm{\prime }}$ is a hyperparameter that controls the granularity of standardizing non-high-frequency packet lengths. We set $\mathrm{\Delta }{\tau }^{\mathrm{\prime }}=7$ by default, striking a practical balance between reducing obfuscation-induced noise and retaining meaningful variation. This choice was empirically found to yield stable performance across multiple datasets. We acknowledge that the model’s sensitivity to $\mathrm{\Delta }{\tau }^{\mathrm{\prime }}$ is an important factor affecting its robustness to different obfuscation strategies, and we will analyze this in detail in the Experiments section of the revised manuscript.

Grouping flows into session windows by adaptive sliding window algorithm

Malware often generates substantial network traffic during its execution, and due to variations in attack tools and techniques, this traffic exhibits diverse behavioral patterns, for example, sudden surges during DDoS attacks, periodic fluctuations in command-and-control (C&C) communications or crypto-mining, and repeated requests in web crawling (Jiang et al., 2022). To better capture these behaviors, we group five-tuple flows that share the same client and server IP addresses into broader two-tuple session windows. Compared to individual five-tuple flows, these session windows span longer durations and offer a more comprehensive view of client-server interactions. Within each session window, multiple flows are organized into a flow-level relation graph, facilitating the detection of malicious encrypted traffic.

To construct these flow graphs more effectively, we propose an adaptive sliding window algorithm. The intuition behind this heuristic is that malicious flows tend to occur in concentrated bursts. Fixed-size windows may fragment these bursts or inadvertently include unrelated flows, thereby disrupting the temporal coherence of flow sequences. Our adaptive sliding window addresses this by dynamically adjusting its size based on the average inter-flow time within the current window. This average acts as a data-driven threshold to determine whether subsequent flows should be incorporated, allowing the window to adapt to local traffic density and better preserve temporal consistency. We also acknowledge the potential limitations of this approach. In highly bursty or irregular traffic, the average inter-arrival time may serve as an unstable or non-discriminative threshold. In future work, we plan to explore alternative strategies, such as using median-based or percentile-based thresholds, to improve robustness.

In contrast, prior methods for building flow-level relation graphs use fixed-size time windows (Jiang et al., 2022; Yang et al., 2024a), which are inadequate for capturing dynamic traffic behaviors. These static approaches may miss burst events or extended anomalies that fall outside the rigid window boundaries, leading to reduced detection accuracy. Our adaptive strategy mitigates this issue by flexibly capturing temporal variations and preserving interaction information critical for identifying malicious behavior.

The pseudocode is presented in Algorithm 1, whose detailed steps are explained below. First, Line 1 inserts the input traffic flow $f_i$ to the sliding window $W_t$ within a same two-tuple session window, if $W_t$ is now empty. The set of flows contained in the current sliding window $W_t$ is defined as:

(6) $$W_t=\{f_i\mid t_i<t_1+T_{init}\vee (t_i\le t_{i-1}+{\overline{\mathrm{\Delta }t}}_{1,|W_t|}\wedge t_i\le t_1+T_{max})\},$$where $t_i$ is the start timestamp of the $i$-th flow $f_i$, $T_{init}$ is the initial size of the sliding window, and $T_{max}$ is the maximum allowable size of the sliding window. For each flow $f_i$, in Line 3, we calculate the time interval $\mathrm{\Delta }{T}_i$ between $f_i$ and the first flow $W_t[1]$ in the sliding window. If the interval $\mathrm{\Delta }{T}_i$ is smaller than the threshold $T_{init}$, then the flow is appended to the sliding window $W_t$ in Line 4. Otherwise, the time interval $\mathrm{\Delta }{t}_{\mathrm{i}}$ between $f_i$ and the last flow in $W_t$ is calculated, followed by computing the average time interval ${\overline{\mathrm{\Delta }t}}_{1,|W_t|}$ across all intervals in Line 6 and as Eq. (7):

(7) $${\overline{\mathrm{\Delta }t}}_{1,|W_t|}=\frac{1}{|W_t|-1}\sum _{i=2}^{|W_t|}\mathrm{\Delta }{t}_i,\mathrm{w}\mathrm{i}\mathrm{t}\mathrm{h}\mathrm{\Delta }{t}_i=t_i-t_{i-1},$$where $\left|W_t\right|$ is the number of flows in the current sliding window, and $\mathrm{\Delta }{t}_i$ is the time interval between the $i$-th flow and its previous flow. The average time interval ${\overline{\mathrm{\Delta }t}}_{1,|W_t|}$ serves as a threshold to determine whether a new flow $f_i$ can be appended to the sliding window. This criterion ensures that $f_i$ is temporally close to the preceding flows, suggesting that it is part of the same bursty behavior. Additionally, it guarantees that the inclusion of $f_i$ reduces the average time interval within the the session window, reinforcing its temporal cohesion. Next, we compute the time interval between the new flow $f_i$ and the last flow in the current window as $\mathrm{\Delta }{t}_i=t_i-t_{i-1}$ in Line 7. If $\mathrm{\Delta }{t}_i\le {\overline{\mathrm{\Delta }t}}_{1,|W_t|}$ and the time interval of the window $\mathrm{\Delta }{T}_i=t_i-t_1$ does not exceed the preset maximum window size $T_{max}$, the window slides in Line 8. Otherwise, the algorithm return NIL in Line 9, indicating the current window $W_t$ has ended and a new window should begin.

An example is illustrated in the bottom part of Fig. 2B1. The flows $f_1$, $f_2$, and $f_3$ are directly loaded as their cumulative time span $t_3-t_1$ is smaller than the initial window size $T_{init}$. Subsequently, the flows $f_4$ through $f_8$ are appended one by one, as the time intervals between each new flow and its preceding flow ( $\mathrm{\Delta }{t}_i=t_i-t_{i-1}$) is smaller than the current average interval within the window ( ${\overline{\mathrm{\Delta }t}}_{1,|W_t|}$). This results in a non-increasing trend in the average interval, i.e., ${\overline{\mathrm{\Delta }t}}_{1,3}\ge {\overline{\mathrm{\Delta }t}}_{1,4}\ge \dots \ge {\overline{\mathrm{\Delta }t}}_{1,8}$, after appending flows $f_3,f_4,\dots ,f_8$. As ${\overline{\mathrm{\Delta }t}}_{1,9}>{\overline{\mathrm{\Delta }t}}_{1,8}$, the inclusion condition is no longer satisfied, and flows $f_1$ to $f_8$ are thus grouped into a single session window. Through this algorithm, we can more accurately reveal the behavioral patterns of malicious encrypted traffic and improve the model’s representational capability.

From a theoretical perspective, this adaptive sliding window algorithm operates in a single pass over all captured flows sorted by their start timestamps. Since no backtracking, sorting, or pairwise comparison is involved, this algorithm only computes a dynamic threshold to determine window boundaries based on local burst characteristics. So, its time cost is $O(n)$ with respect to the number of flows $n$ observed in the traffic and inserted by this algorithm. This design ensures high efficiency on large-scale traffic datasets.

Construction of flow-level burst graph for each session window

As mentioned previously, malware often generates multiple network flows during attack activities, with some flows occurring concurrently within a short time window to fulfill a coordinated purpose, thereby forming one or more bursts (Oudah et al., 2019). Recent studies have shown that such multi-flow burst behavior is crucial for analyzing encrypted traffic (Jiang et al., 2022; Zhu et al., 2023). Constructing a flow relation graph that captures multiple bursts is essential for uncovering complex interactions between client and server hosts. In this graph, both the number of concurrent flows within each burst and the frequency of bursts are closely linked to underlying attack patterns. Constructing inter-flow relationships in this way enhances model’s representational capability and helps mitigate the impact of traffic obfuscation.

As inspired by FG-Net (Jiang et al., 2022), our flow-level burst graph is designed to capture both concurrent and trigger relationships among five-tuple flows within a session window, which shares a common pair of client and server IPs and have proximate flow start times. In this graph, flows within the same burst are considered to share a concurrent relationship, while the bursts, ordered by their starting timestamps, are linked through trigger relationships between adjacent pairs. This trigger information is closely tied to the behavioral patterns of malicious encrypted traffic. Unlike traditional flow-level relationship graph, our flow-level burst graph is built based on the adaptive sliding window algorithm, which dynamically adjusts the window size to better capture bursts behaviors.

An example of AFG: An example of the AFG is illustrated in Fig. 5A. Eight flows are collected from the adaptive sliding window $W_t$: flows 1 and 2 belong to burst 1, flow 3 to burst 2, flows 4, 5, and 6 to burst 3, and flows 7 and 8 to burst 4. In the corresponding AFG shown in Fig. 5B, each vertex represents a traffic flow and is characterized by statistical and time-series features. For concurrent relationships, vertex 1 connects to vertex 2 within burst 1, and vertices 4, 5, and 6 are connected sequentially within burst 3, indicating intra-burst concurrency. For trigger relationships, vertices 1 and 2 connect to vertex 3, reflecting the trigger relationship from burst 1 to burst 2. Similarly, vertices 4 and 6 connect to vertices 7 and 8, indicating the trigger relationship between bursts 3 and 4.

We present the pseudocode in Algorithm 2 for constructing the flow-level burst graph. We first collect all traffic flows generated between a client-server pair and arrange them in ascending order based on their start timestamps, forming the sequence $F=\left\{f_1,f_2,\dots f_i\dots \right\}$. For all flows $f_i\in F$, we process them by the adaptive sliding window, splitting them into bursts and constructing an AFG. This graph consider both the concurrent relationship among flows within a same burst and the trigger relationship between bursts.

• Partition a client-server session into session windows: The construction of the current session window $W_t$ terminates when the input flow $f_i$ is NIL, or when the function InsertFlow2AdaptiveSlidingWindow() returns NIL in Line 11, which subsequently triggers the start of the next session window. For each completed session window, we construct an AFG in Lines 6 to 16, which contains two type of edges for concurrent and trigger relationships, respectively.

• Concurrent relationship: Assume $W_t=\{f_1,f_2,\dots ,f_n\}$ is a session window of five-tuple flows collected between a pair of client and server hosts and ordered by their starting timestamps. We partition them into bursts according to the proximaty of these flows’ start times. If the time interval between a pair of adjacent flows $\mathrm{\Delta }{t}_i$ is less than the pre-configured threshold $\delta$, these two flows are considered concurrent and are grouped into the same burst by Lines 6 to 11.

• Trigger relationship: The termination of the current burst $\{f_1,f_2,\dots ,f_k\}$ is detected, when the time interval between $f_k$ and $f_{k+1}$ exceeds the threshold $\delta$, which subsequently triggers the initiation of the next burst $\{f_{k+1},f_{k+2},\dots ,f_{k+j}\}$ in Line 14. A trigger relationship is then established between these two time-adjacent bursts by invoking the InsertEdges() function in Line 13. This relationship is encoded using two directed edges, as shown in Lines 18 to 20: one from the first flow of the previous burst to the first flow of the next burst, and another from the last flow of the previous burst to the last flow of the next burst, which have been illustrated in Fig. 5B.

Additionally, this flow-level burst graph construction algorithm processes flows sequentially within each session window. It performs constant-time operations for vertex insertion and edge creation without requiring backtracking or global sorting. Thus, its time cost is $O(n)$ with respect to the number of flows $n$ in the session window. This ensures efficient graph construction even under large-scale traffic datasets.

Summarizing advantages of AFG

AFG offers a more precise and comprehensive approach to detecting malicious encrypted traffic by dynamically adjusting time windows, thereby capturing bursts and anomalous behavior in network traffic. Compared to traditional flow relation graphs, AFG has several notable advantages:

• Time window size adjustment ability:Traditional flow relation graphs rely on fixed time windows (Jiang et al., 2022; Yang et al., 2024a), which struggle to handle dynamic changes in traffic. While AFG employs an adaptive sliding window algorithm to automatically adjust the window size based on traffic fluctuations, enabling a more flexible capture of dynamic behavior in network flows. This addresses the issue of missing interaction topology information when using fixed time windows.

• Rich intra-flow features: In AFG, each traffic flow contains rich multi-granularity features, such as per-flow statistical features, temporal packet length sequences, and inter-packet arrival time sequences. These features are preserved through the vertices of the graph, enabling the flow-level burst graph not only to capture the inter-flow relations but also to delve into the detailed characteristics of each flow.

• Enhanced inter-flow relational information: Malicious encrypted traffic often exhibits bursty patterns and trigger relationships. AFG enhances flow-level modeling using directed edges to represent concurrent and trigger relations between traffic flows. Through the adaptive sliding window mechanism, AFG explicitly captures these relationships, allowing them reflect the actual traffic patterns more accurately.

Intra-flow statistical features modeling

For each flow, we extract its statistical feature vector, resulting in a total of $d_f=103$ statistical features. To project them into lower-dimensional embeddings, we apply convolutional neural networks (CNNs), which enhance feature expressiveness by capturing local patterns and inter-feature relationships through convolution operations. Prior studies have shown that incorporating CNNs to process temporal statistical features can significantly improve model performance (Hnamte & Hussain, 2023; Mo et al., 2024).

Before constructing the feature extraction model, We first normalize the temporal statistical feature vector $X_f\in {\mathbb{R}}^{d_f}$ to ensure compatibility with the input format of the neural network, as shown in Eq. (8).

(8) $${\mathbf{x}}_f^{(1)}=({\mathbf{x}}_f-{\mu }_f)/{\sigma }_f,$$where ${\mathbf{x}}_f^{(1)}$ is the normalized feature vector, ${\mu }_f$ and ${\sigma }_f$ are the mean and standard deviation of the feature vector, respectively. The normalized feature vector is then input into CNN for modeling.

As shown in Fig. 2C2, the embedding model has three layers. The first layer is a convolutional layer, where we apply filters to perform convolution operations on the input features ${\mathbf{x}}_f^{(1)}$, expressed as follows:

(9) $${\mathbf{h}}_f^{(1)}=\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left(\mathrm{B}\mathrm{N}(\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{v}1\mathrm{D}({\mathbf{x}}_f^{(1)},{\mathbf{W}}_f^{(1)})+{\mathbf{b}}_f^{(1)})\right),$$where $\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{v}1\mathrm{D}\left({\mathbf{x}}_f^{(1)},{\mathbf{W}}_f^{(1)}\right)$ is the convolution operation, ${\mathbf{W}}_f^{(1)}$ is the weight matrix of the first convolutional layer, ${\mathbf{b}}_f^{(1)}$ is the bias term, and $\mathrm{B}\mathrm{N}$ is batch normalization. The convolution operation extracts local feature patterns, with the $\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}$ activation function enhancing non-linear capacity.

The second layer repeats the above process but employs a second convolutional filter with the same kernel sizes but different parameters ${\mathbf{W}}_f^{(2)}$ and ${\mathbf{b}}_f^{(2)}$ to extract higher-level features ${\mathbf{h}}_f^{(2)}$. This is followed by a downsampling pooling layer, to reduce feature dimensionality and improve computational efficiency.

(10) $${\mathbf{h}}_f^{(3)}=\mathrm{M}\mathrm{a}\mathrm{x}\mathrm{P}\mathrm{o}\mathrm{o}\mathrm{l}\mathrm{i}\mathrm{n}\mathrm{g}1\mathrm{D}\left({\mathbf{h}}_f^{(2)}\right).$$

After two layers of convolution and pooling, the final feature map ${\mathbf{h}}_f^{(3)}$ is flattened and mapped to the target dimension through a fully connected layer, as expressed in Eq. (11),

(11) $${\mathbf{z}}_f=\mathrm{T}\mathrm{a}\mathrm{n}\mathrm{h}\left(\mathrm{B}\mathrm{N}({\mathbf{W}}_f^{(3)}\mathrm{F}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{t}\mathrm{e}\mathrm{n}({\mathbf{h}}_f^{(3)})+{\mathbf{b}}_f^{(3)})\right),$$where $\mathrm{F}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{t}\mathrm{e}\mathrm{n}()$ is a function for reshaping the input tensor into a one-dimensional vector ${\mathbf{h}}_f^{(2)}$ by concatenating all elements in a fixed order, ${\mathbf{W}}_f^{(3)}$ and ${\mathbf{b}}_f^{(3)}$ denote the weight matrix and bias vector of the fully connected layer, respectively, $\mathrm{B}\mathrm{N}$ is batch normalization operation, $\mathrm{T}\mathrm{a}\mathrm{n}\mathrm{h}()$ is the hyperbolic tangent activation function, and ${\mathbf{z}}_f$ is a representation of the statistical features of the given five-tuple flow. Later, ${\mathbf{z}}_f$ is also treated as the vertex feature of an AFG containing this flow.

Intra-flow IP packet sequence features modeling

In addition to temporal statistical features, the time series features, such as packet length and inter-packet arrival times, are also valuable for classifying malicious encrypted traffic. To model the time series features, we use the BERT model due to its self-attention mechanism, which effectively captures long-range dependencies and complex temporal patterns in packet-level time series data. This mechanism has been proven in prior work like ET-BERT (Lin et al., 2022) to enhance the detection of encrypted traffic.

Before modeling the time series features, the packet length sequence needs to be standardized by the improved PLD algorithm. Since Transformer-based models are good at word embedding for textual data (Koroteev, 2021), we need to map the raw numerical features (e.g., packet length sequences) into a high-dimensional embedding space $h_i$ through a fully connected layer (Yang et al., 2024b). As shown in Fig. 2C1, for the packet length example, $L=\left\{L_1,L_2,\dots ,L_m\right\}$, where $m$ represents the sequence length, its mapping process can be expressed as Eq. (12). Let $d$ be the dimension of the high-dimensional embedding space, ${\mathbf{X}}_s$ be the matrix $\in {\mathbb{R}}^{1\times m}$ for the packet-length feature vector counted in bytes, ${\mathbf{X}}_a$ be the matrix $\in {\mathbb{R}}^{1\times m}$ for the inter-arrival time features for each of the $m$ packets. Then,

(12) $${\mathbf{H}}_s^{(1)}=\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}({\mathbf{W}}_s{\mathbf{X}}_s+{\mathbf{b}}_s\otimes {\mathbf{1}}_m^{\mathrm{\top }}),{\mathbf{H}}_a^{(1)}=\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}({\mathbf{W}}_a{\mathbf{X}}_a+{\mathbf{b}}_a\otimes {\mathbf{1}}_m^{\mathrm{\top }}),$$where ${\mathbf{W}}_s,{\mathbf{W}}_a\in {\mathbb{R}}^{d\times 1}$ are the weight matrices that project each scalar input into a $d$-dimensional embedding space; ${\mathbf{b}}_s,{\mathbf{b}}_a\in {\mathbb{R}}^d$ are the bias vectors; ${\mathbf{1}}_m\in {\mathbb{R}}^m$ is an all-ones vector used to broadcast the bias across the sequence dimension; $\otimes$ denotes the outer product. ${\mathbf{H}}_s^{(1)},{\mathbf{H}}_a^{(1)}\in {\mathbb{R}}^{d\times m}$ are the resulting high-dimensional embeddings for each packet’s length and inter-arrival time, respectively, where each column corresponds to one packet.

To process the packet length embedding sequence ${\mathbf{H}}_l^{(1)}$, we use it as the input sequence of the BERT model. This model captures long-range dependencies within the time series through its multi-head self-attention mechanism (Koroteev, 2021). Its computational process is as follows:

(13) $$\begin{array}{c}{\mathbf{Q}}^{(l)}={\mathbf{H}}_s^{(l-1)}{\mathbf{W}}_Q^{(l)},{\mathbf{K}}^{(l)}={\mathbf{H}}_s^{(l-1)}{\mathbf{W}}_K^{(l)},{\mathbf{V}}^{(l)}={\mathbf{H}}_s^{(l-1)}{\mathbf{W}}_V^{(l)},\hfill \\ \mathrm{A}\mathrm{t}\mathrm{t}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{i}\mathrm{o}{\mathrm{n}}^{(l)}({\mathbf{H}}_s^{(l-1)})=\mathrm{S}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}\mathrm{x}\left({\mathbf{Q}}^{(l)}{({\mathbf{K}}^{(l)})}^{\mathrm{\top }}/\sqrt{d_k}\right){\mathbf{V}}^{(l)},\hfill \\ {\mathbf{H}}_s^{(l)}=\mathrm{L}\mathrm{a}\mathrm{y}\mathrm{e}\mathrm{r}\mathrm{N}\mathrm{o}\mathrm{r}\mathrm{m}\left(\mathrm{A}\mathrm{t}\mathrm{t}\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{i}\mathrm{o}{\mathrm{n}}^{(l)}({\mathbf{H}}_s^{(l-1)})+{\mathbf{H}}_s^{(l-1)}\right),\hfill \end{array}$$where ${\mathbf{W}}_Q^{(l)},{\mathbf{W}}_K^{(l)},{\mathbf{W}}_V^{(l)}\in {\mathbb{R}}^{d\times d_k}$ are the weight matrices of the linear projections used to compute the queries, keys, and values at the $l$-th Transformer layer; $d_k$ is the dimensionality of the query/key space, typically set to $d/h$, where $h$ is the number of attention heads (for single-head attention, $d_k=d$); and $\mathrm{L}\mathrm{a}\mathrm{y}\mathrm{e}\mathrm{r}\mathrm{N}\mathrm{o}\mathrm{r}\mathrm{m}(\cdot )$ is the layer normalization operation applied after the residual connection. This multi-layer BERT model outputs the representations of the $m$ tokens in the sequence ${\mathbf{H}}_s^{(l)}=\left[{\mathbf{h}}_{\mathrm{c}\mathrm{l}\mathrm{s}},{\mathbf{h}}_1,{\mathbf{h}}_2,\dots ,{\mathbf{h}}_m\right]$ along with a classification token ${\mathbf{h}}_{\mathrm{c}\mathrm{l}\mathrm{s}}$ in the front, which aggregates information of the entire sequence. The vector ${\mathbf{h}}_{\mathrm{c}\mathrm{l}\mathrm{s}}$ will be renamed as ${\mathbf{z}}_s$ and used as the five-tuple flow’s IP packet length sequence representations:

(14) $${\mathbf{z}}_s={\mathbf{H}}_s^{(l)}.{\mathbf{h}}_{\mathrm{c}\mathrm{l}\mathrm{s}},{\mathbf{z}}_a={\mathbf{H}}_a^{(l)}.{\mathbf{h}}_{\mathrm{c}\mathrm{l}\mathrm{s}}.$$

To process the packet inter-arrival time embedding sequence ${\mathbf{H}}_a^{(1)}$, we use it as the input sequence of another BERT model. This model processes ${\mathbf{H}}_a^{(1)}$ in the same way as Eq. (13), resulting in high-dimensional representations ${\mathbf{H}}_a^{(l)}$ for the inter-arrival time sequence. From its output, we also extract the classification token as the vector ${\mathbf{z}}_a$, which is used for inter-arrival time sequence embeddings. Finally, for each five-tuple flow, we obtain three embedding vectors: ${\mathbf{z}}_f$, derived from the flow’s statistical features; ${\mathbf{z}}_s$, derived from its IP packet length sequence; and ${\mathbf{z}}_a$, derived from its inter-arrival time sequence.

Inter-flow relational feature modelling for each client-server session window

After modeling the statistical and time series features, TransGraphNet employs a Graph Attention Network (GAT) to capture inter-flow relational information within the AFG. By aggregating temporal features of the vertices in a spatial graph structure, GAT produces a global representation of the AFG, which is then used for the downstream session window classification task. The core idea of GAT is to dynamically assign attention weights to each vertex via a self-attention mechanism (Veličković et al., 2017), enabling the model to focus on the most relevant relationships and features within each vertex’s neighborhood.

For each vertex $v_i$, GAT aggregates features by learning the importance weights ${\alpha }_{ij}^{(l)}$ of its neighbor vertices $v_j$. This process can be expressed by Eq. (15):

(15) $${\alpha }_{ij}^{(l)}={\mathrm{S}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}\mathrm{x}}_j\left(\mathrm{L}\mathrm{e}\mathrm{a}\mathrm{k}\mathrm{y}\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}\left(⟨{\mathbf{a}}^{(l)},[{\mathbf{W}}_r^{(l)}{\mathbf{h}}_i^{(l)}||{\mathbf{W}}_r^{(l)}{\mathbf{h}}_j^{(l)}]⟩\right)\right),$$where ${\mathbf{h}}_i^{(l)}$ is the input feature of vertex $v_i$ at the $l$-th GAT layer, ${\mathbf{W}}_r^{(l)}$ is the learnable linear transformation matrix at layer $l$, ${\mathbf{a}}^{(l)}$ is the trainable vector used to compute attention scores, and ∥ is vector concatenation. The coefficient ${\alpha }_{ij}^{(l)}$ denotes the normalized attention weight from neighbor vertex $v_j$ to $v_i$ at layer $l$. The subscript $j$ in $\mathrm{S}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}{\mathrm{x}}_j$ indicates that the softmax normalization is performed over all neighbor vertices $v_j\in \mathcal{N}(i)$, so that the attention weights ${\alpha }_{ij}^{(l)}$ for a given vertex $v_i$ sum to 1. After applying the weights ${\alpha }_{ij}^{(l)}$, GAT generates a new feature representation ${\mathbf{h}}_i^{(l+1)}$ for each vertex as shown in Eq. (16):

(16) $${\mathbf{h}}_i^{(l+1)}=\sigma \left(\sum _{j\in \mathcal{N}(i)}{\alpha }_{ij}^{(l)}{\mathbf{W}}_r^{(l)}{\mathbf{h}}_j^{(l)}\right),$$where $\sigma$ is the activation function (e.g., $\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}$), and $\mathcal{N}(i)$ denotes the set of neighbor vertices for vertex $v_i$.

To enhance the model’s expressiveness, GAT utilizes a multi-head attention mechanism, in which multiple attention heads operate in parallel (Veličković et al., 2017). The outputs of these heads are concatenated or averaged to generate the final vertex representation, as expressed in Eq. (17):

(17) $${\mathbf{h}}_i^{(l+1)}=\sum _{k=1}^K\sigma \left(\sum _{j\in \mathcal{N}(i)}{\alpha }_{ij}^{(l)}[k]{\mathbf{W}}_r^{(l)}[k]{\mathbf{h}}_j^{(l)}\right),$$where ${\mathbf{h}}_i^{(l)}$ is the input feature of vertex $v_i$ at the $l$-th layer, ${\mathbf{h}}_i^{(l+1)}$ is the updated feature at the $(l+1)$-th layer, $\mathcal{N}(i)$ is the set of neighbors of vertex $v_i$, K is the number of attention heads, ${\alpha }_{ij}^{(l)}[k]$ is the normalized attention coefficient from neighbor $v_j$ to $v_i$ computed by the $k$-th head, ${\mathbf{W}}_r^{(l)}[k]$ is the trainable weight matrix for the $k$-th attention head at layer $l$, and $\sigma (\cdot )$ is a non-linear activation function such as ReLU.

For spatiotemporal feature fusion, the per-flow statistical feature embeddings ${\mathbf{z}}_f$ in Eq. (11), packet length sequence embeddings ${\mathbf{z}}_s$, and packet inter-arrival time embeddings ${\mathbf{z}}_a$ in Eq. (14) are each fed into a separate GAT model. The output vertex embeddings from the three GATs are stacked to form the updated vertex representations ${\mathbf{H}}_f$, ${\mathbf{H}}_s$, and ${\mathbf{H}}_a$, respectively. These representations are concatenated and subsequently aggregated via a mean-pooling operation to produce a global feature vector ${\mathbf{H}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}$, which summarizes the characteristics of the AFG and the associated client-server session window. By leveraging the expressive capabilities of GAT, the model effectively captures both vertex-level semantics and the structural relationships within the graph.

(18) $${\mathbf{H}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}=\mathrm{M}\mathrm{e}\mathrm{a}\mathrm{n}\mathrm{P}\mathrm{o}\mathrm{o}\mathrm{l}({\mathbf{H}}_f||{\mathbf{H}}_s||{\mathbf{H}}_a).$$

The global feature embeddings ${\mathbf{H}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}$ is fed into a fully connected layer for transformation as Eq. (19),

(19) $${\mathbf{z}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}=\mathrm{R}\mathrm{e}\mathrm{L}\mathrm{U}({\mathbf{W}}_o{\mathbf{H}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}+{\mathbf{b}}_o),$$where ${\mathbf{W}}_o$ represents the weight matrices for the fully connected layer, while ${\mathbf{b}}_o$ is the corresponding bias. By employing this method, GAT effectively integrates both spatial and temporal dimension information from the traffic flows, providing the model with more comprehensive representation capabilities.

Client-server session window classification

Finally, the transformed global feature vector $\mathbf{z}$ is input into a classification layer to predict the class label of the client-server session window. The classification layer applies a softmax function to output the probability distribution over all possible classes, as shown in Eq. (20):

(20) $$\hat{y}=\mathrm{S}\mathrm{o}\mathrm{f}\mathrm{t}\mathrm{m}\mathrm{a}\mathrm{x}({\mathbf{W}}_c{\mathbf{z}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}+{\mathbf{b}}_c),$$where ${\mathbf{W}}_c$ represents the weight matrices for the classification layer, while ${\mathbf{b}}_c$ is the corresponding bias. The final classification prediction is noted as $\hat{y}$. We formulate a multi-class classification task, where the true label of a session window is denoted by $y$. A session window is labeled as malicious if it contains at least one malicious flow; otherwise, it is labeled as benign. In cases where an AFG contains multiple vertices associated with different attack classes, the label $y$ is assigned to the dominant attack class, i.e., the class with the largest number of associated vertices. The model is trained to minimize the cross-entropy loss between the predicted label $\hat{y}$ and the actual label $y$, as shown in Eq. (21). The cross-entropy loss is:

(21) $${\mathcal{L}}_{\mathrm{C}\mathrm{E}}=-\sum _{i=1}^C{y}_i\log ({\hat{y}}_i),$$where C is the total number of benign and attacking classes, $y_i\in \{0,1\}$ is the one-hot encoded ground-truth label for class $i$, and ${\hat{y}}_i$ is the predicted probability for class $i$ computed by the softmax function. The loss ${\mathcal{L}}_{\mathrm{C}\mathrm{E}}$ measures the discrepancy between the predicted distribution $\hat{y}$ and the true distribution $y$.

Implementation and training details

Our model is built on Pytorch, Transformers, and DGL frameworks, and it runs on an NVIDIA RTX 3090 GPU (24 GB VRAM) with the Ubuntu 22.04 operating system.

We implement TransGraphNet using PyTorch and DGL. The model comprises three encoding components, followed by a GAT-based spatiotemporal feature integrator and a linear classifier. (1) Statistical feature encoder: Each flow’s 103-dimensional statistical vector is normalized and passed through two 1D convolutional layers (kernel size 8, 32 output channels), followed by batch normalization, ReLU activation, and max pooling. The output is flattened and transformed into a 256-dimensional embedding ${\mathbf{z}}_f$ via a dense layer. (2) Time series feature encoder: Packet length and inter-arrival time sequences ( ${\mathbf{X}}_s$, ${\mathbf{X}}_a\in {\mathbb{R}}^{1\times 25}$) are separately projected into 256-dimensional embeddings using linear layers with ReLU activation. These are then fed into a 4-layer BERT encoder (hidden size 256, four attention heads, head dimension 64), with the final [CLS] token outputs used as ${\mathbf{z}}_s$ and ${\mathbf{z}}_a$. (3) Spatiotemporal feature integrator and linear classifier: The embeddings ${\mathbf{z}}_f$, ${\mathbf{z}}_s$, and ${\mathbf{z}}_a$ are assigned to nodes in separate AFGs and processed using two-layer GATs (2 heads in the first layer, one head in the second). The resulting node features ${\mathbf{H}}_f$, ${\mathbf{H}}_s$, and ${\mathbf{H}}_a$ are concatenated and mean-pooled to form a global representation ${\mathbf{H}}_{\mathrm{g}\mathrm{l}\mathrm{o}\mathrm{b}\mathrm{a}\mathrm{l}}$, which is passed through a dense layer with ReLU and a final linear classifier. The model is trained using softmax cross-entropy loss.

We train the model using the Adam optimizer with a learning rate of $1\times {10}^{-4}$ and a batch size of 32. A dropout rate of 0.7 is applied to the fully connected layer preceding the BERT encoder, while a rate of 0.5 is used for the rest of the network. Early stopping is employed based on validation loss. The detailed hyperparameter settings are summarized in Table 2.

To evaluate the computational cost and deployment feasibility of our model, we measured the average running time, CPU memory usage, and GPU memory consumption during both training and inference. The results are summarized in Table 4. During training, each batch required approximately 0.0215 s, with a GPU memory consumption of 3,453 MB and CPU memory usage around 5,462 MB. For inference, the model achieved high efficiency, averaging 0.0065 s per batch while maintaining similar resource usage, making it suitable for large-scale graph-based applications. We also analyzed the contributions of the two main components, BERT and GAT, to the overall resource profile. In the first forward pass, the BERT module accounted for a GPU memory increase of 56 MB, totaling 1,191 MB used, and took 0.3891 s to execute. The GAT module added approximately 14 MB to the GPU memory (total 1,205 MB) and ran in 0.1949 s. Due to PyTorch’s memory caching mechanism, these values represent initial memory allocation and are not repeated in subsequent iterations.

The model demonstrates strong inference performance and manageable memory usage, indicating that it is well-suited for deployment in GPU-enabled environments. These findings provide a valuable reference for future work involving real-time systems or deployment on resource-constrained platforms.

Evaluation metrics

Since this article’s primary focus is identifying multi-category malicious encrypted traffic, we employ macro-averaged accuracy, precision, recall, and F1-score as evaluation metrics for the multi-category classification task. The formulas for these metrics are as follows:

(22) $$\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{A}\mathrm{c}\mathrm{c}\mathrm{u}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{y}=\frac{1}{N}\sum _{i=1}^N\frac{T{P}_i+T{N}_i}{T{P}_i+T{N}_i+F{P}_i+F{N}_i},$$

(23) $$\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}=\frac{1}{N}\sum _{i=1}^N\frac{T{P}_i}{T{P}_i+F{P}_i},$$

(24) $$\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}=\frac{1}{N}\sum _{i=1}^N\frac{T{P}_i}{T{P}_i+F{N}_i},$$

(25) $$\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{F}1=\frac{2\times \mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\times \mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}}{\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}+\mathrm{M}\mathrm{a}\mathrm{c}\mathrm{r}\mathrm{o}\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}},$$where N is the number of categories of malicious encrypted traffic, $T{P}_i$ denotes the number of samples correctly classified as class $i$, $F{P}_i$ represents the number of samples incorrectly classified as class $i$, $F{N}_i$ refers to the number of class $i$ samples misclassified as other classes, and $T{N}_i$ is the number of correctly classified samples excluding class $i$. The macro-averaging approach calculates the evaluation metrics for each class and then averages them, ensuring that each class contributes equally to the final result.