Real-time anomaly detection is a core requirement in high-speed networks, yet most intrusion detection systems struggle with short-lived microbursts and stealthy data exfiltration, especially when attackers hide within bursty traffic. This paper proposes NetBurst-X, a hybrid burst–flow learning framework that combines burst-aware traffic statistics with temporal deep learning for NetFlow-based security analytics. The framework introduces a Burst Severity Index (BSI) and derives ByteRate and PacketRate features inside dynamic sliding windows, which are then fused with gated recurrent unit (GRU) representations of NetFlow sequences. Experiments on the NF-UNSW-NB15-V2 and UNSW-NB15 datasets show that NetBurst-X outperforms Random Forest, SVM, XGBoost, BiLSTM, and CNN-GRU baselines in precision, recall, F1-score, ROC-AUC, and Matthews correlation coefficient for both microburst detection and data exfiltration classification. On a combined microburst–exfiltration traffic mix, NetBurst-X achieves an F1-score of 0.950, a ROC-AUC of 0.973, and an MCC of 0.938, with F1-scores of 0.963 for microburst detection and 0.923 for exfiltration alone. Streaming evaluations further indicate low inference latency (27.4 ms per batch) and high throughput (16 920 flows/s), demonstrating that the framework is suitable for deployment in practical high-speed network environments. These results highlight the benefit of combining burst-aware traffic indicators with temporal flow modeling to improve real-time intrusion detection.
Mohammed Saad Javeed
Jannatul Maua
M. F. Mridha
SHILAP Revista de lepidopterología
IEEE Open Journal of the Communications Society
University of Aizu
American International University-Bangladesh
Bangladesh University of Business and Technology
Javeed et al. (Thu,) studied this question.
www.synapsesocial.com/papers/69f04d9f727298f751e71e2b — DOI: https://doi.org/10.1109/ojcoms.2026.3683927