🤖 AI Summary
Existing NIDS benchmarks predominantly rely on synthetic traffic, failing to capture statistical variability and temporal drift inherent in real-world networks—leading to distorted model evaluation. To address this, we propose MAWIFlow: the first flow-level intrusion detection benchmark built exclusively on real backbone network traffic collected across three years (2011, 2016, 2021). MAWIFlow explicitly models temporal drift while preserving original ground-truth labels. We publicly release a standardized preprocessing pipeline, a reproducible PCAP-to-flow conversion tool, and temporally aligned multi-year datasets. Experimental results reveal that conventional tree-based models suffer over 40% performance degradation when evaluated across years, whereas CNN-BiLSTM maintains stable accuracy—demonstrating the critical necessity of long-term, realistic temporal benchmarks for assessing model generalization. This work pioneers the systematic integration of longitudinally evolving real-world network traffic into NIDS benchmark design.
📝 Abstract
Benchmark datasets for network intrusion detection commonly rely on synthetically generated traffic, which fails to reflect the statistical variability and temporal drift encountered in operational environments. This paper introduces MAWIFlow, a flow-based benchmark derived from the MAWILab v1.1 dataset, designed to enable realistic and reproducible evaluation of anomaly detection methods. A reproducible preprocessing pipeline is presented that transforms raw packet captures into flow representations conforming to the CICFlowMeter format, while preserving MAWILab's original anomaly labels. The resulting datasets comprise temporally distinct samples from January 2011, 2016, and 2021, drawn from trans-Pacific backbone traffic. To establish reference baselines, traditional machine learning methods, including Decision Trees, Random Forests, XGBoost, and Logistic Regression, are compared to a deep learning model based on a CNN-BiLSTM architecture. Empirical results demonstrate that tree-based classifiers perform well on temporally static data but experience significant performance degradation over time. In contrast, the CNN-BiLSTM model maintains better performance, thus showing improved generalization. These findings underscore the limitations of synthetic benchmarks and static models, and motivate the adoption of realistic datasets with explicit temporal structure. All datasets, pipeline code, and model implementations are made publicly available to foster transparency and reproducibility.