Network elements, such as routers and switches, provide network connectivity for a wide range of computing devices. Malware on the endpoint computing devices may use the network connectivity provided by the connected network elements, e.g., to compromise information on the endpoint computing device or to direct Denial of Service attacks. In some distributed network monitoring systems, such as Network as a Sensor or Encrypted Traffic Analytics provided by Cisco Systems, Inc., the network elements report characteristics of the network traffic to a central security appliance. The central security appliance analyzes the network traffic characteristics to determine whether any particular network traffic includes anomalous traffic that may be indicative of malware.