In some examples, a system for decorating network traffic flows with outlier scores includes a processor and a memory device to store traffic flows received from a network. The processor is configured to receive a set of traffic flows from the memory device and generate a tree model to split the traffic flows into clusters of traffic flows. Each cluster corresponds with a leaf of the tree model. The processor is further configured to generate machine learning models for each of the clusters of traffic flows separately. For a new traffic flow, the processor is configured to identify a specific one of the machine learning models that corresponds with the new traffic flow, compute an outlier score for the new traffic flow using the identified specific one of the machine learning models, and decorate the new traffic flow with the outlier score.