MambaNetBurst: Direct Byte-level Network Traffic Classification without Tokenization or Pretraining
Authors: Gayan K. Kulatilleke, Siamak Layeghy, Mahsa Baktashmotlagh et al.
Summary
MambaNetBurst classifies network traffic (malware, VPN, IoT attacks) by feeding raw packet bytes directly into a Mamba-2 state-space model, skipping tokenization, patching, multimodal feature engineering, and self-supervised pretraining. The model takes the first few packets of a flow, embeds the byte sequence with a learnable CLS token, and runs it through stacked Mamba-2 blocks for supervised classification. Across six public benchmarks it matches or beats much heavier pretrained baselines, and ablations show that preserving byte-level resolution (no early downsampling) is critical.
Main takeaways:
- Operates on raw packet bytes with no tokenizer, no patching, no heavy feature engineering, and no pretraining stage.
- Uses Mamba-2 state-space blocks to process byte sequences end-to-end for supervised traffic classification.
- Matches or beats substantially larger, often pretrained baselines on six public benchmarks (app identification, VPN/Tor, malware, IoT attacks).
- Ablations reveal that early downsampling via striding hurts performance and that preserving full byte-level temporal resolution is critical.
- Mamba-2's simpler transition structure (vs. Mamba-1) works well for packet bytes and trains faster.
Relevance
Not related to my persona or midtraining work—this is a domain-specific application (network traffic) of state-space models. Included because it's a rare example of byte-level end-to-end learning without tokenization, which could be a useful reference if I ever explore low-level byte or character representations in language models.
Threat model
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
Abstract
arXiv:2605.11034v1 Announce Type: new Abstract: We present MambaNetBurst, a compact tokenizer-free byte-level sequence classifier for network burst classification based on a Mamba-2 backbone. In contrast to most recent strong traffic-classification and intrusion-detection approaches, our method operates directly on raw packet bytes, avoids tokenization, patching, and heavy engineered multimodal representations, and does not require any self-supervised pre-training stage. Given a packet flow, we form a fixed-length burst from the first few packets, embed the resulting byte sequence appending a learnable CLS token, and process it with a stack of residual pre-normalized Mamba-2 blocks for end-to-end supervised classification. Across six public benchmarks spanning encrypted mobile app identification, VPN/Tor traffic classification, malware traffic classification, and IoT attack traffic, MambaNetBurst achieves consistently strong results and is competitive with, or outperforms, substantially heavier and often pre-trained baselines. Our ablation study shows that preserving byte-level temporal resolution is critical, that early downsampling through striding is consistently harmful, and that moderate state sizes are sufficient for robust generalization. We further show that Mamba-2, despite its more constrained transition structure relative to Mamba-1, remains highly effective for packet-byte modeling while providing clear efficiency advantages, particularly in training speed. Overall, our results demonstrate that direct undiluted byte-to-classification learning with compact selective state space models is a practical, effective and novel direction for efficient, deployable traffic analysis that bypasses the complexity of pre-training pipelines even over highly optimized linear attention architectures.