EPS
← All batches·2605.11034

MambaNetBurst: Direct Byte-level Network Traffic Classification without Tokenization or Pretraining

topic: othertop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Gayan K. Kulatilleke, Siamak Layeghy, Mahsa Baktashmotlagh et al.

arXiv · PDF

Summary

MambaNetBurst classifies network traffic (malware, VPN, IoT attacks) by feeding raw packet bytes directly into a Mamba-2 state-space model, skipping tokenization, patching, multimodal feature engineering, and self-supervised pretraining. The model takes the first few packets of a flow, embeds the byte sequence with a learnable CLS token, and runs it through stacked Mamba-2 blocks for supervised classification. Across six public benchmarks it matches or beats much heavier pretrained baselines, and ablations show that preserving byte-level resolution (no early downsampling) is critical.

Main takeaways:

  • Operates on raw packet bytes with no tokenizer, no patching, no heavy feature engineering, and no pretraining stage.
  • Uses Mamba-2 state-space blocks to process byte sequences end-to-end for supervised traffic classification.
  • Matches or beats substantially larger, often pretrained baselines on six public benchmarks (app identification, VPN/Tor, malware, IoT attacks).
  • Ablations reveal that early downsampling via striding hurts performance and that preserving full byte-level temporal resolution is critical.
  • Mamba-2's simpler transition structure (vs. Mamba-1) works well for packet bytes and trains faster.

Relevance

Not related to my persona or midtraining work—this is a domain-specific application (network traffic) of state-space models. Included because it's a rare example of byte-level end-to-end learning without tokenization, which could be a useful reference if I ever explore low-level byte or character representations in language models.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.

Abstract

arXiv:2605.11034v1 Announce Type: new Abstract: We present MambaNetBurst, a compact tokenizer-free byte-level sequence classifier for network burst classification based on a Mamba-2 backbone. In contrast to most recent strong traffic-classification and intrusion-detection approaches, our method operates directly on raw packet bytes, avoids tokenization, patching, and heavy engineered multimodal representations, and does not require any self-supervised pre-training stage. Given a packet flow, we form a fixed-length burst from the first few packets, embed the resulting byte sequence appending a learnable CLS token, and process it with a stack of residual pre-normalized Mamba-2 blocks for end-to-end supervised classification. Across six public benchmarks spanning encrypted mobile app identification, VPN/Tor traffic classification, malware traffic classification, and IoT attack traffic, MambaNetBurst achieves consistently strong results and is competitive with, or outperforms, substantially heavier and often pre-trained baselines. Our ablation study shows that preserving byte-level temporal resolution is critical, that early downsampling through striding is consistently harmful, and that moderate state sizes are sufficient for robust generalization. We further show that Mamba-2, despite its more constrained transition structure relative to Mamba-1, remains highly effective for packet-byte modeling while providing clear efficiency advantages, particularly in training speed. Overall, our results demonstrate that direct undiluted byte-to-classification learning with compact selective state space models is a practical, effective and novel direction for efficient, deployable traffic analysis that bypasses the complexity of pre-training pipelines even over highly optimized linear attention architectures.