MambaNetBurst classifies network traffic (malware, VPN, IoT attacks) by feeding raw packet bytes directly into a Mamba-2 state-space model, skipping tokenization, patching, multimodal feature engineering, and self-supervised pretraining. The model takes the first few packets of a flow, embeds the byte sequence with a learnable CLS token, and runs it through stacked Mamba-2 blocks for supervised classification. Across six public benchmarks it matches or beats much heavier pretrained baselines, and ablations show that preserving byte-level resolution (no early downsampling) is critical.
Main takeaways:
- Operates on raw packet bytes with no tokenizer, no patching, no heavy feature engineering, and no pretraining stage.
- Uses Mamba-2 state-space blocks to process byte sequences end-to-end for supervised traffic classification.
- Matches or beats substantially larger, often pretrained baselines on six public benchmarks (app identification, VPN/Tor, malware, IoT attacks).
- Ablations reveal that early downsampling via striding hurts performance and that preserving full byte-level temporal resolution is critical.
- Mamba-2's simpler transition structure (vs. Mamba-1) works well for packet bytes and trains faster.