MeeDet: Efficient Malicious Traffic Detection Method via Mamba-Based Early-Exit Mechanism in IIoT Scenarios

Malicious traffic detection in the Industrial Internet of Things (IIoT) faces significant challenges, primarily due to the scarcity of labeled data, high inference latency on resource-constrained edge devices, and the lack of comprehensibility in deep learning models. To overcome these limitations, this paper proposes MeeDet, a novel detection framework that integrates Mamba-based state-space modeling, a dynamic early-exit mechanism, and Large Language Model (LLM)-driven comprehensibility. The proposed MeeDet operates through a four-stage pipeline. First, raw packet captures are preprocessed into header-only, standardized stride-based sequences. Second, a 12-layer unidirectional Mamba backbone is pretrained on unlabeled data using two complementary tasks: Masked Byte Modeling for byte-level semantics and Next-Flow Prediction for long-range flow-level temporal coherence. Third, the model is fine-tuned by attaching lightweight binary heads to each Mamba layer, allowing for the early termination of high-confidence benign samples and adaptive routing of ambiguous flows to deeper layers. Finally, for detected malicious samples, structured prompts containing key network traffic features are processed by an LLM to generate human-readable diagnostic reports, without affecting real-time detection latency. Extensive experiments on five public IIoT datasets demonstrate the superiority of MeeDet over existing baselines. MeeDet achieves F1-scores exceeding 0.98 on key benchmarks while significantly reducing computational overhead. Specifically, at a 1% malicious traffic ratio, MeeDet requires only 1.7 MFLOPs and 1.58 ms of average inference latency, representing a reduction of over 70% in computational cost compared to strong pretrained baselines.