PersonaFingerprint: Measuring Persona Inference on Modern Websites with LLM-Driven Browsing

Joint multi-task training with a combined loss L_joint = L_site + λ·L_pers shows that increasing λ from 0 to 2 raises mixed-site persona accuracy from approximately 45% to approximately 80% while website accuracy declines only from approximately 90% to approximately 75%, demonstrating a wide regime where an attacker can gain strong persona inference at modest cost to existing WFP capability.

§4.4, §5.7.2, Figure 5 detection website-fingerprintml-classifiertraffic-shape generic

Using only 1,000-packet windows of signed packet lengths and inter-arrival times (no payload, no URLs, no cookies), a passive adversary achieves approximately 84% accuracy at inferring behavioral persona in a mixed-site open-world setting spanning 10 modern websites and 15 canonical personas plus an open-world class. Per-site persona macro-F1 typically ranges from about 0.78 to 0.91 across representative platforms including Bilibili, eBay, Yahoo, Zhihu, and LinkedIn.

§5.3, §5.5, Abstract detection website-fingerprinttraffic-shapeml-classifier generic

In open-world evaluation, an average of 34.4% of traffic from unseen personas is misattributed to a specific canonical persona (MisAttr@OW), and misattributions concentrate heavily: on average 58.7% of misattributed windows fall into just the top-3 canonical personas, rising to 66.8% and 69.3% on Bilibili and Zhihu respectively. The classifier correctly rejects unseen personas as OW with an average F1 of only 65.6%.

§5.4, Table 2 detection website-fingerprintml-classifier generic

Attack accuracy scales steeply with persona-labeled training data: mixed-site open-world persona accuracy rises from 55.0% at 500 windows/persona to 65.0% at 1,000, 76.0% at 2,000, and 84.0% at 5,000 windows/persona across 10 sites (results consistent across 3 random seeds with std ≤1.0%). LLM-driven browsing agents make large-scale persona-labeled traffic generation practical for adversaries.

§5.6, Table 3 evaluation website-fingerprintml-classifier generic

A site-only WFP encoder trained without any persona labels already encodes substantial persona information: attaching a lightweight MLP probe to its frozen representations recovers persona accuracy roughly 20–30 percentage points above a random-encoder baseline across all 10 sites (e.g., approximately 53% vs. 21% on Amazon, 49% vs. 27% on YouTube, using the same probe architecture and training budget).

§4.5, §5.7.1, Figure 4 detection website-fingerprintml-classifier generic