website-fingerprint   Website fingerprinting

Without chunk-based padding, an XGBoost classifier identifies the target website from covert data-chunk sizes with 91% accuracy (Tranco top-100). Chunking at 2 MB reduces accuracy to 12% at a 21.3% bandwidth overhead, while 16 MB chunks reduce accuracy to near random guessing at a 480.3% overhead. Chunks as small as 64 KB already reduce accuracy to 64%, demonstrating a monotonic fingerprinting–overhead tradeoff.

2026-kamali-huma §V-C, Figure 4 evaluation

Ephemeral defenses were integrated with a WireGuard fork and deployed as Mullvad VPN's 'DAITA' (Defense Against AI-guided Traffic Analysis) opt-in feature across Android, iOS, macOS, Linux, and Windows for over one year, serving a growing number of thousands of daily users. Individual defenses are derived deterministically from seeds in 43.6 ± 4.7 ms on a commodity laptop, making per-connection unique defenses practical at VPN scale.

2026-pulls-ephemeral-network-layer-fingerprinting §1, §7 deployment

Ephemeral blocking defenses reduce DF accuracy from 89.0% (undefended) to 10.2% and RF from 90.1% to 14.7% with standard 30-epoch training, at 97.5% bandwidth and 68.4% delay overhead; under infinite training, DF rises to only 29.2% and RF to 24.3%, still far below undefended baselines of 92.7% and 94.7%. Defenses are tunable at deployment time by adjusting Maybenot framework-wide limits, enabling overhead-vs-protection trade-offs without redeployment.

2026-pulls-ephemeral-network-layer-fingerprinting §5.2, §5.3, Table 1, Table 2 defense

The ephemeral property — using a unique seed-derived defense per connection — prevents attackers from training classifiers on the exact deployed defense variant. Stacked combinations with height H=5 from N=1,000 base defenses yield 6.88×10^25 unique defenses (polynomial growth O(N^{2H})). Attacks trained on ephemeral defenses also generalize significantly better across other randomized defense families than attacks trained on static defenses.

2026-pulls-ephemeral-network-layer-fingerprinting §3.3, §5.4 defense

With infinite training time, Laserbeak achieves 93.5%, 95.9%, and 95.9% accuracy against ephemeral padding, FRONT, and Interspace respectively, compared to 96.5% undefended — confirming that padding-only defenses provide no meaningful protection against a sufficiently trained deep-learning WF adversary. Only ephemeral blocking defenses retain measurable protection, reducing Laserbeak to 71.8% accuracy under infinite training versus 96.5% undefended.

2026-pulls-ephemeral-network-layer-fingerprinting §5.3, Table 2 evaluation

Joint multi-task training with a combined loss L_joint = L_site + λ·L_pers shows that increasing λ from 0 to 2 raises mixed-site persona accuracy from approximately 45% to approximately 80% while website accuracy declines only from approximately 90% to approximately 75%, demonstrating a wide regime where an attacker can gain strong persona inference at modest cost to existing WFP capability.

2026-song-personafingerprint-measuring-persona §4.4, §5.7.2, Figure 5 detection

Using only 1,000-packet windows of signed packet lengths and inter-arrival times (no payload, no URLs, no cookies), a passive adversary achieves approximately 84% accuracy at inferring behavioral persona in a mixed-site open-world setting spanning 10 modern websites and 15 canonical personas plus an open-world class. Per-site persona macro-F1 typically ranges from about 0.78 to 0.91 across representative platforms including Bilibili, eBay, Yahoo, Zhihu, and LinkedIn.

2026-song-personafingerprint-measuring-persona §5.3, §5.5, Abstract detection

In open-world evaluation, an average of 34.4% of traffic from unseen personas is misattributed to a specific canonical persona (MisAttr@OW), and misattributions concentrate heavily: on average 58.7% of misattributed windows fall into just the top-3 canonical personas, rising to 66.8% and 69.3% on Bilibili and Zhihu respectively. The classifier correctly rejects unseen personas as OW with an average F1 of only 65.6%.

2026-song-personafingerprint-measuring-persona §5.4, Table 2 detection

Attack accuracy scales steeply with persona-labeled training data: mixed-site open-world persona accuracy rises from 55.0% at 500 windows/persona to 65.0% at 1,000, 76.0% at 2,000, and 84.0% at 5,000 windows/persona across 10 sites (results consistent across 3 random seeds with std ≤1.0%). LLM-driven browsing agents make large-scale persona-labeled traffic generation practical for adversaries.

2026-song-personafingerprint-measuring-persona §5.6, Table 3 evaluation

A site-only WFP encoder trained without any persona labels already encodes substantial persona information: attaching a lightweight MLP probe to its frozen representations recovers persona accuracy roughly 20–30 percentage points above a random-encoder baseline across all 10 sites (e.g., approximately 53% vs. 21% on Amazon, 49% vs. 27% on YouTube, using the same probe architecture and training budget).

2026-song-personafingerprint-measuring-persona §4.5, §5.7.1, Figure 4 detection

A plug-and-play Boundary Preserving Aggregation Module (overlapping window partitioning with joint packet- and burst-level features, W=20ms, stride=10ms) consistently improves existing WF baselines without architectural modification: applied to DF, AUC rises from 0.780 to 0.901 and P@5 from 0.315 to 0.545; applied to ARES'25, P@5 rises from 0.869 to 0.900 in the open-world 5-tab setting. The module's consistent gains across all three tested baselines confirm that fixed non-overlapping window segmentation is a structural vulnerability in prior WF pipelines.

2026-yuan-demux-boundary-aware-multi-scale §V-G, Figure 5 detection

DEMUX achieves a P@5 of 0.943 and MAP@5 of 0.961 in the closed-world 5-tab multi-tab website fingerprinting setting, outperforming the strongest prior baseline (ARES'25) by 9.2 and 6.2 percentage points respectively. ARES'25's P@K degrades from 0.900 at 2-tab to 0.851 at 5-tab (a drop of 4.9 pp), while DEMUX improves from 0.926 to 0.943 over the same range, expanding the absolute margin from 2.6 to over 9 points.

2026-yuan-demux-boundary-aware-multi-scale §V-B, Table II detection

In the open-world 5-tab setting — where each trace contains one unmonitored site, substantially increasing noise and class imbalance — DEMUX achieves AUC of 0.998, P@5 of 0.951, and MAP@5 of 0.966, while ARES'25 achieves 0.988/0.869/0.911. DEMUX's advantage widens in the open-world setting (the P@5 gap grows from 2.6 pp to 8.2 pp versus closed-world), confirming that state-of-the-art WF attacks are not defeated by open-world conditions or unmonitored co-browsing traffic.

2026-yuan-demux-boundary-aware-multi-scale §V-C, Table III detection

The Traffic Aggregation Matrix (TAM) representation used by the RF baseline — which counts directional packet counts over fixed time slots rather than tracking per-packet sequences — shows unexpectedly strong robustness under TrafficSliver, achieving P@2 of 0.702, substantially exceeding all other CNN-based methods under that defense. Var-CNN similarly achieves P@2 of 0.826 under TrafficSliver despite mediocre no-defense performance, suggesting that tolerance to partial packet loss is architecturally separable from peak single-observer accuracy.

2026-yuan-demux-boundary-aware-multi-scale §V-D, Table IV evaluation

Under the TrafficSliver defense — which splits traffic across multiple Tor entry nodes so no single observer sees more than a partial fraction of packets — TMWF collapses to a P@2 of 0.399 and ARES'23 to 0.429, while DEMUX retains a P@2 of 0.940, exceeding the next-best competitor by 2.5 points. WTF-PAD and FRONT are substantially weaker defenses, with most methods maintaining near-baseline performance under WTF-PAD.

2026-yuan-demux-boundary-aware-multi-scale §V-D, Table IV evaluation

CenTor's anonymity scoring function quantifies the privacy cost of geographic shadow selection using six parameters (client density, AS-level and country-level entropy, relay density, exit density, guard density). Prior work establishes that reducing the client anonymity set by 20x—retaining at least 5% of total Tor users—still provides strong anonymity; accordingly, CenTor recommends minimum thresholds of CD, EL, EC ≥ 0.05 and RD, ED ≥ 0.2 for safe shadow operation.

2025-arora-improving-performance-security §4.1, §4.2, Table 2 defense

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 detection

The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.

2025-pereira-extended §2.2 defense

Local onion association—periodically downloading the full set of onion associations from a CT-log-based API and performing each lookup locally—produces a traffic pattern from the guard's perspective that is indistinguishable from generic onion service access, eliminating both the OLF fingerprint and the DNS-based Website Oracle attack vector. This approach requires no per-connection clearnet exit circuit and imposes negligible overhead given the current ~1,500 stable O-L site count.

2025-syverson-onion-location-measurements-fingerprinting §2.2.4, §6 defense

OLF reduces an adversary's target anonymity set from roughly 10,000 active onionsites to the ~1,500 stably available O-L sites—nearly an order of magnitude. Because O-L requires an exit circuit with a DNS lookup, a DNS-based Website Oracle further collapses the false-positive rate, making OLF effectively a closed-world attack on the enumerated O-L site list.

2025-syverson-onion-location-measurements-fingerprinting §2.3, §3 detection

Circuit fingerprinting from a guard-relay position achieves ≥99.9% accuracy with FPR ≤0.1% for all four Tor circuit types (general, HSDir, introductory, rendezvous) using the Deep Fingerprinting classifier on the first 512 cells, despite Tor's deployed partial defenses. Onion-Location fingerprinting (OLF) combining these circuit classifiers then achieves 98.81–99.87% accuracy (FPR 0.16–1.23%) distinguishing O-L sessions from ordinary clearnet or onion-only visits.

2025-syverson-onion-location-measurements-fingerprinting §5.1–5.2 detection

Automatic Onion-Location redirect was disabled in Tor Browser 13.0.12 as a direct result of this research, because automatic redirect forces the distinguishable clearnet-then-onion circuit pattern on every visit without user awareness. Manual O-L remains in Tor Browser but is still fingerprintable with the same near-perfect accuracy since the exit→onion circuit sequence is identical whether the redirect is automatic or manually triggered.

2025-syverson-onion-location-measurements-fingerprinting §2.2, footnote 1; §6 evaluation

Combinations of Bayesian methods, data augmentation with mixup, and NOTA defensive padding cut the open-world false positive rate by up to 92% at 0.5 recall on HTTPS-only traffic and 75% on Tor traffic relative to the deterministic MSP baseline. Even with these improvements, sustaining a world size in the hundreds of millions (approaching YouTube-scale) requires accepting recall of 0.5–0.6 and precision of only 0.1–0.2; at precision 0.5 and recall 0.5, the maximum workable world size is only 37.5M for HTTPS-only (Table 3), far below YouTube's ~10 billion video catalog.

2025-walsh-improved-open-world-fingerprinting §4.5, Tables 1–3 evaluation

Extrapolating empirical FPRs using Wang's base-rate-adjusted precision formula (𝜋_r), the best HTTPS-only approach can sustain precision 0.5 at recall 0.5 only up to a world size of 37.5M videos; precision 0.1 at recall 0.5 extends to 337.5M — still short of YouTube's ~10 billion catalog (Table 3). For Tor, the corresponding limits are 4.8M and 42.9M, making dragnet surveillance of unselected users on large platforms effectively infeasible at any acceptable precision with current techniques.

2025-walsh-improved-open-world-fingerprinting §4.5.1, Tables 3–4 evaluation

When a fingerprinting model is trained on traffic collected from one geographic vantage point and tested on traffic from a different continent, the HTTPS-only open-world FPR at 0.5 recall increased by factors ranging from 2.8x (EU-West-2) to 50.3x (Africa) relative to the same-vantage baseline — despite 60-way closed-world accuracy remaining above 0.99 across all vantage-point pairs (Table 5). For Tor traffic the effect was weaker but still reached 25.2x (Asia-Pacific Southeast-1), showing path diversity also disrupts Tor-based fingerprinting.

2025-walsh-improved-open-world-fingerprinting §5.1, Table 5 evaluation

The paper establishes, for the first time in a large open-world scenario (64,000 unmonitored test videos), that HTTPS-only video stream fingerprinting is significantly easier than Tor-based fingerprinting because DASH adaptive bitrate selection introduces a second-order network-condition effect: clients request entirely different video segments at different quality levels depending on path conditions, causing traffic traces from different geographic vantage points to diverge at the application layer even when network conditions are nominally similar. This makes NOTA and synthetic training sample techniques less effective on Tor data due to inherent trace noisiness.

2025-walsh-improved-open-world-fingerprinting §4.5, §5.1 evaluation

Tor provides substantial and measurable protection against video stream fingerprinting: the best-case FPR at 0.5 recall is 0.0000063 for Tor versus 0.0000008 for HTTPS-only connections, roughly an 8x increase. Translating to world sizes, at 0.5 recall and 0.1 precision the maximum viable platform catalog is 42.9M videos over Tor versus 337.5M over HTTPS-only (Tables 3–4), confirming Tor degrades adversary capability even after an assumed prior website-fingerprinting step that identifies video platform visits.

2025-walsh-improved-open-world-fingerprinting §4.5.1, Tables 3–4 evaluation

An attacker who generates 10 defended copies of each training trace (re-sampling noise each time) improves Tik-Tok accuracy against DeTorrent from 31.9% to 48.2%, demonstrating that dataset augmentation with multiple defended samples is a practical countermeasure against randomized padding defenses including DeTorrent and FRONT.

2024-holland-detorrent §6.4 detection

DeTorrent exhibits strong diminishing returns in the bandwidth-performance tradeoff: increasing the dummy-download budget from N=1,000 to N=3,000 reduces Tik-Tok accuracy by ~19.1 percentage points, while a further increase from N=5,000 to N=7,000 yields only an additional 4.9-point reduction (accuracy floor near 20.8% at ~210% overhead). At the lowest tested budget (~40% overhead) Tik-Tok accuracy is still only 52.8%.

2024-holland-detorrent §6.2, Figure 6 evaluation

DeTorrent is implemented as a Tor pluggable transport on top of the WFPadTools/Obfsproxy framework and deployed against live Tor traffic; a modest VPS with 4 GB RAM and 2 vCPUs running at under 50% CPU utilization can defend five simultaneous connections in real time with no GPU required. Performance drops only 0.7% when the generator is trained on one dataset partition and tested on another.

2024-holland-detorrent §5.4 deployment

DeTorrent reduces closed-world Tik-Tok attack accuracy from 93.4% to 31.9% on the BE dataset — 10.5 percentage points better than the next-best padding-only defense (FRONT at 42.4%) — and reduces Deep Fingerprinting accuracy from 94.3% to 30.0%, at a bandwidth overhead of 98.9%. On the larger DF dataset, Tik-Tok accuracy falls from 97.7% to 79.5%.

2024-holland-detorrent §6.1, Table 4 evaluation

The authors propose a 'shim' pluggable transport that splits client traffic across N PT connections using unmodified existing PT bridges as proxies and a gateway bridge that correlates streams back into a Tor circuit via the Turbo Tunnel reliability pattern. This architecture enables all existing and future PTs to benefit from traffic splitting without modifying each PT's client or server code individually.

2024-lorimer-extended §3 defense

When a user splits traffic across N paths, a censor observing a single path sees only a partial trace, substantially reducing the accuracy of classifiers trained on complete network traces. Prior Tor traffic-splitting work (TrafficSliver, CoMPS, multipath Tor studies) has validated this defense against website fingerprinting outside the PT context.

2024-lorimer-extended §1, §4.2 defense

DeTorOS enables provable geographic avoidance for Tor onion services by running a TEE-backed Bento function as a trusted middlebox: both the client and the onion service upload their respective 3-hop circuit halves to this enclave, which computes the never-once or never-twice avoidance proof without revealing either party's circuit to the other.

2023-arora-detor-onion §3 defense

Relying on third-party email providers to verify users was demonstrated by Ling et al. to leave Tor's BridgeDB vulnerable to censors capable of creating multiple accounts, enabling bridge enumeration via sock-puppet attacks at scale. Active and passive detection techniques — including traffic flow analysis, DPI, website fingerprinting, and active probing — have been demonstrated in prior work to reveal Tor bridges, making Tor inaccessible for the majority of users in some regions.

2023-tulloch-lox §2.2.1 detection

Migrating the client IP address every 25–100 packets reduces state-of-the-art website fingerprinting attack accuracy to below 10% in the closed-world setting, outperforming advanced dedicated defenses such as HyWF multipathing. The mechanism works because most fingerprinting classifiers rely on as many packets per flow as possible, and flow splitting degrades feature quality.

2020-govil-mimiq §5 defense

SiegeBreaker explicitly acknowledges two unresolved attack vectors: (1) latency-based traffic analysis attacks (forced-asymmetry / RAD-style), which the system does not mitigate, and (2) website fingerprinting attacks against the proxied traffic, for which no defense is implemented. Additionally, the email-based control channel is vulnerable to a censor who can delay or block emails to the controller's address, disrupting rule installation before the client's SYN packet arrives.

2020-sharma-siegebreaker §3, §4.1, §4.3 detection

Waterfall's Overt User Simulator caches previously loaded overt-website responses and replays them to generate cover traffic, overcoming Slitheen's 40% downstream throughput ceiling (caused by restricting covert replacement to leaf HTTP objects only). Because downstream-only decoy routers intercept all downstream TLS records — not just leaf content — Waterfall achieves higher covert capacity while perfectly mimicking overt browsing patterns against traffic analysis.

2017-nasr-waterfall §9 defense

Schuchard et al. demonstrated that latency differences caused by a decoy routing proxy communicating with a distant covert destination are sufficient not only to detect the use of decoy routing but also to fingerprint which specific censored webpage the client accessed. All prior decoy routing systems (Telex, Cirripede, Curveball, TapDance, Rebound) remained vulnerable to this attack at time of publication.

2016-bocovich-slitheen §4.1 detection

Slitheen replaces only 'leaf' HTTP resources (images, video) in overt-site responses with covert content, reusing all TCP/IP headers verbatim and forwarding packets immediately on arrival. This forces every observable feature—packet size, direction, inter-arrival timing—to be identical to a genuine access of the overt page, eliminating the censor's ability to apply latency analysis, website fingerprinting, or protocol fingerprinting to distinguish decoy sessions from normal traffic.

2016-bocovich-slitheen §3.1, §4.1 defense

Table 1 shows Slitheen is the first decoy routing system to simultaneously defend against latency analysis, website fingerprinting, and protocol fingerprinting attacks, while also resisting TCP replay and Crazy Ivan active attacks. This security is achieved at the cost of requiring symmetric flows and inline blocking—requirements previously considered prohibitive—which the authors argue are increasingly met by commercial DPI traffic-shaping appliances (e.g., Sandvine) already deployed by ISPs.

2016-bocovich-slitheen §4.5, Table 1 evaluation

A domain-based website fingerprinting attack against CDNBrowsing traffic — using the per-domain packet volume exchanged during a browsing session as a decision-tree feature vector — achieves 0.991 ± 0.002 accuracy against CacheBrowser on 100 China/Iran-blocked HTTPS pages, modestly outperforming the state-of-the-art k-NN classifier of Wang et al. (0.94 ± 0.002) while being two orders of magnitude faster: 0.60 CPU-seconds training and 10 µs classification versus 90 CPU-seconds and 0.05 CPU-seconds on an Intel Xeon 3.5 GHz processor.

2016-zolfaghari-practical §3.2 detection

CDNReaper's Scrambler defeats domain-based and Wang et al. k-NN fingerprinting by injecting decoy requests uniformly distributed across ndom popular domains and dropping ~24% of advertisement/analytics requests (which constitute on average 24% of top-1000 Alexa page requests); even at low traffic overheads, fingerprinting accuracy drops significantly from the 0.991/0.94 baseline, with dropping traffic providing more benefit at lower overhead budgets.

2016-zolfaghari-practical §4.4 defense

A warden can fingerprint the specific covert destination a Telex user is visiting by comparing observed latency distributions against a pre-built database of covert-destination latencies. With an intelligently filtered database of only 10 distributions (K-S inter-entry threshold 0.8), the AUC is 0.868, and with approximately 12 collected samples the false positive rate drops below 10%. Larger databases (size 50) degrade to AUC 0.537 due to distribution similarity, but threshold-based filtering restores substantial discriminative power.

2012-schuchard-routing §5.3, Figures 7, 9 detection

A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.

2012-weinberg-stegotorus §5.2, Table 2 evaluation

Website fingerprinting attacks that match file sizes and access patterns against a database of known sites remain applicable to SkyF2F, but are limited to the granularity of 512-byte fixed-size stream cells, since streams are multiplexed within a single tunnel circuit. The authors note this is less effective than against SafeWeb, where full request/response sizes are directly observable.

2009-cao-skyf2f §V.A detection

Tor encrypts payload but does not obscure traffic volume, leaving a residual publisher-vs-reader asymmetry: a user publishing a home video generates a markedly different upload/download ratio than one reading news. The paper also notes that website fingerprinting attacks — where the adversary pre-downloads hundreds of popular sites and matches traffic patterns to a Tor client's stream — remain possible even through bridge circuits, and are exacerbated by Tor's varying supported protocols (web vs. IM produce different timing signatures).

2006-dingledine-design §8.2 detection