arxiv: 2605.05887 · v1 · submitted 2026-05-07 · 💻 cs.CR

Recognition: unknown

ActiveFlowMark: Assessing Tor Anonymity under Active Bandwidth Watermarking

Zilve Fan , Zijian Zhang , Yangnan Guo , Jiaqi Gao , Zhen Li , Mengyu Wang , Chengxiang Si , Liehuang Zhu

Authors on Pith no claims yet

Pith reviewed 2026-05-08 09:25 UTC · model grok-4.3

classification 💻 cs.CR

keywords Tor anonymityactive traffic analysisbandwidth watermarkingtraffic correlationneural network detectionside-channel attackinfrastructure-level attackflow marking

0 comments

The pith

Controlled bandwidth perturbations let an adversary mark and detect Tor flows at 99.65% F1 accuracy without endpoint access.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows that an upstream gateway can inject controlled throughput patterns into Tor flows, which an adversary observing exit relays can then detect to link entry and exit traffic. NATA performs the injection while BM-Net learns reusable representations from masked pre-training on traffic traces and adapts them to binary detection plus fine-grained modulation classification. Real Tor measurements yield 99.65% binary F1 and 97.5% macro-F1 for modulation, and simulations estimate exit-observation probability under bandwidth-weighted relay selection. A sympathetic reader would care because the method requires no browser modification, no payload changes, and no decryption, only gateway and exit control. If correct, it establishes active bandwidth perturbation as a practical infrastructure-level side channel for traffic correlation under the stated adversary model.

Core claim

NATA injects distinguishable throughput patterns into Tor flows through controlled bandwidth perturbations at an upstream gateway; BM-Net, a selective state-space framework, first learns traffic representations via masked pre-training on serialized traces and then adapts them to achieve 99.65% F1 on binary perturbation detection and 97.5% macro-F1 on fine-grained modulation classification across real cross-continental Tor paths, indicating that active bandwidth perturbation can function as an infrastructure-level side channel for traffic correlation.

What carries the argument

BM-Net, a selective state-space learning framework that separates self-supervised masked pre-training on traffic traces from supervised adaptation to binary detection and modulation classification.

If this is right

Active bandwidth perturbation works as a detectable side channel observable solely at exit relays without endpoint compromise.
The same patterns support both binary presence detection and classification of multiple modulation types at high accuracy.
Tornettools simulations show non-negligible exit-observation probability under standard bandwidth-weighted relay selection.
The approach remains non-invasive: no Tor-browser changes, no packet decryption, and no payload modification are required.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Tor relay operators or users might counter this by randomizing or smoothing bandwidth allocation at entry points.
The same perturbation-plus-representation-learning pattern could be tested on other low-latency anonymity systems that use similar path selection.
If gateways become common observation points, the effective adversary surface for Tor expands beyond traditional exit-relay control.

Load-bearing premise

The injected bandwidth patterns stay distinguishable from natural network variations on real cross-continental Tor paths without being masked or causing the detector to overfit to the measurement setup.

What would settle it

A new set of Tor path measurements in which BM-Net's binary F1 score falls substantially below 99% when the injected perturbation strength, path length, or background traffic variability is increased beyond the original evaluation settings.

Figures

Figures reproduced from arXiv: 2605.05887 by Chengxiang Si, Jiaqi Gao, Liehuang Zhu, Mengyu Wang, Yangnan Guo, Zhen Li, Zijian Zhang, Zilve Fan.

**Figure 1.** Figure 1: Operational threat model. The adversary shapes Tor-related traffic near the client side and passively observes traffic at adversary-controlled exit relays. view at source ↗

**Figure 2.** Figure 2: Overview of the NATA pipeline. The system operates in four phases: (I) active bandwidth shaping near the client-side gateway, (II) fixed-length view at source ↗

**Figure 3.** Figure 3: Egress bandwidth modulation patterns. The plot illustrates the captured view at source ↗

**Figure 4.** Figure 4: Feature analysis of the rolling average of inter-arrival times. The plot view at source ↗

**Figure 5.** Figure 5: Statistical feature analysis. The top pane shows raw bandwidth traces, view at source ↗

**Figure 6.** Figure 6: Confusion matrix counts for modulation classification on the 201- view at source ↗

read the original abstract

Low-latency anonymity networks such as Tor remain vulnerable to infrastructure-level traffic analysis that exploits side-channel information observable from encrypted communications. We introduce NATA, a non-invasive active traffic-correlation analysis algorithm that injects distinguishable throughput patterns into traffic flows through controlled bandwidth perturbations. Unlike passive correlation methods, NATA does not require endpoint compromise, Tor-browser modification, or packet-payload decryption or modification. It can be carried out by an adversary that controls an upstream network gateway and observes traffic at adversary-controlled exit relays. To identify perturbed flows under substantial network variability, we develop BM-Net (Bandwidth Modulation Network), a selective state-space learning framework adapted for bandwidth-modulation detection. Given the limited availability of high-fidelity ground truth on real-world cross-continental Tor paths, BM-Net adopts a data-efficient learning strategy that separates self-supervised representation learning from supervised task-specific classification. It first learns reusable traffic representations through masked pre-training on serialized traffic traces, and then adapts these representations to binary perturbation detection and fine-grained modulation classification using task-specific labeled data. Through real Tor traffic measurements, BM-Net achieves a 99.65% binary detection F1 score and a 97.5% macro-F1 score for fine-grained modulation classification under our evaluated settings. In addition, tornettools-based scaled simulations are used to estimate exit-observation probability under bandwidth-weighted relay selection. These results suggest that active bandwidth perturbation can serve as an infrastructure-level side channel for traffic correlation under a clearly defined adversary model.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows a workable active bandwidth perturbation attack on Tor with high reported detection rates from real traces, but the evaluation details are too thin to judge if it generalizes.

read the letter

The main point is that the authors describe an active attack called NATA that injects controlled bandwidth patterns at an upstream gateway and detects them at the exit using BM-Net, a selective state-space model. They report 99.65% binary F1 and 97.5% macro-F1 on real Tor traffic plus some simulation estimates for exit observation probability. If the numbers hold, this would be a practical infrastructure-level side channel without needing endpoint access or decryption.

Referee Report

2 major / 2 minor

Summary. The manuscript introduces NATA, a non-invasive active traffic-correlation algorithm that injects distinguishable throughput patterns into Tor flows via controlled bandwidth perturbations at an upstream gateway, observable at exit relays. It develops BM-Net, a selective state-space model that uses masked pre-training on serialized traces for reusable representations followed by supervised adaptation for binary perturbation detection and fine-grained modulation classification. The central empirical claims are 99.65% binary detection F1 and 97.5% macro-F1 on real Tor measurements, plus tornettools-based simulations estimating exit-observation probability under bandwidth-weighted relay selection, suggesting active bandwidth perturbation as an infrastructure-level side channel under a defined adversary model.

Significance. If the empirical results prove robust, the work would meaningfully advance understanding of Tor anonymity by demonstrating a practical active attack that requires neither endpoint compromise nor payload access. The data-efficient strategy separating self-supervised representation learning from task-specific classification is a clear strength given the acknowledged scarcity of high-fidelity cross-continental ground truth. The combination of real measurements and scaled simulations provides a concrete basis for assessing the attack's feasibility.

major comments (2)

[Abstract and evaluation section] The abstract (and the evaluation section reporting the F1 scores) presents 99.65% binary F1 and 97.5% macro-F1 without any description of data-collection procedures, number of traces collected, path diversity, perturbation parameter ranges, exclusion criteria, error bars, or validation splits. This is load-bearing for the central claim because the distinguishability of controlled perturbations from natural cross-continental jitter and congestion is the key assumption; absent these details it is impossible to determine whether the scores reflect genuine generalization or setup-specific statistics.
[BM-Net architecture and results] The description of BM-Net's masked pre-training and subsequent adaptation provides no ablation studies, feature analysis, or comparison against simpler baselines (e.g., statistical tests on throughput variance) that would demonstrate the model isolates the injected modulations rather than overfitting to the particular measurement traces. This directly affects the claim that the learned representations support an infrastructure-level side channel under the stated adversary model.

minor comments (2)

[Introduction] Clarify the exact adversary model (e.g., which relays or gateways are assumed controlled) in the introduction so readers can immediately map the threat model to the reported probabilities.
[Abstract] The phrase 'under our evaluated settings' in the abstract should be expanded or cross-referenced to a table summarizing the concrete parameters (bandwidth perturbation amplitudes, trace lengths, number of paths) used for the F1 measurements.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments highlight important aspects of how our empirical claims are presented, and we will revise the manuscript to improve clarity and provide additional supporting analyses while preserving the core contributions.

read point-by-point responses

Referee: [Abstract and evaluation section] The abstract (and the evaluation section reporting the F1 scores) presents 99.65% binary F1 and 97.5% macro-F1 without any description of data-collection procedures, number of traces collected, path diversity, perturbation parameter ranges, exclusion criteria, error bars, or validation splits. This is load-bearing for the central claim because the distinguishability of controlled perturbations from natural cross-continental jitter and congestion is the key assumption; absent these details it is impossible to determine whether the scores reflect genuine generalization or setup-specific statistics.

Authors: We agree that the abstract is concise by nature and that the evaluation section would benefit from a more explicit, consolidated summary of the experimental methodology to allow readers to evaluate the robustness of the reported F1 scores against natural network variability. The full manuscript describes the real-world Tor measurement setup in Section 4 (including cross-continental paths, controlled bandwidth perturbations at an upstream gateway, and collection of perturbed versus unperturbed flows) and reports 5-fold cross-validation results in Section 5. However, we acknowledge that a dedicated summary of trace counts, path diversity, parameter ranges, exclusion criteria, and error bars is not presented at a level that makes these elements immediately accessible. In the revised manuscript we will add a summary table and expanded text in Section 5 detailing the number of traces collected, the diversity of paths used, the specific perturbation parameter ranges, how anomalous traces were excluded, and the validation procedure. We will also briefly reference these elements in the abstract. This revision will directly address the concern about distinguishing injected modulations from natural jitter without changing the reported performance numbers. revision: yes
Referee: [BM-Net architecture and results] The description of BM-Net's masked pre-training and subsequent adaptation provides no ablation studies, feature analysis, or comparison against simpler baselines (e.g., statistical tests on throughput variance) that would demonstrate the model isolates the injected modulations rather than overfitting to the particular measurement traces. This directly affects the claim that the learned representations support an infrastructure-level side channel under the stated adversary model.

Authors: We agree that ablation studies, feature analysis, and baseline comparisons are necessary to substantiate that BM-Net's performance derives from learning the controlled bandwidth modulations rather than dataset-specific artifacts. The current manuscript focuses on describing the selective state-space architecture, the masked pre-training strategy for reusable representations, and the subsequent supervised adaptation, but does not include the requested ablations or comparisons. In the revision we will add (1) an ablation removing the masked pre-training stage to quantify its contribution, (2) a comparison against simpler statistical baselines such as variance-based or autocorrelation tests on throughput traces, and (3) a feature analysis or visualization of the learned state-space representations to illustrate that they capture the injected perturbation patterns. These additions will strengthen the evidence that the approach generalizes beyond the specific measurement traces and supports the infrastructure-level side-channel claim under the defined adversary model. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical ML detection results are measured outcomes, not derivations reducing to inputs

full rationale

The paper reports direct empirical results from real Tor traffic measurements and a data-efficient ML pipeline (masked pre-training on serialized traces followed by supervised classification on labeled data). The 99.65% binary F1 and 97.5% macro-F1 scores are performance metrics obtained on held-out test traces under the evaluated settings, not quantities derived by construction from fitted parameters or prior self-citations. No equations, uniqueness theorems, or ansatzes are invoked that loop back to the input data or model choices. The simulation estimates using tornettools are likewise separate scaled experiments. The work is self-contained against external benchmarks (real cross-continental traces) with no load-bearing self-referential steps.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available, so the ledger reflects components described at high level: the NATA perturbation injection and BM-Net learning pipeline. No explicit free parameters, axioms, or invented physical entities are stated.

pith-pipeline@v0.9.0 · 5587 in / 1190 out tokens · 34025 ms · 2026-05-08T09:25:55.294612+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

52 extracted references · 4 canonical work pages

[1]

Com- promising anonymity using packet spinning,

V . Pappas, E. Athanasopoulos, S. Ioannidis, and E. P. Markatos, “Com- promising anonymity using packet spinning,” inProceedings of the 12th Information Security Conference (ISC), 2008, pp. 161–174

2008
[2]

Denial of service or denial of security? How attacks on reliability can compromise anonymity,

N. Borisov, G. Danezis, P. Mittal, and P. Tabriz, “Denial of service or denial of security? How attacks on reliability can compromise anonymity,” inProceedings of the 14th ACM Conference on Computer and Communications Security (CCS), 2007, pp. 92–102

2007
[3]

Trawling for Tor hidden services: Detection, measurement, deanonymization,

A. Biryukov, I. Pustogarov, and R.-P. Weinmann, “Trawling for Tor hidden services: Detection, measurement, deanonymization,” inPro- ceedings of the IEEE Symposium on Security and Privacy (S&P), 2013, pp. 80–94

2013
[4]

Dropping on the edge: Flexibility and traffic confirmation in onion routing protocols,

F. Rochet and O. Pereira, “Dropping on the edge: Flexibility and traffic confirmation in onion routing protocols,”Proceedings on Privacy Enhancing Technologies (PoPETs), vol. 2018, no. 2, pp. 27–46, 2018

2018
[5]

RAINBOW: A robust and invisible non-blind watermark for network flows,

A. Houmansadr, N. Kiyavash, and N. Borisov, “RAINBOW: A robust and invisible non-blind watermark for network flows,” inProceedings of the 16th Network and Distributed System Security Symposium (NDSS), 2009

2009
[6]

Tracing traffic through intermediate hosts that repacketize flows,

Y . J. Pyun, Y . H. Park, X. Wang, D. S. Reeves, and P. Ning, “Tracing traffic through intermediate hosts that repacketize flows,” inProceedings of the IEEE INFOCOM, 2007, pp. 634–642

2007
[7]

Tracking anonymous peer-to-peer V oIP calls on the internet,

X. Wang, S. Chen, and S. Jajodia, “Tracking anonymous peer-to-peer V oIP calls on the internet,” inProceedings of the 12th ACM Conference on Computer and Communications Security (CCS), 2005, pp. 81–91

2005
[8]

SWIRL: A scalable watermark to detect correlated network flows,

A. Houmansadr and N. Borisov, “SWIRL: A scalable watermark to detect correlated network flows,” inProceedings of the 18th Network and Distributed System Security Symposium (NDSS), 2011

2011
[9]

Sliding window based ON/OFF flow watermarking on Tor,

K. Yang, Z. Liu, Y . Zeng, and J. Ma, “Sliding window based ON/OFF flow watermarking on Tor,”Computer Communications, vol. 196, pp. 66–75, 2022

2022
[10]

The DUSTER attack: Tor onion service attribution based on flow watermarking with track hiding,

A. Iacovazzi, D. Frassinelli, and Y . Elovici, “The DUSTER attack: Tor onion service attribution based on flow watermarking with track hiding,” inProceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 2019, pp. 213–225

2019
[11]

AttCorr: A novel deep learning model for flow correlation attacks on Tor,

J. Li, C. Gu, X. Zhang, X. Chen, and W. Liu, “AttCorr: A novel deep learning model for flow correlation attacks on Tor,” inProceedings of the IEEE International Conference on Consumer Electronics and Computer Engineering (ICCECE), 2021, pp. 427–430

2021
[12]

DeepCoFFEA: Improved flow correlation attacks on Tor via metric learning and amplification,

S. E. Oh, T. Yang, N. Mathews, J. K. Holland, M. S. Rahman, N. Hopper, and M. Wright, “DeepCoFFEA: Improved flow correlation attacks on Tor via metric learning and amplification,” inProceedings of the IEEE Symposium on Security and Privacy (S&P), 2022, pp. 1915–1932

2022
[13]

FlowTracker: Improved flow correlation attacks with denoising and contrastive learning,

Z. Guan, C. Liu, G. Xiong, J. Li, and L. Zhu, “FlowTracker: Improved flow correlation attacks with denoising and contrastive learning,”Com- puters & Security, vol. 125, p. 103018, 2023

2023
[14]

DeepCorr: Strong flow correlation attacks on Tor using deep learning,

M. Nasr, A. Bahramali, and A. Houmansadr, “DeepCorr: Strong flow correlation attacks on Tor using deep learning,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018, pp. 1927–1940

2018
[15]

Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,

P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,” in Proceedings of the ACM SIGSAC Conference on Computer and Com- munications Security (CCS), 2018, pp. 1928–1943. 14

2018
[16]

Mockingbird: Defending against deep-learning-based website finger- printing attacks with adversarial traces,

M. S. Rahman, P. Srijith, K. Mathews, N. Hopper, and M. Wright, “Mockingbird: Defending against deep-learning-based website finger- printing attacks with adversarial traces,”IEEE Transactions on Infor- mation Forensics and Security, vol. 16, pp. 1594–1609, 2021

2021
[17]

Zero-delay lightweight defenses against website fingerprinting,

J. Gong and T. Wang, “Zero-delay lightweight defenses against website fingerprinting,” inProceedings of the USENIX Security Symposium, 2020, pp. 717–734

2020
[18]

A critical evaluation of website fingerprinting attacks,

M. Juarez, S. Afroz, G. Acar, C. Diaz, and R. Greenstadt, “A critical evaluation of website fingerprinting attacks,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2014, pp. 263–274

2014
[19]

k-fingerprinting: A robust scalable website fingerprinting technique,

J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable website fingerprinting technique,” inProceedings of the USENIX Security Sym- posium, 2016, pp. 1187–1203

2016
[20]

Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial Na¨ıve-Bayes classifier,

D. Herrmann, R. Wendolsky, and H. Federrath, “Website fingerprinting: Attacking popular privacy enhancing technologies with the multinomial Na¨ıve-Bayes classifier,” inProceedings of the ACM Cloud Computing Security Workshop (CCSW), 2009, pp. 31–42

2009
[21]

RAPTOR: Routing attacks on privacy in Tor,

Y . Sun, A. Edmundson, L. Vanbever, O. Li, J. Rexford, M. Chiang, and P. Mittal, “RAPTOR: Routing attacks on privacy in Tor,” inProceedings of the USENIX Security Symposium, 2015, pp. 271–286

2015
[22]

Counter- RAPTOR: Safeguarding Tor against active routing attacks,

Y . Sun, A. Edmundson, N. Feamster, M. Chiang, and P. Mittal, “Counter- RAPTOR: Safeguarding Tor against active routing attacks,” inProceed- ings of the IEEE Symposium on Security and Privacy (S&P), 2017, pp. 376–392

2017
[23]

Measuring and mitigating AS-level adversaries against Tor,

R. Nithyanand, O. Starov, A. Zair, P. Gill, and M. Schapira, “Measuring and mitigating AS-level adversaries against Tor,” inProceedings of the Network and Distributed System Security Symposium (NDSS), 2016

2016
[24]

CLAPS: Client location-aware path selection in Tor,

F. Rochet, R. Wails, A. Johnson, P. Mittal, and O. Pereira, “CLAPS: Client location-aware path selection in Tor,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2020, pp. 1681–1698

2020
[25]

LASTor: A low-latency AS-aware Tor client,

M. Akhoondi, C. Yu, and H. V . Madhyastha, “LASTor: A low-latency AS-aware Tor client,” inProceedings of the IEEE Symposium on Security and Privacy (S&P), 2012, pp. 476–490

2012
[26]

Circuit fingerprinting attacks: Passive deanonymization of Tor hidden services,

A. Kwon, M. AlSabah, D. Lazar, M. Dacier, and S. Devadas, “Circuit fingerprinting attacks: Passive deanonymization of Tor hidden services,” inProceedings of the USENIX Security Symposium, 2015, pp. 287–302

2015
[27]

How unique is your .onion?: An analysis of the fingerprintability of Tor onion services,

R. Overdorf, M. Juarez, G. Acar, R. Greenstadt, and C. Diaz, “How unique is your .onion?: An analysis of the fingerprintability of Tor onion services,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2017, pp. 2021–2036

2017
[28]

De- anonymisation attacks on Tor: A survey,

I. Karunanayake, N. Ahmed, R. Malaney, R. Islam, and S. K. Jha, “De- anonymisation attacks on Tor: A survey,”IEEE Communications Surveys & Tutorials, vol. 23, no. 4, pp. 2324–2351, 2021

2021
[29]

Traffic analysis attacks on Tor: A survey,

L. Basyoni, N. Fetais, A. Erbad, A. Mohamed, and M. Guizani, “Traffic analysis attacks on Tor: A survey,” inProceedings of the IEEE Inter- national Conference on Informatics, IoT, and Enabling Technologies (ICIoT), 2020, pp. 183–188

2020
[30]

Low-cost traffic analysis of Tor,

S. J. Murdoch and G. Danezis, “Low-cost traffic analysis of Tor,” in Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2005, pp. 183–195

2005
[31]

Spoiled onions: Exposing malicious Tor exit relays,

P. Winter, R. K ¨ower, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lind- skog, and E. Weippl, “Spoiled onions: Exposing malicious Tor exit relays,” inProceedings on Privacy Enhancing Technologies (PoPETs), vol. 2014, no. 1, pp. 304–331, 2014

2014
[32]

Website fingerprinting defenses at the application layer,

G. Cherubin, J. Hayes, and M. Juarez, “Website fingerprinting defenses at the application layer,” inProceedings on Privacy Enhancing Tech- nologies (PoPETs), vol. 2017, no. 2, pp. 186–203, 2017

2017
[33]

Traffic morphing: An efficient defense against statistical traffic analysis,

C. V . Wright, S. E. Coull, and F. Monrose, “Traffic morphing: An efficient defense against statistical traffic analysis,” inProceedings of the 16th Network and Distributed System Security Symposium (NDSS), 2009

2009
[34]

Tor: The second- generation onion router,

R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second- generation onion router,” inProceedings of the USENIX Security Sym- posium, 2004, pp. 303–320

2004
[35]

Privacy-preserving dynamic learning of Tor network traffic,

R. Jansen, M. Traudt, and N. Hopper, “Privacy-preserving dynamic learning of Tor network traffic,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2018, pp. 1914–1929

2018
[36]

Shadow: Running Tor in a box for accurate and efficient experimentation,

R. Jansen and N. Hopper, “Shadow: Running Tor in a box for accurate and efficient experimentation,” inProceedings of the 19th Network and Distributed System Security Symposium (NDSS), 2012

2012
[37]

Content and popularity analysis of Tor hidden services,

A. Biryukov, I. Pustogarov, F. Thill, and R.-P. Weinmann, “Content and popularity analysis of Tor hidden services,” inProceedings of the IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW), 2014, pp. 188–193

2014
[38]

Hot or not: Revealing hidden services by their clock skew,

S. J. Murdoch, “Hot or not: Revealing hidden services by their clock skew,” inProceedings of the ACM Conference on Computer and Communications Security (CCS), 2006, pp. 27–36

2006
[39]

Locating hidden servers,

L. Overlier and P. Syverson, “Locating hidden servers,”2006 IEEE Symposium on Security and Privacy (S&P’06), Berkeley/Oakland, CA, USA, 2006, pp. 100–114, doi: 10.1109/SP.2006.24

work page doi:10.1109/sp.2006.24 2006
[40]

AS-awareness in Tor path selection,

M. Edman and P. Syverson, “AS-awareness in Tor path selection,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2009, pp. 380–389

2009
[41]

Timing analysis in low-latency mix networks: Attacks and defenses,

V . Shmatikov and M.-H. Wang, “Timing analysis in low-latency mix networks: Attacks and defenses,” inProceedings of the European Symposium on Research in Computer Security (ESORICS), 2006, pp. 18–33

2006
[42]

Automated website fingerprinting through deep learning,

V . Rimmer, D. Preuveneers, M. Juarez, T. Van Goethem, and W. Joosen, “Automated website fingerprinting through deep learning,” inProceed- ings of the Network and Distributed System Security Symposium (NDSS), 2018

2018
[43]

Tik-Tok: The utility of packet timing in website fingerprint- ing attacks,

M. S. Rahman, P. Sirinam, N. Mathews, K. G. Gangadhara, and M. Wright, “Tik-Tok: The utility of packet timing in website fingerprint- ing attacks,”Proceedings on Privacy Enhancing Technologies, vol. 2020, no. 3, pp. 5–24, 2020

2020
[44]

Var-CNN: A data-efficient website fingerprinting attack based on deep learning,

S. Bhat, D. Lu, A. Kwon, and S. Devadas, “Var-CNN: A data-efficient website fingerprinting attack based on deep learning,”Proceedings on Privacy Enhancing Technologies, vol. 2019, no. 4, pp. 292–310, 2019

2019
[45]

Triplet fingerprinting: More practical and portable website fingerprinting with N-shot learning,

P. Sirinam, N. Mathews, M. S. Rahman, and M. Wright, “Triplet fingerprinting: More practical and portable website fingerprinting with N-shot learning,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2019, pp. 1131–1148

2019
[46]

Robust multi-tab website fingerprinting attacks in the wild,

X. Deng, Q. Yin, Z. Liu, X. Zhao, Q. Li, M. Xu, K. Xu, and J. Wu, “Robust multi-tab website fingerprinting attacks in the wild,” inProceedings of the IEEE Symposium on Security and Privacy (S&P), 2023, pp. 1005–1022

2023
[47]

Subverting website fingerprinting defenses with robust traffic representation,

M. Shen, K. Ji, Z. Gao, Q. Li, L. Zhu, and K. Xu, “Subverting website fingerprinting defenses with robust traffic representation,” inProceedings of the 32nd USENIX Security Symposium (USENIX Security), 2023, pp. 607–624

2023
[48]

Realistic website fingerprinting by augmenting network traces,

A. Bahramali, A. Bozorgi, and A. Houmansadr, “Realistic website fingerprinting by augmenting network traces,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023, doi: 10.1145/3576915.3616639

work page doi:10.1145/3576915.3616639 2023
[49]

Transformer-based model for multi- tab website fingerprinting attack,

Z. Jin, T. Lu, S. Luo, and J. Shang, “Transformer-based model for multi- tab website fingerprinting attack,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2023, pp. 1050–1064, doi: 10.1145/3576915.3623107

work page doi:10.1145/3576915.3623107 2023
[50]

Robust and reliable early-stage web- site fingerprinting attacks via spatial-temporal distribution analysis,

X. Deng, Q. Li, and K. Xu, “Robust and reliable early-stage web- site fingerprinting attacks via spatial-temporal distribution analysis,” inProceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), 2024

2024
[51]

BAPM: Block attention profiling model for multi-tab website fingerprinting attacks on Tor,

Z. Guan, G. Xiong, G. Gou, Z. Li, M. Cui, and C. Liu, “BAPM: Block attention profiling model for multi-tab website fingerprinting attacks on Tor,” inProceedings of the Annual Computer Security Applications Con- ference (ACSAC), 2021, pp. 248–259, doi: 10.1145/3485832.3485891

work page doi:10.1145/3485832.3485891 2021
[52]

NetMamba: Efficient network traffic classification via pre-training unidirectional Mamba,

T. Wang, X. Xie, W. Wang, C. Wang, Y . Zhao, and Y . Cui, “NetMamba: Efficient network traffic classification via pre-training unidirectional Mamba,” inProceedings of the IEEE International Conference on Network Protocols (ICNP), 2024, pp. 1–11

2024