2026-yuan-demux-boundary-aware-multi-scale
DEMUX: Boundary-Aware Multi-Scale Traffic Demixing for Multi-Tab Website Fingerprinting
arXiv: 2604.15677
findings extracted from this paper
A plug-and-play Boundary Preserving Aggregation Module (overlapping window partitioning with joint packet- and burst-level features, W=20ms, stride=10ms) consistently improves existing WF baselines without architectural modification: applied to DF, AUC rises from 0.780 to 0.901 and P@5 from 0.315 to 0.545; applied to ARES'25, P@5 rises from 0.869 to 0.900 in the open-world 5-tab setting. The module's consistent gains across all three tested baselines confirm that fixed non-overlapping window segmentation is a structural vulnerability in prior WF pipelines.
DEMUX achieves a P@5 of 0.943 and MAP@5 of 0.961 in the closed-world 5-tab multi-tab website fingerprinting setting, outperforming the strongest prior baseline (ARES'25) by 9.2 and 6.2 percentage points respectively. ARES'25's P@K degrades from 0.900 at 2-tab to 0.851 at 5-tab (a drop of 4.9 pp), while DEMUX improves from 0.926 to 0.943 over the same range, expanding the absolute margin from 2.6 to over 9 points.
In the open-world 5-tab setting — where each trace contains one unmonitored site, substantially increasing noise and class imbalance — DEMUX achieves AUC of 0.998, P@5 of 0.951, and MAP@5 of 0.966, while ARES'25 achieves 0.988/0.869/0.911. DEMUX's advantage widens in the open-world setting (the P@5 gap grows from 2.6 pp to 8.2 pp versus closed-world), confirming that state-of-the-art WF attacks are not defeated by open-world conditions or unmonitored co-browsing traffic.
The Traffic Aggregation Matrix (TAM) representation used by the RF baseline — which records per-direction packet counts over fixed time slots rather than tracking per-packet sequences — shows unexpectedly strong robustness under TrafficSliver, achieving P@2 of 0.702, substantially exceeding all other CNN-based methods under that defense. Var-CNN similarly achieves P@2 of 0.826 under TrafficSliver despite mediocre no-defense performance, suggesting that tolerance to partial packet loss is architecturally separable from peak single-observer accuracy.
Under the TrafficSliver defense — which splits traffic across multiple Tor entry nodes so no single observer sees more than a partial fraction of packets — TMWF collapses to a P@2 of 0.399 and ARES'23 to 0.429, while DEMUX retains a P@2 of 0.940, exceeding the next-best competitor by 2.5 points. WTF-PAD and FRONT are substantially weaker defenses, with most methods maintaining near-baseline performance under WTF-PAD.
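An added illustration of the window-segmentation finding above (not code from the paper or its authors): it contrasts fixed slots with overlapping windows at W=20 ms, stride=10 ms on a constructed trace. The per-window features (directional counts and longest same-direction run), the trace, and all function names are assumptions, since the page does not specify the module's exact features.

```python
from itertools import groupby

# Constructed sample trace (not from the paper): (timestamp_ms, direction),
# +1 = outgoing, -1 = incoming. A 6-packet incoming burst spans t=17..23 ms,
# straddling the 20 ms boundary of a fixed segmentation.
TRACE = [(2, 1), (4, -1), (6, 1),
         (17, -1), (18, -1), (19, -1), (21, -1), (22, -1), (23, -1),
         (35, 1), (38, -1)]


def longest_burst(directions):
    """Length of the longest run of consecutive same-direction packets."""
    return max((len(list(run)) for _, run in groupby(directions)), default=0)


def window_features(trace, width_ms, stride_ms, end_ms):
    """Return one (start_ms, n_out, n_in, longest_burst) tuple per window.

    stride_ms == width_ms gives fixed non-overlapping slots;
    stride_ms < width_ms gives overlapping windows.
    """
    rows = []
    for start in range(0, end_ms, stride_ms):
        dirs = [d for t, d in trace if start <= t < start + width_ms]
        rows.append((start, dirs.count(1), dirs.count(-1), longest_burst(dirs)))
    return rows


def max_burst_seen(rows):
    """Largest burst length visible in any single window."""
    return max(row[3] for row in rows)


# Fixed slots cut the burst in two; the overlapping window at 10 ms holds it whole.
FIXED = window_features(TRACE, width_ms=20, stride_ms=20, end_ms=40)
OVERLAP = window_features(TRACE, width_ms=20, stride_ms=10, end_ms=40)

if __name__ == "__main__":
    for name, rows in (("fixed", FIXED), ("overlapping", OVERLAP)):
        print(name)
        for row in rows:
            print("  start=%2d ms out=%d in=%d longest_burst=%d" % row)
```

With fixed slots no window ever contains more than half of the boundary-straddling burst, which is the information loss the finding attributes to non-overlapping segmentation.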