arxiv: 2605.11402 · v1 · submitted 2026-05-12 · 💻 cs.LG · cs.CR· cs.NI

Recognition: no theorem link

More Than Meets the Eye: A Semantics-Aware Traffic Augmentation Framework for Generalizable Website Fingerprinting

Youquan Xian , Xueying Zeng , Lingjia Meng , Lei Cui , Runhan Song , Wei Wang , Zhengquan Ding , Peng Liu , Zhiyu Hao

Authors on Pith no claims yet

Pith reviewed 2026-05-13 02:01 UTC · model grok-4.3

classification 💻 cs.LG cs.CRcs.NI

keywords website fingerprintingtraffic augmentationsemantic augmentationknowledge distillationgeneralizationopen-world classificationnetwork traffic analysisdeep learning

0 comments

The pith

SATA augments website traffic with protocol-rule semantics and cross-layer alignment to generate realistic patterns missing from training data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper claims that website fingerprinting models lose accuracy on real data because application resource mixes vary and packet features shift after encapsulation. SATA counters this by first applying protocol rules to expand resource compositions and frame sequences within each flow, then using knowledge distillation to match the augmented frame features against observable packet-length sequences. The result is traffic traces that never appeared in training yet occur in test sets, lifting model performance across closed- and open-world conditions. A reader would care because the same distribution-shift problem limits many network classifiers that must work outside laboratory traces.

Core claim

The central claim is that protocol-rule-based semantic augmentation of application-layer frame sequences, followed by knowledge-distillation alignment between those sequences and packet-length sequences, produces traffic patterns absent from the training distribution yet genuinely present in test data; when mainstream models are trained on the resulting augmented set, accuracy and AUROC rise substantially, especially in open-world settings where the reported gains reach 90.81 percent accuracy and 48.37 percent AUROC.

What carries the argument

SATA's two-stage process of protocol-constrained semantic augmentation of frame sequences followed by knowledge-distillation alignment to packet-length sequences.

If this is right

Models trained on SATA-augmented traces identify websites more reliably when test conditions differ in location or time from training.
The generated patterns fill gaps in the training distribution while obeying the same protocol constraints as real traffic.
Cross-layer alignment reduces the mismatch between semantic resource choices and the packet features a classifier actually sees.
Mainstream deep-learning fingerprinting systems gain accuracy and AUROC without requiring new labeled real-world collections.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same rule-based augmentation plus distillation pattern could be tested on other traffic-classification tasks that suffer geographic or temporal shifts.
If the synthetic traces prove indistinguishable from real ones in statistical tests, data-collection budgets for robust models could shrink.
The cross-layer alignment step suggests a general recipe for fusing high-level protocol semantics with low-level observable features in any multi-layer network analysis.

Load-bearing premise

Protocol-rule augmentation produces novel traffic patterns that match genuine real-world variability without introducing unrealistic artifacts.

What would settle it

Check whether the exact frame-sequence and packet-length combinations created by SATA actually occur in fresh, unaugmented test traces collected under the same protocols; if they do not, or if removing the distillation step erases the performance lift, the central claim fails.

Figures

Figures reproduced from arXiv: 2605.11402 by Lei Cui, Lingjia Meng, Peng Liu, Runhan Song, Wei Wang, Xueying Zeng, Youquan Xian, Zhengquan Ding, Zhiyu Hao.

**Figure 2.** Figure 2: Illustrative example of cross-domain resource aggregation caused by [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

**Figure 3.** Figure 3: Illustrative example of flow-level resource distribution variation [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗

**Figure 4.** Figure 4: Illustrative example of packet length sequence instability caused by [PITH_FULL_IMAGE:figures/full_fig_p004_4.png] view at source ↗

**Figure 5.** Figure 5: The workflow of SATA is as follows: (1) Dataset Construction module establishes precise alignment between plaintext resources and encrypted traffic, [PITH_FULL_IMAGE:figures/full_fig_p005_5.png] view at source ↗

**Figure 6.** Figure 6: Cross-layer feature alignment architecture. [PITH_FULL_IMAGE:figures/full_fig_p007_6.png] view at source ↗

**Figure 7.** Figure 7: Performance improvements of SATA across different open-world recognition mechanisms. [PITH_FULL_IMAGE:figures/full_fig_p009_7.png] view at source ↗

**Figure 8.** Figure 8: Impact of resource recomposition on pattern coverage at flow and trace granularities. [PITH_FULL_IMAGE:figures/full_fig_p010_8.png] view at source ↗

**Figure 9.** Figure 9: Impact of frame sequence augmentation on pattern coverage at resource and flow granularities. [PITH_FULL_IMAGE:figures/full_fig_p010_9.png] view at source ↗

**Figure 10.** Figure 10: Overlap between GPLS and real PLS across datasets. [PITH_FULL_IMAGE:figures/full_fig_p010_10.png] view at source ↗

**Figure 11.** Figure 11: Robustness evaluation of different feature levels against transmission [PITH_FULL_IMAGE:figures/full_fig_p011_11.png] view at source ↗

**Figure 12.** Figure 12: Stable flow ratio across datasets. Singapore-A SouthKorea-A France-A 0.00 0.05 0.10 0.15 0.20 0.25 0.30 Stable Flow Ratio 22.4% 22.1% 16.7% [PITH_FULL_IMAGE:figures/full_fig_p014_12.png] view at source ↗

**Figure 13.** Figure 13: Resource consistency in stable subset. a) Stability of resource composition within Flows: We first examine the consistency of the resource set carried by a single flow for the same webpage across different traffic traces. As shown in [PITH_FULL_IMAGE:figures/full_fig_p014_13.png] view at source ↗

**Figure 15.** Figure 15: Classification error rate of different protocol. [PITH_FULL_IMAGE:figures/full_fig_p015_15.png] view at source ↗

**Figure 16.** Figure 16: An illustration of the HTTP/2 connection coalescing mechanism. [PITH_FULL_IMAGE:figures/full_fig_p015_16.png] view at source ↗

**Figure 17.** Figure 17: Frame sequence variability for the same resource, showing stable structures and local perturbations across repeated accesses. [PITH_FULL_IMAGE:figures/full_fig_p016_17.png] view at source ↗

**Figure 18.** Figure 18: Wireshark-based analysis of HTTP/2 header compression, illustrating the impact of [PITH_FULL_IMAGE:figures/full_fig_p017_18.png] view at source ↗

**Figure 19.** Figure 19: Concurrent transmission of continuous HEADERS frames driven by HTTP/2 multiplexing mechanism in Wireshark. work for traffic fingerprinting,” in 32nd USENIX security symposium (USENIX Security 23), 2023, pp. 589–606. [18] B. AlOmar, Z. Trabelsi, and S. Alrabaee, “Detection of tor network obfuscated traffic using bidirectional generative adversarial network,” Computer Networks, p. 111586, 2025. [19] X. Jian… view at source ↗

read the original abstract

Deep learning-based website fingerprinting has emerged as an effective technique for inferring the websites users visit. Although existing methods achieve strong performance on closed-world datasets, they often fail to generalize to real-world environments, especially under geographic and temporal shifts. This limitation fundamentally stems from the coupled effects of two key challenges: application-layer resource composition variability and observable feature instability induced by cross-layer encapsulation. Intertwined, these factors induce systematic shifts between underlying application semantics and observable traffic features. To address the above challenges, we propose SATA , a semantics-aware traffic augmentation framework. Specifically, SATA first performs application-layer semantic augmentation based on protocol rules, expanding the resource composition patterns within each flow and frame sequence patterns under protocol constraints. Based on these augmented frame sequences, we further introduce a cross-layer feature alignment mechanism via knowledge distillation. It aligns frame sequence with packet-length sequence features, enabling cross-layer feature alignment between enhanced semantics and observable sequences. Extensive experiments show that SATA successfully generates traffic patterns that are absent from the training set but genuinely exist in the test set, and significantly improves the performance of mainstream models across diverse and complex scenarios. In particular, in open-world settings, SATA improves ACC by 90.81% and AUROC by 48.37%. The source code of the prototype system is available at https://anonymous.4open.science/r/SATA-B6C2/.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

SATA pairs protocol-constrained semantic augmentation with cross-layer distillation to target generalization gaps in website fingerprinting, but the abstract's large open-world gains lack supporting controls and could stem from artifacts rather than genuine distribution matching.

read the letter

The core idea is straightforward: expand resource compositions and frame sequences inside protocol rules, then distill to align those with packet-length features so models handle geographic and temporal shifts better. This directly tackles the two intertwined problems the abstract names—application-layer variability and cross-layer feature instability—and the authors release code, which lets others check the pipeline quickly. That combination of targeted augmentation and alignment is the main new piece; prior work has used augmentation or distillation separately, but not this constrained pairing for traffic semantics. The approach is practical for people already running fingerprinting experiments and gives a concrete handle on why closed-world models collapse outside the lab. The numbers they report—an 90% ACC lift and 48% AUROC lift in open-world—are eye-catching if they hold. The soft spot is exactly the one the stress-test flags: rule-based expansion can create frame patterns that satisfy the protocol yet diverge from real stochastic timing, header quirks, or noise that appear in actual test traces. Without ablations showing the generated sequences really exist in the held-out data, or controls that isolate the distillation step, it is hard to know whether the gains come from better coverage or from the model fitting synthetic regularities that do not generalize further. The abstract gives no statistical tests or baseline breakdowns, so the attribution remains unproven on the evidence presented. This paper is aimed at researchers who build or evaluate traffic-analysis attacks and defenses; anyone working on open-world fingerprinting or privacy defenses against it would want to see the full experimental section and replication. It is coherent enough and grounded enough in the stated problem to merit peer review so that referees can examine the data splits, ablation results, and distribution checks directly.

Referee Report

2 major / 0 minor

Summary. The paper proposes SATA, a semantics-aware traffic augmentation framework for website fingerprinting. It first applies application-layer semantic augmentation using protocol rules to expand resource compositions and frame sequence patterns within flows, then employs knowledge distillation for cross-layer feature alignment between enhanced frame sequences and observable packet-length sequences. The central claim is that this generates novel traffic patterns absent from training but genuinely present in test distributions, yielding large performance gains for mainstream models, especially in open-world settings (ACC improved by 90.81%, AUROC by 48.37%).

Significance. If the empirical results hold under rigorous controls, this could meaningfully advance generalizable website fingerprinting by directly targeting semantic variability and cross-layer instability, two persistent barriers to real-world deployment. The open-source code link is a strength for reproducibility.

major comments (2)

[Abstract] Abstract: The load-bearing claim that SATA 'successfully generates traffic patterns that are absent from the training set but genuinely exist in the test set' lacks any reference to verification procedures (e.g., overlap metrics, distribution tests, or artifact checks), leaving open the risk that rule-based augmentation introduces non-representative artifacts rather than genuine test-set variability.
[Abstract] The reported open-world gains (90.81% ACC, 48.37% AUROC) are presented without details on experimental controls, baseline comparisons, statistical testing, or ablations of the augmentation versus distillation components; this undermines attribution of improvements to the proposed mechanisms.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which help clarify the presentation of our contributions. We address each major comment point by point below and indicate the revisions we will make.

read point-by-point responses

Referee: [Abstract] Abstract: The load-bearing claim that SATA 'successfully generates traffic patterns that are absent from the training set but genuinely exist in the test set' lacks any reference to verification procedures (e.g., overlap metrics, distribution tests, or artifact checks), leaving open the risk that rule-based augmentation introduces non-representative artifacts rather than genuine test-set variability.

Authors: We agree that the abstract's brevity omits explicit mention of verification. The manuscript details these procedures in Section 4.3 (including Jaccard overlap, KL-divergence between augmented and test distributions, and manual artifact inspection on sampled flows), which confirm that generated patterns align with genuine test-set variability under protocol constraints. We will revise the abstract to include a concise reference to these verification steps and their positive outcomes. revision: yes
Referee: [Abstract] The reported open-world gains (90.81% ACC, 48.37% AUROC) are presented without details on experimental controls, baseline comparisons, statistical testing, or ablations of the augmentation versus distillation components; this undermines attribution of improvements to the proposed mechanisms.

Authors: The abstract summarizes headline results; full experimental controls, baseline comparisons (against DF, Tik-Tok, and others), statistical significance testing, and component ablations appear in Section 5. These ablations isolate the contributions of semantic augmentation and cross-layer distillation. We will update the abstract to briefly note the experimental controls and key ablation findings that support attribution to the proposed mechanisms. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical augmentation and distillation pipeline evaluated on held-out data

full rationale

The paper presents SATA as a rule-based semantic augmentation method followed by knowledge distillation for cross-layer alignment, with performance gains demonstrated via experiments on held-out closed- and open-world datasets. No equations, fitted parameters, or self-citations are invoked to derive the claimed improvements; the central results (e.g., 90.81% ACC and 48.37% AUROC gains) are reported as direct empirical outcomes from applying the pipeline to external test distributions. The derivation chain consists of protocol-constrained augmentation steps and a distillation objective, none of which reduce by construction to quantities defined within the paper's own fitted values or prior self-references. This is a standard self-contained empirical contribution.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on the domain assumption that protocol rules can be used to generate realistic yet novel traffic patterns and that distillation can transfer semantic knowledge to observable features without domain-specific tuning details provided in the abstract.

axioms (2)

domain assumption Application-layer protocol rules can be applied to expand resource composition and frame sequences in a way that produces traffic patterns genuinely present in real test distributions.
Invoked in the description of the first stage of SATA.
domain assumption Knowledge distillation between frame-sequence and packet-length-sequence representations produces cross-layer alignment that improves generalization under geographic and temporal shifts.
Invoked in the description of the second stage of SATA.

pith-pipeline@v0.9.0 · 5578 in / 1525 out tokens · 73311 ms · 2026-05-13T02:01:48.437925+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

69 extracted references · 69 canonical work pages

[1]

Tls 1.3 in practice: How tls 1.3 contributes to the internet,

H. Lee, D. Kim, and Y . Kwon, “Tls 1.3 in practice: How tls 1.3 contributes to the internet,” in Proceedings of the Web Conference 2021, 2021, pp. 70–79

work page 2021
[2]

DNS Queries over HTTPS (DoH),

P. E. Hoffman and P. McManus, “DNS Queries over HTTPS (DoH),” RFC 8484, Oct. 2018. [Online]. Available: https://www.rfc-editor.org/ info/rfc8484

work page 2018
[3]

Usage Profiles for DNS over TLS and DNS over DTLS,

S. Dickinson, D. K. Gillmor, and T. Reddy.K, “Usage Profiles for DNS over TLS and DNS over DTLS,” RFC 8310, Mar. 2018. [Online]. Available: https://www.rfc-editor.org/info/rfc8310

work page 2018
[4]

DNS over Dedicated QUIC Connections,

C. Huitema, S. Dickinson, and A. Mankin, “DNS over Dedicated QUIC Connections,” RFC 9250, May 2022. [Online]. Available: https://www.rfc-editor.org/info/rfc9250

work page 2022
[5]

TLS Encrypted Client Hello,

E. Rescorla, K. Oku, N. Sullivan, and C. A. Wood, “TLS Encrypted Client Hello,” RFC 9849, Mar. 2026. [Online]. Available: https://www.rfc-editor.org/info/rfc9849

work page 2026
[6]

Content delivery networks: State of the art, trends, and future roadmap,

B. Zolfaghari, G. Srivastava, S. Roy, H. R. Nemati, F. Afghah, T. Koshiba, A. Razi, K. Bibak, P. Mitra, and B. K. Rai, “Content delivery networks: State of the art, trends, and future roadmap,” ACM Comput. Surv., vol. 53, no. 2, Apr. 2020. [Online]. Available: https://doi.org/10.1145/3380613

work page doi:10.1145/3380613 2020
[7]

Machine learning-powered encrypted network traffic analysis: A com- prehensive survey,

M. Shen, K. Ye, X. Liu, L. Zhu, J. Kang, S. Yu, Q. Li, and K. Xu, “Machine learning-powered encrypted network traffic analysis: A com- prehensive survey,”IEEE Communications Surveys & Tutorials, vol. 25, no. 1, pp. 791–824, 2022

work page 2022
[8]

A survey on encrypted network traffic analysis applications, techniques, and countermeasures,

E. Papadogiannaki and S. Ioannidis, “A survey on encrypted network traffic analysis applications, techniques, and countermeasures,” ACM Computing Surveys (CSUR), vol. 54, no. 6, pp. 1–35, 2021

work page 2021
[9]

Sok: Decoding the enigma of encrypted network traffic classifiers,

N. Wickramasinghe, A. Shaghaghi, G. Tsudik, and S. Jha, “Sok: Decoding the enigma of encrypted network traffic classifiers,” in 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 1825– 1843

work page 2025
[10]

The sweet danger of sugar: Debunking representation learning for encrypted traffic classification,

Y . Zhao, G. Dettori, M. Boffa, L. Vassio, and M. Mellia, “The sweet danger of sugar: Debunking representation learning for encrypted traffic classification,” in Proceedings of the ACM SIGCOMM 2025 Conference, 2025, pp. 296–310

work page 2025
[11]

A survey on encrypted network traffic: A comprehensive survey of identification/classification techniques, chal- lenges, and future directions,

A. Sharma and A. H. Lashkari, “A survey on encrypted network traffic: A comprehensive survey of identification/classification techniques, chal- lenges, and future directions,” Computer Networks, vol. 257, p. 110984, 2025

work page 2025
[12]

Unmasking the internet: A survey of fine-grained network traffic analysis,

Y . Feng, J. Li, J. Mirkovic, C. Wu, C. Wang, H. Ren, J. Xu, and Y . Liu, “Unmasking the internet: A survey of fine-grained network traffic analysis,” IEEE Communications Surveys & Tutorials, 2025

work page 2025
[13]

Realistic website fingerprinting by augmenting network traces,

A. Bahramali, A. Bozorgi, and A. Houmansadr, “Realistic website fingerprinting by augmenting network traces,” in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 1035–1049

work page 2023
[14]

k-fingerprinting: A robust scalable web- site fingerprinting technique,

J. Hayes and G. Danezis, “k-fingerprinting: A robust scalable web- site fingerprinting technique,” in 25th USENIX Security Symposium (USENIX Security 16), 2016, pp. 1187–1203

work page 2016
[15]

Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,

P. Sirinam, M. Imani, M. Juarez, and M. Wright, “Deep fingerprinting: Undermining website fingerprinting defenses with deep learning,” in Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, 2018, pp. 1928–1943

work page 2018
[16]

Flowprint: Semi-supervised mobile-app fingerprinting on encrypted network traf- fic,

T. Van Ede, R. Bortolameotti, A. Continella, J. Ren, D. J. Dubois, M. Lindorfer, D. Choffnes, M. Van Steen, and A. Peter, “Flowprint: Semi-supervised mobile-app fingerprinting on encrypted network traf- fic,” in Network and distributed system security symposium (NDSS), vol. 27, 2020

work page 2020
[17]

J. Qu, X. Ma, J. Li, X. Luo, L. Xue, J. Zhang, Z. Li, L. Feng, and X. Guan, “An{Input-Agnostic}hierarchical deep learning frame- 16 (a) Indexed Header Field (b) Literal Header Field Fig. 18. Wireshark-based analysis of HTTP/2 header compression, illustrating the impact ofHPACKstates on frame size. Fig. 19. Concurrent transmission of continuousHEADERSframe...

work page 2023
[18]

Detection of tor network obfuscated traffic using bidirectional generative adversarial network,

B. AlOmar, Z. Trabelsi, and S. Alrabaee, “Detection of tor network obfuscated traffic using bidirectional generative adversarial network,” Computer Networks, p. 111586, 2025

work page 2025
[19]

Netdiffusion: Network data augmentation through protocol-constrained traffic generation,

X. Jiang, S. Liu, A. Gember-Jacobson, A. N. Bhagoji, P. Schmitt, F. Bronzino, and N. Feamster, “Netdiffusion: Network data augmentation through protocol-constrained traffic generation,” Proceedings of the ACM on Measurement and Analysis of Computing Systems, vol. 8, no. 1, pp. 1–32, 2024

work page 2024
[20]

Iletc: Incremental learning for encrypted traffic classification using generative replay and exemplar,

W. Zhu, X. Ma, Y . Jin, and R. Wang, “Iletc: Incremental learning for encrypted traffic classification using generative replay and exemplar,” Computer Networks, vol. 224, p. 109602, 2023

work page 2023
[21]

Advtg: An adversarial traffic generation framework to deceive dl-based malicious traffic de- tection models,

P. Sun, X. Yun, S. Li, T. Yin, C. Si, and J. Xie, “Advtg: An adversarial traffic generation framework to deceive dl-based malicious traffic de- tection models,” in Proceedings of the ACM on Web Conference 2025, 2025, pp. 3147–3159

work page 2025
[22]

The art of time-bending: Data augmentation and early prediction for efficient traffic classifica- tion,

C. Hajaj, P. Aharon, R. Dubin, and A. Dvir, “The art of time-bending: Data augmentation and early prediction for efficient traffic classifica- tion,” Expert Systems with Applications, vol. 252, p. 124166, 2024

work page 2024
[23]

A tale of two methods: Unveiling the limitations of gan and the rise of bayesian networks for synthetic network traffic generation,

A. Schoen, G. Blanc, P.-F. Gimenez, Y . Han, F. Majorczyk, and L. Me, “A tale of two methods: Unveiling the limitations of gan and the rise of bayesian networks for synthetic network traffic generation,” in 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2024, pp. 273–286

work page 2024
[24]

Domain general- ization: A survey,

K. Zhou, Z. Liu, Y . Qiao, T. Xiang, and C. C. Loy, “Domain general- ization: A survey,” IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 45, no. 4, pp. 4396–4415, 2023

work page 2023
[25]

N ¨uwa: Enhancing network traffic analysis with pre-trained side-channel feature imputation,

F. Zhao, W. Li, H. Bao, Z. Li, G. Zhou, W. Wang, and F. Liu, “N ¨uwa: Enhancing network traffic analysis with pre-trained side-channel feature imputation,” IEEE Transactions on Networking, 2025

work page 2025
[26]

Enhancing encrypted internet traffic classification through advanced data aug- mentation techniques,

Y . Zion, P. Aharon, R. Dubin, A. Dvir, and C. Hajaj, “Enhancing encrypted internet traffic classification through advanced data aug- mentation techniques,” in ICC 2025-IEEE International Conference on Communications. IEEE, 2025, pp. 1–6

work page 2025
[27]

Rosetta: Enabling robust{TLS}encrypted traffic classification in diverse network environments with{TCP-Aware}traffic augmentation,

R. Xie, J. Cao, E. Dong, M. Xu, K. Sun, Q. Li, L. Shen, and M. Zhang, “Rosetta: Enabling robust{TLS}encrypted traffic classification in diverse network environments with{TCP-Aware}traffic augmentation,” in 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 625–642

work page 2023
[28]

A few shots traffic classification with mini-flowpic augmentations,

E. Horowicz, T. Shapira, and Y . Shavitt, “A few shots traffic classification with mini-flowpic augmentations,” in Proceedings of the 22nd ACM internet measurement conference, 2022, pp. 647–654

work page 2022
[29]

Evolution and challenges of dns- based cdns,

Z. Wang, J. Huang, and S. Rose, “Evolution and challenges of dns- based cdns,” Digital Communications and Networks, vol. 4, no. 4, pp. 235–243, 2018

work page 2018
[30]

Akamai dns: Providing authoritative answers to the world’s queries,

K. Schomp, O. Bhardwaj, E. Kurdoglu, M. Muhaimen, and R. K. Sitaraman, “Akamai dns: Providing authoritative answers to the world’s queries,” in Proceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication, 2020, pp. 465–478

work page 2020
[31]

Hypertext Transfer Protocol Version 2 (HTTP/2),

M. Belshe, R. Peon, and M. Thomson, “Hypertext Transfer Protocol Version 2 (HTTP/2),” RFC 7540, May 2015. [Online]. Available: https://www.rfc-editor.org/info/rfc7540

work page 2015
[32]

HPACK: Header Compression for HTTP/2,

R. Peon and H. Ruellan, “HPACK: Header Compression for HTTP/2,” RFC 7541, May 2015. [Online]. Available: https://www.rfc-editor.org/ info/rfc7541

work page 2015
[33]

Transmission Control Protocol (TCP),

W. Eddy, “Transmission Control Protocol (TCP),” RFC 9293, Aug

work page
[34]

Available: https://www.rfc-editor.org/info/rfc9293

[Online]. Available: https://www.rfc-editor.org/info/rfc9293

work page
[35]

The Transport Layer Security (TLS) Protocol Version 1.2,

E. Rescorla and T. Dierks, “The Transport Layer Security (TLS) Protocol Version 1.2,” RFC 5246, Aug. 2008. [Online]. Available: https://www.rfc-editor.org/info/rfc5246

work page 2008
[36]

Appscanner: Automatic fingerprinting of smartphone apps from encrypted network traffic,

V . F. Taylor, R. Spolaor, M. Conti, and I. Martinovic, “Appscanner: Automatic fingerprinting of smartphone apps from encrypted network traffic,” in 2016 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2016, pp. 439–454

work page 2016
[37]

Encrypted traffic classification of decentralized applications on ethereum using feature fusion,

M. Shen, J. Zhang, L. Zhu, K. Xu, X. Du, and Y . Liu, “Encrypted traffic classification of decentralized applications on ethereum using feature fusion,” in Proceedings of the International Symposium on Quality of Service, 2019, pp. 1–10

work page 2019
[38]

Et-bert: A contextualized datagram representation with pre-training transformers for encrypted traffic classification,

X. Lin, G. Xiong, G. Gou, Z. Li, J. Shi, and J. Yu, “Et-bert: A contextualized datagram representation with pre-training transformers for encrypted traffic classification,” in Proceedings of the ACM Web Conference 2022, 2022, pp. 633–642

work page 2022
[39]

Ptu: Pre-trained model for network traffic understanding,

L. Peng, X. Xie, S. Huang, Z. Wang, and Y . Cui, “Ptu: Pre-trained model for network traffic understanding,” in 2024 IEEE 32nd International Conference on Network Protocols (ICNP). IEEE, 2024, pp. 1–12

work page 2024
[40]

Netmamba: Efficient network traffic classification via pre-training unidirectional mamba,

T. Wang, X. Xie, W. Wang, C. Wang, Y . Zhao, and Y . Cui, “Netmamba: Efficient network traffic classification via pre-training unidirectional mamba,” in 2024 IEEE 32nd International Conference on Network Protocols (ICNP). IEEE, 2024, pp. 1–11

work page 2024
[41]

Miett: Multi-instance encrypted traffic transformer for encrypted traffic classification,

X.-Y . Chen, L. Han, D.-C. Zhan, and H.-J. Ye, “Miett: Multi-instance encrypted traffic transformer for encrypted traffic classification,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 39, no. 15, 2025, pp. 15 922–15 929

work page 2025
[42]

Trafficformer: an efficient pre-trained model for traffic data,

G. Zhou, X. Guo, Z. Liu, T. Li, Q. Li, and K. Xu, “Trafficformer: an efficient pre-trained model for traffic data,” in 2025 IEEE Symposium on Security and Privacy (SP). IEEE, 2025, pp. 1844–1860

work page 2025
[43]

Bottom aggregating, top separating: An aggregator and separator network for encrypted traffic understanding,

W. Peng, L. Cui, W. Cai, W. Wang, X. Cui, Z. Hao, and X. Yun, “Bottom aggregating, top separating: An aggregator and separator network for encrypted traffic understanding,” IEEE Transactions on Information Forensics and Security, 2025

work page 2025
[44]

Yet another traffic classifier: A masked autoencoder based traffic transformer 17 with multi-level flow representation,

R. Zhao, M. Zhan, X. Deng, Y . Wang, Y . Wang, G. Gui, and Z. Xue, “Yet another traffic classifier: A masked autoencoder based traffic transformer 17 with multi-level flow representation,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 37, no. 4, 2023, pp. 5420– 5427

work page 2023
[45]

Atvitsc: A novel encrypted traffic classification method based on deep learning,

Y . Liu, X. Wang, B. Qu, and F. Zhao, “Atvitsc: A novel encrypted traffic classification method based on deep learning,” IEEE Transactions on Information Forensics and Security, 2024

work page 2024
[46]

Tfe-gnn: A temporal fusion encoder using graph neural networks for fine-grained encrypted traffic classification,

H. Zhang, L. Yu, X. Xiao, Q. Li, F. Mercaldo, X. Luo, and Q. Liu, “Tfe-gnn: A temporal fusion encoder using graph neural networks for fine-grained encrypted traffic classification,” inProceedings of the ACM web conference 2023, 2023, pp. 2066–2075

work page 2023
[47]

Sat-net: A staggered attention network using graph neural networks for encrypted traffic classification,

Z. Li, H. Zhao, J. Zhao, Y . Jiang, and F. Bu, “Sat-net: A staggered attention network using graph neural networks for encrypted traffic classification,”Journal of Network and Computer Applications, vol. 233, p. 104069, 2025

work page 2025
[48]

De- gnn: Dual embedding with graph neural network for fine-grained en- crypted traffic classification,

X. Han, G. Xu, M. Zhang, Z. Yang, Z. Yu, W. Huang, and C. Meng, “De- gnn: Dual embedding with graph neural network for fine-grained en- crypted traffic classification,” Computer Networks, vol. 245, p. 110372, 2024

work page 2024
[49]

Rev- olutionizing encrypted traffic classification with mh-net: A multi-view heterogeneous graph model,

H. Zhang, H. Yue, X. Xiao, L. Yu, Q. Li, Z. Ling, and Y . Zhang, “Rev- olutionizing encrypted traffic classification with mh-net: A multi-view heterogeneous graph model,” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 39, no. 1, 2025, pp. 1048–1056

work page 2025
[50]

Fs-net: A flow se- quence network for encrypted traffic classification,

C. Liu, L. He, G. Xiong, Z. Cao, and Z. Li, “Fs-net: A flow se- quence network for encrypted traffic classification,” in IEEE INFOCOM 2019-IEEE Conference On Computer Communications. IEEE, 2019, pp. 1171–1179

work page 2019
[51]

Ggfast: Automating generation of flexible network traffic classifiers,

J. Piet, D. Nwoji, and V . Paxson, “Ggfast: Automating generation of flexible network traffic classifiers,” in Proceedings of the ACM SIGCOMM 2023 Conference, 2023, pp. 850–866

work page 2023
[52]

Length matters: Fast internet encrypted traffic service classification based on multi-pdu lengths,

Z. Chen, G. Cheng, B. Jiang, S. Tang, S. Guo, and Y . Zhou, “Length matters: Fast internet encrypted traffic service classification based on multi-pdu lengths,” in 2020 16th International Conference on Mobility, Sensing and Networking (MSN). IEEE, 2020, pp. 531–538

work page 2020
[53]

Length matters: Scalable fast encrypted internet traffic service classification based on multiple protocol data unit length sequence with composite deep learning,

Z. Chen, G. Cheng, Z. Xu, S. Guo, Y . Zhou, and Y . Zhao, “Length matters: Scalable fast encrypted internet traffic service classification based on multiple protocol data unit length sequence with composite deep learning,” Digital Communications and Networks, vol. 8, no. 3, pp. 289–302, 2022

work page 2022
[54]

Online multimedia traffic classification from the qos perspective using deep learning,

Z. Wu, Y .-n. Dong, X. Qiu, and J. Jin, “Online multimedia traffic classification from the qos perspective using deep learning,” Computer Networks, vol. 204, p. 108716, 2022

work page 2022
[55]

Metc-mvae: Mobile encrypted traffic classification with masked variational autoencoders,

W. Cai, Z. Li, P. Fu, C. Hou, G. Xiong, and G. Gou, “Metc-mvae: Mobile encrypted traffic classification with masked variational autoencoders,” in 2022 IEEE 24th Int Conf on High Performance Computing & Communications; 8th Int Conf on Data Science & Systems; 20th Int Conf on Smart City; 8th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Ap...

work page 2022
[56]

Robustness matters: Pre-training can enhance the performance of encrypted traffic analysis,

L. Yang, L. Liu, J.-J. Huang, J. Shi, S. Fu, Y . Wang, and J. Su, “Robustness matters: Pre-training can enhance the performance of encrypted traffic analysis,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 10 588–10 603, 2025

work page 2025
[57]

Rltree: Website fingerprinting through resource loading tree,

C. Li, L. Nie, and L. Zhao, “Rltree: Website fingerprinting through resource loading tree,” in International Conference on Network and System Security. Springer, 2021, pp. 3–16

work page 2021
[58]

Classify traffic rather than flow: Versatile multi-flow encrypted traffic classification with flow clustering,

Z. Chen, G. Cheng, Z. Wei, D. Niu, and N. Fu, “Classify traffic rather than flow: Versatile multi-flow encrypted traffic classification with flow clustering,” IEEE Transactions on Network and Service Management, vol. 21, no. 2, pp. 1446–1466, 2023

work page 2023
[59]

Detecting tunneled flood- ing traffic via deep semantic analysis of packet length patterns,

C. Fu, Q. Li, M. Shen, and K. Xu, “Detecting tunneled flood- ing traffic via deep semantic analysis of packet length patterns,” in Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024, pp. 3659–3673

work page 2024
[60]

Udfs: Lightweight representation-driven robust network traffic classification,

Y . Xian, X. Zeng, M. Huang, A. Zhou, X. Cui, P. Liu, and L. Cui, “Udfs: Lightweight representation-driven robust network traffic classification,” arXiv preprint arXiv:2509.11157, 2025

work page arXiv 2025
[61]

Deep learning and pre- training technology for encrypted traffic classification: A comprehensive review,

W. Dong, J. Yu, X. Lin, G. Gou, and G. Xiong, “Deep learning and pre- training technology for encrypted traffic classification: A comprehensive review,”Neurocomputing, vol. 617, p. 128444, 2025

work page 2025
[62]

Nginx: the high-performance web server and reverse proxy,

W. Reese, “Nginx: the high-performance web server and reverse proxy,” Linux Journal, vol. 2008, no. 173, p. 2, 2008

work page 2008
[63]

Thomson and C

M. Thomson and C. Benfield, “HTTP/2,” RFC 9113, Jun. 2022. [Online]. Available: https://www.rfc-editor.org/info/rfc9113

work page 2022
[64]

The TCP Maximum Segment Size and Related Topics,

“The TCP Maximum Segment Size and Related Topics,” RFC 879, Nov. 1983. [Online]. Available: https://www.rfc-editor.org/info/rfc879

work page 1983
[65]

Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,

S. Boeyen, S. Santesson, T. Polk, R. Housley, S. Farrell, and D. Cooper, “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile,” RFC 5280, May 2008. [Online]. Available: https://www.rfc-editor.org/info/rfc5280

work page 2008
[66]

Sequential quadratic programming methods,

P. E. Gill and E. Wong, “Sequential quadratic programming methods,” in Mixed integer nonlinear programming. Springer, 2011, pp. 147–224

work page 2011
[67]

Knowledge distillation: A survey,

J. Gou, B. Yu, S. J. Maybank, and D. Tao, “Knowledge distillation: A survey,” International journal of computer vision, vol. 129, no. 6, pp. 1789–1819, 2021

work page 2021
[68]

Deep learning and zero-day traffic classification: Lessons learned from a commercial-grade dataset,

L. Yang, A. Finamore, F. Jun, and D. Rossi, “Deep learning and zero-day traffic classification: Lessons learned from a commercial-grade dataset,” IEEE Transactions on Network and Service Management, vol. 18, no. 4, pp. 4103–4118, 2021

work page 2021
[69]

Robust open-set classification for encrypted traffic fingerprinting,

T. Dahanayaka, Y . Ginige, Y . Huang, G. Jourjon, and S. Seneviratne, “Robust open-set classification for encrypted traffic fingerprinting,” Computer Networks, vol. 236, p. 109991, 2023. 18

work page 2023