CELLSHIFT: RTT-Aware Trace Transduction for Real-World Website Fingerprinting
Rob Jansen
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Network Security
Rob Jansen from the **US Naval Research Laboratory** presents CellShift, a method for transforming Tor exit-side traffic traces into entry-side traces to improve website fingerprinting attack evaluation using real user data. Website fingerprinting attacks attempt to break Tor anonymity by observing traffic patterns on the entry side of a Tor circuit and predicting which website the user is visiting. The core problem: adversaries need labeled training data, but using synthetic data (automated browser crawls) overestimates attack accuracy because it does not capture real user behavior diversity. CellShift uses **round-trip time (RTT) estimates** extracted from existing cell metadata to rewrite timestamps, simulating the shift from exit to entry observation point. Using only **addition, subtraction, and division**, CellShift improves attack accuracy by **1-36 percentage points** across 10 classifiers, processes **tens of millions of traces per hour** (five orders of magnitude faster than simulation-based approaches), and is validated against a genuine dataset of **13 million real Tor user traces** from the GTT23 dataset.
AI review
An operationally relevant method for making website fingerprinting attacks against Tor work with real user data instead of synthetic crawls. The simplicity is its strength -- RTT-based timestamp rewriting using only basic math achieves better results than full network simulation, while being five orders of magnitude faster. Validated on 13 million genuine Tor traces. This is how you do applied anonymity research.