Countmamba: A Generalized Website Fingerprinting Attack via Coarse-Grained Representation and Fine-Grained Prediction

Tor is the leading low-latency anonymous communication network, widely used to protect users' privacy through mechanisms such as random relay selection. However, despite these defenses, Tor traffic remains susceptible to website finger-printing (WF) attacks, where attackers analyze side-channel information (e.g., packet size, direction, inter-packet timing) to infer visited websites. Although WF attacks have shown high success rates in controlled settings, they rely on complete, unperturbed traffic, making them vulnerable to real-world de-fense mechanisms. Traditional WF approaches, which typically employ Machine Learning (ML) or Deep Learning (DL) to classify packet sequences as a single-label prediction, struggle to generalize in practical scenarios, especially under defenses that alter packet patterns or in environments requiring multi-label, early-stage analysis. In this work, we introduce Countmamba, a robust and adaptable WF attack framework designed to address the challenges posed by real-world defenses, early-stage traffic analysis, and multi-tab browsing. Countmamba employs a Windowed Traffic Counting Matrix (WTCM) to create re-silient, coarse-grained traffic representations by aggregating packet events within fixed time intervals, allowing it to with-stand moderate perturbations from defenses. Additionally, a state-space-oriented (SSO) classifier incrementally generates fine-grained predictions from partial traffic data, maintaining high attack accuracy while enabling early-stage and multi-tab attack capabilities. Unlike prior WF methods, Countmamba iteratively updates predictions as new data arrives, eliminating the need for complete traffic capture and enabling reliable inference even in complex, multi-tab environments. Extensive experiments demonstrate that Countmamba outperforms state-of-the-art WF attacks across robust, early-stage, and multi-tab scenarios, highlighting its applicability for realistic, adaptive WF analysis in Tor networks. The source code as well as the experiment data is available at https://github.com/SJTU-dxw/CountMamba-WF.