Website fingerprinting (WF) models in anonymous networks are highly vulnerable to backdoor poisoning attacks, leading to severe performance degradation. To address this, this work pioneers the application of machine unlearning to WF defense, proposing a lightweight backdoor detection and purification method based on influence functions. Our approach quantifies gradient sensitivity and dynamically reweights model parameters to automatically localize poisoned samples and perform parameter-level model purification—requiring only a small number of known poisoned instances to debias the training set and eliminate backdoors. Evaluated on the CW and OW public datasets, our method achieves stable poisoning and test accuracy of 80%, significantly outperforming baseline defenses. Moreover, it improves runtime efficiency by 2–3× while maintaining robustness, discriminative capability, and resilience against interference under open-world assumptions.

Website Fingerprinting (WF) is an effective tool for regulating and governing the dark web. However, its performance can be significantly degraded by backdoor poisoning attacks in practical deployments. This paper aims to address the problem of hidden backdoor poisoning attacks faced by Website Fingerprinting attack, and designs a feasible mothed that integrates unlearning technology to realize detection of automatic poisoned points and complete removal of its destructive effects, requiring only a small number of known poisoned test points. Taking Tor onion routing as an example, our method evaluates the influence value of each training sample on these known poisoned test points as the basis for judgment. We optimize the use of influence scores to identify poisoned samples within the training dataset. Furthermore, by quantifying the difference between the contribution of model parameters on the taining data and the clean data, the target parameters are dynamically adjusted to eliminate the impact of the backdoor attacks. Experiments on public datasets under the assumptions of closed-world (CW) and open-world (OW) verify the effectiveness of the proposed method. In complex scenes containing both clean website fingerprinting features and backdoor triggers, the accuracy of the model on the poisoned dataset and the test dataset is stable at about 80%, significantly outperforming the traditional WF attack models. In addition, the proposed method achieves a 2-3 times speedup in runtime efficiency compared to baseline methods. By incorporating machine unlearning, we realize a WF attack model that exhibits enhanced resistance to backdoor poisoning and faster execution speeds in adversarial settings.