Temoor Ali (Qatar Computing Research Institute), Shehel Yoosuf (Hamad Bin Khalifa University), Mouna Rabhi (Qatar Computing Research Institute), Mashael Al-Sabah (Qatar Computing Research Institute), Hao Yun (Qatar Computing Research Institute)
Residential IP proxy networks have reached unprecedented scale, yet they pose significant security risks by enabling malicious activities such as fraud, web scraping, and sophisticated cyberattacks while masking traffic behind legitimate home addresses. Existing detection approaches rely primarily on cross-layer Round-Trip Time (RTT) discrepancies, but we demonstrate these methods are fundamentally flawed: simple traffic scheduling attacks can reduce detection recall from 99% to just 8%, rendering state-of-the-art techniques unreliable against basic adversarial evasion. To address this critical vulnerability, we introduce novel traffic analysis and flow-correlation features that accurately capture the characteristics of gateway and relayed traffic, moving beyond vulnerable timing-based approaches. We further develop textit{CorrTransform}, a Transformer-based deep learning architecture engineered for maximum adversarial resilience. This enables two complementary detection strategies: a lightweight approach using engineered features for efficient large-scale detection, and a heavyweight deep learning approach for high-assurance in adversarial settings. We validate our methods through a comprehensive analysis of Bright Data's EarnApp using 15 months of traffic data (900GB) encompassing over 110,000 proxy connections. Our two-tiered framework enables ISPs to identify proxyware devices with >98% precision/recall and classify individual connections with 99% precision/recall under normal conditions, while maintaining >92% F1 score against sophisticated attacks, including scheduling, padding, and packet reshaping where existing methods completely fail. For content providers, our approach achieves near-perfect recall with <0.2% false positive rate for distinguishing direct from proxy traffic. This work shifts proxy detection from vulnerable timing-based approaches to resilient architectural fingerprinting, providing immediately deployable tools to combat the growing threat of malicious residential proxy usage.