Heimdallr: Fingerprinting SD-WAN Control-Plane Architecture via Encrypted Control Traffic

📅 2025-10-18
🤖 AI Summary
SD-WAN control planes employ encrypted cluster management protocols to achieve logical centralization with physical distribution; however, encrypted control traffic still exhibits timing patterns and flow-direction correlations, enabling inference of network topology and protocol dependencies—posing a critical information leakage risk. This paper proposes the first end-to-end deep learning framework that jointly models temporal sequences and bidirectional flow-direction context from encrypted control traffic to perform protocol identification, topology inference, and architecture fingerprinting—without decryption and with native support for heterogeneous, multi-source traffic. The method significantly enhances discriminability of operational and periodic patterns. Evaluated on real-world SD-WAN deployments, it achieves >93% control-traffic classification accuracy, a macro-F1 score of 80.2% for protocol identification, and 71.5% structural similarity in topology inference. This work establishes a novel paradigm for side-channel analysis of encrypted traffic and security assessment of SD-WAN infrastructures.

📝 Abstract
Software-defined wide area network (SD-WAN) has emerged as a new paradigm for steering a large-scale network flexibly by adopting distributed software-defined network (SDN) controllers. The key to building a logically centralized but physically distributed control plane is running diverse cluster management protocols to achieve consistency through an exchange of control traffic. Meanwhile, we observe that the control traffic exposes unique time-series patterns and directional relationships due to the operational structure even though the traffic is encrypted, and this pattern can disclose confidential information such as control-plane topology and protocol dependencies, which can be exploited for severe attacks. With this insight, we propose a new SD-WAN fingerprinting system, called Heimdallr. It analyzes periodical and operational patterns of SD-WAN cluster management protocols and the context of flow directions from the collected control traffic utilizing a deep learning-based approach, so that it can classify the cluster management protocols automatically from miscellaneous control traffic datasets. Our evaluation, which is performed in a realistic SD-WAN environment consisting of three geographically distant campus networks and one enterprise network, shows that Heimdallr can classify SD-WAN control traffic with $\geq$ 93%, identify individual protocols with $\geq$ 80% macro F-1 scores, and finally can infer control-plane topology with $\geq$ 70% similarity.

Problem

Research questions and friction points this paper is trying to address.

Identifying encrypted SD-WAN control-plane architecture through traffic analysis
Classifying cluster management protocols using deep learning techniques
Disclosing confidential control-plane topology from encrypted traffic patterns

Innovation

Methods, ideas, or system contributions that make the work stand out.

Fingerprinting encrypted SD-WAN traffic via deep learning
Analyzing periodic patterns and flow direction context
Automatically classifying cluster management protocols from traffic