Wiley's Bayesian classifier against obfuscated protocols (Dust, SSL, obfs-openssh) found that entropy detection achieved 94% accuracy using only the first packet, timing-based detection achieved 89% accuracy over entire packet streams, and length-based detection achieved only 16% accuracy.

A naive active-probing resistance scheme that embeds a fixed-length token in the initial request is vulnerable to flow fingerprinting because the censor can detect connections that always begin with a fixed byte count; pseudo-random padding removes this length-based signature. Separately, obfuscating-service schemes that reveal server aliveness by completing TCP expose the server IP to enumeration even before the application-layer challenge fires.

§5.5 defense

Of 73 censorship resistance systems surveyed through February 2016, only 11 address the Communication Establishment phase versus 62 for Conversation, even though Tschantz et al. document that real censorship attacks concentrate on Communication Establishment rather than on the Conversation tunnel.

§5.5 evaluation

The Great Firewall detects Tor bridges through a two-stage active-probing pipeline: GFW DPI first flags a flow as a potential Tor connection, then random Chinese IP addresses initiate Tor handshakes to the suspected bridge; if the handshake succeeds, the bridge IP:port combination is blocked.

§2.4.1 detection

Anderson's analysis of Iran's network connectivity from January 2010 to 2013 uncovered two extended throttling periods with 77% and 69% decreases in download throughput respectively, plus eight to nine shorter periods; these often coincided with holidays, protest events, international political turmoils, and important anniversaries.

§2.4.2 detection

Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.

2026-lian-decompose-understand-fuse §II ml-classifiertraffic-shaperandom-payload-detectfully-encrypted-detect

Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.

2026-lian-decompose-understand-fuse §V-C, Table II ml-classifiertraffic-shaperandom-payload-detect

obfs4 and obfs⋆ produce characteristic wire patterns—bursts of roughly MTU-sized payloads followed by a randomly-sized chaff packet—that CNN classifiers detect purely from packet-size sequences without payload inspection. A trivial per-bridge entropy-biasing re-encoding (obfs⋆) completely defeats the hand-tuned decision tree (0% precision, 0% recall) but does not reduce CNN detectability, because the CNN generalizes across size-distribution variants.

2024-wails-precisely §V-E, §IV-D-3, Figure 4 traffic-shapeml-classifierrandom-payload-detect

Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.

2021-kaptchuk-meteor §5.2 / §6 / Table 2 random-payload-detectml-classifiertraffic-shape

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV flow-correlationtraffic-shapeml-classifier