Lab-trained CNN models completely failed to generalize to real public I2P network traffic: the 'without payload' variant produced 12.8–13.2× more false positives for the target service class than ground-truth packets actually existed (Table VIII), rendering all models forensically unusable. The authors conclude that heterogeneity and dynamism of real-world I2P traffic prevents lab-derived classifiers from achieving practical deanonymization.

CNN-based passive traffic analysis failed to deanonymize I2P services when transferred from a controlled lab to the public I2P network. Lab-trained models produced mostly unusable results: the 'Without port' variant misclassified Class 2 packets at 71.6–88.4× the true count, and the 'Without payload' variant was only marginally better (12.8–13.2× false positives), demonstrating that lab-learned patterns do not generalize to real-world I2P traffic.

§V Fourth Experiment / Table VIII detection

Fano's inequality establishes a theoretical lower bound on deanonymization error probability as a function of anonymity set size |Θ|, prior uncertainty H(X), and mutual information leakage I(X;Y). For a network of N sufficiently large nodes with uniform routing, Pe ≥ (log N − 1) / log(N−1), approaching 1 (perfect anonymity). The authors found that closed-form estimation of I(X;Y) from I2P traffic features was analytically intractable, requiring ML approximation — and that ML also failed in practice.

§III-A evaluation

Applying Fano's inequality, the paper proves Pe ≥ (H(X)−1)/log|Θ|, showing that deanonymization error rate approaches 1 (perfect anonymity) when the anonymity set |Θ| is large and mutual information leakage I(X;Y) between observed traffic Y and target identity X is minimized. A uniform default tunnel length of 3 hops across all nodes, for example, contributes no differential leakage because p(y=3)=1, illustrating that standardized network parameters reduce identifiability.

§III-A, Equation (2) detection

I2P payload entropy is close to 8 bits per packet (Figure 9), confirming strong encryption that renders payload content analytically unusable. Across all CNN experiments, models trained on payload data alone achieved 72.5–76.5% accuracy versus 95.17–99.5% for metadata-only variants; encrypted payload acted as 'noise that confused the model' rather than as a signal.

§IV-A, §V Experiment 2, Table IV detection

I2P payload entropy was measured at close to 8 bits per byte across sampled packets (Figure 9), confirming that payload content is cryptographically indistinguishable from random noise and provides no usable signal for classification. All experimental variants using raw payload alone achieved poor and high-variance accuracy (72.5–76.5%), while excluding payload improved accuracy to 99.5% in lab conditions.

§IV-A / §V Discussions detection

Unsupervised k-Means clustering over I2P flow features (port, payload length, protocol) found no natural cluster structure: distortion decreased nearly linearly with k up to k=20 with no elbow, indicating I2P traffic lacks the simple separable patterns that enable clustering-based traffic classification. The 435-packet dataset yielded one cluster of 75 and clusters as small as 3, with no forensically useful groupings.

§V First Experiment / Figure 12 detection

Unsupervised k-Means clustering on I2P traffic features (port, payload length, protocol type) produced no natural cluster structure — distortion decreased almost linearly with k showing no elbow point — confirming that I2P's obfuscation successfully destroys simple separable patterns that shallow classifiers rely on. CNNs were required to detect any signal at all.

§V First Experiment, Figure 12 evaluation

Under controlled lab conditions, a CNN trained on packet metadata (ports, sizes, TCP sequence numbers) achieved 99.5% accuracy classifying I2P packets with the 'Without payload' variant, versus only 72.5–76.5% using encrypted payload alone. However, when applied to the full recorded dataset, the 'Without payload' model's accuracy for the dominant irrelevant-traffic class dropped to 95.17% while maintaining 100% on target-class packets — but with a high false-positive rate making it forensically unreliable.

§V Second Experiment / Table IV–V detection

CNN models trained on I2P lab traffic achieved 99.5% validation accuracy using metadata alone (packet sizes, ports, TCP sequence numbers) versus only 72.5–76.5% accuracy when using encrypted payload only. This demonstrates that packet metadata is far more discriminating than payload content for traffic classification in encrypted anonymity networks.

§V Experiment 2, Table IV evaluation

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V flow-correlationml-classifiertraffic-shape

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

2026-fan-activeflowmark-assessing-tor §VI-D, Table V flow-correlationml-classifiertraffic-shape

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

2026-fan-activeflowmark-assessing-tor §VI.D.2, Table V flow-correlationtraffic-shapeml-classifier

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 traffic-shapeml-classifier