Under controlled lab conditions, a CNN trained on packet metadata (ports, sizes, TCP sequence numbers) achieved 99.5% accuracy classifying I2P packets with the 'Without payload' variant, versus only 72.5–76.5% using encrypted payload alone. However, when applied to the full recorded dataset, the 'Without payload' model's accuracy for the dominant irrelevant-traffic class dropped to 95.17% while maintaining 100% on target-class packets — but with a high false-positive rate making it forensically unreliable.

CNN-based passive traffic analysis failed to deanonymize I2P services when transferred from a controlled lab to the public I2P network. Lab-trained models produced mostly unusable results: the 'Without port' variant misclassified Class 2 packets at 71.6–88.4× the true count, and the 'Without payload' variant was only marginally better (12.8–13.2× false positives), demonstrating that lab-learned patterns do not generalize to real-world I2P traffic.

§V Fourth Experiment / Table VIII detection

Fano's inequality establishes a theoretical lower bound on deanonymization error probability as a function of anonymity set size |Θ|, prior uncertainty H(X), and mutual information leakage I(X;Y). For a network of N sufficiently large nodes with uniform routing, Pe ≥ (log N − 1) / log(N−1), approaching 1 (perfect anonymity). The authors found that closed-form estimation of I(X;Y) from I2P traffic features was analytically intractable, requiring ML approximation — and that ML also failed in practice.

§III-A evaluation

Applying Fano's inequality, the paper proves Pe ≥ (H(X)−1)/log|Θ|, showing that deanonymization error rate approaches 1 (perfect anonymity) when the anonymity set |Θ| is large and mutual information leakage I(X;Y) between observed traffic Y and target identity X is minimized. A uniform default tunnel length of 3 hops across all nodes, for example, contributes no differential leakage because p(y=3)=1, illustrating that standardized network parameters reduce identifiability.

§III-A, Equation (2) detection

Lab-trained CNN models completely failed to generalize to real public I2P network traffic: the 'without payload' variant produced 12.8–13.2× more false positives for the target service class than ground-truth packets actually existed (Table VIII), rendering all models forensically unusable. The authors conclude that heterogeneity and dynamism of real-world I2P traffic prevents lab-derived classifiers from achieving practical deanonymization.

§V Experiment 4, Table VIII evaluation

I2P payload entropy is close to 8 bits per packet (Figure 9), confirming strong encryption that renders payload content analytically unusable. Across all CNN experiments, models trained on payload data alone achieved 72.5–76.5% accuracy versus 95.17–99.5% for metadata-only variants; encrypted payload acted as 'noise that confused the model' rather than as a signal.

§IV-A, §V Experiment 2, Table IV detection

I2P payload entropy was measured at close to 8 bits per byte across sampled packets (Figure 9), confirming that payload content is cryptographically indistinguishable from random noise and provides no usable signal for classification. All experimental variants using raw payload alone achieved poor and high-variance accuracy (72.5–76.5%), while excluding payload improved accuracy to 99.5% in lab conditions.

§IV-A / §V Discussions detection

Unsupervised k-Means clustering over I2P flow features (port, payload length, protocol) found no natural cluster structure: distortion decreased nearly linearly with k up to k=20 with no elbow, indicating I2P traffic lacks the simple separable patterns that enable clustering-based traffic classification. The 435-packet dataset yielded one cluster of 75 and clusters as small as 3, with no forensically useful groupings.

§V First Experiment / Figure 12 detection

Unsupervised k-Means clustering on I2P traffic features (port, payload length, protocol type) produced no natural cluster structure — distortion decreased almost linearly with k showing no elbow point — confirming that I2P's obfuscation successfully destroys simple separable patterns that shallow classifiers rely on. CNNs were required to detect any signal at all.

§V First Experiment, Figure 12 evaluation

CNN models trained on I2P lab traffic achieved 99.5% validation accuracy using metadata alone (packet sizes, ports, TCP sequence numbers) versus only 72.5–76.5% accuracy when using encrypted payload only. This demonstrates that packet metadata is far more discriminating than payload content for traffic classification in encrypted anonymity networks.

§V Experiment 2, Table IV evaluation

Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.

2025-amnesty-pakistan-shadows §3, §5 dpisni-blockingip-blockingtraffic-shapeml-classifier

Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.

2025-geedge-mesa-leak §5, §6 dpiactive-probingml-classifiersni-blockingdns-poisoningfully-encrypted-detecttraffic-shape

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) dpiactive-probingml-classifiersni-blockingip-blockingtraffic-shapefully-encrypted-detect

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 dpisni-blockingip-blockingtraffic-shapeml-classifieractive-probing

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 traffic-shapewebsite-fingerprintml-classifierdpifully-encrypted-detect

Security arguments for existing circumvention systems are based on ad-hoc adversary models that are often incomplete or unrepresentative of real-world adversaries, leading to allegedly secure designs that fail against relatively straightforward attacks. Protocols that substitute or parasitize a cover application's encrypted traffic channel fail against application-aware adversaries who observe or induce violations of application-specific behavioral invariants — a weakness that pre-trained classifiers on custom traces fail to surface.

2025-pereira-position §1, §2 ml-classifiertraffic-shapedpi