ml-classifier   ML / statistical classifier

Stage 1 of the detection pipeline uses a lightweight heuristic: restrict analysis to IP addresses in "VPS-dense ASNs," which censors already target for resource-intensive inspection of fully-encrypted traffic. This pre-filter dramatically reduces the search space before applying the more expensive dual-role behavioral analysis. The evaluation was conducted without Stages 1 and 3 due to dataset limitations, meaning the reported 23% recall and 0.18% FPR are conservative lower bounds on the full pipeline's performance.

2026-almutairi-server §2.1, §2.2, §3.4 detection

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III detection

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV detection

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V evaluation

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

2026-fan-activeflowmark-assessing-tor §VI-D, Table V detection

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

2026-fan-activeflowmark-assessing-tor §VI.D.2, Table V evaluation

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 detection

Adversarial pre-padding — prepending stochastic byte noise to packets — degrades ET-BERT encrypted traffic classification accuracy from >99% to 25.68%, exposing a structural vulnerability in all payload-byte-dependent detection systems. White-box adversarial attacks (Ayaka AH-MSI) additionally achieve evasion rates exceeding 99.5% against standard continuous-time sequence models via Manifold Shattering, where adversaries align malicious temporal distributions with benign baselines.

2026-ferrel-aegis-adversarial-entropy-guided §II, §VI-A detection

AEGIS, a flow-physics-only ML classifier using a Hyperbolic Liquid State Space Model evaluated on a 400GB adversarial corpus including VLESS Reality, GhostBear, and AMOI-morphed traffic, achieves F1-score 0.9952, 99.50% TPR, and 0.2141% FPR at 262.27 µs inference latency on an RTX 4090. The system discards all payload bytes and classifies traffic exclusively on 6-dimensional flow physics: packet size, inter-arrival time, directionality, TCP window size, TCP flags, and payload ratio.

2026-ferrel-aegis-adversarial-entropy-guided §V, Table III evaluation

Automated proxy engines (e.g., Xray-core running VLESS Reality in automated mode) generate deterministically rigid inter-arrival time distributions because they cannot synthesize the stochastic variance of human-driven IAT, even when volumetrically anchored to benign distributions ('Fat Middle' anchoring via AMOI). The AEGIS Thermodynamic Variance Detector identifies this rigidity via Shannon Entropy of hidden states across 1,000-packet causal windows, rendering volumetric anchoring mathematically distinguishable from genuine human traffic.

2026-ferrel-aegis-adversarial-entropy-guided §III-E, §V-B detection

Gaussian noise injection stress testing shows AEGIS maintains F1-scores of 0.9913 at 5% IAT noise and 0.9753 at 10% IAT noise, but degrades to 0.5939 at 15% Gaussian noise — establishing the 'Manifold Shattering Threshold.' The paper asserts that sustaining 15% IAT noise in practice corrupts the adversary's own C2 channel integrity, making this threshold operationally unachievable for high-throughput tunnels.

2026-ferrel-aegis-adversarial-entropy-guided §V-F detection

Flow-physics classifiers face a fundamental 'Human Entropy Horizon': when VLESS Reality multiplexes true human entropy (a human actively browsing web applications), AEGIS achieves a detection rate of only 1.17%, because XTLS wrappers impart near-zero mechanical overhead and the temporal physics remain entirely stochastic. This implies adversaries operating at human interaction speeds can evade flow-based detection, but must abandon automated high-throughput C2 scripts.

2026-ferrel-aegis-adversarial-entropy-guided §V-G detection

Routing-guided conditional aggregation (CA) that dynamically weights header versus payload contributions using per-sample MoE routing probabilities outperforms static fusion on all six datasets, demonstrating that the relative discriminative utility of headers versus payloads varies by application type — and that classifiers can adaptively shift reliance to whichever modality is less obfuscated.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-E, §IV-B detection

Explicitly disentangling packet headers (structured, low-entropy) from encrypted payloads (high-entropy, stochastic) into separate MoE branches yields consistent gains across six datasets: 86.85% F1 on 120-class TLS 1.3 traffic (CSTNET-TLS), 97.88% F1 on USTC-TFC2016 malware/benign flows, and 92.65% F1 on imbalanced IoT traffic (CIC-IoT2022), demonstrating that headers and payloads carry fundamentally different and independently exploitable discriminative signals.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-A, §IV-B, Tables II–III detection

Pretraining on 30 GB of unlabeled mixed traffic via masked language modeling (ISCX-VPN2016 NonVPN, CICIDS2017, WIDE backbone), then fine-tuning, enables TrafficMoE to classify VPN application traffic at 88.72% F1 and VPN service traffic at 92.61% F1, exceeding all fully supervised and prior pretraining baselines without requiring labeled training data for those domains.

2026-he-trafficmoe-heterogeneity-aware-mixture §IV-A, §IV-B, Table III detection

TrafficMoE achieves 97.65% accuracy and F1-score on the ISCX-Tor2016 dataset, substantially outperforming all baselines including the best pretraining-based competitor FlowletFormer (91.16% F1), by separately modeling protocol headers and encrypted payloads via dual-branch sparse Mixture-of-Experts rather than treating them as a unified byte stream.

2026-he-trafficmoe-heterogeneity-aware-mixture §IV-B, Table II detection

An uncertainty-aware filtering (UF) mechanism quantifies per-token reliability via Shannon entropy of the cross-modal header–payload attention matrix, finding that encrypted payloads still contain low-entropy tokens with stable cross-modal alignment that serve as reliable classification anchors — demonstrating that nominally randomized byte streams retain exploitable low-entropy structure.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-D detection

Balboa's synchronous leaf-content replacement adds non-negligible timing differences that allow censors to identify its activity with up to ~90% accuracy over different network conditions. The timing anomaly arises because Balboa performs data substitution directly at each data exchange, delaying the server's response while covert data is prepared.

2026-kamali-huma §I (Introduction), §II-A detection

Without chunk-based padding, an XGBoost classifier identifies the target website from covert data-chunk sizes with 91% accuracy (Tranco top-100). Chunking at 2 MB reduces accuracy to 12% at a 21.3% bandwidth overhead, while 16 MB chunks reduce accuracy to near random guessing at a 480.3% overhead. Chunks as small as 64 KB already reduce accuracy to 64%, demonstrating a monotonic fingerprinting–overhead tradeoff.

2026-kamali-huma §V-C, Figure 4 evaluation

Huma's deferred-reply / double-request receive (DRR) protocol reduces a traffic-fingerprinting XGBoost classifier's accuracy to at most 54% (near random guessing) across geographically distributed clients (San Francisco, Frankfurt, Bangalore). A Kolmogorov-Smirnov test on absolute page-load timing distributions yields D=0.03, p=0.98 for U.S. clients — substantially tighter than Waterfall of Liberty's D=0.11 at p=0.5 — confirming that Huma flows are statistically indistinguishable from benign HTTPS fetches.

2026-kamali-huma §V-D, Table II evaluation

Striding with factor 4 (early downsampling) produces the largest single-factor degradation in the ablation study: average macro-F1 drops from 0.9909 to 0.9772 and cross-dataset variance increases from 4.77×10⁻⁵ to 4.51×10⁻⁴, with worst-case dataset performance falling to MIN 0.9524. Fine-grained byte order and short-range structure — protocol headers, payload signatures, repeated byte motifs — carry essential discriminative signal that stride-based aggregation destroys.

2026-kulatilleke-mambanetburst-direct-byte-level §V-B, Table IV detection

Early downsampling via striding (stride=4) is the single most damaging ablation, reducing average macro-F1 from 0.9909 to 0.9772 and increasing cross-dataset variance from 4.77×10⁻⁵ to 4.51×10⁻⁴, while the worst-case dataset drops to F1=0.9524 — far larger degradation than any other design choice including Mamba-1 vs Mamba-2.

2026-kulatilleke-mambanetburst-direct-byte-level §V-B, Table IV detection

A burst of just 5 packets truncated to 320 bytes each (1600 bytes total) suffices for macro-F1 ≥0.9824 across all six benchmarks; the classification token reads from the final recurrent state after a 4-layer Mamba-2 stack processing this fixed-length prefix, with no additional flow-level or session-level context required.

2026-kulatilleke-mambanetburst-direct-byte-level §III-A, §V-A detection

Classification from the first 5 packets × 320 bytes (1600-byte burst) achieves near-perfect accuracy across Tor (F1=0.9990), VPN (F1=0.9871), malware (F1=0.9954), and IoT attack traffic (F1=0.9966), with IP addresses masked and only header and initial payload retained. The earliest portion of each packet provides sufficient discriminative information for a classification decision made within the first kilobyte of a flow.

2026-kulatilleke-mambanetburst-direct-byte-level §III-A, §V-A, Table II–III detection

MambaNetBurst classifies Tor traffic (ISCXTor2016) at F1=0.9990 and VPN traffic (ISCXVPN2016) at F1=0.9871 using only the first 5 packets (1600 bytes total) with no pre-training, matching or exceeding pre-trained baselines like ET-BERT (ISCXTor F1=0.9967, ISCXVPN F1=0.9565) and NetMamba (ISCXTor F1=0.9986, ISCXVPN F1=0.9806) at 2.5–2.7M parameters.

2026-kulatilleke-mambanetburst-direct-byte-level §V-A, Table III detection

Mamba-2's constrained scalar-times-identity A-matrix acts as an implicit regularizer for packet-byte sequences: under matched settings it yields higher mean F1 (0.9909 vs 0.9874), better worst-case F1 (0.9824 vs 0.9769), and 48% lower cross-dataset variance (4.77×10⁻⁵ vs 9.21×10⁻⁵) relative to Mamba-1, while delivering 30–60% faster backward passes and 2–4× lower GPU memory usage.

2026-kulatilleke-mambanetburst-direct-byte-level §V-B, §V-C, Table V detection

Mamba-2 (2.5M parameters) is Pareto-optimal on the accuracy-vs-inference-time frontier: it achieves average macro-F1 of 0.9909 with 30-60% faster backward passes than Mamba-1 and 2-3× faster inference than linear Transformers with FlashAttention-2 at medium-to-large batch sizes on a single RTX 3090. Memory usage is 2-4× lower than Transformer-based counterparts, enabling single-GPU operation at sequence length 1600.

2026-kulatilleke-mambanetburst-direct-byte-level §V-C, §V-D, Figure 2 evaluation

Supervised byte-level training without pre-training reduces total compute by an estimated 3–15× in wall-clock training time and 2–4× in training memory footprint compared to pre-trained Transformer baselines (ET-BERT, YaTC, NetMamba), while achieving equivalent or superior classification F1 across six benchmarks spanning encrypted app identification, VPN/Tor, malware, and IoT attack traffic.

2026-kulatilleke-mambanetburst-direct-byte-level §VI-F, §V-A evaluation

Eliminating self-supervised pretraining reduces total wall-clock training time by an estimated 3-15× relative to ET-BERT, YaTC, and NetMamba, while achieving comparable or superior accuracy. Pretraining in representative baselines typically consumes 10-100× more compute than downstream fine-tuning; removing it also eliminates the risk of negative transfer from mismatched pretraining corpora under concept drift.

2026-kulatilleke-mambanetburst-direct-byte-level §VI-F evaluation

MambaNetBurst achieves macro-F1 of 0.9990 on ISCXTor2016 and 0.9871 on ISCXVPN2016 without any pretraining, matching or exceeding heavily pretrained baselines such as ET-BERT (F1=0.9967/0.9565) and YaTC (F1=0.9986/0.9806). High-accuracy Tor and VPN traffic classification is achievable with a compact 2.5M-parameter supervised model requiring no labeled pretraining corpus.

2026-kulatilleke-mambanetburst-direct-byte-level §V-A, Table III detection

FreeUp achieves 86.68% AUC on CIC-IoT2023, 85.44% AUC on DoHBrw2020 (malicious DNS-over-HTTPS tunneling), and 95.53% AUC / 93.22% F1 on ISCX-Tor2016 (Tor anonymous traffic), outperforming all nine baselines by more than 3% AUC on the first two datasets. The ISCX-Tor2016 result demonstrates that frequency-decoupled ML classifiers can detect Tor-like anonymous traffic with high confidence under zero-positive (unsupervised) training.

2026-lian-decompose-understand-fuse §V-B, Table I evaluation

FreeUp's dual-branch architecture requires only 0.73G MACs and 6.46M parameters at inference — comparable to or lower than simpler baselines (MFR: 1.01G MACs / 11.18M params; ARCADE: 0.82G MACs / 6.70M params) — while achieving substantially higher detection accuracy. The two branches can be deployed in parallel with minimal memory usage, making frequency-decoupled ML detection computationally practical for real-time network monitoring at scale.

2026-lian-decompose-understand-fuse §V-F, Table IV evaluation

Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.

2026-lian-decompose-understand-fuse §II detection

Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.

2026-lian-decompose-understand-fuse §V-C, Table II detection

FreeUp operates under a zero-positive (unsupervised) learning paradigm — trained exclusively on normal traffic with no labeled anomaly examples — yet achieves 95.53% AUC on Tor traffic and 85.44% AUC on DNS-over-HTTPS tunneling detection. This demonstrates that frequency-aware anomaly detectors generalize to novel circumvention protocols without requiring any labeled attack data, eliminating the labeling bottleneck that previously limited ML-based censorship detection.

2026-lian-decompose-understand-fuse §III, §V-B detection

When the researchers attempted to use Gemini 2.5 Flash as a third independent LLM judge via its API for evaluating moderation decisions, Gemini automatically blocked all judging attempts citing safety reasons. This occurred even though the research task (judging whether a response is more or less moderated) does not itself produce harmful content. The incident illustrates that LLM safety systems can over-block legitimate research use cases, and that different LLM providers have different thresholds— Claude Haiku 4.5 and GPT-4o completed all judging tasks without safety refusals.

2026-lipphardt-dual §3.3.3 detection

Category-level analysis of 100 statements across 5 sensitive content categories found that interface-based moderation gaps vary significantly by topic. Sexuality showed the strongest WebUI/API gap (WebUI 7.0× more likely to be moderated than API per GPT-4o judge for Gemini). Political ideology followed at 2.0×, then hate speech at 1.0×. Miscellaneous offensive topics showed the inverse pattern (API more moderated at 0.3×). Religious content showed WebUI moderation with no API moderation. The pattern suggests public-facing WebUI interfaces prioritize reputational risk management for high-scrutiny categories.

2026-lipphardt-dual §4.5, Figure 8 evaluation

API and WebUI interfaces show statistically significant response length differences in opposite directions across models. Gemini API responses averaged 2,333 characters vs. 1,746 for WebUI (34% longer API; t=5.028, p<0.0001, Cohen's d=0.50). ChatGPT WebUI responses averaged 2,752 characters vs. 1,389 for API (98% longer WebUI; t=-9.800, p<0.0001, d=-0.98). The divergent direction across models suggests fundamentally different generation parameters rather than simple post-hoc filtering, indicating architectural or policy-level differences at the provider level.

2026-lipphardt-dual §4.6 evaluation

An empirical study of 100 sensitive statements tested on Gemini (2.5 Flash) and ChatGPT (GPT-5) found that WebUI interfaces are systematically more restrictive than their API counterparts. According to GPT-4o judge: WebUI was moderated 18% of the time vs. 9% (Gemini API) and 13% (ChatGPT API). DeBERTa classifier found 82% of WebUI responses moderated vs. 58% of API responses. The Gemini WebUI:API ratio ranged from 2.0:1 (GPT-4o) to 7.0:1 (Claude), and ChatGPT from 1.4:1 (GPT-4o) to 15.6:1 (Claude). Neither Google nor OpenAI discloses these interface-specific policies.

2026-lipphardt-dual §4.3, Table 2 evaluation

Strong classifiers can be trained from fewer than one third of available traces with gains diminishing rapidly beyond that threshold. At inference time, macro F1 rises sharply within the first 40% of observed actions across all four datasets, meaning model identity can be inferred while the agent is still actively navigating the page.

2026-lugoloobi-known-their-actions §6.2, Figure 6 detection

Passive JavaScript UI traces are sufficient to fingerprint the underlying LLM of a browser agent with up to 96% macro F1 across 14 frontier models, achieving roughly 10× random-chance accuracy. Even the weakest model pair (Qwen3.5-9B on 2WikiMultiHopQA) reaches 63.7% F1 against a ~7% random baseline for 14 classes.

2026-lugoloobi-known-their-actions §5.1, Figure 2 detection

In open-set fingerprinting (leave-one-agent-out protocol), the majority of models exceed AUROC 0.60 for unknown-agent detection, but closed-set and open-set performance are dissociated: Seed-2-lite achieves 96.1% closed-set F1 yet scores below-chance open-set AUROC (0.38–0.47 on three of four datasets), while GPT-5.4 achieves AUROC 0.84 open-set despite ranking third in closed-set F1.

2026-lugoloobi-known-their-actions §5.1, Figure 3 evaluation

SHAP analysis shows timing-based features — IEI standard deviation, mean click IEI, and time to first action — dominate agent identity classification under normal conditions, receiving substantially larger attributions than structural or action-type features. Agents are distinguishable primarily by their tempo: how long they pause before acting and how variable that pause is.

2026-lugoloobi-known-their-actions §6.1, Figure 4 detection

Injecting uniformly sampled random delays between agent actions substantially degrades an unadapted XGBoost classifier, but a classifier retrained on delayed traces largely recovers performance across all four datasets. Under 5-second delay injection, the classifier shifts weight onto structural features (click-coordinate dispersion, structural key ratio, link-click ratio) that survive timing perturbation.

2026-lugoloobi-known-their-actions §6.1, Figure 5 evaluation

At operationally realistic base rates—1 million connection pairs per hour with only 10 true stepping-stone chains—a detector with a 1% FPR generates approximately 10,000 false alarms per hour while correctly flagging all 10 intrusions, making classical statistical methods (which cannot reach FPR ≪ 10⁻²) operationally unusable; deep learning methods must target FPR ≤ 10⁻³ to be viable.

2026-mathews-tracing-chain-deep §I evaluation

ESPRESSO, a deep learning flow correlator combining a transformer backbone with time-aligned interval features and online triplet mining, achieves TPR >0.99 at FPR ≤ 10⁻³ for SSH, SOCAT, and ICMP stepping-stone traffic in network-mode detection, versus DCF's TPR of 0.320–0.956 across those same protocols at the same threshold. On the harder mixed-protocol dataset in network-mode, ESPRESSO achieves TPR 0.748 at FPR ≤ 10⁻³, more than double DCF's 0.334.

2026-mathews-tracing-chain-deep §V-B, Table III evaluation

Ablation experiments show that replacing ESPRESSO's transformer backbone with a CNN ('Modified DCF') while retaining time-aligned interval features achieves performance competitive with the full ESPRESSO model across most protocols (e.g., SOCAT network-mode pAUC 0.997 vs. 0.989 at FPR ≤ 10⁻³), demonstrating that the time-interval feature representation—not the transformer architecture—is the primary driver of correlation accuracy.

2026-mathews-tracing-chain-deep §V-B, Table III evaluation

Ephemeral defenses were integrated with a WireGuard fork and deployed as Mullvad VPN's 'DAITA' (Defense Against AI-guided Traffic Analysis) opt-in feature across Android, iOS, macOS, Linux, and Windows for over one year, serving a growing number of thousands of daily users. Individual defenses are derived deterministically from seeds in 43.6 ± 4.7 ms on a commodity laptop, making per-connection unique defenses practical at VPN scale.

2026-pulls-ephemeral-network-layer-fingerprinting §1, §7 deployment

Ephemeral blocking defenses reduce DF accuracy from 89.0% (undefended) to 10.2% and RF from 90.1% to 14.7% with standard 30-epoch training, at 97.5% bandwidth and 68.4% delay overhead; under infinite training, DF rises to only 29.2% and RF to 24.3%, still far below undefended baselines of 92.7% and 94.7%. Defenses are tunable at deployment time by adjusting Maybenot framework-wide limits, enabling overhead-vs-protection trade-offs without redeployment.

2026-pulls-ephemeral-network-layer-fingerprinting §5.2, §5.3, Table 1, Table 2 defense

The ephemeral property — using a unique seed-derived defense per connection — prevents attackers from training classifiers on the exact deployed defense variant. Stacked combinations with height H=5 from N=1,000 base defenses yield 6.88×10^25 unique defenses (polynomial growth O(N^{2H})). Attacks trained on ephemeral defenses also generalize significantly better across other randomized defense families than attacks trained on static defenses.

2026-pulls-ephemeral-network-layer-fingerprinting §3.3, §5.4 defense

Padding-only defenses that inject bursty traffic cause severe additional delay under realistic network bottlenecks: Break-Pad's delay overhead increases from 0% to 332.6% and FRONT's from 0% to 111.2% under a per-trace simulated PPS bottleneck. Even ephemeral padding defenses induce 43.9% delay overhead under bottleneck conditions, compared to 0% without a bottleneck, due to congestion from dummy packets.

2026-pulls-ephemeral-network-layer-fingerprinting §5.2, Table 1 evaluation

With infinite training time, Laserbeak achieves 93.5%, 95.9%, and 95.9% accuracy against ephemeral padding, FRONT, and Interspace respectively, compared to 96.5% undefended — confirming that padding-only defenses provide no meaningful protection against a sufficiently trained deep-learning WF adversary. Only ephemeral blocking defenses retain measurable protection, reducing Laserbeak to 71.8% accuracy under infinite training versus 96.5% undefended.

2026-pulls-ephemeral-network-layer-fingerprinting §5.3, Table 2 evaluation

The PPBR (probabilistic profile-based routing) protocol leaks user community membership through observable routing decisions: in a controlled experiment with 800 majority and 200 minority users, a statistical disclosure attack achieved a true positive rate of 100% and false positive rate of 0% when identifying minority users. Even under a conservative PPBR configuration (top 1/3 fraction acceptance), the attack achieved 100% TPR and only 0.4% FPR.

2026-ratliff-mirage §V detection

Russia's Ministry of Digital Development issued guidelines effective April 15, 2026 requiring popular apps to detect and restrict access from VPN-using devices. RKS Global's analysis of 30 popular Russian Android apps found that 22 of 30 implement VPN detection, and 19 of those transmit the detected VPN status to their servers. This represents a shift from network-layer blocking (TSPU) to app-layer enforcement as an additional censorship vector.

2026-rks-russian-apps-vpn-detection §3, §4 policy

Banking apps from major Russian institutions (Sber, T-Bank, VTB, Alfa-Bank) combine VPN detection with behavioral biometrics — screen pressure, touch coordinates, and gesture timing — enabling cross-account re-identification of users behind proxies. 11 apps received a "RED" (maximum surveillance) rating. T-Bank, Yandex services, and MAX additionally deploy active anti-analysis features that detect research tooling on the device (rooted devices, emulators, Frida, etc.).

2026-rks-russian-apps-vpn-detection §5, §6 detection

The RKS Global report documents a two-tier Russian censorship architecture: TSPU network-layer blocking (documented by Xue et al. 2024) at the ISP level, now supplemented by mandated app-layer VPN detection in the 30 most popular Russian Android apps. This layered approach means a circumvention tool that successfully bypasses TSPU at the network layer can still be detected and reported by the app layer, closing the gap that network-only circumvention leaves open.

2026-rks-russian-apps-vpn-detection §2, §7 deployment

CNN-based passive traffic analysis failed to deanonymize I2P services when transferred from a controlled lab to the public I2P network. Lab-trained models produced mostly unusable results: the 'Without port' variant misclassified Class 2 packets at 71.6–88.4× the true count, and the 'Without payload' variant was only marginally better (12.8–13.2× false positives), demonstrating that lab-learned patterns do not generalize to real-world I2P traffic.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Fourth Experiment / Table VIII detection

Applying Fano's inequality, the paper proves Pe ≥ (H(X)−1)/log|Θ|, showing that deanonymization error rate approaches 1 (perfect anonymity) when the anonymity set |Θ| is large and mutual information leakage I(X;Y) between observed traffic Y and target identity X is minimized. A uniform default tunnel length of 3 hops across all nodes, for example, contributes no differential leakage because p(y=3)=1, illustrating that standardized network parameters reduce identifiability.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §III-A, Equation (2) detection

Lab-trained CNN models completely failed to generalize to real public I2P network traffic: the 'without payload' variant produced 12.8–13.2× more false positives for the target service class than ground-truth packets actually existed (Table VIII), rendering all models forensically unusable. The authors conclude that heterogeneity and dynamism of real-world I2P traffic prevents lab-derived classifiers from achieving practical deanonymization.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Experiment 4, Table VIII evaluation

I2P payload entropy is close to 8 bits per packet (Figure 9), confirming strong encryption that renders payload content analytically unusable. Across all CNN experiments, models trained on payload data alone achieved 72.5–76.5% accuracy versus 95.17–99.5% for metadata-only variants; encrypted payload acted as 'noise that confused the model' rather than as a signal.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §IV-A, §V Experiment 2, Table IV detection

Unsupervised k-Means clustering over I2P flow features (port, payload length, protocol) found no natural cluster structure: distortion decreased nearly linearly with k up to k=20 with no elbow, indicating I2P traffic lacks the simple separable patterns that enable clustering-based traffic classification. The 435-packet dataset yielded one cluster of 75 and clusters as small as 3, with no forensically useful groupings.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V First Experiment / Figure 12 detection

Unsupervised k-Means clustering on I2P traffic features (port, payload length, protocol type) produced no natural cluster structure — distortion decreased almost linearly with k showing no elbow point — confirming that I2P's obfuscation successfully destroys simple separable patterns that shallow classifiers rely on. CNNs were required to detect any signal at all.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V First Experiment, Figure 12 evaluation

Under controlled lab conditions, a CNN trained on packet metadata (ports, sizes, TCP sequence numbers) achieved 99.5% accuracy classifying I2P packets with the 'Without payload' variant, versus only 72.5–76.5% using encrypted payload alone. However, when applied to the full recorded dataset, the 'Without payload' model's accuracy for the dominant irrelevant-traffic class dropped to 95.17% while maintaining 100% on target-class packets — but with a high false-positive rate making it forensically unreliable.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Second Experiment / Table IV–V detection

CNN models trained on I2P lab traffic achieved 99.5% validation accuracy using metadata alone (packet sizes, ports, TCP sequence numbers) versus only 72.5–76.5% accuracy when using encrypted payload only. This demonstrates that packet metadata is far more discriminating than payload content for traffic classification in encrypted anonymity networks.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Experiment 2, Table IV evaluation

Joint multi-task training with a combined loss L_joint = L_site + λ·L_pers shows that increasing λ from 0 to 2 raises mixed-site persona accuracy from approximately 45% to approximately 80% while website accuracy declines only from approximately 90% to approximately 75%, demonstrating a wide regime where an attacker can gain strong persona inference at modest cost to existing WFP capability.

2026-song-personafingerprint-measuring-persona §4.4, §5.7.2, Figure 5 detection

Using only 1,000-packet windows of signed packet lengths and inter-arrival times (no payload, no URLs, no cookies), a passive adversary achieves approximately 84% accuracy at inferring behavioral persona in a mixed-site open-world setting spanning 10 modern websites and 15 canonical personas plus an open-world class. Per-site persona macro-F1 typically ranges from about 0.78 to 0.91 across representative platforms including Bilibili, eBay, Yahoo, Zhihu, and LinkedIn.

2026-song-personafingerprint-measuring-persona §5.3, §5.5, Abstract detection

In open-world evaluation, an average of 34.4% of traffic from unseen personas is misattributed to a specific canonical persona (MisAttr@OW), and misattributions concentrate heavily: on average 58.7% of misattributed windows fall into just the top-3 canonical personas, rising to 66.8% and 69.3% on Bilibili and Zhihu respectively. The classifier correctly rejects unseen personas as OW with an average F1 of only 65.6%.

2026-song-personafingerprint-measuring-persona §5.4, Table 2 detection

Attack accuracy scales steeply with persona-labeled training data: mixed-site open-world persona accuracy rises from 55.0% at 500 windows/persona to 65.0% at 1,000, 76.0% at 2,000, and 84.0% at 5,000 windows/persona across 10 sites (results consistent across 3 random seeds with std ≤1.0%). LLM-driven browsing agents make large-scale persona-labeled traffic generation practical for adversaries.

2026-song-personafingerprint-measuring-persona §5.6, Table 3 evaluation

A site-only WFP encoder trained without any persona labels already encodes substantial persona information: attaching a lightweight MLP probe to its frozen representations recovers persona accuracy roughly 20–30 percentage points above a random-encoder baseline across all 10 sites (e.g., approximately 53% vs. 21% on Amazon, 49% vs. 27% on YouTube, using the same probe architecture and training budget).

2026-song-personafingerprint-measuring-persona §4.5, §5.7.1, Figure 4 detection

The vanilla range-coding baseline suffers from two provable security failures that RRC corrects: (1) distortion of the token probability distribution because interval boundaries do not align with token probabilities, and (2) randomness reuse across sampling steps, which exposes detectable statistical bias. The rotation mechanism specifically addresses both by introducing fresh PRNG-seeded randomness o~U(0,1) at each step and applying a modulo rotation to the decimal state.

2026-yan-efficient-provably-secure §3.2, §4 defense

Rotation Range-Coding (RRC) steganography achieves approximately 100% entropy utilization (99.98% on GPT-2) while maintaining zero KL divergence at every generative step, outperforming all prior provably-secure baselines: SparSamp at 96.76%, Discop w/ sort at 95.17%, iMEC at 71.44%. The rotation mechanism transforms the discrete uniform random variable into a continuous uniform at each step, preserving the original LM probability distribution exactly.

2026-yan-efficient-provably-secure §5.3, Table 1 defense

Fine-tuned BERT and RoBERTa steganalysis discriminators achieve only 47.8–50.6% detection accuracy across GPT-2, OPT-1.3B, and Llama-2-7B stegotext — indistinguishable from random guessing. Human evaluators perform similarly poorly (46.6–50.6% accuracy, F1 ≤ 51.5%), while the paper notes statistical classifiers already outperform humans on this discrimination task.

2026-yan-efficient-provably-secure §6.5, §6.6, Table 3, Table 8 evaluation

A plug-and-play Boundary Preserving Aggregation Module (overlapping window partitioning with joint packet- and burst-level features, W=20ms, stride=10ms) consistently improves existing WF baselines without architectural modification: applied to DF, AUC rises from 0.780 to 0.901 and P@5 from 0.315 to 0.545; applied to ARES'25, P@5 rises from 0.869 to 0.900 in the open-world 5-tab setting. The module's consistent gains across all three tested baselines confirm that fixed non-overlapping window segmentation is a structural vulnerability in prior WF pipelines.

2026-yuan-demux-boundary-aware-multi-scale §V-G, Figure 5 detection

DEMUX achieves a P@5 of 0.943 and MAP@5 of 0.961 in the closed-world 5-tab multi-tab website fingerprinting setting, outperforming the strongest prior baseline (ARES'25) by 9.2 and 6.2 percentage points respectively. ARES'25's P@K degrades from 0.900 at 2-tab to 0.851 at 5-tab (a drop of 4.9 pp), while DEMUX improves from 0.926 to 0.943 over the same range, expanding the absolute margin from 2.6 to over 9 points.

2026-yuan-demux-boundary-aware-multi-scale §V-B, Table II detection

In the open-world 5-tab setting — where each trace contains one unmonitored site, substantially increasing noise and class imbalance — DEMUX achieves AUC of 0.998, P@5 of 0.951, and MAP@5 of 0.966, while ARES'25 achieves 0.988/0.869/0.911. DEMUX's advantage widens in the open-world setting (the P@5 gap grows from 2.6 pp to 8.2 pp versus closed-world), confirming that state-of-the-art WF attacks are not defeated by open-world conditions or unmonitored co-browsing traffic.

2026-yuan-demux-boundary-aware-multi-scale §V-C, Table III detection

The Traffic Aggregation Matrix (TAM) representation used by the RF baseline — which counts directional packet counts over fixed time slots rather than tracking per-packet sequences — shows unexpectedly strong robustness under TrafficSliver, achieving P@2 of 0.702, substantially exceeding all other CNN-based methods under that defense. Var-CNN similarly achieves P@2 of 0.826 under TrafficSliver despite mediocre no-defense performance, suggesting that tolerance to partial packet loss is architecturally separable from peak single-observer accuracy.

2026-yuan-demux-boundary-aware-multi-scale §V-D, Table IV evaluation

Under the TrafficSliver defense — which splits traffic across multiple Tor entry nodes so no single observer sees more than a partial fraction of packets — TMWF collapses to a P@2 of 0.399 and ARES'23 to 0.429, while DEMUX retains a P@2 of 0.940, exceeding the next-best competitor by 2.5 points. WTF-PAD and FRONT are substantially weaker defenses, with most methods maintaining near-baseline performance under WTF-PAD.

2026-yuan-demux-boundary-aware-multi-scale §V-D, Table IV evaluation

Across all 7 LLMs tested (GPT 4o, GPT 4o Mini, Gemini 1.5 Flash, Gemini 1.5 Pro, Llama 3.2, Claude 3.5 Haiku, Claude 3.5 Sonnet), statistically significant evidence of censorship bias was found in at least one evaluation metric per model: responses to Simplified Chinese prompts were more neutral, more similar to sanitized text, and less opinionated than semantically identical Traditional Chinese prompts (p < 0.05 across refusal-rate, sentiment, CensorshipDetector classification, and word-embedding analyses).

2025-ahmed-llm-censorship-bias Table 4, §6 evaluation

CensorshipDetector, an XLM-RoBERTa model fine-tuned on 587,819 Baidu Baike articles (censored) and Chinese Wikipedia (uncensored), achieved 91% accuracy on a held-out validation set of Chinese news articles, correctly classifying 93% of Chinese state media articles as censored and 87% of New York Times Chinese articles as uncensored, with average censorship scores of 0.93 and 0.13 respectively.

2025-ahmed-llm-censorship-bias §4.7, §4.7.2 evaluation

Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.

2025-amnesty-pakistan-shadows §3, §5 deployment

Simulating a shift from a 0% to 100% male dataset sample changes Shannon entropy estimates by more than 10% for User-Agent (downward) and more than 68% for WebGL Renderer (upward), revealing that prior large fingerprinting studies — Panopticlick (83.6–94.2% unique, predominantly reached via tech-oriented channels) and AmIUnique (90% desktop unique) — likely misrepresent real-world risk due to uncontrolled male bias, as confirmed by a directly comparable study showing 76.5% male participants.

2025-berke-unique-whose-web §6, Figure 4 evaluation

A simple three-hidden-layer MLP trained on only 13 standard browser attributes achieves AUROC above 0.5 for every tested demographic group: gender 0.663–0.679, age 55+ 0.644, Hispanic ethnicity 0.60, Asian race 0.698, Black race 0.677, and high-income bracket 0.617. Because the model used only attributes already collected by mainstream fingerprinting scripts (e.g., FingerprintJS), richer real-world attribute sets would yield substantially higher demographic inference accuracy.

2025-berke-unique-whose-web §7.1, Table 5 detection

Screen resolution (572 distinct values, 4.5% unique, entropy 5.51), WebGL Unmasked Renderer (654 distinct values, 3.2% unique, entropy 6.833), and User-Agent (434 distinct values, 2.8% unique, entropy 4.613) are simultaneously the most uniquely identifying individual attributes and the strongest demographic predictors by normalized mutual information across all five demographic categories tested (gender, age, income, Hispanic ethnicity, race).

2025-berke-unique-whose-web §7.2, Figure 6, Table 1 detection

The September 2025 leak of ~600 GB from Geedge Networks and the MESA Lab (Institute of Information Engineering, Chinese Academy of Sciences) is the largest known document disclosure from the GFW vendor ecosystem. It establishes a direct lineage: MESA Lab (founded 2012 by Fang Binxing's team, annual contracted revenue >35M RMB by 2016) spun out Geedge Networks in 2018, with MESA alumni filling key engineering roles (e.g. Zheng Chao as CTO). The leak includes ~64 GB of MESA git repositories, ~35 GB of MESA internal documents, ~15 GB of Geedge internal documents, and a ~3 GB Jira export — providing direct access to source code, work logs, and internal communications behind GFW R&D.

2025-geedge-mesa-leak §4 deployment

Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.

2025-geedge-mesa-leak §5, §6 deployment

InterSecLab frames the Geedge/TSG export program as the commoditization of national firewall capability: rather than each censor state independently developing detection infrastructure, they contract Geedge for a turnkey system incorporating the cumulative R&D of MESA Lab (>10 years, National Science and Technology Progress Award winners). This structural shift means the marginal cost for an autocratic government to acquire GFW-grade censorship is now a procurement decision, not a multi-year engineering program. The report identifies that Geedge's relationship with the MESA Lab gives customer states indirect access to ongoing academic R&D improvements, not just a static product.

2025-interseclab-internet-coup §2, §6–§7 (InterSecLab report) policy

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) detection

The report traces the specific corporate pathway through which Geedge Networks exported GFW-derived technology to Myanmar: via front companies, shell entities, and Belt and Road Initiative contract frameworks that obscure the Chinese state's direct involvement. The report names at least three intermediary entities used to transfer equipment and technical personnel to the Myanmar military, and documents that the same export channel was used for ongoing product updates post-deployment.

2025-jfm-silk-road-surveillance §4, §6 policy

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 deployment

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 detection

The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.

2025-pereira-extended §2.2 defense

Security arguments for existing circumvention systems are based on ad-hoc adversary models that are often incomplete or unrepresentative of real-world adversaries, leading to allegedly secure designs that fail against relatively straightforward attacks. Protocols that substitute or parasitize a cover application's encrypted traffic channel fail against application-aware adversaries who observe or induce violations of application-specific behavioral invariants — a weakness that pre-trained classifiers on custom traces fail to surface.

2025-pereira-position §1, §2 defense

An adversary's false positive rate against a circumvention tool depends critically on the statistical properties of background traffic; if background traffic is modeled inaccurately (e.g., with toy uniform distributions), formal detection bounds are not meaningful. The paper proposes a hybrid pipeline: train NetDiffusion on real packet-level traces from campus networks or backbone providers, sample synthetic background traffic, extract empirical mean/variance, and integrate those distributions into EasyCrypt formal models to produce statistically grounded detectability proofs.

2025-pereira-position §3 evaluation

A Random Forest classifier trained solely on structural features of third-party request trees achieves ROC AUC of 0.81 and 72% balanced accuracy across 4,660 news domains with ≥50 daily observations. Performance degrades to ROC AUC 0.78 and 0.68 for domains requiring ≥100 and ≥150 daily observations respectively, driven by reduced training-set size rather than feature quality.

2025-sivan-sevilla-probing §5.1, Table 3 evaluation

The five most important predictive features are: (1) average children per non-leaf tree node, (2) 7-day rolling average of maximum tree breadth, (3) 7-day rolling average of average breadth, (4) average children per parent, and (5) 7-day rolling average of third-party requests. Temporal stability features (rolling means and daily deltas) rank ahead of most static snapshot features, indicating that behavioral consistency over time is more discriminative than point-in-time structure.

2025-sivan-sevilla-probing §5.1, Figure 4 detection

Of 8,004 unique third-party domains identified across 3,410 crawled news sites, 997 appear exclusively on untrustworthy websites and 2,992 appear exclusively on trustworthy ones. Domains disproportionately associated with untrustworthy sites include Yandex, Zamanta, and PayPal; domains exclusive to trustworthy sites are predominantly small-to-medium advertising and analytics actors rather than major platform giants.

2025-sivan-sevilla-probing §5.2 evaluation

Trustworthy news sites show dramatically more complex third-party structures than untrustworthy ones: mean MaxBreadth 39.22 vs 19.63, mean ThirdPartyRequests 137.45 vs 74.12, and mean unique third-party domains 44.15 vs 20.31. This finding reverses prior work (Han et al. 2022) and the authors attribute it to untrustworthy sites being under-resourced and optimized for content spread rather than user experience.

2025-sivan-sevilla-probing §5, Table 1 detection

Circuit fingerprinting from a guard-relay position achieves ≥99.9% accuracy with FPR ≤0.1% for all four Tor circuit types (general, HSDir, introductory, rendezvous) using the Deep Fingerprinting classifier on the first 512 cells, despite Tor's deployed partial defenses. Onion-Location fingerprinting (OLF) combining these circuit classifiers then achieves 98.81–99.87% accuracy (FPR 0.16–1.23%) distinguishing O-L sessions from ordinary clearnet or onion-only visits.

2025-syverson-onion-location-measurements-fingerprinting §5.1–5.2 detection

The paper enumerates five adversarial attack surfaces against a video-steganography UP channel: (1) wholesale blocking of the hosting platform, (2) mass-scanning and blocking encoded videos (noted as generally cost-prohibitive per the steganography literature), (3) enumerating videos via pseudorandom tags (feasible but hampered by tag-list overlap with unrelated content and time-window dynamics), (4) banning accounts posting encoded videos, and (5) tracking anticensorship users viewing encoded content. The pseudorandom tag window design specifically prevents preemptive enumeration because the top-n results for a tag at epoch t differ from those at t±1.

2025-vines-extended §2.1 detection

State-of-the-art ML classifiers (Deep Fingerprinting, Decision Tree, Random Forest, nPrintML) trained on known UPGen protocols and benign traffic always incur high out-of-distribution false-positive rates when attempting to block unknown UPGen protocols — in the vast majority of experiments the OOD FPR is 100%. The one exception (SSH OOD, Deep Fingerprinting) achieved a UPGen TPR of only 20%. By contrast, identical classifiers successfully generalize to block unknown Obfs4 flows with near-zero collateral damage in 3 of 4 cases.

2025-wails-censorship §4.3.3, Table 3, Table 4 evaluation

UPGen's generator samples 18 independent parameters to produce 4.2×10^22 distinct structured encrypted protocols (entropy 38.4 bits). Each proxy is assigned a unique generated protocol, so identifying one protocol exposes only a single proxy. The generator was designed by studying 27 real-world encrypted protocols and sampling from observed structural patterns (greeting strings, handshake patterns, field orderings, key encodings).

2025-wails-censorship §2.4, Table 1 defense

Combinations of Bayesian methods, data augmentation with mixup, and NOTA defensive padding cut the open-world false positive rate by up to 92% at 0.5 recall on HTTPS-only traffic and 75% on Tor traffic relative to the deterministic MSP baseline. Even with these improvements, sustaining a world size in the hundreds of millions (approaching YouTube-scale) requires accepting recall of 0.5–0.6 and precision of only 0.1–0.2; at precision 0.5 and recall 0.5, the maximum workable world size is only 37.5M for HTTPS-only (Table 3), far below YouTube's ~10 billion video catalog.

2025-walsh-improved-open-world-fingerprinting §4.5, Tables 1–3 evaluation

Extrapolating empirical FPRs using Wang's base-rate-adjusted precision formula (𝜋_r), the best HTTPS-only approach can sustain precision 0.5 at recall 0.5 only up to a world size of 37.5M videos; precision 0.1 at recall 0.5 extends to 337.5M — still short of YouTube's ~10 billion catalog (Table 3). For Tor, the corresponding limits are 4.8M and 42.9M, making dragnet surveillance of unselected users on large platforms effectively infeasible at any acceptable precision with current techniques.

2025-walsh-improved-open-world-fingerprinting §4.5.1, Tables 3–4 evaluation

When a fingerprinting model is trained on traffic collected from one geographic vantage point and tested on traffic from a different continent, the HTTPS-only open-world FPR at 0.5 recall increased by factors ranging from 2.8x (EU-West-2) to 50.3x (Africa) relative to the same-vantage baseline — despite 60-way closed-world accuracy remaining above 0.99 across all vantage-point pairs (Table 5). For Tor traffic the effect was weaker but still reached 25.2x (Asia-Pacific Southeast-1), showing path diversity also disrupts Tor-based fingerprinting.

2025-walsh-improved-open-world-fingerprinting §5.1, Table 5 evaluation

The paper establishes, for the first time in a large open-world scenario (64,000 unmonitored test videos), that HTTPS-only video stream fingerprinting is significantly easier than Tor-based fingerprinting because DASH adaptive bitrate selection introduces a second-order network-condition effect: clients request entirely different video segments at different quality levels depending on path conditions, causing traffic traces from different geographic vantage points to diverge at the application layer even when network conditions are nominally similar. This makes NOTA and synthetic training sample techniques less effective on Tor data due to inherent trace noisiness.

2025-walsh-improved-open-world-fingerprinting §4.5, §5.1 evaluation

Tor provides substantial and measurable protection against video stream fingerprinting: the best-case FPR at 0.5 recall is 0.0000063 for Tor versus 0.0000008 for HTTPS-only connections, roughly an 8x increase. Translating to world sizes, at 0.5 recall and 0.1 precision the maximum viable platform catalog is 42.9M videos over Tor versus 337.5M over HTTPS-only (Tables 3–4), confirming Tor degrades adversary capability even after an assumed prior website-fingerprinting step that identifies video platform visits.

2025-walsh-improved-open-world-fingerprinting §4.5.1, Tables 3–4 evaluation

Hysteria and TCP-Brutal maintain fixed sending rates regardless of packet loss, causing them to transmit at rates several orders of magnitude higher than loss-based CCAs (TCP/QUIC Cubic) at a 5% packet loss rate on a 100 Mbps link with 60ms RTT. This non-compliance with standard congestion backoff is reliably detectable across RTTs from 15ms to 300ms and loss rates from 0.1% to 20%.

2025-wang-custom §4.1 detection

A two-stage threshold classifier evaluated on 10,080 synthetic flows across 1,260 network condition combinations (20 RTTs × 21 loss rates × 3 bandwidths) achieved 100% accuracy in Stage 1 separating loss-based from non-loss-based CCAs, and produced only 16 false positives from BBR flows in Stage 2, correctly flagging all 1,257 Hysteria and 1,257 Brutal flows as custom CCAs.

2025-wang-custom §5, Table 1 evaluation

The paper proposes a black-box methodology for detecting censorship bias in LLMs by comparing responses to identical prompts in Simplified vs. Traditional Chinese — scripts for the same spoken language — controlling for translation quality while exploiting that Simplified Chinese training data is disproportionately sourced from mainland China's censored internet. Each prompt is repeated ten times and scored for similarity to censored text using an XLM-RoBERTa classifier fine-tuned on Baidu Baike (censored) vs. Chinese Wikipedia (uncensored) with scores from 0 to 1.

2024-ahmed-extended §2 / §2.4 evaluation

Majority-vote ML inference (OCSVM + IF) over OONI data uncovered at least 5 previously undocumented DNS injection IPs active in Russia (e.g., 195.19.90.226, 95.167.13.51, 61.95.167.13.50, 188.19.132.154, 144.85.142.29.248) absent from OONI's existing blocking-fingerprints database, along with novel fingerprints in Italy, Czech Republic, and the UK. Records with fewer than 50 instances were excluded as a conservative false-positive filter.

2024-calle-toward §4.3, Table 5 detection

XGBoost trained on a single month of OONI data achieves near-optimal performance; expanding the training window to 24 months produces deviations of only 0–5 percentage points for FNR, 0.07 PP for FPR, and 0.10 PP for accuracy — suggesting that larger windows introduce noise and overfitting rather than improving detection. Isolation Forest performance degrades more sharply, with accuracy dropping ~5 PP as training data grows beyond 6 months.

2024-calle-toward §4.2, Figure 3 evaluation

For the Isolation Forest model, resolver ASN (SHAP importance 0.237) and probe ASN (0.220) are the two most predictive features for DNS tampering, reflecting that censorship is topologically concentrated at specific network vantage points. For XGBoost, headers_match dominates (0.317), followed by asn_control_match (0.177), indicating that supervised models rely more on cross-layer consistency signals. DNS tampering represents only 0.5–0.8% of all OONI measurements across 2022–2023 (Figure 2), creating severe class imbalance in any training set.

2024-calle-toward §4.1, Table 4, Figure 2 detection

XGBoost achieves a False Positive Rate of 0.0005, True Positive Rate of 0.9403, and overall accuracy of 0.9991 on OONI global DNS measurement data (2.5% stratified sample), vastly outperforming unsupervised alternatives: Isolation Forest achieves FPR 0.1321 / ACC 0.8699, and One-Class SVM degrades to FPR 0.9711 / ACC 0.0598, making OCSVM effectively unusable for this task.

2024-calle-toward §4.1, Table 3 evaluation

CenDTect (Tsai et al., NDSS 2024) uses decision trees and a novel clustering method on Censored Planet plus OONI data to identify blocking policies and provide interpretable insights at local and country levels. A separate approach (Duncan & Chen, 2023) applies sequence-to-sequence models and CNN image classification — treating network reachability data as grayscale images — to distinguish censored from uncensored content.

2024-gao-extended §2 Related Works evaluation

Brown et al. (2023) combined supervised ML models trained on expert-labeled data with unsupervised models establishing a baseline of 'normal' behavior to detect DNS-based censorship from Satellite and OONI datasets, achieving high true-positive rates for both known and new DNS censorship instances. The hybrid supervised/unsupervised approach is proposed as a template for the LLM-based system.

2024-gao-extended §2 Related Works evaluation

The proposed LLM-based censorship detection system plans to use ICLab as the primary dataset for its semantic richness across all network-stack levels, then cross-reference with OONI and Censored Planet to reduce false negatives. The paper explicitly notes ICLab lacks the scale and geographic coverage of OONI/Censored Planet but offers richer per-measurement context suited to LLM feature learning.

2024-gao-extended §4 Proposed Future Works evaluation

The daily volume of network reachability data collected by censorship monitoring platforms such as ICLab, OONI, and Censored Planet surpasses the 16 GB Books Corpus and English Wikipedia that BERT was trained on. This scale mismatch motivates applying LLMs — which thrive on large unlabeled corpora — to censorship measurement data rather than hand-labeling for rule-based systems.

2024-gao-extended §2 Related Works evaluation

Rule-based censorship detection systems rely on predefined regular expressions designed by human experts and fail to adapt to evolving censor techniques, leading to false negatives and poor scalability as data volume grows. In contrast, learning-based models are described as thriving on large data volumes and offering contextual understanding that rule-based systems lack.

2024-gao-extended §1 Introduction evaluation

ML-based VPN classifiers report FPRs of 1.4–5.5%, all exceeding the GFW's estimated practical threshold of 0.6%, while the simple RFC-heuristic approach achieves 0.11%; this indicates that real-world censors are more likely to adopt lightweight heuristic detectors than opaque ML pipelines.

2024-hanlon-detecting §4.2 Overall Classifier Results evaluation

An attacker who generates 10 defended copies of each training trace (re-sampling noise each time) improves Tik-Tok accuracy against DeTorrent from 31.9% to 48.2%, demonstrating that dataset augmentation with multiple defended samples is a practical countermeasure against randomized padding defenses including DeTorrent and FRONT.

2024-holland-detorrent §6.4 detection

Against the state-of-the-art DeepCoFFEA flow-correlation attacker, FC-DeTorrent reduces the true positive rate at a 10^-5 false positive rate to approximately 0.12 — less than half that of the next-best defense Decaf (TPR ≈ 0.29) — while using 97.3% bandwidth overhead, without delaying any real traffic packets.

2024-holland-detorrent §4.2, §6, Table 5 evaluation

DeTorrent reduces closed-world Tik-Tok attack accuracy from 93.4% to 31.9% on the BE dataset — 10.5 percentage points better than the next-best padding-only defense (FRONT at 42.4%) — and reduces Deep Fingerprinting accuracy from 94.3% to 30.0%, at a bandwidth overhead of 98.9%. On the larger DF dataset, Tik-Tok accuracy falls from 97.7% to 79.5%.

2024-holland-detorrent §6.1, Table 4 evaluation

Censors employing deep learning can use DTLS connection duration as a precise identifier to classify and block Snowflake traffic. The paper proposes switching PT connections after a variable time limit as a countermeasure to prevent duration-based classification.

2024-lorimer-extended §4.3 detection

The authors propose a 'shim' pluggable transport that splits client traffic across N PT connections using unmodified existing PT bridges as proxies and a gateway bridge that correlates streams back into a Tor circuit via the Turbo Tunnel reliability pattern. This architecture enables all existing and future PTs to benefit from traffic splitting without modifying each PT's client or server code individually.

2024-lorimer-extended §3 defense

Because traffic splitting is not ubiquitous network behavior, split PT traffic may appear anomalous to a censor, allowing them to distinguish normal PT use from split PT use even without classifying the underlying protocol. The authors flag this as a key open risk to be evaluated empirically and note that splitting across multiple bridges or multiple PT types may simultaneously raise and lower different detection signals.

2024-lorimer-extended §4.3 defense

When a user splits traffic across N paths, a censor observing a single path sees only a partial trace, substantially reducing the accuracy of classifiers trained on complete network traces. Prior Tor traffic-splitting work (TrafficSliver, CoMPS, multipath Tor studies) has validated this defense against website fingerprinting outside the PT context.

2024-lorimer-extended §1, §4.2 defense

Across five popular translation services available in China (Alibaba, Baidu, Tencent, Youdao, and Microsoft Bing), researchers discovered 11,634 unique censorship rules in total. Every service — including the American-operated Bing Translate — implemented automatic censorship that silently omits content, with only Alibaba displaying any notification ('Query csi check not pass') to the user.

2024-ruo-lost §6 Results / Table 2 evaluation

Evidence from Youdao Translate suggests it deploys a machine-learning or NLP-based classifier alongside keyword rules: measured rules included repeated components (e.g., 螺+螺+螺+螺+螺+螺+蟢+D+哒+大) and nonsensical multi-token sequences that no human rule author would write, yet which consistently triggered censorship. Youdao returned 9,414 unique rules from the general test set — the most of any service — while also producing the most structurally anomalous rule patterns.

2024-ruo-lost §6 Results / §10 Future Work evaluation

CenDTect uses cross-classification accuracy — how well a decision tree trained on one domain's blocking pattern predicts another domain's blocking — as a distance metric to cluster domains that share the same blocking policy. This metric outperforms prior time-series approaches because it is interpretable (the resulting decision tree directly reveals the blocking mechanism: which ISP, which port, which protocol) rather than producing opaque anomaly scores. The approach scales to planetary-measurement volumes without requiring labelled training data.

2024-tsai-modeling §3 (CenDTect Design), §5.3 evaluation

CNN-based deep learning reduces obfs4 false positive rate by an order of magnitude versus the best decision tree (FPR 2.9×10⁻³ vs. 3×10⁻²) while maintaining 100% recall, and achieves near-perfect Snowflake data-flow detection (Precλ=1k = 0.95, Fλ=1k = 0.97). However, at realistic base rates λ > 10⁶ all CNN classifiers still yield near-zero precision, leaving per-flow deep learning alone insufficient for nation-state-scale deployment.

2024-wails-precisely §V-C, Table IV, Figure 5 detection

The paper identifies that circumvention systems relying on long-lived, consistent proxy servers are fundamentally vulnerable to host-based temporal detection regardless of per-flow obfuscation quality, and recommends adversarial examples, ephemeral obfuscation servers, and programmable or polymorphic protocols as countermeasures. Snowflake's volunteer-browser proxy architecture—where proxies are ephemeral and addresses are not reused—is highlighted as inherently more resistant to host-based classification than static bridge designs like obfs4.

2024-wails-precisely §I, §VI discussion, §VII defense

State-of-the-art ML-based obfs4 detection (Wang et al. decision tree) achieves 97% precision at equal base rates (λ=1) but precision collapses to 3% at a still-conservative λ=1,000; at λ=10⁶ precision approaches zero for all classifiers tested. This base-rate failure was previously uncharacterized because prior evaluations only considered balanced or near-balanced datasets.

2024-wails-precisely §IV-D (Scalability), Figure 3, Table I detection

Combining a CNN flow classifier with host-based temporal accumulation eliminates all false positive classifications after observing at most 38 flows per host while maintaining perfect recall for all obfs4 and obfs⋆ bridges. The scheme requires only 14 bits of state per (IP, port) pair; tracking 4×10⁹ destination services requires no more than 50 GiB of storage, feasible on commodity hardware.

2024-wails-precisely §VI-A–B, Algorithm 1, Table VI detection

obfs4 and obfs⋆ produce characteristic wire patterns—bursts of roughly MTU-sized payloads followed by a randomly-sized chaff packet—that CNN classifiers detect purely from packet-size sequences without payload inspection. A trivial per-bridge entropy-biasing re-encoding (obfs⋆) completely defeats the hand-tuned decision tree (0% precision, 0% recall) but does not reduce CNN detectability, because the CNN generalizes across size-distribution variants.

2024-wails-precisely §V-E, §IV-D-3, Figure 4 detection

Obfuscated proxy traffic (including Shadowsocks, VMess, VLESS, Trojan, obfs4, and REALITY) can be reliably fingerprinted by detecting encapsulated TLS handshakes — the inner TLS ClientHello that appears inside an outer encrypted tunnel. This fingerprint is protocol-agnostic: any proxy that wraps TLS-bearing application traffic will produce it. The authors deployed a similarity-based classifier within a mid-size ISP serving over one million users and demonstrated detection with minimal collateral damage.

2024-xue-fingerprinting Abstract, §5, §7 detection

China's local censorship operates through 'extra-institutional governance' (EIG) — practices that transgress the official identity and authorized means of the CAO system, including outsourced private surveillance, unpaid personnel secondment, and mass reporting via personal accounts — which upper-level offices tolerate but do not formally authorize, preserving plausible deniability when practices are ethically or legally questionable. The paper documents these as widespread implicit norms across China, not isolated to District T.

2024-zhang-toothless §Discussion and Conclusion policy

A county-level CAO in east China (District T, ~500,000 residents) operated with only 7 formal employees yet was tasked with monitoring more than 60 social media platforms, detecting unwanted voices in text, image, video, and audio formats, and submitting hourly reports to upper-level offices — a workload the authors characterize as a 'mission impossible' for a county-level office.

2024-zhang-toothless §The case: the CAO in District T deployment

The District T CAO outsourced surveillance to a commercial SaaS platform ('Public Opinion Assistant') capable of scanning 180 million social media posts per day, processing 20 million posts per minute, and using supervised learning to classify 'negative voices' with performance comparable to human moderators. The platform generates ready-to-submit bureaucratic reports and maintains localized keyword lists that include euphemisms and homophones of censored terms as netizens update evasion strategies.

2024-zhang-toothless §Coping strategy 1: outsourcing surveillance to private service providers deployment

DeResistor's two-objective fitness function (balancing evasion success and detection probability) reduces flow-level detection rates from 96.27% → 45.06% against China's GFW, 99.50% → 34.93% against India, and 99.50% → 49.22% against Kazakhstan over 5 training generations, while in all cases preventing TRW from reaching an IP-block decision that would terminate training.

2023-amich-deresistor §5.1, §6.2, Table 1 defense

Geneva packet-manipulation probing traffic exhibits distinctive features — corrupt data-offset fields, smaller packet sizes, overlapping TCP segments, TTL variance, and non-zero SYN packets — that allow simple ML classifiers (Decision Trees, Random Forests, Logistic Regression, SVM) to detect it with AUC > 0.99. A subsequent TRW-based IP-level detector can then block the source IP with high confidence after inspecting only 2 Geneva probing flows.

2023-amich-deresistor §4.1–§4.2 detection

Interleaving a single normal benign flow (jump size J=1) after each detected probe prevents the TRW likelihood ratio from converging to the IP-block threshold across all 11 simulated censors and all three real-world censors tested; setting J>1 risks triggering a history-aware TRW reset that can paradoxically accelerate IP-level detection.

2023-amich-deresistor §5.2, §6.2 defense

DNS censorship complexity varies sharply by country: Iran injects static forged IPs exclusively from 10.0.0.0/8 and Turkmenistan uses only 127.0.0.1, making detection trivial, while China's constant fake-IP churn across ASes demands dynamic ML approaches; models trained without country-specific ASN features still perform well, enabling transfer to countries where GFWatch-equivalent infrastructure does not exist.

2023-brown-augmenting §5 detection

By mapping ML-predicted censored probes back to their DNS response IPs, the authors discovered 748 forged IP addresses used by China's GFW as DNS blocking signatures that OONI's heuristics missed; supervised and unsupervised models also identified several ISP-specific injected IPs absent from even GFWatch's comprehensive signature list, demonstrating that static signature lists substantially undercount active GFW DNS censorship.

2023-brown-augmenting §4.2, Table 4 evaluation

XGBoost supervised models trained on DNS probe features achieve TPRs of 100% (Satellite) and 99.8% (OONI) at FPRs of 0.0% and 0.2% respectively when using platform-native anomaly labels; cross-source training with GFWatch labels applied to the same records yields 99.4% TPR for Satellite and 86.7% TPR for OONI, with SHAP analysis confirming that ASN and organization name of the returned DNS response IPs are the dominant predictive signal.

2023-brown-augmenting §4.1, Table 2 evaluation

Unsupervised one-class SVM models trained only on clean (uncensored) records detect GFW DNS censorship with 99.1% TPR at 17.4% FPR on Satellite data; over half of apparent false negatives are truly uncensored probes where the GFW transiently failed to inject a forged response, confirming that GFW DNS injection is not perfectly consistent at the individual probe level.

2023-brown-augmenting §4.1, Table 3 evaluation

Discop achieves provably perfect steganographic security (DKL(Pc‖Ps) = 0) by constructing multiple 'distribution copies' of a generative model's predicted distribution and using the copy index to encode the secret message. Because all copies share identical token probabilities, the stego distribution is exactly equal to the cover distribution and no steganalyzer can perform better than random guessing.

2023-ding-discop §III defense

All prior provably-secure steganography methods introduce measurable distribution distortion: ADG achieves Max KLD of 4.54E-02 to 6.76E-02 bits/token, and Meteor with its heuristic sorting reaches Max KLD up to 9.01E+00 bits/token (Table II, GPT-2, p=0.80). These non-zero KL divergences give any statistical steganalyzer a non-negligible distinguishing advantage, violating the security definition even when average divergence appears small.

2023-ding-discop §V, Table II evaluation

Censors optimize for utility under asymmetric misclassification costs rather than raw accuracy: false positives (blocking legitimate traffic) carry economic and political costs that make censors conservative about deploying classifiers with high false-positive rates. Multi-flow stateful classifiers — such as the obfs4 Elligator probabilistic distinguisher, which requires correlating observations across multiple connections — are operationally more expensive than single-packet or connection-initiation classifiers, which the author suggests explains why probabilistic multi-flow distinguishers have not been exploited in practice even when theoretically available.

2023-fifield-comments §5 evaluation

Variable bitrate encoding (e.g., the OPUS codec's 6–510 kbps range) in VoIP protocols leaks content properties through packet timing, enabling ML classifiers to distinguish protocol tunnels from real conversations. An audio tunnel without timing shaping was identifiable with auROC 0.981 and aucPR 0.959 by an AutoGluon-Tabular classifier examining 1000-packet flow windows.

2023-jia-voiceover §2, §4.2 detection

Voiceover's DCGAN, trained on ~400 hours of two-person telephone conversations, generates conversation timing templates that constrain when the tunnel transmits audio. This reduces ML classifier performance from auROC 0.981/aucPR 0.959 (unshaped baseline) to auROC 0.682/aucPR 0.482, and the improvement holds at 500-packet windows (auROC 0.68/aucPR 0.50), suggesting robustness to memory-limited adversaries.

2023-jia-voiceover §3, §4.2, Table 2 defense

Protocol fingerprinting — including DPI-based identification of VPNs, circumvention tools, and E2EE messengers — was active in only 6% of countries during the measurement period (13% all-time), but all confirmed instances came from focused individual studies, not from mass measurement platforms like OONI or Censored Planet. The authors flag encrypted traffic analysis (ETA) tools and next-generation firewalls (NGFWs) capable of blocking Signal or Tor Browser as an emerging threat to freedom of expression.

2023-master-worldwide §4.3 detection

Classical public-key steganography (Algorithm 1 from [54]) has a 100% failure rate when encoding a 16-byte message using GPT-2, because GPT-2's per-token entropy drops near zero frequently and standard rejection sampling cannot find an acceptable token. Entropy bounding reduces failure to 0–10% but introduces detectable statistical bias: selected tokens come from a visibly different probability distribution than baseline samples.

2021-kaptchuk-meteor §4 Adapting Classical Steganographic Schemes / Figure 2b evaluation

Meteor encodes bits by embedding a PRG-masked random value into the token-sampling randomness of a generative model, recovering bits proportional to the shared prefix length of the sampled interval. Expected throughput per sampling event is asymptotically within 1/2 of the Shannon entropy of the channel (proven in Appendix A), so Meteor automatically adapts to high entropy variability without explicit signaling or padding.

2021-kaptchuk-meteor §5 Meteor / §5.2 defense

Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.

2021-kaptchuk-meteor §5.2 / §6 / Table 2 defense

OUStralopithecus (OUStral), a Selenium-based OUS implementing empirically-derived human browsing distributions — Weibull dwell times (λ=30s, k=0.75), Von der Weth action probabilities (45.1% internal-link clicks, 33% new-URL navigations), and Dubroy tab-switching rates — generated 471 requests with all Cloudflare Bot Management scores above the recommended blocking threshold of 30, while Slitheen and Waterfall consistently scored 1. Because Cloudflare has full HTTP-layer visibility (unavailable to a passive network censor), the paper argues a censor observing only encrypted traffic would be even less able to flag OUStral.

2021-lorimer-oustralopithecus §3.1, §5.2.1, Figure 6 defense

Traffic replacement systems that only shape individual HTTPS flows remain vulnerable to censors monitoring inter-connection patterns over time. Waterfall's OUS (reloading the same page every second), Slitheen's OUS (naïve PhantomJS with no crawling), and Slitheen++'s OUS all produced non-human connection patterns detectable at the session level even when per-flow content is well-concealed. OUStral addresses this by shaping the distribution and sequencing of connections across an entire browsing session.

2021-lorimer-oustralopithecus §1, §2.2, §3, §6 defense

Prior overt user simulators (OUS) using PhantomJS — including Slitheen, Waterfall, and Slitheen++ — received Cloudflare Bot Management scores of 1 (certainly bot-generated) and would be blocked by any operator following Cloudflare's recommended cut-off of 30. Slitheen++ improved marginally by adding user-agent randomization and brief inter-request pauses, but all PhantomJS-based OUS implementations were trivially detectable as bots.

2021-lorimer-oustralopithecus §5.2.1, Figure 6 detection

Across tunnelling systems that apply traffic shaping against ML adversaries, a clear throughput cost emerges: Slitheen + OUStral with WebM replacement achieves up to 2.2 Mbps with 4.7x overhead; Protozoa (WebRTC, end-to-end) achieves up to 1.4 Mbps; DeltaShaper (VoIP) achieves only 7 kbps at 2x overhead. By contrast, Conjure (no traffic shaping) reaches 100 Mbps. Additionally, end-to-middle decoy-routing deployments incur a throughput penalty from packet-boundary parsing at the relay station that end-to-end systems (Protozoa, DeltaShaper) avoid.

2021-lorimer-oustralopithecus §5.3.2, Table 2 evaluation

Extending Slitheen to replace WebM video/audio frames reduced mean overhead from ~20x (image-only Slitheen) to 4.7x (±1.6) over 100 ten-minute sessions, while raising throughput to a mean of 581.7 kbps in video-only mode (max 2023.3 kbps, min 78.2 kbps) and 721.6 kbps in background-video mode (max 1528 kbps). This compares favorably to DeltaShaper's 2x overhead at only 7 kbps and Protozoa's up to 1.4 Mbps, while preserving Slitheen's resistance to traffic-analysis attacks.

2021-lorimer-oustralopithecus §5.2.2, §5.3, Table 2, Figures 7–9 evaluation

A random-forest classifier trained on TCP statistics distinguishes Balboa-enabled traffic from baseline with 66–84% accuracy at zero network latency (key features: average TCP window advertisement and data transmit time), but accuracy falls to near-random (50–57%) once realistic latency is introduced (≥5 ms mean). Adding four additional innocent clients to the classification task further reduces accuracy—e.g., VLC at zero latency drops from 84% to 66%.

2021-rosen-balboa §6.3, Table 2, Table 3 evaluation

Traffic analysis comparing Camoufler clients (fetching blocked websites) to regular IM clients (exchanging multimedia) shows indistinguishable packet-exchange rates and packet-size distributions: a 1.3 MB document download via Camoufler peaked at >700 packets/s, matching the >800 packets/s spike from a 1.5 MB video download by a regular IM client. Packet sizes cluster identically in two bins (<100 bytes for ACKs; >1,200 bytes for data) regardless of whether the underlying content is a web page or a video.

2021-sharma-camoufler §5.1 evaluation

Protozoa's encoded media tunneling achieves an AUC of 0.59 against a state-of-the-art ML traffic classifier using packet-size and inter-arrival-time features—near the 0.5 random-guessing baseline—compared to >99% detection rates for prior tools such as Facet and DeltaShaper. To block 80% of Protozoa flows (TPR=0.8), a censor would erroneously flag approximately 60% of legitimate WebRTC flows (FPR=0.6). This resistance holds across trace durations from 10–60 seconds (AUC range 0.56–0.61) and across RTT, bandwidth, and packet-loss variations.

2020-barradas-poking §6.2, Table 1, Figure 8 evaluation

Protozoa creates a ≈1.4 Mbps covert channel over WebRTC by replacing encoded video frames with covert payload while preserving SRTP packet size and timing properties, making Protozoa flows 'hardly distinguishable from unmodified WebRTC streams using existing ML-based traffic classifiers.' Since all unencrypted packet fields remain intact, DPI cannot detect the tunnel either.

2020-barradas-towards §2 defense

Even when individual WebRTC flows pass traffic analysis, a censor can identify CRON users via three long-term statistical attack types: S1 (simultaneous video calls, atypical for normal users), S2 (sudden connections to previously unknown parties), and S3 (calls at anomalous times, frequencies, or durations). Relay nodes in multi-hop circuits are particularly exposed via S1 because conducting multiple simultaneous video calls is highly atypical in normal user profiles.

2020-barradas-towards §4.1 detection

Migrating the client IP address every 25–100 packets reduces state-of-the-art website fingerprinting attack accuracy to below 10% in the closed-world setting, outperforming advanced dedicated defenses such as HyWF multipathing. The mechanism works because most fingerprinting classifiers rely on as many packets per flow as possible, and flow splitting degrades feature quality.

2020-govil-mimiq §5 defense

Sibling transaction analysis across 45 million Bitcoin transactions (blocks 580,000–600,000, June–Oct 2019) shows 32% use the Pay2PKeyHash + Pay2ScriptHash combination MoneyMorph employs. In Monero, the two-input two-output structure matches 42% of all transactions. In Zcash, only 11–19% of transactions are shielded, giving it the lowest sibling rate despite the highest bandwidth.

2020-minaei-moneymorph §5.1, §5.3, §5.5, Table 1 evaluation

V2Ray clients emitted TLS ClientHello messages with a hardcoded, rarely-seen ciphersuite (fingerprint ID 8c48b95f67260663 on tlsfingerprint.io) that allowed a machine-learning classifier to identify V2Ray TLS traffic with 0.9999 accuracy; the same classifier could not accurately identify the traffic after the fingerprint was changed. The blocking rule based on the unique ciphersuite could be expressed in a single iptables line.

2020-v2ray-weaknesses §Unique TLS ClientHello Fingerprints detection

Frolov and Wustrow show that every major TLS-based circumvention tool (Tor Browser, Lantern, OpenVPN, Psiphon, etc.) produces a TLS ClientHello fingerprint that is statistically distinguishable from real Chrome or Firefox: differences include cipher-suite ordering, extension set, extension ordering, ALPN values, and curve preferences. A passive observer with a classifier over ClientHello fields can identify the tool with high precision without decrypting any traffic.

2015-frolov-the-use-of-tls §3–4 detection

An adaptive censor that retrains classifiers on both unmodified and GAN-transformed Meek traffic ('informed NN') partially recovers detection capability: informed NN achieves a PR-AUC of 0.440 against modified traffic versus 0.309 for the naive NN, and achieves FPR of 0.667 versus 1.000 for the naive NN. However, the informed NN suffers from catastrophic interference and performs worse on FPR than the naive classifier on unmodified data (0.545 vs. 0.002).

2019-sheffey-improving §5 Results, §6 Discussion detection

A GAN-based adversarial transformer applied to Meek traffic signatures increases mean classifier FPR from 0.183 to 0.834 and decreases mean area under the precision-recall curve (PR-AUC) from 0.990 to 0.414 across naive neural network, informed neural network, and CART decision tree classifiers evaluated on three geographically distinct datasets (residential, university, AWS).

2019-sheffey-improving §5 Results, Tables 1–2 evaluation

The paper identifies that Meek traffic is compared against average HTTPS traffic across all domains rather than against traffic specific to the CDN fronting host (e.g., ajax.aspnetcdn.com for meek-azure), meaning a transformed signature that mimics generic HTTPS may still appear anomalous relative to expected traffic to that specific CDN host. This dataset construction limitation means real-world GAN-guided shaping must target host-specific traffic baselines, not population-wide HTTPS baselines.

2019-sheffey-improving §6 Discussion defense

Prior ML classifiers achieve near-perfect detection of unmodified Meek traffic using side-channel features: Wang et al. attain a false positive rate (FPR) as low as 0.0002 with a CART decision tree, Yao et al. achieve 99.98% accuracy with a hidden Markov model, and Nasr et al. deanonymize Meek flows with FPR of 0.0005 using a neural network. The distinguishing features are TCP payload size distributions (Meek concentrates 60–70 byte payloads) and inter-arrival time distributions (higher latency).

2019-sheffey-improving §1 Introduction, §3 Feature Extraction detection

Incorporating perturbation loss — the mean absolute difference between original and transformed traffic signatures — into the GAN's training objective constrains the transformer to make minimal modifications, reducing the implementation overhead a real-time traffic shaper would require. The perturbation loss is weighted at 10× relative to classification losses, enforcing sparse modifications while still fooling the discriminator.

2019-sheffey-improving §4.2 Training defense

Capturing as little as 30 seconds of a multimedia-tunneling flow is sufficient for XGBoost to reach the same AUC achieved with a 60-second window (AUC=0.99 for Facet s=50%, AUC=0.95 for DeltaShaper h320×240, 8×8, 6, 1i at 30s). Classification performance degrades monotonically below 30 seconds, reaching AUC≈0.81 (Facet) and 0.75 (DeltaShaper) at 1 second.

2018-barradas-effective §4.6, Table 4 detection

CovertCast — which scrapes web content into colored-matrix frames broadcast over YouTube live streams — is fully detected by the χ² similarity classifier with TPR=100% and FPR=2%. The KL and EMD classifiers achieve TPR>96.5%, indicating the system provides essentially no unobservability in practice.

2018-barradas-effective §3, Table 1 detection

Feature importance analysis of XGBoost models reveals that Facet covert channels are identifiable primarily through packets in the 115–195 byte range (dominated by Skype audio packets), while DeltaShaper is identifiable through two distinct packet-length clusters: 85–100 bytes and 1105–1205 bytes. XGBoost assigns non-zero importance to only ~58% of the 300 quantized packet-length bins for Facet and ~42% of 600 bins for DeltaShaper, indicating that leakage is concentrated in a narrow portion of the packet-size distribution.

2018-barradas-effective §4.4, Figure 4 detection

Unsupervised and semi-supervised anomaly detection methods (OCSVM, Isolation Forest, shallow autoencoders) perform near-random when attempting to detect multimedia protocol tunneling: OCSVM achieves average AUC between 0.518–0.584 across all tested configurations, Isolation Forest between 0.519–0.557, and autoencoders reach a maximum AUC of 0.702 only under optimal hyperparameter search. The paper concludes that labeled training data is a hard requirement for effective covert-channel detection.

2018-barradas-effective §5, Table 5 detection

Decision tree classifiers (XGBoost) can flag 90% of Facet multimedia-tunneling traffic while erroneously flagging only 2% of legitimate Skype connections (FPR=2%). Against DeltaShaper at its most conservative configuration (h160×120, 4×4, 6, 1i), XGBoost achieves AUC=0.85, demonstrating that existing unobservability claims for all three systems (Facet, CovertCast, DeltaShaper) were flawed.

2018-barradas-effective §4, Table 3 detection

Information Gain feature selection from 408 candidates identified informal language markers (informal, nonflu, swear), Chinese modal and general particles signaling mood and relational framing, and physical-feeling words used metaphorically as the top predictors of censored Weibo content — all with statistically significant differences between censored and uncensored classes.

2018-ng-detecting §5, §6 detection

A Naive Bayes classifier built on 17 LIWC-derived and keyword features achieved 79.34% accuracy (10-fold cross-validation) predicting censorship of Sina Weibo posts, with precision 0.80 and recall 0.85 for the censored class — outperforming all single-domain feature sets including the full 408-feature combination (0.69 accuracy).

2018-ng-detecting §5, Table 1 detection

Sentiment analysis features (Baidu and Boson tools) achieved only 57% accuracy individually; censored posts averaged 53.9% negative sentiment (General model) versus 49.3% for uncensored — a difference too small to be operationally useful — indicating that sentiment polarity does not reliably distinguish censorable content from permitted content on Weibo.

2018-ng-detecting §4.3–4.5, §6, Table 1 detection

Ukraine and Scotland both used the same VPN provider yet Ukraine received 1,874 CAPTCHA challenges vs. 309 for Scotland, and 1,519 browser verification challenges vs. 1,091 — a roughly 6× and 1.4× difference respectively. Only Ukraine was flagged as a VPN or Tor node by OctoNet's HTTP filter, indicating that IP/ASN reputation drives security-motivated blocking independently of the transport protocol used.

2018-tschantz-bestiary §5, Table 2 detection

Packet-length frequency distributions reliably distinguish regular Skype calls from irregular streams using Earth Mover's Distance (EMD): regular streams consistently produce EMD < 0.1 against a reference stream, while irregular streams range from 0.025 to 0.25. At the breakeven threshold ∆I = 0.066, an EMD classifier achieves 83% accuracy (equal sensitivity and specificity). An aggressive policy (∆A) blocks 95% of legitimate calls to catch all irregular streams; a conservative policy (∆C = 0.11) passes 80% of irregular streams to avoid false positives.

2017-barradas-deltashaper §6.1, Figure 7 detection

Across eight combinations of traffic features (packet length, bi-gram packet length, inter-packet time, bi-gram inter-packet time) and two similarity metrics (EMD, KS), adversarial classification accuracy against DeltaShaper streams ranges from 72–90% in unperturbed conditions. Bi-gram inter-packet times with EMD achieves 88% accuracy, matching packet-length/EMD, but requires roughly 10x the computation (~64s vs ~6s). Bandwidth throttling to 300 Kbps degrades classifier accuracy from 88% to 75%, but also drops Skype frame rate from 30 to 5 FPS, creating collateral damage that limits censor deployment of throttling as a detection aid.

2017-barradas-deltashaper §6.4, §6.5, Table 3 detection

The classifier uses a 3,000-dimension binary vector recording which upstream and downstream packet sizes appear across the full session, combined with aggregate biflow statistics (total packets, burst length, transmission time, incoming/outgoing fractions). This packet-size histogram is the highest-dimensionality feature in the set.

2017-deng-random §IV.B, Table 1 detection

The authors trained on 1 GB of captured Shadowsocks traffic and 1 GB of non-Shadowsocks traffic from a single host, then tested on over 1 GB of each from 26 randomly selected hosts. The cross-host generalization of the model is demonstrated but no explicit false-positive or false-negative rates are reported.

2017-deng-random §V.B–C evaluation

A Random Forest classifier with 100 CART trees and a sqrt(C) feature-selection strategy achieves over 85% accuracy detecting Shadowsocks traffic from biflow statistics. Accuracy increases monotonically with train-set and test-set size before plateauing.

2017-deng-random §V, Abstract detection

The paper identifies that Shadowsocks can also serve as a transport layer for Tor and VPN connections, meaning a Shadowsocks flow detector functions as a first-stage classifier that unmasks compounded anonymity systems. The authors explicitly cite this as a motivation for detection.

2017-deng-random §II detection

Adding a DPI apparatus with true positive rate TPR and false positive rate FPR creates three ordered thresholds Fam ≤ Fab ≤ Fmb governing censor strategy: allow all traffic (CTP ≤ Fam), deploy the apparatus (Fam < CTP ≤ Fmb), or block all traffic (CTP > Fmb). The apparatus does not qualitatively change the Nash equilibrium structure; it only shrinks the CTP range the circumventor can sustain, with the ordering Fmb ≥ Fab ≥ Fam holding whenever TPR ≥ FPR.

2016-elahi-framework §4.3 detection

In a single-round censorship game the only Nash equilibrium that keeps the channel open requires the circumvention traffic proportion (CTP) satisfy CTP ≤ F, where F = (βant+βbnt)/(αact+αbct+βant+βbnt). In repeated indefinite games a stable equilibrium exists at CTP = Z = (1−p)·CTPmax, where p is the per-round continuation probability, allowing a non-zero proportion of circumvention traffic to flow indefinitely without triggering shutdown.

2016-elahi-framework §4.1–4.2 defense

Castle's packet-size and inter-packet-time distributions (measured via Kolmogorov-Smirnov statistic) fall within the variance observed between legitimate human-game sessions when using ≤50 units/command at ~1 command/second; the best-performing classifier (Herrmann) achieved only ~60% accuracy—roughly 10% above random guessing—against multiple Castle configurations, while two other classifiers (Liberatore, Shmatikov timing) performed near chance.

2016-hahn-games §6.1, Figures 3–5 defense

Wiley's Bayesian classifier against obfuscated protocols (Dust, SSL, obfs-openssh) found that entropy detection achieved 94% accuracy using only the first packet, timing-based detection achieved 89% accuracy over entire packet streams, and length-based detection achieved only 16% accuracy.

2016-khattak-sok §2.4.1 detection

A KL-divergence classifier trained to distinguish CovertCast streams from real YouTube streams achieved only 33–45% true positive rate on packet-size distributions and 36–41% on inter-packet timing distributions — below random guessing — while maintaining 86–98% true negative rates. Overall classifier accuracy was approximately 65–68%, driven entirely by the high true negative rate rather than genuine detection capability.

2016-mcpherson-covertcast §7.5, Table 1 evaluation

Matryoshka achieves an average covert rate of ~3 bits/word after human enhancement; for a 5-word hidden message averaging 5.5 characters per word, the final enhanced stegotext is approximately 73 words. This is roughly 10× the covert rate of Spammimic (~0.3 bits/word), the prior leading approach.

2016-safaka-matryoshka §5 evaluation

After crowdsourced (MTurk) enhancement, 88% of stegotexts on average pass a One-Class SVM trained on 150K sentences from Wikipedia, Brown, and Reuters corpora as natural language; pre-enhancement, only 25–58% pass. For calibration, the same classifier correctly rejects 97% of randomly generated sentences as non-natural-language.

2016-safaka-matryoshka §5 evaluation

Users required 4.0–5.8 minutes on average to enhance a stegotext into natural language across three experiments, inserting 4–8 extra words per sentence; this is comparable to the time required to write a short email. The random-word-selection baseline consistently required more time and inserted more words, confirming that n-gram-guided word choice meaningfully reduces human editing burden.

2016-safaka-matryoshka §5 evaluation

A decision tree with linear regression at leaves (DTLR) trained on AS-topology features for 168 countries predicts Freedom House freedom category (Free/Partly Free/Not Free) with 95% accuracy. Average FPI prediction error was 3.47%, and prediction error remained ≤8 points (on a 0–100 scale) 90% of the time under leave-one-out cross-validation.

2016-singh-politics §3.3 evaluation

IP density (number of IP addresses per person) is the single most predictive feature of a country's Freedom of Press Index. A normalized IP density value of ≥0.167 reliably predicts high freedom of expression, while normalized maximum BGP policy-compliant path length ≥0.643 reliably predicts low freedom.

2016-singh-politics §4, Figure 2 evaluation

A single-protocol circumvention system creates a detectable anomaly: when the system is active, the traffic pattern on that protocol diverges from the same user's baseline behavior, which anomaly-based detectors can classify. Users who also legitimately use the tunneled service in daily life produce two distinct signatures — one with and one without the circumvention layer — further compounding detectability.

2016-zarras-leveraging §5.2 detection

A domain-based website fingerprinting attack against CDNBrowsing traffic — using the per-domain packet volume exchanged during a browsing session as a decision-tree feature vector — achieves 0.991 ± 0.002 accuracy against CacheBrowser on 100 China/Iran-blocked HTTPS pages, modestly outperforming the state-of-the-art k-NN classifier of Wang et al. (0.94 ± 0.002) while being two orders of magnitude faster: 0.60 CPU-seconds training and 10 µs classification versus 90 CPU-seconds and 0.05 CPU-seconds on an Intel Xeon 3.5 GHz processor.

2016-zolfaghari-practical §3.2 detection

Surveillance systems are fundamentally more selective than censorship systems due to storage constraints: as of 2009 the NSA could store only 7.5% of received traffic across 592 tapped 10 Gbps links with only 69 10 Gbps backhaul links, and the authors' campus network retains non-alert metadata for ~36 hours and IDS alerts for ~1 year. Censorship systems by contrast are transaction-focused and retain only enough data to process real-time requests. This asymmetry creates an exploitable gap: traffic that does not stand out from the population is discarded before reaching human analysts.

2015-jones-can §2.1–§2.2 evaluation

Game-specific trigram analysis of mutable fields distinguishes high-bandwidth Rook (1-in-2 substitution rate) in server-side packet counts, showing clearly reduced distinct-trigram counts versus baseline. Standard Rook (1-in-10) produces only a few outliers and is not reliably distinguishable; any detector would face a high false-negative or false-positive rate against normal-rate Rook.

2015-vines-rook §4.3 Game-Specific n-gram Analysis evaluation

CART decision-tree classifiers trained on entropy-based and packet-header features detect all five Tor pluggable transports (obfsproxy3/4, FTE, meek-amazon, meek-google) with average PR-AUC=0.987, TPR=0.986, and FPR=0.003 on synthetic traces. On 14 million real campus flows the highest per-obfuscator FPR is 0.65%, and meek-google yields only 842 false positives across all three datasets. However, cross-environment portability is poor: classifiers trained on an Ubuntu/campus setup and tested on a Windows/home network achieve true-positive rates as low as 52% with false-positive rates reaching 12%.

2015-wang-seeing §6.1, Tables 8–9 detection

Because CloudTransport uses the same network servers as legitimate cloud services, blocking it requires statistical classification of every cloud connection; false positives will disrupt popular and business-critical cloud applications (enterprise software, games, file backups), raising the economic and social costs of censorship. Empirical evidence shows that Chinese censors declined to block Amazon S3 even after it was used to mirror censored websites because doing so would disrupt 'thousands of services in China' with significant economic consequences. Due to the base-rate fallacy, even an accurate classifier will either miss many CloudTransport connections or cause collateral damage to non-circumventing cloud users.

2014-brubaker-cloudtransport §4.1, §7 defense

The paper acknowledges that modern blind steganalysis tools combining first- and second-order statistical classifiers (e.g., SVM-based universal steganalysis) are likely capable of detecting TRIST-embedded images, though this was not experimentally verified. The authors note these attacks rely on large feature vectors and are computationally more expensive than histogram or blockiness attacks, but do not claim invulnerability.

2014-connolly-trist §7 detection

TRIST evades the self-calibrated blockiness detector — proven effective against OutGuess — by embedding at JPEG quality 30 and then transcoding the steg image up to quality 90 before transmission. This renders the blockiness-based message length estimator unreliable across the full range of message lengths from 0 to approximately 39 KB, as shown over 20 cover images from the BOSS dataset.

2014-connolly-trist §7 defense

Term frequency clustering of block pages achieves an F-1 measure of 0.98, correctly recovering manually identified block-page templates; page-length clustering performs far worse at F-1 of 0.64. Across the full ONI dataset, only 37 distinct term frequency vectors were found from five years of measurements, indicating that filtering vendors rarely change block-page HTML structure.

2014-jones-automated §5.1, §5.2 evaluation

Chinese censorship does not primarily target criticism of the state or its leaders — vitriol against top officials is routinely published. The decisive variable is collective action potential: posts that organize, incite, or reference crowd formation outside the Internet are censored regardless of whether they are pro- or anti-government, a distinction the authors formally establish and experimentally test for the first time.

2014-king-reverse-engineering Results detection

The Chinese censorship apparatus detects collective action potential through volume-burst monitoring: it identifies a spike in social media posts about a topic area, traces the spike to a real-world event, classifies the event as having collective action potential, and then censors all posts in that burst — regardless of individual post stance or content.

2014-king-reverse-engineering Theory / Collective Action Potential Hypothesis detection

Without traffic morphing, a χ² packet-length classifier can identify 90% of Facet (video-over-Skype) sessions with only a 10% false positive rate on genuine videoconferencing. To block 80% of Facet connections, the censor need only disrupt 4% of genuine Skype calls; blocking 70% requires disrupting only 2%.

2014-li-facet §6, Figure 4 detection

Facet's video morphing — embedding the requested video in a fraction s of H.264 macroblocks within a randomly chosen chat video — raises the censor's required false positive rate dramatically. At steganography level s=0.125, blocking 90% of Facet connections requires disrupting over 40% of genuine videoconferencing traffic; blocking 80% requires disrupting at least 20% of legitimate calls.

2014-li-facet §7.2, §9.3–9.4, Figure 9 defense

Cascade-based censorship (ICM model) and uniform random deletion produce measurably different topological signatures: cascade removal causes greater increases in network diameter and radius as the censorship fraction γ increases and a substantial increase in assortativity at mid-removal levels (γ=0.2–0.5), whereas uniform deletion shows slower, more gradual changes across these same metrics.

2014-morrison-toward §4.1 evaluation

An SVM classifier using a 60-dimensional feature vector — 10 topological network metrics (assortativity, clustering coefficient, diameter, radius, betweenness centrality, degree distribution exponents) plus 50 Laplacian eigenvalues — can detect network-level censorship without any content analysis. The classifier successfully distinguishes censored from uncensored reply-graphs even at the lowest tested censorship level of γ=0.1 (10% edge removal), using 10-fold cross-validation repeated 10 times.

2014-morrison-toward §3–4 detection

The paper argues that the advantage in the censor-vs-circumvention arms race lies with the censor due to fundamental asymmetry: a nation state controls centralized communication infrastructure while dissidents depend on it. Standalone anti-censorship tools therefore face a structurally disadvantaged security posture that iterative patching cannot overcome.

2014-tan-censorship §1 defense

Known attacks on existing circumvention tools include steganographic detection, enumeration of decoy-router locations, and machine-learning traffic classifiers. The paper acknowledges these defeat current approaches (Infranet, Collage, Telex, SkypeMorph, Freewave) and argues that no iterative patch can neutralize the censor's long-term structural advantage.

2014-tan-censorship §1 defense

Packet padding alone is insufficient to defeat statistical traffic analysis unless every packet is padded to MTU; small-size padding has minimal effect on classifier accuracy (citing Hjelmvik & John 2010). Traffic shaping that also fragments large packets—transforming the full packet-size CDF to match a target distribution rather than merely inflating small packets—is required to statistically impersonate a target traffic class.

2014-wang-gohop §III.B defense

GoHop's naïve traffic shaping targeting a uniform packet-size distribution (0–MTU) successfully morphed both HTTP and SSH flows: K-S test D values were 0.019 (HTTP) and 0.022 (SSH), both below the 0.025 rejection threshold, with p-values of 0.20 and 0.11 respectively. After shaping, packet-size CDFs and statistical metrics (mean ~782–783 bytes, variance ~163,600) for both protocols became nearly identical, eliminating the size signals that distinguish them.

2014-wang-gohop §V.A, Table I evaluation

Manually-generated FTE regexes achieve a 100% misclassification rate against all six tested DPI systems — appid, l7-filter, YAF, bro, nProbe, and the proprietary enterprise-grade DPI-X — for HTTP, SSH, and SMB target protocols. Each regex took less than 30 minutes to specify and debug against known classifiers.

2013-dyer-protocol §4.2, Figure 4 defense

Regex-based DPI is fundamentally vulnerable to format-transforming encryption: because every tested system (including the proprietary enterprise-grade DPI-X, rated for 1.5 Gbps at $8,000) classifies protocols solely by membership in a regular language, any ciphertext can be guaranteed to match any chosen regex. The paper argues this forces DPI to adopt machine learning, active probing, or non-regular semantic checks — but notes that making such checks fast, scalable, and low-false-positive at line rate for arbitrary target protocols remains an open problem.

2013-dyer-protocol §3, §7 detection

The authors enumerate 12 requirements a parrot system must satisfy simultaneously (Correct, SideProtocols, IntraDepend, InterDepend, Err, Network, Content, Patterns, Users, Geo, Soft, OS) while a censor need detect only one failure. They conclude 'unobservability by imitation is a fundamentally flawed approach' and recommend embedding covert traffic in genuine encrypted payloads of a real running protocol (e.g., FreeWave in Skype voice, SWEET in email), which constrains detection to OM adversaries performing large-scale multi-flow analysis.

2013-houmansadr-parrot §XI defense

All trained ML classifiers (K-NN, Naive Bayes, ANN, SVM, vote ensemble) performed at near-chance levels when distinguishing RSA-encrypted stego messages from clean photos — best precision 52.05%, best meaningful recall 61.52% (K-NN on clean class). The authors attribute this to embedding only a few hundred bytes into cover photos hundreds of KB in size, with natural image entropy in noisy pixel regions being empirically indistinguishable from RSA-ciphertext statistics.

2013-invernizzi-message §5.1, Table 1 defense

In the Russia and Mexico incidents, spam tweets showed statistically significant spikes at fixed sub-hour intervals (5 and 15 minutes past the hour respectively), consistent with cron-job automation. Despite this automation, both campaigns deliberately mimicked human diurnal activity patterns — spam volume peaked at the same hours as legitimate traffic — to evade time-based anomaly detection.

2013-verkamp-five §3.2, Figures 2–3 detection

Default-profile usage was significantly elevated among spam accounts in China'11 (89.4% spam vs 51.2% non-spam), Russia (57.8% vs 34.7%), and China'12 (95.1% vs 47.8%); however, Mexico inverted this trend with only 1.7% of spam accounts using default profiles vs 27.0% of non-spam accounts, indicating that newer campaigns actively customize profiles to evade appearance-based detection.

2013-verkamp-five §4.2, Table 7 detection

Across five political spam incidents, spam constituted 62–73% of all tweets in the Russia, China'12, and Mexico incidents, while Syria had only 6% spam. In the China'12 incident, 1,700 spam accounts (14% of all accounts) generated 600,000 spam tweets (73% of total), with 10 individual accounts each producing over 5,000 tweets before shutdown; in Mexico, 50 accounts sustained 1,000 spam tweets per day throughout the incident.

2013-verkamp-five §2, Table 2 evaluation

Twitter's existing automated spam-filtering mechanisms caught only approximately 50% of politically motivated spam in the Russian parliamentary election incident, as reported by Thomas et al. (2012) and noted as the baseline for this study. Spammer behavior varied sufficiently across incidents (targeting strategy, URL usage, mention patterns, default-profile adoption) that supervised machine-learning classifiers trained on one incident are unlikely to generalize to others.

2013-verkamp-five §1, §5 evaluation

ScrambleSuit's prototype achieves a mean goodput of 148 KB/s (σ=61 KB/s) versus Tor's 286 KB/s (σ=227 KB/s) over a 100 Mbit/s LAN — roughly half Tor's throughput — with 45–50% total protocol overhead compared to Tor's 19.6%. Disabling inter-arrival time obfuscation raises goodput to 321 KB/s (σ=231 KB/s), demonstrating that artificial delays are the dominant cost rather than padding or cryptography.

2013-winter-scramblesuit §5.2, Table 2 evaluation

ScrambleSuit achieves polymorphism by seeding each server's PRNG with a randomly generated 256-bit value, which generates server-specific probability distributions over packet lengths (up to 100 bins) and inter-arrival times (bins in [0, 10) ms). The seed is shared with clients after authentication, so both sides shape traffic identically; a censor monitoring two distinct ScrambleSuit servers observes different distributions and cannot build a single universal classifier.

2013-winter-scramblesuit §4.3 defense

Tor's traffic contains a characteristic prevalence of 586-byte packets (Tor's 512-byte cells plus TLS header overhead) that form a strong flow-level fingerprint detectable from a few dozen captured packets. ScrambleSuit's packet length morphing eliminates this signature and shifts the distribution toward MTU-sized packets, but the authors note that a censor using the VNG++ classifier — which relies on coarse features like connection duration, total bytes, and burstiness — would still require only a marginal increase in ScrambleSuit's overhead to defeat.

2013-winter-scramblesuit §4.3.1, §5.1, Figure 10 detection

SWEET argues that mimicking complex protocols (SkypeMorph, CensorSpoofer, StegoTorus) is fundamentally breakable because comprehensive imitation of today's protocols is infeasible. The paper instead advocates tunneling inside genuine traffic from actual, widely-used protocol providers — in this case real email services — so the censor observes authentic protocol behavior rather than a simulation.

2013-zhou-sweet §1 defense

Censors apply categorical event-level judgment — whether a post is associated with a collective action topic — rather than per-post sentiment classification. The paper explicitly states that no known statistical or machine-learning technology can achieve the accuracy required for this task, and the authors obtained 98.9% intercoder agreement (86/87 events) using human coders applying the same five-category scheme.

2012-king-censorship Analysis Strategy / Central Hypothesis; Coding Rules detection

Researchers identified four distinct account-registration patterns using regular expressions on mail.ru email addresses and screenname naming conventions; these patterns flagged 975,283 spam accounts with only 4% false positives on manual validation of 150 accounts. The 25,860 accounts deployed in the attack represent just 3% of the flagged pool, indicating a centralized spam-as-a-service vendor provisioned accounts in bulk and sold access.

2012-thomas-adapting §4.2 evaluation

An unknown attacker leveraged 25,860 fraudulent Twitter accounts to send 440,793 tweets targeting 20 election-related hashtags, peaking at 1,846 tweets per minute, in an attempt to dilute political conversations following Russia's December 2011 parliamentary election. The accounts were drawn from a pool of approximately 975,283 fraudulent accounts identified by the researchers, 80% of which remained dormant with zero friends, followers, or tweets.

2012-thomas-adapting §1, §4.1 detection

A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.

2012-weinberg-stegotorus §5.2, Table 2 evaluation

StegoTorus distributes a fixed set of packet traces and HTTP covertext databases with the software, but allows users to record their own; classifiers trained on the distributed covertext will not generalize to user-generated databases. The paper further notes that reusing a small number of traces repeatedly creates a statistical fingerprint because censors can learn conversation patterns from packet sizes and timings alone, implying that trace diversity must be maintained over time.

2012-weinberg-stegotorus §4.1.1, §5.2 defense

The proposed multi-stage scrambling composes four orthogonal layers: (a) 128-bit AES with 20 bits stripped, requiring brute-force search; (b) an AES key derived from a CAPTCHA solution; (c) a memory-bound function key; and (d) blocks whose de-scrambling exploits JavaScript floating-point and string-processing quirks. Each layer independently forces a censor to build or emulate a distinct acceleration environment, multiplying total reverse-engineering cost.

2011-bonneau-scrambling §3 defense

Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.

2010-burnett-chipping §3.1 detection

Global anonymity is maximized when the anonymity set is large and behavior is uniformly distributed: 'global anonymity is maximal iff all subjects within the anonymity set are equally likely.' Strong global anonymity does not protect individual 'likely suspects' — even in a strong-anonymity system, one user with distinctive behavior may have weak individual anonymity. Strong or even maximal global anonymity does not imply strong anonymity of each particular subject.

2010-pfitzmann-terminology §3 defense