traffic-shape   Traffic-shape / statistical fingerprinting

A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).

2026-almutairi-server §3.4, Table 1 detection

The paper identifies a fundamental architectural vulnerability in single-IP circumvention designs: a relay must generate new observable flows (via DNS or TLS SNI) to reach end services after receiving client connections, creating a detectable server-and-client behavioral contrast. A relay accessing user-facing domains (news, social media) scores high on a Relay Suspicion Score (w=0.9) versus infrastructure domains (w=0.1). The paper argues this host-level signal is censorship-invariant and cannot be concealed by link obfuscation.

2026-almutairi-server §2.4, §4 detection

AnyTLS's default padding scheme operates across 8 levels (stop=8), with initial padding fixed at 30 bytes, small-data padding 100–400 bytes, and medium-to-large data padding chains of 400–500 bytes continuing through multiple 500–1000 byte segments. The 'c' (continue) marker allows multi-stage padding sequences within a single connection burst.

2026-anon-anytls-anytls-sing-box-2026 §2.3 defense

AnyTLS implements a persistent idle-session pool with configurable parameters: idle_session_check_interval (default 30s), idle_session_timeout (default 30s), and min_idle_session (default 5). The client maintains at least 5 pre-established TLS sessions at all times to enable fast connection reuse without a new TLS handshake per request.

2026-anon-anytls-anytls-sing-box-2026 §2.4, §5.3 defense

Compared to peer protocols, AnyTLS rates 'medium' performance (vs. VLESS 'high', Hysteria2 'very high', TUIC 'high'), uses TCP/TLS transport (vs. UDP/QUIC for Hysteria2 and TUIC), and relies on padding-based obfuscation vs. REALITY/WebSocket (VLESS) or HTTP/3 framing (Hysteria2). Client ecosystem support is currently limited primarily to sing-box, vs. broad cross-client support for VLESS, Trojan, and Hysteria2.

2026-anon-anytls-anytls-sing-box-2026 §1.5, Table 1.5 evaluation

AnyTLS is a TLS-based proxy protocol maintained by the sing-box team, designed in 2024 and first released in the sing-box dev-next branch. Its core mechanism wraps arbitrary proxy traffic in standard TLS and applies a configurable padding scheme (Padding Scheme) to enhance traffic concealment while maintaining compatibility with standard TLS infrastructure.

2026-anon-anytls-anytls-sing-box-2026 §1.1–1.3 defense

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III detection

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV detection

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V evaluation

Active bandwidth perturbation has an inherent detectability–stability trade-off: overly aggressive low-rate phases cause Tor SENDME-based flow control stalls, retransmissions, timeouts, or circuit replacement before sufficient correlation evidence is collected. The paper selects a 30-second modulation period and an empirically determined minimum shaping rate; the usable shaping range varies with relay load, path length, TCP congestion control behavior, and Tor multiplexing.

2026-fan-activeflowmark-assessing-tor §VII-A detection

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

2026-fan-activeflowmark-assessing-tor §VI-D, Table V detection

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

2026-fan-activeflowmark-assessing-tor §VI.D.2, Table V evaluation

NATA requires no endpoint compromise, no Tor-browser modification, and no payload decryption; it operates solely from (1) an upstream gateway controlling Tor TCP connections via standard Linux tc/wondershaper rate-limiting and (2) one or more adversary-controlled exit relays passively recording packet traces. The shaper identifies Tor connections using flow-level metadata (client IP, relay IP, port, transport protocol), meaning the adversary needs only ISP or AS-level vantage, not host-level access.

2026-fan-activeflowmark-assessing-tor §III-A, §IV-A detection

NATA (Non-invasive Active Traffic-correlation Analysis) requires no endpoint compromise, no Tor-browser modification, and no payload decryption. The adversary controls only an upstream network gateway (ISP/AS level) to impose bandwidth modulation on Tor TCP connections, and observes traffic at adversary-controlled exit relays — a Shaper–Sniffer architecture that operates purely at the network-infrastructure layer.

2026-fan-activeflowmark-assessing-tor §III-A detection

Padding-based client-side defenses including WTF-PAD and Walkie-Talkie are insufficient against active bandwidth perturbation: they reshape packet timing and burst structure but cannot remove the upstream rate limit imposed by the gateway shaper. BM-Net trained on a defense-aware dataset containing both undefended and WTF-PAD/Walkie-Talkie traces still achieves 99.65% F1, and the paper explicitly notes that 'client-side padding and burst reshaping may alter the logical traffic pattern, but they do not directly remove the rate limit imposed by the upstream bottleneck.'

2026-fan-activeflowmark-assessing-tor §VI.E.2, §VII detection

Client-side padding defenses (WTF-PAD and Walkie-Talkie) do not remove active bandwidth watermarks because they operate on packet timing and burst-level structure, not on the upstream rate limit; BM-Net still achieves 99.65% binary detection F1 on a mixed dataset containing both defended and undefended traces. The upstream shaper's rate constraint causes delayed, queued, or dropped packets whose throughput envelope persists at the exit relay regardless of application-layer obfuscation.

2026-fan-activeflowmark-assessing-tor §VI-E, §VII-A detection

An infrastructure-level adversary must balance watermark detectability against connection stability: the paper's threat model requires a minimum shaping rate rmin to prevent Tor circuit stalls, timeouts, or circuit replacement, and notes that repeated poor-throughput events can cause the circuit to be abandoned before sufficient watermark evidence is accumulated. This detectability–stability trade-off constrains the practical attack to macroscopic (30-second) modulation periods rather than fine-grained packet-level timing manipulation.

2026-fan-activeflowmark-assessing-tor §III.A, §VII.A detection

WTF-PAD and Walkie-Talkie client-side defenses — which operate on packet timing, padding, and burst-level structure — do not remove the throughput constraint imposed by an upstream rate limiter. When the shaping rate decreases, excess traffic is delayed, queued, or dropped; exit-side throughput retains the imposed modulation waveform. BM-Net was trained and evaluated on a dataset that includes both undefended and WTF-PAD/Walkie-Talkie-defended traces, confirming detection persists under this mixed condition.

2026-fan-activeflowmark-assessing-tor §VI-E.2 detection

Simulations extending the ENEM19 game-theory framework show that ephemeral proxy schemes (modeled on Snowflake/Lantern) effectively neutralize both the "optimal" and "aggressive" censors from the original framework. In overprovisioned settings (proxies arriving at 250/step vs. 200 clients/step), even the null censor scenario outperforms either censor in equal-arrival settings. Over 90% of waiting users receive a proxy within 1 time step. The critical variable is not censor sophistication but proxy arrival rate relative to client demand—high proxy churn combined with high arrival rate defeats both enumeration strategies tested.

2026-fares-game §4, Fig 1, Fig 2, Table 1 evaluation

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 detection

Multi-censor simulations show that single-censor-optimized distribution strategies perform suboptimally in realistic multi-region deployments. When two networks have different censor strategies (e.g., one optimal, one zig-zag), the distributor cannot detect that a proxy is blocked until all censors have blocked it; this leaves clients without reachable proxies despite the proxy appearing "available" from the distributor's view. The authors conclude that "single-censor evaluation does not accurately predict more realistic deployment performance." A zig-zag censor in one region with 0.25 weight caused 44.4% collateral damage while reducing proxy lifetime to a median of 4 steps.

2026-fares-game §6, Table 4 evaluation

The zig-zag traffic analysis attack (confirmed supported in Geedge TSG leak) rapidly enumerates all static proxy pools. With ζ_watch ∈ {4, 6} steps and a best-quality classifier (ρ_TP=0.99, ρ_FP=0.001), almost total proxy enumeration and user blockage occurs well before step 300. Even ζ_watch=2 leaves ~50% of users blocked. Collateral damage is high across all settings when ζ_watch ≥ 4: eventually ~50% of innocent servers are also blocked. However, Snowflake-style ephemeral proxies resist zig-zag effectively: reachability remains above 95% after 360 steps because churn prevents the censor from expanding its known proxy set beyond agents' direct assignments.

2026-fares-game §5.1, Fig 3, Fig 4 detection

AEGIS, a flow-physics-only ML classifier using a Hyperbolic Liquid State Space Model evaluated on a 400GB adversarial corpus including VLESS Reality, GhostBear, and AMOI-morphed traffic, achieves F1-score 0.9952, 99.50% TPR, and 0.2141% FPR at 262.27 µs inference latency on an RTX 4090. The system discards all payload bytes and classifies traffic exclusively on 6-dimensional flow physics: packet size, inter-arrival time, directionality, TCP window size, TCP flags, and payload ratio.

2026-ferrel-aegis-adversarial-entropy-guided §V, Table III evaluation

Automated proxy engines (e.g., Xray-core running VLESS Reality in automated mode) generate deterministically rigid inter-arrival time distributions because they cannot synthesize the stochastic variance of human-driven IAT, even when volumetrically anchored to benign distributions ('Fat Middle' anchoring via AMOI). The AEGIS Thermodynamic Variance Detector identifies this rigidity via Shannon Entropy of hidden states across 1,000-packet causal windows, rendering volumetric anchoring mathematically distinguishable from genuine human traffic.

2026-ferrel-aegis-adversarial-entropy-guided §III-E, §V-B detection

Gaussian noise injection stress testing shows AEGIS maintains F1-scores of 0.9913 at 5% IAT noise and 0.9753 at 10% IAT noise, but degrades to 0.5939 at 15% Gaussian noise — establishing the 'Manifold Shattering Threshold.' The paper asserts that sustaining 15% IAT noise in practice corrupts the adversary's own C2 channel integrity, making this threshold operationally unachievable for high-throughput tunnels.

2026-ferrel-aegis-adversarial-entropy-guided §V-F detection

Flow-physics classifiers face a fundamental 'Human Entropy Horizon': when VLESS Reality multiplexes true human entropy (a human actively browsing web applications), AEGIS achieves a detection rate of only 1.17%, because XTLS wrappers impart near-zero mechanical overhead and the temporal physics remain entirely stochastic. This implies adversaries operating at human interaction speeds can evade flow-based detection, but must abandon automated high-throughput C2 scripts.

2026-ferrel-aegis-adversarial-entropy-guided §V-G detection

Routing-guided conditional aggregation (CA) that dynamically weights header versus payload contributions using per-sample MoE routing probabilities outperforms static fusion on all six datasets, demonstrating that the relative discriminative utility of headers versus payloads varies by application type — and that classifiers can adaptively shift reliance to whichever modality is less obfuscated.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-E, §IV-B detection

Pretraining on 30 GB of unlabeled mixed traffic via masked language modeling (ISCX-VPN2016 NonVPN, CICIDS2017, WIDE backbone), then fine-tuning, enables TrafficMoE to classify VPN application traffic at 88.72% F1 and VPN service traffic at 92.61% F1, exceeding all fully supervised and prior pretraining baselines without requiring labeled training data for those domains.

2026-he-trafficmoe-heterogeneity-aware-mixture §IV-A, §IV-B, Table III detection

TrafficMoE achieves 97.65% accuracy and F1-score on the ISCX-Tor2016 dataset, substantially outperforming all baselines including the best pretraining-based competitor FlowletFormer (91.16% F1), by separately modeling protocol headers and encrypted payloads via dual-branch sparse Mixture-of-Experts rather than treating them as a unified byte stream.

2026-he-trafficmoe-heterogeneity-aware-mixture §IV-B, Table II detection

Balboa's synchronous leaf-content replacement adds non-negligible timing differences that allow censors to identify its activity with up to ~90% accuracy over different network conditions. The timing anomaly arises because Balboa performs data substitution directly at each data exchange, delaying the server's response while covert data is prepared.

2026-kamali-huma §I (Introduction), §II-A detection

Huma's deferred-reply / double-request receive (DRR) protocol reduces a traffic-fingerprinting XGBoost classifier's accuracy to at most 54% (near random guessing) across geographically distributed clients (San Francisco, Frankfurt, Bangalore). A Kolmogorov-Smirnov test on absolute page-load timing distributions yields D=0.03, p=0.98 for U.S. clients — substantially tighter than Waterfall of Liberty's D=0.11 at p=0.5 — confirming that Huma flows are statistically indistinguishable from benign HTTPS fetches.

2026-kamali-huma §V-D, Table II evaluation

WebSocket, required by HTTPT and WebTunnel to establish covert channels inside TLS connections, had an adoption rate as low as 6.3% of websites in 2021, sharply limiting the pool of volunteer websites that can act as proxies for these tools. By contrast, Huma's traffic replacement scheme embeds covert data in standard HTTP leaf objects (images, scripts, CSS), requiring only that the DW serve HTTP content — a near-universal property.

2026-kamali-huma §II-C evaluation

Early downsampling via striding (stride=4) is the single most damaging ablation, reducing average macro-F1 from 0.9909 to 0.9772 and increasing cross-dataset variance from 4.77×10⁻⁵ to 4.51×10⁻⁴, while the worst-case dataset drops to F1=0.9524 — far larger degradation than any other design choice including Mamba-1 vs Mamba-2.

2026-kulatilleke-mambanetburst-direct-byte-level §V-B, Table IV detection

A censor attempting to block QUICstep by dropping all QUIC connections that arrive without a preceding Initial/Handshake packet would cause significant collateral damage. Analysis of 24-hour campus traces (3,786,050 unique QUIC connections) found 29.1% (1,100,439 connections) lacked QUIC Initial or Handshake packets—representing legitimate connection migration from mobile handoffs and similar events. This high baseline rate means blanket "no handshake" blocking would disrupt roughly 1-in-3 QUIC connections unrelated to circumvention.

2026-lee-quicstep §5 (Blocking all QUIC connection migrated traffic) detection

FreeUp achieves 86.68% AUC on CIC-IoT2023, 85.44% AUC on DoHBrw2020 (malicious DNS-over-HTTPS tunneling), and 95.53% AUC / 93.22% F1 on ISCX-Tor2016 (Tor anonymous traffic), outperforming all nine baselines by more than 3% AUC on the first two datasets. The ISCX-Tor2016 result demonstrates that frequency-decoupled ML classifiers can detect Tor-like anonymous traffic with high confidence under zero-positive (unsupervised) training.

2026-lian-decompose-understand-fuse §V-B, Table I evaluation

Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.

2026-lian-decompose-understand-fuse §II detection

Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.

2026-lian-decompose-understand-fuse §V-C, Table II detection

FreeUp operates under a zero-positive (unsupervised) learning paradigm — trained exclusively on normal traffic with no labeled anomaly examples — yet achieves 95.53% AUC on Tor traffic and 85.44% AUC on DNS-over-HTTPS tunneling detection. This demonstrates that frequency-aware anomaly detectors generalize to novel circumvention protocols without requiring any labeled attack data, eliminating the labeling bottleneck that previously limited ML-based censorship detection.

2026-lian-decompose-understand-fuse §III, §V-B detection

Strong classifiers can be trained from fewer than one third of available traces with gains diminishing rapidly beyond that threshold. At inference time, macro F1 rises sharply within the first 40% of observed actions across all four datasets, meaning model identity can be inferred while the agent is still actively navigating the page.

2026-lugoloobi-known-their-actions §6.2, Figure 6 detection

Passive JavaScript UI traces are sufficient to fingerprint the underlying LLM of a browser agent with up to 96% macro F1 across 14 frontier models, achieving roughly 10× random-chance accuracy. Even the weakest model pair (Qwen3.5-9B on 2WikiMultiHopQA) reaches 63.7% F1 against a ~7% random baseline for 14 classes.

2026-lugoloobi-known-their-actions §5.1, Figure 2 detection

In open-set fingerprinting (leave-one-agent-out protocol), the majority of models exceed AUROC 0.60 for unknown-agent detection, but closed-set and open-set performance are dissociated: Seed-2-lite achieves 96.1% closed-set F1 yet scores below-chance open-set AUROC (0.38–0.47 on three of four datasets), while GPT-5.4 achieves AUROC 0.84 open-set despite ranking third in closed-set F1.

2026-lugoloobi-known-their-actions §5.1, Figure 3 evaluation

SHAP analysis shows timing-based features — IEI standard deviation, mean click IEI, and time to first action — dominate agent identity classification under normal conditions, receiving substantially larger attributions than structural or action-type features. Agents are distinguishable primarily by their tempo: how long they pause before acting and how variable that pause is.

2026-lugoloobi-known-their-actions §6.1, Figure 4 detection

Injecting uniformly sampled random delays between agent actions substantially degrades an unadapted XGBoost classifier, but a classifier retrained on delayed traces largely recovers performance across all four datasets. Under 5-second delay injection, the classifier shifts weight onto structural features (click-coordinate dispersion, structural key ratio, link-click ratio) that survive timing perturbation.

2026-lugoloobi-known-their-actions §6.1, Figure 5 evaluation

ESPRESSO achieves only TPR 0.132 at FPR ≤ 10⁻³ in network-mode for DNS-tunneled traffic—near chance—compared to TPR 0.992 for SSH traffic at the same threshold. The paper attributes this to the polling-based communication mechanism of dnscat2, which disrupts the timing patterns that interval-based flow correlation relies on.

2026-mathews-tracing-chain-deep §V-B, Table III detection

Ablation experiments show that replacing ESPRESSO's transformer backbone with a CNN ('Modified DCF') while retaining time-aligned interval features achieves performance competitive with the full ESPRESSO model across most protocols (e.g., SOCAT network-mode pAUC 0.997 vs. 0.989 at FPR ≤ 10⁻³), demonstrating that the time-interval feature representation—not the transformer architecture—is the primary driver of correlation accuracy.

2026-mathews-tracing-chain-deep §V-B, Table III evaluation

A systematic robustness evaluation found that ESPRESSO is highly robust to packet padding alone but that even modest artificial timing jitter causes significant performance degradation, identifying timing-based perturbations as the primary vulnerability of correlation-based stepping-stone (and by extension, anonymity-network) detectors.

2026-mathews-tracing-chain-deep §I (contributions), Abstract detection

Padding-only defenses that inject bursty traffic cause severe additional delay under realistic network bottlenecks: Break-Pad's delay overhead increases from 0% to 332.6% and FRONT's from 0% to 111.2% under a per-trace simulated PPS bottleneck. Even ephemeral padding defenses induce 43.9% delay overhead under bottleneck conditions, compared to 0% without a bottleneck, due to congestion from dummy packets.

2026-pulls-ephemeral-network-layer-fingerprinting §5.2, Table 1 evaluation

With infinite training time, Laserbeak achieves 93.5%, 95.9%, and 95.9% accuracy against ephemeral padding, FRONT, and Interspace respectively, compared to 96.5% undefended — confirming that padding-only defenses provide no meaningful protection against a sufficiently trained deep-learning WF adversary. Only ephemeral blocking defenses retain measurable protection, reducing Laserbeak to 71.8% accuracy under infinite training versus 96.5% undefended.

2026-pulls-ephemeral-network-layer-fingerprinting §5.3, Table 2 evaluation

Embedding explicit TTL values in mesh-routed messages leaks proximity information — a recipient can infer that a high-TTL message originator was recently nearby. MIRAGE mitigates this with memoryless TTLs: carriers independently discard messages with probability q per epoch, implementing a branching process with replication factor R ≤ nmax·(1−q). Setting q > 1 − 1/nmax ensures sub-critical message extinction with expected lifetime ≈ −ln(nmax)/ln(R) epochs.

2026-ratliff-mirage §VI-C defense

The PPBR (probabilistic profile-based routing) protocol leaks user community membership through observable routing decisions: in a controlled experiment with 800 majority and 200 minority users, a statistical disclosure attack achieved a true positive rate of 100% and false positive rate of 0% when identifying minority users. Even under a conservative PPBR configuration (top 1/3 fraction acceptance), the attack achieved 100% TPR and only 0.4% FPR.

2026-ratliff-mirage §V detection

Banking apps from major Russian institutions (Sber, T-Bank, VTB, Alfa-Bank) combine VPN detection with behavioral biometrics — screen pressure, touch coordinates, and gesture timing — enabling cross-account re-identification of users behind proxies. 11 apps received a "RED" (maximum surveillance) rating. T-Bank, Yandex services, and MAX additionally deploy active anti-analysis features that detect research tooling on the device (rooted devices, emulators, Frida, etc.).

2026-rks-russian-apps-vpn-detection §5, §6 detection

CNN-based passive traffic analysis failed to deanonymize I2P services when transferred from a controlled lab to the public I2P network. Lab-trained models produced mostly unusable results: the 'Without port' variant misclassified Class 2 packets at 71.6–88.4× the true count, and the 'Without payload' variant was only marginally better (12.8–13.2× false positives), demonstrating that lab-learned patterns do not generalize to real-world I2P traffic.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Fourth Experiment / Table VIII detection

Fano's inequality establishes a theoretical lower bound on deanonymization error probability as a function of anonymity set size |Θ|, prior uncertainty H(X), and mutual information leakage I(X;Y). For a network of N sufficiently large nodes with uniform routing, Pe ≥ (log N − 1) / log(N−1), approaching 1 (perfect anonymity). The authors found that closed-form estimation of I(X;Y) from I2P traffic features was analytically intractable, requiring ML approximation — and that ML also failed in practice.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §III-A evaluation

Applying Fano's inequality, the paper proves Pe ≥ (H(X)−1)/log|Θ|, showing that deanonymization error rate approaches 1 (perfect anonymity) when the anonymity set |Θ| is large and mutual information leakage I(X;Y) between observed traffic Y and target identity X is minimized. A uniform default tunnel length of 3 hops across all nodes, for example, contributes no differential leakage because p(y=3)=1, illustrating that standardized network parameters reduce identifiability.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §III-A, Equation (2) detection

Lab-trained CNN models completely failed to generalize to real public I2P network traffic: the 'without payload' variant produced 12.8–13.2× more false positives for the target service class than ground-truth packets actually existed (Table VIII), rendering all models forensically unusable. The authors conclude that heterogeneity and dynamism of real-world I2P traffic prevents lab-derived classifiers from achieving practical deanonymization.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Experiment 4, Table VIII evaluation

Unsupervised k-Means clustering over I2P flow features (port, payload length, protocol) found no natural cluster structure: distortion decreased nearly linearly with k up to k=20 with no elbow, indicating I2P traffic lacks the simple separable patterns that enable clustering-based traffic classification. The 435-packet dataset yielded one cluster of 75 and clusters as small as 3, with no forensically useful groupings.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V First Experiment / Figure 12 detection

Unsupervised k-Means clustering on I2P traffic features (port, payload length, protocol type) produced no natural cluster structure — distortion decreased almost linearly with k showing no elbow point — confirming that I2P's obfuscation successfully destroys simple separable patterns that shallow classifiers rely on. CNNs were required to detect any signal at all.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V First Experiment, Figure 12 evaluation

Under controlled lab conditions, a CNN trained on packet metadata (ports, sizes, TCP sequence numbers) achieved 99.5% accuracy classifying I2P packets with the 'Without payload' variant, versus only 72.5–76.5% using encrypted payload alone. However, when applied to the full recorded dataset, the 'Without payload' model's accuracy for the dominant irrelevant-traffic class dropped to 95.17% while maintaining 100% on target-class packets — but with a high false-positive rate making it forensically unreliable.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Second Experiment / Table IV–V detection

CNN models trained on I2P lab traffic achieved 99.5% validation accuracy using metadata alone (packet sizes, ports, TCP sequence numbers) versus only 72.5–76.5% accuracy when using encrypted payload only. This demonstrates that packet metadata is far more discriminating than payload content for traffic classification in encrypted anonymity networks.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §V Experiment 2, Table IV evaluation

Joint multi-task training with a combined loss L_joint = L_site + λ·L_pers shows that increasing λ from 0 to 2 raises mixed-site persona accuracy from approximately 45% to approximately 80% while website accuracy declines only from approximately 90% to approximately 75%, demonstrating a wide regime where an attacker can gain strong persona inference at modest cost to existing WFP capability.

2026-song-personafingerprint-measuring-persona §4.4, §5.7.2, Figure 5 detection

Using only 1,000-packet windows of signed packet lengths and inter-arrival times (no payload, no URLs, no cookies), a passive adversary achieves approximately 84% accuracy at inferring behavioral persona in a mixed-site open-world setting spanning 10 modern websites and 15 canonical personas plus an open-world class. Per-site persona macro-F1 typically ranges from about 0.78 to 0.91 across representative platforms including Bilibili, eBay, Yahoo, Zhihu, and LinkedIn.

2026-song-personafingerprint-measuring-persona §5.3, §5.5, Abstract detection

Re-testing in 2025 on a Pixel 10 Pro XL running Android 16 with October 2025 security updates confirmed that blind in/on-path VPN inference attacks remain fully viable despite CVE-2019-9461, CVE-2019-14899, and CVE-2024-49734 having been formally closed. All three core attack primitives—VPN-assigned internal IP discovery, active connection inference, and TCP reset injection via sequence/acknowledgment window scanning—succeeded across OpenVPN, WireGuard, and NordLynx.

2026-tolley-architectural §5.1–5.3 evaluation

Six widely deployed VPN and circumvention tools—OpenVPN, WireGuard/NordLynx, NordWhisper, Orbot (Tor on Android), Lantern, and Psiphon—all failed to block internal IP inference, connection-state detection, and TCP reset injection under identical adversarial conditions on fully patched Android 16. Application-layer obfuscation in Lantern and Psiphon did not prevent TCP-layer disruption; Orbot's VPN-style encapsulation of Tor traffic was bypassed via the same tunnel-level side channels.

2026-tolley-architectural §5.2, §5.4–5.5 evaluation

The CVE system is structurally incapable of tracking cross-vendor architectural vulnerabilities: in 2019 MITRE correspondence the authors were told CVE identifiers apply only to specific software implementation mistakes and that CVE-2019-14899 'should not have been assigned,' leaving the architectural VPN inference attack surface permanently untracked. Between CVE-2019-14899 (2019) and CVE-2024-49734 (2024), no new CVE was assigned despite continued reporting and confirmed exploitability, creating a five-year gap in the public record during which vendor patch claims went unchallenged.

2026-tolley-architectural §3.1, §4.1, §6.4 policy

The paper proposes an Internet Freedom vulnerability registry with five design principles: persistent cross-vendor tracking under shared identifiers (e.g., IF-ARCH-2025-001) as long as a risk remains reproducible; human-centered impact ratings anchored to harm potential for journalists and dissidents rather than CVSS-style exploitability scores; timestamped re-verification hooks with linked PCAPs and minimal reproduction scripts; a structured media interface to counter vendor narrative capture; and open public APIs for integration into risk dashboards so that users of tools like Orbot or Lantern can directly query their configuration's exposure to known metadata-based attacks.

2026-tolley-architectural §6.1–6.5 policy

The server-side variant of the blind VPN inference attack—where an in/on-path adversary exploits predictable NAT assignment and tunnel routing semantics to inject spoofed packets indistinguishable from legitimate encrypted traffic—has remained unacknowledged and unmitigated across all tested platforms since its concurrent disclosure in 2019. Unlike the client-side variant, which received partial fixes from Google (CVE-2019-9461, CVE-2024-49734) and Apple (iOS 17.2.1), no vendor has proposed a viable remediation or claimed ownership of the server-side attack surface.

2026-tolley-architectural §2.1, §3.1, §3.4 detection

A differential degradation attack (DDA) that selectively drops RTP packets carrying the last packet of a video frame — exploiting the fact that a single lost packet causes the entire encoded frame to be discarded — reduces Protozoa's covert throughput to single-digit KBps at 1920×1080 with 15% frame loss and at 426×240 with 50% frame loss, while maintaining acceptable video quality for legitimate WebRTC traffic.

2026-vilalonga-obscura-enabling-ephemeral §5.3 detection

Under baseline conditions (0% packet loss, no bandwidth constraint, 115 ms RTT), Obscura achieves average throughputs of 1.79 Mbps for Firefox-to-Firefox, 1.49 Mbps for Chrome-to-Chrome, and 1.32 Mbps for Pion-to-Pion connections; P-P connections collapse when the 2 Mbps target video bitrate exceeds the 1500 Kbps bandwidth constraint, while C-C connections remain usable at 10% packet loss with an average of 460 Kbps.

2026-vilalonga-obscura-enabling-ephemeral §4.3 evaluation

A plug-and-play Boundary Preserving Aggregation Module (overlapping window partitioning with joint packet- and burst-level features, W=20ms, stride=10ms) consistently improves existing WF baselines without architectural modification: applied to DF, AUC rises from 0.780 to 0.901 and P@5 from 0.315 to 0.545; applied to ARES'25, P@5 rises from 0.869 to 0.900 in the open-world 5-tab setting. The module's consistent gains across all three tested baselines confirm that fixed non-overlapping window segmentation is a structural vulnerability in prior WF pipelines.

2026-yuan-demux-boundary-aware-multi-scale §V-G, Figure 5 detection

DEMUX achieves a P@5 of 0.943 and MAP@5 of 0.961 in the closed-world 5-tab multi-tab website fingerprinting setting, outperforming the strongest prior baseline (ARES'25) by 9.2 and 6.2 percentage points respectively. ARES'25's P@K degrades from 0.900 at 2-tab to 0.851 at 5-tab (a drop of 4.9 pp), while DEMUX improves from 0.926 to 0.943 over the same range, expanding the absolute margin from 2.6 to over 9 points.

2026-yuan-demux-boundary-aware-multi-scale §V-B, Table II detection

MCCI (AS197207) blocks proxy IPs proportionally to observed connection volume: the more connections a phantom IP receives, the faster it gets blocked. A controlled experiment with a fresh /27 IPv4 subnet divided into 7 /30 sub-ranges with increasing weights confirmed that higher-weighted subnets were blocked first, demonstrating that the censor infers proxy IP reputation from traffic rate rather than from a static blocklist.

2025-alaraj-iran-refraction §4.2.3 detection

The report documents IMSI-catcher and mobile-network interception deployments in Pakistan that complement fixed-line DPI infrastructure. Mobile broadband users (dominant internet access mode in Pakistan) face surveillance at both the carrier level and via OTT platform coercion, with major platforms (YouTube, Twitter/X, TikTok) receiving and complying with blocking and content takedown orders from PTA, reducing the scope of accessible content even for users not running circumvention tools.

2025-amnesty-pakistan-shadows §6 deployment

Amnesty International's 102-page investigation identifies a multi-vendor surveillance stack deployed in Pakistan: Chinese DPI (Geedge/MESA-derived), Canadian social-media monitoring (Netsweeper), and Emirati commercial spyware (Pegasus and FinFisher). The system enables deep packet inspection, SNI-based filtering, and traffic-shape classification at national scale, including targeted interception of encrypted messaging apps and VPN traffic.

2025-amnesty-pakistan-shadows §3, §5 deployment

VPN search demand in Iran spiked approximately 707% during the June 2025 stealth blackout, as measured by Top10VPN analytics, making it one of the highest-documented circumvention-demand spikes associated with a single shutdown event. Despite this demand, many VPN connections failed because the protocol whitelist eliminated non-HTTPS tunneling methods and HTTP-level filters could detect known VPN signatures on port 443.

2025-aryapour-stealth-blackout §1, §5 evaluation

Internal Geedge documents confirm active contracts to deploy GFW-derived censorship and surveillance infrastructure in Myanmar, Pakistan, Ethiopia, Kazakhstan, and at least one additional unidentified country under the Belt and Road framework, in addition to domestic deployments in Xinjiang, Jiangsu, and Fujian. The exported product (the Tiangou Secure Gateway / TSG line) is not a stripped-down export variant — leaked TSG documentation shows DPI, active-probing, ML classifiers, and granular per-region traffic control rules that mirror the domestic GFW capability set.

2025-geedge-mesa-leak §5, §6 deployment

The freezing threshold is packet-count-based rather than strictly byte-based: the censor typically freezes after 25 packets have been sent in either direction (incoming or outgoing), which averages approximately 16 KB of payload. The limit applies to both TCP and UDP flows, and varies slightly by ISP.

2025-hyperion-cs-censor-has-new upd5 detection

InterSecLab's 76-page analysis of the Geedge/MESA leak (based on nine months of indexing and translating >100,000 documents) characterizes the Tiangou Secure Gateway (TSG) product line as a commercially deployable detection stack that combines deep packet inspection, real-time mobile subscriber monitoring, active probing, ML-based traffic classifiers, and granular per-region rule sets. TSG is not a research prototype — leaked documentation includes deployment timelines and client government interactions for Kazakhstan, Ethiopia, Pakistan, Myanmar, and one unnamed country, with censorship rules explicitly tailored to each region.

2025-interseclab-internet-coup §3–§5 (InterSecLab report) detection

Justice for Myanmar documents that Geedge Networks supplied Myanmar's military junta with GFW-derived surveillance and censorship infrastructure under Belt and Road frameworks following the February 2021 coup. The deployed system (Tiangou Secure Gateway / TSG) incorporates the same DPI, active-probing, and ML-classifier capabilities as the domestic Chinese GFW, giving Myanmar one of the most technically capable censorship systems in Southeast Asia.

2025-jfm-silk-road-surveillance §3, §5 deployment

The report documents that Myanmar's military has used its TSG-based infrastructure to execute targeted throttling and selective shutdowns of specific services and platforms, not only blanket internet shutdowns. This includes selective disruption of VPNs and circumvention tools during periods of civil unrest, demonstrating that Myanmar's censors have operationalized the granular per-service traffic control capabilities documented in the Geedge/MESA leak.

2025-jfm-silk-road-surveillance §5 deployment

Censorship classifiers and traffic analysis attacks consistently exploit the initial seconds of a proxy connection, where packet-size, inter-arrival-time, and burst features are maximally discriminative. Cited work demonstrates that website fingerprinting classifiers trained solely on the first few seconds of Tor traffic achieve high accuracy, and real-world GFW detection of fully-encrypted protocols also targets early-connection bytes.

2025-pereira-extended §1 detection

The framework confines active traffic shaping to the first N seconds of a connection (N is a user-defined parameter, e.g., N=10), after which normal unmodified traffic resumes. The authors hypothesize that this design keeps per-session throughput and latency overhead negligible, since the shaping window is a small fraction of total connection time; N can be extended to the full session if the censor is believed capable of classifying beyond early traffic.

2025-pereira-extended §2.3, §3 defense

The framework's GAN-based schedule generator trains on short session windows (e.g., the first 10 seconds) of real browsing traffic from the Tranco Top 1000 sites, learning joint distributions of packet sizes, inter-arrival times, and burst patterns to produce realistic synthetic schedules. This repurposes GAN architectures previously used for traffic analysis (e.g., GANDaLF) as a defense-side cover-traffic generator.

2025-pereira-extended §2.2 defense

The proposed framework operates as a transparent shim between application and network layers, enforcing a configurable schedule over packet size, timing, and burst patterns. The shaping logic is transport-agnostic — applicable across TCP, UDP, QUIC, and TLS — and activates only after the underlying protocol handshake completes, making it reusable across heterogeneous circumvention stacks.

2025-pereira-extended §2.1 defense

The framework is designed for adoption into existing censorship-resistant systems in the same manner as uTLS — as a drop-in Go library requiring minimal code changes. Primary integration targets are Tor pluggable transports and WireGuard-based VPNs that currently lack built-in traffic obfuscation. Predefined hand-crafted schedules are provided alongside GAN-generated ones to enable developer stress-testing without model inference.

2025-pereira-extended §2.3 defense

Security arguments for existing circumvention systems are based on ad-hoc adversary models that are often incomplete or unrepresentative of real-world adversaries, leading to allegedly secure designs that fail against relatively straightforward attacks. Protocols that substitute or parasitize a cover application's encrypted traffic channel fail against application-aware adversaries who observe or induce violations of application-specific behavioral invariants — a weakness that pre-trained classifiers on custom traces fail to surface.

2025-pereira-position §1, §2 defense

A machine-checked EasyCrypt proof demonstrates that a conjunctive SNI + traffic-profile adversary achieves a true positive rate of 1.0 against meek, with a false positive rate bounded by Pr[Game0(MeekEnc).main()=true] ≤ (1/10000) × (1/1000) ≈ 10⁻⁷, under the assumption that meek traffic follows a normal distribution centered at 512 bytes and background traffic a Poisson-like distribution centered at 1024 bytes. The proof is fully machine-checked in EasyCrypt.

2025-pereira-position §4.2 detection

An adversary's false positive rate against a circumvention tool depends critically on the statistical properties of background traffic; if background traffic is modeled inaccurately (e.g., with toy uniform distributions), formal detection bounds are not meaningful. The paper proposes a hybrid pipeline: train NetDiffusion on real packet-level traces from campus networks or backbone providers, sample synthetic background traffic, extract empirical mean/variance, and integrate those distributions into EasyCrypt formal models to produce statistically grounded detectability proofs.

2025-pereira-position §3 evaluation

The paper proposes modeling HCS undetectability as a simulation-based cryptographic distinguishability problem: if traces produced by the real-world HCS channel are computationally indistinguishable from ideal-world application-channel traces (T_HCS ∼ T_simulator), the HCS achieves provable security against any adversary — passive or active. The simulation paradigm is parametric in adversary capability, meaning a single proof covers the full spectrum from passive SNI monitoring to active DPI.

2025-pereira-position §1, §2 defense

Chinese browsers transmit GPS coordinates alongside persistent user IDs (IMEI, GAID, CUID) and client IPs to vendor servers with poor transport security; an attacker with access to this stream can trivially detect VPN use without any DPI—GPS coordinates placing a user inside China combined with a non-Chinese client IP is an unambiguous VPN-use signal. This correlation attack succeeds against VPNs with perfect traffic obfuscation because the detection side-channel is entirely outside the encrypted tunnel.

2025-rodriguez-revisiting §5, §6 detection

Local onion association—periodically downloading the full set of onion associations from a CT-log-based API and performing each lookup locally—produces a traffic pattern from the guard's perspective that is indistinguishable from generic onion service access, eliminating both the OLF fingerprint and the DNS-based Website Oracle attack vector. This approach requires no per-connection clearnet exit circuit and imposes negligible overhead given the current ~1,500 stable O-L site count.

2025-syverson-onion-location-measurements-fingerprinting §2.2.4, §6 defense

OLF reduces an adversary's target anonymity set from roughly 10,000 active onionsites to the ~1,500 stably available O-L sites—nearly an order of magnitude. Because O-L requires an exit circuit with a DNS lookup, a DNS-based Website Oracle further collapses the false-positive rate, making OLF effectively a closed-world attack on the enumerated O-L site list.

2025-syverson-onion-location-measurements-fingerprinting §2.3, §3 detection

Circuit fingerprinting from a guard-relay position achieves ≥99.9% accuracy with FPR ≤0.1% for all four Tor circuit types (general, HSDir, introductory, rendezvous) using the Deep Fingerprinting classifier on the first 512 cells, despite Tor's deployed partial defenses. Onion-Location fingerprinting (OLF) combining these circuit classifiers then achieves 98.81–99.87% accuracy (FPR 0.16–1.23%) distinguishing O-L sessions from ordinary clearnet or onion-only visits.

2025-syverson-onion-location-measurements-fingerprinting §5.1–5.2 detection

Automatic Onion-Location redirect was disabled in Tor Browser 13.0.12 as a direct result of this research, because automatic redirect forces the distinguishable clearnet-then-onion circuit pattern on every visit without user awareness. Manual O-L remains in Tor Browser but is still fingerprintable with the same near-perfect accuracy since the exit→onion circuit sequence is identical whether the redirect is automatic or manually triggered.

2025-syverson-onion-location-measurements-fingerprinting §2.2, footnote 1; §6 evaluation

MinecruftPT encodes circumvention traffic steganographically inside the Minecraft Java Edition network protocol, making a censored connection appear to a network observer as an ordinary online Minecraft game session. The cover channel is a high-volume, varied-packet-size TCP protocol with a large and active user population, making statistical fingerprinting harder than for lower-volume cover protocols.

2025-tusing-minecraft-tunnels §1, §3 defense

MinecruftPT achieves mimicry by implementing enough of the Minecraft protocol to pass as a real client-server game session, not just in header structure but in behavioral sequence. The paper evaluates it under DPI and traffic-shape analysis, finding that faithful protocol mimicry at the behavioral level (packet sequence, message types, timing) is necessary to defeat classifiers that go beyond simple byte-pattern matching.

2025-tusing-minecraft-tunnels §3, §4 defense

MinecruftPT uses the TCP-based Minecraft protocol rather than a WebRTC/UDP approach. The paper notes this gives it an availability advantage in environments where WebRTC is filtered or where UDP is blocked — a common configuration in corporate or institutional networks and some national censorship regimes. This positions it as complementary to Snowflake in the circumvention transport portfolio.

2025-tusing-minecraft-tunnels §4, §5 defense

The proposed system adopts the turbo tunnel architecture to provide a reliability layer over lossy TURN relay paths and to allow traffic reassembly at a single bridge across multiple TURN proxies. Three encapsulation modes are specified: direct application data inside TURN messages, DTLS datagrams via WebRTC data channels, and video frames inside WebRTC media streams — the latter two mimicking the encapsulation strategies of existing WebRTC circumvention systems such as Snowflake and TorKameleon.

2025-vilalonga-extended §2 System Design defense

The system targets a threat model where the censor performs passive DPI to fingerprint and block the client-to-TURN-proxy channel, and also conducts active enumeration attacks to discover and block proxy endpoints. The paper explicitly notes that traffic splitting may introduce distinct fingerprints of its own that require empirical evaluation — acknowledging that multi-path approaches are not fingerprint-free.

2025-vilalonga-extended §3.1 Threat Model defense

State-of-the-art ML classifiers (Deep Fingerprinting, Decision Tree, Random Forest, nPrintML) trained on known UPGen protocols and benign traffic always incur high out-of-distribution false-positive rates when attempting to block unknown UPGen protocols — in the vast majority of experiments the OOD FPR is 100%. The one exception (SSH OOD, Deep Fingerprinting) achieved a UPGen TPR of only 20%. By contrast, identical classifiers successfully generalize to block unknown Obfs4 flows with near-zero collateral damage in 3 of 4 cases.

2025-wails-censorship §4.3.3, Table 3, Table 4 evaluation

Combinations of Bayesian methods, data augmentation with mixup, and NOTA defensive padding cut the open-world false positive rate by up to 92% at 0.5 recall on HTTPS-only traffic and 75% on Tor traffic relative to the deterministic MSP baseline. Even with these improvements, sustaining a world size in the hundreds of millions (approaching YouTube-scale) requires accepting recall of 0.5–0.6 and precision of only 0.1–0.2; at precision 0.5 and recall 0.5, the maximum workable world size is only 37.5M for HTTPS-only (Table 3), far below YouTube's ~10 billion video catalog.

2025-walsh-improved-open-world-fingerprinting §4.5, Tables 1–3 evaluation

When a fingerprinting model is trained on traffic collected from one geographic vantage point and tested on traffic from a different continent, the HTTPS-only open-world FPR at 0.5 recall increased by factors ranging from 2.8x (EU-West-2) to 50.3x (Africa) relative to the same-vantage baseline — despite 60-way closed-world accuracy remaining above 0.99 across all vantage-point pairs (Table 5). For Tor traffic the effect was weaker but still reached 25.2x (Asia-Pacific Southeast-1), showing path diversity also disrupts Tor-based fingerprinting.

2025-walsh-improved-open-world-fingerprinting §5.1, Table 5 evaluation

The paper establishes, for the first time in a large open-world scenario (64,000 unmonitored test videos), that HTTPS-only video stream fingerprinting is significantly easier than Tor-based fingerprinting because DASH adaptive bitrate selection introduces a second-order network-condition effect: clients request entirely different video segments at different quality levels depending on path conditions, causing traffic traces from different geographic vantage points to diverge at the application layer even when network conditions are nominally similar. This makes NOTA and synthetic training sample techniques less effective on Tor data due to inherent trace noisiness.

2025-walsh-improved-open-world-fingerprinting §4.5, §5.1 evaluation

Active mid-connection bandwidth throttling (e.g., 100 Mbps → 50 Mbps) cleanly separates BBR from Hysteria and TCP-Brutal: BBR converges to the new rate within a few probing cycles, while Hysteria and Brutal interpret reduced bandwidth as increased packet loss and raise their sending rate further. This active probing technique resolves the BBR ambiguity that passive measurement alone cannot.

2025-wang-custom §4.4 detection

BBR, a rate-based CCA already available in the Linux kernel, comes close to Hysteria's throughput performance when packet loss is below 20% — the typical range for cross-border Chinese links (5–15%, peak up to 50% per prior studies). Above 20% loss, Hysteria and Brutal maintain a significant throughput advantage over BBR, but the paper finds no compelling justification for custom CCAs given the marginal gains in that regime versus the fingerprinting cost.

2025-wang-custom §4.2, §6 defense

Custom CCAs that deviate from standard TCP/QUIC congestion response fundamentally contradict the core circumvention principle of traffic indistinguishability: by failing to back off under congestion signals, they produce traffic patterns that diverge from the vast majority of Internet flows that censors value, eliminating the collateral-damage protection that makes circumvention tools hard to block wholesale.

2025-wang-custom §1, §6 detection

Hysteria and TCP-Brutal maintain fixed sending rates regardless of packet loss, causing them to transmit at rates several orders of magnitude higher than loss-based CCAs (TCP/QUIC Cubic) at a 5% packet loss rate on a 100 Mbps link with 60ms RTT. This non-compliance with standard congestion backoff is reliably detectable across RTTs from 15ms to 300ms and loss rates from 0.1% to 20%.

2025-wang-custom §4.1 detection

A two-stage threshold classifier evaluated on 10,080 synthetic flows across 1,260 network condition combinations (20 RTTs × 21 loss rates × 3 bandwidths) achieved 100% accuracy in Stage 1 separating loss-based from non-loss-based CCAs, and produced only 16 false positives from BBR flows in Stage 2, correctly flagging all 1,257 Hysteria and 1,257 Brutal flows as custom CCAs.

2025-wang-custom §5, Table 1 evaluation

The GFW detects fully encrypted protocols using ad-hoc rules including the percentage of printable ASCII characters per packet (threshold: over 50%) and the observation that FEP entropy is considerably higher than normal encrypted TLS traffic. These rules are subject to frequent changes, making rigid FEP designs unable to adapt.

2025-wilson-extended §1 detection

Packet timings are a distinct detection vector for circumvention tools beyond payload content and packet lengths, as demonstrated by Wails et al. 2024. Prior FEP-specific shaping work (Fenske et al.) addressed packet lengths but explicitly left timing shaping for future work, leaving a known gap in detection resistance.

2025-wilson-extended §1 detection

Shaperd introduces a constraint-agnostic traffic shaping system that operates on both packet content and timing in real time, designed for drop-in integration with any existing FEP. The system uses a four-component constraint definition (function, value, comparison operator, target packets) capable of expressing any rule based on a computable deterministic function over packet contents.

2025-wilson-extended §2 defense

Per-flow RTTdiff detection rates are only ~20% because the majority of proxy flows connect to CDN-cached content (Cloudflare, Google, Fastly) that sits within 5ms of the proxy, suppressing the discrepancy. However, aggregating across flows per website visit yields detection rates exceeding 70%—and from the abstract, approximately 80% of top-5K domains generate at least one detectable flow—with half of those detections made within the first 60 packets. This means an adversary can reliably expose client and proxy IPs after just a few website visits.

2025-xue-discriminative §VI-C-2, Table II detection

The paper evaluates two short-term mitigations—TCP delayed ACK on the proxy server and connection multiplexing—but finds both are limited: delayed ACK produces atypical ACK timing that may itself be fingerprintable, and multiplexing only adds entropy without eliminating the RTTdiff signal. Critically, obfs4 and ScrambleSuit's delay-based timing obfuscation are described as 'fundamentally limited' because they manipulate inter-arrival times without eliminating the underlying transport/application-layer session misalignment. The paper concludes no existing obfuscation scheme provides a principled defense against timing-based proxy fingerprinting.

2025-xue-discriminative §VII, §I defense

IMAP/SSL traffic on port 993 constitutes less than 1% of total ISP traffic but accounts for nearly one third of all false positives in the RTTdiff exploit, because IMAP's non-RESTful multi-connection pattern violates the request-response correlation assumption. The overall per-flow FPR is bounded at 0.6–0.7% (on par with GFW's estimated FPR against fully-encrypted proxies), but implementing a pre-filter to whitelist IMAP traffic reduces the FPR by approximately one third, making the fingerprint substantially more precise.

2025-xue-discriminative §VI-C-3, Table III detection

Proxy users who resolve DNS locally (at the client) are approximately twice as susceptible to RTTdiff fingerprinting compared to users who resolve DNS at the proxy, across all tested client/proxy location combinations. Local DNS returns IPs optimally reachable from the client's region, which may be geographically distant from the proxy, increasing the proxy-to-server path distance and thus the RTTdiff discrepancy.

2025-xue-discriminative §VI-C-2 detection

Cross-layer RTT discrepancy (RTTdiff) is a protocol-agnostic fingerprint that exploits an inherent architectural property of all proxy setups: transport-layer sessions terminate at the proxy while application-layer sessions remain end-to-end. Evaluation across 10 proxy protocols—including VMess, Shadowsocks, VLESS, Trojan, XTLS-Vision, and obfs4-wrapped SOCKS—shows near-identical detection rates for all except obfs4, confirming the fingerprint is not tied to any specific obfuscation scheme. At FPR=0.01, per-website detection rates exceed 70% across all tested client and proxy location combinations.

2025-xue-discriminative §I, §VI-C detection

WATER (WebAssembly Transport Executables at Runtime) defines a pluggable-transport architecture in which the transport logic is compiled to a WASM module that is loaded and executed at runtime by a thin Go host process. This separates the stable host ABI (dial, accept, read, write) from the rapidly-evolving transport logic, allowing new or updated transports to be delivered as small WASM binaries without recompiling or redeploying the host application.

2017-frolov-water-pluggable §2–3 defense

IoT devices pose the primary false-positive risk: many IoT devices (printers, smart bulbs, cameras, vacuum cleaners) maintain very few sessions with a small number of fixed cloud IPs — behaviorally similar to a VPN client. In the CIC IoT 2022 dataset, only 2 devices were misclassified (a Google Nest Cam connecting to nexusapi-us1.dropcam.com and a device using Alibaba cloud) out of the full dataset with WINDOW=300 s and T=500 packets.

2024-almutairi-fingerprinting §IV-B, §IV-C detection

The threat model requires no DPI and was fully implemented as a Linux kernel module on a NETGEAR R6120 with only a 580 MHz processor, 16 MB ROM, and 64 MB RAM, adding negligible overhead. Unlike ML-based or DPI-based VPN classifiers, the statistical model operates pre-NAT on per-device private IP flows, making it immune to obfuscation techniques that alter packet payloads or disguise protocol handshakes.

2024-almutairi-fingerprinting §I, §IV detection

A passive, router-level VPN fingerprinting technique exploits the design convention that all user traffic is tunneled to a single VPN server IP. By counting packets per device-to-IP session at the home router and flagging sessions where PACKETS_COUNT exceeds threshold T=500 within WINDOW=300 seconds, the method achieved a 100% detection rate for all VPN implementations that route all traffic through one server, with zero false positives across uncontrolled 4-day experiments.

2024-almutairi-fingerprinting §III–IV detection

The authors propose two countermeasures: (1) widespread adoption of traffic splitting so not all user traffic is routed through a single VPN tunnel, neutralizing the single-destination session signature; and (2) VPN servers should rotate at random intervals so that no prolonged session to one IP accumulates enough packets to trigger the threshold T.

2024-almutairi-fingerprinting §VI defense

Testing 9 popular VPN providers (ProtonVPN, Hide.me, Turbo VPN, Kaspersky VPN, Hotspot Shield, Secure VPN, Fast VPN Pro, VPN Super, VPN Gate), 7 were successfully detected. KasperskyVPN evaded detection because it exchanged keepalive packets with a secondary server exactly every 300 seconds, matching the chosen WINDOW, causing the session counter to reset. Hotspot Shield evaded because of previously documented traffic leakage where not all traffic is tunneled.

2024-almutairi-fingerprinting §IV-D, Table II evaluation

Snowflake's blocking resistance rests on a large, constantly changing pool of volunteer WebRTC proxies implemented as lightweight JavaScript browser extensions or web pages. Because the proxy population is in constant churn and new addresses appear faster than censors can enumerate and block them, IP-list blocking is structurally ineffective. The system is designed so that when an in-use proxy goes offline, the client seamlessly migrates to another with no disruption to upper network layers.

2024-bocovich-snowflake §1, §2 defense

Prior circumvention transports that tunneled over VoIP or voice-conferencing software were identifiable to censors by their TCP retransmission fingerprint: real VoIP applications do not retransmit dropped packets in the same way, making the covert channel's reliability mechanisms a distinguishing artifact. DTLS and QUIC avoid this because they natively support both fault-tolerant and sequential delivery modes without external indicators of which mode is active.

2024-chen-extended §2 The Case for UDP detection

WATER (WebAssembly Transport Executables Runtime) separates transport logic from the host application by compiling it to a WASM module (WATM) that is distributed and loaded independently at runtime. Deploying a new or updated circumvention technique requires only distributing the new WATM binary and optional configuration — no change to the host application and no app-store update cycle is required.

2024-chi-just §1, §3 defense

Traditional circumvention tool development and deployment is slow because new strategies must be developed, integrated into each tool separately, and then distributed via platform app-stores. WATER's WASM module architecture specifically addresses this asymmetry: censors evolve blocking techniques quickly, while circumventors are bottlenecked by binary release cycles. The paper argues that dynamic WATM delivery breaks this bottleneck by decoupling transport updates from application releases.

2024-chi-just §1 defense

The encapsulated TCP three-way handshake (3WHS) is detected in 80.59% of VPN flows but only 0.33% of plain UDP flows, making it—on its own—a near-practical VPN detector with 0.33% FPR; its presence is required by the classifier regardless of the compliance-rate threshold t.

2024-hanlon-detecting §4.2 Feature Importance detection

ML-based VPN classifiers report FPRs of 1.4–5.5%, all exceeding the GFW's estimated practical threshold of 0.6%, while the simple RFC-heuristic approach achieves 0.11%; this indicates that real-world censors are more likely to adopt lightweight heuristic detectors than opaque ML pipelines.

2024-hanlon-detecting §4.2 Overall Classifier Results evaluation

Random padding alone raises the classifier FPR only slightly (0.11% to 0.15%), and connection multiplexing alone raises it to 0.53%; however, combining both defenses raises FPR to 2.57%, making the detector impractical for a real-world censor and yielding TPR of 93.40%.

2024-hanlon-detecting §4.2 Robustness of 3WHS / Table 3 defense

A protocol-agnostic classifier that identifies RFC-mandated TCP behaviors (three-way handshake, 500ms ACK, 2×RMSS acknowledgement) leaking through UDP-based VPN tunnels achieves a false positive rate of 0.11–0.29% on real campus traffic, an order of magnitude lower than ML-based VPN detection techniques (FPR 1.4–5.5%) and on par with the GFW's estimated heuristic FPR of 0.6%.

2024-hanlon-detecting §3–§4.2 detection

Web browsing VPN traffic achieves only 32.35–42.44% TPR—far below SSH (99.43–99.56%) and file transfer (83.95–99.73%)—because DNS queries interleaved with TCP streams disrupt detection of the encapsulated 3WHS, confirming that connection multiplexing is a naturally occurring and effective evasion for web-browsing workloads.

2024-hanlon-detecting §4.2 Overall Classifier Results evaluation

DeTorrent exhibits strong diminishing returns in the bandwidth-performance tradeoff: increasing the dummy-download budget from N=1,000 to N=3,000 reduces Tik-Tok accuracy by ~19.1 percentage points, while a further increase from N=5,000 to N=7,000 yields only an additional 4.9-point reduction (accuracy floor near 20.8% at ~210% overhead). At the lowest tested budget (~40% overhead) Tik-Tok accuracy is still only 52.8%.

2024-holland-detorrent §6.2, Figure 6 evaluation

DeTorrent is implemented as a Tor pluggable transport on top of the WFPadTools/Obfsproxy framework and deployed against live Tor traffic; a modest VPS with 4 GB RAM and 2 vCPUs running at under 50% CPU utilization can defend five simultaneous connections in real time with no GPU required. Performance drops only 0.7% when the generator is trained on one dataset partition and tested on another.

2024-holland-detorrent §5.4 deployment

SpotProxy adapts both WireGuard and Snowflake to work with its active proxy migration mechanism, demonstrating that the approach is protocol-agnostic. The active migration mechanism allows clients to move between proxies seamlessly without performance degradation or connection disruption when a proxy is replaced — a requirement for any high-churn proxy infrastructure.

2024-kon-spotproxy §3, §5 defense

Censors employing deep learning can use DTLS connection duration as a precise identifier to classify and block Snowflake traffic. The paper proposes switching PT connections after a variable time limit as a countermeasure to prevent duration-based classification.

2024-lorimer-extended §4.3 detection

Because traffic splitting is not ubiquitous network behavior, split PT traffic may appear anomalous to a censor, allowing them to distinguish normal PT use from split PT use even without classifying the underlying protocol. The authors flag this as a key open risk to be evaluated empirically and note that splitting across multiple bridges or multiple PT types may simultaneously raise and lower different detection signals.

2024-lorimer-extended §4.3 defense

When a user splits traffic across N paths, a censor observing a single path sees only a partial trace, substantially reducing the accuracy of classifiers trained on complete network traces. Prior Tor traffic-splitting work (TrafficSliver, CoMPS, multipath Tor studies) has validated this defense against website fingerprinting outside the PT context.

2024-lorimer-extended §1, §4.2 defense

Using Google Pub/Sub as a rendezvous channel adds 7.17 seconds of bootstrapping overhead vs. a 1.32-second direct baseline when establishing a TorKameleon WebRTC bridge connection (total: 8.49s vs. 1.32s). The dominant bottleneck is subscription creation time (5.23s), not the message exchange itself (3.26s), averaged across 10 samples with 113 ms cross-Atlantic latency.

2024-vilalonga-looking §4.2, Table 1 evaluation

The system uses a shared Pub/Sub topic for all users, where session IDs (SIDs) are visible to all subscribers on the broker topic. The paper argues this does not compromise user anonymity because SIDs are randomly generated per-session by client-side software with no link to user identity, and all subsequent bridge-info payloads are encrypted under a session-specific symmetric key exchanged via asymmetric encryption.

2024-vilalonga-looking §3.2 defense

The paper documents that bridge distribution across major circumvention tools (Tor Browser's Moat, Snowflake) relies entirely on domain fronting (meek) for automated, user-friendly bootstrapping. This concentration means a censor that defeats domain fronting — or that pressures CDN providers to stop offering it — removes essentially all automated bridge-discovery pathways simultaneously, leaving only manual out-of-band methods (email/Telegram accounts) that require many user interactions.

2024-vines-communication §2.1 evaluation

Raceboat formalizes a decomposition of application-protocol-tunneling channels into three reusable components (Transport, User Model, Encoding) and a channel manager that supports mixing unidirectional channels. By composing seven different channels from these modular components (including email, AWS S3, and Redis variants), the paper demonstrates that the current ad-hoc one-protocol-one-implementation model wastes significant re-implementation effort: the same transport or encoding logic is duplicated across Snowflake, meek, CloudTransport, and others.

2024-vines-communication §1–§5 defense

The paper argues that a greater diversity of signaling channels reduces the censor's leverage: when many independent services (cloud storage, email, push notifications, domain fronting) can each bootstrap a circumvention connection, a censor must block all of them to prevent access, and the collateral damage of blocking each may deter action. Skyhook specifically targets cloud storage as an additional independent pathway alongside existing channels like meek, Raven (email), and PushRSS.

2024-vines-ten §1 defense

Skyhook redesigns the 2014 CloudTransport concept as a signaling channel for bridge/proxy bootstrapping rather than a general-purpose browsing channel. By scoping to two-message exchanges (~1KB per direction, ~1 minute latency tolerance), Skyhook eliminates the requirement for censored users to create paid cloud storage accounts — the key usability barrier in the original design — and uses unilateral permissioning over AWS S3 objects so blocking Skyhook requires blocking all HTTPS traffic to an entire AWS S3 region.

2024-vines-ten §2, §4 defense

CNN-based deep learning reduces obfs4 false positive rate by an order of magnitude versus the best decision tree (FPR 2.9×10⁻³ vs. 3×10⁻²) while maintaining 100% recall, and achieves near-perfect Snowflake data-flow detection (Precλ=1k = 0.95, Fλ=1k = 0.97). However, at realistic base rates λ > 10⁶ all CNN classifiers still yield near-zero precision, leaving per-flow deep learning alone insufficient for nation-state-scale deployment.

2024-wails-precisely §V-C, Table IV, Figure 5 detection

obfs4 and obfs⋆ produce characteristic wire patterns—bursts of roughly MTU-sized payloads followed by a randomly-sized chaff packet—that CNN classifiers detect purely from packet-size sequences without payload inspection. A trivial per-bridge entropy-biasing re-encoding (obfs⋆) completely defeats the hand-tuned decision tree (0% precision, 0% recall) but does not reduce CNN detectability, because the CNN generalizes across size-distribution variants.

2024-wails-precisely §V-E, §IV-D-3, Figure 4 detection

While stream multiplexing reduces the visibility of encapsulated TLS handshakes by merging inner connections, the paper cautions that multiplexing plus random padding alone is "inherently limited" as a long-term countermeasure. Censors can adapt by monitoring burst sizes and round-trip counts at the outer-connection level, which remain correlated with the number of inner TLS sessions regardless of padding.

2024-xue-fingerprinting §7 (Limitations and Future Work) detection

Geneva packet-manipulation probing traffic exhibits distinctive features — corrupt data-offset fields, smaller packet sizes, overlapping TCP segments, TTL variance, and non-zero SYN packets — that allow simple ML classifiers (Decision Trees, Random Forests, Logistic Regression, SVM) to detect it with AUC > 0.99. A subsequent TRW-based IP-level detector can then block the source IP with high confidence after inspecting only 2 Geneva probing flows.

2023-amich-deresistor §4.1–§4.2 detection

All prior provably-secure steganography methods introduce measurable distribution distortion: ADG achieves Max KLD of 4.54E-02 to 6.76E-02 bits/token, and Meteor with its heuristic sorting reaches Max KLD up to 9.01E+00 bits/token (Table II, GPT-2, p=0.80). These non-zero KL divergences give any statistical steganalyzer a non-negligible distinguishing advantage, violating the security definition even when average divergence appears small.

2023-ding-discop §V, Table II evaluation

Shadowsocks transmits a fixed-size AEAD-encrypted length field followed by the AEAD-encrypted payload with no support for reducing ciphertext size via fragmentation, while Obfs4 permits input-side padding but not output fragmentation. These designs impose distinct minimum output message lengths, allowing a passive adversary to distinguish between them — and identify short-message sessions — based solely on the minimum observed message length.

2023-fenske-security §2.4 detection

No existing fully encrypted protocol — including Obfs4, Shadowsocks, VMess, and Obfuscated OpenSSH — simultaneously satisfies passive indistinguishability (FEP-CPFA), active-manipulation resistance (FEP-CCFA), and output-length shaping. The paper presents a novel stream-based construction that provably satisfies all three using AEAD-authenticated length blocks, an output buffer supporting arbitrary fragmentation, and a padding mechanism allowing the sender to emit exactly p output bytes on demand.

2023-fenske-security §2–3 defense

Censors optimize for utility under asymmetric misclassification costs rather than raw accuracy: false positives (blocking legitimate traffic) carry economic and political costs that make censors conservative about deploying classifiers with high false-positive rates. Multi-flow stateful classifiers — such as the obfs4 Elligator probabilistic distinguisher, which requires correlating observations across multiple connections — are operationally more expensive than single-packet or connection-initiation classifiers, which the author suggests explains why probabilistic multi-flow distinguishers have not been exploited in practice even when theoretically available.

2023-fifield-comments §5 evaluation

Three independent implementation flaws in obfs4proxy's Elligator encoding made obfs4 public-key representatives passively distinguishable from uniform random bytes: (1) non-canonical square roots allowed a square-then-root test matching 100% of obfs4 outputs but only ~50% of random strings; (2) bit 255 was always zero; (3) only large prime-order subgroup points were encoded. A classifier exploiting these achieves 100% sensitivity (obfs4 never falsely marked as random) at less-than-100% specificity. All three were fixed in obfs4proxy-0.0.12 (December 2021) and 0.0.14 (September 2022).

2023-fifield-comments §3 detection

Variable bitrate encoding (e.g., the OPUS codec's 6–510 kbps range) in VoIP protocols leaks content properties through packet timing, enabling ML classifiers to distinguish protocol tunnels from real conversations. An audio tunnel without timing shaping was identifiable with auROC 0.981 and aucPR 0.959 by an AutoGluon-Tabular classifier examining 1000-packet flow windows.

2023-jia-voiceover §2, §4.2 detection

Voiceover's DCGAN, trained on ~400 hours of two-person telephone conversations, generates conversation timing templates that constrain when the tunnel transmits audio. This reduces ML classifier performance from auROC 0.981/aucPR 0.959 (unshaped baseline) to auROC 0.682/aucPR 0.482, and the improvement holds at 500-packet windows (auROC 0.68/aucPR 0.50), suggesting robustness to memory-limited adversaries.

2023-jia-voiceover §3, §4.2, Table 2 defense

Protocol mimicry that replicates only statistical or syntactic traffic properties is insufficient for unobservability: Houmansadr et al. (2013) showed SkypeMorph was trivially detectable by the absence of Skype control channels, missing login-server communication, and failure to replicate implementation-specific bugs present in real Skype—demonstrating that full behavioral replication, not just traffic shaping, is required to withstand scrutiny.

2023-jia-voiceover §2 detection

Skype for Web normalizes packet sizes such that Voiceover transmissions and genuine audio conversations produce nearly identical packet size CDFs across Ubuntu 18.04 and Windows 10, across all tested modulation parameters (carrier frequency, sampling frequency, baud rate, frame length). This makes the Skype-based tunnel inherently immune to packet-size fingerprinting without requiring explicit size shaping.

2023-jia-voiceover §4.4 evaluation

Protocol fingerprinting — including DPI-based identification of VPNs, circumvention tools, and E2EE messengers — was active in only 6% of countries during the measurement period (13% all-time), but all confirmed instances came from focused individual studies, not from mass measurement platforms like OONI or Censored Planet. The authors flag encrypted traffic analysis (ETA) tools and next-generation firewalls (NGFWs) capable of blocking Signal or Tor Browser as an emerging threat to freedom of expression.

2023-master-worldwide §4.3 detection

FSK-encoded Dolphin audio is distinguishable from normal human speech via offline amplitude analysis: Dolphin's mean signal amplitude is 0.4 (std 224) versus 205 (std 1590) for natural speech — approximately an order of magnitude lower — enabling classification by a telecom operator who records calls. The paper also notes that standard CRC checksums appearing periodically every chunk provide a unique detectable signature if the adversary attempts to decode the audio.

2023-sharma-dolphin §6.5, Figs. 11–12 detection

Relying on third-party email providers to verify users was demonstrated by Ling et al. to leave Tor's BridgeDB vulnerable to censors capable of creating multiple accounts, enabling bridge enumeration via sock-puppet attacks at scale. Active and passive detection techniques — including traffic flow analysis, DPI, website fingerprinting, and active probing — have been demonstrated in prior work to reveal Tor bridges, making Tor inaccessible for the majority of users in some regions.

2023-tulloch-lox §2.2.1 detection

PushProxy's high-frequency downstream channel generates over 100 push notifications to load a typical webpage, contrasting sharply with the daily average of 46 push notifications received by a smartphone. This statistical anomaly makes PushProxy flows identifiable by simple rule-based filters without requiring sophisticated traffic analysis.

2023-xue-use §6.2 detection

PushProxy with N=100 parallel push receivers achieves a median 10 MB download time of 16.46s (~4.86 Mbps) without exceeding FCM's 5,000 messages/hour per-deviceToken rate limit, compared to 2.70s for Shadowsocks and 9.68s for OpenVPN (UDP). This throughput significantly exceeds other service-tunneling systems: dnstt (1.5 Mbps) and CensorSpoofer (64 Kbps).

2023-xue-use §5.2, Figure 6 evaluation

PushProxy decouples upstream (XOR-obfuscated UDP) from downstream (FCM push notifications), implementing triangular routing that prevents per-flow traffic analysis: a network adversary with limited visibility cannot correlate upload and download flows since they use different transport protocols and paths. Median TTFB was 572ms versus 492ms (Shadowsocks) and 508ms (OpenVPN), while performance remained stable during Chinese peak hours (20:00–02:00 GMT+8) when Shadowsocks download times increased from 3s to over 100s.

2023-xue-use §4, §5.2, Figure 7–8 defense

OpenVPN's application-layer P_ACK packets — uniform in size and concentrated only in the handshake phase — provide a timing and count fingerprint detectable via threshold comparison over 10-packet bins. Tunnel-based obfuscation wrappers (Stunnel, SSH, obfs2/3, Shadowsocks) that do not add random padding preserve the 1:1 packet correspondence with the underlying OpenVPN stream, leaving 16 of 20 tested tunnel-based obfuscated configurations vulnerable to ACK fingerprinting.

2022-xue-openvpn §6.2, §9.1 detection

A two-phase passive-filter-plus-active-probing framework deployed at a 1-million-user ISP identified 85.90% of vanilla OpenVPN flows (1,718/2,000) and 72.67% of obfuscated flows (1,468/2,020), with an upper-bound false positive rate of 0.0039% across over 10 million flows — three orders of magnitude lower than prior ML-based approaches (1.4–5.5%). The system processed 15 TB and 2 billion flows per day on a single commodity server.

2022-xue-openvpn §9, Table 3 evaluation

Meteor is proven secure against chosen-hiddentext attacks: any PPT adversary distinguishing Meteor output from honest model output can be reduced to breaking the underlying PRG. The scheme produces stegotext provably indistinguishable from the generative model's own output distribution, and requires only a shared public model — not a secret channel — making the model analogous to a common random string. On GPU the encoding overhead is ~1× model-load time; on CPU ~4.6×; on mobile ~49.5×.

2021-kaptchuk-meteor §5.2 / §6 / Table 2 defense

OUStralopithecus (OUStral), a Selenium-based OUS implementing empirically-derived human browsing distributions — Weibull dwell times (λ=30s, k=0.75), Von der Weth action probabilities (45.1% internal-link clicks, 33% new-URL navigations), and Dubroy tab-switching rates — generated 471 requests with all Cloudflare Bot Management scores above the recommended blocking threshold of 30, while Slitheen and Waterfall consistently scored 1. Because Cloudflare has full HTTP-layer visibility (unavailable to a passive network censor), the paper argues a censor observing only encrypted traffic would be even less able to flag OUStral.

2021-lorimer-oustralopithecus §3.1, §5.2.1, Figure 6 defense

Traffic replacement systems that only shape individual HTTPS flows remain vulnerable to censors monitoring inter-connection patterns over time. Waterfall's OUS (reloading the same page every second), Slitheen's OUS (naïve PhantomJS with no crawling), and Slitheen++'s OUS all produced non-human connection patterns detectable at the session level even when per-flow content is well-concealed. OUStral addresses this by shaping the distribution and sequencing of connections across an entire browsing session.

2021-lorimer-oustralopithecus §1, §2.2, §3, §6 defense

Prior overt user simulators (OUS) using PhantomJS — including Slitheen, Waterfall, and Slitheen++ — received Cloudflare Bot Management scores of 1 (certainly bot-generated) and would be blocked by any operator following Cloudflare's recommended cut-off of 30. Slitheen++ improved marginally by adding user-agent randomization and brief inter-request pauses, but all PhantomJS-based OUS implementations were trivially detectable as bots.

2021-lorimer-oustralopithecus §5.2.1, Figure 6 detection

Across tunnelling systems that apply traffic shaping against ML adversaries, a clear throughput cost emerges: Slitheen + OUStral with WebM replacement achieves up to 2.2 Mbps with 4.7x overhead; Protozoa (WebRTC, end-to-end) achieves up to 1.4 Mbps; DeltaShaper (VoIP) achieves only 7 kbps at 2x overhead. By contrast, Conjure (no traffic shaping) reaches 100 Mbps. Additionally, end-to-middle decoy-routing deployments incur a throughput penalty from packet-boundary parsing at the relay station that end-to-end systems (Protozoa, DeltaShaper) avoid.

2021-lorimer-oustralopithecus §5.3.2, Table 2 evaluation

Extending Slitheen to replace WebM video/audio frames reduced mean overhead from ~20x (image-only Slitheen) to 4.7x (±1.6) over 100 ten-minute sessions, while raising throughput to a mean of 581.7 kbps in video-only mode (max 2023.3 kbps, min 78.2 kbps) and 721.6 kbps in background-video mode (max 1528 kbps). This compares favorably to DeltaShaper's 2x overhead at only 7 kbps and Protozoa's up to 1.4 Mbps, while preserving Slitheen's resistance to traffic-analysis attacks.

2021-lorimer-oustralopithecus §5.2.2, §5.3, Table 2, Figures 7–9 evaluation

Balboa runs unmodified application binaries on standard inputs, intercepting TLS via dynamic library injection (LD_PRELOAD / DYLD_INSERT_LIBRARIES) to replace plaintext with covert data while preserving all TLS record lengths and non-timing characteristics. This yields goodput of 145 kbps for audio streaming and up to 8 Mbps for web browsing, versus 2.56 kbps for DeltaShaper and 19 kbps for Freewave, both of which run real applications on non-standard inputs.

2021-rosen-balboa §1.1, Table 1 defense

Balboa currently supports only TLS 1.2 stream cipher suites, covering approximately 81% of TLS connections; an active censor can force non-stream cipher suite negotiation, causing Balboa to silently enter pass-through mode—a potential denial-of-service vector. Separately, if the server's traffic model deviates from the local baseline (e.g., the same audio file streamed repeatedly), a sufficiently powerful censor can detect the anomaly independently of whether Balboa is running.

2021-rosen-balboa §5, §2.5.1 detection

A random-forest classifier trained on TCP statistics distinguishes Balboa-enabled traffic from baseline with 66–84% accuracy at zero network latency (key features: average TCP window advertisement and data transmit time), but accuracy falls to near-random (50–57%) once realistic latency is introduced (≥5 ms mean). Adding four additional innocent clients to the classification task further reduces accuracy—e.g., VLC at zero latency drops from 84% to 66%.

2021-rosen-balboa §6.3, Table 2, Table 3 evaluation

Large-file transfers via Camoufler (using Telegram as the IM channel) show modest overhead compared to direct wget: a 10 MB file takes 13.6s vs. 7.9s direct, 50 MB takes 52.1s vs. 35s, and 100 MB takes 93.3s vs. 68s. The overhead stems from the server downloading the complete file before forwarding it, but performance still substantially exceeds prior tunneling systems such as SWEET (email-based) and CovertCast (video-based), which the authors describe as incurring >10s even for small webpage loads.

2021-sharma-camoufler §4, Table 1 evaluation

Traffic analysis comparing Camoufler clients (fetching blocked websites) to regular IM clients (exchanging multimedia) shows indistinguishable packet-exchange rates and packet-size distributions: a 1.3 MB document download via Camoufler peaked at >700 packets/s, matching the >800 packets/s spike from a 1.5 MB video download by a regular IM client. Packet sizes cluster identically in two bins (<100 bytes for ACKs; >1,200 bytes for data) regardless of whether the underlying content is a web page or a video.

2021-sharma-camoufler §5.1 evaluation

Camoufler tunnels censored web traffic through real Instant Messaging applications (Signal, Telegram, WhatsApp, Slack, Skype), achieving a median page-load time of 3.6s (average 4.1s) over Signal and 2.3s median (average 2.7s) over Telegram for Alexa top-1,000 sites — compared to 120s for CovertCast loading BBC News and only 2.56 Kbps throughput for DeltaShaper. Over 90% of TTFB trials across 10 popular sites completed under 2s, with 50% under 1s.

2021-sharma-camoufler §4 defense

The GFW's passive classifier uses two features of the first data packet to flag probable Shadowsocks traffic: (1) high Shannon entropy (per-byte entropy > ~7 bits strongly correlates with replay probability, which is nearly 4x higher at entropy 7.2 than at 3.0) and (2) packet length in the range 160–700 bytes with specific remainders mod 16. A single data packet after the TCP handshake is sufficient to trigger the downstream active-probing pipeline.

2020-alice-shadowsocks-detection §4.2 detection

Protozoa's encoded media tunneling embeds covert IP packets directly into VP8-encoded frame bitstream partitions (EFBP) after lossy compression, rather than into raw pixel data. Because SRTP uses a stream cipher that preserves plaintext size, overwriting EFBP bits leaves encrypted packet sizes identical to legitimate sessions, and the covert channel achieves 98.8% utilization of available frame space at an average throughput of 1422 Kbps—a 3× improvement over Facet and roughly three orders of magnitude over DeltaShaper's 7 Kbps maximum.

2020-barradas-poking §4.4, §6.2 defense

Protozoa's encoded media tunneling achieves an AUC of 0.59 against a state-of-the-art ML traffic classifier using packet-size and inter-arrival-time features—near the 0.5 random-guessing baseline—compared to >99% detection rates for prior tools such as Facet and DeltaShaper. To block 80% of Protozoa flows (TPR=0.8), a censor would erroneously flag approximately 60% of legitimate WebRTC flows (FPR=0.6). This resistance holds across trace durations from 10–60 seconds (AUC range 0.56–0.61) and across RTT, bandwidth, and packet-loss variations.

2020-barradas-poking §6.2, Table 1, Figure 8 evaluation

Protozoa's covert channel throughput degrades gracefully under bandwidth constraints but remains usable for common applications: average throughput is 975 Kbps at 1500 Kbps cap, 460 Kbps at 750 Kbps, and 91 Kbps at 250 Kbps. Under 2% and 5% packet loss the channel sustains 1130 Kbps and 360 Kbps, respectively, while 10% loss (near WebRTC tear-down threshold) still yields 160 Kbps without breaking the connection. Traffic analysis resistance is preserved across all these conditions, with AUC peaking at 0.65.

2020-barradas-poking §6.3, Figures 9–10 evaluation

CRON restricts multi-hop covert circuits (N≥1 relays) to delay-tolerant traffic only, because establishing multiple simultaneous WebRTC video calls is 'highly atypical in normal user profiles' and would trigger S1 behavioral anomaly detection. Real-time interactive tunneling is limited to direct circuits (N=0) within pre-existing calls, and active mode introduces only bounded variability in call times and frequency to stay within plausible user-profile ranges.

2020-barradas-towards §4.1 defense

Protozoa creates a ≈1.4 Mbps covert channel over WebRTC by replacing encoded video frames with covert payload while preserving SRTP packet size and timing properties, making Protozoa flows 'hardly distinguishable from unmodified WebRTC streams using existing ML-based traffic classifiers.' Since all unencrypted packet fields remain intact, DPI cannot detect the tunnel either.

2020-barradas-towards §2 defense

Even when individual WebRTC flows pass traffic analysis, a censor can identify CRON users via three long-term statistical attack types: S1 (simultaneous video calls, atypical for normal users), S2 (sudden connections to previously unknown parties), and S3 (calls at anomalous times, frequencies, or durations). Relay nodes in multi-hop circuits are particularly exposed via S1 because conducting multiple simultaneous video calls is highly atypical in normal user profiles.

2020-barradas-towards §4.1 detection

Slitheen++ achieves a median covert site loading time of 7 seconds in the naive setup, rising to 8 seconds with crawling and 13 seconds with a 1-second thinking-time (TT) delay. The Baseline-to-Covert factor ranges from 3.7–8.5 without TT and from 7.6–21.4 when crawling and 1-second TT are combined, reflecting the fundamental tradeoff between stealth overt behavior and covert throughput.

2020-birtel-slitheen §5 (Figure 1, Figure 2) evaluation

Slitheen++ embeds covert upstream data by applying HTTP/2-like header field compression to overt HTTP requests, using the recovered space for covert data placement. This ensures that neither timing information nor observable changes to packet sizes or delays can reveal decoy routing use to an omni-scientist passive censor. GZIP compression was explicitly avoided to prevent the CRIME side-channel attack.

2020-birtel-slitheen §4 defense

Slitheen++'s relay station introduces minimal overt forwarding overhead: 95% of setups saw downstream per-packet delays between 1 ms and a maximum of 4 ms, with on average only 0.0029% of downstream packets affected (peak 0.006% in any single scenario). Upstream delays were similarly low except for a single outlier near 60 ms caused by thread contention during crawling-induced relay load spikes.

2020-birtel-slitheen §5 (Table 1) evaluation

The original Slitheen appended covert upstream data directly to overt HTTP requests, significantly changing upstream traffic patterns and enabling censor identification even when traffic is encrypted. This upstream traffic analysis vulnerability—absent from Slitheen's original threat model—is the primary weakness Slitheen++ addresses.

2020-birtel-slitheen §1, §4 detection

A censor can identify Slitheen relay connections by observing that all packets in a suspected overt flow arrive in strict order while flows from the same source naturally exhibit out-of-order delivery: the relay station's traffic-server component reorders TCP segments to enable TLS record decryption, creating a statistically anomalous per-connection ordering pattern. The reordering buffer also increases per-packet round-trip times, providing a secondary timing signal.

2020-birtel-slitheen §4, §6 detection

Geddes et al. demonstrated that acknowledgement packets in covert-channel circumvention systems can be identified through timing characteristics and selectively interfered with to disrupt the tunnel [§4.3, CCS 2013]. A Turbo Tunnel session layer adds fixed-overhead headers and periodic ACK/keepalive traffic that may produce distinctive timing patterns absent in legitimate flows, potentially increasing susceptibility to traffic-shape classifiers.

2020-fifield-turbo §2 detection

Frolov et al. (2020) found that over 94% of Internet servers respond with data to at least one popular protocol probe, making probe-resistant proxies that remain entirely silent statistically anomalous. Censors can further fingerprint silent proxies by their unique timeout or data-limit behaviors before connection close (e.g., Lampshade closes immediately after 256 bytes of unrecognized data, or waits exactly 90 seconds before timing out).

2020-frolov-httpt §2 Background detection

At a round-trip time of 50 ms, MIMIQ incurs only a 10% throughput drop when migrating every 25 packets (frequency = 4 per 100 packets). Per-migration latency ranges from 7–64 ms at 10 ms RTT and 43–99 ms at 50 ms RTT as migration frequency scales from 0 to 50 migrations per 100 packets.

2020-govil-mimiq §4.2 evaluation

MIMIQ leverages QUIC's connection migration to change a client's IP address mid-connection without disrupting ongoing transfers. QUIC's specification requires that endpoints never reuse connection IDs during migration and that migration tokens are encrypted; this makes migration events indistinguishable from a second distinct client initiating a new connection from a fresh IP address.

2020-govil-mimiq §3.1 defense

Against censors that detect blacklisted application protocols by examining only the first 30 packets of a flow (e.g., the technique in Wang et al. 2015), a single IP migration after 30 packets have been exchanged is sufficient to defeat detection while incurring minimal performance overhead—the client continues the connection normally on the new address.

2020-govil-mimiq §5 defense

Sibling transaction analysis across 45 million Bitcoin transactions (blocks 580,000–600,000, June–Oct 2019) shows 32% use the Pay2PKeyHash + Pay2ScriptHash combination MoneyMorph employs. In Monero, the two-input two-output structure matches 42% of all transactions. In Zcash, only 11–19% of transactions are shielded, giving it the lowest sibling rate despite the highest bandwidth.

2020-minaei-moneymorph §5.1, §5.3, §5.5, Table 1 evaluation

Protocol Proxy uses 'protected static protocols' — UDP-based protocols whose blocking causes severe collateral damage (e.g., Synchrophasor power-grid traffic, NTP) — as cover channels. Because any detection rule that fires on Protocol Proxy traffic also fires on legitimate PMU traffic, censors face a forced trade-off between blocking circumvention and disrupting critical infrastructure.

2020-oakley-protocol §3, §5 defense

A deterministic Hidden Markov Model trained on 770,000+ real Synchrophasor samples produces interpacket timing that is statistically indistinguishable from the host protocol: the two-sample Kolmogorov–Smirnov test yields p = 0.21 (threshold 0.05, fail to reject null), and χ² homogeneity p-values for all three timing states are 0.82, 0.37, and 0.15 respectively.

2020-oakley-protocol §4, §7 evaluation

The Protocol Proxy achieves an observed goodput of only 182 bps against a 54 Mbps baseline link (>99.99% reduction), well below the theoretical ceiling of 15,477 bps; the gap is attributed to TCP retransmission overhead and the TCP header transiting the proxy. Tor baseline goodput measured at 7.31 Mbps by comparison.

2020-oakley-protocol §7, Table 2 evaluation

Static protocols — UDP-based with no application-layer handshake — are immune to stateful protocol analysis that defeated SkypeMorph: without a handshake state machine, a censor cannot flag discrepancies between observed and expected protocol states. This eliminates the detection vector that Houmansadr et al. (2013) exploited to identify SkypeMorph via handshake mismatch.

2020-oakley-protocol §3 defense

SiegeBreaker explicitly acknowledges two unresolved attack vectors: (1) latency-based traffic analysis attacks (forced-asymmetry / RAD-style), which the system does not mitigate, and (2) website fingerprinting attacks against the proxied traffic, for which no defense is implemented. Additionally, the email-based control channel is vulnerable to a censor who can delay or block emails to the controller's address, disrupting rule installation before the client's SYN packet arrives.

2020-sharma-siegebreaker §3, §4.1, §4.3 detection

The bottleneck exhibits strong and consistent diurnal patterns: 80–95% of receiver–sender pairs show a standard deviation of less than 3 hours in daily slowdown duration, and the patterns persist unchanged across weekends and national holidays (May 1–2 and October 1 national day). Packet loss is strictly asymmetric — occurring only for traffic entering China (inbound data and outbound ACK packets), not for traffic leaving China.

2020-zhu-characterizing §4.2 Observation 2, Observation 3, Figure 10 evaluation

Beyond the ClientHello, circumvention tools diverge from real browsers in TLS record-layer behavior: Go's crypto/tls splits the first application-data write differently than NSS or BoringSSL, and Go does not send a TLS ChangeCipherSpec in the same byte sequence as Chrome. These post-handshake divergences are detectable even when the ClientHello has been patched with uTLS, requiring record-layer mimicry in addition to hello-field mimicry for full fingerprint resistance.

2015-frolov-the-use-of-tls §4.3 detection

A GAN-based adversarial transformer applied to Meek traffic signatures increases mean classifier FPR from 0.183 to 0.834 and decreases mean area under the precision-recall curve (PR-AUC) from 0.990 to 0.414 across naive neural network, informed neural network, and CART decision tree classifiers evaluated on three geographically distinct datasets (residential, university, AWS).

2019-sheffey-improving §5 Results, Tables 1–2 evaluation

The paper identifies that Meek traffic is compared against average HTTPS traffic across all domains rather than against traffic specific to the CDN fronting host (e.g., ajax.aspnetcdn.com for meek-azure), meaning a transformed signature that mimics generic HTTPS may still appear anomalous relative to expected traffic to that specific CDN host. This dataset construction limitation means real-world GAN-guided shaping must target host-specific traffic baselines, not population-wide HTTPS baselines.

2019-sheffey-improving §6 Discussion defense

Prior ML classifiers achieve near-perfect detection of unmodified Meek traffic using side-channel features: Wang et al. attain a false positive rate (FPR) as low as 0.0002 with a CART decision tree, Yao et al. achieve 99.98% accuracy with a hidden Markov model, and Nasr et al. deanonymize Meek flows with FPR of 0.0005 using a neural network. The distinguishing features are TCP payload size distributions (Meek concentrates 60–70 byte payloads) and inter-arrival time distributions (higher latency).

2019-sheffey-improving §1 Introduction, §3 Feature Extraction detection

Incorporating perturbation loss — the mean absolute difference between original and transformed traffic signatures — into the GAN's training objective constrains the transformer to make minimal modifications, reducing the implementation overhead a real-time traffic shaper would require. The perturbation loss is weighted at 10× relative to classification losses, enforcing sparse modifications while still fooling the discriminator.

2019-sheffey-improving §4.2 Training defense

Capturing as little as 30 seconds of a multimedia-tunneling flow is sufficient for XGBoost to reach the same AUC achieved with a 60-second window (AUC=0.99 for Facet s=50%, AUC=0.95 for DeltaShaper h320×240, 8×8, 6, 1i at 30s). Classification performance degrades monotonically below 30 seconds, reaching AUC≈0.81 (Facet) and 0.75 (DeltaShaper) at 1 second.

2018-barradas-effective §4.6, Table 4 detection

CovertCast — which scrapes web content into colored-matrix frames broadcast over YouTube live streams — is fully detected by the χ² similarity classifier with TPR=100% and FPR=2%. The KL and EMD classifiers achieve TPR>96.5%, indicating the system provides essentially no unobservability in practice.

2018-barradas-effective §3, Table 1 detection

Decision tree classifiers (XGBoost) can flag 90% of Facet multimedia-tunneling traffic while erroneously flagging only 2% of legitimate Skype connections (FPR=2%). Against DeltaShaper at its most conservative configuration (h160×120, 4×4, 6, 1i), XGBoost achieves AUC=0.85, demonstrating that existing unobservability claims for all three systems (Facet, CovertCast, DeltaShaper) were flawed.

2018-barradas-effective §4, Table 3 detection

A censor using latency analysis to classify decoy routing sessions achieves a maximum F-score that drops to nearly 0 when the base rate of decoy routing falls below 10^-4 (one in 10,000 connections). Even at higher adoption rates the F-score remains below 0.5 for most overt sites, making reliable detection infeasible without unacceptable false-positive rates on legitimate traffic.

2018-bocovich-secure §4.2 evaluation

I2P obfuscates payload content to prevent protocol identification, but flow analysis can still fingerprint I2P traffic because the first four handshake messages between I2P routers have fixed lengths of exactly 288, 304, 448, and 48 bytes. The I2P team acknowledged this and was developing an authenticated key agreement protocol to resist automated identification.

2018-hoang-empirical §2 detection

MultiFlow's tunnel operates as a virtual message board: the client and decoy router never exchange covert data within the same TCP connection. The decoy router uploads responses to a URI or email address specified by the client; the client downloads independently on a separate connection. This design eliminates the forged-packet and rewritten-traffic vectors that make TapDance and Rebound vulnerable to traffic analysis and decoy-host probing.

2018-manfredi-multiflow §3.2 defense

MultiFlow's stencil-coding capacity is constrained by TLS record sizes: hiding 1 byte per 16-byte block requires a 1568-byte TLS record to exfiltrate 98 bytes of key material. The paper notes that many websites' initial GET requests produce TLS 1.3 application records under 100 bytes, meaning MultiFlow would need to span multiple records or adopt the more efficient chosen-ciphertext steganography used by TapDance. No implementation exists at time of publication; session resumption from a different source IP was verified feasible using OpenSSL 1.1.1-pre2 and Scapy.

2018-manfredi-multiflow §3.1, §3.4 evaluation

DeltaShaper embeds covert TCP/IP data into Skype's encrypted video stream using a virtual camera interface, treating Skype as a black box rather than mimicking its protocol. This approach provides active-attack resistance by design: any in-path perturbation affects covert and legitimate streams identically, because real Skype software processes both. The system achieves a goodput of 2.56 Kbps (with Reed-Solomon ECC) or 3.12 Kbps (without ECC) at optimal encoding parameters (320x240 area, 8x8 cell size, 6 bits/cell, 1 fps), with RTT of approximately 3 seconds.

2017-barradas-deltashaper §4, §5, Table 2 defense

Packet-length frequency distributions reliably distinguish regular Skype calls from irregular streams using Earth Mover's Distance (EMD): regular streams consistently produce EMD < 0.1 against a reference stream, while irregular streams range from 0.025 to 0.25. At the breakeven threshold ∆I = 0.066, an EMD classifier achieves 83% accuracy (equal sensitivity and specificity). An aggressive policy (∆A) blocks 95% of legitimate calls to catch all irregular streams; a conservative policy (∆C = 0.11) passes 80% of irregular streams to avoid false positives.

2017-barradas-deltashaper §6.1, Figure 7 detection

Encoding parameters must be jointly tuned to remain unobservable: only specific combinations stay below the intermediate blocking threshold ∆I. Valid configurations at 1 fps include (160x120, 4x4) and (320x240, 8x8) areas/cell sizes; increasing frame rate above 1 fps pushes EMD above ∆ for all multi-bit encodings. As bits per cell increase, video compression introduces more decoding errors — error rates become unacceptable above 6 bits/cell for the (320x240, 8x8) configuration, yielding the candidate encoding: 320x240 area, 8x8 cells, 6 bits/cell, 1 fps.

2017-barradas-deltashaper §6.2, §6.3, Figures 9–12 evaluation

Across eight combinations of traffic features (packet length, bi-gram packet length, inter-packet time, bi-gram inter-packet time) and two similarity metrics (EMD, KS), adversarial classification accuracy against DeltaShaper streams ranges from 72–90% in unperturbed conditions. Bi-gram inter-packet times with EMD achieves 88% accuracy, matching packet-length/EMD, but requires roughly 10x the computation (~64s vs ~6s). Bandwidth throttling to 300 Kbps degrades classifier accuracy from 88% to 75%, but also drops Skype frame rate from 30 to 5 FPS, creating collateral damage that limits censor deployment of throttling as a detection aid.

2017-barradas-deltashaper §6.4, §6.5, Table 3 detection

FreeWave, the VoIP-based predecessor, was vulnerable to passive traffic analysis because its covert Skype streams exhibited packet-size distributions different from legitimate calls, enabling detection with high probability. DeltaShaper's video-based approach with EMD-constrained encoding addresses this specific failure mode, but at a severe throughput cost: FreeWave achieves 18.75 Kbps vs DeltaShaper's 2.56–3.12 Kbps goodput. Competing systems benchmark: CovertCast ~168 Kbps (no unobservability constraints), Castle 3.48 Kbps, SkypeLine 0.064 Kbps, Rook 0.024–0.04 Kbps.

2017-barradas-deltashaper §6.3, §2 evaluation

The classifier uses a 3,000-dimension binary vector recording which upstream and downstream packet sizes appear across the full session, combined with aggregate biflow statistics (total packets, burst length, transmission time, incoming/outgoing fractions). This packet-size histogram is the highest-dimensionality feature in the set.

2017-deng-random §IV.B, Table 1 detection

DeTor circuits have significantly lower end-to-end RTTs than standard Tor circuits because high-RTT paths cannot satisfy avoidance proofs, effectively self-selecting for shorter routes. Bandwidth distributions are similar to standard Tor. However, intentional packet-delay defenses proposed for Tor (to defeat timing attacks) would increase effective δ and reduce DeTor proof coverage, creating a tension between delay-based anonymity defenses and RTT-based geographic avoidance.

2017-li-detor §6.2.3, §6.2.1 (δ discussion) evaluation

Never-twice avoidance — ensuring no country appears on both the entry leg (source→entry) and exit leg (exit→destination) of a Tor circuit — succeeds for 98.6% of source-destination pairs not in the same country, using only client-side RTT measurements. This directly defeats traffic-correlation deanonymization attacks that require an adversary on both legs of the circuit simultaneously.

2017-li-detor §4.2, §6.3.1 defense

Waterfall's Overt User Simulator caches previously loaded overt-website responses and replays them to generate cover traffic, overcoming Slitheen's 40% downstream throughput ceiling (caused by restricting covert replacement to leaf HTTP objects only). Because downstream-only decoy routers intercept all downstream TLS records — not just leaf content — Waterfall achieves higher covert capacity while perfectly mimicking overt browsing patterns against traffic analysis.

2017-nasr-waterfall §9 defense

DNS-sly encodes downstream data by selecting A records from the IP address pool of CDN-hosted domains. For the top 25% of Alexa Top 500 domains, approximately one third of DNS responses contain more than 8 A records and ~15% contain 15 A records; the global IP pool has a median of ~2,000 IPs per domain (maximum ~16,000), enabling b = floor(log2(s!/(s-c)!)) bits per response.

2016-akbar-dns-sly §2.2 defense

DNS-sly achieves statistical deniability by profiling each user's organic DNS behavior — recording accessed domains, semantic topics, and resolver-specific IP addresses — and constructing upstream requests that semantically overlap with that profile. Upstream communication is indistinguishable from normal DNS traffic in volume, frequency, and semantics; all DNS headers are fully legitimate with no unusual record types.

2016-akbar-dns-sly §3.1, §4.1 defense

Schuchard et al. demonstrated that latency differences caused by a decoy routing proxy communicating with a distant covert destination are sufficient not only to detect the use of decoy routing but also to fingerprint which specific censored webpage the client accessed. All prior decoy routing systems (Telex, Cirripede, Curveball, TapDance, Rebound) remained vulnerable to this attack at time of publication.

2016-bocovich-slitheen §4.1 detection

Slitheen replaces only 'leaf' HTTP resources (images, video) in overt-site responses with covert content, reusing all TCP/IP headers verbatim and forwarding packets immediately on arrival. This forces every observable feature—packet size, direction, inter-arrival timing—to be identical to a genuine access of the overt page, eliminating the censor's ability to apply latency analysis, website fingerprinting, or protocol fingerprinting to distinguish decoy sessions from normal traffic.

2016-bocovich-slitheen §3.1, §4.1 defense

Table 1 shows Slitheen is the first decoy routing system to simultaneously defend against latency analysis, website fingerprinting, and protocol fingerprinting attacks, while also resisting TCP replay and Crazy Ivan active attacks. This security is achieved at the cost of requiring symmetric flows and inline blocking—requirements previously considered prohibitive—which the authors argue are increasingly met by commercial DPI traffic-shaping appliances (e.g., Sandvine) already deployed by ISPs.

2016-bocovich-slitheen §4.5, Table 1 evaluation

Snowflake exclusively uses WebRTC data channels (on-wire protocol: DTLS), whereas the majority of WebRTC applications use media channels (DTLS-SRTP or SRTP/SDES); a censor can therefore block Snowflake by filtering data-channel flows alone without blocking WebRTC media applications, incurring minimal collateral damage and reducing the overblocking deterrent.

2016-fifield-fingerprintability §6 detection

STUN and TURN packets carry a SOFTWARE attribute that explicitly names the server implementation (e.g., 'Citrix-3.2.5.1 Marshal West' for OpenTokRTC), and the choice of STUN servers, forced-TURN usage, and STUN message-type sequence (Binding-only vs. Allocate+CreatePermission vs. send-indication) differ across applications, providing a passive censor with reliable application-level fingerprints orthogonal to the DTLS layer.

2016-fifield-fingerprintability §2, §4.1–§4.5 detection

A DTLS fingerprinting script run on one full day of network traffic at Lawrence Berkeley National Laboratory found only 7 DTLS handshakes with 3 unique client fingerprints and 3 unique server fingerprints, suggesting there may not be enough naturally occurring WebRTC traffic to provide meaningful cover for a WebRTC-based circumvention system.

2016-fifield-fingerprintability §5 evaluation

Castle structurally avoids all three covert-channel pitfalls identified by Geddes et al.: architecture mismatch is avoided by supporting both client-server and P2P modes; channel mismatch is avoided because RTS games implement application-layer reliability over UDP (matching proxied TCP requirements, unlike VoIP), blocking selective-drop denial-of-service attacks; content mismatch is avoided because legitimate RTS traffic has high natural variance driven by map, strategy, and player count.

2016-hahn-games §6.3 defense

Castle's packet-size and inter-packet-time distributions (measured via Kolmogorov-Smirnov statistic) fall within the variance observed between legitimate human-game sessions when using ≤50 units/command at ~1 command/second; the best-performing classifier (Herrmann) achieved only ~60% accuracy—roughly 10% above random guessing—against multiple Castle configurations, while two other classifiers (Liberatore, Shmatikov timing) performed near chance.

2016-hahn-games §6.1, Figures 3–5 defense

A naive active-probing resistance scheme that embeds a fixed-length token in the initial request is vulnerable to flow fingerprinting because the censor can detect connections that always begin with a fixed byte count; pseudo-random padding removes this length-based signature. Separately, obfuscating-service schemes that reveal server aliveness by completing TCP expose the server IP to enumeration even before the application-layer challenge fires.

2016-khattak-sok §5.5 defense

Wiley's Bayesian classifier against obfuscated protocols (Dust, SSL, obfs-openssh) found that entropy detection achieved 94% accuracy using only the first packet, timing-based detection achieved 89% accuracy over entire packet streams, and length-based detection achieved only 16% accuracy.

2016-khattak-sok §2.4.1 detection

χ² homogeneity tests on 70 audio signal pairs show that at SNR ≥ 25 dB the probability that a statistical test distinguishes modulated from original signals falls to 77.13% (i.e., the rate of successful discrimination is below 23%). Crucially, this analysis requires access to the original unmodulated signal; for live voice transmissions no such pairing is feasible for the censor, rendering statistical detection unrealizable in practice.

2016-kohls-skypeline §6.3.2, Table 6 defense

The paper's threat model explicitly assumes censors can enforce client-side VoIP software (e.g., TOM-Skype in China) giving the adversary access to the pre-encoding audio signal at both endpoints. Despite this, SkypeLine forces the censor into an all-or-nothing position: intercepting hidden data requires blocking the entire VoIP service, since no network-layer observable (packet headers, timing, encrypted payload) distinguishes steganographic from legitimate calls.

2016-kohls-skypeline §3.1, §6.1 detection

SkypeLine's m-ary modulation (Mode B using 128-bit Hadamard sequences) achieves a peak data rate of 2,407 bps, representing a 12,035% improvement over FHSS-based DSSS (Takahashi et al., 20.5 bps) and 19,256% over phase-coding techniques (Nutzinger et al., 12.5 bps). Four-layer parallel binary modulation (Mode A, Quattro) achieves a peak of 224 bps and mean of 106.61 bps at ≥99% reconstruction accuracy.

2016-kohls-skypeline Table 1, Table 2 evaluation

Wireshark captures of Skype traffic with and without hidden information at inaudible SNR show no statistically significant differences in inter-arrival times (mean IAT 0.019 s in all conditions) and only a 2.6% difference in mean packet length (130.34 bytes unmodulated vs. 126.98 bytes at inaudible SNR), well within one standard deviation (SD ≈ 12–14 bytes) and insufficient for reliable content-mismatch detection.

2016-kohls-skypeline §6.1, Table 4 evaluation

By transmitting application-level social media content over genuine SMTP/IMAP connections rather than imitating email protocols, Mailet achieves channel and content consistency, making it immune to the differential channel attacks — channel mismatch and content mismatch — that defeated earlier hide-within systems such as StegoTorus and Freewave.

2016-li-mailet §6.1 defense

Mailet clients' daily email traffic patterns remained within the normal range of genuine email users, validated against the Enron dataset (517,425 emails, 151 users) combined with simulated Twitter usage patterns from 100 randomly sampled accounts, demonstrating that per-user daily email frequency is a poor Mailet detector with high false-positive and false-negative rates.

2016-li-mailet §6.3 evaluation

A KL-divergence classifier trained to distinguish CovertCast streams from real YouTube streams achieved only 33–45% true positive rate on packet-size distributions and 36–41% on inter-packet timing distributions — below random guessing — while maintaining 86–98% true negative rates. Overall classifier accuracy was approximately 65–68%, driven entirely by the high true negative rate rather than genuine detection capability.

2016-mcpherson-covertcast §7.5, Table 1 evaluation

CovertCast uses the identical video codecs, streaming protocols (RTMP/HTTPS), and server endpoints as any other YouTube live stream, making it indistinguishable from regular streaming traffic to both passive protocol-analysis and active traffic-manipulation attacks. Any active attack that disrupts CovertCast connections — such as selective packet dropping — would equally disrupt all non-circumvention viewers of the same streaming service, imposing prohibitive collateral damage.

2016-mcpherson-covertcast §7.4, §7.5, §7.6 defense

To match legitimate user behavior, the Camouflage dispatcher enforces empirically derived per-protocol session time limits: email 1–3 minutes, file sharing 5–10 minutes, instant messaging 15–20 minutes, and VoIP 20–30 minutes (Table 1). Sessions exceeding these windows produce a detectable deviation from population-level usage norms.

2016-zarras-leveraging §5.2, Table 1 defense

Protocol imitation systems (SkypeMorph, CensorSpoofer, StegoTorus) fail to achieve unobservability because they implement the target protocol only partially, creating statistical discrepancies that censors can detect. Houmansadr et al. (2013) demonstrated this as a fundamental flaw: unobservability by imitation is categorically insufficient as a circumvention design principle.

2016-zarras-leveraging §1, §6 detection

A single-protocol circumvention system creates a detectable anomaly: when the system is active, the traffic pattern on that protocol diverges from the same user's baseline behavior, which anomaly-based detectors can classify. Users who also legitimately use the tunneled service in daily life produce two distinct signatures — one with and one without the circumvention layer — further compounding detectability.

2016-zarras-leveraging §5.2 detection

Marionette is the first programmable obfuscation system to simultaneously satisfy all five threat-model dimensions evaluated in Figure 2: resistance to blacklist DPI, whitelist DPI, statistical-test DPI, protocol-enforcing proxy traversal, and multi-layer traffic control, while sustaining throughput above 1 Mbps (up to 6.7 Mbps). Every prior system (obfs4, ScrambleSuit, SkypeMorph, StegoTorus, FTE, JumpBox, etc.) fails at least one dimension, most commonly stateful proxy traversal or statistical-feature control.

2015-dyer-marionette §2, Figure 2 defense

High-fidelity statistical mimicry of Amazon.com traffic — simultaneously matching HTTP response payload length distributions, request-response pairs per TCP connection, and simultaneously active connection counts — reduced goodput to 0.45 Mbps downstream and 0.32 Mbps upstream, versus 6.6/6.7 Mbps for simple RFC-compliant FTP mimicry. The bottleneck was the prevalence of very short payloads (most common length: 43 bytes) forcing frequent TCP connection setup and teardown, with the server blocked on network I/O 98.8% of the time.

2015-dyer-marionette §7.4, §7.6 evaluation

Rebound's mole protocol generates a characteristic traffic pattern — a steady stream of long HTTP GET requests followed by 404-style error responses — that may be identifiable via traffic analysis even though the channel is TLS-encrypted; the paper acknowledges this as an unmitigated vulnerability and notes that intermingling with ordinary requests reduces observability but further lowers effective throughput.

2015-ellard-rebound §VIII-B detection

Rook achieves 34 bits/second client-to-server and 26 bits/second server-to-client within Team Fortress 2, sufficient for OTR-encrypted real-time chat. Rook use did not trigger Valve Anti-Cheat warnings and did not noticeably degrade gameplay for co-located legitimate players.

2015-vines-rook §4.1 defense

Kolmogorov-Smirnov two-sample tests on packet-size distributions and inter-packet timing show that standard Rook (altering ~1-in-10 packets) is statistically indistinguishable from normal TF2 gameplay across 20 samples each. High-bandwidth Rook (1-in-2 packets) shows a slightly higher average bandwidth but remains difficult to distinguish on traffic-shape metrics.

2015-vines-rook §4.3 Traffic Shape Analysis evaluation

Format-transforming encryption (FTE) as deployed in the Tor Browser Bundle is detected by combining a URI Shannon-entropy threshold (≥5.5 bits) with an exact URI length check (239 bytes) on the first HTTP GET request. This embellished test produces only 264 false positives across approximately 10 million HTTP URIs in three campus datasets, while a length-only test causes roughly 15% false-positive rate over the same flows.

2015-wang-seeing §5.2, Figure 6 detection

CART decision-tree classifiers trained on entropy-based and packet-header features detect all five Tor pluggable transports (obfsproxy3/4, FTE, meek-amazon, meek-google) with average PR-AUC=0.987, TPR=0.986, and FPR=0.003 on synthetic traces. On 14 million real campus flows the highest per-obfuscator FPR is 0.65%, and meek-google yields only 842 false positives across all three datasets. However, cross-environment portability is poor: classifiers trained on an Ubuntu/campus setup and tested on a Windows/home network achieve true-positive rates as low as 52% with false-positive rates reaching 12%.

2015-wang-seeing §6.1, Tables 8–9 detection

Obfsproxy3 and obfsproxy4 are reliably detected by an entropy-distribution test (KS test, block size k=8) applied to the first 2,048 bytes of the first client-to-server packet, combined with a minimum payload-length check of 149 bytes. On three university campus datasets totaling over 14 million TCP flows, the test achieves TPR=1.0 with FPR ranging from 0.24% to 0.33%. Omitting the length check raises the SSL/TLS false-positive rate to approximately 23%.

2015-wang-seeing §5.1, Table 5 detection

Because CloudTransport uses the same network servers as legitimate cloud services, blocking it requires statistical classification of every cloud connection; false positives will disrupt popular and business-critical cloud applications (enterprise software, games, file backups), raising the economic and social costs of censorship. Empirical evidence shows that Chinese censors declined to block Amazon S3 even after it was used to mirror censored websites because doing so would disrupt 'thousands of services in China' with significant economic consequences. Due to the base-rate fallacy, even an accurate classifier will either miss many CloudTransport connections or cause collateral damage to non-circumventing cloud users.

2014-brubaker-cloudtransport §4.1, §7 defense

Facade encodes 78.04 bits per HTTP GET request using search-query terms, compared to Infranet's 3 bits per URL — a ~26× improvement — while maintaining comparable statistical deniability. StegoTorus encodes 12,000 bits per URL but offers no statistical deniability against traffic-pattern analysis.

2014-jones-facade §5.2, Table 1 evaluation

Facade faces an inverse tradeoff between upstream throughput and deniability: pure search encoding maximizes bits per request (78.04 bits) but does not reflect real user click behavior, while mixing in click-range mapping (lg(k) bits per URL, k=8 → 3 bits) reduces throughput but better models normal browsing. Neither pure strategy is optimal; the design requires tuning the search-to-click ratio.

2014-jones-facade §5.2 evaluation

Analysis of the AOL search corpus shows an average search query length of 17.42 bytes with an entropy of 4.48 bits/byte, yielding 78.04 bits of deniable information per HTTP GET request. This entropy matches real user search behavior, making entropy-based traffic analysis unable to distinguish Facade traffic from genuine search sessions.

2014-jones-facade §5.2 defense

Content inconsistency — transmitting non-native payloads (e.g., modem signals or general web traffic) over VBR-encoded VoIP/video channels — is sufficient for censors to detect camouflage systems via packet-length traffic analysis. Channel inconsistency — requiring reliable transport over a loss-tolerant UDP channel — allows selective disruption: dropping 5% of packets stalls SkypeMorph indefinitely, and dropping 90% for under one second desynchronizes the FreeWave modem.

2014-li-facet §3.3 detection

Without traffic morphing, a χ² packet-length classifier can identify 90% of Facet (video-over-Skype) sessions with only a 10% false positive rate on genuine videoconferencing. To block 80% of Facet connections, the censor need only disrupt 4% of genuine Skype calls; blocking 70% requires disrupting only 2%.

2014-li-facet §6, Figure 4 detection

Facet's video morphing — embedding the requested video in a fraction s of H.264 macroblocks within a randomly chosen chat video — raises the censor's required false positive rate dramatically. At steganography level s=0.125, blocking 90% of Facet connections requires disrupting over 40% of genuine videoconferencing traffic; blocking 80% requires disrupting at least 20% of legitimate calls.

2014-li-facet §7.2, §9.3–9.4, Figure 9 defense

The paper argues that the advantage in the censor-vs-circumvention arms race lies with the censor due to fundamental asymmetry: a nation state controls centralized communication infrastructure while dissidents depend on it. Standalone anti-censorship tools therefore face a structurally disadvantaged security posture that iterative patching cannot overcome.

2014-tan-censorship §1 defense

The paper sketches a decentralized DHT-based communication protocol where all payloads are encrypted in TLS and explicit redirection enables a form of onion routing. Because the censor cannot distinguish censored from non-censored streams, it is forced into a binary choice: block all protocol traffic (overblocking) or allow all of it.

2014-tan-censorship §2.2 defense

Known attacks on existing circumvention tools include steganographic detection, enumeration of decoy-router locations, and machine-learning traffic classifiers. The paper acknowledges these defeat current approaches (Infranet, Collage, Telex, SkypeMorph, Freewave) and argues that no iterative patch can neutralize the censor's long-term structural advantage.

2014-tan-censorship §1 defense

GNS encrypts all DHT queries and responses using a zone-private-key-derived symmetric key (h = x·l mod n; query = H(hG)) such that a passive DHT observer can only mount a confirmation attack — requiring simultaneous knowledge of both the zone's public key and the specific label. Without both values, an adversary observing DHT traffic cannot determine the label, zone, or record data; even fully participating malicious DHT nodes see only opaque signed blobs unlinkable to their originating query.

2014-wachs-censorship-resistant §4 defense

GoHop without traffic shaping achieved 76.8–78.5 Mbps (virtual NIC) on a 1 Gbps LAN; traffic shaping reduced this to 58.1 Mbps (~26% overhead from fragmentation). In a Beijing-to-Seattle real-world download test, GoHop delivered 960–999 KB/s against a 1,544 KB/s direct baseline, with the 96.7 Mbps WAN link—not GoHop—as the bottleneck. This compares to Tor's 40–300 KB/s (30–80 KB/s with obfuscation plugins such as SkypeMorph).

2014-wang-gohop §V.B, Table II, Table III evaluation

Packet padding alone is insufficient to defeat statistical traffic analysis unless every packet is padded to MTU; small-size padding has minimal effect on classifier accuracy (citing Hjelmvik & John 2010). Traffic shaping that also fragments large packets—transforming the full packet-size CDF to match a target distribution rather than merely inflating small packets—is required to statistically impersonate a target traffic class.

2014-wang-gohop §III.B defense

Spreading UDP datagrams across a randomized port range breaks traditional 5-tuple-based session tracking, randomizes per-port inter-arrival times, and reduces per-port throughput to a small fraction of the aggregate—making per-flow statistical analysis significantly harder. Critically, the number of random ports does not reduce aggregate throughput: GoHop measured 76.8 Mbps (1 port) versus 78.5 Mbps (100 ports) at the virtual NIC.

2014-wang-gohop §III.C, §V.A, Table II defense

GoHop's naïve traffic shaping targeting a uniform packet-size distribution (0–MTU) successfully morphed both HTTP and SSH flows: K-S test D values were 0.019 (HTTP) and 0.022 (SSH), both below the 0.025 rejection threshold, with p-values of 0.20 and 0.11 respectively. After shaping, packet-size CDFs and statistical metrics (mean ~782–783 bytes, variance ~163,600) for both protocols became nearly identical, eliminating the size signals that distinguish them.

2014-wang-gohop §V.A, Table I evaluation

Asymmetric IP routing is a fundamental constraint on prior E2M designs: tier-2 ISPs typically see around 25% of packets on asymmetric paths, while tier-1 ISPs can have up to 90% of packets on asymmetric flows. Because Telex requires observing both directions of a connection to derive the client-server TLS master secret, this asymmetry severely constrains where it can be deployed. TapDance resolves this by using chosen-ciphertext steganography to leak the master secret from client to station in a single upstream packet, making it functional under fully asymmetric routing.

2014-wustrow-tapdance §1, §6 evaluation

Scanning a 1% sample of the IPv4 address space and the Alexa top-1-million domains, the authors found that over half of all TLS hosts will leave an incomplete HTTP request connection open for at least 60 seconds before sending data or closing the connection; many had timeouts exceeding 5 minutes. The 16-core TapDance station prototype processes over 12,000 tag verifications per second per core, with approximately 90% of CPU time consumed by a single ECC point multiplication on Curve25519. The station adds a median latency of 270 milliseconds to page downloads versus direct connections, and a single station instance can be overwhelmed by approximately 1.2 Gbps of TLS application-layer traffic.

2014-wustrow-tapdance §7.3, §8, Figure 5 evaluation

SSH transfers utilized only 15% of available bandwidth versus 85–89% for HTTP/HTTPS. When SSH was obfuscated by XORing payloads with a constant key (hiding the plaintext handshake), throughput dropped to near-zero during all trials. Applying the same obfuscation to HTTP transfers produced the same near-zero result, supporting the hypothesis that Iran whitelists known-approved protocols rather than blacklisting specific ones, which would preemptively block any unrecognized or randomized transport including Tor's obfsproxy.

2013-aryan-internet §4.4 detection

FreeWave's modem synchronization depends on a preamble transmitted only at connection start (approximately 0.25 seconds for a 2048-symbol preamble); a censor applying 95% packet loss for under one second at the beginning of the session reliably prevents synchronization and breaks the connection, while reducing VoIP MOS only briefly and leaving the remainder of the session intact (Figure 2). With fixed data-frame designs, the censor can repeat preamble-targeted drops on every frame, achieving complete desynchronization at low average packet loss rates tolerable to legitimate VoIP.

2013-geddes-cover §4.2, Figure 2 detection

SkypeMorph and FreeWave both overlay a client-proxy communication model onto a peer-to-peer VoIP network; because Skype clients attempt direct peer contact before falling back to supernodes, initiating a call to a FreeWave proxy reveals its IP address directly to the caller, and proxy nodes accumulate user-to-bridge ratios that reached 8–12× in Syria/Iran and up to 120:1 in China (Figure 8), producing concentration signatures uncharacteristic of normal P2P call distributions. These architectural mismatches allow enumeration and fingerprinting attacks independent of traffic-content analysis.

2013-geddes-cover §5, Figure 8 detection

By targeting SkypeMorph's deterministic ACK-flagging schedule (one ACK every ~100 ms) and capping overall packet loss at 5–20%, a censor can drop up to 47% of ACK packets, reducing SkypeMorph throughput from its normal ~200 KB/s to 5–10 KB/s (a 90–95% reduction) while VoIP call quality remains within acceptable MOS thresholds. The attack exploits the reliability mismatch between the loss-tolerant UDP cover channel and the TCP-like retransmission layer SkypeMorph builds over it.

2013-geddes-cover §4.3.2, Figure 4 detection

FreeWave's modem generates audio whose packet-length distribution has dramatically lower variance than human speech, even when transmitted through Skype's variable-bit-rate encoder; Figure 9 shows that English and Portuguese speech samples produce high-variance packet-length sequences while modem audio produces a narrow, nearly constant distribution, providing a reliable passive classifier for modem-over-VoIP traffic. This content mismatch persists even with perfect emulation of the VoIP protocol framing.

2013-geddes-cover §6, Figure 9 detection

Protocol mimicry approaches (SkypeMorph, StegoTorus, CensorSpoofer) do not execute the target protocol in full and leave detectable discrepancies: SkypeMorph fails to replicate Skype's TCP handshake, and CensorSpoofer's IP-spoofing downstream channel enables active traffic analysis by censors who can inject manipulated packets and observe whether the purported VoIP endpoint reacts. The authors state that morphing approaches provide no provable indistinguishability, and protocol evolution further invalidates mimicry over time.

2013-houmansadr-i §IX / §X detection

FreeWave-over-Skype produces traffic statistically indistinguishable from genuine Skype-Speak state: average packet rate 49.91 pps vs. 50.31 pps for Skype-Speak, and average packet size 148.64 bytes vs. 146.50 bytes. However, the Skype-Silent state generates distinctly lower rates (49.57 pps, 103.97 bytes avg), creating a detectable anomaly when both FreeWave endpoints appear to be 'speaking' simultaneously rather than alternating.

2013-houmansadr-i §VIII-C / Table II evaluation

The authors enumerate 12 requirements a parrot system must satisfy simultaneously (Correct, SideProtocols, IntraDepend, InterDepend, Err, Network, Content, Patterns, Users, Geo, Soft, OS) while a censor need detect only one failure. They conclude 'unobservability by imitation is a fundamentally flawed approach' and recommend embedding covert traffic in genuine encrypted payloads of a real running protocol (e.g., FreeWave in Skype voice, SWEET in email), which constrains detection to OM adversaries performing large-scale multi-flow analysis.

2013-houmansadr-parrot §XI defense

SkypeMorph and StegoTorus-Embed fail 5 of 9 standard Skype identification tests (Table I), including the TCP control channel (T9), SoM packet headers (T3), and periodic message exchanges (T6/T7). All failures are detectable by a local (LO) passive censor at line speed without requiring ISP-scale statistical analysis.

2013-houmansadr-parrot §VII-A, Table I detection

ScrambleSuit's prototype achieves a mean goodput of 148 KB/s (σ=61 KB/s) versus Tor's 286 KB/s (σ=227 KB/s) over a 100 Mbit/s LAN — roughly half Tor's throughput — with 45–50% total protocol overhead compared to Tor's 19.6%. Disabling inter-arrival time obfuscation raises goodput to 321 KB/s (σ=231 KB/s), demonstrating that artificial delays are the dominant cost rather than padding or cryptography.

2013-winter-scramblesuit §5.2, Table 2 evaluation

ScrambleSuit achieves polymorphism by seeding each server's PRNG with a randomly generated 256-bit value, which generates server-specific probability distributions over packet lengths (up to 100 bins) and inter-arrival times (bins in [0, 10) ms). The seed is shared with clients after authentication, so both sides shape traffic identically; a censor monitoring two distinct ScrambleSuit servers observes different distributions and cannot build a single universal classifier.

2013-winter-scramblesuit §4.3 defense

Tor's traffic contains a characteristic prevalence of 586-byte packets (Tor's 512-byte cells plus TLS header overhead) that form a strong flow-level fingerprint detectable from a few dozen captured packets. ScrambleSuit's packet length morphing eliminates this signature and shifts the distribution toward MTU-sized packets, but the authors note that a censor using the VNG++ classifier — which relies on coarse features like connection duration, total bytes, and burstiness — would still require only a marginal increase in ScrambleSuit's overhead to defeat.

2013-winter-scramblesuit §4.3.1, §5.1, Figure 10 detection

SWEET argues that mimicking complex protocols (SkypeMorph, CensorSpoofer, StegoTorus) is fundamentally breakable because comprehensive imitation of today's protocols is infeasible. The paper instead advocates tunneling inside genuine traffic from actual, widely-used protocol providers — in this case real email services — so the censor observes authentic protocol behavior rather than a simulation.

2013-zhou-sweet §1 defense

Traffic analysis poses a concrete throughput ceiling: a conservative SWEET user can perform only 35–70 web downloads per day or 10–20 interactive web sessions while staying within the bounds of normal email volume (2012 averages: 35 sent, 75 received daily). Most websites require fewer than 3 SWEET emails in each direction, with Yahoo as an outlier due to its many hosted objects.

2013-zhou-sweet §5.2 evaluation

OONI's traffic manipulation test suite uses bidirectional traceroute comparison: asymmetry between inbound and outbound paths for specific source/destination port pairs is treated as an indicator that traffic is being diverted to an interception device. Additional per-flow indicators include timing differences in packets directed at specific ports and layer-7 header field manipulation detectable at the receiving endpoint.

2012-filast-ooni §5.5 Traffic Manipulation detection

SkypeMorph's packet size and inter-packet delay distributions are statistically indistinguishable from real Skype video calls: Kolmogorov-Smirnov tests on both the naïve traffic-shaping and enhanced Traffic Morphing outputs report p > 0.5, indicating no significant difference from the Skype target distribution. The original Tor traffic distribution, by contrast, is considerably different from Skype, validating the need for the morphing layer.

2012-moghaddam-skypemorph §7, Figure 6 evaluation

SkypeMorph achieves a goodput of 33.9 ± 0.8 KB/s (naïve shaping) and 34 ± 1 KB/s (enhanced Traffic Morphing) versus 200 ± 100 KB/s for a normal Tor bridge, with overhead of ~28% compared to 12% for normal Tor. The two traffic-shaping methods perform statistically identically (KS p > 0.5), but the overhead grows during silent periods because the transport must transmit padding to maintain Skype's constant bitrate even when the Tor buffer is empty.

2012-moghaddam-skypemorph Table 1, §8 evaluation

Encrypted channels expose only two statistical features to an external observer: packet sizes and inter-packet arrival times. Original Traffic Morphing (Wright et al. 2009) shaped only packet-size distributions, leaving inter-packet timing as an unobfuscated fingerprint identical to the source (Tor) distribution. SkypeMorph extends Traffic Morphing to jointly sample from nth-order conditional distributions of both packet sizes and inter-packet delays (tested up to n = 3), closing the timing gap.

2012-moghaddam-skypemorph §4.3, §4.4 defense

BTP's wire protocol contains no handshakes, timeouts, or plaintext headers. Connections open with a pseudo-random b-byte tag that the recipient can compute in advance from its key state, making BTP frames indistinguishable from random data to a passive observer who does not know the shared secret.

2012-rogers-secure §2, §3.2 defense

A warden can fingerprint the specific covert destination a Telex user is visiting by comparing observed latency distributions against a pre-built database of covert-destination latencies. With an intelligently filtered database of only 10 distributions (K-S inter-entry threshold 0.8), the AUC is 0.868, and with approximately 12 collected samples the false positive rate drops below 10%. Larger databases (size 50) degrade to AUC 0.537 due to distribution similarity, but threshold-based filtering restores substantial discriminative power.

2012-schuchard-routing §5.3, Figures 7, 9 detection

A passive timing attack using the Kolmogorov-Smirnov test on connection latency distributions reliably distinguishes Telex users from honest hosts: K-S scores against the overt destination max out at 0.26, while scores against covert destinations (even those within 10 ms of the Telex station) range from 0.3–1.0 with a median of 0.7 for nearby servers and 1.0 for Alexa top-100 sites. The attack is effective even for clients 50–250 ms from the Telex station, with no K-S score below 0.26 observed across 40 PlanetLab hosts.

2012-schuchard-routing §5.1–5.2, Figures 5–8 detection

Using G.711 or G.722-64 codecs (64 Kbps downstream), CensorSpoofer clients in China downloaded Wikipedia's HTML file in approximately 6 seconds and the full 160 KB page in approximately 27 seconds; Tor and a proxy-based system (NetShade) were measurably faster. The iLBC codec limits downstream throughput to 15.6 Kbps, and all codecs impose equivalent dummy-traffic cost on the dummy host (G.711 consumes 87.2 Kbps at the dummy host).

2012-wang-censorspoofer §7.2.1, Table 1 evaluation

The StegoTorus HTTP module degrades severely with network latency: it can sustain only a 50 kB/s stream at latencies below 200 ms and fails entirely at higher rates or latencies, because the HTTP request-response pattern transfers only one or two 512-byte Tor cells per round-trip. Plain Tor and chopper-only StegoTorus show no measurable throughput degradation at latencies up to 450 ms. Increasing parallel HTTP connections improves low-latency throughput but does not recover high-latency performance.

2012-weinberg-stegotorus §6, Figure 6 evaluation

HTTP steganography in StegoTorus expands upstream traffic by a factor of 41× and downstream by 12× compared to a direct connection (uploading 966,964 bytes vs. 23,643 bytes to transfer a 1 MB file). Chopper-only operation adds only ~2.7× upstream overhead, comparable to plain Tor. Maximum achievable goodput with the HTTP module is ~27 kB/s (~4× a 56 kbps modem), which the authors attribute to a minimum expansion factor of 8× inherent in contemporary steganographic schemes.

2012-weinberg-stegotorus §6, Table 3, Figure 7 evaluation

A naive-Bayes website-fingerprinting classifier achieves AUC > 0.94 against vanilla Tor for 8 of 9 Alexa top-ten sites (e.g., Wikipedia 0.9991, YouTube 0.9947). Against StegoTorus-HTTP, AUC drops to ≤ 0.75 for 7 of 9 sites (YouTube 0.4125, Facebook 0.5413, Google 0.6928), which the authors argue is too low for practical perimeter-scale deployment where near-perfect precision is required to avoid error floods.

2012-weinberg-stegotorus §5.2, Table 2 evaluation

Tor's fixed 512-byte cells packed into TLS 1.0 records produce a characteristic TCP payload of 586 bytes (512 + 74 bytes of TLS overhead). A perimeter filter running a simple exponential moving average (τ ← ατ + (1−α)1ₗ₌₅₈₆, α=0.1, T=0.4) identifies Tor flows within a few dozen packets; this attack succeeds at backbone rates of ~540,000 packets/second on commodity hardware. Obfsproxy does not alter packet sizes or timings and therefore does not defeat this classifier.

2012-weinberg-stegotorus §5.1, Figure 3 detection

StegoTorus distributes a fixed set of packet traces and HTTP covertext databases with the software, but allows users to record their own; classifiers trained on the distributed covertext will not generalize to user-generated databases. The paper further notes that reusing a small number of traces repeatedly creates a statistical fingerprint because censors can learn conversation patterns from packet sizes and timings alone, implying that trace diversity must be maintained over time.

2012-weinberg-stegotorus §4.1.1, §5.2 defense

Even with end-to-end encrypted messages, a censor observing subscription queries can detect anomalous interest in a short tag (e.g., a sudden domestic surge in followers of a foreign pop star's hashtag) and use timing/size traffic analysis to distinguish #h00t subscriptions from ordinary hashtag follows. The paper flags this as an open threat and proposes two mitigations: (1) push cover traffic for randomly selected short tags to all clients regardless of their actual subscriptions, or (2) silently redirect normal clients' hashtag follows to the corresponding #h00t short tags.

2011-bachrach-h00t §6.1 detection

A passive observer of BridgeSPA traffic sees only a TCP connection timeout on failed authorization or a successful TLS connection on success—exactly what they would observe with an unmodified Tor bridge. The ConnectionTag is indistinguishable from the normally-random ISN and timestamp fields in Linux 2.6, so no new observable artifact is introduced. However, BridgeSPA does not address the separate problem that Tor traffic itself remains fingerprint-distinguishable from HTTPS; this is an orthogonal concern.

2011-smits-bridgespa §4, §6.2.1 defense

Measured over 5,000 SYN/SYN-ACK pairs on a shared physical network hub—the best-case vantage for an adversary—BridgeSPA's DoorKeeper adds a mean latency of approximately 90 µs (280±20 µs baseline vs. 370±80 µs with BridgeSPA). This overhead is consistent with prior SilentKnock analysis concluding that an adversary would need hundreds of observed connections before gaining statistical advantage in distinguishing SPA-protected hosts from dynamic-firewall behavior.

2011-smits-bridgespa §6.2, Table 3 evaluation

Dust defeats DPI fingerprinting by constructing all packets from entirely encrypted or single-use random bytes (defeating static string matching), appending a random number of random padding bytes to every packet (defeating length matching), and permitting a complete client–server conversation to be encoded in a single UDP or TCP packet (defeating timing analysis for sufficiently small payloads).

2011-wiley-dust §3, §3 Discussion defense

BitTorrent's Message Stream Encryption (MSE), despite omitting static strings from the handshake, can be identified with 96% accuracy using packet-size analysis and direction-of-packet-flow; MSE also uses a cleartext Diffie-Hellman key exchange, leaving an additional fingerprint surface.

2011-wiley-dust §2.2 detection

The obfuscated-openssh handshake encrypts SSH with a key derived from an iterated-hash PBKDF whose slowness was intended to prevent real-time censor analysis; Wiley argues this defense fails because modern censors use statistical packet sampling with offline processing, and the slow key generation itself introduces a timing side-channel detectable from the inter-packet delay between the first and second packets.

2011-wiley-dust §2.2 detection

Censors responding to encryption-based circumvention have two escalation options: block all encrypted connections outright, or identify the underlying protocol via traffic signatures that persist even inside encrypted tunnels. The paper frames these as the two dominant censor responses to DPI being defeated by encryption.

2011-wright-fine-grained §3 detection

The paper identifies two unresolved fingerprinting surfaces: (1) traffic-shape analysis of packet sizes and inter-arrival times could distinguish Telex flows from normal TLS, and (2) the prototype exhibits detectable deviations from real servers at the IP layer (stale IP ID fields), TCP layer (incorrect congestion windows detectable by early acknowledgements), and TLS layer (different compression methods and cipher-suite extensions). Convincingly mimicking a diverse population of TCP/TLS server implementations is flagged as requiring substantial engineering effort.

2011-wustrow-telex §9 detection

Collage's threat model identifies the censor's two most dangerous capabilities as: (1) aggregate traffic-flow analysis (e.g., NetFlow statistics) to detect anomalous access patterns to specific content hosts, and (2) joining the system as a sender or receiver to discover content locations and mount denial-of-service or deniability attacks. The censor is assumed to monitor all egress traffic but is modeled as computationally limited against joint statistical distributions across arbitrary user pairs.

2010-burnett-chipping §3.1 detection

The paper demonstrates that no single steganographic algorithm can provide both availability and deniability, since almost all production algorithms have been broken and steganography alone does not hide the identities of communicating parties. Collage addresses this by treating the embedding algorithm as a swappable component in a layered architecture—vector layer, message layer, application layer—so that compromise of the embedding scheme does not compromise the system, and stronger algorithms (e.g., digital watermarking) can be substituted as they mature.

2010-burnett-chipping §4.1, §2 defense

Production steganography tools achieve encoding rates of 0.01–0.05 (fraction of cover-medium bytes available for hidden data), yielding 20–100× increases in storage, traffic, and transfer time relative to the raw message. A 23 KB one-day news summary requires approximately 9 JPEG photos (~3 KB data per photo plus encoding overhead) and takes under 1 minute to retrieve over a fast connection; over an unreliable broadband wireless link the same message was received in under 5 minutes with sender time under 1 minute.

2010-burnett-chipping §5, Figure 5 evaluation

Global anonymity is maximized when the anonymity set is large and behavior is uniformly distributed: 'global anonymity is maximal iff all subjects within the anonymity set are equally likely.' Strong global anonymity does not protect individual 'likely suspects' — even in a strong-anonymity system, one user with distinctive behavior may have weak individual anonymity. Strong or even maximal global anonymity does not imply strong anonymity of each particular subject.

2010-pfitzmann-terminology §3 defense

Adding dummy traffic to any anonymity mechanism yields the corresponding kind of unobservability: 'A mechanism to achieve some kind of anonymity appropriately combined with dummy traffic yields the corresponding kind of unobservability.' DC-nets achieve sender anonymity and MIX-nets achieve relationship anonymity; with dummy traffic both achieve the corresponding sender and relationship unobservability respectively.

2010-pfitzmann-terminology §8 defense

The paper establishes a strict property hierarchy: unobservability ⇒ anonymity, and sender/recipient anonymity ⇒ relationship anonymity. Unobservability is strictly stronger than anonymity because it additionally requires undetectability against all uninvolved subjects — the IOI's very existence must be hidden — while anonymity only hides the subject's relationship to the IOI.

2010-pfitzmann-terminology §7 defense

Website fingerprinting attacks that match file sizes and access patterns against a database of known sites remain applicable to SkyF2F, but are limited to the granularity of 512-byte fixed-size stream cells, since streams are multiplexed within a single tunnel circuit. The authors note this is less effective than against SafeWeb, where full request/response sizes are directly observable.

2009-cao-skyf2f §V.A detection

A censor hosting Skype supernodes can perform passive traffic-flow analysis on relayed streams even without breaking encryption, since supernode-relayed conversations expose traffic metadata. However, with thousands of supernodes in the Skype network, the probability that any censor-controlled supernode relays a specific SkyF2F tunnel is low, making large-scale correlation high-cost.

2009-cao-skyf2f §V.A detection

A circuit-clogging attack against bridge operators—using median-normalized latency correlations—achieved an AUC of 0.884 and an equal error rate of 0.2 when distinguishing the victim bridge from innocent bridges in PlanetLab experiments with 180 victim and 180 disjoint runs. With 10 repeated clogging experiments and a majority-vote threshold, the false positive (and false negative) rate drops below 0.033, confirming a bridge operator's identity with high confidence given a candidate set of ≤4.4 bridges from the winnowing stage.

2009-mclachlan-risks §3.4 detection

Cross-referencing the online/offline status of 87 monitored bridges against 186,935 Wikipedia users' edit sessions showed that 95.7% of users with 50 or more sessions matched zero bridges after winnowing. For users with 180 or more sessions (a surrogate for long-term pseudonymous activity), only 89 false positives remained among 2,329 users—a false positive rate of 0.000439—meaning that even if 10,000 Tor clients volunteer to bridge, on average only 4.4 bridges remain after the winnowing stage.

2009-mclachlan-risks §3.3 detection

Tor encrypts payload but does not obscure traffic volume, leaving a residual publisher-vs-reader asymmetry: a user publishing a home video generates a markedly different upload/download ratio than one reading news. The paper also notes that website fingerprinting attacks — where the adversary pre-downloads hundreds of popular sites and matches traffic patterns to a Tor client's stream — remain possible even through bridge circuits, and are exacerbated by Tor's varying supported protocols (web vs. IM produce different timing signatures).

2006-dingledine-design §8.2 detection

The paper presents a systematic taxonomy of blocking criteria across ISO/OSI layers: circumstance-based (addresses including sender/receiver/kind/physical location; timing including send time, receive time, duration, frequency; data-transfer properties; services including protocols, names, addresses) and content-based (file type/MIME, statistical detection of encrypted or compressed data, pattern matching for keywords or phrases, and website fingerprinting via request-count/byte-volume signatures).

2004-k-psell-achieve §4, Appendix A defense

For a secure steganographic system the embedding ratio is at least 1:10, meaning 1 MB of web content requires 10 MB of transmitted cover data; for a system robust against active attacks (e.g., StirMark bilinear distortions) the ratio is probably 1:100. A censor need not break the steganographic algorithm with high accuracy — suspicion alone is sufficient, since the censor can probe suspected nodes directly by acting as a blockee.

2004-k-psell-achieve §5.1 evaluation

The protocol between blockee and volunteer forwarder is designed to be transport-layer independent from the outset, allowing substitution of plain TCP with SSL tunnels, SMTP, or steganographic channels as the censor escalates detection. The system is intentionally deployed in a weak initial form to observe how quickly and in what manner the censor adapts, then hardened iteratively based on measured censor behavior.

2004-k-psell-achieve §6.2 defense

An attacker can conduct stealth port scans against a victim without revealing their own IP by exploiting a 'patsy' host whose OS uses a globally incrementing IP Identifier: the attacker observes ID increments of 2 (rather than 1) in the patsy's traffic when the victim sends a RST to the patsy in response to a spoofed SYN, revealing open ports. Choosing a different patsy for each port makes the scan very hard to detect.

2001-handley-network §5.1 detection

Publius provides source anonymity once content is published but offers no connection-based anonymity at upload time. A network-layer eavesdropper between the publisher and the servers, or a server's connection log, can reveal the publisher's IP address. The paper explicitly states that Publius must be combined with a mix-network or crowd-anonymity tool (e.g., Crowds, Onion Routing) to protect publisher identity during the upload phase.

2000-waldman-publius §5.4 evaluation