The paper acknowledges that modern blind steganalysis tools combining first- and second-order statistical classifiers (e.g., SVM-based universal steganalysis) are likely capable of detecting TRIST-embedded images, though this was not experimentally verified. The authors note these attacks rely on large feature vectors and are computationally more expensive than histogram or blockiness attacks, but do not claim invulnerability.

TRIST evades the self-calibrated blockiness detector — proven effective against OutGuess — by embedding at JPEG quality 30 and then transcoding the steg image up to quality 90 before transmission. This renders the blockiness-based message length estimator unreliable across the full range of message lengths from 0 to approximately 39 KB, as shown over 20 cover images from the BOSS dataset.

§7 defense

By embedding messages in heavily quantized DCT frequency components at base JPEG quality 30, TRIST achieves near-zero bit error rates when images are transcoded to higher quality levels and back. The quantization mapping is many-to-one, so noise introduced by re-encoding tends to be stabilized on output, making the message robust against commodity transcoding proxies that re-encode images in-flight.

§4–§5 defense

Using low DCT frequency components (indices 10, 9, 8, 3) at JPEG quality 30 achieves near-zero message error rates for image rescaling in the 75–95% range across a wide range of sharpening sigma values. Higher-frequency component sets (indices 18, 17, 16, 10) only survive rescaling above 100%, making them unsuitable for scenarios where censors reduce image dimensions.

§5 defense

TRIST integrated with StegoTorus as a one-hop SOCKS proxy introduces minimal additional bandwidth overhead: JPEG steganography throughput falls between StegoTorus's PDF and JSON schemes across link delays of 20–400 ms and 1–4 parallel circuits. The steganographic expansion factor is 1:6 to 1:12 (message bytes to cover JPEG file length), adequate for basic web surfing.

§6 evaluation

Stage 1 of the detection pipeline uses a lightweight heuristic: restrict analysis to IP addresses in "VPS-dense ASNs," which censors already target for resource-intensive inspection of fully-encrypted traffic. This pre-filter dramatically reduces the search space before applying the more expensive dual-role behavioral analysis. The evaluation was conducted without Stages 1 and 3 due to dataset limitations, meaning the reported 23% recall and 0.18% FPR are conservative lower bounds on the full pipeline's performance.

2026-almutairi-server §2.1, §2.2, §3.4 fully-encrypted-detectdpiml-classifier

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 traffic-shapeml-classifier

Balboa's synchronous leaf-content replacement adds non-negligible timing differences that allow censors to identify its activity with up to ~90% accuracy over different network conditions. The timing anomaly arises because Balboa performs data substitution directly at each data exchange, delaying the server's response while covert data is prepared.

2026-kamali-huma §I (Introduction), §II-A traffic-shapeml-classifier

Without chunk-based padding, an XGBoost classifier identifies the target website from covert data-chunk sizes with 91% accuracy (Tranco top-100). Chunking at 2 MB reduces accuracy to 12% at a 21.3% bandwidth overhead, while 16 MB chunks reduce accuracy to near random guessing at a 480.3% overhead. Chunks as small as 64 KB already reduce accuracy to 64%, demonstrating a monotonic fingerprinting–overhead tradeoff.

2026-kamali-huma §V-C, Figure 4 website-fingerprintml-classifier

Huma's deferred-reply / double-request receive (DRR) protocol reduces a traffic-fingerprinting XGBoost classifier's accuracy to at most 54% (near random guessing) across geographically distributed clients (San Francisco, Frankfurt, Bangalore). A Kolmogorov-Smirnov test on absolute page-load timing distributions yields D=0.03, p=0.98 for U.S. clients — substantially tighter than Waterfall of Liberty's D=0.11 at p=0.5 — confirming that Huma flows are statistically indistinguishable from benign HTTPS fetches.

2026-kamali-huma §V-D, Table II traffic-shapeml-classifier

When the researchers attempted to use Gemini 2.5 Flash as a third independent LLM judge via its API for evaluating moderation decisions, Gemini automatically blocked all judging attempts citing safety reasons. This occurred even though the research task (judging whether a response is more or less moderated) does not itself produce harmful content. The incident illustrates that LLM safety systems can over-block legitimate research use cases, and that different LLM providers have different thresholds— Claude Haiku 4.5 and GPT-4o completed all judging tasks without safety refusals.

2026-lipphardt-dual §3.3.3 ml-classifierkeyword-filtering