Because traffic splitting is not ubiquitous network behavior, split PT traffic may appear anomalous to a censor, allowing them to distinguish normal PT use from split PT use even without classifying the underlying protocol. The authors flag this as a key open risk to be evaluated empirically and note that splitting across multiple bridges or multiple PT types may simultaneously raise and lower different detection signals.
From 2024-lorimer-extended — Extended Abstract: Traffic Splitting for Pluggable Transports
· §4.3
· 2024
· Free and Open Communications on the Internet
Implications
Evaluate split-traffic flows against anomaly-detection baselines (not just WF classifiers) before deploying: the split pattern itself may be a stronger signal than the per-path protocol fingerprint.
Consider cover-traffic normalization or mimicking multi-path TCP behaviors present in legitimate CDN traffic to reduce the anomaly signal introduced by splitting.