Tornettools-based simulations with a 1%-scaled Tor network show that with 1 adversary-controlled exit relay (148 Mbps), the exit-observation probability pexit ≈ 2.13%; with 5 adversary-controlled relays, pexit exceeds 10%. Tor's bandwidth-weighted path selection means high-bandwidth malicious exits attract a disproportionate share of circuits, and repeated observations over multiple circuits compound correlation risk multiplicatively even at modest relay counts.

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

§IV, §VI.D, Table III detection

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

§VI-D, Table III–IV detection

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

§VI-D, Table III, Table V evaluation

Active bandwidth perturbation has an inherent detectability–stability trade-off: overly aggressive low-rate phases cause Tor SENDME-based flow control stalls, retransmissions, timeouts, or circuit replacement before sufficient correlation evidence is collected. The paper selects a 30-second modulation period and an empirically determined minimum shaping rate; the usable shaping range varies with relay load, path length, TCP congestion control behavior, and Tor multiplexing.

§VII-A detection

Using a 1%-scaled tornettools simulation with historical Tor consensus data, a single adversary-controlled exit relay at 148 Mbps yields an exit-observation probability of approximately 2.13%; deploying 5 adversary-controlled exit relays pushes observation probability above 10%. The aggregation effect is concave — repeated observations across T independent windows compound via 1 − (1 − Pcorr)^T.

§VI-A evaluation

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

§VI-D, Table V detection

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

§VI.D.2, Table V evaluation

NATA requires no endpoint compromise, no Tor-browser modification, and no payload decryption; it operates solely from (1) an upstream gateway controlling Tor TCP connections via standard Linux tc/wondershaper rate-limiting and (2) one or more adversary-controlled exit relays passively recording packet traces. The shaper identifies Tor connections using flow-level metadata (client IP, relay IP, port, transport protocol), meaning the adversary needs only ISP or AS-level vantage, not host-level access.

§III-A, §IV-A detection

NATA (Non-invasive Active Traffic-correlation Analysis) requires no endpoint compromise, no Tor-browser modification, and no payload decryption. The adversary controls only an upstream network gateway (ISP/AS level) to impose bandwidth modulation on Tor TCP connections, and observes traffic at adversary-controlled exit relays — a Shaper–Sniffer architecture that operates purely at the network-infrastructure layer.

§III-A detection

Padding-based client-side defenses including WTF-PAD and Walkie-Talkie are insufficient against active bandwidth perturbation: they reshape packet timing and burst structure but cannot remove the upstream rate limit imposed by the gateway shaper. BM-Net trained on a defense-aware dataset containing both undefended and WTF-PAD/Walkie-Talkie traces still achieves 99.65% F1, and the paper explicitly notes that 'client-side padding and burst reshaping may alter the logical traffic pattern, but they do not directly remove the rate limit imposed by the upstream bottleneck.'

§VI.E.2, §VII detection

Client-side padding defenses (WTF-PAD and Walkie-Talkie) do not remove active bandwidth watermarks because they operate on packet timing and burst-level structure, not on the upstream rate limit; BM-Net still achieves 99.65% binary detection F1 on a mixed dataset containing both defended and undefended traces. The upstream shaper's rate constraint causes delayed, queued, or dropped packets whose throughput envelope persists at the exit relay regardless of application-layer obfuscation.

§VI-E, §VII-A detection

Using tornettools-based simulations with historical Tor consensus data scaled to 1% of the real network (80 relays), the adversary's exit-observation probability p̂exit grows monotonically with adversary-controlled bandwidth: a single exit relay at 148 Mbps yields p̂exit ≈ 2.13%, and 5 adversary-controlled exit relays push p̂exit above 10%.

§V.B, §VI.A evaluation

An infrastructure-level adversary must balance watermark detectability against connection stability: the paper's threat model requires a minimum shaping rate rmin to prevent Tor circuit stalls, timeouts, or circuit replacement, and notes that repeated poor-throughput events can cause the circuit to be abandoned before sufficient watermark evidence is accumulated. This detectability–stability trade-off constrains the practical attack to macroscopic (30-second) modulation periods rather than fine-grained packet-level timing manipulation.

§III.A, §VII.A detection

WTF-PAD and Walkie-Talkie client-side defenses — which operate on packet timing, padding, and burst-level structure — do not remove the throughput constraint imposed by an upstream rate limiter. When the shaping rate decreases, excess traffic is delayed, queued, or dropped; exit-side throughput retains the imposed modulation waveform. BM-Net was trained and evaluated on a dataset that includes both undefended and WTF-PAD/Walkie-Talkie-defended traces, confirming detection persists under this mixed condition.

§VI-E.2 detection

A three-stage detection pipeline exploiting the "dual-role" behavioral fingerprint of single-IP circumvention relays achieved 23.2% recall (96/414 ground-truth relays) with a 0.18% false-positive rate against 97,651 benign TLS servers, for an overall accuracy of 99.5%. The ground-truth set covered OpenVPN, WireGuard, and SOCKS relays identified in a 17 TB single-day backbone trace (WIDE Project, April 9, 2025).

2026-almutairi-server §3.4, Table 1 traffic-shapedpiflow-correlation

Multi-censor simulations show that single-censor-optimized distribution strategies perform suboptimally in realistic multi-region deployments. When two networks have different censor strategies (e.g., one optimal, one zig-zag), the distributor cannot detect that a proxy is blocked until all censors have blocked it; this leaves clients without reachable proxies despite the proxy appearing "available" from the distributor's view. The authors conclude that "single-censor evaluation does not accurately predict more realistic deployment performance." A zig-zag censor in one region with 0.25 weight caused 44.4% collateral damage while reducing proxy lifetime to a median of 4 steps.

2026-fares-game §6, Table 4 traffic-shapeflow-correlation

The zig-zag traffic analysis attack (confirmed supported in Geedge TSG leak) rapidly enumerates all static proxy pools. With ζ_watch ∈ {4, 6} steps and a best-quality classifier (ρ_TP=0.99, ρ_FP=0.001), almost total proxy enumeration and user blockage occurs well before step 300. Even ζ_watch=2 leaves ~50% of users blocked. Collateral damage is high across all settings when ζ_watch ≥ 4: eventually ~50% of innocent servers are also blocked. However, Snowflake-style ephemeral proxies resist zig-zag effectively: reachability remains above 95% after 360 steps because churn prevents the censor from expanding its known proxy set beyond agents' direct assignments.

2026-fares-game §5.1, Fig 3, Fig 4 traffic-shapeflow-correlation

Automated proxy engines (e.g., Xray-core running VLESS Reality in automated mode) generate deterministically rigid inter-arrival time distributions because they cannot synthesize the stochastic variance of human-driven IAT, even when volumetrically anchored to benign distributions ('Fat Middle' anchoring via AMOI). The AEGIS Thermodynamic Variance Detector identifies this rigidity via Shannon Entropy of hidden states across 1,000-packet causal windows, rendering volumetric anchoring mathematically distinguishable from genuine human traffic.

2026-ferrel-aegis-adversarial-entropy-guided §III-E, §V-B ml-classifiertraffic-shapeflow-correlation

At operationally realistic base rates—1 million connection pairs per hour with only 10 true stepping-stone chains—a detector with a 1% FPR generates approximately 10,000 false alarms per hour while correctly flagging all 10 intrusions, making classical statistical methods (which cannot reach FPR ≪ 10⁻²) operationally unusable; deep learning methods must target FPR ≤ 10⁻³ to be viable.

2026-mathews-tracing-chain-deep §I flow-correlationml-classifier

ESPRESSO achieves only TPR 0.132 at FPR ≤ 10⁻³ in network-mode for DNS-tunneled traffic—near chance—compared to TPR 0.992 for SSH traffic at the same threshold. The paper attributes this to the polling-based communication mechanism of dnscat2, which disrupts the timing patterns that interval-based flow correlation relies on.

2026-mathews-tracing-chain-deep §V-B, Table III flow-correlationtraffic-shape