FreeUp achieves 86.68% AUC on CIC-IoT2023, 85.44% AUC on DoHBrw2020 (malicious DNS-over-HTTPS tunneling), and 95.53% AUC / 93.22% F1 on ISCX-Tor2016 (Tor anonymous traffic), outperforming all nine baselines by more than 3% AUC on the first two datasets. The ISCX-Tor2016 result demonstrates that frequency-decoupled ML classifiers can detect Tor-like anonymous traffic with high confidence under zero-positive (unsupervised) training.

FreeUp's dual-branch architecture requires only 0.73G MACs and 6.46M parameters at inference — comparable to or lower than simpler baselines (MFR: 1.01G MACs / 11.18M params; ARCADE: 0.82G MACs / 6.70M params) — while achieving substantially higher detection accuracy. The two branches can be deployed in parallel with minimal memory usage, making frequency-decoupled ML detection computationally practical for real-time network monitoring at scale.

§V-F, Table IV evaluation

Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.

§II detection

Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.

§V-C, Table II detection

FreeUp operates under a zero-positive (unsupervised) learning paradigm — trained exclusively on normal traffic with no labeled anomaly examples — yet achieves 95.53% AUC on Tor traffic and 85.44% AUC on DNS-over-HTTPS tunneling detection. This demonstrates that frequency-aware anomaly detectors generalize to novel circumvention protocols without requiring any labeled attack data, eliminating the labeling bottleneck that previously limited ML-based censorship detection.

§III, §V-B detection

NATA (Non-invasive Active Traffic-correlation Analysis) injects low-frequency bandwidth waveforms (sinusoidal, square-wave, triangular) into Tor TCP connections at an upstream gateway without endpoint compromise, payload decryption, or Tor-browser modification. BM-Net, a selective state-space classifier trained on the exit-side observations, achieves a 99.65% binary detection F1 score distinguishing watermarked from natural traffic on a 20,000-trace real-world dataset.

2026-fan-activeflowmark-assessing-tor §IV, §VI.D, Table III flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score for distinguishing bandwidth-watermarked Tor flows from natural traffic, outperforming all evaluated baselines (next best: TikTok at 75.96% F1). The accuracy gap stems from active perturbation imposing a deterministic low-frequency throughput constraint rather than relying on subtle natural metadata, making the detection task fundamentally easier than passive website fingerprinting.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III–IV flow-correlationtraffic-shapeml-classifier

BM-Net achieves a 99.65% binary detection F1 score distinguishing watermarked from natural Tor flows, and a 97.5% macro-F1 score for fine-grained modulation classification across sinusoidal, square-wave, and triangular patterns. The fine-grained test set contains 201 held-out samples collected from ten clients across five geographic regions (Europe, North America, Australia, Southeast Asia, East Asia), with training traces including traffic collected under WTF-PAD and Walkie-Talkie defenses.

2026-fan-activeflowmark-assessing-tor §VI-D, Table III, Table V flow-correlationml-classifiertraffic-shape

BM-Net achieves a 97.5% macro-F1 score for fine-grained classification of three modulation geometries (sinusoidal, square-wave, triangular) from noisy exit-side Tor observations using only 201 labeled test samples collected across cross-continental Tor paths. Residual errors concentrate between natural traffic and square-wave modulation, as abrupt low-rate transitions are partially smoothed by Tor multiplexing and network jitter.

2026-fan-activeflowmark-assessing-tor §VI-D, Table V flow-correlationml-classifiertraffic-shape

Fine-grained modulation classification (natural vs. sinusoidal vs. square-wave vs. triangular) achieves 97.5% macro-F1 on a 201-sample held-out test set. Square-wave waveforms are the hardest class (F1 = 95.7%), while sinusoidal and triangular each reach 99.0% F1, because abrupt square-wave transitions are partially smoothed by Tor multiplexing and network dynamics.

2026-fan-activeflowmark-assessing-tor §VI.D.2, Table V flow-correlationtraffic-shapeml-classifier

The host-profiling censor (passive traffic analysis: count connections per server, block those exceeding a threshold τ within a window w) blocks essentially all circumvention user traffic within 30 time steps for all classifier qualities tested (ρ_TP ∈ {0.9, 0.95, 0.99}), while causing far less collateral damage than zig-zag (never exceeding ~30% innocent server blocking). Snowflake resists this attack well: with w=3, τ=3, over 94.48% of users receive a proxy within 2 steps even with worst-classifier rules, and final unblocked server rates are 91.24–99.04%. The host profiling approach is feasible for passive censors who cannot enumerate the distribution channel.

2026-fares-game §5.2, Table 2, Table 3 traffic-shapeml-classifier