The understanding of realistic censorship threats enables the development of more resilient censorship circumvention systems, which are vitally important for advancing human rights and fundamental freedoms. The state-of-the-art method for detecting circumventing flows in Tor is overwhelmed with false positives (\textgreater94%) when considering even conservatively high base rates (10^β3) and protocol distributions. In this paper, we present a new methodology for detecting censorship circumvention in which a deep-learning flow-based classifier is augmented with a novel host-based detection strategy that incorporates information from multiple flows over time. Using over 60M real-world network flows to over 600k destinations, we demonstrate how our detection methods become more precise as they temporally accumulate information, allowing us to detect Tor circumvention servers with perfect recall and no false positives. Our evaluation considers a range of circumventing flow base rates spanning six orders of magnitude and real-world protocol distributions, yielding important insights for the future design and evaluation of censorship circumvention systems.
@inproceedings{wails_precisely_2024,
title = {On {Precisely} {Detecting} {Censorship} {Circumvention} in {Real}-{World} {Networks}},
booktitle = {Network and {Distributed} {System} {Security} {Symposium} ({NDSS})},
author = {Wails, Ryan and Sullivan, George Arnold and Sherr, Micah and Jansen, Rob},
year = {2024}
}