Evasion · Part 6 of 7·Anonymity Engineering·2026-05-03·9 min read·advanced

Traffic shaping for camouflage

How burst scheduling, half-duplex shaping, and target-traffic mimicry try to make tunnels look like something else.

The Track 4 padding module covered defenses that obscure the shape of encrypted traffic from passive observers. Track 6 returns to the same problem from the circumvention angle: how do circumvention transports actively shape their traffic to mimic benign traffic, defeating both passive classification and active probing? The shift in framing matters: padding hides what you're doing; camouflage tries to make you look like you're doing something else.

This module covers the design space: burst-scheduled transmission, half-duplex shaping, target-traffic mimicry (Walkie-Talkie's matched-page-load approach), and the operational realities of making one application's traffic look like another's. The thesis: shaping helps but doesn't solve the problem; behavioral and contextual mismatches survive even careful shape mimicry.

Prerequisites

padding-strategies-and-cover-traffic — the defensive padding side this module's offensive shaping mirrors.
encrypted-traffic-classification-with-ml — the ML classifiers that shaping defenses target.
traffic-analysis-fundamentals — for the attack-side knowledge motivating the shaping work.

Learning objectives

Distinguish defensive padding (hide your activity) from camouflage shaping (look like a different activity).
Describe burst-shaping, half-duplex shaping, and target-traffic mimicry as design families.
Identify what shaping defenses can and cannot disguise.
Evaluate the latency/bandwidth/effectiveness tradeoffs of major shaping schemes.

Defensive padding vs. camouflage shaping

The difference matters:

Defensive padding (Track 4): given that you have some traffic to send, hide its specific shape from observers. Make all your packets the same size; emit at constant rate; randomize timing. The observer learns less about what you're doing.

Camouflage shaping (this module): make your traffic look like a different activity. Specifically: make your circumvention traffic look like browsing, or like video streaming, or like a video call. The observer not only learns less about what you're doing — they're misled about what activity is happening at all.

The technical mechanisms overlap (both use padding, both manipulate timing) but the design goal differs. Defensive padding aims for indistinguishability among many possible activities; camouflage targets indistinguishability from one specific benign activity.

Burst-shaped transmission

A common shaping technique: instead of emitting packets as the application generates them, batch into bursts and emit at intervals. This produces a distinctive burst-shaped pattern that can be tuned to match a target activity's burst structure.

Example: web-browsing traffic has a characteristic burst pattern. Initial page load is one large burst (HTML + immediate resources), then smaller bursts for additional resources, then idle. A circumvention transport that buffers data and emits in similar burst patterns could be visually similar to browsing.

The cost: latency. Buffering for a 200ms window before emitting adds 200ms to each round trip. For interactive applications this is noticeable; for bulk transfer it's acceptable.

The benefit: the tunneled application's natural timing pattern (which might be very different from web browsing) is replaced with a target-shaped pattern.

Half-duplex shaping

Some target activities are essentially half-duplex — bursts go in one direction at a time. Web browsing is mostly request → response, with the response carrying most of the bytes. A tunnel that's full-duplex (continuous bidirectional traffic) doesn't match.

Half-duplex shaping artificially limits the tunnel to one direction at a time:

Buffer outbound data; only emit when inbound activity has settled.
Buffer inbound data; only deliver when outbound has been idle.
Insert artificial response cycles to maintain a request-response rhythm.

The cost: throughput halved (or worse — actually less than half, because of the directional switching overhead).

The benefit: traffic pattern matches a half-duplex target activity better.

For high-stakes camouflage (matching a specific browsing pattern), half-duplex shaping can substantially improve mimicry. For everyday use, the bandwidth cost is rarely justified.

Target-traffic mimicry: Walkie-Talkie

Walkie-Talkie (Wang et al., 2017) takes mimicry to its logical conclusion: instead of generic burst-shaping, choose a specific real webpage as the "target" and shape the traffic to match that page's load pattern exactly.

The mechanism:

Pre-select a set of "decoy" webpages with known load patterns.
For each circumvention session, pick one decoy.
Shape the circumvention traffic to match the decoy's exact burst structure: same packet sizes in same order, same inter-arrival timings, same total volume.
The classifier observing the circumvention traffic sees an exact match for the decoy page; concludes the user is loading that page.

The cost: substantial overhead (you have to send all the bytes the decoy would send, plus your real traffic gets crammed into that envelope), and significant latency (you have to wait for the decoy's natural pacing).

The benefit: against website-fingerprinting classifiers, Walkie-Talkie was demonstrated to dramatically reduce accuracy. The classifier was confidently misled.

The catch: Walkie-Talkie was demonstrated against specific classifiers; subsequent classifiers (Deep Fingerprinting in particular) defeated it by learning features that distinguished real-decoy-loads from Walkie-Talkie-shaped fakes. The arms race continues.

What shaping cannot fix

Even careful shaping leaves observable mismatches:

Behavioral context. Real users browsing have specific sequences: open page A, click link to page B, scroll, idle, click another link. A circumvention user shaping to look like browsing doesn't have this behavioral context — the "browsing" is fake. Observers tracking longer-term patterns can flag the difference.

Application semantics. Real browsing has timing tied to user actions (click → request, response received, idle while reading). A shaped tunnel doesn't have user-action timing; the "responses" come at scheduled intervals regardless of fake-user activity.

Cross-flow correlation. Real browsing produces correlated flows (load page → fetch CSS → fetch JS → fetch images, all from the same source within seconds). A single-flow circumvention tunnel doesn't have this multi-flow structure.

IP-level destination. No amount of shaping changes the destination IP. If the circumvention destination is a non-CDN single IP, that's observable regardless of traffic shape.

Protocol-level mismatch. A shaped tunnel that uses TCP can't perfectly mimic a video-call's UDP-based traffic. The L4 protocol choice constrains what targets are achievable.

The honest picture: shaping reduces the distinguishability of circumvention traffic from a specific target activity, but doesn't eliminate it. Sophisticated classifiers exploit the residual differences.

Cover-target comparison

Target activity	Easy to mimic	Hard to mimic	Best application
Web browsing	Burst pattern, request/response	Multi-flow context, click pattern	Bulk circumvention
Video streaming	Sustained high-bandwidth pattern	Adaptive bitrate behavior	Bulk circumvention
Video calling	Symmetric continuous traffic	UDP-based protocol details	Real-time circumvention
Software updates	Single-direction long downloads	Specific protocol patterns	Large file transfer
Online gaming	Low-latency small-packet bursts	Game-specific protocols	Real-time interactive

Choosing the right target depends on the user's actual activity profile. Bulk circumvention can mimic browsing or streaming; real-time circumvention needs targets with similar latency profiles. Picking the wrong target produces shape mismatch that's worse than not shaping at all.

Hands-on exercise

Burst-shaping scheduler pseudocode.

class BurstShapingScheduler:
    def __init__(self, target_pattern):
        # target_pattern is a sequence of (delay, byte_count) describing
        # the cover activity's natural traffic pattern.
        self.pattern = target_pattern
        self.buffer = bytearray()
        self.position = 0

    def application_data_arrives(self, data):
        self.buffer.extend(data)

    def scheduler_loop(self):
        while True:
            delay, bytes_to_emit = self.pattern[self.position]
            sleep(delay)

            if len(self.buffer) >= bytes_to_emit:
                emit(self.buffer[:bytes_to_emit])
                self.buffer = self.buffer[bytes_to_emit:]
            else:
                # Pad with random data to maintain the pattern
                emit(self.buffer + random_bytes(bytes_to_emit - len(self.buffer)))
                self.buffer = bytearray()

            self.position = (self.position + 1) % len(self.pattern)

The exercise: identify the latency and bandwidth costs.

Latency: each application packet waits for the next scheduled emit slot. Average wait = pattern delay / 2.
Bandwidth: the pattern emits the target's bytes regardless of real data; idle periods send dummies. Overhead depends on real-traffic-to-pattern-bytes ratio.

Cover-target comparison table.

Refer to the table above. For your own threat model, ask:

What's your real traffic shape? (Bursty browsing? Continuous streaming? Real-time?)
What activities are common on your network that could serve as cover? (HTTPS browsing is universal; video calling is common in many environments; gaming may not be common in restricted networks.)
What latency/bandwidth costs can you accept?

The right choice depends on combining your traffic profile with the available cover activities and the cost you can pay.

Common misconceptions and traps

"Shaping makes circumvention undetectable." It makes detection harder for specific classifiers. Behavioral, contextual, and protocol-level mismatches survive shape mimicry.

"Picking any benign target works." Wrong target makes things worse. A circumvention tunnel shaped to look like web browsing but with sustained high throughput sticks out as "browsing-shaped traffic with weird volume."

"Walkie-Talkie was the right answer." It was the right answer for the classifiers it was designed against (2017-era classifiers). Deep Fingerprinting (2018) defeated it. The arms race continues.

"Half-duplex shaping is always overkill." For high-stakes camouflage, the bandwidth cost may be justified. For everyday use, full-duplex with looser shaping is usually appropriate.

"Shaping doesn't help against active probing." Shaping affects passive classification; active probing still works on the protocol-state level. The two defenses are complementary.

Wrapping up

Traffic shaping for camouflage tries to make circumvention traffic look like a specific benign activity. Burst-shaping addresses gross flow patterns; half-duplex shaping mimics request-response activities; Walkie-Talkie-style mimicry targets specific decoy pages.

The cost is latency, bandwidth, or both. The benefit is reduced classifier accuracy against pattern-matching detection. The residual is significant: behavioral context, multi-flow patterns, and protocol-level mismatches survive shaping.

For circumvention designers, shaping is one defense layer among several. Combined with TLS camouflage (REALITY), volunteer-distributed bridges (Snowflake), and good operational practices, shaping contributes to a defense-in-depth strategy. Used alone, it's insufficient.

The next module (operational-anonymity-for-engineers — coming soon) is the capstone that ties everything together: how to operationalize the techniques covered across Tracks 1-6 into a survivable daily anonymity practice.