The proliferation of global censorship has led to the development of a plethora of measurement platforms to monitor and expose it. Censorship of the domain name system (DNS) is a key mechanism used across different countries. It is currently detected by applying heuristics to samples of DNS queries and responses (probes) for specific destinations. These heuristics, however, are both platform-specific and have been found to be brittle when censors change their blocking behavior, necessitating a more reliable automated process for detecting censorship. In this paper, we explore how machine learning (ML) models can (1) help streamline the detection process, (2) improve the potential of using large-scale datasets for censorship detection, and (3) discover new censorship instances and blocking signatures missed by existing heuristic methods. Our study shows that supervised models, trained using expert-derived labels on instances of known anomalies and possible censorship, can learn the detection heuristics employed by different measurement platforms. More crucially, we find that unsupervised models, trained solely on uncensored instances, can identify new instances and variations of censorship missed by existing heuristics. Moreover, both methods demonstrate the capability to uncover a substantial number of new DNS blocking signatures, i.e., injected fake IP addresses overlooked by existing heuristics. These results are underpinned by an important methodological finding: comparing the outputs of models trained using the same probes but with labels arising from independent processes allows us to more reliably detect cases of censorship in the absence of ground-truth labels of censorship.