The proliferation of global censorship has led to the development of a plethora of measurement platforms to monitor and expose it. Censorship of the domain name system (DNS) is a key mechanism used across different countries. It is currently detected by applying heuristics to samples of DNS queries and responses (probes) for specific destinations. These heuristics, however, are both platform-specific and have been found to be brittle when censors change their blocking behavior, necessitating a more reliable automated process for detecting censorship. In this paper, we explore how machine learning (ML) models can (1) help streamline the detection process, (2) improve the usability of large-scale datasets for censorship detection, and (3) discover new censorship instances and blocking signatures missed by existing heuristic methods. Our study shows that supervised models, trained using expert-derived labels on instances of known anomalies and possible censorship, can learn the detection heuristics employed by different measurement platforms. More crucially, we find that unsupervised models, trained solely on uncensored instances, can identify new instances and variations of censorship missed by existing heuristics. Moreover, both methods demonstrate the capability to uncover a substantial number of new DNS blocking signatures, i.e., injected fake IP addresses overlooked by existing heuristics. These results are underpinned by an important methodological finding: comparing the outputs of models trained using the same probes but with labels arising from independent processes allows us to more reliably detect cases of censorship in the absence of ground-truth labels of censorship.

翻译：全球审查制度的扩散催生了大量监测与揭露审查行为的测量平台。域名系统（DNS）审查是不同国家采用的关键机制之一。目前，这一机制通过将启发式方法应用于特定目标DNS查询与响应（探测）样本来进行检测。然而，这些启发式方法不仅具有平台特异性，还发现当审查者改变其拦截行为时显得脆弱，因此需要更可靠的自动化审查检测流程。本文探讨了机器学习（ML）模型如何（1）优化检测流程，（2）提升大规模数据集在审查检测中的可用性，以及（3）发现现有启发式方法遗漏的新审查实例与拦截特征。研究表明，使用专家标注的已知异常与潜在审查实例标签训练的监督模型，能够学习不同测量平台采用的检测启发式方法。更重要的是，我们发现仅使用未受审查实例训练的无监督模型，能够识别现有启发式方法遗漏的新审查实例与变体。此外，两种方法均展现出发现大量新DNS拦截特征的能力，即现有启发式方法忽视的注入虚假IP地址。这些结果基于一项重要方法论发现：比较使用相同探测数据但由独立过程生成标签训练的模型输出，使我们能够在缺乏审查真实标签的情况下更可靠地检测审查案例。