AI and ML in VPN detection: what works, what's hype
“AI-powered” is on every IP-intelligence landing page this year. Some of those claims describe real machine learning; most describe ordinary signature matching, ASN classification, and hand-tuned weights with a marketing layer. This guide separates the categories, points at the published research worth reading, and explains why IPLogs ships a deterministic weighted pipeline rather than a trained model.
What people actually mean by “AI” in this space
Four different things hide under the same label:
- Signature matching. JA3/JA4 fingerprint hashes against a known database. Useful, not AI. The technique is decades old. The hash is computed from fixed fields in the TLS ClientHello; there is no model to train.
- Hand-tuned weighted scoring. A set of signals — provider-list match, ASN class, active probe, threat-intel hit — combined with weights an engineer chose. IPLogs sits here. Verdicts are deterministic and auditable.
- Statistical heuristics. Algorithms like the SNITCH paper's TCP-vs-TLS RTT differential. Mathematical models with published thresholds from peer-reviewed research, not models trained on a labelled corpus. The line between “heuristic” and “ML” is fuzzy, but transparency is the test — if you can explain the model in a paper, it isn't a black box.
- Trained classifiers. A model that learned its weights from a labelled corpus, typically a gradient-boosted tree or a small neural net over behavioural features. This is the only category that honestly deserves the “ML” label. A few vendors ship this well; many ship it badly and don't publish error rates against any independent benchmark.
Where ML actually helps
Trained classifiers earn their place when the relationship between input and answer is too noisy to capture with hand-written weights. Three honest examples:
- Behavioural velocity scoring. Per-account request rate, geographical jumps per session, ratio of failed-to-successful login attempts. The features interact non-linearly and the right thresholds vary by product. A gradient-boosted tree over a labelled corpus typically beats a hand-tuned rule set here.
- Behavioural residential-proxy detection. The IP-layer signals for a residential proxy and a real consumer are identical. Telling them apart requires session-level patterns — concurrent country jumps for the same account, IP-velocity, session-fingerprint mismatch. That's ML territory, and the vendors investing in it are real.
- Anomaly detection on traffic patterns. CDN-scale providers train models that flag unusual access patterns against a baseline of normal traffic. Useful, but hard to do correctly outside the data-volume bracket of large CDNs.
Where ML hurts: the black-box-score problem
An ML model that returns a single score with no per-signal provenance creates a real product problem. When your fraud team blocks a customer because “the model said so,” they cannot tell whether the cause was a CGNAT collision, an Apple Private Relay miss, a residential proxy on a neighbour's router, or a real fraud signal. The customer cannot dispute usefully and your operator cannot triage. The same critique applies to opaque IP-reputation scores — a number is not a decision, and a decision without a reason is hard to defend.
Why IPLogs uses deterministic weighted signals
IPLogs ships a multi-source pipeline with hand-tuned weights:
| Approach | Auditable per verdict | Drift over time | Published error rate |
|---|---|---|---|
| Black-box ML score | No | Yes, hard to detect | Usually no |
| Transparent ML with feature importance | Partial | Yes, slower | Sometimes |
| Deterministic weighted signals (IPLogs) | Yes, per-signal provenance | Only when weights change, which is a deliberate PR | Yes — /accuracy |
The trade-off is real. A trained classifier can capture interactions that hand-written weights cannot, particularly once you add behavioural signals at session granularity. The counter-argument is that an IP-level detector with published weights and a published false-positive rate is auditable; a trained classifier with no per-decision explanation is not. Where the right balance sits is product-specific. IPLogs chooses the auditable end because consumers of the API are also engineers who need to defend the decisions to their own users.
Cited research worth reading directly
- SNITCH (NDSS 2025) — TCP vs TLS RTT differential. Background reading on the timing-based detection that IPLogs integrates. Verify any specific claim against the published paper before treating it as fact.
- JA3 and JA4 fingerprint specifications. JA3 was originally published by Salesforce engineering; JA4 is the newer FoxIO format with a richer hash. Read the specs, not vendor blog posts about them.
- Anti-censorship protocol papers. The IPLogs blog covers REALITY, Xray, and AmneziaWG at the implementation level. The underlying protocol papers are the right primary source if you're building detection for them.
FAQ
Does IPLogs use a machine-learning model?
No. IPLogs ships a deterministic, weighted multi-source pipeline. Each signal (provider list match, ASN classification, active protocol probe, RTT, JA3/JA4 fingerprint match) has a documented weight; the verdict is the weighted sum mapped to a bucket. There is no trained classifier in the loop. That's a deliberate choice for auditability — every verdict can be traced back to specific signals, not to a black-box score.
Are JA3 and JA4 fingerprints 'AI'?
No. JA3 and JA4 are deterministic hashes of fields in the TLS ClientHello. Matching a fingerprint against a known database is signature matching, the same family of technique as antivirus has used for decades. Calling fingerprint matching 'AI' is marketing inflation. The technique is useful; the label is a stretch.
When is ML actually useful in IP intelligence?
Where the relationship between input features and the answer is too noisy to capture with hand-written weights — for example, behavioural-velocity scoring that combines per-IP request rates, geographical jumps per user, and account-takeover signals over time. A few vendors do this well. Many ship a black-box score and call the marketing AI.
Why does transparency matter for AI in detection?
Because the user being flagged has no way to dispute a black-box score. If your fraud team blocks a customer because 'the model said so', you cannot tell whether the cause was a CGNAT collision, an Apple Private Relay mistake, or a real fraud signal. A multi-signal verdict with per-signal provenance lets the team triage; a single ML score does not.
What public research is worth reading on detection accuracy?
The SNITCH paper at NDSS 2025 (Section 5 covers the TCP-vs-TLS RTT differential used to detect middle-box relays). It's worth verifying any specific claim against the published paper before relying on it. JA3 and JA4 have their own published specifications worth reading directly. Beyond that, vendor blog posts about 'AI' tend to be marketing; published research is the only reliable signal.
See the accuracy benchmark for IPLogs' published false-positive rate, the JA3/JA4 glossary entry for the fingerprint primer, and the related blog post JA3 / JA4 TLS fingerprinting explained.