The adversarial landscape has undergone a phase transition. Fraud toolkits are no longer crude scripts wielded by isolated actors — they are polished commercial products, sold via subscription, with documentation, customer support, and regular feature releases. This paper provides a formal taxonomy of evasion techniques and maps each to the specific Titan detection layer designed to neutralize it.
Threat Model
We define three adversary tiers based on capability and resources:
Tier 1: Script-Level Adversary
Uses off-the-shelf automation tools (Puppeteer, Playwright, Selenium) with minimal customization. Capable of basic header spoofing and cookie manipulation.
Tier 2: Toolkit Adversary
Employs commercial anti-detect browsers (Genesis, Multilogin, GoLogin) with full fingerprint management. Capable of canvas spoofing, WebGL masking, and residential proxy rotation.
Tier 3: State-Level / Organized Adversary
Operates custom browser forks, hardware farms, AI-driven behavioral mimicry, and SIM farms. Capable of defeating any single detection signal in isolation.
The critical insight: Tier 3 adversaries can defeat any individual signal, but defeating 26 independent signals simultaneously — each drawing on different physical modalities — is computationally and economically prohibitive.
Evasion Taxonomy
Category A: Browser-API Spoofing (12 techniques)
| ID | Technique | Titan Countermeasure |
|---|---|---|
| A-1 | User-Agent override | Cross-modality correlation (UA vs. GPU shader timing) |
| A-2 | Canvas noise injection | FFT spectral analysis detects non-natural noise distributions |
| A-3 | WebGL renderer masking | GPU shader timing validates claimed renderer |
| A-4 | AudioContext spoofing | DAC oscillator fingerprint (256-point spectral hash) |
| A-5 | Navigator property injection | WASM micro-architecture profiling contradicts claimed platform |
| A-6 | Screen resolution spoofing | CSS media-query side-channel cross-validation |
| A-7 | Timezone manipulation | Crystal oscillator drift reveals true clock source |
| A-8 | Language/locale spoofing | Font sub-pixel rendering analysis (locale-specific glyphs) |
| A-9 | Plugin enumeration blocking | Hardware acceleration detection via StealthToken |
| A-10 | Battery API masking | Inference from power-management timing characteristics |
| A-11 | Memory/CPU core spoofing | WASM ALU throughput reveals true core count |
| A-12 | Touch-event simulation | Behavioral-physics jerk-curvature deviation analysis |
Category B: Network-Layer Evasion (8 techniques)
| ID | Technique | Titan Countermeasure |
|---|---|---|
| B-1 | Residential proxy rotation | IP–device binding consistency (graph layer) |
| B-2 | VPN tunnel masking | WebRTC ICE candidate leak detection + timing analysis |
| B-3 | TOR exit-node rotation | Exit-node fingerprinting via threat intelligence feed |
| B-4 | DNS-over-HTTPS spoofing | DNS resolution timing analysis |
| B-5 | IP geolocation manipulation | Crystal oscillator temperature correlation (climate inference) |
| B-6 | ASN hop patterns | Velocity layer detects impossible geographic transitions |
| B-7 | CDN-bounced requests | Edge-PoP request-path analysis |
| B-8 | IPv6 rotation | /64 prefix stability analysis |
Category C: Behavioral Mimicry (9 techniques)
| ID | Technique | Titan Countermeasure |
|---|---|---|
| C-1 | Recorded mouse replay | Hurst exponent R/S analysis (H < 0.3 = synthetic) |
| C-2 | Synthetic keystroke timing | Shannon entropy H(X) of flight-time distribution |
| C-3 | Scroll velocity smoothing | Jerk-curvature Bézier deviation detection |
| C-4 | Click-pattern randomization | Micro-tremor spectral analysis (8–12 Hz band) |
| C-5 | Session-duration padding | Temporal scoring layer (non-Poisson inter-event timing) |
| C-6 | Form-fill delay injection | Keystroke dwell-time variance analysis |
| C-7 | AI-generated mouse paths | Fractal dimension analysis (D_f ≠ 1.2–1.5 for humans) |
| C-8 | Touch-pressure simulation | Accelerometer zero-G calibration bias cross-check |
| C-9 | Gaze-pattern mimicry | Pupil-dilation inference via interaction latency correlation |
Category D: Infrastructure Evasion (10 techniques)
These include virtual machine detection evasion, headless browser cloaking, cloud-instance fingerprint masking, and device-farm rotation strategies. Each is addressed by a combination of the micro-architecture profiling, steganographic honeypot, and distributed-attack-correlation layers.
The Information-Theoretic Argument for Multi-Layer Fusion
Why 151 techniques across 12 analyzers? The answer is information-theoretic. Each independent detection technique contributes entropy to the joint decision. If an adversary must defeat all techniques simultaneously, the evasion cost grows exponentially with the number of independent modalities:
Cost(evasion) ≈ ∏ᵢ Cost(defeating layer i)
For 151 techniques with average per-technique evasion cost of $50, the total evasion cost is astronomically prohibitive — a number larger than the estimated atoms in the observable universe.
This is the fundamental design principle behind Titan's Fusion Core: make evasion economically irrational, not merely technically difficult.
Practical Implications
For Security Teams
Deploy the full 12-analyzer, 151-technique pipeline. Partial deployments create predictable blind spots that Tier 2+ adversaries will discover through systematic probing.
For Product Teams
The deterministic nature of Titan's scoring means every decision is reproducible and auditable via the Evidence ID (evi_…). This is not a black-box ML model — it is a transparent, bounded evidence-accumulation system that satisfies both regulatory scrutiny and engineering debugging requirements.
For Adversaries Reading This
We publish our methodology because security through obscurity is not security. The strength of this system lies in physics and information theory, not in secrecy.
Former red-team principal at a Fortune 50 financial institution. OSCP, OSCE, GXPN certified. Designed VerifyStack's steganographic honeypot layer and proof-of-work challenge framework. Focuses on adversarial game-theory modeling and evasion-resistant detection.