Add detection for "quantum insert" type of attacks. Since the leaked information is classified, I will try to explain in unclassified form what it is about.
The idea is that you have a passive adversary that sniff your TCP sequence numbers and inject its malicious payload faster than the real server.
One of the leaked documents mentions as an alerting mechanism to detect duplicate TCP sequence numbers from same source, where at least 10% of the beginning of the content of the two packets differs.
Handling the "rexmit_inconsistency" event and comparing the mismatched content might be a way to do what you want.
This is already merged into master and is usable from there and will be a standard feature of 2.5.