Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : bib : networking : entries : dusi08tunnel.xml
Bibliography Details
M. Dusi, M. Crotti, F. Gringoli, and L. Salgarelli, "Tunnel Hunter: Detecting Application-Layer Tunnels with Statistical Fingerprinting", in Computer Networks 2008, Sep 2008.
Tunnel Hunter: Detecting Application-Layer Tunnels with Statistical Fingerprinting
Authors: M. Dusi
M. Crotti
F. Gringoli
L. Salgarelli
Published: Computer Networks, 2008
Entry Dates: 2009-02-11
Abstract: Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed as safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, even those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH.
  • datasets: part payload, campus, Edge/Border, 2007
  • provides a behavioral description of an application protocol, that named fingerprint, by considering three simple properties of IP packets: their size, interl-arrival time and arrival order;
  • it can be configured to achieve nearly zero false-negative rates;
  Last Modified: Wed Jun-13-2018 11:38:22 PDT
  Page URL: