Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting

Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed as safe or necess...

Full description

Saved in:
Bibliographic Details
Published inComputer networks (Amsterdam, Netherlands : 1999) Vol. 53; no. 1; pp. 81 - 97
Main Authors Dusi, M., Crotti, M., Gringoli, F., Salgarelli, L.
Format Journal Article
LanguageEnglish
Published Kidlington Elsevier B.V 16.01.2009
Elsevier
Elsevier Sequoia S.A
Subjects
Access methods and protocols, osi model
Applied sciences
Encrypted traffic
Exact sciences and technology
Fingerprinting
Gateways
Internet Protocol
Miscellaneous
Network security
Studies
Systems, networks and services of telecommunications
Telecommunications
Telecommunications and information theory
Teleprocessing networks. Isdn
Teletraffic
Traffic flow
Traffic identification
Valuation and optimization of characteristics. Simulation
Network security
Encrypted traffic
Traffic identification
Peer to peer
Internet protocol
Teletraffic
Resource sharing
HTTP
Electronic mail
Encryption
Addressing
Firewall
Statistical method
Accuracy
Traffic flow
Computer network
Fingerprint method
Security of data
Information gateway
Computer security
Online AccessGet full text

Cover

More Information
Summary:Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed as safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, even those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH.
Bibliography:SourceType-Scholarly Journals-1
ObjectType-Feature-1
content type line 14
ISSN:1389-1286
1872-7069
DOI:10.1016/j.comnet.2008.09.010