Side-Channel Analysis for Detecting Protocol Tunneling
Protocol tunneling is widely used to add security and/or privacy to Internet applications. Recent research has exposed side-channel vulnerabilities that leak information about tunneled protocols. The authors first discuss the timing side channels that have been found in protocol tunneling tools. They then show how to infer Hidden Markov Models (HMMs) of network protocols from timing data and use the HMMs to detect when protocols are active. Unlike previous work, the HMM approach they present requires no a priori knowledge of the protocol. To illustrate the utility of this approach, they detect the use of English or Italian in interactive SSH sessions. For this example application, keystroke-timing data associates inter-packet delays with keystrokes.