Tunnel Hunter: Detecting application-layer tunnels with statistical fingerprinting

  • Dusi M
  • Crotti M
  • Gringoli F
 et al. 
  • 52


    Mendeley users who have this article in their library.
  • 58


    Citations of this article.


Application-layer tunnels nowadays represent a significant security threat for any network protected by firewalls and Application Layer Gateways. The encapsulation of protocols subject to security policies such as peer-to-peer, e-mail, chat and others into protocols that are deemed as safe or necessary, such as HTTP, SSH or even DNS, can bypass any network-boundary security policy, even those based on stateful packet inspection. In this paper we propose a statistical classification mechanism that could represent an important step towards new techniques for securing network boundaries. The mechanism, called Tunnel Hunter, relies on the statistical characterization at the IP-layer of the traffic that is allowed by a given security policy, such as HTTP or SSH. The statistical profiles of the allowed usages of those protocols can then be dynamically checked against traffic flows crossing the network boundaries, identifying with great accuracy when a flow is being used to tunnel another protocol. Results from experiments conducted on a live network suggest that the technique can be very effective, even when the application-layer protocol used as a tunnel is encrypted, such as in the case of SSH. © 2008 Elsevier B.V. All rights reserved.

Author-supplied keywords

  • Encrypted traffic
  • Network security
  • Traffic identification

Get free article suggestions today

Mendeley saves you time finding and organizing research

Sign up here
Already have an account ?Sign in

Find this document


  • M. Dusi

  • M. Crotti

  • F. Gringoli

  • L. Salgarelli

Cite this document

Choose a citation style from the tabs below

Save time finding and organizing research with Mendeley

Sign up for free