NetEcho: From Real-World Streaming Side-Channels to Full LLM Conversation Recovery
- URL: http://arxiv.org/abs/2510.25472v1
- Date: Wed, 29 Oct 2025 12:47:36 GMT
- Title: NetEcho: From Real-World Streaming Side-Channels to Full LLM Conversation Recovery
- Authors: Zheng Zhang, Guanlong Wu, Sen Deng, Shuai Wang, Yinqian Zhang
- Abstract summary: NetEcho is designed to recover entire conversations directly from encrypted network traffic. It can recover $\sim$70% information of each conversation, demonstrating a critical limitation in current defense mechanisms.
- Score: 21.94698636997114
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: In the rapidly expanding landscape of Large Language Model (LLM) applications, real-time output streaming has become the dominant interaction paradigm. While this enhances user experience, recent research reveals that it exposes a non-trivial attack surface through network side-channels. Adversaries can exploit patterns in encrypted traffic to infer sensitive information and reconstruct private conversations. In response, LLM providers and third-party services are deploying defenses such as traffic padding and obfuscation to mitigate these vulnerabilities. This paper starts by presenting a systematic analysis of contemporary side-channel defenses in mainstream LLM applications, with a focus on services from vendors like OpenAI and DeepSeek. We identify and examine seven representative deployment scenarios, each incorporating active/passive mitigation techniques. Despite these enhanced security measures, our investigation uncovers significant residual information that remains vulnerable to leakage within the network traffic. Building on this discovery, we introduce NetEcho, a novel, LLM-based framework that comprehensively unleashes the network side-channel risks of today's LLM applications. NetEcho is designed to recover entire conversations -- including both user prompts and LLM responses -- directly from encrypted network traffic. It features a deliberate design that ensures high-fidelity text recovery, transferability across different deployment scenarios, and moderate operational cost. In our evaluations on medical and legal applications built upon leading models like DeepSeek-v3 and GPT-4o, NetEcho can recover avg $\sim$70\% information of each conversation, demonstrating a critical limitation in current defense mechanisms. We conclude by discussing the implications of our findings and proposing future directions for augmenting network traffic security.
Related papers
- Whisper Leak: a side-channel attack on Large Language Models [0.2291770711277359]
This paper introduces Whisper Leak, a side-channel attack that infers user prompt topics from encrypted LLM traffic. Despite TLS encryption protecting content, these metadata patterns leak sufficient information to enable topic classification. For many models, we achieve 100% precision in identifying sensitive topics like "money laundering" while recovering 5-20% of target conversations.
arXiv Detail & Related papers (2025-11-05T17:47:46Z)
- Web Intellectual Property at Risk: Preventing Unauthorized Real-Time Retrieval by Large Language Models [49.270849415269936]
We propose a novel framework that empowers web content creators to safeguard their web-based IP from unauthorized extraction and redistribution. Our method follows principled motivations and effectively addresses an intractable black-box optimization problem.
arXiv Detail & Related papers (2025-05-19T03:14:08Z)
- Large Language Models powered Malicious Traffic Detection: Architecture, Opportunities and Case Study [12.381768120279771]
Large Language Models (LLMs) are trained on a vast corpus of text. We focus on unleashing the full potential of LLMs in malicious traffic detection. We present our design on LLM-powered DDoS detection as a case study.
arXiv Detail & Related papers (2025-03-24T09:40:46Z)
- DeepSeek-Inspired Exploration of RL-based LLMs and Synergy with Wireless Networks: A Survey [68.74626395093496]
Reinforcement learning (RL)-based large language models (LLMs) have attracted widespread attention for their capabilities in multimodal data understanding. The open-source DeepSeek models are famous for their innovative designs, such as large-scale pure RL and cost-efficient training. This survey presents a comprehensive exploration of RL-based LLMs in the context of wireless networks.
arXiv Detail & Related papers (2025-03-13T01:59:11Z)
- NetSafe: Exploring the Topological Safety of Multi-agent Networks [22.033551405492553]
This paper focuses on the safety of multi-agent networks from a topological perspective.
We identify several critical phenomena when multi-agent networks are exposed to attacks involving misinformation, bias, and harmful information.
We find that highly connected networks are more susceptible to the spread of adversarial attacks, with task performance in a Star Graph Topology decreasing by 29.7%.
arXiv Detail & Related papers (2024-10-21T06:54:27Z)
- The Early Bird Catches the Leak: Unveiling Timing Side Channels in LLM Serving Systems [35.51755444106282]
A set of new timing side channels can be exploited to infer confidential system prompts and those issued by other users. These vulnerabilities echo security challenges observed in traditional computing systems. We propose a token-by-token search algorithm to efficiently recover shared prompt prefixes in the caches.
arXiv Detail & Related papers (2024-09-30T06:55:00Z)
- A Survey of Attacks on Large Vision-Language Models: Resources, Advances, and Future Trends [78.3201480023907]
Large Vision-Language Models (LVLMs) have demonstrated remarkable capabilities across a wide range of multimodal understanding and reasoning tasks.
The vulnerability of LVLMs is relatively underexplored, posing potential security risks in daily usage.
In this paper, we provide a comprehensive review of the various forms of existing LVLM attacks.
arXiv Detail & Related papers (2024-07-10T06:57:58Z)
- Prompt Leakage effect and defense strategies for multi-turn LLM interactions [95.33778028192593]
Leakage of system prompts may compromise intellectual property and act as adversarial reconnaissance for an attacker.
We design a unique threat model which leverages the LLM sycophancy effect and elevates the average attack success rate (ASR) from 17.7% to 86.2% in a multi-turn setting.
We measure the mitigation effect of 7 black-box defense strategies, along with finetuning an open-source model to defend against leakage attempts.
arXiv Detail & Related papers (2024-04-24T23:39:58Z)
- A Survey on Detection of LLMs-Generated Content [97.87912800179531]
The ability to detect LLMs-generated content has become of paramount importance.
We aim to provide a detailed overview of existing detection strategies and benchmarks.
We also posit the necessity for a multi-faceted approach to defend against various attacks.
arXiv Detail & Related papers (2023-10-24T09:10:26Z)
- A Comprehensive Overview of Backdoor Attacks in Large Language Models within Communication Networks [28.1095109118807]
Large Language Models (LLMs) are poised to offer efficient and intelligent services for future mobile communication networks.
LLMs may be exposed to maliciously manipulated training data and processing, providing an opportunity for attackers to embed a hidden backdoor into the model.
Backdoor attacks are particularly concerning within communication networks where reliability and security are paramount.
arXiv Detail & Related papers (2023-08-28T07:31:43Z)
- Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection [64.67495502772866]
Large Language Models (LLMs) are increasingly being integrated into various applications.
We show how attackers can override original instructions and employed controls using Prompt Injection attacks.
We derive a comprehensive taxonomy from a computer security perspective to systematically investigate impacts and vulnerabilities.
arXiv Detail & Related papers (2023-02-23T17:14:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.