NetEcho: From Real-World Streaming Side-Channels to Full LLM Conversation Recovery

Authors: Zheng Zhang, Guanlong Wu, Sen Deng, Shuai Wang, Yinqian Zhang | Published: 2025-10-29

2025.10.292025.10.31

Authors: Zheng Zhang, Guanlong Wu, Sen Deng, Shuai Wang, Yinqian Zhang
Published: 2025-10-29

Source: https://arxiv.org/abs/2510.25472

PDF: https://arxiv.org/pdf/2510.25472

Labels Predicted by AI

Model Extraction Attack Network Traffic Analysis Defense Method

Please note that these labels were automatically added by AI. Therefore, they may not be entirely accurate.
For more details, please see the About the Literature Database page.

Abstract

In the rapidly expanding landscape of Large Language Model (LLM) applications, real-time output streaming has become the dominant interaction paradigm. While this enhances user experience, recent research reveals that it exposes a non-trivial attack surface through network side-channels. Adversaries can exploit patterns in encrypted traffic to infer sensitive information and reconstruct private conversations. In response, LLM providers and third-party services are deploying defenses such as traffic padding and obfuscation to mitigate these vulnerabilities. This paper starts by presenting a systematic analysis of contemporary side-channel defenses in mainstream LLM applications, with a focus on services from vendors like OpenAI and DeepSeek. We identify and examine seven representative deployment scenarios, each incorporating active/passive mitigation techniques. Despite these enhanced security measures, our investigation uncovers significant residual information that remains vulnerable to leakage within the network traffic. Building on this discovery, we introduce NetEcho, a novel, LLM-based framework that comprehensively unleashes the network side-channel risks of today’s LLM applications. NetEcho is designed to recover entire conversations – including both user prompts and LLM responses – directly from encrypted network traffic. It features a deliberate design that ensures high-fidelity text recovery, transferability across different deployment scenarios, and moderate operational cost. In our evaluations on medical and legal applications built upon leading models like DeepSeek-v3 and GPT-4o, NetEcho can recover avg ∼70% information of each conversation, demonstrating a critical limitation in current defense mechanisms. We conclude by discussing the implications of our findings and proposing future directions for augmenting network traffic security.