Privacy-preserving deep packet inspection in outsourced middleboxes

Xingliang Yuan; Xinyu Wang; Jianxiong Lin; Cong Wang

doi:10.1109/INFOCOM.2016.7524526

Privacy-preserving deep packet inspection in outsourced middleboxes

Xingliang Yuan, Xinyu Wang, Jianxiong Lin, Cong Wang

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

65 Citations (Scopus)

Abstract

Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. Recent trend of deploying middleboxes in cloud as virtualized services further expands potential benefits of middleboxes while avoiding local maintenance burdens. Despite promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox processing services, like intrusion detection, require packet payload inspection, while the ever-increasing adoption of HTTPS limits the function due to the end-to-end encryption. Second, many packet inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configuring middleboxes in untrusted outsourced environments. In this paper, we propose a practical system architecture for outsourced middleboxes to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is an encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection. We then elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual processing throughput over 3500 packets/second for 500 concurrent connections.

Original language	English
Title of host publication	IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
Subtitle of host publication	San Francisco, California, USA 10-14 April 2016
Editors	Sung-Ju Lee, Chiara Petrioli, Peng-Jun Wan
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	1764-1772
Number of pages	9
ISBN (Electronic)	9781467399531
ISBN (Print)	9781467399548
DOIs	https://doi.org/10.1109/INFOCOM.2016.7524526
Publication status	Published - 2016
Externally published	Yes
Event	IEEE Conference on Computer Communications 2016 - San Francisco, United States of America Duration: 10 Apr 2016 → 15 Apr 2016 Conference number: 35th http://infocom2016.ieee-infocom.org/

Conference

Conference	IEEE Conference on Computer Communications 2016
Abbreviated title	IEEE INFOCOM 2016
Country/Territory	United States of America
City	San Francisco
Period	10/04/16 → 15/04/16
Internet address	http://infocom2016.ieee-infocom.org/

Access to Document

10.1109/INFOCOM.2016.7524526

Cite this

Yuan, X., Wang, X., Lin, J., & Wang, C. (2016). Privacy-preserving deep packet inspection in outsourced middleboxes. In S.-J. Lee, C. Petrioli, & P.-J. Wan (Eds.), IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications: San Francisco, California, USA 10-14 April 2016 (pp. 1764-1772). Article 7524526 IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/INFOCOM.2016.7524526

Yuan, Xingliang ; Wang, Xinyu ; Lin, Jianxiong et al. / Privacy-preserving deep packet inspection in outsourced middleboxes. IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications: San Francisco, California, USA 10-14 April 2016. editor / Sung-Ju Lee ; Chiara Petrioli ; Peng-Jun Wan. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2016. pp. 1764-1772

@inproceedings{f838b9d64eb34d63962fffecc5fb80cd,

title = "Privacy-preserving deep packet inspection in outsourced middleboxes",

abstract = "Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. Recent trend of deploying middleboxes in cloud as virtualized services further expands potential benefits of middleboxes while avoiding local maintenance burdens. Despite promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox processing services, like intrusion detection, require packet payload inspection, while the ever-increasing adoption of HTTPS limits the function due to the end-to-end encryption. Second, many packet inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configuring middleboxes in untrusted outsourced environments. In this paper, we propose a practical system architecture for outsourced middleboxes to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is an encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection. We then elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual processing throughput over 3500 packets/second for 500 concurrent connections.",

author = "Xingliang Yuan and Xinyu Wang and Jianxiong Lin and Cong Wang",

year = "2016",

doi = "10.1109/INFOCOM.2016.7524526",

language = "English",

isbn = "9781467399548",

pages = "1764--1772",

editor = "Lee, {Sung-Ju } and Petrioli, {Chiara } and Wan, {Peng-Jun }",

booktitle = "IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "IEEE Conference on Computer Communications 2016, IEEE INFOCOM 2016 ; Conference date: 10-04-2016 Through 15-04-2016",

url = "http://infocom2016.ieee-infocom.org/",

}

Yuan, X, Wang, X, Lin, J & Wang, C 2016, Privacy-preserving deep packet inspection in outsourced middleboxes. in S-J Lee, C Petrioli & P-J Wan (eds), IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications: San Francisco, California, USA 10-14 April 2016., 7524526, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 1764-1772, IEEE Conference on Computer Communications 2016, San Francisco, California, United States of America, 10/04/16. https://doi.org/10.1109/INFOCOM.2016.7524526

Privacy-preserving deep packet inspection in outsourced middleboxes. / Yuan, Xingliang; Wang, Xinyu; Lin, Jianxiong et al.
IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications: San Francisco, California, USA 10-14 April 2016. ed. / Sung-Ju Lee; Chiara Petrioli; Peng-Jun Wan. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2016. p. 1764-1772 7524526.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Privacy-preserving deep packet inspection in outsourced middleboxes

AU - Yuan, Xingliang

AU - Wang, Xinyu

AU - Lin, Jianxiong

AU - Wang, Cong

N1 - Conference code: 35th

PY - 2016

Y1 - 2016

N2 - Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. Recent trend of deploying middleboxes in cloud as virtualized services further expands potential benefits of middleboxes while avoiding local maintenance burdens. Despite promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox processing services, like intrusion detection, require packet payload inspection, while the ever-increasing adoption of HTTPS limits the function due to the end-to-end encryption. Second, many packet inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configuring middleboxes in untrusted outsourced environments. In this paper, we propose a practical system architecture for outsourced middleboxes to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is an encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection. We then elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual processing throughput over 3500 packets/second for 500 concurrent connections.

AB - Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. Recent trend of deploying middleboxes in cloud as virtualized services further expands potential benefits of middleboxes while avoiding local maintenance burdens. Despite promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox processing services, like intrusion detection, require packet payload inspection, while the ever-increasing adoption of HTTPS limits the function due to the end-to-end encryption. Second, many packet inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configuring middleboxes in untrusted outsourced environments. In this paper, we propose a practical system architecture for outsourced middleboxes to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is an encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection. We then elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual processing throughput over 3500 packets/second for 500 concurrent connections.

UR - http://www.scopus.com/inward/record.url?scp=84983370777&partnerID=8YFLogxK

U2 - 10.1109/INFOCOM.2016.7524526

DO - 10.1109/INFOCOM.2016.7524526

M3 - Conference Paper

AN - SCOPUS:84983370777

SN - 9781467399548

SP - 1764

EP - 1772

BT - IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications

A2 - Lee, Sung-Ju

A2 - Petrioli, Chiara

A2 - Wan, Peng-Jun

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE Conference on Computer Communications 2016

Y2 - 10 April 2016 through 15 April 2016

ER -

Yuan X, Wang X, Lin J, Wang C. Privacy-preserving deep packet inspection in outsourced middleboxes. In Lee SJ, Petrioli C, Wan PJ, editors, IEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications: San Francisco, California, USA 10-14 April 2016. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2016. p. 1764-1772. 7524526 doi: 10.1109/INFOCOM.2016.7524526

Privacy-preserving deep packet inspection in outsourced middleboxes

Abstract

Conference

Access to Document

Other files and links

Cite this