Privacy-preserving deep packet inspection in outsourced middleboxes

Xingliang Yuan, Xinyu Wang, Jianxiong Lin, Cong Wang

Research output: Chapter in Book/Report/Conference proceedingConference PaperResearchpeer-review

36 Citations (Scopus)

Abstract

Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. Recent trend of deploying middleboxes in cloud as virtualized services further expands potential benefits of middleboxes while avoiding local maintenance burdens. Despite promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox processing services, like intrusion detection, require packet payload inspection, while the ever-increasing adoption of HTTPS limits the function due to the end-to-end encryption. Second, many packet inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configuring middleboxes in untrusted outsourced environments. In this paper, we propose a practical system architecture for outsourced middleboxes to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is an encrypted high-performance rule filter that takes randomized tokens from packet payloads for encrypted inspection. We then elaborate through carefully tailored techniques how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual processing throughput over 3500 packets/second for 500 concurrent connections.

Original languageEnglish
Title of host publicationIEEE INFOCOM 2016 - 35th Annual IEEE International Conference on Computer Communications
Subtitle of host publicationSan Francisco, California, USA 10-14 April 2016
EditorsSung-Ju Lee, Chiara Petrioli, Peng-Jun Wan
Place of PublicationPiscataway NJ USA
PublisherIEEE, Institute of Electrical and Electronics Engineers
Pages1764-1772
Number of pages9
ISBN (Electronic)9781467399531
ISBN (Print)9781467399548
DOIs
Publication statusPublished - 2016
Externally publishedYes
EventIEEE Conference on Computer Communications 2016 - San Francisco, United States of America
Duration: 10 Apr 201615 Apr 2016
Conference number: 35th
http://infocom2016.ieee-infocom.org/

Conference

ConferenceIEEE Conference on Computer Communications 2016
Abbreviated titleIEEE INFOCOM 2016
Country/TerritoryUnited States of America
CitySan Francisco
Period10/04/1615/04/16
Internet address

Cite this