Privacy-preserving deep packet inspection in outsourced middleboxes

Authors: Xingliang Yuan, Xinyu Wang, Jianxiong Lin, Cong Wang

DOI: 10.1109/INFOCOM.2016.7524526

Keywords:

Abstract: Middleboxes are essential for a wide range of advanced traffic processing in modern enterprise networks. The recent trend of deploying middleboxes in the cloud as virtualized services further expands the potential benefits while avoiding local maintenance burdens. Despite being promising, designing outsourced middleboxes still faces several security challenges. First, many middlebox services, like intrusion detection, require packet payload inspection, but the ever-increasing adoption of HTTPS limits such functions due to end-to-end encryption. Second, the inspection rules used by middleboxes can be proprietary in nature. They may contain sensitive information of enterprises, and thus need strong protection when configured in untrusted environments. In this paper, we propose a practical system architecture to perform deep packet inspection over encrypted traffic, without revealing either packet payloads or inspection rules. Our first design is a high-performance rule filter that takes randomized tokens from packets for inspection. We then elaborate, through carefully tailored techniques, how to comprehensively support open-source real rulesets. We formally analyze the security strength. Implementations at Amazon Cloud show that our system introduces roughly 100 millisecond latency in each connection initialization, with individual throughput of 3500 packets/second under 500 concurrent connections.

References (21)
Junjie Shi, Yuan Zhang, Sheng Zhong. Privacy-preserving Network Functionality Outsourcing. arXiv: Cryptography and Security, 2015.
Seyed Kaveh Fayazbakhsh, Michael K. Reiter, Vyas Sekar. Verifiable network function outsourcing: requirements, challenges, and roadmap. Workshop on Hot Topics in Middleboxes and Network Function Virtualization, pp. 25-30, 2013. DOI: 10.1145/2535828.2535831
Bin Fan, Dave G. Andersen, Michael Kaminsky, Michael D. Mitzenmacher. Cuckoo Filter: Practically Better Than Bloom. Conference on Emerging Network Experiment and Technology, pp. 75-88, 2014. DOI: 10.1145/2674005.2674994
Zhenyu Zhou, Theophilus Benson. Towards a Safe Playground for HTTPS and Middle Boxes with QoS2. Workshop on Hot Topics in Middleboxes and Network Function Virtualization, pp. 7-12, 2015. DOI: 10.1145/2785989.2785998
Akira Yamada, Yutaka Miyake, Keisuke Takemori, Ahren Studer, Adrian Perrig. Intrusion Detection for Encrypted Web Accesses. Advanced Information Networking and Applications, vol. 1, pp. 569-576, 2007. DOI: 10.1109/AINAW.2007.212
Aaron Gember, Robert Grandl, Junaid Khalid, Aditya Akella. Design and implementation of a framework for software-defined middlebox networking. ACM Special Interest Group on Data Communication, vol. 43, pp. 467-468, 2013. DOI: 10.1145/2486001.2491686
Lin Shung Huang, Alex Rice, Erling Ellingsen, Collin Jackson. Analyzing Forged SSL Certificates in the Wild. IEEE Symposium on Security and Privacy, pp. 83-97, 2014. DOI: 10.1109/SP.2014.13
Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy. BlindBox: Deep Packet Inspection over Encrypted Traffic. ACM Special Interest Group on Data Communication, vol. 45, pp. 213-226, 2015. DOI: 10.1145/2785956.2787502
David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel-Cătălin Roşu, Michael Steiner. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation. Network and Distributed System Security Symposium, 2014. DOI: 10.14722/NDSS.2014.23264