Abstract
Hardware-based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arsing trend aims to address those problems by outsourcing the functions of traditional hardware-based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges. First, the widely adopted data encryption techniques contradict with payload inspection needs of some middleboxes such as DPI and IDS devices. Second, the inspection rules of middleboxes may be commercial properties, thus the middlebox providers want to keep their rules confidential under third-party cloud environments, and this creates hindrances for the cloud to perform outsourced middlebox functions. Third, performance of the outsourced middlebox is an inevitable issue that needs deliberate consideration. In this paper, we propose a cloud-based DPI middlebox implementation which performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our design employs a modified reversible sketch structure which is used for efficient error-free membership testing, and we utilize unkeyed one-way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. CloudDPI supports a wide range of real-world inspection rules, we conduct evaluations on ClamAV rule set and the experiment results demonstrate the effectiveness of our proposal.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Network functions virtualization, an introduction, benefits, enablers, challenges and call for action. N Operators - SDN and OpenFlow SDN and OpenFlow World Congress (2012)
Sherry, J., Hasan, S., Scott, C., Krishnamurthy, A., Ratnasamy, S., Sekar, V.: Making middleboxes someone else’s problem: network processing as a cloud service. ACM SIGCOMM Comput. Commun. Rev. 42(4), 13–24 (2012)
Wikipedia: Wannacry ransomware attack — wikipedia, the free encyclopedia (2017). [Online; Accessed 19 June 2017]
Sherry, J., Lan, C., Popa, R.A., Ratnasamy, S.: Blindbox: deep packet inspection over encrypted traffic. ACM SIGCOMM Comput. Commun. Rev. 45, 213–226 (2015). ACM
Yao, A.C.C.: How to generate and exchange secrets. In: 27th Annual Symposium on Foundations of Computer Science, pp. 162–167. IEEE (1986)
Lindell, Y., Pinkas, B.: A proof of security of yaos protocol for two-party computation. J. Cryptology 22(2), 161–188 (2009)
Naor, M., Pinkas, B.: Oblivious transfer with adaptive queries. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 573–590. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_36
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 535–548. ACM (2013)
Yuan, X., Wang, X., Lin, J., Wang, C.: Privacy-preserving deep packet inspection in outsourced middleboxes. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, pp. 1–9. IEEE (2016)
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_40
Bruce, S.: Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., New York (1996)
Schweller, R., Li, Z., Chen, Y., Gao, Y., Gupta, A., Zhang, Y., Dinda, P.A., Kao, M.Y., Memik, G.: Reversible sketches: enabling monitoring and analysis over high-speed data streams. IEEE/ACM Trans. Networking (ToN) 15(5), 1059–1072 (2007)
Sun, H., Wang, X., Buyya, R., Su, J.: Cloudeyes: Cloud-based malware detection with reversible sketch for resource-constrained internet of things (IoT) devices. Softw. Pract. Exp. 47, 421–441 (2016)
Shi, J., Zhang, Y., Zhong, S.: Privacy-preserving network functionality outsourcing (2015). arXiv preprint: arXiv:1502.00389
Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46800-5_1
Melis, L., Asghar, H.J., De Cristofaro, E., Kaafar, M.A.: Private processing of outsourced network functions: feasibility and constructions. In: Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, pp. 39–44. ACM (2016)
Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_30
Huang, L.S., Rice, A., Ellingsen, E., Jackson, C.: Analyzing forged SSL certificates in the wild. In: 2014 IEEE symposium on Security and Privacy (SP), pp. 83–97. IEEE (2014)
Lan, C., Sherry, J., Popa, R.A., Ratnasamy, S., Liu, Z.: Embark: securely outsourcing middleboxes to the cloud. In: 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2016), pp. 255–273. USENIX Association (2016)
Wikipedia: Clam antivirus — wikipedia, the free encyclopedia (2017). [Online; Accessed 20 June 2017]
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Li, J., Su, J., Wang, X., Sun, H., Chen, S. (2017). CloudDPI: Cloud-Based Privacy-Preserving Deep Packet Inspection via Reversible Sketch. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science(), vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-69471-9_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69470-2
Online ISBN: 978-3-319-69471-9
eBook Packages: Computer ScienceComputer Science (R0)