Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes

Yu Guo; Mingyue Wang; Cong Wang; Xingliang Yuan; Xiaohua Jia

doi:10.1109/JIOT.2020.2978261

Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes

Yu Guo, Mingyue Wang, Cong Wang, Xingliang Yuan, Xiaohua Jia^*

^*Corresponding author for this work

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

18 Citations (Scopus)

81 Downloads (CityUHK Scholars)

Abstract

The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.

Original language	English
Article number	9024147
Pages (from-to)	5359-5370
Journal	IEEE Internet of Things Journal
Volume	7
Issue number	6
Online published	4 Mar 2020
DOIs	https://doi.org/10.1109/JIOT.2020.2978261
Publication status	Published - Jun 2020

Research Keywords

Intrusion detection
Order-revealing encryption (ORE)
Outsourced middlebox
Searchable encryption

Publisher's Copyright Statement

COPYRIGHT TERMS OF DEPOSITED POSTPRINT FILE: © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. Guo, Y., Wang, M., Wang, C., Yuan, X., & Jia, X. (2020). Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes. IEEE Internet of Things Journal, 7(6), 5359-5370. [9024147]. https://doi.org/10.1109/JIOT.2020.2978261.

Access Output

10.1109/JIOT.2020.2978261

53847934.pdfPost-print, 2.16 MB

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

@article{a8bd3dc7eb9746b9a37b7d6d5e25864e,

title = "Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes",

abstract = "The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.",

keywords = "Intrusion detection, Order-revealing encryption (ORE), Outsourced middlebox, Searchable encryption, Intrusion detection, Order-revealing encryption (ORE), Outsourced middlebox, Searchable encryption, Intrusion detection, Order-revealing encryption (ORE), Outsourced middlebox, Searchable encryption",

author = "Yu Guo and Mingyue Wang and Cong Wang and Xingliang Yuan and Xiaohua Jia",

year = "2020",

month = jun,

doi = "10.1109/JIOT.2020.2978261",

language = "English",

volume = "7",

pages = "5359--5370",

journal = "IEEE Internet of Things Journal",

issn = "2327-4662",

publisher = "IEEE",

number = "6",

}

TY - JOUR

T1 - Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes

AU - Guo, Yu

AU - Wang, Mingyue

AU - Wang, Cong

AU - Yuan, Xingliang

AU - Jia, Xiaohua

PY - 2020/6

Y1 - 2020/6

N2 - The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.

AB - The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.

KW - Intrusion detection

KW - Order-revealing encryption (ORE)

KW - Outsourced middlebox

KW - Searchable encryption

KW - Intrusion detection

KW - Order-revealing encryption (ORE)

KW - Outsourced middlebox

KW - Searchable encryption

KW - Intrusion detection

KW - Order-revealing encryption (ORE)

KW - Outsourced middlebox

KW - Searchable encryption

UR - http://www.scopus.com/inward/record.url?scp=85086594958&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85086594958&origin=recordpage

U2 - 10.1109/JIOT.2020.2978261

DO - 10.1109/JIOT.2020.2978261

M3 - RGC 21 - Publication in refereed journal

SN - 2327-4662

VL - 7

SP - 5359

EP - 5370

JO - IEEE Internet of Things Journal

JF - IEEE Internet of Things Journal

IS - 6

M1 - 9024147

ER -

Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes

Abstract

Research Keywords

Publisher's Copyright Statement

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this