Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalpeer-review

9 Scopus Citations
View graph of relations


Original languageEnglish
Article number9024147
Pages (from-to)5359-5370
Journal / PublicationIEEE Internet of Things Journal
Issue number6
Online published4 Mar 2020
Publication statusPublished - Jun 2020


The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.

Research Area(s)

  • Intrusion detection, Order-revealing encryption (ORE), Outsourced middlebox, Searchable encryption