Privacy-Preserving Packet Header Checking Over in-the-Cloud Middleboxes
|Journal / Publication||IEEE Internet of Things Journal|
|Online published||4 Mar 2020|
|Publication status||Published - Jun 2020|
|Link to Scopus||https://www.scopus.com/record/display.uri?eid=2-s2.0-85086594958&origin=recordpage|
The explosive growth of network traffic is pushing forward the paradigm of cloud-based middlebox services today. However, due to the increasing attacking surfaces, redirecting enterprises traffic to outsourced middleboxes inevitably raises new privacy concerns about packet content exposure and unauthorized rulesets access. To address these issues, recent efforts have been made toward enabling middlebox services through encrypted traffic and middlebox rules. Following this direction, in this article, we investigate the issue of privacy-preserving header checking, which is an indispensable service of middlebox applications. Specifically, we propose two new encrypted header-matching schemes that significantly improve security and efficiency. Our main idea is to formulate the problem of encrypted header checking as range-based pattern matching, and carefully craft security designs to enable efficient header inspection in the ciphertext domain. Our first design is carefully tailored to generic range-based functions, while our second design is highly customized for contiguous rulesets to further improve the checking efficiency. We formally analyze the security strengths and implement a fully functional system prototype. The extensive experiments over the real-world rulesets demonstrate the practicality of our designs.
- Intrusion detection, Order-revealing encryption (ORE), Outsourced middlebox, Searchable encryption
IEEE Internet of Things Journal, Vol. 7, No. 6, 9024147, 06.2020, p. 5359-5370.
Research output: Journal Publications and Reviews (RGC: 21, 22, 62) › 21_Publication in refereed journal › peer-review