Secure outsourced middleboxes provide deep packet inspection (DPI) for encrypted traffic that enables the detection of malicious activities in communications. However, existing DPI systems generally support only a single rule service provider (RSP), whose rule sets are limited to specific attack types. This constraint reduces inspection coverage and diminishes the accuracy of detecting diverse malicious traffic. In this paper, we present MRv-DPI, a new privacy-preserving DPI system that supports inspection rules from multiple RSPs, enabling targeted inspection for any type of attack pattern. Additionally, by considering that the middleboxes may only use partial subscribed RSPs’ rule sets to inspect each packet, our system also provides inspection results verification. To support multiple RSPs, MRv-DPI employs a key-homomorphic pseudo-random function, allowing matching between rules encrypted under distinct keys and packets encrypted under a shared key. For result verification, we design a temporal-hashed substring search trie based on trusted hardware, ensuring tamper-resistant verification against untrusted cloud-based middleboxes. To address efficiency challenges arising from increased rule sets across multiple RSPs, MRv-DPI segments both packets and rules, and assigns each rule a main sub-segment to facilitate fast filtering of benign packets. We evaluate MRv-DPI through comprehensive experiments using four public rule sets in a real client-to-server environment. Compared to existing DPI solutions, MRv-DPI not only enhances both security and functionality but also achieves up to 2 \(\times \) faster packet inspection and reduces communication overhead by 36.1% – 57.4%.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Verifiable and Privacy-Preserving Deep Packet Inspection for Multiple Rule Service Providers

  • Zhentao Long,
  • Pengfei Wu,
  • Kai Zhang,
  • Junqing Gong,
  • Jianting Ning

摘要

Secure outsourced middleboxes provide deep packet inspection (DPI) for encrypted traffic that enables the detection of malicious activities in communications. However, existing DPI systems generally support only a single rule service provider (RSP), whose rule sets are limited to specific attack types. This constraint reduces inspection coverage and diminishes the accuracy of detecting diverse malicious traffic. In this paper, we present MRv-DPI, a new privacy-preserving DPI system that supports inspection rules from multiple RSPs, enabling targeted inspection for any type of attack pattern. Additionally, by considering that the middleboxes may only use partial subscribed RSPs’ rule sets to inspect each packet, our system also provides inspection results verification. To support multiple RSPs, MRv-DPI employs a key-homomorphic pseudo-random function, allowing matching between rules encrypted under distinct keys and packets encrypted under a shared key. For result verification, we design a temporal-hashed substring search trie based on trusted hardware, ensuring tamper-resistant verification against untrusted cloud-based middleboxes. To address efficiency challenges arising from increased rule sets across multiple RSPs, MRv-DPI segments both packets and rules, and assigns each rule a main sub-segment to facilitate fast filtering of benign packets. We evaluate MRv-DPI through comprehensive experiments using four public rule sets in a real client-to-server environment. Compared to existing DPI solutions, MRv-DPI not only enhances both security and functionality but also achieves up to 2 \(\times \) faster packet inspection and reduces communication overhead by 36.1% – 57.4%.