PrivDPI: Privacy-Preserving Encrypted Traffic Inspection with Reusable Obfuscated Rules

Network middleboxes perform deep packet inspection (DPI) to detect anomalies and suspicious activities in network traffic. However, increasingly these traffic are encrypted and middleboxes can no longer make sense of them. A recent proposal by Sherry et al. (SIGCOMM 2015), named BlindBox, enables the middlebox to perform inspection in a privacy-preserving manner. BlindBox deploys garbled circuit to generate encrypted rules for the purpose of inspecting the encrypted traffic directly. However, the setup latency (which could be 97s on a ruleset of 3,000 as reported) and overhead size incurred by garbled circuit are high. Since communication can only be commenced after the encrypted rules being generated, such delay is intolerable in many real-time applications. In this work, we present PrivDPI, which reduces the setup delay while retaining similar privacy guarantee. Compared to BlindBox, for a ruleset of 3,000, our encrypted rule generation is 288x faster and requires 290,227x smaller overhead for the first session, and is even 1,036x faster and requires 3424,505x smaller overhead over 20 consecutive sessions. The performance gain is based on a new technique for generating encrypted rules as well as the idea of reusing intermediate results generated in previous sessions across subsequent sessions. This is in contrast to Blindbox which performs encrypted rule generation from scratch for every session. Nevertheless, PrivDPI is 6x slower in generating the encrypted traffic tokens, yet in our implementation, the token encryption rate of PrivDPI is more than 17,271 per second which is sufficient for many real-time applications. Moreover, the intermediate values generated in each session can be reused across subsequent sessions for repeated tokens, which could further speedup token encryption. Overall, our experiment shows that PrivDPI is practical and especially suitable for connections with short flows.

[1]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[2]  Blake Anderson,et al.  Identifying Encrypted Malware Traffic with Contextual Flow Data , 2016, AISec@CCS.

[3]  Subharthi Paul,et al.  Deciphering malware’s use of TLS (without decryption) , 2016, Journal of Computer Virology and Hacking Techniques.

[4]  Nick Sullivan,et al.  The Security Impact of HTTPS Interception , 2017, NDSS.

[5]  Chunming Qiao,et al.  SPABox: Safeguarding Privacy During Deep Packet Inspection at a MiddleBox , 2017, IEEE/ACM Transactions on Networking.

[6]  Christos Gkantsidis,et al.  And Then There Were More: Secure Communication for More Than Two Parties , 2017, CoNEXT.

[7]  Cong Wang,et al.  Privacy-preserving deep packet inspection in outsourced middleboxes , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[8]  Justine Sherry,et al.  Middleboxes as a Cloud Service , 2016 .

[9]  Sébastien Canard,et al.  BlindIDS: Market-Compliant and Privacy-Friendly Intrusion Detection System over Encrypted Traffic , 2017, AsiaCCS.

[10]  Jeff Jarmoc,et al.  SSL/TLS Interception Proxies and Transitive Trust , 2012 .

[11]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[12]  Emiliano De Cristofaro,et al.  SplitBox: Toward Efficient Private Network Function Virtualization , 2016, HotMiddlebox@SIGCOMM.

[13]  Amr M. Youssef,et al.  The Sorry State of TLS Security in Enterprise Interception Appliances , 2018, ArXiv.

[14]  Claudio Orlandi,et al.  The Simplest Protocol for Oblivious Transfer , 2015, IACR Cryptol. ePrint Arch..

[15]  Blake Anderson,et al.  Machine Learning for Encrypted Malware Traffic Classification: Accounting for Noisy Labels and Non-Stationarity , 2017, KDD.

[16]  S. Rajsbaum Foundations of Cryptography , 2014 .

[17]  Pablo Rodriguez,et al.  Multi-Context TLS (mcTLS): Enabling Secure In-Network Functionality in TLS , 2015, Comput. Commun. Rev..

[18]  Sylvia Ratnasamy,et al.  BlindBox: Deep Packet Inspection over Encrypted Traffic , 2015, SIGCOMM.

[19]  Mohammad Mannan,et al.  Killed by Proxy: Analyzing Client-end TLS Interce , 2016, NDSS.

[20]  Dongsu Han,et al.  SGX-Box: Enabling Visibility on Encrypted Traffic using a Secure Middlebox Module , 2017, APNet.

[21]  Mihir Bellare,et al.  Efficient Garbling from a Fixed-Key Blockcipher , 2013, 2013 IEEE Symposium on Security and Privacy.

[22]  Zhi Liu,et al.  Embark: Securely Outsourcing Middleboxes to the Cloud , 2016, NSDI.

[23]  Sylvia Ratnasamy,et al.  SafeBricks: Shielding Network Functions in the Cloud , 2018, NSDI.

[24]  Dawn Xiaodong Song,et al.  Practical techniques for searches on encrypted data , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[25]  Cong Wang,et al.  LightBox: SGX-assisted Secure Network Functions at Near-native Speed , 2017, ArXiv.

[26]  Christof Fetzer,et al.  ShieldBox: Secure Middleboxes using Shielded Execution , 2018, SOSR.

[27]  Karthikeyan Bhargavan,et al.  A Formal Treatment of Accountable Proxying Over TLS , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[28]  Oded Goldreich,et al.  The Foundations of Cryptography - Volume 2: Basic Applications , 2001 .