Article

Privacy-Preserving Efficient Verifiable Deep Packet Inspection for Cloud-Assisted Middlebox

Journal

IEEE TRANSACTIONS ON CLOUD COMPUTING
Volume 10, Issue 2, Pages 1052-1064

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TCC.2020.2991167

Keywords

Cloud computing; middlebox; network function outsourcing; privacy-preserving

Funding

  1. National Key R&D Program of China [2017YFB0802300, 2017YFB0802000]
  2. National Natural Science Foundation of China [61972454, 61802051, 61772121, 61728102, 61472065]
  3. Peng Cheng Laboratory Project of Guangdong Province [PCL2018KP004]
  4. Guangxi Key Laboratory of Cryptography and Information Security [GCIS201804]
  5. China Scholarship Council (CSC) [201706070048]

In this paper, an efficient verifiable deep packet inspection (EV-DPI) scheme is proposed to address privacy concerns in outsourced middlebox services. The scheme utilizes a two-layer architecture with non-collusion cloud servers, preserving packet privacy and confidentiality of inspection rules. Experimental results on the Amazon Cloud demonstrate the high efficiency and strong control of the proposed EV-DPI scheme.

With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer quickly filters out most legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. A large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.
