DOI: 10.1145/2785956.2787502 (research article, free access)

BlindBox: Deep Packet Inspection over Encrypted Traffic

Published: 17 August 2015

    Abstract

    Many network middleboxes perform deep packet inspection (DPI), a set of useful tasks which examine packet payloads. These tasks include intrusion detection (IDS), exfiltration detection, and parental filtering. However, a long-standing issue is that once packets are sent over HTTPS, middleboxes can no longer accomplish their tasks because the payloads are encrypted. Hence, one is faced with the choice of only one of two desirable properties: the functionality of middleboxes and the privacy of encryption. We propose BlindBox, the first system that simultaneously provides both of these properties. The approach of BlindBox is to perform the deep packet inspection directly on the encrypted traffic. BlindBox realizes this approach through a new protocol and new encryption schemes.

    We demonstrate that BlindBox enables applications such as IDS, exfiltration detection and parental filtering, and supports real rulesets from both open-source and industrial DPI systems. We implemented BlindBox and showed that it is practical for settings with long-lived HTTPS connections. Moreover, its core encryption scheme is 3-6 orders of magnitude faster than existing relevant cryptographic schemes.

    Supplementary Material

    WEBM File (p213-sherry.webm)


    Published In

    SIGCOMM '15: Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication
    August 2015
    684 pages
    ISBN:9781450335423
    DOI:10.1145/2785956

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. middlebox privacy
    2. network privacy
    3. searchable encryption

    Qualifiers

    • Research-article

    Funding Sources

    • Intel Research
    • National Science Foundation

    Conference

SIGCOMM '15: ACM SIGCOMM 2015 Conference
    August 17 - 21, 2015
    London, United Kingdom

    Acceptance Rates

    SIGCOMM '15 Paper Acceptance Rate 40 of 242 submissions, 17%;
    Overall Acceptance Rate 462 of 3,389 submissions, 14%
