Jie Li,Jinshu Su,Xiaofeng Wang,Hao Sun,Shuhui Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_9

2017-01-01

Abstract:Hardware-based middleboxes are ubiquitous in computer networks, which usually incur high deployment and management expenses. A recently arsing trend aims to address those problems by outsourcing the functions of traditional hardware-based middleboxes to high volume servers in a cloud. This technology is promising but still faces a few challenges. First, the widely adopted data encryption techniques contradict with payload inspection needs of some middleboxes such as DPI and IDS devices. Second, the inspection rules of middleboxes may be commercial properties, thus the middlebox providers want to keep their rules confidential under third-party cloud environments, and this creates hindrances for the cloud to perform outsourced middlebox functions. Third, performance of the outsourced middlebox is an inevitable issue that needs deliberate consideration. In this paper, we propose a cloud-based DPI middlebox implementation which performs payload inspection over encrypted traffic while preserving the privacy of both communication data and inspection rules. Our design employs a modified reversible sketch structure which is used for efficient error-free membership testing, and we utilize unkeyed one-way hash functions instead of complex cryptographic protocols to achieve the privacy preservation requirements. CloudDPI supports a wide range of real-world inspection rules, we conduct evaluations on ClamAV rule set and the experiment results demonstrate the effectiveness of our proposal.

Jianting Ning,Geong Sen Poh,Jia-Chng Loh,Jason Chia,Ee-Chien Chang

DOI: https://doi.org/10.1145/3319535.3354204

2019-01-01

Abstract:Network middleboxes perform deep packet inspection (DPI) to detect anomalies and suspicious activities in network traffic. However, increasingly these traffic are encrypted and middleboxes can no longer make sense of them. A recent proposal by Sherry et al. (SIGCOMM 2015), named BlindBox, enables the middlebox to perform inspection in a privacy-preserving manner. BlindBox deploys garbled circuit to generate encrypted rules for the purpose of inspecting the encrypted traffic directly. However, the setup latency (which could be 97s on a ruleset of 3,000 as reported) and overhead size incurred by garbled circuit are high. Since communication can only be commenced after the encrypted rules being generated, such delay is intolerable in many real-time applications. In this work, we present PrivDPI, which reduces the setup delay while retaining similar privacy guarantee. Compared to BlindBox, for a ruleset of 3,000, our encrypted rule generation is 288x faster and requires 290,227x smaller overhead for the first session, and is even 1,036x faster and requires 3424,505x smaller overhead over 20 consecutive sessions. The performance gain is based on a new technique for generating encrypted rules as well as the idea of reusing intermediate results generated in previous sessions across subsequent sessions. This is in contrast to Blindbox which performs encrypted rule generation from scratch for every session. Nevertheless, PrivDPI is 6x slower in generating the encrypted traffic tokens, yet in our implementation, the token encryption rate of PrivDPI is more than 17,271 per second which is sufficient for many real-time applications. Moreover, the intermediate values generated in each session can be reused across subsequent sessions for repeated tokens, which could further speedup token encryption. Overall, our experiment shows that PrivDPI is practical and especially suitable for connections with short flows.

Hao Ren,Hongwei Li,Dongxiao Liu,Guowen Xu,Nan Cheng,Xuemin Shen,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tcc.2020.2991167

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer fast filters out most of legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. Large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.

computer science, information systems, theory & methods

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Yu -tong Guo,Yang Gao,Yan Wang,Meng-yuan Qin,Yu-jie Pu,Zeng Wang,Dan-dan Liu,Xiang-jun Chen,Tian-fng Gao,Ting-ting Lv,Zhong-chuan Fu

DOI: https://doi.org/10.1016/j.proeng.2017.01.276

2017-01-01

Procedia Engineering

Abstract:A malicious behavior detection approach which combines both the DPI (Deep Packet Inspection) and DFI (Deep Flow Inspection) is proposed, namely DPI & DFI. For the DPI & DFI method an outlier data mining method is employed. The fine-grained DPI is suitable for plaintext traffic, while DFI is a complementary for encrypted or emerging traffic. The collaborative detection approach includes three phases: DPI detection, DFI detection & comparison, and feedback. In present work, the C4.5 data-mining decision tree is adopted as classifier. The KDD Cup’99 benchmark is used and representative attack categories such as Probing, DOS, R2L (Remote to User) and U2R (User to Root) are evaluated. In-depth analysis demonstrates that the U2R and R2L attack categories lead to lower detection rate, and in particular the attack types contribute most are put forward. In future work, some other types of classifiers suitable to R2L and U2R attack categories should be investigated.

Xiaoli Zhang,Wei Geng,Yiqiao Song,Hongbing Cheng,Ke Xu,Qi Li

DOI: https://doi.org/10.1109/tnet.2023.3282100

2024-01-01

Abstract:In the trend of network middleboxes as a service, enterprise customers adopt in-the-cloud deep packet inspection (DPI) services to protect networks. As network misconfigurations and hardware failures notoriously exist, recent efforts envision to ensure the execution integrity of DPI services in untrusted clouds. However, they either require enterprise customers to know proprietary DPI rulesets of cloud providers or introduce forbidden overhead in the network context. In the paper, we propose a privacy-preserving and lightweight verification scheme that efficiently checks whether in-the-cloud DPI services run correctly without leaking private DPI rulesets. Particularly, our design introduces one trusted third party to perform privacy-preserving and trustworthy ruleset evaluation and DPI execution verification. Meanwhile, it devises a novel DPI ruleset authentication method that enables tamper-proof DPI operations and facilitates fast proof generation. The proofs can be verified without requiring the verifier to always maintain all rulesets. To further reduce the verification costs while resisting cloud cheating behaviors like bias treatments of packets, it employs a commitment-based delayed sampling mechanism which requires the DPI services to first demonstrate that all packets have been processed before receiving sampling decisions. Moreover, extensive experiments are conducted based on Click modules. The results show that the proposed scheme is practical and only incurs the real-time overhead of 10-20 microseconds.

Zhengyan Zhou,Hanze Chen,Lingfei Chen,Dong Zhang,Chunming Wu,Xuan Liu,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tgcn.2024.3432781

2024-01-01

IEEE Transactions on Green Communications and Networking

Abstract:Radio access network (RAN) enables large-scale collection of sensitive data. Privacy-preserving techniques aim to learn knowledge from sensitive data to improve services without compromising privacy. However, as the data scale increases, enforcing privacy-preserving techniques on sensitive data may consume a considerable amount of system resources and impose performance penalties. To reduce system resource consumption, we present NetDP, an in-network architecture for privacy-preserving techniques by leveraging programmable switches to improve resource efficiency (i.e., CPU cycles, network bandwidth, and privacy budgets). The key idea of NetDP is to accommodate and exploit cryptographic operators to reduce resource consumption rather than repetitively and exhaustively suppressing the impact of these techniques. To the best of our knowledge, this is the first time that privacy-preserving techniques in a large-scale data processing system have been enforced on programmable switches. Our experiments based on Tofino switches indicate that NetDP significantly reduces computation latency (e.g., 40.2%-55.8% latency in computations) without impacting fidelity.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Longlong Zhu,Jiashuo Yu,Long Huang,Linying Zheng,Jinpfeng Pan,Zhengyan Zhou,Hanze Chen,Dong Zhang,Xiang Chen,Chunming Wu

DOI: https://doi.org/10.1109/icc45041.2023.10278977

2023-01-01

Abstract:Packet classification is a crucial component in computer networking. To achieve high throughput and low memory consumption, existing solutions apply different heuristics in each construction stage to build efficient decision trees. However, previous studies divide the tree construction process based on the scale of rule subsets which is indirect to the performance goal, leading to massive rule replication and high tree depth. In this paper, we propose MiCuts, a fine-grained framework for packet classification with both high speed and low memory footprint. Its key idea is directly utilizing rule replication and tree depth to divide the tree-building process into three stages, each with suitable optimization goals. First, it partitions rules and builds shallow semi-trees without rule replication via selecting effective bits. Second, it transforms the switching problem of heuristics into an ILP problem and aims to minimize memory consumption while ensuring high lookup speed. Third, it merges some nodes to eliminate memory explosion caused by splitting, where MiCuts combines splitting and linear search. Extensive experimental results on ClassBench show that MiCuts outperforms state-of-the-art approaches, improving lookup speed by 1.71× while reducing memory footprint by 74.4% on average.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Jingyuan Fan,Chaowen Guan,Kui Ren,Yong Cui,Chunming Qiao

DOI: https://doi.org/10.1109/tnet.2017.2753044

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Widely used over the Internet to encrypt traffic, HTTPS provides secure and private data communication between clients and servers. However, to cope with rapidly changing and sophisticated security attacks, network operators often deploy middleboxes to perform deep packet inspection (DPI) to detect attacks and potential security breaches, using techniques ranging from simple keyword matching to more advanced machine learning and data mining analysis. But this creates a problem: how can middleboxes, which employ DPI, work over HTTPS connections with encrypted traffic while preserving privacy? In this paper, we present SPABox, a middlebox-based system that supports both keyword-based and data analysis-based DPI functions over encrypted traffic. SPABox preserves privacy by using a novel protocol with a limited connection setup overhead. We implement SPABox on a standard server and show that SPABox is practical for both long-lived and short-lived connection. Compared with the state-of-the-art Blindbox system, SPABox is more than five orders of magnitude faster and requires seven orders of magnitude less bandwidth for connection setup while SPABox can achieve a higher security level.

Kai Zhang,Minjun Deng,Bei Gong,Yinbin Miao,Jianting Ning

DOI: https://doi.org/10.1109/jiot.2023.3297601

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Blockchain-based Industrial Internet-of-Things (IIoT) integrates the blockchain technology into the traditional IIoT infrastructure to provide secure and collaborative services. In IIoT, the traffic is usually encrypted using cipher suite (SSL/TLS) for secure communication, which makes it hard for middleboxes to detect malicious activity in the traffic. To address this problem, secure middleboxes that directly perform encrypted traffic inspection have been presented. Recently, a new privacy-preserving deep packet inspection (DPI) system on middlebox for IoT scenarios was proposed, but it suffered from the following two limitations: (i) no support for fast token detection; (ii) no support for tracing abnormal sources. To address the two limitations, we propose BTDPI, a privacy-preserving traceable DPI system that efficiently performs inspection over encrypted traffic in Blockchain-based IIoT. Technically, we adopt a two-layer filter architecture to improve the efficiency of detection, and moreover introduce a new online-offline certificateless aggregate signature with smart contract to design an identity traceability mechanism. The experiment result shows that BTDPI runs 26.7× faster for token detection with 3,000 tokens and 3,000 rules than the state-of-the-art work.

computer science, information systems,telecommunications,engineering, electrical & electronic

Likun Liu,Jiantao Shi,Hongli Zhang,Xiangzhan Yu

DOI: https://doi.org/10.1109/bdcloud.2018.00113

2018-01-01

Abstract:Deep Packet Inspection (DPI) is the core of security devices, such as NIDS, NIPS, which is also an important target of the adversary. The vulnerability of DPI engine is that it relies heavily on pattern matching algorithms, which consume a lot of system resources. In order to make denial of service of DPI, the adversary leverages string repetitions to perform algorithmic complexity attacks. In this paper, we propose an attack identification method for automata and design three defensive strategies. Our attack identification method adopts a two-step threshold detection method, while defensive mechanisms include dropping, transferring and rescheduling the traffic. And the rescheduling traffic based on multi-core platform is a parallelization problem. To solve this problem, this paper proposes a traffic exchange strategy between threads, so that the attack traffic is allocated to dedicated threads. We demonstrate the effectiveness of our method by checking the packet loss rate of NIC and monitoring the utilization of CPU and memory. Upon different attack intensity, our experiments show a throughput boost of up to 11%-60% by comparing with the original system, and 4%-14% with the Level-1 threshold detection. In addition, the false negative rate under the diversified attack scenarios is lower than the original system and Level-1 threshold detection.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Dezhang Kong,Dong Zhang,Junchi Xing,Wei Ruan

DOI: https://doi.org/10.1016/j.jnca.2021.103186

IF: 7.574

2021-10-01

Journal of Network and Computer Applications

Abstract:Deep packet inspection (DPI) has been extensively investigated in software-defined networking (SDN) as complicated attacks may intractably inject malicious payloads in the packets. Existing proprietary pattern-based or port-based third-party DPI tools can suffer from limitations in efficiently processing a large volume of data traffic. In this paper, a novel OpenFlow-enabled deep packet inspection (OFDPI) approach is proposed based on the SDN paradigm to provide adaptive and efficient packet inspection. First, OFDPI prescribes an early detection at the flow-level granularity by checking the IP addresses of each new flow via OpenFlow protocols. Then, OFDPI allows for deep packet inspection at the packet-level granularity: (i) for unencrypted packets, OFDPI extracts the features of accessible payloads, including tri-gram frequency based on Term Frequency and Inverted Document Frequency (TF–IDF) and linguistic features. These features are concatenated into a sparse matrix representation and are then applied to train a binary classifier with logistic regression rather than matching with specific pattern combinations. In order to balance the detection accuracy and performance bottleneck of the SDN controller, OFDPI introduces an adaptive packet sampling window based on the linear prediction; and (ii) for encrypted packets, OFDPI extracts notable features of packets and then trains a binary classifier with a decision tree, instead of decrypting the encrypted traffic to weaken user privacy. A prototype of OFDPI is implemented on the Ryu SDN controller and the Mininet platform. The performance and the overhead of the proposed solution are assessed using the real-world datasets through experiments. The numerical results indicate that OFDPI can provide a significant improvement in detection accuracy with acceptable overheads.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Yixuan Zhang,Meiting Xue,Huan Zhang,Shubiao Liu,Bei Zhao

DOI: https://doi.org/10.1587/transfun.2022eap1062

2023-01-01

IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences

Abstract:Network traffic control and classification have become increasingly dependent on deep packet inspection (DPI) approaches, which are the most precise techniques for intrusion detection and prevention. However, the increasing traffic volumes and link speed exert considerable pressure on DPI techniques to process packets with high performance in restricted available memory. To overcome this problem, we proposed dual cuckoo filter (DCF) as a data structure based on cuckoo filter (CF). The CF can be extended to the parallel mode called parallel Cuckoo Filter (PCF). The proposed data structure employs an extra hash function to obtain two potential indices of entries. The DCF magnifies the superiority of the CF with no additional memory. Moreover, it can be extended to the parallel mode, resulting in a data structure referred to as parallel Dual Cuckoo filter (PDCF). The implementation results show that using the DCF and PDCF as identification tools in a DPI system results in time improvements of up to 2% and 30% over the CF and PCF, respectively.

Jianting Ning,Xinyi Huang,Geong Sen Poh,Shengmin Xu,Jia-Ch'ng Loh,Robert H. Deng,Jian Weng

DOI: https://doi.org/10.1007/978-3-030-58951-6_1

2020-01-01

Abstract:Transport Layer Security Inspection (TLSI) enables enterprises to decrypt, inspect and then re-encrypt users’ traffic before it is routed to the destination. This breaks the end-to-end security guarantee of the TLS specification and implementation. It also raises privacy concerns since users’ traffic is now known by the enterprises, and third-party middlebox providers providing the inspection services may additionally learn the inspection or attack rules, policies of the enterprises. Two recent works, BlindBox (SIGCOMM 2015) and PrivDPI (CCS 2019) propose privacy-preserving approaches that inspect encrypted traffic directly to address the privacy concern of users’ traffic. However, BlindBox incurs high preprocessing overhead during TLS connection establishment, and while PrivDPI reduces the overhead substantially, it is still notable compared to that of TLSI. Furthermore, the underlying assumption in both approaches is that the middlebox knows the rule sets. Nevertheless, with the services increasingly migrating to third-party cloud-based setting, rule privacy should be preserved. Also, both approaches are static in nature in the sense that addition of any rules requires significant amount of preprocessing and re-instantiation of the protocols.

Xiaoming Lu,Weihua Cao,Xusheng Huang,Feiyi Huang,Liwen He,Wenhong Yang,Shaobin Wang,Xiaotong Zhang,Hongsong Chen

DOI: https://doi.org/10.1109/GLOCOM.2010.5684117

2010-01-01

Abstract:In 3G mobile communication system, mobile broadband data services create great opportunities on revenue growth for network carriers. In the mean time, the dramatically increased subscribers make the access and core network more and more over-loaded everyday. Unfortunately, majority of wireless bandwidth is consumed by non revenue driven application traffic such as the P2P downloading, illegal VoIP and file sharing that launched by minority of subscribers. This phenomenon seriously affects the experience of normal users. From the perspective of network carriers, network performance and user behavior should be monitored to detect mis-conducts and abnormal utilization in real time so as to achieve utilization fairness and efficiency. In this paper, we implement the deep packet inspection (DPI) technology into the CDMA 1x EV DO mobile network packet switch (PS) domain and construct a DPI based network traffic monitoring, analysis and management system. With the system, subscriber, cell, base station, PCF and PDSN based traffic monitoring and control, and application based traffic management is enabled. As a result, network capacity has been fully utilized by setting the application rate threshold, customer satisfaction has been greatly improved by keeping fair bandwidth utilization.

Ren Yue,Chen Miao,Li Bo,Wang Xueyuan,Li Xingzhi,Liao Zijun

DOI: https://doi.org/10.1109/cac53003.2021.9727422

2021-10-22

Abstract:With the rapid development of the Internet, network traffic is becoming more complex and diverse. At the same time, malicious traffic is growing. This seriously threatens the security of networks and information. However, the current DPI (Deep Packet Inspect) engine based on x86 architecture is slow in monitoring speed, which cannot meet the needs. Generally, two factors affect the detection rate: CPU and memory; The efficiency of data packet acquisition, and multi regular expression matching. Under these circumstances, this paper presents an efficient implementation of the DPI engine based on a generic x86 platform. DPDK is used as the platform of network data packets acquisition and processing. Using the multi-queue of the NIC (network interface controller) and the customized symmetric RSS key, the network traffic is divided and reorganized in the form of conversation. The core of traffic identification is hyperscan, which uses a flow pattern to match the packets load of a single conversation efficiently. It greatly reduces memory requirements. The method makes full use of the system resources and takes into account the advantages of high efficiency of hardware implementation. And it has a remarkable improvement in the efficiency of recognition.

Hao Xu,Harry Chang,Kun Qiu,Yang Hong,Wenjun Zhu,Xiang Wang,Baoqian Li,Jin Zhao

DOI: https://doi.org/10.1109/tnsm.2024.3354985

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Deep Packet Inspection (DPI) has been one of the most significant network security techniques. It is widely used to identify and classify network traffic in various applications such as web application firewall and intrusion detection. Different from traditional packet filtering that only examines packet headers, DPI detects payloads as well by comparing them with an existing signature database. The literal matching engine, which plays a key role in DPI, is the primary determinant of the system performance. FDR, an engine that utilizes 3 SIMD operations to match 1 character with multiple literals, has been developed and is currently one of the fastest literal matching engines. However, FDR has significant performance drop-off when faced with small-scale literal rule sets, whose proportion is more than 90% in modern databases. In this paper, we designed Teddy, an engine that is highly optimized for small-scale literal rule sets. Compared with FDR, Teddy significantly improves the matching efficiency by a novel shift-or matching algorithm that can simultaneously match up to 64 characters with only 15 SIMD operations. We evaluate Teddy with real-world traffic and rule sets. Experimental results show that its performance is up to 43.07x that of Aho-corasick (AC) and 2.17x that of FDR. Teddy has been successfully integrated into Hyperscan, together with which it is widely deployed in modern popular DPI applications such as Snort and Suricata.

computer science, information systems

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.