Cong Liu,Yong Cui,Kun Tan,Quan Fan,Kui Ren,Jianping Wu

DOI: https://doi.org/10.1109/INFOCOM.2018.8485861

2018-01-01

Abstract:The trends of the increasing middleboxes make the middle network more and more complex. Today, many middlehoxes work on application layer and offer significant network services by the plain-text traffic, such as firewalling, intrusion detecting and application layer gateways. At the same time, more and more network applications arc encrypting their data transmission to protect security and privacy. It is becoming a critical task and hot topic to continue providing application-layer middlehox services in the encrypted Internet, however, the state of the art is far from being able to be deployed in the real network. In this paper, we propose a practical architecture, named PlainBox, to enable session key sharing between the communication client and the middleboxes in the network path. It employs Attribute-Based Encryption (ABE) in the key sharing protocol to support multiple chaining middleboxes efficiently and securely. We develop a prototype system and apply it to popular security protocols such as TLS and SSH. We have tested our prototype system in a lab testhed as well as real-world websites. Our result shows PlainBox introduces very little overhead and the performance is practically deployable.

Huayi Duan,Cong Wang,Xingliang Yuan,Yajin Zhou,Qian Wang,Kui Ren

DOI: https://doi.org/10.48550/arXiv.1706.06261

2017-06-20

Cryptography and Security

Abstract:Running off-site software middleboxes at third-party service providers has been a popular practice. However, routing large volumes of raw traffic, which may carry sensitive information, to a remote site for processing raises severe security concerns. Prior solutions often abstract away important factors pertinent to real-world deployment. In particular, they overlook the significance of metadata protection and stateful processing. Unprotected traffic metadata like low-level headers, size and count, can be exploited to learn supposedly encrypted application contents. Meanwhile, tracking the states of 100,000s of flows concurrently is often indispensable in production-level middleboxes deployed at real networks. We present LightBox, the first system that can drive off-site middleboxes at near-native speed with stateful processing and the most comprehensive protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox is the product of our systematic investigation of how to overcome the inherent limitations of secure enclaves using domain knowledge and customization. First, we introduce an elegant virtual network interface that allows convenient access to fully protected packets at line rate without leaving the enclave, as if from the trusted source network. Second, we provide complete flow state management for efficient stateful processing, by tailoring a set of data structures and algorithms optimized for the highly constrained enclave space. Extensive evaluations demonstrate that LightBox, with all security benefits, can achieve 10Gbps packet I/O, and that with case studies on three stateful middleboxes, it can operate at near-native speed.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Jingyuan Fan,Chaowen Guan,Kui Ren,Yong Cui,Chunming Qiao

DOI: https://doi.org/10.1109/tnet.2017.2753044

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Widely used over the Internet to encrypt traffic, HTTPS provides secure and private data communication between clients and servers. However, to cope with rapidly changing and sophisticated security attacks, network operators often deploy middleboxes to perform deep packet inspection (DPI) to detect attacks and potential security breaches, using techniques ranging from simple keyword matching to more advanced machine learning and data mining analysis. But this creates a problem: how can middleboxes, which employ DPI, work over HTTPS connections with encrypted traffic while preserving privacy? In this paper, we present SPABox, a middlebox-based system that supports both keyword-based and data analysis-based DPI functions over encrypted traffic. SPABox preserves privacy by using a novel protocol with a limited connection setup overhead. We implement SPABox on a standard server and show that SPABox is practical for both long-lived and short-lived connection. Compared with the state-of-the-art Blindbox system, SPABox is more than five orders of magnitude faster and requires seven orders of magnitude less bandwidth for connection setup while SPABox can achieve a higher security level.

Mike Kosek,Benedikt Spies,Jörg Ott

DOI: https://doi.org/10.23919/IFIPNetworking57963.2023.10186363

2023-07-28

Abstract:While the evolution of the Internet was driven by the end-to-end model, it has been challenged by many flavors of middleboxes over the decades. Yet, the basic idea is still fundamental: reliability and security are usually realized end-to-end, where the strong trend towards ubiquitous traffic protection supports this notion. However, reasons to break up, or redefine the ends of, end-to-end connections have always been put forward in order to improve transport layer performance. Yet, the consolidation of the transport layer with the end-to-end security model as introduced by QUIC protects most protocol information from the network, thereby eliminating the ability to modify protocol exchanges. In this paper, we enhance QUIC to selectively expose information to intermediaries, thereby enabling endpoints to consciously insert middleboxes into an end-to-end encrypted QUIC connection while preserving its privacy, integrity, and authenticity. We evaluate our design in a distributed Performance Enhancing Proxy environment over satellite networks, finding that the performance improvements are dependent on the path and application layer properties: the higher the round-trip time and loss, and the more data is transferred over a connection, the higher the benefits of Secure Middlebox-Assisted QUIC.

Networking and Internet Architecture

Eric Wagner,David Heye,Martin Serror,Ike Kunze,Klaus Wehrle,Martin Henze

DOI: https://doi.org/10.1145/3634737.3637640

2023-12-15

Abstract:Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.

Cryptography and Security,Networking and Internet Architecture

Xiyang Zhang,Yongze Ma,Yanqing Zhao,Yanxin Li,Yi Hu

DOI: https://doi.org/10.1109/ICTech58362.2023.00073

2023-04-01

Abstract:Aiming at the problem that the existing application layer protocols (http, smtp, ftp) are difficult to fully meet the communication and transmission of industrial data in the network, this paper proposes an industrial Internet application layer protocol QSHQ (Quick-Security-HQ) that supports multiple underlying bearer protocols (MQTT, WebSocket) based on various factors such as security, real-time, versatility, and scalability. QSHQ (Quick-Security-HQ) unifies the format and message structure of industrial data in network transmission, avoids repeated design in industrial Internet development, and at the same time, addresses the security issues of transmission in industrial data networks. In the process of QSHQ message transmission, AES and RSA hybrid encryption technology is used to realize the encryption and decryption of data. Based on this, a set of CNC machine tool security interaction system is designed. The system shows that the protocol can avoid reading and tampering data in network transmission, avoid the network risk caused by the interconnection between CNC network and other networks, and has good real-time performance and versatility, which can provide basic support for industrial data in network transmission.

Engineering,Computer Science

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2021.3103765

IF: 12.3

2021-01-01

IEEE Transactions on Industrial Informatics

Abstract:Recently, data-driven industrial monitoring systems have been rapidly developed and significantly improved the performance on industrial monitoring tasks. However, the widely deployed data-driven models expose industrial data to more unsecured links, which significantly increase the safety risk of safe-critical industrial systems. The research about adversarial attacks has shown that the potential attackers can utilize tiny crafted perturbations on the input data to mislead the machine learning models’ output. In this article, a novel cross-domain data protection scheme named “Data Guardian” is proposed to authenticate and correct industrial data under potential attacks on data-driven monitoring systems. “Data Guardian” embeds designed redundancy information into the data least significant bits, based on $q$ -ary low-density parity-check (LDPC) codes over the Galois field (finite field). The data are encoded at the secured industrial sites and then decoded before being input into the monitoring systems, in which the security risk is usually higher. The decoding capability of $q$ -ary LDPC codes is improved by the data statistical characteristics, with a new proposed prior estimation method. In the experiments, “Data Guardian” is tested under the attacks to the fault diagnosis models on the Tennessee Eastman process and rolling element bearing from Case Western Reserve University. The results show that “Data Guardian” can efficiently reduce the success rate of adversarial attacks, especially when the attack variable ratio is small.

Yaxing Chen,Qinghua Zheng,Dan Liu,Zheng Yan,Wenhai Sun,Ning Zhang,Wenjing Lou,Y. Thomas Hou

DOI: https://doi.org/10.48550/arxiv.1912.08454

2019-01-01

Abstract:While the security of the cloud remains a concern, a common practice is to encrypt data before outsourcing them for utilization. One key challenging issue is how to efficiently perform queries over the ciphertext. Conventional crypto-based solutions, e.g. partially/fully homomorphic encryption and searchable encryption, suffer from low performance, poor expressiveness and weak compatibility. An alternative method that utilizes hardware-assisted trusted execution environment, i.e., Intel SGX, has emerged recently. On one hand, such work lacks of supporting scalable access control over multiple data users. On the other hand, existing solutions are subjected to the key revocation problem and knowledge extractor vulnerability. In this work, we leverage the newly hardware-assisted methodology and propose a secure, scalable and efficient SQL-like query framework named QShield. Building upon Intel SGX, QShield can guarantee the confidentiality and integrity of sensitive data when being processed on an untrusted cloud platform. Moreover, we present a novel lightweight secret sharing method to enable multi-user access control in QShield, while tackling the key revocation problem. Furthermore, with an additional trust proof mechanism, QShield guarantees the correctness of queries and significantly alleviates the possibility to build a knowledge extractor. We implemented a prototype for QShield and show that QShield incurs minimum performance cost.

Geong Sen Poh,Dinil Mon Divakaran,Hoon Wei Lim,Jianting Ning,Achintya Desai

DOI: https://doi.org/10.48550/arXiv.2101.04338

2021-01-12

Cryptography and Security

Abstract:Middleboxes in a computer network system inspect and analyse network traffic to detect malicious communications, monitor system performance and provide operational services. However, encrypted traffic hinders the ability of middleboxes to perform such services. A common practice in addressing this issue is by employing a "Man-in-the-Middle" (MitM) approach, wherein an encrypted traffic flow between two endpoints is interrupted, decrypted and analysed by the middleboxes. The MitM approach is straightforward and is used by many organisations, but there are both practical and privacy concerns. Due to the cost of the MitM appliances and the latency incurred in the encrypt-decrypt processes, enterprises continue to seek solutions that are less costly. There were discussion on the many efforts required to configure MitM. Besides, MitM violates end-to-end privacy guarantee, raising privacy concerns and issues on compliance especially with the rising awareness on user privacy. Furthermore, some of the MitM implementations were found to be flawed. Consequently, new practical and privacy-preserving techniques for inspection over encrypted traffic were proposed. We examine them to compare their advantages, limitations and challenges. We categorise them into four main categories by defining a framework that consist of system architectures, use cases, trust and threat models. These are searchable encryption, access control, machine learning and trusted hardware. We first discuss the man-in-the-middle approach as a baseline, then discuss in details each of them, and provide an in-depth comparisons of their advantages and limitations. By doing so we describe practical constraints, advantages and pitfalls towards adopting the techniques. We also give insights on the gaps between research work and industrial deployment, which leads us to the discussion on the challenges and research directions.

Yuxia Cheng,Qing Wu,Bei Wang,Wenzhi Chen

DOI: https://doi.org/10.1007/978-3-319-69471-9_4

2017-01-01

Abstract:Protecting data security and privacy is one of the top concerns in the public cloud. As the cloud infrastructure is complex, and it is difficult for cloud users to gain trust. Particularly, how to guarantee the confidentiality and integrity of in-memory user private data in untrusted cloud faces big challenges. The in-memory data is typically used for online processing that requires high performance and plaintext access in CPU, therefore simple data encryption is infeasible for in-memory data security protection. In this paper, we propose a secure in-memory data cache scheme based on the memcached key-value store system and leverage the new trusted Intel SGX processors to protect sensitive operations. Firstly, we build a secure enclave and design a trusted channel protocol using remote attestation mechanism. Secondly, we propose a cache server partitioning method that decouples the sensitive key-value operations with enclave protection. Thirdly, we implement a secure client library to maintain the original cache semantics for application compatibility. The experimental result showed that the proposed solutions achieves comparable performance with the traditional key-value store systems, while improves the level of data security in untrusted cloud.

Hao Ren,Hongwei Li,Dongxiao Liu,Guowen Xu,Nan Cheng,Xuemin Shen,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tcc.2020.2991167

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer fast filters out most of legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. Large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.

computer science, information systems, theory & methods

Yubin Xia,Yutao Liu,Haibo Chen

DOI: https://doi.org/10.1109/HPCA.2013.6522323

2013-01-01

Abstract:The privacy and integrity of tenant's data highly rely on the infrastructure of multi-tenant cloud being secure. However, with both hardware and software being controlled by potentially curious or even malicious cloud operators, it is no surprise to see frequent reports of data leakages or abuses in cloud. Unfortunately, most prior solutions require intrusive changes to the cloud platform and none can protect a VM against adversaries controlling the physical machine. This paper analyzes the challenges of transparent VM protection against sophisticated adversaries controlling the whole software and hardware stack. Based on the analysis, this paper proposes HyperCoffer, a hardware-software framework that guards the privacy and integrity of tenant's VMs. HyperCoffer only trusts the processor chip and makes no security assumption on external memory and devices. Hyper-Coffer extends existing processor virtualization with memory encryption and integrity checking to secure data communication with off-chip memory. Unlike prior hardware-based approaches, HyperCoffer retains transparency with existing virtual machines (i.e., operating systems) and requires very few changes to the (untrusted) hypervisor. HyperCoffer introduces a mechanism called VM-Shim that runs in-between a guest VM and the hypervisor. Each VM-Shim instance for a VM runs in a separate protected context and only declassifies necessary information designated by the VM to the hypervisor and external environments (e.g., through NICs). We have implemented a prototype of HyperCoffer in a QEMU-based full-system emulator and the VM-Shim mechanism in a real machine. Performance measurement using trace-based simulation and on a real hardware platform shows that the performance overhead is small (ranging from 0.6% to 13.9% on simulated platform and 0.3% to 6.8% on real hardware for the VM-Shim mechanism).

Ruoyu Wu,Guanzhong Tian,Longhua Ma,Zhishan Li,Shanqi Liu

DOI: https://doi.org/10.1109/smc53992.2023.10394345

2023-01-01

Abstract:With the development of modern communication technology, traditional Internet of Things systems could not provide sufficient support for large data flow, hardware resource, power consumption, and security during transmission. Especially when it comes to the Industrial Internet of Things (IIoT), where the limitations of hardware resource and power consumption are more strict; the requirements of network security and hardware security are much higher. This paper implements a User Datagram Protocol (UDP) communication system, which is encrypted with one of the Lightweight Cryptography, Xoodyak. We aim to design a lightweight encrypted communication platform. Compared with a public key encryption system, our implementation costs much less hardware resource and power consumption, while providing excellent side-channel attack (SCA) protection. Besides, when there is a large burst length of data flow, two asynchronous FIFO can restore those data respectively, so our design can maintain throughput and data integrity in extreme cases. Based on the above properties, our design is relatively ideal in IIoT encryption scenarios.

Shangqi Lai,Xingliang Yuan,Shi-Feng Sun,Joseph K. Liu,Ron Steinfeld,Amin Sakzad,Dongxi Liu

DOI: https://doi.org/10.48550/arXiv.2001.01848

2020-01-07

Cryptography and Security

Abstract:Network Function Virtualisation (NFV) advances the adoption of composable software middleboxes. Accordingly, cloud data centres become major NFV vendors for enterprise traffic processing. Due to the privacy concern of traffic redirection to the cloud, secure middlebox systems (e.g., BlindBox) draw much attention; they can process encrypted packets against encrypted rules directly. However, most of the existing systems supporting pattern matching based network functions require the enterprise gateway to tokenise packet payloads via sliding windows. Such tokenisation induces a considerable communication overhead, which can be over 100$\times$ to the packet size. To overcome this bottleneck, in this paper, we propose the first bandwidth-efficient encrypted pattern matching protocol for secure middleboxes. We resort to a primitive called symmetric hidden vector encryption (SHVE), and propose a variant of it, aka SHVE+, to achieve constant and moderate communication cost. To speed up, we devise encrypted filters to reduce the number of accesses to SHVE+ during matching highly. We formalise the security of our proposed protocol and conduct comprehensive evaluations over real-world rulesets and traffic dumps. The results show that our design can inspect a packet over 20k rules within 100 $\mu$s. Compared to prior work, it brings a saving of $94\%$ in bandwidth consumption.

Yaxing Chen,Qinghua Zheng,Zheng Yan,Dan Liu

DOI: https://doi.org/10.1109/tpds.2020.3024880

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Due to the concern on cloud security, digital encryption is applied before outsourcing data to the cloud for utilization. This introduces a challenge about how to efficiently perform queries over ciphertexts. Crypto-based solutions currently suffer from limited operation support, high computational complexity, weak generality, and poor verifiability. An alternative method that utilizes hardware-assisted Trusted Execution Environment (TEE), i.e., Intel SGX, has emerged to offer high computational efficiency, generality and flexibility. However, SGX-based solutions lack support on multi-user query control and suffer from security compromises caused by untrustworthy TEE function invocation, e.g., key revocation failure, incorrect query results, and sensitive information leakage. In this article, we leverage SGX and propose a secure and efficient SQL-style query framework named QShield. Notably, we propose a novel lightweight secret sharing scheme in QShield to enable multi-user query control; it effectively circumvents key revocation and avoids cumbersome remote attestation for authentication. We further embed a trust-proof mechanism into QShield to guarantee the trustworthiness of TEE function invocation; it ensures the correctness of query results and alleviates side-channel attacks. Through formal security analysis, proof-of-concept implementation and performance evaluation, we show that QShield can securely query over outsourced data with high efficiency and scalable multi-user support.

Yazhe Tang,Zixin Xu,Jie Han

DOI: https://doi.org/10.1109/iccis59958.2023.10453777

2023-01-01

Abstract:Encrypting sensitive information such as IP address and port number of data stream can improve the detection resistance of data during network transmission and reduce security threats. The challenge is that the process of achieving sensitive information obfuscation is complex in traditional network environments with limited network node capabilities. Existing work is mostly based on the principles of traditional cryptography to attain secure end-to-end encrypted authentication and transmission. However, it suffers from high time and space costs, complex and inefficient terminal systems, and the inability to encrypt the aforementioned sensitive information. In this paper, we propose to use the P4(Programming Protocol-independent Packet Processors Procedure, one domain-specific language for data plane) to empower network nodes with encryption and decryption of sensitive identification information in a programmable network environment, combined with a control plane to embed traffic security efforts inside the network and ensure the process is transparent to the end system. Experimental results demonstrate that the P4-based encryption and obfuscation mechanism can ensure data transmission in a hybrid network environment of traditional and programmable networks, obfuscating sensitive information without causing performance burden in terms of transmission delay and throughput.

Cong Wang,Xingliang Yuan,Yong Cui,Kui Ren

DOI: https://doi.org/10.1109/mnet.2017.1700060

IF: 10.294

2017-01-01

IEEE Network

Abstract:Modern enterprise networks heavily rely on ubiquitous network middleboxes for advanced traffic processing such as deep packet inspection, traffic classification, and load balancing. Recent advances in NFV have pushed forward the paradigm of migrating in-house middleboxes to third-party providers as software-based services for reduced cost yet increased scalability. Despite its potential, this new service model also raises new security and privacy concerns, as traffic is now redirected and processed in an untrusted environment. In this article, we survey recent efforts in the direction of enabling secure outsourced middlebox functions, and identify open challenges for researchers and practitioners to further investigate solutions toward secure middlebox services.

Wei Liu,Jun Yan,Xingshen Wei,Haiqing Wang,Shishun Zhu

DOI: https://doi.org/10.1109/cieec50170.2021.9510589

2021-05-28

Abstract:In recent years, due to the elastic container technical characteristics and active open source community support, container technology has become an important basic technology for the new digital infrastructure of power. Now, the container technology is very popular and widely used in power cloud platform, but the problem of power system security risk caused by container can’t be ignored. Aiming at the problem of container security, this paper proposes a lightweight container security enhancement framework. Based on the methods of lightweight hardware virtualization isolation, cloud trust, and transparent encryption and decryption of container data, we implemented the container framework in the power cloud platform. Experiments show that the mechanism has played a practical role and has little impact on the business in terms of performance.

Zinuo Cai,Bojun Ren,Ruhui Ma,Haibing Guan,Mengke Tian,Yong Wang

DOI: https://doi.org/10.1109/tcss.2023.3262289

2023-01-01

IEEE Transactions on Computational Social Systems

Abstract:The ubiquity of artificial intelligence (AI) has led to its extensive research and application in various fields, such as computer vision, natural language processing, and medical image analysis. However, responsible AI faces severe security challenges, including the leakage of pretrained models and valuable training data. The existing solutions adopt new algorithm designs (such as federated learning) or cryptography (such as homomorphic encryption) to prevent possible security vulnerabilities. We observe that hardware-assisted trusted execution environments (TEEs) can further improve machine learning responsibility. Intel Software Guard Extension (SGX) is a popular, trusted execution hardware that enables users’ programs to run in an untrusted execution environment, such as a malicious operating system, but ensures the confidentiality and integrity of data. Therefore, we have designed GUARDIAN, a hardware-assisted secure machine learning training framework that protects data security during the training process. We have analyzed the typical characteristics of machine learning applications and characterized GUARDIAN through extensive experiments. Our findings demonstrate that introducing security guarantees causes performance degradation, which provides a feasible optimization direction in the near future.