blindbox deep packet inspection over encrypted traffic
play

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine - PowerPoint PPT Presentation

Nov 15, 2022 •409 likes •851 views

BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley (Work under submission). Intrusion Prevention Deep Packet Inspection Parental Filtering (DPI) In-network

  1. BlindBox: Deep Packet Inspection Over Encrypted Traffic Justine Sherry, Chang Lan, Raluca Ada Popa, Sylvia Ratnasamy UC Berkeley (Work under submission).

  2. Intrusion Prevention Deep Packet Inspection Parental Filtering (DPI) In-network devices which inspect and modify packet payloads to enforce security Exfiltration Detection policies. Increasingly offered as “network services.” (e.g. NFV, APLOMB)

  3. Alice and Bob Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  4. DPI Usage Today: HTTP Alice Bob BLACKLIST CONNECTIONS WAREZ HACKS %

  5. DPI Usage Today: HTTP To: Bob From:Alice Hello! Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  6. DPI Usage Today: HTTP To: Alice From:Bob Hello! Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  7. DPI Usage Today: HTTP To: Bob From:Alice Want some WAREZ? Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  8. DPI Usage Today: HTTP Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob DENY HACKS %

  9. Many users are switching to HTTPS, specifically to protect their privacy against eavesdroppers.

  10. DPI Usage Today: HTTPS State of the art solution: Man in the middle the SSL To: Bob From:Alice connection! 0xce869fa98e0g… ????? Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW ATTACK MAD HATTER

  11. BlindBox: Goal • Alice and Bob have two very conflicting requirements! • Privacy. • In-network functionality. • Can they have their cake and eat it too?

  12. Short answer: yes!

  13. BlindBox Functionality • The first system to allow DPI middle boxes like IPS and Parental Filtering to operate over traffic without granting the ability to decrypt the entire payload. • “Principle of least privilege”: the middle box learns only what it needs to know to detect an attack or match.

  14. Can’t functional encryption solve this? • Existing schemes don’t fit our needs: • Wrong security model: all parties learn all of the middlebox rules • Missing functionality: no approach to address rules which are regular expressions • Prohibitive performance: Performing IDS detection over a single packet requires over 1 day of computation on our servers!* *J. Katz, A. Sahai, B. Waters. “Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products.” EUROCRYPT 2008.

  15. B Threat Model Summary: Actors and Constraints • Alice and Bob (Clients): • Users who want to protect their privacy from the MB. Also want protection from each other, ie, that their traffic be scanned by the middlebox. • Requirement: at least one client must be honest. • Middlebox (MB): • “Honest but curious” network operator who provides an inspection service. • McAffee (“Rule Generator”): • Trusted by MB and Clients to generate rules. • Does not have the power to actually observe/manipulate client traffic.

  16. Strawman Approach Has many security holes, but gets one thing right: searchable encryption. BB Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  17. Strawman Approach Rules: WAREZ, HACKS, % BB Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  18. Strawman Approach Rules: 0xeaf345, 0x43aa, 0x678ea3 Deterministic AES; no IV, no Salt BB Alice Bob BLACKLIST CONNECTIONS WAREZ Alice:Bob ALLOW HACKS %

  19. Strawman Approach Rules: 0xeaf345, 0x43aa, 0x678ea3 BB Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  20. Strawman Approach To: Bob From:Alice Would you like some CAKE? BB 0xe90326 Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  21. Strawman Approach To: Bob From:Alice Would you like some CAKE? BB 0x592aa5 Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  22. Strawman Approach To: Bob From:Alice Would you like some CAKE? BB …etc Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  23. Strawman Approach To: Bob From:Alice Would you like BB some CAKE? Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  24. Strawman Approach To: Bob From:Alice 0xea453840eaabb90 BB ccdd9032…. Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  25. Strawman Approach To: Bob From:Alice Would you like some WAREZ? BB 0xeaf345 Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob ALLOW HACKS: 0x43aa… %: 0x678ea3…

  26. Strawman Approach To: Bob From:Alice Would you like some WAREZ? BB Alice Bob BLACKLIST CONNECTIONS WAREZ: 0xeaf345… Alice:Bob DENY HACKS: 0x43aa… %: 0x678ea3…

  27. How many bugs did you spot in our Strawman? Let’s fix it.

  28. What was good about the Strawman? The IDS only learns the decrypted value of the text iff there exists a rule for that text. Hence, only text which is “suspicious” can be read by the IDS. The rest remains encrypted.

  29. Fixing Bug #1 • What if there are duplicate substrings in the flow? Won’t deterministic encryption leak that there are multiple matches, even for substrings that aren’t in the ruleset? Challenge: How Solution: Just add to do so with fast Salt! MB data structures?

  30. Fixing Bug #2 • If Alice knows what all the rules are, doesn’t she know how to evade detection now?* • Also, many IDS rules are trade secrets that they are unwilling to share with users/vendors. • Solution: Yao’s Garbled Circuits + Oblivious Transfer *V. Paxson. “Bro: A System for Detecting Network Intruders in Real Time.” Computer Networks 1999.

  31. Fixing Bug #2 • Result: • Middlebox learns the encrypted value of the rules, without learning Alice’s key. • Alice doesn’t learn what the rules are. • Operation only works if Middlebox’s rules have been signed by the rule generator.

  32. Fixing Bug #3 • Some rules are regular expressions (or even in some cases, scripts), not exact matches. • Solution: “Probable Cause Encryption”, a new form of attribute based encryption (ABE). • Key Idea: A second protocol by which MB gains the ability to decrypt the payload only if a set of exact matches have already been detected.

  33. More details in our paper! • Optimizations to reduce bandwidth overhead. • Details on GC + OH Transfer. • How to do fast matching at the middlebox, despite random salts. • Rule generation, regular expressions, probable cause decryption…

  34. Evaluation Highlights • Three main performance figures: • Detection Time: competitive with existing IDSes • 186Mbps with BB (Snort Achieves 85Mbps) • Transmission Time: practical overhead • Page load completion time increases by 0.15-1x • Setup Time: not yet competitive Cloud Provider Tunneled 4 Unencrypted External Site 5 3 (Internet) 2 • 414s for 3000 rules. 1 6 APLOMB Enterprise Fine for NFV & APLOMB where connections are persistent.

  35. Conclusion • BlindBox is the first system to allow network appliances to perform deep packet inspection over traffic without needing to decrypt the entire stream. • Alice and Bob can “have their cake and eat it too”, keeping the communications private , while receiving the benefits of network services like IDS.

  36. Old/Backup Slides

  37. BlindBox Wishlist & Future Work • Faster setup time (<1second) setup time. • “All or nothing property”: leaks only whether or not a complete rule matched (not substrings) • “Maliciously” -> “Maliciou” + “iciously” • General regular expression support.

  38. Generalizing to More Middleboxes • Follow-on work looks at cloud case in general and more middle boxes — including firewalls, NATs, proxies, etc. • C. Lan, J. Sherry, R. A. Popa, S. Ratnasamy. “Securely Outsourcing Middleboxes to the Cloud.”

  39. Non-Usage Scenario • Charlie is a political dissident in a country which deploys DPI devices for censorship. • Charlie is afraid of political repercussions for the things that he reads and writes on the web. • Charlie should not opt-in to BlindBox. • Even if he trusts his Rule Generator, there Charlie is no guarantee that the Rule Generator has not been co-opted by the government! • Charlie should use a strong encryption scheme instead.

  40. Usage Scenario #1 • Alice is a university student connecting her laptop to the campus network. • Campus policy requires that all traffic be monitored by an IDS to prevent botnet and malware activity from spreading at the university. • Alice likes the idea of having her laptop protected by these mechanisms, but she is worried by the idea of someone being able Alice to read her traffic and private Facebook messages.

  41. Usage Scenario #2 • Bob is a father with two small children at home. • His ISP offers a parental filtering service to block access to pornography. • Bob would like to opt-in to this service. • However, Bob read a news article about ISPs selling user data to marketers, and does not want to allow his ISP read all his Bob traffic and sell it to marketers.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used

Leveraging Traffic Repetitions for High-Speed Deep Packet Inspection INFOCOM 2015 Paper #54 used to enhance the scanning process. Specifically, even if the Abstract Deep Packet Inspection (DPI) plays a major role in contemporary networks, and

479 views • 9 slides
DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced

Bram C.M. Cappers Jarke J. van Wijk b.c.m.cappers@tue.nl j.j.v.wijk@tue.nl SEMANTIC NETWORK TRAFFIC ANALYSIS USING DEEP PACKET INSPECTION AND VISUAL ANALYTICS More Info: www.bramcappers.nl 1 of 5 Advanced Persistent Threats (APTs)

240 views • 5 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017

Deep Packet Inspection Using GPUs Qian Gong, Wenji Wu, Phil DeMar GPU Technology Conference 2017 May 2017 Background Main uses for network traffic analysis Operations &amp; management Capacity planning Performance troubleshooting

520 views • 24 slides
Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer

Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer

Spicy: A Unified Deep Packet Inspection Framework Dissecting All Your Data Robin Sommer International Computer Science Institute, &amp; Corelight, Inc. robin@icsi.berkeley.edu robin@corelight.io http://www.icir.org/robin Deep Packet

931 views • 68 slides
Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy

Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy

CPS-SR CPS-IoT Week 2019 April 15 - 18, 2019 Montreal, Canada Intrusion Detection of Networked Cyber-Physical Systems via Three-Level Deep Packet Inspection Jianghai LI, Wen Si, Xiaojin Huang Institute of Nuclear Energy Technology (INET)

611 views • 32 slides
Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections

Chair for Network Architectures and Services Technical University of Munich (TUM) Active Probing and Deep Packet Inspection detection resistant tunneling through HTTPS connections Intermediate Talk Julien Schmidt May 30, 2016 Chair for

384 views • 16 slides
Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy

1 Stateful Firewalls Hank and Foo Types of firewalls Packet filter (stateless) Proxy firewalls Stateful inspection Deep packet inspection 2 Packet filter (Access Control Lists) Treats each packet in isolation

510 views • 30 slides
CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik

CONTROLLER AREA NETWORK (CAN) DEEP PACKET INSPECTION Grkem Batmaz , Systems Engineer Ildik Pete , Systems Engineer 28 th March, 2018 Car Hacking Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the

371 views • 35 slides
StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang

StriD 2 FA: Scalable Regular Expression Matching for Deep Packet Inspection Xiaofei Wang Junchen Jiang Yi Tang Yi Wang Bin Liu Xiaojun Wang School of Electronic Engineering, Dublin City University, Dublin, Ireland

81 views • 5 slides
Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He,

Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He,

Deep-Q: Traffic-driven QoS Inference using Deep Generative Network Shihan Xiao , Dongdong He, Zhibo Gong Network Technology Lab, Huawei Technologies Co., Ltd., Beijing, China 1 Background What is a QoS Model? Traffic D elay, jitter, packet

464 views • 27 slides
Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and

Head-Body Partitioned String Matching for Deep Packet Inspection with Scalable and Attack-Resilient Performance* Yi-Hua E. Yang Viktor K. Prasanna Chenqian Jiang Ming Hsieh Dept. of Electrical Eng. Ming Hsieh Dept. of Electrical Eng. Ming

432 views • 11 slides
SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department

SWM: Simplified Wu-Manber for GPU-based Deep Packet Inspection Lucas Vespa Ning Weng Department of Computer Science Department of Electrical and Computer Engineering University of Illinois at Springfield Southern Illinois University

181 views • 6 slides
Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet

Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet

Class- -based Traffic Aggregation In Optical Packet based Traffic Aggregation In Optical Packet Class Switched WDM Networks Switched WDM Networks Reza Nejabati, Dimitra Simeonidou Photonic Network Research Center Department of Electronic

276 views • 14 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS &gt; Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
Using Packet Symmetry to Curtail Malicious Traffic Christian Kreibich

Using Packet Symmetry to Curtail Malicious Traffic Christian Kreibich

Using Packet Symmetry to Curtail Malicious Traffic Christian Kreibich christian.kreibich@cl.cam.ac.uk Andrew Warfield Jon Crowcroft Steven Hand Ian Pratt The Bad Traffic Problem * Malicious traffic abounds on the Internet *

192 views • 17 slides
Its 2050: What am I reading? Kim Marrio7 Monash University

Its 2050: What am I reading? Kim Marrio7 Monash University

Its 2050: What am I reading? Kim Marrio7 Monash University Magical Books The Future eBooks should not be digital copies of print books--we

288 views • 6 slides
Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski,

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski,

Anonymous IBE, Leakage Resilience and Circular Security from New Assumptions Zvika Brakerski, Alex Lombardi, Gil Segev, and Vinod Vaikuntanathan Identity-Based Encryption [Sha84, BF03, Coc01] Identity-Based Encryption [Sha84, BF03, Coc01]

1.01k views • 64 slides
Algorithms for Matching and Clustering Using only Ordinal Information Elliot Anshelevich

Algorithms for Matching and Clustering Using only Ordinal Information Elliot Anshelevich

Blind, Greedy, and Random: Algorithms for Matching and Clustering Using only Ordinal Information Elliot Anshelevich (together with Shreyas Sekar) Rensselaer Polytechnic Institute (RPI), Troy, NY Maximum Utility Matching Edges have

953 views • 35 slides
Slides for Staff Meetings &amp; CAC Meetings Name Title Use 44 Point Font Use 36 point font

Slides for Staff Meetings &amp; CAC Meetings Name Title Use 44 Point Font Use 36 point font

Slides for Staff Meetings &amp; CAC Meetings Name Title Use 44 Point Font Use 36 point font Atl Text How would you describe this object and its context to someone who is blind or has low vision? Be mindful of contrast with

255 views • 4 slides
Supporting accessibility in your distribution Some feedback from Debian

Supporting accessibility in your distribution Some feedback from Debian

Supporting accessibility in your distribution Some feedback from Debian Samuel Thibault Slides &amp; stuff on http://brl.thefreecat.org/ http://liberte0.org/ 1 Outline Introduction to

917 views • 46 slides
Musical Source Separation: Principles and State of the Art Juan Jos Burred quipe

Musical Source Separation: Principles and State of the Art Juan Jos Burred quipe

Musical Source Separation: Principles and State of the Art Juan Jos Burred quipe Analyse/Synthse, IRCAM burred@ircam.fr 2nd International Workshop on Learning Semantics of Audio Signals (LSAS), Paris, 21st June 2008 Presentation

847 views • 36 slides
God Hates? By: Steve Morgan Proverbs 6:16-19 (NIV) There are six things the Lord hates,

God Hates? By: Steve Morgan Proverbs 6:16-19 (NIV) There are six things the Lord hates,

God Hates? By: Steve Morgan Proverbs 6:16-19 (NIV) There are six things the Lord hates, seven that are detestable to him: 17 haughty eyes, a lying tongue, hands that shed innocent blood, 18 a heart that devises wicked schemes, feet that are

594 views • 23 slides
The cost of global trade is estimated at $1.8 trillion annually 1 with potential savings from more

The cost of global trade is estimated at $1.8 trillion annually 1 with potential savings from more

The cost of global trade is estimated at $1.8 trillion annually 1 with potential savings from more efficient processes of ~10% Border related costs are higher than transport costs for international trade 2 Export Production Cost 35 37

493 views • 4 slides

More recommend