DCDPI: Dynamic and Continuous Deep Packet Inspection in Secure Outsourced Middleboxes

IEEE Transactions on Cloud Computing (2023)

Abstract
Secure outsourced middleboxes are deployed in network function virtualization services to detect malicious activity in communications, providing privacy-preserving deep packet inspection (DPI) over encrypted traffic. To boost packet-filtering efficiency, recent DPI systems have adopted a two-layer middlebox architecture. Nevertheless, state-of-the-art solutions based on the two-layer architecture suffer from two main limitations: i) they cannot support dynamic rule addition; ii) they fail to inspect discontinuous tokens for rule matching. To address these limitations, this work proposes an efficient, dynamic and continuous DPI (DCDPI) system in secure outsourced middleboxes. To achieve dynamic rule addition with forward privacy, we refine a data structure called virtual binary tree (VBTree) and further introduce a variant of VBTree for DCDPI, termed VBTree+. VBTree+ supports two new desirable features: i) taking the rule action information into consideration; ii) achieving both rule identifier and rule action hiding. By introducing a token continuity check mechanism, DCDPI can effectively identify discontinuous tokens and categorize continuous tokens into one group. Extensive experiments over a real dataset and rule set confirm the practicality and efficiency of DCDPI. Compared to state-of-the-art works in the same setting, DCDPI is 18% to 110% more efficient for connection establishment between gateway/client and server.
Keywords
Middleboxes,Inspection,Payloads,Logic gates,Servers,Privacy,Cloud computing,Deep packet inspection,encrypted traffic inspection,middlebox,network function virtualization,network privacy