Privacy-Preserving Cross-Domain Network Reachability Quantification - PowerPoint PPT Presentation

About This Presentation
Title:

Privacy-Preserving Cross-Domain Network Reachability Quantification

Description:

Privacy-Preserving Cross-Domain Network Reachability Quantification Fei Chen Computer Science and Engineering Michigan State University Joint work with – PowerPoint PPT presentation

Slides: 21
Provided by: MartinC168
Learn more at: http://www.cse.msu.edu

Transcript and Presenter's Notes

Title: Privacy-Preserving Cross-Domain Network Reachability Quantification


1
Privacy-Preserving Cross-Domain Network
Reachability Quantification
Fei Chen Computer Science and Engineering Michigan
State University Joint work with Bezawada
Bruhadeshwar and Alex X. Liu
2
Background
  • Network reachability can be defined as
  • What packets can pass through a given network
    path
  • Network reachability quantification is very
    important for
  • Understanding end-to-end network behavior
  • Detecting the violation of security policies

3
Motivation (1/2)
  • Many solutions have been proposed to quantify the
    network reachability
  • The main assumption of these solutions
  • All the reachability information from these
    network devices is known
  • Collecting such information could be very
    difficult
  • Due to the privacy and security concerns

4
Motivation (2/2)
  • Can we achieve the two following goals at the
    same time?
  • Quantify the network reachability for a given
    path, and
  • Preserve privacy of reachability information
    belonging to different parties

5
Problem Statement
  • Assumption
  • For each party, the reachability information is
    converted to an ACL
  • Static reachability information
  • Employ the network reachability approach
    [Khakpour et al., 2010]
  • Let M(A) denote the set of packets that are
    accepted by ACL A
  • We aim to design a privacy preserving protocol
    which
  • Enables User1 to compute $M(A_1) \cap M(A_2) \cap M(A_3)$
  • No party can reveal the ACLs of other parties

6
Threat Model
  • We consider the semi-honest model
  • Each party must follow our protocol correctly
  • Input its ACL to our protocol without cheating
  • Follow the process of our protocol
  • Each party may try to learn the ACL rules of
    other parties
  • Analyze the intermediate messages when running
    the protocol

7
Related work
  • Probing
  • Current practice of verifying reachability
  • Expensive to quantify network reachability
  • Because it needs to generate and send significant
    amount of packets.
  • Inaccurate
  • E.g., it cannot probe the open ports with no
    server listening on them.
  • Network reachability quantification
  • Estimate bounds of network reachability
  • [Xie et al. 2005], [Ingols et al. 2006],
    [Matousek et al. 2008]
  • Quantify the network reachability
  • [Al-Shaer et al. 2009], [Sung et al. 2009],
    [Khakpour et al. 2010]
  • Major assumption is not practical
  • All reachability information is known
  • No prior work studies privacy preserving
    reachability quantification

8
Basic building blocks (1/2)
  • Prefix membership verification

P1: $[3, 7]$
P2: $5$
Prefix family
Prefix format
$S([3,7]) = \{011, 1{*}{*}\}$
$T(5) = \{101, 10{*}, 1{*}{*}, {*}{*}{*}\}$
Prefix numericalization
$N(S([3,7])) = \{0111, 1100\}$
$N(T(5)) = \{1011, 1010, 1100, 1000\}$
If $N(S([3,7])) \cap N(T(5)) \neq \emptyset$, then $5 \in [3, 7]$
9
Basic building blocks (2/2)
  • Range intersection
  • Suppose the domain of this field is $[0, 7]$

P1: $[3, 7]$
P2: $[2, 5]$
Generate ranges (P1): $[0, 2]$, $[3, 7]$
Retrieve boundaries (P2): $2$, $5$
Prefix family and numericalize
Prefix format and numericalize
P1: $N(S([0,2]))$, $N(S([3,7]))$
P2: $N(T(2))$, $N(T(5))$
Because
(1) $N(S([0,2])) \cap N(T(2)) \neq \emptyset$, then $2 \in [0, 2]$
(2) $N(S([3,7])) \cap N(T(5)) \neq \emptyset$, then $5 \in [3, 7]$
From $2 \in [0, 2]$ and $5 \in [3, 7]$, we have $[3, 7] \cap [2, 5] = [3, 5]$
10
Privacy preserving range intersection
  • Employ commutative encryption
  • For a number $x$, $((x)_{K_1})_{K_2} = ((x)_{K_2})_{K_1}$
  • For ease of presentation, let $(x)_{K_{12}}$ denote
    $((x)_{K_1})_{K_2}$

P1 ($K_1$): $[3, 7]$
$N(S([0,2]))$, $N(S([3,7]))$
(1) Encrypt by P1 (2) Encrypt by P2
$N(S([0,2]))_{K_{12}}$, $N(S([3,7]))_{K_{12}}$
P2 ($K_2$): $[2, 5]$
$N(T(2))$, $N(T(5))$
(1) Encrypt by P2 (2) Encrypt by P1
$N(T(2))_{K_{21}}$, $N(T(5))_{K_{21}}$
If P1 does the comparison, it can conclude that
$[3, 7] \cap [2, 5] = [3, \text{the original number of } N(T(5))_{K_{21}}]$
11
Range intersection of multiple parties
P2 ($K_2$): $[3, 7]$
$N(S([0,2]))$, $N(S([3,7]))$
(1) Encrypt by P2 (2) Encrypt by P3
$N(S([0,2]))_{K_{23}}$, $N(S([3,7]))_{K_{23}}$
P3 ($K_3$): $[2, 5]$
$N(T(2))$, $N(T(5))$
(1) Encrypt by P3 (2) Encrypt by P2
$N(T(2))_{K_{32}}$, $N(T(5))_{K_{32}}$
P1 ($K_1$): $[4, 7]$
$N(S([0,3]))$, $N(S([4,7]))$
(1) Encrypt by P1 (2) Encrypt by P2 (3) Encrypt by P3
$N(S([0,3]))_{K_{123}}$, $N(S([4,7]))_{K_{123}}$
Comparison: $[3, N(T(5))_{K_{32}}]$
Prepare for further comparison: $N(T(3))_{K_{231}}$, $N(T(5))_{K_{321}}$
Comparison: $[4, N(T(5))_{K_{321}}]$
12
Decryption of the comparison result
$N(T(5))_{K_{321}}$
Decrypt by P3
$N(T(5))_{K_{21}}$
Decrypt by P2
$N(T(5))_{K_1}$
Decrypt by P1
$N(T(5))$
Decode
$5$
$4$
$[4, 5] = [4, 7] \cap [3, 7] \cap [2, 5]$
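The two-party range intersection of slides 8 to 10, with the decrypt-and-decode step of slide 12, as an added worked example (not code from the presentation or its authors). Assumptions: the slides do not name the commutative cipher, so modular exponentiation over a demo-sized prime `P` is used here; the function names, the `+1` lift of plaintexts and running both parties in one process are choices made for this illustration.

```python
import secrets
from math import gcd

W = 3            # field width in bits; the slides' domain is [0, 7]
P = 2**127 - 1   # public prime modulus (assumed, demo-sized parameter)

def numericalize(bits, stars):  # prefix bits + separator 1 + a 0 per wildcard
    return int(bits + "1" + "0" * stars, 2)

def T(x):
    """N(T(x)): numericalized prefix family of x (W + 1 prefixes)."""
    b = format(x, f"0{W}b")
    return {numericalize(b[:W - s], s) for s in range(W + 1)}

def S(lo, hi):
    """N(S([lo, hi])): numericalized minimal prefix cover of the range."""
    out = set()
    while lo <= hi:
        s = 0    # widen the aligned block while it stays inside [lo, hi]
        while s < W and lo % (2 << s) == 0 and lo + (2 << s) - 1 <= hi:
            s += 1
        out.add(numericalize(format(lo, f"0{W}b")[:W - s], s))
        lo += 1 << s
    return out

def keygen():
    while True:  # exponent must be invertible mod P - 1 to allow decryption
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def enc(vals, k, fresh=False):
    # x -> x^k mod P commutes across keys; fresh plaintexts are lifted by 1 to avoid x = 1
    return {pow(v + 1 if fresh else v, k, P) for v in vals}

def dec(vals, k):
    return {pow(v, pow(k, -1, P - 1), P) for v in vals}

def private_intersect(r1, r2):
    """P1 holds r1, P2 holds r2 (both simulated here); returns r1 ∩ r2 or None."""
    (a, b), k1, k2 = r1, keygen(), keygen()
    cover = [r for r in [(0, a - 1), (a, b), (b + 1, 2**W - 1)] if r[0] <= r[1]]
    s12 = [enc(enc(S(*r), k1, True), k2) for r in cover]  # P1, then P2
    t21 = [enc(enc(T(x), k2, True), k1) for x in r2]      # P2, then P1
    hit = [next(r for r, s in zip(cover, s12) if s & t) for t in t21]  # ciphertext-only match
    if hit[0][0] > b or hit[1][1] < a:
        return None
    # A boundary inside [a, b] is jointly decrypted; the exact value is the only even lifted member.
    val = lambda t: next((v - 1) >> 1 for v in dec(dec(t, k1), k2) if v % 2 == 0)
    return (val(t21[0]) if hit[0] == (a, b) else a, val(t21[1]) if hit[1] == (a, b) else b)
```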
13
ACL preprocessing
  • ACL consists of multi-dimensional overlapping
    rules
  • Convert it to non-overlapping rules with accept
    decision

FDD construction
Extract non-overlapping rules with the accept
decision
14
Experiment Setup
  • We conducted experiments on both real and
    synthetic ACLs
  • Each ACL examines five fields,
  • Source and destination IPs, source and
    destination ports, protocol type
  • The number of rules ranges from dozens to
    thousands
  • For effectiveness, we verified the correctness
  • For efficiency, we evaluate the computation and
    communication costs of the core operations
  • Processing each ACL
  • Comparing every two ACLs

15
Experimental Results (1/3)
  • For real ACLs with the average number of rules
    806
  • Both offline and online Computation costs are
    less than 2 seconds
  • Communication cost is less than 60 KB
  • Comparison cost is less than 1 second
  • Our approach is efficient for the conversion and
    comparison of two real ACLs

Processing real ACLs
16
Experimental Results (2/3)
  • For synthetic ACLs with number of rules from 200
    to 2000
  • One-time offline computation cost is less than
    400 seconds
  • The online computation cost is less than 5
    seconds
  • Communication cost is less than 450 KB

Processing synthetic ACLs
17
Experimental Results (3/3)
  • For synthetic ACLs with number of rules from 200
    to 2000
  • The comparison time of two synthetic firewalls is
    less than 4 seconds

Comparing synthetic ACLs
18
Conclusion
  • Investigate privacy preserving quantification of
    network reachability for the first time
  • Propose an efficient and secure protocol to
    quantify the network reachability accurately
  • Conduct experiments on both real and synthetic
    ACLs to demonstrate the effectiveness and
    efficiency of our protocol

19
Future work
  • Dynamic routing information
  • Dynamic routing table
  • Topological variations
  • Links go down
  • New links get added
  • Malicious model
  • Some party cheats its ACL

20
Questions
Thank you!