ABSTRACT
Network monitoring is vital to the administration and operation of networks, but it requires privileged access that only highly trusted parties are granted. This severely limits the opportunity for external parties, such as service or equipment providers, auditors, or even clients, to measure the health or operation of a network in which they are stakeholders, but do not have access to its internal structure.
In this position paper we propose the use of middleboxes to open up network monitoring to external parties using privacy-preserving technology. This will allow distrusted parties to make more inferences about the network state than currently possible, without learning any precise information about the network or the data that crosses it.
Thus the state of the network will be more transparent to external stakeholders, who will be empowered to verify claims made by network operators. Network operators will be able to provide more information about their network without compromising security or privacy.
- 1.K. Argyraki, P. Maniatis, et al. Verifiable Network-Performance Measurements. In CoNEXT. ACM, 2010. Google ScholarDigital Library
- 2.M. Backes, M. Barbosa, et al. ADSNARK: nearly practical and privacy-preserving proofs on authenticated data. In Security and Privacy, pp. 271–286. IEEE, 2015. Google ScholarDigital Library
- 3.J. Bacon, D. Evans, et al. Middleware 2010, chap. Enforcing End-to-End Application Security in the Cloud, pp. 293–312. Springer, 2010. Google ScholarDigital Library
- 4.E. Ben Sasson, A. Chiesa, et al. Zerocash: Decentralized anonymous payments from bitcoin. In Security and Privacy, pp. 459–474. IEEE, 2014. Google ScholarDigital Library
- 5.F. Bonomi, R. Milito, et al. Fog Computing and Its Role in the Internet of Things. MCC '12, pp. 13–16. ACM, 2012. Google ScholarDigital Library
- 6.D. F. Brewer and M. J. Nash. The Chinese Wall Security Policy. In Security and Privacy, pp. 206–214. IEEE, 1989.Google Scholar
- 7.L. Carata, S. Akoush, et al. A primer on provenance. Commun. ACM, 57(5):52–60, May 2014. Google ScholarDigital Library
- 8.J. C. Corbett, J. Dean, et al. Spanner: Google's Globally Distributed Database. ACM Trans. Comput. Syst., 31(3):8:1–8:22, Aug. 2013. Google ScholarDigital Library
- 9.M. Costa, J. Crowcroft, et al. Vigilante: End-to-end containment of internet worm epidemics. ACM Trans. Comput. Syst., 26(4):9:1–9:68, Dec. 2008. Google ScholarDigital Library
- 10.C. Costello, C. Fournet, et al. Geppetto: Versatile verifiable computation. In Security and Privacy, pp. 253–270. IEEE, 2015. Google ScholarDigital Library
- 11.S. K. Fayazbakhsh, M. K. Reiter, et al. Verifiable network function outsourcing: Requirements, challenges, and roadmap. HotMiddlebox '13, pp. 25–30. ACM, 2013. Google ScholarDigital Library
- 12.S. K. Fayazbakhsh, V. Sekar, et al. Flowtags: Enforcing network-wide policies in the presence of dynamic middlebox actions. HotSDN '13, pp. 19–24. ACM, 2013. Google ScholarDigital Library
- 13.C. Fournet, M. Kohlweiss, et al. ZQL: A Compiler for Privacy-Preserving Data Processing. In USENIX Security, pp. 163–178. Citeseer, 2013. Google ScholarDigital Library
- 14.M. Fredrikson and B. Livshits. ZØ: An Optimizing Distributing Zero-knowledge Compiler. In USENIX Security Symposium, pp. 909–924. 2014. Google ScholarDigital Library
- 15.V. Jeyakumar, M. Alizadeh, et al. Tiny packet programs for low-latency network control and monitoring. HotNets-XII, pp. 8:1–8:7. ACM, 2013. Google ScholarDigital Library
- 16.E. Keller, R. B. Lee, et al. Accountability in Hosted Virtual Networks. VISA '09, pp. 29–36. ACM, 2009. Google ScholarDigital Library
- 17.M. Lennon. Cisco Reviewing Code After Juniper Backdoor Hack. Securityweek.com, Dec 2015.Google Scholar
- 18.I. Miers, C. Garman, et al. Zerocoin: Anonymous distributed e-cash from bitcoin. In Security and Privacy, pp. 397–411. IEEE, 2013. Google ScholarDigital Library
- 19.J. Naous, M. Walfish, et al. Verifying and Enforcing Network Paths with Icing. CoNEXT '11, pp. 30:1–30:12. ACM, 2011. Google ScholarDigital Library
- 20.B. Parno, J. Howell, et al. Pinocchio: Nearly Practical Verifiable Computation. In Security and Privacy, pp. 238–252. IEEE, 2013. Google ScholarDigital Library
- 21.A. Rial and G. Danezis. Privacy-preserving smart metering. WPES '11, pp. 49–60. ACM, 2011. Google ScholarDigital Library
- 22.B. Schneier and J. Kelsey. Secure audit logs to support computer forensics. ACM Trans. Inf. Syst. Secur., 2(2):159–176, May 1999. Google ScholarDigital Library
- 23.V. Sekar and P. Maniatis. Verifiable resource accounting for cloud computing services. CCSW '11, pp. 21–26. ACM, 2011. Google ScholarDigital Library
- 24.J. Sommers, P. Barford, et al. Accurate and Efficient SLA Compliance Monitoring. SIGCOMM Comput. Commun. Rev., 37(4):109–120, Aug. 2007. Google ScholarDigital Library
- 25.R. N. Staff. RIPE Atlas. The Internet Protocol Journal, 18(3):2–26, Sept 2015.Google Scholar
- 26.Y. Zhang, C. Papamanthou, et al. ALITHEIA: towards practical verifiable graph processing. In G. Ahn, M. Yung, et al., eds., Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pp. 856–867. ACM, 2014. Google ScholarDigital Library
Index Terms
- Light at the middle of the tunnel: middleboxes for selective disclosure of network monitoring to distrusted parties
Recommendations
An enhanced approach to supporting controlled access to EPRs with three levels of identity privacy preservations
USAB'11: Proceedings of the 7th conference on Workgroup Human-Computer Interaction and Usability Engineering of the Austrian Computer Society: information Quality in e-HealthThe emergence of e-health has put an enormous amount of sensitive data in the hands of service providers or other third parties, where privacy risks might exist when accessing sensitive data stored in electronic patient records (EPRs). EPRs support ...
Anti-cloning protocol suitable to EPCglobal Class-1 Generation-2 RFID systems
Radio frequency Identification (RFID) systems are used to identify remote objects equipped with RFID tags by wireless scanning without manual intervention. Recently, EPCglobal proposed the Electronic Product Code (EPC) that is a coding scheme considered ...
RFID system with fairness within the framework of security and privacy
ESAS'05: Proceedings of the Second European conference on Security and Privacy in Ad-Hoc and Sensor NetworksRadio Frequency Identification (RFID) systems are expected to be widely deployed in automated identification and supply-chain applications. Although RFID systems have several advantages, the technology may also create new threats to user privacy. In ...
Comments