Two-Layer Architecture for Signature-Based Attacks Detection over Encrypted Network Traffic

The rapid development of network function virtualization (NFV) technology on a large scale and the explosive growth of network traffic in enterprises has made it necessary to move to the paradigm of middlebox services (MB) in the cloud. Intrusion detection system (IDS) is one of these middlebox services that needs to be deployed in the cloud. However, with the growth of network attacks, redirecting enterprise traffic to external middleboxes inevitably raises new concerns related to packet content security and unauthorized access to the ruleset used for detection. To address these concerns, many research efforts targeted the design and development of IDS that operate over encrypted traffic (secure IDS) by looking for ways to make matching possible over encrypted data (aka secure/encrypted pattern matching) without any leakage while maintaining the same level of efficiency. However, most of the existing designs are communication inefficient and too slow to be deployed to support 5G network traffic that requires high throughput. Furthermore, the majority of real network traffic is legitimate and needs to be filtered quickly. Therefore, in order to improve the inspection delay, we propose in this paper a fast and efficient secure IDS that performs detection over encrypted network traffic based on the Searchable Encryption (SE) class of methods using a two-layer architecture in which the first layer is used to quickly filter out the majority of legitimate traffic and the second layer is used to further inspect only unfiltered malicious traffic. We implemented our solution and a recent powerful secure IDS and showed how our approach provides better results and outperforms it.