Selected Projects I Am Involved In
Secure Outsourced Middleboxes
Middleboxes are essential for a wide range of advanced traffic processing in enterprise networks. The trend of deploying middleboxes in public clouds as virtualized services further expands the potential benefits of middleboxes while avoiding local maintenance burdens. Despite its promise, middlebox outsourcing faces crucial security challenges. Traffic is now redirected to the cloud, where both the traffic content and the proprietary middlebox rules are exposed. At the same time, these boxes are no longer under the direct control of enterprises, so it is desirable to ensure that they function as intended.
Cloud Middlebox Service Architecture
- How to design a secure middlebox system that performs network functions without revealing either packet payloads or rules?
- How to devise practical mechanisms that provide runtime execution assurance of outsourced middleboxes with high confidence?
Fulfilling these requirements will ease enterprises' privacy and security concerns, extend their visibility into remote middleboxes, and promote further adoption of NFV services. Preliminary results that address the above questions are published in IEEE INFOCOM'16 and IEEE ICNP'16.
Credit: Huayi Duan, Xingliang Yuan, and Cong Wang.
Encrypted Distributed Data Store
In order to manage the continually growing amount of data, distributed data stores have become the backbone of many public cloud services. However, with increasing data breaches, privacy concerns in data outsourcing have become even more pressing than before. To address these concerns, we start from the most widely adopted data store, the key-value store, and build an encrypted, distributed, and searchable key-value store. Specifically, we cope with the following challenges so that the proposed system does not sacrifice the benefits of existing systems.
- How to securely distribute encrypted data across distributed nodes?
- How to design an overlay that supports multiple data models with strong security guarantees?
- How to design a framework for encrypted and distributed indexes that enable secure queries on secondary attributes of data?
Encrypted Key-value Store Architecture
Our proposed encrypted key-value store achieves strong protection of data privacy while preserving the prominent features of key-value stores. It is built on a secure data partition algorithm that distributes encrypted data evenly across a cluster of nodes. It also supports multiple data models in a privacy-preserving manner. To enable secure queries over encrypted secondary attributes of data, our design provides searchable-encryption-based encrypted secondary indexes that consider security, efficiency, and data locality simultaneously. The results are published in ACM ASIACCS'16 and ACM ASIACCS'17.
Credit: Xinyu Wang, Jianxiong Lin, Xingliang Yuan, Yu Guo, and Cong Wang.
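The following is an added example, not the project's own code, that illustrates the two building blocks described above in a single in-memory simulation: a secure data partition that places records on a consistent-hash ring by a PRF of their key (so placement is even yet the plaintext key is never stored), and an encrypted secondary index whose labels are PRFs of attribute/value pairs and whose postings are encrypted pointers to records. The keys, node names, and the toy stream cipher are constructed for the example (a real system would use AES-CTR or AES-GCM); the locality property shown is that an index entry and the records it points to are located by the same ring lookup.

```python
import bisect
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed example keys; a real client derives them from a master secret.
K_PART = b"example-partition-key"   # PRF key for placement labels of records
K_IDX = b"example-index-key"        # PRF key for secondary-index labels
K_ENC = b"example-encryption-key"   # encryption key for values and postings
NONCE_LEN = 12


def prf(key: bytes, msg: bytes) -> bytes:
    """PRF (HMAC-SHA256) used for placement labels and index labels."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher stand-in for AES-CTR, chosen only to keep the example dependency-free.
    out = b""
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_stream(key, nonce, pt)


def decrypt(key: bytes, ct: bytes) -> bytes:
    return _xor_stream(key, ct[:NONCE_LEN], ct[NONCE_LEN:])


class EncryptedKVStore:
    """Client view of a cluster; each node holds only PRF labels and ciphertexts."""

    def __init__(self, node_names: List[str], vnodes: int = 64):
        self.nodes = {n: {"records": {}, "index": {}} for n in node_names}
        # Consistent-hash ring: each node owns `vnodes` PRF-derived points for even placement.
        self.ring = sorted(
            (int.from_bytes(prf(K_PART, f"{n}#{v}".encode()), "big"), n)
            for n in node_names for v in range(vnodes))
        self._points = [p for p, _ in self.ring]

    def node_for(self, label: bytes) -> str:
        """Owner of a label: first ring point clockwise of the label's position."""
        pos = bisect.bisect_right(self._points, int.from_bytes(label, "big")) % len(self.ring)
        return self.ring[pos][1]

    def put(self, key: str, value: bytes, attrs: Dict[str, str]) -> None:
        ktok = prf(K_PART, key.encode())          # pseudorandom label stands in for the key
        self.nodes[self.node_for(ktok)]["records"][ktok] = encrypt(K_ENC, value)
        for attr, val in attrs.items():
            label = prf(K_IDX, f"{attr}={val}".encode())
            postings = self.nodes[self.node_for(label)]["index"].setdefault(label, [])
            postings.append(encrypt(K_ENC, ktok))   # encrypted pointer to the record

    def get(self, key: str) -> bytes:
        ktok = prf(K_PART, key.encode())
        return decrypt(K_ENC, self.nodes[self.node_for(ktok)]["records"][ktok])

    def query_attr(self, attr: str, val: str) -> List[bytes]:
        """Secondary-attribute query: one label lookup, then fetch each pointed-to record."""
        label = prf(K_IDX, f"{attr}={val}".encode())
        postings = self.nodes[self.node_for(label)]["index"].get(label, [])
        results = []
        for ct in postings:
            ktok = decrypt(K_ENC, ct)
            results.append(decrypt(K_ENC, self.nodes[self.node_for(ktok)]["records"][ktok]))
        return results

    def load_distribution(self) -> Dict[str, int]:
        return {n: len(s["records"]) for n, s in self.nodes.items()}


if __name__ == "__main__":
    kv = EncryptedKVStore(["node-a", "node-b", "node-c"])
    kv.put("user:1", b"alice", {"city": "Hong Kong"})
    kv.put("user:2", b"bob", {"city": "Hong Kong"})
    kv.put("user:3", b"carol", {"city": "Sydney"})
    print(kv.query_attr("city", "Hong Kong"), kv.load_distribution())
```

What the server sees per node is a set of 32-byte labels and ciphertexts; which records share an attribute value is revealed only when that value is queried (the usual access-pattern leakage of searchable encryption), and the plaintext keys, values and attribute values never leave the client.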
Privacy-assured Similarity Search for Large-scale Applications
Big data are usually drawn from a variety of forms: not just text, but also images, audio, video, and other information-rich content, which are usually represented as high-dimensional data records. In this context, similarity queries are more desirable than exact-match queries. Meanwhile, multimedia data often contain sensitive or personal information. Thus, enabling secure content-aware query processing over encrypted multimedia data is in great demand. Yet most prior solutions for encrypted search target exact-match queries.
Privacy-preserving Image Querying Service
To bridge the gap, we first note that this problem could in theory be handled by a direct combination of locality-sensitive hashing (LSH) and searchable symmetric encryption (SSE), where LSH is a well-studied algorithm for fast similarity search and SSE is a widely adopted security framework for encrypted search. By treating LSH hash value(s) as keyword(s), one may apply known SSE schemes to realize secure similarity search. However, we observed that such a straightforward solution does not achieve practical scalability and efficiency as dataset sizes continue to grow. Rather than just assembling off-the-shelf designs in a black-box manner, we consider the challenges and requirements of different scenarios, e.g., applications that need to support low-latency queries, applications that need to handle streaming data at high rates, and applications deployed in distributed systems. To serve these needs, we develop new constructions from the ground up. The results are published in IEEE ICDCS'14, ESORICS'15, IEEE TMM, and IEEE/ACM IWQoS'17.
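The "straightforward" LSH-plus-SSE baseline described above, written out as an added example (not the project's code) so the keyword mapping is concrete: random-hyperplane LSH for cosine similarity produces one bit string per hash table, each `table:bits` string is used as a keyword, and an SSE-style index stores PRF labels of those keywords with postings that are document ids masked by a PRF-derived pad. The server holds only labels and masked postings; the client keeps the keys and per-label counters, sends labels as search tokens, and unmasks the returned postings. Keys, document ids and vectors are constructed for the example.

```python
import hashlib
import hmac
import random
from typing import Dict, List, Sequence, Set

# Constructed example keys; a real client derives them from a master secret.
K_LABEL = b"example-label-key"   # PRF key turning an LSH keyword into an index label
K_PAD = b"example-pad-key"       # PRF key for the one-time pads that mask posting entries
ID_WIDTH = 16                    # fixed posting width so ciphertext length reveals nothing about ids


def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class RandomHyperplaneLSH:
    """Sign-random-projection LSH for cosine similarity: `tables` tables of `k` hyperplanes."""

    def __init__(self, dim: int, k: int, tables: int, seed: int = 7):
        rng = random.Random(seed)   # fixed seed so both parties derive identical tables
        self.planes = [[[rng.gauss(0, 1) for _ in range(dim)] for _ in range(k)]
                       for _ in range(tables)]

    def keywords(self, v: Sequence[float]) -> List[str]:
        """One keyword per table, '<table>:<bit string>'; equal keywords are candidate neighbours."""
        out = []
        for t, table in enumerate(self.planes):
            bits = "".join("1" if sum(p * x for p, x in zip(plane, v)) >= 0 else "0"
                           for plane in table)
            out.append(f"{t}:{bits}")
        return out


class IndexServer:
    """Untrusted party: stores labels and masked postings, never sees keys, vectors or buckets."""

    def __init__(self):
        self.store: Dict[bytes, List[bytes]] = {}

    def put(self, label: bytes, masked: bytes) -> None:
        self.store.setdefault(label, []).append(masked)

    def lookup(self, label: bytes) -> List[bytes]:
        return self.store.get(label, [])


class SimilarityClient:
    """Key holder: builds the encrypted index and issues search tokens."""

    def __init__(self, lsh: RandomHyperplaneLSH, server: IndexServer):
        self.lsh = lsh
        self.server = server
        self.counts: Dict[bytes, int] = {}   # per-label posting counter (client state)

    @staticmethod
    def _pad(label: bytes, i: int) -> bytes:
        return prf(K_PAD, label + i.to_bytes(4, "big"))[:ID_WIDTH]

    def index(self, doc_id: str, vec: Sequence[float]) -> None:
        pid = doc_id.encode().ljust(ID_WIDTH, b"\0")
        for kw in self.lsh.keywords(vec):
            label = prf(K_LABEL, kw.encode())
            i = self.counts.get(label, 0)
            self.counts[label] = i + 1
            self.server.put(label, bytes(a ^ b for a, b in zip(pid, self._pad(label, i))))

    def tokens(self, qvec: Sequence[float]) -> List[bytes]:
        """Search tokens sent to the server: one PRF label per LSH table."""
        return [prf(K_LABEL, kw.encode()) for kw in self.lsh.keywords(qvec)]

    def similar(self, qvec: Sequence[float]) -> Set[str]:
        """Candidate ids colliding with the query in at least one table."""
        found = set()
        for label in self.tokens(qvec):
            for i, masked in enumerate(self.server.lookup(label)):
                pid = bytes(a ^ b for a, b in zip(masked, self._pad(label, i)))
                found.add(pid.rstrip(b"\0").decode())
        return found


if __name__ == "__main__":
    client = SimilarityClient(RandomHyperplaneLSH(dim=4, k=4, tables=3), IndexServer())
    client.index("img-1", [1.0, 0.0, 0.0, 0.0])
    client.index("img-2", [0.0, 1.0, 0.0, 0.0])
    print(client.similar([2.0, 0.0, 0.0, 0.0]))   # img-1 always collides: same direction
```

Two properties of this hash family are visible in the code: a positively scaled query always lands in the same bucket in every table (cosine similarity ignores magnitude), and a negated query flips every bit and so never collides. The baseline's scaling problem is also visible: every indexed vector costs one posting per table, and every query costs one token per table plus the full posting list of each matching bucket, which is what the constructions above are designed to avoid.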
Secure Content Delivery via Encrypted In-network Caching
To handle the exponential growth of media content, emerging network architectures along the direction of Information-Centric Networking (ICN) have been proposed. Storing data in advanced network devices such as cache-enabled routers brings well-appreciated benefits like reduced content access latency. However, because of the potentially wide attack surface, caching data in an increasingly untrustworthy networked environment raises new concerns about user privacy exposure and unauthorized data access.
Content Delivery Service via Encrypted In-network Caching
To address these concerns, we designed new networked systems for secure and efficient content dissemination through encrypted in-network caching. To move one step further towards practice, we consider the effective support of content dissemination from multiple providers to authorized users, and study how to efficiently enable authorized search across encrypted in-network content from multiple providers, each under its own key. To broaden the application scenarios, our system also supports advanced content-aware dissemination by incorporating near-duplicate content detection into the encrypted in-network cache system. Preliminary results are published in IEEE JSAC and IEEE INFOCOM'16.