TY - GEN
T1 - FlowShredder
T2 - 22nd International Conference on Service-Oriented Computing, ICSOC 2024
AU - Song, Bin
AU - Sun, Bin
AU - Fu, Qiang
AU - Li, Hao
N1 - Publisher Copyright:
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.
PY - 2025
Y1 - 2025
N2 - Cloud services increasingly generate enormous volumes of Internet traffic. Much of it, such as rich media traffic, is not highly sensitive but would still benefit from some form of protection. Traditional end-to-end encryption such as TLS is costly and has drawbacks such as increased latency, while simple anonymity solutions cannot resist traffic analysis attacks. In this paper, we propose FlowShredder, a protocol-independent, in-network service to secure such traffic in the cloud. FlowShredder aims to break the association between packets, data flows and hosts by obfuscating the packet header (and some of the payload if needed). Without the context of flow and hosts, packets are of little value to the adversary. The operation is carried out at cloud gateways without encrypting the payload. Its simple logic can therefore be executed within a single pipeline of the Tofino programmable switch, ensuring wire-speed performance without scalability issues. Being protocol-independent and operating in-network at wire speed makes FlowShredder a practical and generic security service for protecting cloud traffic. In addition, FlowShredder can work with end-to-end encryption such as 0-RTT TLS for enhanced protection. We implement FlowShredder on P4 switches. Experiments show that FlowShredder can effectively resist traffic analysis attacks based on supervised learning techniques.
AB - Cloud services increasingly generate enormous volumes of Internet traffic. Much of it, such as rich media traffic, is not highly sensitive but would still benefit from some form of protection. Traditional end-to-end encryption such as TLS is costly and has drawbacks such as increased latency, while simple anonymity solutions cannot resist traffic analysis attacks. In this paper, we propose FlowShredder, a protocol-independent, in-network service to secure such traffic in the cloud. FlowShredder aims to break the association between packets, data flows and hosts by obfuscating the packet header (and some of the payload if needed). Without the context of flow and hosts, packets are of little value to the adversary. The operation is carried out at cloud gateways without encrypting the payload. Its simple logic can therefore be executed within a single pipeline of the Tofino programmable switch, ensuring wire-speed performance without scalability issues. Being protocol-independent and operating in-network at wire speed makes FlowShredder a practical and generic security service for protecting cloud traffic. In addition, FlowShredder can work with end-to-end encryption such as 0-RTT TLS for enhanced protection. We implement FlowShredder on P4 switches. Experiments show that FlowShredder can effectively resist traffic analysis attacks based on supervised learning techniques.
UR - https://www.scopus.com/pages/publications/85212984128
U2 - 10.1007/978-981-96-0805-8_23
DO - 10.1007/978-981-96-0805-8_23
M3 - Conference contribution
AN - SCOPUS:85212984128
SN - 9789819608041
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 327
EP - 334
BT - Service-Oriented Computing - 22nd International Conference, ICSOC 2024, Proceedings
A2 - Gaaloul, Walid
A2 - Sheng, Michael
A2 - Yu, Qi
A2 - Yangui, Sami
PB - Springer Science and Business Media Deutschland GmbH
Y2 - 3 December 2024 through 6 December 2024
ER -