Verifiable and Privacy-Preserving Deep Packet Inspection for Multiple Rule Service Providers

  • Zhentao Long
  • Pengfei Wu
  • Kai Zhang*
  • Junqing Gong
  • Jianting Ning

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

Secure outsourced middleboxes provide deep packet inspection (DPI) for encrypted traffic that enables the detection of malicious activities in communications. However, existing DPI systems generally support only a single rule service provider (RSP), whose rule sets are limited to specific attack types. This constraint reduces inspection coverage and diminishes the accuracy of detecting diverse malicious traffic. In this paper, we present MRv-DPI, a new privacy-preserving DPI system that supports inspection rules from multiple RSPs, enabling targeted inspection for any type of attack pattern. Additionally, considering that the middleboxes may use only part of the subscribed RSPs’ rule sets to inspect each packet, our system also provides verification of inspection results. To support multiple RSPs, MRv-DPI employs a key-homomorphic pseudo-random function, allowing matching between rules encrypted under distinct keys and packets encrypted under a shared key. For result verification, we design a temporal-hashed substring search trie based on trusted hardware, ensuring tamper-resistant verification against untrusted cloud-based middleboxes. To address efficiency challenges arising from increased rule sets across multiple RSPs, MRv-DPI segments both packets and rules, and assigns each rule a main sub-segment to facilitate fast filtering of benign packets. We evaluate MRv-DPI through comprehensive experiments using four public rule sets in a real client-to-server environment. Compared to existing DPI solutions, MRv-DPI not only enhances both security and functionality but also achieves up to 2× faster packet inspection and reduces communication overhead by 36.1% – 57.4%.

Original language: English
Title of host publication: Information Security and Cryptology - 21st International Conference, Inscrypt 2025, Revised Selected Papers
Editors: Rongmao Chen, Robert H. Deng, Moti Yung
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 275-295
Number of pages: 21
ISBN (Print): 9789819562022
State: Published - 2026
Event: 21st International Conference on Information Security and Cryptology, Inscrypt 2025 - Xi'an, China
Duration: 19 Oct 2025 – 22 Oct 2025

Publication series

Name: Lecture Notes in Computer Science
Volume: 16409 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 21st International Conference on Information Security and Cryptology, Inscrypt 2025
Country/Territory: China
City: Xi'an
Period: 19/10/25 – 22/10/25

Keywords

  • Deep packet inspection
  • Key homomorphic pseudo-random function
  • Multiple rule service providers
  • Privacy preserving
