Skip to main content
SpringerLink
Log in

Privacy-Preserving Data Packet Filtering Protocol with Source IP Authentication

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

Packet filtering allows a network gateway to control the network traffic flows and protect the computer system. Most of the recent research works on the filtering systems mainly concern the performance, reliability and defence against common network attacks. However, since the gateway might be controlled by red an untrusted attacker, who might try to infer the identity privacy of the sender host and mount IP tracking to its data packets. IP spoofing is another problem. To avoid data packets to be filtered in the packet filtering system, the malicious sender host might use a spoofed source IP address. Therefore, to preserve the source IP privacy and provide source IP authentication simultaneously in the filtering system is an interesting and challenging problem. To deal with the problem, we construct a data packet filtering scheme, which is formally proved to be semantic secure against the chosen IP attack and IP guessing attack. Based on this filtering scheme, we propose the first privacy-preserving packet filtering system, where the data packets whose source IP addresses are at risk are filtered, the privacy of the source IP is protected and its correctness can be verified by the recipient host. The analysis shows that our protocol can fulfil the objectives of a data packet filtering system. The performance evaluation demonstrates its applicability in the current network systems. We also presented a packet filtering scheme, where the data packets from one subnet can be filtered with only one filter policy.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

References

  1. Packet filtering. http://en.wikipedia.org/wiki/PF_(firewall).

  2. Xiang, Y., Zhou, W., & Guo, M. (2009). Flexible deterministic packet marking: An IP traceback system to find the real source of attacks. IEEE Transactions on Parallel and Distributed Systems, 20(4), 567–580.

    Article  Google Scholar 

  3. McCanne, S., & Jacobson, V. (1993) The BSD packet filter: A new architecture for user-level packet capture. In Proceedings of the Usenix Winter 1993 technical conference (pp. 259–270). San Diego, California, USA.

  4. Kornexl, S., Paxson, V., Dreger, H., Feldmann, A., & Sommer, R. (2005). Building a time machine for efficient recording and retrieval of high-volume network traffic. In Proceedings of the 5th internet measurement conference, IMC 2005 (pp. 267–272). Berkeley, California, USA, October 19–21, 2005.

  5. Partridge, C., Snoeren, A. C., Strayer, W. T., Schwartz, B., Condell, M., & Castineyra, I. (2001). FIRE: Flexible intra-as routing environment. IEEE Journal on Selected Areas in Communications, 19(3), 410–425.

    Article  Google Scholar 

  6. Wu, Z., Xie, M., & Wang, H. (2011). Design and implementation of a fast dynamic packet filter. IEEE/ACM Transactions on Networking, 19(5), 1405–1419.

    Article  Google Scholar 

  7. He, X., Wang, Z., Wang, X., & Zhou, D. H. (2014). Networked strong tracking filtering with multiple packet dropouts: Algorithms and applications. IEEE Transactions on Industrial Electronics, 61(3), 1454–1463.

    Article  Google Scholar 

  8. Huang, S., Tan, K. K., & Lee, T. H. (2012). Fault diagnosis and fault-tolerant control in linear drives using the Kalman filter. IEEE Transactions on Industrial Electronics, 59(11), 4285–4292.

    Article  Google Scholar 

  9. Li, L., & Xia, Y. (2013). Unscented kalman filter over unreliable communication networks with markovian packet dropouts. IEEE Transactions on Automatic Control, 58(12), 3224–3230.

    Article  Google Scholar 

  10. Antikainen, M., Aura, T., & Särelä, M. (2014). Denial-of-service attacks in bloom-filter-based forwarding. IEEE/ACM Transactions on Networking (TON), 22(5), 1463–1476.

    Article  Google Scholar 

  11. Liu, B., Bi, J., & Vasilakos, A. V. (2014). Toward incentivizing anti-spoofing deployment. IEEE Transactions on Information Forensics and Security, 9(3), 436–450.

    Article  Google Scholar 

  12. Wang, H., Jin, C., & Shin, K. G. (2007). Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Transactions on Networking, 15(1), 40–53.

    Article  Google Scholar 

  13. Wang, Y., & Sun, R. (2014). An IP-traceback-based packet filtering scheme for eliminating DDoS attacks. JNW, 9(4), 874–881.

    Google Scholar 

  14. Xiong, H., & Qin, Z. (2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.

    Article  Google Scholar 

  15. Zhou, J., Dong, X., Cao, Z., & Vasilakos, A. V. (2015). Secure and privacy preserving protocol for cloud-based vehicular dtns. IEEE Transactions on Information Forensics and Security, 10(6), 1299–1314.

    Article  Google Scholar 

  16. Boneh, D., Crescenzo, G.D., Ostrovsky, R., & Persiano, G. (2004). Public key encryption with keyword search. In Advances in cryptology: EUROCRYPT 2004, Proceedings of the international conference on the theory and applications of cryptographic techniques (pp. 506–522). Interlaken, Switzerland, May 2–6, 2004.

  17. Wei, R., Xu, Y., & Chao, H.J. (2012). Block permutations in Boolean space to minimize TCAM for packet classification. In Proceedings of the IEEE INFOCOM 2012 (pp. 2561–2565). Orlando, FL, USA, March 25–30, 2012.

  18. Cheng, Y., & Wang, P. (2015). Packet classification using dynamically generated decision trees. IEEE Transactions on Computers, 64(2), 582–586.

    Article  MathSciNet  MATH  Google Scholar 

  19. Ioannidis, J. (2011). Ipsec. In Encyclopedia of Cryptography and Security (2nd edn., pp. 635–638).

  20. Boneh, D., Boyen, X., & Goh, E. (2005). Hierarchical identity based encryption with constant size ciphertext. In Advances in cryptology: EUROCRYPT 2005, proceeding of the 24th annual international conference on the theory and applications of cryptographic techniques (pp. 440–456). Aarhus, Denmark, May 22–26, 2005.

  21. Delerablée, C., & Pointcheval, D. (2008). Dynamic threshold public-key encryption. In Advances in cryptology: CRYPTO 2008, proceedings of the 28th annual international cryptology conference (pp. 317–334). Santa Barbara, CA, USA, August 17–21, 2008.

  22. Zhang, F., Safavi-Naini, R., & Susilo, W. (2004). An efficient signature scheme from bilinear pairings and its applications. In Public key cryptography: PKC 2004, 7th international workshop on theory and practice in public key cryptography (pp. 277–290). Singapore, March 1–4, 2004.

  23. Pairing-based cryptography. https://crypto.stanford.edu/pbc/.

  24. Openssl. https://www.openssl.org.

Download references

Acknowledgements

This work is supported by the National Natural Science Foundation of China under Grants 61502086 and 61572115, the Fundamental Research Funds for the Central Universities (No. ZYGX2014J061), the foundation from Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems (No. YF16202) and the foundation from Guangxi Key Laboratory of Trusted Software (No. PF16116X).

Author information

Authors and Affiliations

  1. The Center for Cyber Security, the Big Data Research Center and the Department of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 611731, Sichuan, China

    Xiaofen Wang

  2. The Centre for Computer and Information Security Research, School of Computing and Information Technology, University of Wollongong, Wollongong, NSW, 2522, Australia

    Yi Mu

  3. Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems and Guangxi Key Laboratory of Trusted Software, Guilin University of Electronic Technology, Guilin, 541004, Gunagxi, China

    Xiaofen Wang

  4. The College of Computer, National University of Defense Technology, Changsha, 410073, Hunan, China

    Rongmao Chen

Authors
  1. Xiaofen Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yi Mu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rongmao Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xiaofen Wang.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Wang, X., Mu, Y. & Chen, R. Privacy-Preserving Data Packet Filtering Protocol with Source IP Authentication. Wireless Pers Commun 95, 3509–3537 (2017). https://doi.org/10.1007/s11277-017-4010-0

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-017-4010-0

Keywords

Search

Navigation