PrivBox: Privacy-Preserving Deep Packet Inspection With Dual Double-Masking Obfuscated Rule Generation




Wu, Pengfei; Ning, Jianting; Huang, Xinyi; Chen, Rongmao; Zhang, Kai; Liang, Kaitai

Publisher: IEEE COMPUTER SOC

Year: 2025

Journal: IEEE Transactions on Dependable and Secure Computing

Volume: 22

Issue: 5

Pages: 4954-4970

ISSN: 1545-5971

eISSN: 1941-0018

DOI: https://doi.org/10.1109/TDSC.2025.3557423

https://ieeexplore.ieee.org/document/10948341



Many network middleboxes have been deployed to perform deep packet inspection (DPI) over packet payloads. However, such middleboxes cannot accomplish their tasks when the traffic is encrypted. BlindBox (SIGCOMM 2015) provided the first solution for performing DPI over encrypted traffic. To improve its efficiency, a later proposal PrivDPI (CCS 2019) introduced a practical technique to generate encrypted rules. However, a recent proposal P2DPI (ASIACCS 2021) showed that the rule generator in PrivDPI can compromise the user's privacy. In this article, we present a new attack on P2DPI and show that the privacy of its endpoints can still be compromised by the rule generator. We comprehensively analyze the vulnerability of prior studies and present PrivBox, a new DPI system that achieves the same privacy guarantee as BlindBox while maintaining practical efficiency. This is based on a new technique called dual double-masking obfuscated rule generation. For a ruleset of 3,000, PrivBox achieves connection establishment time on the endpoint side comparable to PrivDPI and supports up to 4,672 token encryptions per second, which is sufficient for a number of real-world applications. Overall, our experiment demonstrates that PrivBox is practical and well-suited for short, frequently established sessions, especially when token repeating is common.



Last updated on 20/02/2026 09:10:26 AM