Wireless Personal Communications

, Volume 95, Issue 4, pp 3509–3537 | Cite as

Privacy-Preserving Data Packet Filtering Protocol with Source IP Authentication

  • Xiaofen Wang
  • Yi Mu
  • Rongmao Chen


Packet filtering allows a network gateway to control the network traffic flows and protect the computer system. Most of the recent research works on the filtering systems mainly concern the performance, reliability and defence against common network attacks. However, since the gateway might be controlled by red an untrusted attacker, who might try to infer the identity privacy of the sender host and mount IP tracking to its data packets. IP spoofing is another problem. To avoid data packets to be filtered in the packet filtering system, the malicious sender host might use a spoofed source IP address. Therefore, to preserve the source IP privacy and provide source IP authentication simultaneously in the filtering system is an interesting and challenging problem. To deal with the problem, we construct a data packet filtering scheme, which is formally proved to be semantic secure against the chosen IP attack and IP guessing attack. Based on this filtering scheme, we propose the first privacy-preserving packet filtering system, where the data packets whose source IP addresses are at risk are filtered, the privacy of the source IP is protected and its correctness can be verified by the recipient host. The analysis shows that our protocol can fulfil the objectives of a data packet filtering system. The performance evaluation demonstrates its applicability in the current network systems. We also presented a packet filtering scheme, where the data packets from one subnet can be filtered with only one filter policy.


Packet filter Privacy-preserving IP spoofing Authentication 



This work is supported by the National Natural Science Foundation of China under Grants 61502086 and 61572115, the Fundamental Research Funds for the Central Universities (No. ZYGX2014J061), the foundation from Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems (No. YF16202) and the foundation from Guangxi Key Laboratory of Trusted Software (No. PF16116X).


  1. 1.
  2. 2.
    Xiang, Y., Zhou, W., & Guo, M. (2009). Flexible deterministic packet marking: An IP traceback system to find the real source of attacks. IEEE Transactions on Parallel and Distributed Systems, 20(4), 567–580.CrossRefGoogle Scholar
  3. 3.
    McCanne, S., & Jacobson, V. (1993) The BSD packet filter: A new architecture for user-level packet capture. In Proceedings of the Usenix Winter 1993 technical conference (pp. 259–270). San Diego, California, USA.Google Scholar
  4. 4.
    Kornexl, S., Paxson, V., Dreger, H., Feldmann, A., & Sommer, R. (2005). Building a time machine for efficient recording and retrieval of high-volume network traffic. In Proceedings of the 5th internet measurement conference, IMC 2005 (pp. 267–272). Berkeley, California, USA, October 19–21, 2005.Google Scholar
  5. 5.
    Partridge, C., Snoeren, A. C., Strayer, W. T., Schwartz, B., Condell, M., & Castineyra, I. (2001). FIRE: Flexible intra-as routing environment. IEEE Journal on Selected Areas in Communications, 19(3), 410–425.CrossRefGoogle Scholar
  6. 6.
    Wu, Z., Xie, M., & Wang, H. (2011). Design and implementation of a fast dynamic packet filter. IEEE/ACM Transactions on Networking, 19(5), 1405–1419.CrossRefGoogle Scholar
  7. 7.
    He, X., Wang, Z., Wang, X., & Zhou, D. H. (2014). Networked strong tracking filtering with multiple packet dropouts: Algorithms and applications. IEEE Transactions on Industrial Electronics, 61(3), 1454–1463.CrossRefGoogle Scholar
  8. 8.
    Huang, S., Tan, K. K., & Lee, T. H. (2012). Fault diagnosis and fault-tolerant control in linear drives using the Kalman filter. IEEE Transactions on Industrial Electronics, 59(11), 4285–4292.CrossRefGoogle Scholar
  9. 9.
    Li, L., & Xia, Y. (2013). Unscented kalman filter over unreliable communication networks with markovian packet dropouts. IEEE Transactions on Automatic Control, 58(12), 3224–3230.CrossRefGoogle Scholar
  10. 10.
    Antikainen, M., Aura, T., & Särelä, M. (2014). Denial-of-service attacks in bloom-filter-based forwarding. IEEE/ACM Transactions on Networking (TON), 22(5), 1463–1476.CrossRefGoogle Scholar
  11. 11.
    Liu, B., Bi, J., & Vasilakos, A. V. (2014). Toward incentivizing anti-spoofing deployment. IEEE Transactions on Information Forensics and Security, 9(3), 436–450.CrossRefGoogle Scholar
  12. 12.
    Wang, H., Jin, C., & Shin, K. G. (2007). Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Transactions on Networking, 15(1), 40–53.CrossRefGoogle Scholar
  13. 13.
    Wang, Y., & Sun, R. (2014). An IP-traceback-based packet filtering scheme for eliminating DDoS attacks. JNW, 9(4), 874–881.Google Scholar
  14. 14.
    Xiong, H., & Qin, Z. (2015). Revocable and scalable certificateless remote authentication protocol with anonymity for wireless body area networks. IEEE Transactions on Information Forensics and Security, 10(7), 1442–1455.CrossRefGoogle Scholar
  15. 15.
    Zhou, J., Dong, X., Cao, Z., & Vasilakos, A. V. (2015). Secure and privacy preserving protocol for cloud-based vehicular dtns. IEEE Transactions on Information Forensics and Security, 10(6), 1299–1314.CrossRefGoogle Scholar
  16. 16.
    Boneh, D., Crescenzo, G.D., Ostrovsky, R., & Persiano, G. (2004). Public key encryption with keyword search. In Advances in cryptology: EUROCRYPT 2004, Proceedings of the international conference on the theory and applications of cryptographic techniques (pp. 506–522). Interlaken, Switzerland, May 2–6, 2004.Google Scholar
  17. 17.
    Wei, R., Xu, Y., & Chao, H.J. (2012). Block permutations in Boolean space to minimize TCAM for packet classification. In Proceedings of the IEEE INFOCOM 2012 (pp. 2561–2565). Orlando, FL, USA, March 25–30, 2012.Google Scholar
  18. 18.
    Cheng, Y., & Wang, P. (2015). Packet classification using dynamically generated decision trees. IEEE Transactions on Computers, 64(2), 582–586.MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Ioannidis, J. (2011). Ipsec. In Encyclopedia of Cryptography and Security (2nd edn., pp. 635–638).Google Scholar
  20. 20.
    Boneh, D., Boyen, X., & Goh, E. (2005). Hierarchical identity based encryption with constant size ciphertext. In Advances in cryptology: EUROCRYPT 2005, proceeding of the 24th annual international conference on the theory and applications of cryptographic techniques (pp. 440–456). Aarhus, Denmark, May 22–26, 2005.Google Scholar
  21. 21.
    Delerablée, C., & Pointcheval, D. (2008). Dynamic threshold public-key encryption. In Advances in cryptology: CRYPTO 2008, proceedings of the 28th annual international cryptology conference (pp. 317–334). Santa Barbara, CA, USA, August 17–21, 2008.Google Scholar
  22. 22.
    Zhang, F., Safavi-Naini, R., & Susilo, W. (2004). An efficient signature scheme from bilinear pairings and its applications. In Public key cryptography: PKC 2004, 7th international workshop on theory and practice in public key cryptography (pp. 277–290). Singapore, March 1–4, 2004.Google Scholar
  23. 23.
    Pairing-based cryptography.
  24. 24.

Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  1. 1.The Center for Cyber Security, the Big Data Research Center and the Department of Computer Science and EngineeringUniversity of Electronic Science and Technology of ChinaChengduChina
  2. 2.The Centre for Computer and Information Security Research, School of Computing and Information TechnologyUniversity of WollongongWollongongAustralia
  3. 3.Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems and Guangxi Key Laboratory of Trusted SoftwareGuilin University of Electronic TechnologyGuilinChina
  4. 4.The College of ComputerNational University of Defense TechnologyChangshaChina

Personalised recommendations