Searchable Encryption Token Extraction for Deep Packet Inspection over Compressed HTTPS

Deep packet inspection is an unavoidable task to prevent the web-based attacks. HTTPS traffic constitutes a significant percentage of web traffic. In order to perform the deep packet inspection on HTTPS traffic, searchable encryption is used. Using searchable encryption, there is no need to decrypt the packet contents; hence the privacy is preserved. Besides, a significant percentage of HTTPS traffic is compressed before reaching the SSL layer. Compression consists of two stages: LZ77 compression and Huffman encoding. For compressed traffic, required tokens for performing searchable encryption are not accessible and the full decompression should be applied to access the tokens. In this case, token extraction is done by parsing a nondeterministic finite automata (NFA) on the decompressed contents. The goal of this paper is to decrease the time complexity of NFA parsing process. In the proposed method, instead of full decompression of the compressed traffic, at first Huffman decoding is applied on the packets to access the LZ77 compressed content. Then, the LZ77 pointers can be used to recognize the repeated substrings and to skip the NFA parsing process. Hence, the token extraction process is accelerated. The evaluations show that the proposed method decreases 65% of time of compressed HTTPS token extraction by skipping the 44% of characters.