Protecting User Privacy in a Multi-Path Information-Centric Network Using Multiple Random-Caches

Transcription

1 Chu WB, Wang LF, Jiang ZJ e al. Proecing user privacy in a muli-pah informaion-cenric nework using muliple random-caches. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 32(3): May 27. DOI.7/s Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework Using Muliple Random-Caches Wei-Bo Chu, Li-Fang Wang, Ze-Jun Jiang, and Alan Chin-Chen Chang 2, Fellow, IEEE School of Compuer Science and Technology, Norhwesern Polyechnical Universiy, Xi an 772, China 2 Deparmen of Informaion Engineering and Compuer Science, Feng Chia Universiy, Taichung, Taiwan 4724, China {wbchu, wanglf, claud@nwpu.edu.cn; alan3c@gmail.com Received Ocober 3, 26; revised February 2, 27. Absrac In-nework caching is a fundamenal mechanism advocaed by informaion-cenric neworks (ICNs) for efficien conen delivery. However, his new mechanism also brings serious privacy risks due o cache snooping aacks. One effecive soluion o his problem is random-cache, where he cache in a rouer randomly mimics a cache hi or a cache miss for each conen reques/probe. In his paper, we invesigae he effeciveness of using muliple random-caches o proec cache privacy in a muli-pah ICN. We propose models for characerizing he privacy of muli-pah ICNs wih random-caches, and analyze wo differen aack scenarios: ) prefix-based aacks and 2) suffix-based aacks. Boh homogeneous and heerogeneous caches are considered. Our analysis shows ha in a muli-pah ICN an adversary can poenially gain more privacy informaion by adoping prefix-based aacks. Furhermore, heerogeneous caches provide much beer privacy proecion han homogeneous ones under boh aacks. The effec of differen parameers on he privacy of muli-pah random-caches is furher invesigaed, and he comparison wih is single-pah counerpar is carried ou based on numerical evaluaions. The analysis and resuls in his paper provide insighs in designing and evaluaing muli-pah ICNs when we ake privacy ino consideraion. Keywords informaion-cenric nework (ICN), user privacy, cache snooping, random-cache, muli-pah Inroducion Wih he dramaic increase in daa raffic, oday s Inerne has evolved from a plaform for global communicaion o a plaform for global informaion publicaion, disseminaion and rerieval. This change of nework usage raises significan challenges for he curren Inerne, which, due o is hos-cenric design principle, is raher inefficien in large-scale conen delivery. Meanwhile, he hos-o-hos communicaion model also provides zero or poor suppor for user mobiliy. Several fuure Inerne archiecures have been proposed in his conex, i.e., DONA [], PSIRP [2], SAIL 2, ICN [3-6]. Among hem, informaion-cenric neworking (ICN) has received a lo of research aenion. ICN is a new neworking paradigm ha faciliaes conen disribuion by focusing on conen objecs raher han heir hos or locaion. In such paradigm, every piece of conen has a name ha can be addressed and roued by nework, and daa delivery becomes easier: a consumer issues he reques for conen objecs, and he nework locaes and rerieves he daa. Besides name-based rouing, ICN advocaes sysemaic in-nework caching, in which each node, i.e., rouer, is equipped wih a piece of sorage for holding requesed conen and poenially saisfies fuure requess in case daa is cached. Thus in ICN, he inermediae rouer also provides conen objecs. This inherenly guaranees ICN wih lower bandwidh con- Regular Paper The work was suppored by he Young Scieniss Fund of he Naional Naural Science Foundaion of China under Gran No and he Aeronauical Science Foundaion of China under Gran No. 24ZD5349. Naional Science Foundaion. NSF fuure Inerne archiecure projec. hp:// Mar Scalable and adapive Inerne soluions. hp:// Mar Springer Science + Business Media, LLC & Science Press, China

2 586 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 sumpion, less congesion, less server load, and shorer ransmission delays. However, rouer-side conen caching a he same ime brings serious privacy risks. One major hrea is cache snooping, where an adversary deermines conen presence hrough probing he caches. For example, he adversary can deermine wheher a paricular piece of conen has been requesed by his/her neighbors, or wheher cerain conen from adjacen producers has been recenly feched. Previous sudies [7] show ha his simple iming aack can be highly effecive. In his paper, we analyze he effeciveness of using muliple random-caches [7] o proec cache privacy in a muli-pah ICN. Random-cache has been considered as an effecive soluion o cache snooping in ICN. I basically refers o he echnique where he cache in a rouer randomly mimics a cache hi or a cache miss for each conen reques so as o make he observed oupu of conen requess/probes saisically indisinguishable, regardless of wheher or no he conen is in a rouer s cache. This echnique has several advanages over oher counermeasures, i.e., i is more scalable, easy-o-implemen, and opaque o boh conen consumers and conen producers. The performance of using single random-cache on proecing user privacy in ICN has been heoreically analyzed in [7]. However, issues, e.g., wheher his echnique is sill effecive in muli-pah ICN, and o wha exen i can provide privacy proecion are sill open problems. Considering he fac ha muli-pah is currenly widely adoped in various neworks for beer performance and reliabiliy, we believe ha his echnique will be likely adoped in fuure ICNs. Therefore, i is exremely imporan for nework operaors o fully undersand hese issues before muli-pah ICN wih random-caches can be deployed a scale. In his paper, we propose models o characerize user privacy in a muli-pah ICN wih random-caches. We show ha in addiion o prefix-based aacks in a single random-cache sysem, an adversary in a mulipah ICN can poenially launch suffix-based aacks o infer conen presence. Meanwhile, we show ha heerogeneous caches provide much beer proecion han homogeneous caches. In paricular, we find ha when he number of pahs is small, muli-pah ICN wih homogeneous caches can seriously leak user privacy under suffix-based aacks. A quaniaive comparison of user privacy using random-caches beween single-pah ICN and muli-pah ICN is carried ou. In summary, we make he following conribuions. ) We adop aformalframeworko quanify he privacy evaluaion of shared rouer caches, and propose models for analyzing he privacy of a muli-pah ICN wih random-caches. 2) We consider boh homogeneous and heerogeneous caches in our model, where in homogeneous caches he parameers of he random-caching algorihm are idenical while hey are chosen independenly in heerogeneous caches. We analyze he effec of hese wo random-caches on privacy proecion based on he formal framework. 3) We invesigae wo aack scenarios: prefixbased and suffix-based aacks. Prefix-based aacks correspond o he echnique ha an adversary deermines conen presence based on he oupu sequence of probes before a cache hi is reurned, and suffixbased aacks correspond o he echnique ha he/she deermines i based on oupu sequence of probes before all caches reurn cache hi. We analyze and evaluae he privacy of muli-pah random-caches under boh aacks. 4) We conduc evaluaion on our models hrough simulaion and numerical sudies, focusing solely on prefix-based aacks since our analysis indicaes ha in pracice, suffix-based aacks are hard o launch as i is nearly impossible for he adversary o rack all oupu sequences. We show ha our model accuraely characerizes user privacy in a muli-pah ICN. Based on he proposed model, we invesigae he impac of various parameers on user privacy in a muli-pah randomcaches sysem. We also compare user privacy in a muli-pah ICN wih is single-pah counerpar based on numerical sudies. We believe he proposed model as well as he resuls derived provides insighs in designing and evaluaing a muli-pah ICN when user privacy is of concerns. The res of he paper is organized as follows. Secion 2 inroduces he background on cache snooping aacks. Secion 3 describes our models for characerizing user privacy in a muli-pah ICN wih random-caches, where boh homogeneous and heerogeneous caches are considered. We also analyze prefix-based and suffixbased aacks. Secion 4 presens performance sudies and evaluaion resuls. Secion 5 gives relaed work and Secion 6 concludes he paper. 2 Background In his secion, we inroduce cache snooping aacks in ICN. We also briefly review he framework o evaluae he cache privacy and he random-cache. These

3 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 587 conens provide a basis for analyzing he privacy of muli-pah ICN wih random-caches. For more deails we sugges readers refer o [7]. 2. Cache Snooping Aack Cache snooping is a echnique ha uses iming informaion o infer he presence of ineresed conen in a nework. Basically, his aack requires an adversary o send ineress/probes o he nework, and hen based on he delays of feching i, he/she decides wheher he ineresed conen is cached by he nework. For example, afer comparing he delay of feching he ineresed conen from he nework wih he one of feching conen objec from a firs-hop rouer s cache, he adversary can immediaely deermine ha he conen has been recenly requesed by his/her neighbors if he wo delays are very close. Noe ha he delays of feching conen from a firs-hop rouer s cache can be obained via a well-conrolled process. More specifically, he adversary can firs disable he local cache of his/her own device, and hen coninuously sends ineress o he nework for a conen wih a size comparable o he ineresed one. He/she hen observes a series of conen delays. The delays of feching conen from he firs-hop rouers cache can be well esimaed by he minimum of hese delays. Some examples and scenarios of his aack can be found in [8-2]. The aack has been shown very effecive. According o he sudy in [7], he probabiliy of deermining he presence of ineresed conen from a shared consumer-facing rouer s cache can be higher han 99.9%, and he aack sill works under complicaed nework opologies. As a resul, cache snooping is generally considered as a major hrea o users privacy in ICN. 2.2 A Formal Framework for Privacy Evaluaion The proposed framework for privacy evaluaion comprises of hree differen componens, namely, sysem model, adversary model, and privacy model. Le us elaborae hese models. Sysem Model. In he framework, each rouer R mainains an inernal sae for each conen objec C, i.e., R records he number of imes ha C has been forwarded by i. Denoe S as he sae and S(C) he number of imes ha C has been forwarded. Meanwhile, a cache managemen algorihm CM conrols R s response o ineress. For securiy concerns, CM can hide cache his bu i canno hide cache misses. In paricular, when he requesed conen is in cache, CM can hide cache his simply by no using he cache and forwarding he ineres o conen source, or by inroducing arificial delays before reurning he conen. Mahemaically, his process can be modeled as a probabilisic algorihm Q S : NM {,, where NM denoes he conen name space. Q S (C) oupus if he required conen C is cached in he rouer wih sae S and a cache hi is generaed, and i oupus if a cache miss occurs. Afer forwarding he conen C, CM incremens S(C) by, and i keeps S(C ) unchanged for all oher conen C C. Adversary Model. Given he above seing, an adversary A is able o launch cache snooping aacks by ineracing wih R. To be specific, he adversary learns he informaion abou he conen forwarded by R by querying Q S (C), and based on he observed oupus, A hen deermines wheher he ineresed conen C is in R. Privacy Model. The concep of (ε, δ)-probabilisic indisinguishabiliy is used o define and evaluae cache privacy. The definiion is given in [7]. We presen i here for compleeness. Definiion ((ε, δ)-probabilisic Indisinguishabiliy). Two disribuions D and D 2 are (ε, δ)- probabilisic indisinguishable, if we can divide he oupu space Ω = Range(D ) Range(D 2 ) ino Ω = Range(D ) Range(D 2 ) and Ω 2 = Ω\Ω such ha for all O Ω, e ε Pr(D=O) Pr(D 2=O) eε, Pr(D Ω 2 )+Pr(D 2 Ω 2 ) δ. From he above definiion, we can see ha ε describes he probabilisic differences of he oupu of D and D 2 in heir inersecion, and δ measures he size of heir difference se. As a resul, he larger ε and δ, he more he differences of he wo disribuions. In oher words, if boh ε and δ are very small, hen he wo disribuions are considered o be idenical. In he framework, (ε, δ)-probabilisic indisinguishabiliy is used o evaluae cache privacy. The idea is o rea he responses of a cache under probes as a random process. Thus wo oupu sequences can be obained when an adversary sends queries o he cache wih and wihou he ineresed conen (see Fig.). The disribuions of he wo oupu sequences can be calculaed, and hen heir difference can be evaluaed by he (ε, δ)-probabilisic indisinguishabiliy. Inuiively, if ε and δ are boh very small, hen i is regarded ha cache privacy is well proeced.

4 588 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 Adversary Probes: Q S c Q S c Q S c Response Oupu. (a) Rouer R S c / S delays and bandwidh savings. Meanwhile, since he hreshold is unknown o he adversary, if i is properly (i.e., carefully and randomly) seleced, hen i is hard for he adversary o infer he presence of he no so popular conen 3. Therefore, random-cache provides a means o proec cache privacy. Adversary Probes: Q S c Q S c Q S c Response Oupu. (b) Rouer R S c /x Fig.. Cache snooping aacks o a rouer when he ineresed conen C is in cache and when i is absen. S (S ) denoes he inernal sae of he rouer wihou (wih) C in cache, and x is he number of imes C has been forwarded by he rouer when he adversary probes. 2.3 Random-Cache Random-cache is a echnique ha indicaes how he cache managemen algorihm responds o ineress. More specifically, in his echnique, each cache (rouer) mainains a hreshold for each conen objec. Upon receiving a new reques, he cache checks wheher he number of imes ha he conen has been forwarded exceedshehreshold. Ifso, i generaesacachehi and oherwise a cache miss. For securiy consideraion, he hreshold for each conen objec is randomly seleced on a domain [, K), and i is unknown o he adversary. The algorihm of random-caching is depiced in Algorihm in [7]. According o is working mechanism, he oupu of random-cache o probes is a sequence comprising of wo sub-sequences: ) he prefix of consecuive cache misses (i.e., s), and 2) he suffix wih consecuive cache his (i.e., s), as shown below. Oupu : {{ Cache Misses {{ Cache His S () From () we can see ha random-cache delays he very firs few requess for each conen. If he requesed conen is popular (i.e., he number of imes i has been forwarded exceeds he hreshold), hen he reques is unlikely o be delayed. In his way, random-cache reains he benefi of in-nework caching such as shor 3 Muli-Pah Random-Cache Privacy In his secion, we adop he framework presened in Secion 2 o analyze he privacy of muli-pah ICN wih random-caches, which is he main focus of his paper. The muli-pah caches sysem is inroduced firsly, and hen he analysis of is privacy is presened. We consider boh homogeneous and heerogeneous caches, and prefix-based and suffix-based aacks. 3. Sysem Models Muli-Pah Cache Sysem. Consider a mulipah/muli-access 4 random-caches sysem as ha shown in Fig.2, which consiss of m random-caches(i.e., here are m rouers R,R 2,,R m and each one has a random-cache). Users (including he adversary A) are served by hese m rouers as heir firs-hop rouers and each conen reques from users is forwarded by one of hese m rouers chosen independenly a random (i.e., due o load balancing). We assume each randomcache works independenly in ha upon receiving a conen ineres, he cache works exacly as he single-pah random-cache described in Algorihm in [7]. We furher assume ha hese m random-caches are idenical in ha hey have he same caching algorihm: for he same conen C, he domain size K and he disribuion of he hreshold k C are he same 5. Legiimae User (U) Adversary ( ) WiFi Rouer (R ) Eherne Rouer 2 (R 2 ) 3G Rouer m (R m ) ICN Neworks Conen Producer (P) Fig.2. Muli-pah/muli-access ICN nework model. 3 Privacy is normally more relaed o unpopular conen. 4 According o is design principle [3], he sraegy layer of ICN can ake advanage of muliple simulaneous conneciviies (i.e., Eherne, WiFi, 4G) o maximize daa ransmission. In his paper, we do no sricly differeniae beween muli-pah and muli-access. 5 The case of differen domain size K is much more complicaed, and addressing i obviously warrans a separae paper.

5 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 589 Adversary Model. In a muli-pah random-caches sysem, he goal of he adversary A is o learn informaion abou conen objecs forwarded(and likely sill be cached) by he m rouers R,R 2,,R m. Wha he adversary conducs is o generae a sequence of requess o a paricularly ineresed conen C, i.e., by querying Q S (C), and hen based on he cache his or misses reurned, he adversary decides wheher he ineresed conen C has been previously requesed by ohers, i.e., i was in he cache of one or more rouers before he/she requess i. 3.2 Privacy Analysis Adoping he same echnique as in he analysis of single-pah random-cache privacy, le S be he sae where he ineresed conen C has never been accessed by users, i.e., none of he m rouers has C in heir caches, and S be he sae ha C has been requesed, i.e., one of he rouers holds C in is cache. We denoe by x he number of imes ha C has been forwarded. Therefore, S and S arewovecorsoflengh m wih each elemen denoing he sae of a rouer, i.e., S (C) = (,,,) and S {{ (C) = (,,,x,,), {{ m m wih x appearing a he i-h posiion of S (C) if C has been forwarded by rouer R i. Noe ha in his paper, we resric ourselves o he case where x only appears in one rouer s cache. This is he wors case since he legiimae user only leaves his/her conen reques hisory in one rouer. We believe when here are muliple rouers wih he ineresed conen, he adversary can deermine he presence of conen more easily. Meanwhile, we assume conen requess are randomly roued o rouers, meaning ha we acually provide a lower bound of cache privacy. We denoe by Q (C,(r,r 2,,r m )) and Q (C,(r,r 2,,r m )) he oupus of requesing C o he m rouers in saes S and S, respecively, when k C, = r, k C,2 = r 2,..., k C,m = r m, where k C,,k C,2,...,k C,m are he hresholds of he m random-caches for conen C. In addiion, le Q (C,(r,r 2,,r m )) and Q (C,(r,r 2,,r m )) denoe he oupu sequences obained by requesing C consecuively, in saes S and S, respecively. Le Q and Q denoe wo random variables describing Q (C,(r,r 2,,r m )) and Q (C,(r,r 2,,r m )), respecively. Table liss he noaions used in our analysis. Symbol C S (C) S (C) K A m R i k C k C,i x Table. Noaions in Analysis Meaning Ineresed conen Sae ha C has never been accessed by users Sae ha C has been accessed by users Domain size Adversary Number of random-caches/rouers The i-h rouer Threshold for conen C Threshold for conen C a rouer i Number of imes C has been requesed when A probes r i Threshold for conen C a rouer i Q (C,(r,r 2,,r m)) Oupu of a reques for C o he m rouers in sae S Q (C,(r,r 2,,r m)) Oupu of a reques for C o he m rouers in sae S Q (C,(r,r 2,,r m)) Oupu of consecuively requesing C in sae S Q (C,(r,r 2,,r m)) Oupu of consecuively requesing C in sae S Q Random variable describing Q (C,(r,r 2,,r m)) Q Random variable describing Q (C,(r,r 2,,r m)) Unlike single-pah random-cache where he oupus of Q and Q are wo sequences wih each one consising of wo sub-sequences as shown in (), for a mulipah random-caches sysem, he oupus of Q and Q are wo sequences and each one consiss of hree subsequences: ) he prefix which is composed of consecuive cache misses, 2) he suffix wih consecuive cache his, and 3) he middle sequence composed of a mix of cache his and cache misses. These sequences are consisen wih he fac ha a he very beginning of probes no cache is overflowed 6, and hen some caches reurn cache his, unil all caches are overflowed. The oupu of cache probes in a muli-pah random-caches sysem hus can be expressed as follows: oupu : {{ {{ Cache Misses Mix of His/Misses {{, Cache His where * denoes a cache hi (i.e., ) or a cache miss (i.e., ). In single-pah random-cache sysems, an adversary can poenially disinguish Q and Q based on he prefix wih consecuive cache misses, since he prefix 6 By overflowed we mean ha he number of requess for a conen exceeds he hreshold and he rouer reurns a cache hi when i receives fuure reques.

6 59 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 fully characerizes heir difference. However, in a mulipah random-caches sysem, besides he prefix, he adversary can poenially disinguish Q and Q based on he sequence preceding he suffix (which includes he prefix sequence and he middle sequence). We call hese wo aacks, prefix-based aack and suffix-based aack. Acually, we can see ha prefix-based aack corresponds o he echnique where an adversary deermines conen presence based on he oupu sequence of probes before a cache hi is reurned, and suffixbased aack corresponds o he echnique where he adversary deermines i based on he oupu sequence of probes before all caches reurn cache his. For singlepah random-cache, hese wo aacks coincide since here is only one cache (i.e., once a cache hi is generaed, all subsequen requess for he conen will be responded wih a cache hi). In wha follows, we will evaluae cache privacy under boh wo aacks. Meanwhile, based on how we selec r, r 2,, r m he hreshold for he ineresed conen, we can furher divide he m caches ino homogeneous and heerogeneous ones. Homogeneous caches refer o he caches where r = r 2 = = r m, and heerogeneous onesmeanhar, r 2,, r m arechosenindependenly. These wo caches provide differen privacy proecions, and will be analyzed in our models Prefix-Based Aack ) Homogeneous Caches. We firs consider prefixbased aack wih homogenous caches. Le L be he prefix lengh (i.e., he number of cache misses). Since a cache hi means ha one cache is overflowed, he prefix wih lengh L means ha he very firs L requess all cause cache misses and i is he (L+)-h reques ha causes a cache hi. Le r = r 2 = = r m = r. For Q wih sae S, we can calculae he probabiliy ha he prefix wih lengh L appears given hreshold r: (L r) = Cr L f(l r,m,r+) m m L+ = Cr L f(l r,m,r+) m L. In he above equaion, m L is he number of ways o disribue L requess o m caches, and CL r denoes he number of ways of selecing r ou of L requess so ha one cache is full, i.e., i is overflowed in he (L + )- h reques. We le CL r = when r < or r > L. f(l r,m,r + ) denoes he number of ways o disribue he res L r requess o he oher m caches such ha each one of hem will have sricly less han r + requess (i.e., none of hem is overflowed). f(l r,m,r+)canbecalculaedwihhe following recurrence: f(l r,m,r+) r = CL r i f(l r i,m 2,r+), i= where f(l r,,r+) = and f(,,r+) =. This sems from adding an exra cache and direcing from o r requess o he cache, in an order mixed wih he requess in he oher caches. Since he hreshold r is seleced randomly on a domain [,K), he probabiliy ha he prefix wih lengh L appears can be obained by he oal probabiliy heorem: (L) = K s= (L r) Pr{r = s, where L m (K ). Nex, we consider Q (wih sae S ). Assume ha he conen has been forwarded by a rouer (cache) for x ( x K) imes. Based on wheher he cache wih he conen is overflowed, we have he following cases. r [,x): in his case, he cache wih he conen is overflowed. There are wo scenarios o have he (L+)-h reques generae a cache hi: ) he reques is forwarded o he cache conaining he conen, and 2) he reques is forwarded o anoher cache (wih no conen iniially) and hen makes i overflowed. Therefore, he probabiliy ha he prefix wih lengh L appears given r can be calculaed as: Pr Q (L r) = {f(l,m,r+)+ ml+ CL r f(l r,m 2,r+) (m ), where CL r f(l r,m 2,r+) denoes he number of ways o have one paricular empy cache (wih no conen a he very beginning) overflowed. Since here are (m ) empy caches, he number of ways o disribue requess such ha one empy cache is overflowed in he (L +)-h reques is CL r f(l r,m 2,r + ) (m ). And f(l,m,r + ) denoes he number of ways o disribue requess such ha he cache which iniially carries he conen generaes he cache hi in he (L+)-h reques (also he number of ways o disribue L requess o he remaining (m ) empy caches such ha hey are all no overflowed). m L+ is he number of ways o disribue all (L + ) requess o m caches. Therefore, he probabiliy ha

7 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 59 he prefix wih lengh L appears can be calculaed as follows: x Pr Q (L) = Pr Q (L r) Pr{r = s, s= where L (m ) r. Since r [,x), we also have L (m ) (x ). r [x,k): in his case, none of he m caches is overflowedin sae S. Again herearewoscenarioso have he (L+)-h reques generae a cache hi: ) he reques is forwarded o he cache conaining he conen, and 2) he reques is forwarded o anoher cache ( empy iniially) ha is overflowed in he (L + )-h reques. Therefore, he probabiliy ha he prefix wih lengh L appears given r can be calculaed as follows: Pr 2 Q (L r) = m L+{M +M 2, where M = C r x L f(l r+x,m,r+) denoes he number of ways o disribue L requess such ha he (L + )-h reques generaes a cache hi in he cache which iniially conains he conen (noe ha only r x requess are needed o overflow he cache). And M 2 = r x i= CL rci L rf(l r i,m 2,r +) (m ) denoes he number of ways o disribue L requess such ha he (L+)-h reques generaes a cache hi in anoher cache (here he cache ha iniially conains he conen should no be overflowed and herefore no more han r x requess are allowed o direc o i). And in his case, we have r x L m r x. Since r [x,k), we obain L m (K ) x. The probabiliy ha he prefix wih lengh L appears can be calculaed as follows: K Pr 2 Q (L) = s=x Pr 2 Q (L r) Pr{r = s. Finally, summarizing all he above wo cases, for Q we can obain he probabiliy ha he prefix wih lengh L appears as follows: (L) = Pr Q (L)+Pr2 Q (L), where L m (K ) x. (This is because (m ) (x ) m (K ) x since x K.) Now we can pariion he oupu space Ω = Range(Q ) Range(Q ) ino Ω and Ω 2, based on he prefix lengh L. Ω = Range(Q ) Range(Q ). This equals he space where L m (K ) x. In his space, boh Q and Q can generae a prefix wih lengh L. Based on he definiion of (ε, δ)-probabilisic indisinguishabiliy, we can calculae ε as follows: ε = ln(max{ (L) Pr, (L) Q ), (2) (L) (L) where L m (K ) x. Observaion. Since ε, we can see ha he muli-pah sysem wih homogeneous caches unavoidably leaks privacy informaion under prefix-based aacks. This is quie differen from single-pah uniformrandom-cache whose ε equals [7]. Ω 2 = Ω\Ω. If m (K ) x < L m (K ), henheoupuofq conainsaleasm (K ) x+ cache misses, which is no possible for Q. Therefore, according o he definiion of (ε, δ)-probabilisic indisinguishabiliy, we can calculae δ as follows: δ = m (K ) L=m (K ) x+ (L). (3) 2) Heerogeneous Caches. We now consider prefix-based aack wih heerogeneous caches, i.e., r,r 2,,r m are chosen independenly. Le R = (r,r 2,,r m ) and R\r i = (r,,r i,r i+,,r m ). Also le g(l,r) denoe he number of ways o disribue L requess o m caches such ha none of hem is overflowed (i.e., no more han r requess are direced o R, no more han r 2 requess are direced o R 2, ec.). g(l,r) can be calculaed wih he following recurrence relaion: g(l,r) = r s= C s L g(l s,r\r ), where g(l,r) = when L = or Card(R) =, where Card(R) denoes he number of daa iems in R, and g(l,r) = when L < or L > m r i. i= Similarly, for Q we can calculae he probabiliy ha he prefix wih lengh L appears given R: (L R) = m m L+{ C ri L g(l r i,r\r i ), (4) i= where g(l r i,r\r i ) denoes he number of ways o disribue L r i requess o rouers R,...,R i,r i+,...,r m such ha none of hese rouers is overflowed, i.e., he number of requess direced o R j (j i) is sricly no more han r j. Therefore, he erm C ri L g(l r i,r\r i ) in (4) denoes he number of ways o disribue L requess o m caches such ha he i-h cache will generae a cache hi

8 592 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 in he (L+)-h reques. And m i= C ri L g(l r i,r\r i ) denoes he number of ways o disribue L requess o m caches such ha one cache will generae a cache hi. Since r,r 2,,r m can be seleced independenly a random on a domain [,K), he probabiliy ha he prefix wih lengh L appears can be obained by he oal probabiliy heorem: (L) = K s = K s m= F(L,R,s,,s m ), where we denoe F(L,R,s,,s m ) = (L R) m Pr{r i = s i, and we have L m (K ). i= Nex, we consider Q. Sill assume he conen has been forwarded x imes by a cache. Wihou loss of generaliy, we assume he conen has been forwarded by rouer R. Again, based on wheher R is overflowed, we have he following cases. r [,x): in his case, R is overflowed when he adversary probes. Due o similar reasoning as for he homogeneous caches, we can calculae he probabiliy ha he prefix wih lengh L appears given r,r 2,,r m : Pr Q (L R) = m L+{g(L,R\r )+ m i=2 C ri L g(l r i,r\r \r i ), where L (m ) (K ). Here R\r \r i = (r 2,,r i,r i+,,r m ). And he probabiliy ha he prefix wih lengh L appears can be calculaed as: x Pr Q (L) = K s =s 2= K s m= G(L,R,s,,s m ), where we denoe G(L,R,s,,s m ) = Pr Q (L R) m Pr{r i = s i. i= r [x,k): in his case, R is no overflowed. Based on he similar reasoning procedure, we can obain he probabiliy ha he prefix wih lengh L appears given r,r 2,,r m as: Pr 2 Q (L R) = m L+ {N +N 2, where L m (K ) x, N = C r x L g(l r + x,r\r ), and N 2 = m r x C ri L Cs L r i g(l r i i=2 s= s,r\r \r i ). Le H(L,R,s,,s m ) = Pr 2 Q (L R) m Pr{r i = s i, he probabiliy ha he prefix wih i= lengh L appears is given as follows: K Pr 2 Q (L) = K s =xs 2= K s m= H(L,R,s,,s m ). Summarizing he above wo cases, for Q we can have he probabiliy given he prefix wih lengh L as: (L) = Pr Q (L)+Pr2 Q (L), where L m (K ) x. Againbased on he prefixlengh L, we canpariion he oupu space of Ω = Range(Q ) Range(Q ) ino Ω and Ω 2, and hen calculae ε (see (2)) and δ (see (3)). For breviy, we omi hese deails Suffix-Based Aack ) Homogeneous Caches. We now consider he suffix-based aack wih homogenous caches. In he suffix-based aack, an adversary deermines he conen presence based on he oupu sequence of probes before all caches reurn a cache hi, i.e., he sequence preceding he suffix. Oupu : {{ {{ Mix of Cache Hi and Miss Suffix Le r = r 2 = = r m = r in sae S, and r = r 2 = = r m = r in sae S. If he oupus of Q and Q are indisinguishable, hen he number of cache misses (i.e., he number of ) in heir sequences should be equal since a ha ime all caches are overflowed. Therefore, we have: mr = mr x, (5) where mr and mr x denoe he number of cache misses in he oupu of Q and Q, respecively. (5) can be rewrien as follows: r r = x m. Since r and r are boh inegers, we can see ha x/m should also be an ineger. This means ha when xcannobedividedbymwih noremainder,he adversary can immediaely infer ha he ineresed conen has been feched by ohers since he number of cache misses (i.e., s) in he oupu of Q and Q is compleely differen. Since x can be any ineger (alhough unknown o he adversary), we can see ha he adversary can a leas deermine he presence of conen a

9 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 593 he probabiliy of ( /m). This also implies ha homogeneous caches seriously leak privacy informaion under suffix-based aack. 2) Heerogeneous Caches. For heerogeneous caches, r,r 2,,r m are se independenly. Since he suffixbased aack is based on he oupu sequence of probes before all caches reurn a cache hi, he difference beween Q and Q is solely caused by R where in sae S he ineresed conen C has been requesed x imes, while in sae S, C has never been accessed. Therefore, for he probabiliy ha a paricular prefix S occurs before all caches reurn a cache hi we have (S (r,r 2,,r m )) = (S (r + x,r 2,,r m )). However, even wih he above relaion, calculaing (ε, δ)-probabilisic indisinguishabiliy for he wo processes is difficul. This is because he prefix lengh grows exponenially wih he increase of he number of rouers m and he domain size K, and in heory i can grow infinie (as long as here are caches no overflowed). In oher words, under his scenario i is no likely ha he adversary can disinguish he wo processes as i is nearly impossible for him/her o rack all hese oupu sequences. Due o his reason, we will no consider his scenario in our numerical sudies. 4 Numerical Evaluaion In his secion, we validae our models hrough simulaion and numerical sudies. We mainly focus on he following four objecives: ) exploring he accuracy of our analyical model; 2) invesigaing he propery of mulipah-caches privacy, more specifically, how he privacy (i.e., ε and δ) changes when he parameers vary; 3) comparing he mulipah-caches privacy under boh homogeneous and heerogeneous caches; 4) comparing he mulipah-caches privacy wih is single-pah counerpar. 4. Evaluaion Resuls Throughou his sudy, we resric ourselves o prefix-based aacks. Meanwhile, we adop uniformrandom-cache 7 alhough differen ypes of randomcache (i.e., exponenial-random-cache) can also be adoped. We firs invesigae he accuracy of our analyical model. To achieve his, we build a simulaion sysem wih differen parameers (i.e., he number of imes he ineresed conen has been requesed x, he domain size K, and he number of pahs a reques can be forwarded m), and hen we compare he derived prefix lengh probabiliies in simulaion wih ha calculaed based on our model. Fig.3 shows he wo probabiliies under boh homogeneous and heerogeneous caches, where we se K =, m = 3 and x = 3. I can be seen ha our model is very accurae as he wo probabiliies are highly in agreemen. We also conduc comparisons under differen seings, and he resuls are persisen. Therefore, we conclude ha our model is accurae and can be used o sudy cache privacy under muli-pah environmen. Probabiliy Probabiliy Prefix Lengh L (a). 5 5 Prefix Lengh L (b) Simulaion Analyical Model 2 25 Simulaion Analyical Model 2 25 Fig.3. Probabiliy comparison beween analyical model and simulaions. (a) Homogeneous caches. (b) Heerogeneous caches. We hen invesigae how ε changes under differen parameers by our model, and he resuls are shown in Fig.4(a), Fig.5(a) and Fig.6(a). From hese figures, i can be seen ha ε incremens wih he increase of x and m; however, i decreases when K becomes larger. 7 Uniform-random-cache is he cache where he hreshold for each conen is uniformly chosen from domain.

10 594 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 8 Heerogeneous Caches Homogeneous Caches.4.2. Heerogeneous Caches Homogeneous Caches 6.8 ε x (a) δ x (b) Fig.4. Muli-pah caches privacy under differen x (K =, m = 3). (a) ε under differen x. (b) δ under differen x. 7 6 Heerogeneous Caches Homogeneous Caches.8 Heerogeneous Caches Homogeneous Caches 5.6 ε 4 δ K (a) K (b) Fig.5. Muli-pah caches privacy under differen K (m = 3, x = 5). (a) ε under differen K. (b) δ under differen K. ε Heerogeneous Caches Homogeneous Caches m (a) δ Heerogeneous Caches Homogeneous Caches m (b) Fig.6. Muli-pah caches privacy under differen m (K =, x = 5). (a) ε under differen m. (b) δ under differen m. Since ε describes he probabilisic differences of he wo disribuions Q (wih no reques record in cache) and Q (wih reques record in cache) in heir inersecion, Fig.4(a) inuiively presens ha an adversary can poenially gain more privacy informaion when he ineresed conen has been requesed more imes when he/she probes. Fig.5(a) shows ha a mulipah-caches sysem can provide users beer privacy proecion by using a large domain size. And Fig.6(a) implies ha an adversary can deermine conen presence more easily when more pahs are used o forward he requess. We also invesigae how δ changes wih differen

11 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 595 parameers. Noe ha as compared wih ε, δ is more relevan o privacy concerns. This is because in a mulipah caches sysem, he se ha δ measures consiss of he oupu solely from Q, which is quie differen from single-pah random-cache where he se ha δ measures consiss of oupus from boh Q and Q. This is also o say ha, in a muli-pah sysem, a larger value of δ ypically means a higher probabiliy ha an adversary can deermine he absence of he ineresed conen ha he conen has never been requesed by users, resuling in anoher kind of privacy breach in pracice. Fig.4(b), Fig.5(b) and Fig.6(b) show how δ changes under differen parameers. From Fig.4(b), we can see ha δ incremens wih he increase of x; however, i decreases when m and K ge larger (see Fig.5(b) and Fig.6(b)). The resuls show ha a muli-pah sysem can provide users beer privacy proecion by using a large domain size and adoping more pahs. However, an adversary can deermine he presence of conen more easily when here are more conen reques records. Meanwhile, from Fig.4 o Fig.6 we can see ha homogeneous caches and heerogeneous caches provide differen privacy proecions. More specifically, i can beseenhahomogeneouscachesleadoasmallerεand a larger δ han heerogeneous caches. Given ha he occurrence of oupu in he se ha δ measures allows he adversary o immediaely deermine he absence of he ineresed conen, and a larger δ indicaes ha an adversary can deermine he absence of conen more easily, we conclude ha heerogeneous caches provide a beer privacy proecion han homogeneous caches. Acually from Fig.7, we can see ha he disribuions of Q and Q do no differ fundamenally under boh homogeneous caches and heerogeneous caches, and herefore i is no easy for he adversary o disinguish he wo processes based on an oupu in he se ha ε measures (heir inersecion). We also compare he muli-pah caches privacy wih single-pah counerpar. Fig.8 shows he comparison of δ. Clearly, we can see ha a muli-pah sysem provides far more beer privacy proecion han a single Q Q.5 Q Q Probabiliy..5 Probabiliy Prefix Lengh L (a) Prefix Lengh L (b) Fig.7. Probabiliy of oupu prefix lengh L (K =, m = 3, x = 5). (a) Homogeneous caches. (b) Heerogeneous caches. δ Single Cache Muli-Pah Homogeneous Caches Single Cache.5.2 Muli-Pah Homogeneous Caches x K m (a) (b) (c) δ δ.5. Single Cache Muli-Pah Homogeneous Caches Fig.8. Comparison of δ in muli-pah caches privacy and single-pah cache privacy. (a) Under differen x (K =, m = 3). (b) Under differen K (x = 5, m = 3). (c) Under differen m (K =, x = 5).

12 596 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 pah counerpar (δ = 2x/K for single-pah uniformrandom-cache, see [7]). Since muli-pah caches can be implemened even hrough virual caches in a sysem ha is no physically muli-pah, we sugges sysem adminisraors and managers adop muli-pah in heir nework infrasrucures o provide users beer privacy proecion. 4.2 Discussions 4.2. Performance Impac on Caching Algorihm Here we discuss he problem wheher he randomcache soluion will impac cache performance. The performance of a cache (or cache algorihm) is generally measured as he hirae (defined as he raio of requess served by he cache over he oal requess received) and he memory occupancy (defined as he amoun of memory occupied when holding conen). Noe ha random-cache only conrols how a rouer responds o he ineress/probes for he conen in cache. However, i does no influence when a conen is cachedand when i is eviced. Acually, he inserion and evicion of conen is conrolled by cache replacemen algorihms such as LRU, FIFO, Random (for capaciy-based cache replacemen algorihm) and TTL (ime-o-live, for TTLbased caching algorihms). To his end, i can be seen ha random-cache has no impac on he caching performance, and i can be used wih any exising cache managemen algorihm Impac of Quick Evicion of Unpopular Conen Random-cache can be used o proec he privacy of unpopular conen. However, unpopular conen is likely o be eviced, and hus influences is effeciveness. This is because hroughou he paper, we make an implici assumpion for he success of cache snooping aack. Tha is, when he adversary launches he aack, i happens ha he ineresed conen is in cache. Therefore, if he conen is quickly eviced, hen wih a low probabiliy ha he adversary is able o access he conen in cache is low. In oher words, under such cases, i becomes more difficul for he adversary o infer he presence of he ineresed conen. 5 Relaed Work Side channel aacks (i.e., iming aacks) have long been a securiy hrea, and here is a large body of research on his opic. Felen and Schneider [3] inroduced aacks ha allow a malicious Webpage o deermine he user s visi hisory, i.e., wheher he user has recenly visied some oher Webpages. They also proposed a way of reengineering browsers o preven mos of hese aacks. In [4] and [5], he auhors analyzed iming aacks on web privacy, and proposed hree differen approaches o model he aacks. Weinberg e al. [6] described ineracive echniques (called hisory sniffing) o allow malicious web sies o infer vicims visis o oher sies, even when defense mechanisms are adoped in major Web-browsers. They demonsraed he feasibiliy of he aack hrough experimens. Baron [7] proposed a counermeasure agains aacks on web privacy described in [4] and [5], based on he idea of having Web-browsers behave(i.e., rendering behavior like link coloring) idenically for boh he previously visied Webpages and new pages. However, hisechniquecanbebypassedbyineraciveaacks [6] ha exploi iming informaion o infer user visi hisory. Borz and Boneh [8] inroduced wo kinds of iming aacks ha leak users privacy, namely, direc iming aack and cross-sie iming aack, and explained why and how hese wo aacks work. They also proposed mehods on how o wrie applicaion code o resis he aacks. Timing aacks on SIP VoIP neworks have also been invesigaed. In [9], Zhang e al. presened a iming aack ha aims a revealing he calling hisory of an SIP domain. They demonsraed via experimens ha such an aack could be easily carried ou, and discussed counermeasures o preven hese aacks. Researchers have proposed counermeasures agains cache sniffing aacks. Jakobsson and Samm [2] proposed a server-side mehod (called Web Camouflage) o proec users cache privacy by randomizing and personalizing he links in Webpages such ha he exac URLs are impossible for an adversary o guess. Schinzel [2] discussed echniques ha randomize he response delay of idenical requess o miigae imingbased aacks. In paricular, hree echniques, namely, delaying all responses, adding a random delay o each response, and selecing a single random delay per desinaion, are proposed. However, he feasibiliy and he effeciveness of hese echniques in NDN are sill no clear. Side channel aacks argeing informaion-cenric neworks, i.e., NDN, are invesigaed. In [22-24], Lauinger e al. overviewed NDN-relaed securiy issues and discussed several possible soluions. Wong and Nikander [25] addressed he privacy problem by concae-

13 Wei-Bo Chu e al.: Proecing User Privacy in a Muli-Pah Informaion-Cenric Nework 597 naing conen providers ID, conen s crypographic ID and some oher mea-daa o consruc conen names. Similar approaches were adoped by Dannewiz e al. [26] where conen names are consruced using a hash of he public key and a se of oher aribues. Burke e al. [27] proposed o use conrol access coupled wih srong auhenicaion o limi users access o shared rouers. Acs e al. [7] sudied cache privacy in NDN and inroduced some pracical counermeasures, and in paricular, hey proposed he randomcache echnique and quanified he degree of conen privacy provided by random-cache based on a formal model. In [-], Mohaisen e al. proposed he vanilla approach and is wo variaions o miigae iming aacks. Unlike [7], heir mehods require recording iming informaion of ineress and rack access frequency for each conen, which unavoidably resuls in a considerable amoun of sae o mainain. Compagno e al. in [2] described an aack o geographically localize a clien in NDN using he iming informaion. Alhough he aack is ineresing, hey did no presen any counermeasures. 6 Conclusions In his paper, we invesigaed he effeciveness of using muliple random-caches o proec cache privacy in a muli-pah ICN. We proposed models for characerizing muli-pah random-caches privacy, and analyzed wo differen aacks prefix-based and suffix-based aacks. Boh homogeneous and heerogeneous caches are considered. Numerical and simulaion sudies are furher carried ou o validae our models and o sudy he propery of muli-pah caches privacy. A comparison of random-cache privacy beween single-pah and muli-pah ICN was also carried ou based on numerical sudies. We believe he proposed models and resuls provide insighs in designing and evaluaing muli-pah ICN when privacy is of concerns. Acknowledgemen The auhors would like o hank he anonymous reviewers for heir valuable commens and suggesions which cerainly improve he qualiy of his paper. References [] Koponen T, Chawla M, Chun B e al. A daa-oriened (and beyond) nework archiecure. ACM SIGCOMM Compuer Communicaion Review, 27, 37(4): [2] Mark A. Academic disseminaion and exploiaion of a clean-slae inerneworking archiecure: The publishsubscribe Inerne rouing paradigm. hp:// Mar. 27. [3] Jacobson V, Smeers D K, Thornon J D e al. Neworking named conen. In Proc. ACM Inernaional Conference on emerging Neworking Experimens and Technologies, Dec. 29, pp.-2. [4] Zhang L, Jacobson V, Tsudik G e al. Named daa neworking (NDN) projec. hp://named-daa.org/, Mar. 27. [5] Cho K, Choi J, Ko D e al. Conen-oriened neworking as a fuure Inerne infrasrucure: Conceps, srenghs, and applicaion scenarios. In Proc. he 3rd In. Conf. Fuure Inerne Technologies, June 28. [6] Choi J, Han J, Cho E, Kwon T, Choi Y. A survey on conen-oriened neworking for efficien conen delivery. IEEE Communicaions Magazine, 2, 49(3): [7] Acs G, Coni M, Gasi P, Ghali C, Tsudik G. Cache privacy in named-daa neworking. In Proc. he 33rd Inernaional Conference on Disribued Compuing Sysems, July 23, pp.4-5. [8] Tourani R, Mick T, Misra S e al. Securiy, privacy, and access conrol in informaion-cenric neworking: A survey. arxiv: , 26. hps://arxiv.org/pdf/ u.pdf, Mar. 27. [9] Chaabane A, Crisofaro E D, Kaafar M A, Uzun E. Privacy in conen-oriened neworking: Threas and counermeasures. ACM SIGCOMM Compuer Communicaion Review, 23, 43(3): [] Mohaisen A, Mekky H, Zhang X, Xie H, Kim Y. Timing aacks on access privacy in informaion cenric neworks and counermeasures. IEEE Transacions on Dependable and Secure Compuing, 25, 2(6): [] Mohaisen A, Zhang X, Schuchard M, Xie H, Kim Y. Proecing access privacy of cached conens in informaion cenric neworks. In Proc. ACM SIGSAC Symposium on Informaion, Compuer and Communicaions Securiy, May 23, pp [2] Compagno A,ConiM,Gasi P,ManciniLV,TsudikG. Violaing consumer anonymiy: Geo-locaing nodes in named daa neworking. In Proc. he 3h Inernaional Conference on Applied Crypography and Nework Securiy, June 25, pp [3] Felen E W, Schneider M A. Timing aacks on web privacy. In Proc. he 7h ACM Conference on Compuer and Communicaions Securiy, Nov. 2, pp [4] Focardi R, Gorrieri R, Lanoe R e al. Formal models of iming aacks on web privacy. Elecronic Noes in Theoreical Compuer Science, 22, 62: [5] Gorrieri R, Lanoe R, Maggiolo-Scheini A e al. Auomaed analysis of imed securiy: A case sudy on Web privacy. Inernaional Journal of Informaion Securiy, 24, 2(3/4): [6] Weinberg Z, Chen E, Jayaraman P, Jackson C. I sill know wha you visied las summer: Leaking browsing hisory via user ineracion and side channel aacks. In Proc. IEEE Symposium on Securiy & Privacy, May 2, pp [7] Baron L. Prevening aacks on a user s hisory hrough CSS: Visied selecors. hp://dbaron.org/mozilla/visiedprivacy, Mar. 27.

14 598 J. Compu. Sci. & Technol., May 27, Vol.32, No.3 [8] Borz A, Boneh D. Exposing privae informaion by iming web applicaions. In Proc. he 6h Inernaional Conference on World Wide Web, May 27, pp [9] Zhang G, Fischer-Huebner S, Marucci L e al. Revealing he calling hisory of SIP VoIP sysems by iming aacks. In Proc. ARES, March 29, pp [2] Jakobsson M, Samm S. Web camouflage: Proecing your cliens from browser-sniffing aacks. IEEE Securiy & Privacy, 27, 5(6): [2] Schinzel S. An efficien miigaion mehod for iming side channels on he web. In Proc. he 2nd Inernaional Workshop on Consrucive Side-Channel Analysis and Secure Design, Feb. 2, pp [22] Lauinger T. Securiy & scalabiliy of conen-cenric neworking [Maser s Thesis]. Technische Universia Darmsad, 2. [23] Lauinger T, Laouaris N, Rodriguez P e al. Privacy implicaions of ubiquious caching in named daa neworking archiecures. Technical Repor, TR-iSecLab-82-, iseclab, 22. [24] Lauinger T, Laouaris N, Rodriguez P e al. Privacy risks in named daa neworking: Wha is he cos of performance? ACM SIGCOMM Compuer Communicaions Review, 22, 42(5): [25] Wong W, Nikander P. Secure naming in informaion-cenric neworks. In Proc. he Re-Archiecing he Inerne Workshop, Nov. 2, Aricle No. 2. [26] Dannewiz C, Golic J, Ohlman B, Ahlgren B. Secure naming for a nework of informaion. In Proc. INFOCOM Workshops, Mar. 2. [27] Burke J, Gasi P, Nahan N, Tsudik G. Securing insrumened environmens over conen-cenric neworking: The case of lighing conrol and NDN. In Proc. Compuer Communicaions Workshops, Apr. 22, pp Wei-Bo Chu received his B.S. degree in sofware engineering in 25 and his Ph.D. degree in conrol science and engineering in 23, boh from Xi an Jiaoong Universiy, Xi an. From 2 22 he worked as a visiing researcher a Microsof Research Asia, Beijing. Since 23 he has been wih he School of Compuer Science and Technology, Norhwesern Polyechnical Universiy, Xi an. His research ineress include Inerne measuremen and modeling, raffic analysis, and performance evaluaion. Li-Fang Wang is currenly a professor in he School of Compuer Science and Technology, Norhwesern Polyechnical Universiy, Xi an. She received her Ph.D. degree in compuer science and echnology from Norhwesern Polyechnical Universiy, Xi an, in 23. Her research ineress include disribued compuing, compuer neworks, cloud compuing and sorages, and elecronic service echnologies. Ze-Jun Jiang is a professor in he School of Compuer Science and Technology a Norhwesern Polyechnical Universiy, Xi an. He received his B.S. degree and M.S. degree in compuer science and echnology in 985 and 988 respecively, boh from Norhwesern Polyechnical Universiy, Xi an. His research ineress include deduplicaion in disribued sysems, cloud compuing, cloud sorage, cloud securiy, informaion securiy, and compuer sofware. Alan Chin-Chen Chang is a chair professor of Feng Chia Universiy, Taichung, China. He is currenly a fellow of IEEE and a fellow of IEE. He published several hundred papers in informaion sciences. In addiion, he has served as a consulan o several research insiues. His curren research ineress include daabase design, compuer crypography, image compression, and daa srucures.