Detection of Anomalous e2e Encrypted Function Invocation in FaaS using Zero-Knowledge Proofs

Function-as-a-Service providers manage security devices that are shared among multiple tenants. It is undesirable to give them access to cleartext HTTP requests to perform tasks such as traffic inspection. The recent Zero-Knowledge Middlebox (ZKMB) can be used to enforce network policies on TLS traffic without revealing any information on the content to the policy verifier. In this paper, we describe a ZKMB implementation and a policy designed to check whether the HTTPS function invocations by the clients follow a legitimate pattern. We also present and compare two strategies to distribute allowed patterns, introducing a Moving-Target Defense approach for the function URI randomization, which shows a good tradeoff between detection effectiveness and confidentiality. Performance assessment in our prototype implementation shows that the ZK algorithms are not yet suitable for real-time execution, but current research interest in this technology is expected to narrow this gap.