SEPIA: Security through Private Information Aggregation
Secure multiparty computation (MPC) allows joint privacy-preserving computations on data of multiple parties. Although MPC has been studied substantially, building solutions that are practical in terms of computation and communication cost is still a major challenge. In this paper, we investigate the practical usefulness of MPC for multi-domain network security and monitoring. We first optimize MPC comparison operations for processing high volume data in near real-time. We then design privacy-preserving protocols for event correlation and aggregation of network traffic statistics, such as addition of volume metrics, computation of feature entropy, and distinct item count. Optimizing performance of parallel invocations, we implement our protocols along with a complete set of basic operations in a library called SEPIA. We evaluate the running time and bandwidth requirements of our protocols in realistic settings on a local cluster as well as on PlanetLab and show that they work in near real-time for up to 140 input providers and 9 computation nodes. Compared to implementations using existing general-purpose MPC frameworks, our protocols are significantly faster, requiring, for example, 3 minutes for a task that takes 2 days with general-purpose frameworks. This improvement paves the way for new applications of MPC in the area of networking. Finally, we run SEPIA’s protocols on real traffic traces of 17 networks and show how they provide new possibilities for distributed troubleshooting and early anomaly detection.
Research Summary
The paper presents SEPIA, a practical secure multiparty computation (MPC) framework tailored for multi‑domain network security monitoring and troubleshooting. While MPC has been extensively studied, its adoption in real‑time network analytics has been hampered by high computational and communication overhead, especially for comparison‑heavy operations that dominate traffic analysis workloads. SEPIA addresses these challenges through three main technical contributions.
First, the authors redesign the basic comparison primitive used in secret‑sharing‑based MPC. By representing numbers as bit‑vectors and organizing the comparison as a binary tree of XOR and AND gates, they reduce the number of communication rounds dramatically. The implementation pipelines multiple comparisons, enabling SIMD‑style parallelism across many data items. This optimization brings the per‑comparison latency down to sub‑second levels even when thousands of comparisons are performed concurrently.
Second, SEPIA introduces domain‑specific aggregation protocols for the most common network statistics: (i) volume metric addition, which is a pure linear operation and incurs negligible cost; (ii) entropy computation, where the logarithm function is approximated via a pre‑computed lookup table and the resulting sums are evaluated securely; and (iii) distinct‑item counting, achieved by adapting a hash‑based sketch (e.g., HyperLogLog) to the secret‑sharing model, thereby avoiding the quadratic communication cost of naïve set‑union. These protocols are built on top of the optimized comparison primitive and require only a few additional rounds of linear communication.
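The volume-metric addition in (i), sketched as an added example that is not code from the SEPIA library or from the paper: each input provider secret-shares its count among the computation nodes, each node adds the shares it holds locally, and only the total is reconstructed. Shamir sharing over a prime field, the modulus, the threshold t = 4, the function names and the sample byte counts are assumptions of this sketch.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed for this example)

def share(secret, n, t):
    """Split secret into n Shamir shares: any t+1 reconstruct, t reveal nothing."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(points):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def aggregate_volumes(volumes, n_nodes=9, t=4):
    """Input providers share their volume; each node sums the shares it receives."""
    node_sums = [0] * n_nodes
    for v in volumes:
        for idx, (_, y) in enumerate(share(v, n_nodes, t)):
            # Addition is linear, so it needs no communication between nodes.
            node_sums[idx] = (node_sums[idx] + y) % P
    return [(idx + 1, s) for idx, s in enumerate(node_sums)]

# Constructed sample: per-provider byte counts for one time window.
SAMPLE_VOLUMES = [120_534, 98_211, 1_450_003, 77, 310_000]

def demo():
    shares_of_sum = aggregate_volumes(SAMPLE_VOLUMES)
    # Any t+1 = 5 of the 9 nodes can open the total; no node saw an input.
    return reconstruct(shares_of_sum[:5])

if __name__ == "__main__":
    print(demo())
```

Fewer than t+1 node sums interpolate to an unrelated field element, which is why the threshold bounds how many computation nodes may collude before inputs are exposed.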
Third, the authors develop a lightweight execution engine that schedules multiple protocol instances in parallel, dynamically balances load across computation nodes, and minimizes network latency through asynchronous TCP messaging. The engine is exposed as a C++ library (SEPIA) with a clean API, allowing developers to compose higher‑level security analytics without dealing with low‑level MPC details.
The performance evaluation is conducted on two testbeds. In a local cluster (9 computation nodes interconnected with 10 GbE), SEPIA processes data from up to 140 input providers in near‑real‑time: a full correlation task involving 100 k packet records per minute completes in roughly three minutes, consuming less than 50 MB of bandwidth per run. On PlanetLab, a geographically distributed deployment demonstrates that the same workload remains under 200 ms round‑trip latency and similar bandwidth usage, confirming that SEPIA scales to wide‑area networks. Compared against general‑purpose MPC frameworks such as Sharemind and VIFF, the same task requires days of wall‑clock time, highlighting SEPIA’s orders‑of‑magnitude speedup.
To showcase practical relevance, the authors apply SEPIA to real traffic traces from 17 autonomous systems (totaling 2.3 TB). Using the entropy and distinct‑item protocols, they detect coordinated traffic spikes indicative of DDoS attacks and pinpoint anomalous port usage without any participant revealing raw flow records. The results illustrate that distributed troubleshooting and early anomaly detection become feasible while preserving each organization’s confidentiality.
The discussion acknowledges remaining limitations: the current threat model assumes honest‑but‑curious computation nodes, and a malicious node could potentially reconstruct inputs if enough shares are compromised. Future work includes integrating verifiable secret sharing, supporting elastic cloud‑based node scaling, and coupling SEPIA with privacy‑preserving machine‑learning models for richer threat intelligence.
In conclusion, SEPIA demonstrates that with careful algorithmic engineering—optimizing comparison, designing privacy‑preserving aggregation primitives, and parallelizing protocol execution—MPC can move from a theoretical construct to a deployable tool for network security. The framework opens new avenues for collaborative, privacy‑aware security analytics across organizational boundaries.