Li Qi,Lee Patrick P. C.,Zhang Peng,Su Purui,He Liang,Ren Kui

DOI: https://doi.org/10.1109/TNET.2017.2715822

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Named data networking (NDN) enhances traditional IP networking by supporting in-network content caching for better bandwidth usage and location-independent data accesses for multi-path forwarding. However, NDN also brings new security challenges. For example, an adversary can arbitrarily inject packets to NDN to poison content cache, or access content packets without any restrictions. We propose c...

Yong Yu,Yannan Li,Xiaojiang Du,Ruonan Chen,Bo Yang

DOI: https://doi.org/10.1109/mcom.2018.1701086

IF: 9.03

2018-11-01

IEEE Communications Magazine

Abstract:ICNs are promising alternatives to current Internet architecture since the Internet struggles with a number of issues such as scalability, mobility, and security. ICN offers a number of potential benefits including reduced congestion and enhanced delivery performance by employing content caching, simpler network configurations, and stronger security for the content. NDN, an instance of ICN, enables content delivery instead of host-centric approaches by naming data rather than host. In order to make NDN practical in the real world, the challenging issues of content security need to be addressed. In this article, we examine the architecture and content security as well as possible solutions to these issues of NDN, with a special focus on the content integrity and provenance. We propose a variety of digital signature schemes to achieve the data integrity and origin authentication in NDN for various applications, which include cost-effective signatures, privacy preserving signatures, network coding signatures, and post-quantum signatures. We also present speed-up techniques in generating signatures and verifying signatures such as pre-computation, batch verification, and server-aided verification to reduce the computational cost of the producers and receivers in NDN. A number of certificate-free trust management approaches and possible adoptions in NDN are investigated.

telecommunications,engineering, electrical & electronic

Kai Lei,Tao Chen,Cheng Peng,Zhi Tan

DOI: https://doi.org/10.1109/cse.2014.128

2014-01-01

Abstract:In recent years, the focus to optimize network transmission efficiency has evolved to adopt methods that let those intermediate data transferring nodes get involved with routing, forwarding and caching. In other words, the new network architecture designs become in favor of hop-to-hop model, instead of traditional TCP-like end-to-end model. Named data networking is a promising future internet data oriented architecture which uses names instead of addresses and exchanges or forwards interest/data pair packets at each node along the path to route data for delivery. And meanwhile Network coding (NC) is a content oriented and effective method to reduce redundancy, increase network throughput and improve robustness. Nonetheless, due to NDN's current preliminary research, less research has combined these two technologies together. This paper presents some new thoughts to study on the benefits brought by integrating network coding to NDN, which can effectively improve network utilization, strengthen caching privacy, and also promote development of the NDN architecture itself.

Peng Zhang,Qi Li,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2015.2498603

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As a popular realization of Information-Centric Network (ICN), Named Data Networking (NDN) greatly improves the efficiency of Internet content-distribution. A feature of NDN is that it improves privacy, as no addresses are needed for either the content consumer or publisher. However, NDN packets contain content names, and hence a well-motivated adversary can still deduce what content the user is requesting once it can link the packets and users. How to provide privacy in NDN, given its unique data retrieval mode, is an open problem. In this paper, we explore a specific content-oriented anonymity model called content-user unlinkability, which breaks the relationship between the content and the requesting user. We argue that achieving content-user unlinkability efficiently is a non-trivial task, since existing tunnel-based approaches will largely dismiss content caching of NDN, resulting in large content retrieval delay. To this end, we propose CRISP, namely Cooperative Random IntereSt Propagation. In CRISP, routers cooperate to form full-meshed groups, within which content requests are randomly propagated before they are forwarded to content producers. We show CRISP can achieve probable content-user unlinkability with probabilistic models. Extensive simulations demonstrate that CRISP outperforms existing solutions including ANDANA and Crowds, in terms of both content retrieval latency and data throughput.

Yingjie Xia,Wenzhi Chen,Xuejiao Liu,Luming Zhang,Xuelong Li,Yang Xiang

DOI: https://doi.org/10.1109/tits.2017.2653103

IF: 8.5

2017-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Vehicular ad-hoc networks (VANETs) have drawn much attention of researchers. The vehicles in VANETs frequently join and leave the networks, and therefore restructure the network dynamically and automatically. Forwarded messages in vehicular ad-hoc networks are primarily multimedia data, including structured data, plain text, sound, and video, which require access control with efficient privacy preservation. Ciphertext-policy attribute-based encryption (CP-ABE) is adopted to meet the requirements. However, solutions based on traditional CP-ABE suffer from challenges of the limited computational resources on-board units equipped in the vehicles, especially for the complex policies of encryption and decryption. In this paper, we propose a CP-ABE delegation scheme, which allows road side units (RSUs) to perform most of the computation, for the purpose of improving the decryption efficiency of the vehicles. By using decision tree to jointly optimize multiple factors, such as the distance from RSU, the communication and computational cost, the CP-ABE delegation scheme is adaptively activated based on the estimation of various vehicles decryption overhead. Experimental results thoroughly demonstrate that our scheme is effective and efficient for multimedia data forwarding in vehicular ad-hoc networks with privacy preservation.

Lei Kai,Yuan Jie

DOI: https://doi.org/10.3969/j.issn.1000-0801.2014.09.005

2014-01-01

Abstract:Future internet architecture research is one of the major strategic needs of science and technology development. As a promising design, named data networking（NDN）has drawn the extensive attentions of researchers and industry. Since NDN architecture evolves the internet from today's host-based packet delivery towards directly retrieving named objects, there are still a lot of issues have yet to be studied. Its content distribution mechanisms are the key to promote the development and deployment. The concepts and characteristics of NDN content distribution were introduced. The current advances in the aspect of forwarding strategy, redundant control, congestion control and access control were emphasized. Aimed at the faced problems, some discussions and analysis were also presented.

Bing Li,Mingxuan Zheng,Maode Ma

DOI: https://doi.org/10.1049/2024/6616095

2024-03-12

IET Information Security

Abstract:Named Data Networking (NDN) is a promising network architecture that differs from the traditional TCP/IP network, as it focuses on data rather than the host. A new secure model is required to provide the data-oriented trust instead of the host-oriented trust. This paper proposes a new secure solution in the NDNs named Secure Mechanism supported by Certificateless Digital Signature and Blockchain (CLDS-B). The CLDS-B scheme employs a certificateless digital signature to guarantee the authentication and integrity of data. On the one hand, the key escrow problem has been solved to eliminate the risks of compromised private key generators; on the other hand, the data name has been bound to the public key to prevent the false public key. Moreover, the blockchain is used to manage cryptographic information. Each domain designates an information service entity to join the blockchain so that the consumer could retrieve the cryptographic information public parameter in the local domain if necessary. Furthermore, due to the decentralization of the blockchain, the CLDS-B would be robust to resist the single-node failure. Simulation results show that the CLDS-B scheme outperforms a classic NDN scheme, although it shows slightly inferior to the other secure NDN scheme. The security verification and analysis show that the CLDS-B would resist the key escrow attack. The CLDS-B would be a competitive solution in scenarios with a high-security level.

computer science, information systems, theory & methods

Yi Wang,Zhuyun Qi,Bin Liu

DOI: https://doi.org/10.1145/3063955.3063993

2018-01-01

China Communications

Abstract:Named Data Networking (NDN) improves the data delivery efficiency by caching contents in routers. To prevent corrupted and faked contents be spread in the network, NDN routers should verify the digital signature of each published content. Since the verification scheme in NDN applies the asymmetric encryption algorithm to sign contents, the content verification overhead is too high to satisfy wire-speed packet forwarding. In this paper, we propose two schemes to improve the verification performance of NDN routers to prevent content poisoning. The first content verification scheme, called “user-assisted”, leads to the best performance, but can be bypassed if the clients and the content producer collude. A second scheme, named “Router-Cooperation”, prevents the aforementioned collusion attack by making edge routers verify the contents independently without the assistance of users and the core routers no longer verify the contents. The Router-Cooperation verification scheme reduces the computing complexity of cryptographic operation by replacing the asymmetric encryption algorithm with symmetric encryption algorithm. The simulation results demonstrate that this Router-Cooperation scheme can speed up 18.85 times of the original content verification scheme with merely extra 80 Bytes transmission overhead.

Qi Li,Xinwen Zhang,Qingji Zheng,Ravi Sandhu,Xiaoming Fu

DOI: https://doi.org/10.1109/tifs.2014.2365742

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Named data networking (NDN) is a new paradigm for the future Internet wherein interest and data packets carry content names rather than the current IP paradigm of source and destination addresses. Security is built into NDN by embedding a public key signature in each data packet to enable verification of authenticity and integrity of the content. However, existing heavyweight signature generation and verification algorithms prevent universal integrity verification among NDN nodes, which may result in content pollution and denial of service attacks. Furthermore, caching and location-independent content access disables the capability of a content provider to control content access, e.g., who can cache a content and which end user or device can access it. We propose a lightweight integrity verification (LIVE) architecture, an extension to the NDN protocol, to address these two issues seamlessly. LIVE enables universal content signature verification in NDN with lightweight signature generation and verification algorithms. Furthermore, it allows a content provider to control content access in NDN nodes by selectively distributing integrity verification tokens to authorized nodes. We evaluate the effectiveness of LIVE with open source CCNx project. Our paper shows that LIVE only incurs average 10% delay in accessing contents. Compared with traditional public key signature schemes, the verification delay is reduced by over 20 times in LIVE.

Danye Wu,Zhiwei Xu,Bo Chen,Yujun Zhang,Zhu Han

DOI: https://doi.org/10.1109/tcomm.2020.3026380

IF: 6.166

2021-01-01

IEEE Transactions on Communications

Abstract:By moving computing resources close to where they are needed (i.e., the network edges), edge computing can significantly reduce burden on the centric cloud data centers. However, extreme scale of on-line big data may impose a significant burden on the network backbones. Information-centric edge networking can address this challenge by incorporating in-network caching into edge networks. This however, opens a door for many new security issues and requires various security defenses. One of those is efficient access control design specifically for information-centric edge networking. In this work, we aim to design an efficient and secure access control scheme for information-centric edge networking. In our design, we propose the confidentiality-enhanced network coding which can ensure that, without having access to the authorization key, the attacker will not be able to obtain the original content. And thanks to the properties of confidentiality-enhanced network coding, highly efficient access control can be realized by encrypting only part of the encoding matrix. In addition, our design can allow efficiently revoking users. Security analysis and experimental evaluation on NS3 demonstrate that our scheme can successfully enforce access control in information-centric edge networking with a small overhead.

telecommunications,engineering, electrical & electronic

Junwei Cao,Shuo Chen,Zhen Chen,Ge Ma,Zhongda Yuan,Ziwei Hu,Jing Zhou,Jinghong Guo

2016-01-01

Abstract:Named Data Networking (NDN) is a paradigm shift from a traditional host-to-host network to a named content based one by a wholly new designed network architecture. CCNx, which is the most popular implementation of NDN, is designed over TCP or UDP. While the current implementation of NDN is an overlay network, the major contribution of this paper is to propose an underlay implementation of NDN by using Ethernet frames directly to encapsulate named data even without a MAC address. We present an underlay NDN prototype. In this paper, pure named content architecture is proposed, with a concrete implementation and performance evaluation using Ethernet frames. Our underlay implementation has a slightly better theoretical protocol efficiency than an overlay implementation. The experiment itself also demonstrates the feasibility of pure NDN, which is an essential evolution from a traditional address based to a content based network.

Lin Yao,Zhenzhen Fan,Jing Deng,Xin Fan,Guowei Wu

DOI: https://doi.org/10.1109/tdsc.2018.2876257

2020-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Named Data Network (NDN), as a promising information-centric networking architecture, is expected to support next-generation of large-scale content distribution with open in-network cachings. However, such open in-network caches are vulnerable against Cache Pollution Attacks (CPAs) with the goal of filling cache storage with non-popular contents. The detection and defense against such attacks are especially difficult because of CPA's similarities with normal fluctuations of content requests. In this work, we use a clustering technique to detect and defend against CPAs. By clustering the content interests, our scheme is able to distinguish whether they have followed the Zipf-like distribution or not for accurate detections. Once any attack is detected, an attack table will be updated to record the abnormal requests. While such requests are still forwarded, the corresponding content chunks are not cached. Extensive simulations in ndnSIM demonstrate that our scheme can resist CPA effectively with higher cache hit, higher detecting ratio, lower hop count, and lower algorithm complexity compared to other state-of-the-art schemes.

computer science, information systems, software engineering, hardware & architecture

Kai Lei,Jie Xing,Yi Wang,KeKe Li,Dong Lin

DOI: https://doi.org/10.1109/infcomw.2018.8406944

2018-01-01

Abstract:As a promising future network architecture, Named Data Networking (NDN) enables efficient content distribution and significantly reduces the overall network traffic through its routing and caching mechanisms. On the other hand, the routing and caching features of NDN could cause a side-effect in which Content Providers (CPs) are unable to acquire the accurate number of access to their contents, since consumers can get contents directly from intermediate network devices such as routers. However, the accurate statistical information of content access is of great importance for CPs when making pricing and cache placement strategies based on content popularity, but now CPs can only assume the content's access information rather than the real data to make strategies. In this paper, we propose a new scheme to help CPs regain the access information of contents timely and efficiently. In our solution, network devices keep track of the requested content information and collect the statistics of the content access information in a self-adaptive manner. The statistical information is sent to CPs by routers when certain events are triggered, so that CPs could obtain the popularity of their contents. With the proposed scheme, CPs, in the context of NDN, based on the real popularity information of contents, can make appropriate caching and pricing strategies for the sake of better serving their business interest. Our simulation further indicates that the proposed scheme is not only lightweight but also exhibits good accuracy and low latency.

Kai Lei,Junjie Fang,Qichao Zhang,Junjun Lou,Maoyu Du,Jiyue Huang,Jianping Wang,Kuai Xu

DOI: https://doi.org/10.1007/s10723-020-09531-1

2020-01-01

Journal of Grid Computing

Abstract:Recent advances in artificial intelligence, big data, mobile edge computing and embedded systems have successfully driven the emergence and adoption of smart vehicles and vehicle edge computing which will improve road safety, traffic congestions, and vehicle exhaust emissions. The high-mobility, ad-hoc network topology, and diverse vehicle-to-everything (V2X) have brought substantial challenges in the TCP/IP-based vehicular networking. Given the unique characteristics and strengths in resilient communication in mobile ad hoc networking environments, named data networking (NDN) has become a natural fit for supporting vehicular edge computing (VEC) as the underlying network architecture. However, a variety of security and privacy challenges remain for developing NDN-based VEC networks such as key management, cache poisoning, access control. In this paper, we introduce a novel blockchain-based security architecture in NDN-based VEC networks to systematically tackle these security challenges. More specifically, we design and implement an efficient blockchain system on NDN by adopting lightweight yet robust delegate consensus algorithm, and carry out extensive experiments to evaluate performance efficiency on key management protocols, cache poisoning defense schemes, and access control strategies for NDN-based VEC networks. To the best of our knowledge, this paper is the first effort to systematically devise practical and efficient blockchain-based security architecture to provide key management, cache poisoning security protection, and privacy-aware access control in NDN VEC networks.

Zhiyi Zhang,Su Yong Wong,Junxiao Shi,Davide Pesavento,Alexander Afanasyev,Lixia Zhang

DOI: https://doi.org/10.48550/arXiv.2009.09339

2020-09-20

Cryptography and Security

Abstract:Named Data Networking (NDN) secures network communications by requiring all data packets to be signed when produced. This requirement necessitates efficient and usable mechanisms to handle NDN certificate issuance and revocation, making these supporting mechanisms essential for NDN operations. In this paper, we first investigate and clarify core concepts related to NDN certificates and security design in general, and then present the model of NDN certificate management and its desired properties. We proceed with the design of a specific realization of NDN's certificate management, NDNCERT, evaluate it using a formal security analysis, and discuss the challenges in designing, implementing, and deploying the system, to share our experiences with other NDN security protocol development efforts.

Yu Wang,Mingwei Xu,Zhen Feng,Qing Li,Qi Li

DOI: https://doi.org/10.1109/pccc.2014.7017094

2014-01-01

Abstract:Information-Centric Networking (ICN) has been proposed recently to improve the efficiency of content delivery in current IP networks. ICN employs data names, instead of host addresses, as routing and forwarding indicators. Content in the ICN carries only signature of the content provider but does not contain the identity of the content consumer by default. Such information is, however, essential for many of the web applications, such as email, online social networking, online game, e-commerce, and other session-based web services.In this paper, we propose a session-based access control (SAC) mechanism for ICN scenario to bridge the gap. Key distribution protocols are designed to protect the confidentiality of the content during information delivery. We also employ a dynamic naming scheme to enhance user privacy. According to security analysis, our access control mechanism can provide communication security and privacy protection for both sides of the session. Our design can be easily applied to session-based applications in ICN with negligible overhead.

Qing Li,Zongyi Zhao,Mingwei Xu,Yong Jiang,Yuan Yang

DOI: https://doi.org/10.1016/j.comcom.2016.09.012

IF: 5.047

2016-01-01

Computer Communications

Abstract:As the popularity of content-delivery applications (e.g., YouTube) grows, the inefficiency of transmission on the Internet has emerged, since in the TCP/IP networks, routers are unaware of the passing contents and the same content might be transmitted through the same path multiple times. To solve the problem as well as other problems, a lot of Information Centric Networking (ICN) architectures, including Named Data Networking (NDN), are proposed. These architectures enable the routers to identify and cache contents. In this paper, we design an efficient and feasible scheme of caching and routing for NDN, i.e., Selective cAching and Dynamic routing (SADO). First, we propose a selective caching method that balances caching load among routers and reduces the caching redundancy dramatically. Then, we provide a scalable method to maintain routing information for the in-router cached contents. After that, a probabilistic forwarding method for requests is proposed to minimize the expected cost of fetching contents. Finally, we evaluate the performance of SADO by comprehensive simulations. The simulation results show that SADO achieves a decrease of 34% in the cost of fetching a content and a decrease of 81% in the load carried by the source servers, and a cached content is utilized 0.8 times on average. (C) 2016 Elsevier B.V. All rights reserved.

Lei Kai,Zhu Fangxing,Peng Cheng,Xu Kuai

DOI: https://doi.org/10.1109/ICPP.2015.19

2015-01-01

Abstract:How to effectively distribute and share increasingly large volumes of data in large-scale network applications is a key challenge for Internet infrastructure. Although NDN, a promising new future internet architecture which takes data oriented transfer approaches, aims to better solve such needs than IP, it still faces problems like data redundancy transmission and inefficient in-network cache utilization. This paper combines network coding techniques to NDN to improve network throughput and efficiency. The merit of our design is that it is able to avoid duplicate and unproductive data delivery while transferring disjoint data segments along multiple paths and with no excess modification to NDN fundamentals. To quantify performance benefits of applying network coding in NDN, we integrate network coding into an NDN streaming media system implemented in the ndn SIM simulator. Basing on BRITE generated network topologies in our simulation, the experimental results clearly and fairly demonstrate that considering network coding in NDN can significantly improve the performance, reliability and QoS. More importantly, our approach is capable of and well fit for delivering growing Big Data applications including high-performance and high-density video streaming services. © 2015 IEEE.

Shi Li,Inshil Doh,Kijoon Chae

DOI: https://doi.org/10.1109/icoin.2016.7427091

2016-01-01

Abstract:Content Delivery Networks (CDN) act as trusted overlay networks that offer high-performance delivery of common Web objects, static data and rich multimedia content by distributing content load among edge servers which are close to the clients. And the interconnection of different CDNs (called CDNi) could provide more advantages and benefits to both content provider and client than a single CDN during the content delivery. However, the interconnection can also bring some security issues which are not existed in single CDN. For example, the users' privacy could be revealed to other CDNs. Thus, to focus on this issue, in this paper, we propose an anonymous IP-based privacy protection mechanism which can protect the users' privacy from leaking to all the CDNs, and the requested content can also be accurately transmitted to the end user through the closest edge server by using the anonymous IP address.