Tao Chen,Kai Lei,Kuai Xu

DOI: https://doi.org/10.1109/pccc.2014.7017100

2014-01-01

Abstract:The new named data networking (NDN) has shifted the Internet from today's IP-based packet-delivery model to the name-based data retrieval model. The architecture shift from IP addresses to named data results in effective content delivery via in-networking cache and direct object retrieval. However, this shift has also created challenges and obstacles for securing data objects and providing appropriate access control on named data due to broad data replications and the loss of network perimeters. This paper designs, implements, and evaluates an encryption and probability based access control model for NDN with video streaming service as a case study. In particularly, we explore a combination of public-key cryptography and symmetric ciphers to encrypt video data for preventing unauthorized access. In addition, we build a bloom-filter probabilistic data structure for pre-filtering Interests from consumers without desired credentials. Our experimental results have demonstrated the capabilities of the proposed model for providing access control while incurring low system and performance overhead on producers and consumers.

Anwen Wang,Ting Chen,Hao Chen,Xiang Ji,Wei,Xin Han,Feng Chen

DOI: https://doi.org/10.1109/access.2019.2913656

IF: 3.9

2019-01-01

IEEE Access

Abstract:Cooperative vehicle infrastructure system (CVIS) is an essential part of the future intelligent transportation system (ITS). However, CVIS is uneasy to meet different QoS requirements of various information flows in the existing traffic environment. In fact, some real-time applications highly related to traffic safety early warning cannot be easily achieved or passengers' Internet accessing experience is always not very good. To overcome the above problem, this paper proposes a communication protocol named data networking for vehicle infrastructure cooperation (NDNVIC), which can respond to the vehicle's data query timely. In this paper, we utilize some ZigBee nodes as vehicle and RSU nodes and conduct several simulation experiments under a large-scale deployment with 150 RSU nodes to verify the effectiveness of NDNVIC. Compared with the traditional TCP/IP protocol, the response rate of NDNVIC is about four times, as fast as, that of TCP/IP.

Wen Li,Lingdi Ping,Kuijun Lu,Xiaoping Chen

DOI: https://doi.org/10.1109/ICIE.2009.33

2009-01-01

Abstract:As traditional network security cannot meet the security requirements, the international research shows that network security is on the way to Trustworthy Internet and that the trustworthy issue becomes a hot topic in the future Internet. Trust evaluation of users' behavior is an important part of Trustworthy Internet and a rational trust model plays a key role in the evaluation. This paper concludes many principles of the trust model by analyzing existing trust models and proposes a novel trust model including both the direct and indirect trust. In our model, the direct trust is more trustworthy and is weighted more with the more and more interactions and the indirect evaluation becomes less and less important. The subjective factor is considered to make the direct trust obey the principle of "rise-lowly, decline-quickly". Furthermore, recommenders' credibility is taken into account in the indirect trust evaluation, which can avoid the denigration and make indirect trust more objective. We also consider the process of referral of the credibility to gain more information to evaluate the indirect trust effectively. Credibility evaluation is the basis of the filtering of low credibility and the improvement of trust evaluation. Finally, several experiments are shown to illustrate the properties of the model. © 2009 IEEE.

Yong Yu,Yannan Li,Xiaojiang Du,Ruonan Chen,Bo Yang

DOI: https://doi.org/10.1109/mcom.2018.1701086

IF: 9.03

2018-11-01

IEEE Communications Magazine

Abstract:ICNs are promising alternatives to current Internet architecture since the Internet struggles with a number of issues such as scalability, mobility, and security. ICN offers a number of potential benefits including reduced congestion and enhanced delivery performance by employing content caching, simpler network configurations, and stronger security for the content. NDN, an instance of ICN, enables content delivery instead of host-centric approaches by naming data rather than host. In order to make NDN practical in the real world, the challenging issues of content security need to be addressed. In this article, we examine the architecture and content security as well as possible solutions to these issues of NDN, with a special focus on the content integrity and provenance. We propose a variety of digital signature schemes to achieve the data integrity and origin authentication in NDN for various applications, which include cost-effective signatures, privacy preserving signatures, network coding signatures, and post-quantum signatures. We also present speed-up techniques in generating signatures and verifying signatures such as pre-computation, batch verification, and server-aided verification to reduce the computational cost of the producers and receivers in NDN. A number of certificate-free trust management approaches and possible adoptions in NDN are investigated.

telecommunications,engineering, electrical & electronic

Zhiyi Zhang

2021-01-01

Abstract:Author(s): Zhang, Zhiyi | Advisor(s): Zhang, Lixia | Abstract: Securing network communications is a major challenge facing the Internet today.Due to the point-to-point communication model of TCP/IP architecture, at the time when security became a necessity, the channel-based security model, represented by Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), was applied to secure network communication between hosts. However, designed for synchronous channels over the network infrastructure, this security solution does not fit many emerging network scenarios that require asynchronous communication. In addition, with the growth of content delivery applications, the mismatch between what application needs, i.e., secured data, and what is provided by the channel-based security model, i.e., secured channels, has also been observed in recent years.A newly proposed architecture, Named Data Networking (NDN), has been developed over the past decade.Departing from TCP/IP's network model, NDN considers named secured data, instead of channels, as the building block of the communication, and provides an alternative to today's security model by securing data directly. Not relying on the network context, a piece of named secured data can be forwarded, cached, and reused without breaking the security primitives. To deliver named secured data at the network layer, NDN uses a stateful forwarding plane and forwards packets by names instead of IP addresses.Under this background, there is an urge to understand the difference between the conventional channel-based security model and the new data-centric security model, and explore how to utilize the new way of doing network security to address today's security issues.For this purpose, we first revisit the key concepts of network security from the application's perspective and analyze the main features of the two security models. Then, we present our design of a number of security solutions built over NDN's named secured data, including (i) a self-contained smart home control system, (ii) a DDoS mitigation mechanism that supports fine-grained traffic throttling, (iii) a distributed ledger system for distributed rooftop solar energy system, (iv) a multiparty signing and verification toolset, and (v) a secured data prefetching system for vehicular networking.We also describe two security solutions built on to the application level for (i) asynchronous and privacy-preserving single sign-on (SSO) and (ii) reliable leaker identification in sensitive data sharing, respectively.While not directly built over NDN because of today's deployment constraints, they follow the notion of the data-centric security model.Through the design discussion of these systems, we confirm the unique advantages of the data-centric security model and demonstrate how the new security model and especially, NDN's named secured data, can be applied to address some challenges that are intractable to the channel-based security model.

Yi Wang,Zhuyun Qi,Bin Liu

DOI: https://doi.org/10.1145/3063955.3063993

2018-01-01

China Communications

Abstract:Named Data Networking (NDN) improves the data delivery efficiency by caching contents in routers. To prevent corrupted and faked contents be spread in the network, NDN routers should verify the digital signature of each published content. Since the verification scheme in NDN applies the asymmetric encryption algorithm to sign contents, the content verification overhead is too high to satisfy wire-speed packet forwarding. In this paper, we propose two schemes to improve the verification performance of NDN routers to prevent content poisoning. The first content verification scheme, called “user-assisted”, leads to the best performance, but can be bypassed if the clients and the content producer collude. A second scheme, named “Router-Cooperation”, prevents the aforementioned collusion attack by making edge routers verify the contents independently without the assistance of users and the core routers no longer verify the contents. The Router-Cooperation verification scheme reduces the computing complexity of cryptographic operation by replacing the asymmetric encryption algorithm with symmetric encryption algorithm. The simulation results demonstrate that this Router-Cooperation scheme can speed up 18.85 times of the original content verification scheme with merely extra 80 Bytes transmission overhead.

Cesar Ghali,Gene Tsudik,Ersin Uzun

DOI: https://doi.org/10.48550/arXiv.1402.3332

2014-02-13

Networking and Internet Architecture

Abstract:In contrast to today's IP-based host-oriented Internet architecture, Information-Centric Networking (ICN) emphasizes content by making it directly addressable and routable. Named Data Networking (NDN) architecture is an instance of ICN that is being developed as a candidate next-generation Internet architecture. By opportunistically caching content within the network (in routers), NDN appears to be well-suited for large-scale content distribution and for meeting the needs of increasingly mobile and bandwidth-hungry applications that dominate today's Internet. One key feature of NDN is the requirement for each content object to be digitally signed by its producer. Thus, NDN should be, in principle, immune to distributing fake (aka "poisoned") content. However, in practice, this poses two challenges for detecting fake content in NDN routers: (1) overhead due to signature verification and certificate chain traversal, and (2) lack of trust context, i.e., determining which public keys are trusted to verify which content. Because of these issues, NDN does not force routers to verify content signatures, which makes the architecture susceptible to content poisoning attacks. This paper explores root causes of, and some cures for, content poisoning attacks in NDN. In the process, it becomes apparent that meaningful mitigation of content poisoning is contingent upon a network-layer trust management architecture, elements of which we construct while carefully justifying specific design choices. This work represents the initial effort towards comprehensive trust management for NDN.

Qi Li,Xinwen Zhang,Qingji Zheng,Ravi Sandhu,Xiaoming Fu

DOI: https://doi.org/10.1109/tifs.2014.2365742

IF: 7.231

2015-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Named data networking (NDN) is a new paradigm for the future Internet wherein interest and data packets carry content names rather than the current IP paradigm of source and destination addresses. Security is built into NDN by embedding a public key signature in each data packet to enable verification of authenticity and integrity of the content. However, existing heavyweight signature generation and verification algorithms prevent universal integrity verification among NDN nodes, which may result in content pollution and denial of service attacks. Furthermore, caching and location-independent content access disables the capability of a content provider to control content access, e.g., who can cache a content and which end user or device can access it. We propose a lightweight integrity verification (LIVE) architecture, an extension to the NDN protocol, to address these two issues seamlessly. LIVE enables universal content signature verification in NDN with lightweight signature generation and verification algorithms. Furthermore, it allows a content provider to control content access in NDN nodes by selectively distributing integrity verification tokens to authorized nodes. We evaluate the effectiveness of LIVE with open source CCNx project. Our paper shows that LIVE only incurs average 10% delay in accessing contents. Compared with traditional public key signature schemes, the verification delay is reduced by over 20 times in LIVE.

Bing Li,Mingxuan Zheng,Maode Ma

DOI: https://doi.org/10.1049/2024/6616095

2024-03-12

IET Information Security

Abstract:Named Data Networking (NDN) is a promising network architecture that differs from the traditional TCP/IP network, as it focuses on data rather than the host. A new secure model is required to provide the data-oriented trust instead of the host-oriented trust. This paper proposes a new secure solution in the NDNs named Secure Mechanism supported by Certificateless Digital Signature and Blockchain (CLDS-B). The CLDS-B scheme employs a certificateless digital signature to guarantee the authentication and integrity of data. On the one hand, the key escrow problem has been solved to eliminate the risks of compromised private key generators; on the other hand, the data name has been bound to the public key to prevent the false public key. Moreover, the blockchain is used to manage cryptographic information. Each domain designates an information service entity to join the blockchain so that the consumer could retrieve the cryptographic information public parameter in the local domain if necessary. Furthermore, due to the decentralization of the blockchain, the CLDS-B would be robust to resist the single-node failure. Simulation results show that the CLDS-B scheme outperforms a classic NDN scheme, although it shows slightly inferior to the other secure NDN scheme. The security verification and analysis show that the CLDS-B would resist the key escrow attack. The CLDS-B would be a competitive solution in scenarios with a high-security level.

computer science, information systems, theory & methods

Li Qi,Lee Patrick P. C.,Zhang Peng,Su Purui,He Liang,Ren Kui

DOI: https://doi.org/10.1109/TNET.2017.2715822

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Named data networking (NDN) enhances traditional IP networking by supporting in-network content caching for better bandwidth usage and location-independent data accesses for multi-path forwarding. However, NDN also brings new security challenges. For example, an adversary can arbitrarily inject packets to NDN to poison content cache, or access content packets without any restrictions. We propose c...

Zhiyi Zhang,Su Yong Wong,Junxiao Shi,Davide Pesavento,Alexander Afanasyev,Lixia Zhang

DOI: https://doi.org/10.48550/arXiv.2009.09339

2020-09-20

Cryptography and Security

Abstract:Named Data Networking (NDN) secures network communications by requiring all data packets to be signed when produced. This requirement necessitates efficient and usable mechanisms to handle NDN certificate issuance and revocation, making these supporting mechanisms essential for NDN operations. In this paper, we first investigate and clarify core concepts related to NDN certificates and security design in general, and then present the model of NDN certificate management and its desired properties. We proceed with the design of a specific realization of NDN's certificate management, NDNCERT, evaluate it using a formal security analysis, and discuss the challenges in designing, implementing, and deploying the system, to share our experiences with other NDN security protocol development efforts.

Seyed Ahmad Soleymani,Shidrokh Goudarzi,Mohammad Hossein Anisi,Nazri Kama,Saiful Adli Ismail,Azri Azmi,Mahdi Zareei,Abdul Hanan Abdullah

DOI: https://doi.org/10.3390/sym12040609

2020-04-12

Symmetry

Abstract:Trust, as a key element of security, has a vital role in securing vehicular ad-hoc networks (VANETs). Malicious and selfish nodes by generating inaccurate information, have undesirable impacts on the trustworthiness of the VANET environment. Obstacles also have a negative impact on data trustworthiness by restricting direct communication between nodes. In this study, a trust model based on plausibility, experience, and type of vehicle is presented to cope with inaccurate, incomplete and uncertainty data under both line of sight (LoS) and none-line of sight (NLoS) conditions. In addition, a model using the k-nearest neighbor (kNN) classification algorithm based on feature similarity and symmetry is developed to detect the NLoS condition. Radio signal strength indicator (RSSI), packet reception rate (PDR) and the distance between two vehicle nodes are the features used in the proposed kNN algorithm. Moreover, due to the big data generated in VANET, secure communication between vehicle and edge node is designed using the Cuckoo filter. All obtained results are validated through well-known evaluation measures such as precision, recall, overall accuracy, and communication overhead. The results indicate that the proposed trust model has a better performance as compared to the attack-resistant trust management (ART) scheme and weighted voting (WV) approach. Additionally, the proposed trust model outperforms both ART and WV approaches under different patterns of attack such as a simple attack, opinion tampering attack, and cunning attack. Monte-Carlo simulation results also prove validity of the proposed trust model.

Kunpeng Ding,Jiayu Yang,Jiangping Han,Bobo Wang,Ruidong Li,Kaiping Xue

DOI: https://doi.org/10.1109/iwqos57198.2023.10188736

2023-01-01

Abstract:As a promising implementation of Information Centric Networking, Named Data Networking (NDN) can facilitate content distribution with in-network caching and location-independent data access. However, the reliance on caches makes NDN vulnerable to content poisoning attacks, which waste network resources and decrease transmission efficiency. Most mitigating schemes follow the pattern that each content is repeatedly verified individually in each router and all producers have the same status, which wastes computation resources and degrades network performance. In this paper, we propose a Reputation-based Probabilistic Batch Verification (RPBV) scheme to address the issue, in which producers’ reputation is estimated according to verification results to distinguish different producers. We provide an adaptive probabilistic verification method based on reputation to avoid a lot of unnecessary verification operations. At the same time, we adopt an efficient batch verification algorithm to simultaneously verify multiple content, which reduces the overhead greatly. With the above mechanisms implemented only on the edge router to avoid repeated verification, we provide an optional probabilistic verification method on intermediate routers to strengthen the security. The extensive simulations show that RPBV achieves much lower computation overhead and shorter content retrieval time than the traditional schemes.

Ezedin Barka,Chaker Abdelaziz Kerrache,Rasheed Hussain,Nasreddine Lagraa,Abderrahmane Lakas,Safdar Hussain Bouk

DOI: https://doi.org/10.3390/s18082683

2018-08-15

Abstract:Flying Ad hoc Network (FANET) is a new resource-constrained breed and instantiation of Mobile Ad hoc Network (MANET) employing Unmanned Aerial Vehicles (UAVs) as communicating nodes. These latter follow a predefined path called 'mission' to provide a wide range of applications/services. Without loss of generality, the services and applications offered by the FANET are based on data/content delivery in various forms such as, but not limited to, pictures, video, status, warnings, and so on. Therefore, a content-centric communication mechanism such as Information Centric Networking (ICN) is essential for FANET. ICN addresses the problems of classical TCP/IP-based Internet. To this end, Content-centric networking (CCN), and Named Data Networking (NDN) are two of the most famous and widely-adapted implementations of ICN due to their intrinsic security mechanism and Interest/Data-based communication. To ensure data security, a signature on the contents is appended to each response/data packet in transit. However, trusted communication is of paramount importance and currently lacks in NDN-driven communication. To fill the gaps, in this paper, we propose a novel trust-aware Monitor-based communication architecture for Flying Named Data Networking (FNDN). We first select the monitors based on their trust and stability, which then become responsible for the interest packets dissemination to avoid broadcast storm problem. Once the interest reaches data producer, the data comes back to the requester through the shortest and most trusted path (which is also the same path through which the interest packet arrived at the producer). Simultaneously, the intermediate UAVs choose whether to check the data authenticity or not, following their subjective belief on its producer's behavior and thus-forth reducing the computation complexity and delay. Simulation results show that our proposal can sustain the vanilla NDN security levels exceeding the 80% dishonesty detection ratio while reducing the generated end-to-end delay to less than 1 s in the worst case and reducing the average consumed energy by more than two times.

Peng Zhang,Qi Li,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2015.2498603

2017-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:As a popular realization of Information-Centric Network (ICN), Named Data Networking (NDN) greatly improves the efficiency of Internet content-distribution. A feature of NDN is that it improves privacy, as no addresses are needed for either the content consumer or publisher. However, NDN packets contain content names, and hence a well-motivated adversary can still deduce what content the user is requesting once it can link the packets and users. How to provide privacy in NDN, given its unique data retrieval mode, is an open problem. In this paper, we explore a specific content-oriented anonymity model called content-user unlinkability, which breaks the relationship between the content and the requesting user. We argue that achieving content-user unlinkability efficiently is a non-trivial task, since existing tunnel-based approaches will largely dismiss content caching of NDN, resulting in large content retrieval delay. To this end, we propose CRISP, namely Cooperative Random IntereSt Propagation. In CRISP, routers cooperate to form full-meshed groups, within which content requests are randomly propagated before they are forwarded to content producers. We show CRISP can achieve probable content-user unlinkability with probabilistic models. Extensive simulations demonstrate that CRISP outperforms existing solutions including ANDANA and Crowds, in terms of both content retrieval latency and data throughput.

Bing Li,Maode Ma,Yonghe Zhang,Feiyu Lai

DOI: https://doi.org/10.1109/HotICN57539.2022.10036170

2022-01-01

Abstract:Named Data Networking (NDN) has been viewed as a promising future Internet architecture. It requires a new access control scheme to prevent the injection of unauthorized data request. In this paper, an access control supported by information service entity (ACISE) is proposed for NDN networks. A trust entity, named the information service entity (ISE), is deployed in each domain for the registration of the consumer and the edge router. The identity-based cryptography (IBC) is used to generate a private key for the authorized consumer at the ISE and to calculate a signature encapsulated in the Interest packet at the consumer. Therefore, the edge router could support the access control by the signature verification of the Interest packets so that no Interest packet from unauthorized consumer could be forwarded or replied. Moreover, shared keys are negotiated between authorized consumers and their edge routers. The subsequent Interest packets would be verified by the message authentication code (MAC) instead of the signature. The simulation results have shown that the ACISE scheme would achieve a similar response delay to the original NDN scheme when the NDN is under no attacks. However, the ACISE scheme is immune to the cache pollution attacks so that it could maintain a much smaller response delay compared to the other schemes when the NDN network is under the attacks.

Yi Zhang,Bo Bai,Kuai Xu,Kai Lei

DOI: https://doi.org/10.1145/3229543.3229547

2018-01-01

Abstract:Named-Data Networking (NDN) is a new communication paradigm where network primitives are based on named-data rather than host identifiers. Compared with IP, NDN has a unique feature that forwarding plane enables each router to select the next forwarding hop independently without relying on routing. Therefore, forwarding strategies play a significant role for adaptive and efficient data transmission in NDN. Most of the existing forwarding strategies use fixed control rules based on simplified or inaccurate models of the deployment environment. As a result, existing schemes inevitably fail to achieve optimal performance across a broad set of network conditions and application demands. In this paper, We propose IFS-RL, an intelligent forwarding strategy based on reinforcement learning. IFS-RL trains a neural network model which chooses appropriate interfaces for the forwarding of Interest based on observations collected by routing node. Not relying on pre-programmed models, IFS-RL learns to make decisions solely through observations of the resulting performance of past decisions. Therefore, IFS-RL can implement intelligent forwrarding which adapt to a wide range of network conditions. Besides, we also researches the learning granularity and the enhancement for network topology change. We compare IFS-RL to state-of-the-art forwarding strategies in ndnSIM. Experimental results show that IFS-RL can achieve higher throughput and lower packet drop rates.

Lei Kai,Yuan Jie

DOI: https://doi.org/10.3969/j.issn.1000-0801.2014.09.005

2014-01-01

Abstract:Future internet architecture research is one of the major strategic needs of science and technology development. As a promising design, named data networking（NDN）has drawn the extensive attentions of researchers and industry. Since NDN architecture evolves the internet from today's host-based packet delivery towards directly retrieving named objects, there are still a lot of issues have yet to be studied. Its content distribution mechanisms are the key to promote the development and deployment. The concepts and characteristics of NDN content distribution were introduced. The current advances in the aspect of forwarding strategy, redundant control, congestion control and access control were emphasized. Aimed at the faced problems, some discussions and analysis were also presented.

Qi Xia,Isaac Amankona Obiri,Jianbin Gao,Hu Xia,Xiaosong Zhang,Kwame Omono Asamoah,Sandro Amofa

DOI: https://doi.org/10.1109/tifs.2023.3327660

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The Named Data Networking (NDN) architecture is a futuristic internet infrastructure that aims to deliver content efficiently. However, NDN is faced with the challenge of ensuring the privacy of both content and names. Traditional solutions have focused on encrypting and signing content before injecting the resultant ciphertext into the NDN platform to provide confidentiality and integrity. However, these solutions fail to protect content name privacy in critical applications such as the military and healthcare. To address this challenge, we propose Privacy-Preserving Data Sharing on Named Data Networking (PRIDN), which employs a combination of proxy re-encryption and symmetric mechanisms to secure both content and names. PRIDN offers several advantages over existing solutions. Firstly, it eliminates the need for subscribers to communicate with content publishers for decryption keys, reducing communication overhead and ensuring that content publishers do not need to be online all the time to respond to key generation requests. Second, the proxy re-encryption mechanism prevents replication of ciphertexts, thus avoiding multiple instances of the same content in the network. Lastly, PRIDN also protects sensitive information in content names, preventing user profiling and censorship. Simulation results from ndnSIM and MIRACL libraries demonstrate that PRIDN reduces content retrieval time on NDN. A crypto-verification tool, Verifpal, shows that the proposed protocols are secure for real-world deployment.

Junjun Lou,Qichao Zhang,Zhuyun Qi,Kai Lei

DOI: https://doi.org/10.1109/hoticn.2018.8605993

2018-01-01

Abstract:Named Data Networking is built with security which requires each named Data object to be digitally signed by its producer. Thus, the NDN project has proposed a key management model on NDN testbed for verification of the Data packet to be immune to distributing poisoned content. However, in practice, this model poses two challenges for verifying fake content: (1) the centralized architecture easily leads to a single point of failure, especially when the root key fails, its difficult to verify the keys across sites due to the lack of trust between them, and (2) excessive overhead of certificate chain traversal when verifying signature. This paper first proposes a blockchain-based key management scheme in NDN to address the problem of lack of mutual trust between sites without trust anchors. Specifically, all site nodes form a permissioned blockchain for storing public key hashes to ensure the authenticity, and the proxy gateway participates in verifying to reduce excessively frequent communication between the router and the blockchain. In addition, the NDN public key content object and the scheme of their storage, verification, and revocation are redesigned. The result of our analysis and evaluation shows that the proposed scheme is capable of supporting less verification numbers and higher verification efficiency.