Yuwen Xiong,Cong Wang,Chuang Chen,Jiawen Xu,Maode Ma,Tong Zhou

DOI: https://doi.org/10.1007/978-981-97-5609-4_42

2024-01-01

Abstract:Cache Poisoning Attack is a major threat in NDN, impacting network performance. Current solutions are costly and don't fully address router single point failures or repeated router evaluations with producer mobility. To tackle these, we introduce CPA-BT, a Blockchain-based Trust Model. It integrates blockchain, enabling edge routers connected to data producers to operate under a consensus mechanism, treating their evaluation as blockchain transactions. With 2/3 consensus, a leader edge router records the transactions, addressing the mentioned challenges. Simulations show CPA-BT effectively isolates malicious and faulty producers, reducing cache poisoning risks and outperforming other trust models in task failure rate reduction.

Dohyung Kim,Jun Bi,Athanasios V. Vasilakos,Ikjun Yeom

DOI: https://doi.org/10.1109/tifs.2017.2725229

IF: 7.231

2017-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In Named-Data Networking (NDN), content is cached in network nodes and served for future requests. This property of NDN allows attackers to inject poisoned content into the network and isolate users from valid content sources. Since a digital signature is embedded in every piece of content in NDN architecture, poisoned content is discarded if routers perform signature verification; however, if every content is verified by every router, it would be overly expensive to do. In our preliminary work, we have suggested a content verification scheme that minimizes unnecessary verification and favors already verified content in the content store, which reduces the verification overhead by as much as 90% without failing to detect every piece of poisoned content. Under this scheme, however, routers are vulnerable to verification attack, in which a large amount of unverified content is accessed to exhaust system resources. In this paper, we carefully look at the possible concerns of our preliminary work, including verification attack, and present a simple but effective solution. The proposed solution mitigates the weakness of our preliminary work and allows this paper to be deployed for real-world applications.

Emmanuel A. Massawe,Suguo Du,Haojin Zhu

DOI: https://doi.org/10.1109/icdcsw.2013.32

2013-01-01

Abstract:Currently, there are numbers of different architectural proposals for future internet that focus on content-centric networking as the alternative of the existing location-based networking. These architectures give more emphasis on the security part of their paradigms and pay little attention or ignore on issues of privacy in their architectural designs. In this paper we propose the Scalable and Privacy Preserving Routing Protocol in Named Data Networking (SP-NDN) by utilizing the multiple Bloom filters in order to ameliorate user's interest packet flow privacy and security during the transit. In contrast to existing schemes, we present a content-dependent key tree based on multicast key management protocol to integrate Bloom filter and multicast encryption that mitigates the leakage of the original user's keywords and precluding unauthorized users (eavesdroppers) from guessing the key words. Our schemes guarantee the high security and privacy of user's interest packet during the transmission and at the same time trying to minimize the possible increase number of false positives likely to happen when a content is queried.

Yi Wang,Zhuyun Qi,Bin Liu

DOI: https://doi.org/10.1145/3063955.3063993

2018-01-01

China Communications

Abstract:Named Data Networking (NDN) improves the data delivery efficiency by caching contents in routers. To prevent corrupted and faked contents be spread in the network, NDN routers should verify the digital signature of each published content. Since the verification scheme in NDN applies the asymmetric encryption algorithm to sign contents, the content verification overhead is too high to satisfy wire-speed packet forwarding. In this paper, we propose two schemes to improve the verification performance of NDN routers to prevent content poisoning. The first content verification scheme, called “user-assisted”, leads to the best performance, but can be bypassed if the clients and the content producer collude. A second scheme, named “Router-Cooperation”, prevents the aforementioned collusion attack by making edge routers verify the contents independently without the assistance of users and the core routers no longer verify the contents. The Router-Cooperation verification scheme reduces the computing complexity of cryptographic operation by replacing the asymmetric encryption algorithm with symmetric encryption algorithm. The simulation results demonstrate that this Router-Cooperation scheme can speed up 18.85 times of the original content verification scheme with merely extra 80 Bytes transmission overhead.

Yuxin Chen,Jiayu Yang,Xuanbo Huang,Jiangping Han,Bobo Wang,Jian Li,Kaiping Xue

DOI: https://doi.org/10.1109/icccn58024.2023.10230118

2023-01-01

Abstract:With potential advantages over TCP/IP for content delivery, mobility, and security, Named Data Networking (NDN) has become a promising architecture for the next-generation network. However, its poor performance in reliable transmission is still an unsolved problem. Many existing schemes in NDN employ inaccurate retransmission timeouts calculated with RTTs from diverse content sources to detect packet loss, which is lagging and may deteriorate transmission performance. Besides, after identifying the loss, the consumer costly resends the request to recover it, further increasing recovery time. In this paper, we propose an in-network Proactive Loss Recovery (PLR) scheme, which provides an efficient in-network method for timely detection and proactive recovery of lost packets. Deployed on each router, PLR detects the loss by monitoring queue status and sends high-priority explicit feedback to notify consumers of loss events timely. Meanwhile, lost packets are stored in each router's cache and will be retransmitted at an adaptive rate based on the detected remaining bandwidth. The simulation shows that PLR can vastly reduce the number of retransmissions on consumers, and the content completion time can be decreased by up to 21.8% compared with the baseline.

Li Qi,Lee Patrick P. C.,Zhang Peng,Su Purui,He Liang,Ren Kui

DOI: https://doi.org/10.1109/TNET.2017.2715822

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Named data networking (NDN) enhances traditional IP networking by supporting in-network content caching for better bandwidth usage and location-independent data accesses for multi-path forwarding. However, NDN also brings new security challenges. For example, an adversary can arbitrarily inject packets to NDN to poison content cache, or access content packets without any restrictions. We propose c...

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Cesar Ghali,Gene Tsudik,Ersin Uzun

DOI: https://doi.org/10.48550/arXiv.1402.3332

2014-02-13

Networking and Internet Architecture

Abstract:In contrast to today's IP-based host-oriented Internet architecture, Information-Centric Networking (ICN) emphasizes content by making it directly addressable and routable. Named Data Networking (NDN) architecture is an instance of ICN that is being developed as a candidate next-generation Internet architecture. By opportunistically caching content within the network (in routers), NDN appears to be well-suited for large-scale content distribution and for meeting the needs of increasingly mobile and bandwidth-hungry applications that dominate today's Internet. One key feature of NDN is the requirement for each content object to be digitally signed by its producer. Thus, NDN should be, in principle, immune to distributing fake (aka "poisoned") content. However, in practice, this poses two challenges for detecting fake content in NDN routers: (1) overhead due to signature verification and certificate chain traversal, and (2) lack of trust context, i.e., determining which public keys are trusted to verify which content. Because of these issues, NDN does not force routers to verify content signatures, which makes the architecture susceptible to content poisoning attacks. This paper explores root causes of, and some cures for, content poisoning attacks in NDN. In the process, it becomes apparent that meaningful mitigation of content poisoning is contingent upon a network-layer trust management architecture, elements of which we construct while carefully justifying specific design choices. This work represents the initial effort towards comprehensive trust management for NDN.

Qing Li,Zongyi Zhao,Mingwei Xu,Yong Jiang,Yuan Yang

DOI: https://doi.org/10.1016/j.comcom.2016.09.012

IF: 5.047

2016-01-01

Computer Communications

Abstract:As the popularity of content-delivery applications (e.g., YouTube) grows, the inefficiency of transmission on the Internet has emerged, since in the TCP/IP networks, routers are unaware of the passing contents and the same content might be transmitted through the same path multiple times. To solve the problem as well as other problems, a lot of Information Centric Networking (ICN) architectures, including Named Data Networking (NDN), are proposed. These architectures enable the routers to identify and cache contents. In this paper, we design an efficient and feasible scheme of caching and routing for NDN, i.e., Selective cAching and Dynamic routing (SADO). First, we propose a selective caching method that balances caching load among routers and reduces the caching redundancy dramatically. Then, we provide a scalable method to maintain routing information for the in-router cached contents. After that, a probabilistic forwarding method for requests is proposed to minimize the expected cost of fetching contents. Finally, we evaluate the performance of SADO by comprehensive simulations. The simulation results show that SADO achieves a decrease of 34% in the cost of fetching a content and a decrease of 81% in the load carried by the source servers, and a cached content is utilized 0.8 times on average. (C) 2016 Elsevier B.V. All rights reserved.

Ruichuan Chen,Eng Keong Lua,Jon Crowcroft,Wenjia Guo,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/p2p.2008.31

2008-01-01

Abstract:Poisoning attacks in the Peer-to-Peer (P2P) content sharing service have become a serious security problem on the global Internet due to the features of P2P systems such as self-organization, self-maintenance, etc. In this paper, we propose a novel poisoning-resistant security framework based on the notion that the content providers would be the only trusted sources to verify the integrity of the requested content. To provide the mechanisms of availability and scalability, a content provider publishes the information of his shared contents to a group of content maintainers self-organized in a security overlay, so that a content requestor can verify the integrity of the requested content from the associated content maintainers. Two defense functions are first carried out --- filtering out malicious activities and selecting the authentic content version. Then, the content requestor can perform the content integrity verification while downloading and take prompt protection actions to handle content poisoning attacks. To further enhance the system performance, we devise a scalable probabilistic verification scheme. The evaluation results illustrate that our framework can effectively and efficiently defend against content poisoning in various scenarios.

Syed Sajid Ullah,Insaf Ullah,Hizbullah Khattak,Muhammad Asghar Khan,Muhammad Adnan,Saddam Hussain,Noor Ul Amin,Muazzam A. Khan Khattak

DOI: https://doi.org/10.1109/ACCESS.2020.2995080

IF: 3.9

2020-01-01

IEEE Access

Abstract:Named Data Networking (NDN) is one of the future envisioned networking paradigm used to provide fast and efficient content dissemination with interest-based content retrieval, name-based routing and in-network content caching. On the one hand, this new breed of future Internet architecture is becoming a key technology for data dissemination in the IoT networks; on the other hand, NDN suffers from new challenges in terms of data security. Among them, a content poisoning attack is the most common data security challenge. The aim of this attack is to inject poisoned content with an invalid signature to the network. Therefore, to prevent NDN against possible content poisoning attack, a signature of the contents is appended to each data packet for verifications. In this paper, we propose an identity-based signature scheme for IoT-based NDN networks, with a special emphasis on content integrity and authenticity. The proposed scheme is based on the concept of the Hyperelliptic curves, which provide the same level of security as Rivest-Shamir-Adleman (RSA), Bilinear pairing and Elliptic Curve Cryptosystems (ECC) with lower-key size. The proposed scheme is subject to both formal and informal security analysis in order to show the feasibility of our scheme. Finally, the performance of the proposed scheme is analyzed via comparison with the relevant existing schemes that authenticates the superiority of our scheme in terms of security and efficiency.

Lin Yao,Zhenzhen Fan,Jing Deng,Xin Fan,Guowei Wu

DOI: https://doi.org/10.1109/tdsc.2018.2876257

2020-11-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Named Data Network (NDN), as a promising information-centric networking architecture, is expected to support next-generation of large-scale content distribution with open in-network cachings. However, such open in-network caches are vulnerable against Cache Pollution Attacks (CPAs) with the goal of filling cache storage with non-popular contents. The detection and defense against such attacks are especially difficult because of CPA's similarities with normal fluctuations of content requests. In this work, we use a clustering technique to detect and defend against CPAs. By clustering the content interests, our scheme is able to distinguish whether they have followed the Zipf-like distribution or not for accurate detections. Once any attack is detected, an attack table will be updated to record the abnormal requests. While such requests are still forwarded, the corresponding content chunks are not cached. Extensive simulations in ndnSIM demonstrate that our scheme can resist CPA effectively with higher cache hit, higher detecting ratio, lower hop count, and lower algorithm complexity compared to other state-of-the-art schemes.

computer science, information systems, software engineering, hardware & architecture

Chen He,Jiangtao Luo,Fei Zhang,Zuoqi Jiang,Mengnan Wang

DOI: https://doi.org/10.1109/hoticn.2018.8606005

2018-01-01

Abstract:Named Data Networking (NDN) is regarded as a promising architecture for the future Internet. Due to the characteristics of in-network caching and name-based routing in NDN, access control cannot be tied to a particular location, and traditional channel-based access control mechanisms are no longer viable, which brings a major challenge to the access control enforcement. To enhance content-based access control in NDN, this paper presents a per-packet protection (PPP) scheme based on a combination of public key encryption and symmetric-key cryptography, which adopts one-way hash functions to generate random cipher keys for different data packets. Furthermore, PPP using secret sharing method provides efficient and flexible access control, which supports scalability and collusion resistance. The experimental results prove that our solution introduces acceptable overheads and reduces the computation time at the users.

Wei Guo,Yu Zhang,Binxing Fang

DOI: https://doi.org/10.1007/978-981-19-9697-9_50

2023-01-01

Abstract:Named data networking (NDN) is an instance of information-centric networking (ICN) architecture that delivers data based on the data's name. NDN uses variable-length names to identify data and uses stateful forwarding to deliver packets, which makes NDN forwarders difficult to design on existing programmable data planes. In this paper, we introduce an NDN forwarding scheme based on Protocol-Oblivious Forwarding (POF). This scheme extends a stateful module in the POF architecture to implement stateful forwarding and forward NDN packets with a programmed data plane and a controller application. Packets are forwarded in a forwarder together by a POF switch, a stateful module, and a POF controller. The POF switch implements the stateless forwarding functions of NDN, such as the Forwarding Information Base (FIB) by flow tables. The stateful module implements the stateful forwarding functions, such as the Pending Interest Table (PIT) and the Content Store (CS). The POF controller implements the control functions, such as NDN routing mechanisms. We implemented a prototype by extending a POF software switch. Experimental results show that the prototype can forward NDN packets correctly and can support applications such as live video streaming.

Yong Yu,Yannan Li,Xiaojiang Du,Ruonan Chen,Bo Yang

DOI: https://doi.org/10.1109/mcom.2018.1701086

IF: 9.03

2018-11-01

IEEE Communications Magazine

Abstract:ICNs are promising alternatives to current Internet architecture since the Internet struggles with a number of issues such as scalability, mobility, and security. ICN offers a number of potential benefits including reduced congestion and enhanced delivery performance by employing content caching, simpler network configurations, and stronger security for the content. NDN, an instance of ICN, enables content delivery instead of host-centric approaches by naming data rather than host. In order to make NDN practical in the real world, the challenging issues of content security need to be addressed. In this article, we examine the architecture and content security as well as possible solutions to these issues of NDN, with a special focus on the content integrity and provenance. We propose a variety of digital signature schemes to achieve the data integrity and origin authentication in NDN for various applications, which include cost-effective signatures, privacy preserving signatures, network coding signatures, and post-quantum signatures. We also present speed-up techniques in generating signatures and verifying signatures such as pre-computation, batch verification, and server-aided verification to reduce the computational cost of the producers and receivers in NDN. A number of certificate-free trust management approaches and possible adoptions in NDN are investigated.

telecommunications,engineering, electrical & electronic

Yongkai Fan,Guanqun Zhao,Kuan-Ching Li,Bin Zhang,Gang Tan,Xiaofeng Sun,Fanglue Xia

DOI: https://doi.org/10.3390/s20041090

2020-02-17

Abstract:The trustworthiness of data is vital data analysis in the age of big data. In cyber-physical systems, most data is collected by sensors. With the increase of sensors as Internet of Things (IoT) nodes in the network, the security risk of data tampering, unauthorized access, false identify, and others are overgrowing because of vulnerable nodes, which leads to the great economic and social loss. This paper proposes a security scheme, Securing Nodes in IoT Perception Layer (SNPL), for protecting nodes in the perception layer. The SNPL is constructed by novel lightweight algorithms to ensure security and satisfy performance requirements, as well as safety technologies to provide security isolation for sensitive operations. A series of experiments with different types and numbers of nodes are presented. Experimental results and performance analysis show that SNPL is efficient and effective at protecting IoT from faulty or malicious nodes. Some potential practical application scenarios are also discussed to motivate the implementation of the proposed scheme in the real world.

Junxiao Shi,Teng Liang,Hao Wu,Bin Liu,Beichuan Zhang

DOI: https://doi.org/10.1145/2984356.2984358

2016-01-01

Abstract:In Named Data Networking (NDN) content consumers request data by names instead of sending requests to specific destination addresses. This fits shared media particularly well for benefits such as native multicast, mobility support, and fault tolerance. However, since current network interface cards only filter packets based on destination addresses, all NDN packets have to be delivered to software for name-based filtering, resulting in significant CPU overhead. We propose NDN-NIC, a network interface card that filters packets based on their content names, to minimize the CPU overhead while running NDN over shared media. This paper tackles NDN-NIC's main research challenge: using the limited amount of on-chip memory (in tens of kilobytes) to support packet filtering based on a large number of rulesets (in hundreds of thousands). We use Bloom filters to store various name tables on NDN-NIC, and design a number of mechanisms to further adjust the name prefixes that go into the Bloom filters, minimizing false positives under given memory limit. Using traffic traces collected from a department network, simulations show that NDN-NIC with 16KB of memory can filter out 96.30% of all received packets and reduce the main CPU usage by 95.92%.

Tengchao Ma,Changqiao Xu,Shujie Yang,Yiting Huang,Xiaohui Kuang,Hong Tang,Luigi Alfredo Grieco

DOI: https://doi.org/10.1002/int.22934

IF: 8.993

2022-05-29

International Journal of Intelligent Systems

Abstract:A new class of poisoning attacks has recently emerged targeting the client‐side Domain Name System (DNS) cache. It allows users to visit fake websites unconsciously, thereby revealing their information, such as passwords. However, the current DNS defense architecture does not include DNS clients. Although relative encryption solutions can mitigate this attack, they require the cooperation of multiple parties, and the deployment speed is slow. Therefore, we propose an intelligent‐driven proactive defense strategy. First, we model the offensive and defensive process as a stochastic game based on moving target defense. Second, we adopt and optimize Proximal Policy Optimization (PPO), a deep reinforcement learning method, to solve problems caused by uncertain attack strategies and unknown state transition probability. Third, we design a self‐checking component in PPO to solve the uncertainty of action space caused by game state constraints based on our previous work. Thus the convergence speed and stability of PPO are improved. Finally, to the best of our knowledge, we are the first to game with intelligent attackers besides three conventional ones. Our strategy does not require any modifications to the DNS architecture. Through an extensive experimental campaign, the prototype system is proved to be effective against multiple attack modes. Its success rate is 98.5% approximately, and network round‐trip time is about 55 ms. Even for random attackers, our method can achieve the theoretical maximum defensive success rate.

computer science, artificial intelligence

Kunpeng Ding,Jiayu Yang,Jiangping Han,Bobo Wang,Ruidong Li,Kaiping Xue

DOI: https://doi.org/10.1109/iwqos57198.2023.10188736

2023-01-01

Abstract:As a promising implementation of Information Centric Networking, Named Data Networking (NDN) can facilitate content distribution with in-network caching and location-independent data access. However, the reliance on caches makes NDN vulnerable to content poisoning attacks, which waste network resources and decrease transmission efficiency. Most mitigating schemes follow the pattern that each content is repeatedly verified individually in each router and all producers have the same status, which wastes computation resources and degrades network performance. In this paper, we propose a Reputation-based Probabilistic Batch Verification (RPBV) scheme to address the issue, in which producers’ reputation is estimated according to verification results to distinguish different producers. We provide an adaptive probabilistic verification method based on reputation to avoid a lot of unnecessary verification operations. At the same time, we adopt an efficient batch verification algorithm to simultaneously verify multiple content, which reduces the overhead greatly. With the above mechanisms implemented only on the edge router to avoid repeated verification, we provide an optional probabilistic verification method on intermediate routers to strengthen the security. The extensive simulations show that RPBV achieves much lower computation overhead and shorter content retrieval time than the traditional schemes.

Yue Li,Yingjian Liu,Haoyu Yin,Zhongwen Guo,Yu Wang

DOI: https://doi.org/10.1109/jiot.2023.3297334

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Internet of Underwater Things (IoUT) needs to maintain effective communication even under the circumstances of severe environments and limited energy. Named Data Networking (NDN), a future network architecture, is starting to be used for IoUT as an effective architecture implementation. Despite having a good performance of data transmission, Underwater Named Data Networking (UNDN) nevertheless faces some security risks, such as Denial-of-Service (DoS) brought by Interest Flooding Attacks (IFAs). This paper proposes a novel DoS attack, Synergetic Denial-of-Service (SDoS), which can cause hiding damages to router’s Content Store (CS), Pending Interest Table (PIT), and Forwarding Information Base (FIB). We not only study the basic synergetic attack model of SDoS but also analyze some possible attack variants. Simulation results illustrate that SDoS entirely invalidates the only IFA detection algorithm in UNDN. Compared to ordinary IFAs, SDoS attacks increase network traffic fourfold. Furthermore, we discover a unique infection problem in UNDN and propose a countermeasure named Trident, which has meticulously designed adaptive threshold, Double Trial for attacker identification, and a self-proving mechanism based on leaky bucket. Experiment results demonstrate that Trident can detect and resist not only IFAs but also SDoS attacks effectively. Meanwhile, Trident also achieves good defense performance on the variants of SDoS and can take on burst traffic and network congestion robustly.

computer science, information systems,telecommunications,engineering, electrical & electronic