
Research On The Namespace Management And Content Poisoning Attacks In Named Data Networking

Posted on: 2022-04-25
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P F Yue
GTID: 1488306731492624
Subject: Computer application technology

Abstract/Summary:
As a specific implementation of Information-Centric Networking (ICN), Named Data Networking (NDN) attempts to solve various problems faced by the current Internet with a brand-new design. The name-based forwarding mechanism of NDN uses names to forward consumers' interest packets and the data packets that producers send in reply. Theoretically, the name space in NDN is unbounded, which eliminates the address exhaustion problem. The caching mechanism in NDN enables nodes in a network to cache data packets while forwarding them. The cached data packets satisfy interest packets from other consumers and distribute data efficiently. In NDN, a producer attaches a signature to a data packet to achieve content-based security. Since the current name space management mechanism in NDN does not include authorization of content publishing, forwarding nodes have to abandon the verification of data packets when forwarding. Attackers in the network intercept consumers' interest packets by publishing forged data packets, destroying the availability of the network. This attack is named the Content Poisoning Attack (CPA). The research work of this dissertation focuses on the name space management mechanism, the mitigation of the Content Poisoning Attack, and related attack variants in NDN. This dissertation has made four achievements, which are described below:

1. Namespace Management Mechanism based on Authorized Publishing

In this dissertation, a name space management mechanism named Register Before Publish (RBP), which incorporates authorized content publishing, is proposed. By providing credentials for the publishing right of name spaces, it solves the problem that forwarding nodes cannot verify the identity of the producer. The producer registers with the RBP by obtaining the authorization for content publishing (RBP Binding), and the forwarding node verifies a data packet by checking that the RBP Binding carried in the interest packet sent by the consumer is consistent with the one in the data packet returned by the producer. The RBP Binding is provided as a string output by a cryptographic hash function, which ensures low overhead and security during query and transmission. The RBP follows NDN's data-centric design philosophy, and generates a certain amount of network traffic only during the producer registration phase and the consumer query phase. When data packets are forwarded in a network, all forwarding nodes use the authorization credentials to confirm the identity of the producer without repeated verifications.

2. Mitigate Content Poisoning Attack Launched by Border Hosts

With RBP deployed in the network, this dissertation proposes an attack mitigation strategy (Smart-Forwarding) that combines verification and warning by border forwarding nodes. The border forwarding nodes of a network verify the RBP Bindings of data packets, intercept forged data packets, and send warnings to their upstream neighbors. The forwarding nodes that have received warnings isolate the attacker by adjusting the forwarding path of interest packets. Temporary forwarding suppression and the restart of the suspicious forwarding interface by flooding provide forwarding path discovery for legitimate producers.

3. Mitigate On-path Content Poisoning Attack

For the On-path Content Poisoning Attack, this dissertation proposes an attack defense strategy based on the Kalman filter algorithm. When the core network is insecure, forwarding nodes rely on random checks of the legitimacy of data packets to mitigate attacks. Better mitigation of this kind of attack is achieved by increasing the probability of random checks, which brings greater overhead. To reduce the verification overhead, this dissertation uses the Kalman filter algorithm to fuse the legal rate of the data flow obtained by random checks with neighbors' recommendations, and the output is used as the basis for ranking forwarding interfaces. The attacker is isolated by lowering the rank of the forwarding interface that leads to the attacker. This dissertation also designs reward and punishment functions to encourage true and accurate recommendations and to increase the risk of providing false ones.

4. Mitigate Random Content Poisoning Attack

For the Random Content Poisoning Attack, this dissertation proposes an attack defense strategy that combines offline attack feature extraction and online attack interception. The names in interest packets reveal some information about the applications that sent them, and an attacker selectively intercepts important interest packets with a greater probability. This variant of CPA is named the Random Content Poisoning Attack (RCPA); the random attack mode reduces the intensity of the attack while also concealing the attacker's behavior. Based on an analysis of the name space composition of interest packets on a forwarding node, this dissertation models the RCPA. Since an attacker's behavior changes the forwarding state of a forwarding node, this dissertation uses the Information Gain Ratio to extract attack features from forwarding states. To reduce the cost of sampling verification, the attack features are used as a priori conditions for detecting the attack, and a dynamic sampling rate is used to improve the sampling part of the previously proposed attack mitigation strategy based on the Kalman filter.
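
The fusion step described under the on-path attack mitigation (and reused by the random-attack defense) can be shown as a scalar Kalman filter kept per forwarding interface. This is an added example, not code from the dissertation; the random-walk model, the priors and noise variances, the face IDs and the sample rounds are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FaceEstimate:
    """Scalar Kalman state for the legal rate of data arriving on one face."""
    x: float = 0.5    # estimated fraction of legitimate data packets (assumed prior)
    p: float = 0.25   # variance of that estimate (assumed prior)

    def predict(self, q: float = 0.01) -> None:
        # Assumed random-walk model: the rate may drift, so uncertainty grows by q.
        self.p += q

    def update(self, z: float, r: float) -> None:
        # Standard scalar Kalman update for a measurement z with variance r.
        k = self.p / (self.p + r)
        self.x += k * (z - self.x)
        self.p *= 1.0 - k

def sample_variance(valid: int, checked: int) -> float:
    # Binomial variance of a sampled proportion, floored so that an all-valid or
    # all-forged sample (variance 0) is never treated as a perfect measurement.
    rate = valid / checked
    return max(rate * (1.0 - rate) / checked, 1e-3)

def fuse_round(est, valid, checked, recommendation, r_neighbor=0.05):
    """Fuse one round of random checks and an optional neighbor recommendation."""
    est.predict()
    if checked:
        est.update(valid / checked, sample_variance(valid, checked))
    if recommendation is not None:
        est.update(recommendation, r_neighbor)  # r_neighbor is an assumed trust level
    return est.x

# Constructed sample: face id -> rounds of (valid, checked, neighbor recommendation).
ROUNDS = {
    256: [(10, 10, 0.95), (9, 10, 0.90), (10, 10, None)],
    257: [(2, 10, 0.90), (1, 10, 0.30), (0, 10, 0.20)],   # first recommendation is false
    258: [(7, 10, 0.70), (6, 10, None), (8, 10, 0.75)],
}

def rank_faces(rounds=ROUNDS):
    """Return (face ids ordered best first, final estimates per face)."""
    estimates = {face: FaceEstimate() for face in rounds}
    for face, history in rounds.items():
        for valid, checked, rec in history:
            fuse_round(estimates[face], valid, checked, rec)
    ranking = sorted(estimates, key=lambda f: estimates[f].x, reverse=True)
    return ranking, estimates

if __name__ == "__main__":
    order, est = rank_faces()
    for face in order:
        print(face, round(est[face].x, 3))
```

In the constructed data, the false recommendation for face 257 raises its estimate only briefly, because the sampled checks carry a smaller variance and pull it back down in later rounds.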
Keywords/Search Tags:Named Data Networking, Name Space Management, Content Poisoning Attack, Kalman Filter, Attack Model, Machine Learning