
Author: 賴孟泫 (Meng-Hsuan Lai)
Thesis Title: 一個有效防範命名資料網路下興趣洪水攻擊機制 (An Efficient Anti-Interest Flooding Attack Mechanism for Named Data Networking)
Advisor: 羅乃維 (Nai-Wei Lo)
Committee: 楊傳凱 (Chuan-Kai Yang), 賴源正 (Yuan-Cheng Lai)
Degree: Master
Department: College of Management, Department of Information Management
Thesis Publication Year: 2020
Graduation Academic Year: 108
Language: English
Pages: 75
Keywords (in Chinese): 命名資料網路, 以內容為中心, 保證金機制, 洪水攻擊
Keywords (in other languages): Named Data Networking, deposit-based mechanism, Content-Centric Networking, Interest Flooding Attack

As technology advances day by day, the Internet of Things, blockchain and other technologies have been introduced one after another, and the related products and services have become increasingly widespread. Social media (such as YouTube, Netflix and Facebook) has flourished, and the number of devices such as smartphones and wearables has grown explosively in recent years. All of these products and services fundamentally rely on data transmission over the network. However, the traditional network architecture easily overloads a single node with traffic, because in a traditional network a connection is established point to point, whereas what is really wanted is the content itself. Data-centric networking has therefore become a hot topic in recent years: Named Data Networking (NDN) was selected in 2010 for the Future Internet Architecture (FIA) project of the U.S. National Science Foundation (NSF). NDN is an emerging future network architecture centered on content, in which every piece of content has a unique, identifiable name. NDN has two kinds of packets, Interest packets and Data packets, and two roles, consumers and producers. A consumer requests content by sending an Interest packet; when the Interest packet reaches a producer, the producer generates a Data packet, which returns to the consumer along the original path. However, a malicious attacker can congest the entire network by sending large numbers of Interest packets; this attack is known as an Interest Flooding Attack (IFA). To defend against it, we propose a deposit-based mechanism: when a consumer makes a request it must pay a certain amount as a deposit; the deposit is refunded when the Data packet arrives at the consumer, and it is not refunded if the request expires. Experiments show that the proposed deposit mechanism is effective: the Interest Satisfaction Ratio (ISR) recovers quickly after an attack and stays above 0.8. We also propose an advanced attack model, under which our mechanism still defends against the attack effectively.


With the development of technology, more and more information technologies have been proposed. However, all of these new technologies and social media rely on data transfer, e.g., YouTube, Facebook and Netflix. Therefore, a more efficient network architecture is needed. Named Data Networking (NDN) is an entirely new network architecture designed to meet the demands of these new technologies. Every content item in NDN has a unique name. The consumer requests content with an Interest packet, and the response is a Data packet sent from the content provider. However, the Interest Flooding Attack (IFA), in which massive numbers of Interest packets are sent to overwhelm the network, is a major threat in NDN. We therefore propose an Anti-Interest Flooding Attack Mechanism (AIFAM) against IFA. To distinguish malicious nodes from legitimate nodes, the mechanism is deposit-based: a consumer must pay a deposit when it wants to send an Interest packet. The deposit is returned after the Data packet is received; if the Interest packet is not satisfied within its lifetime, the deposit is not returned. The experimental results show that AIFAM is an efficient countermeasure: the Interest Satisfaction Ratio (ISR) rises rapidly after the network suffers an IFA. AIFAM is thus an effective countermeasure against IFA with both non-existent content requests and dynamically generated content requests, under both the basic attack and the advanced attack.
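A minimal model of the deposit accounting the abstracts describe, written here as an added example (not the thesis's own code or its simulator): a deposit is withdrawn from the consumer's virtual-money account when an Interest is accepted, reimbursed when the matching Data arrives, forfeited when the Interest lifetime expires, and an Interest whose deposit cannot be covered is discarded. The flat pricing function, the starting balances, the tick-based lifetime and the constructed traffic are assumptions, and the refill mechanism is omitted.

```python
from dataclasses import dataclass, field
@dataclass
class Account:
    balance: float        # virtual money available for deposits
    sent: int = 0         # interests accepted into the PIT
    satisfied: int = 0    # interests answered by a Data packet
    discarded: int = 0    # interests rejected for lack of deposit

@dataclass
class DepositRouter:
    price: float          # flat deposit per interest (assumed pricing function)
    lifetime: int         # interest lifetime in simulation ticks
    accounts: dict        # consumer id -> Account (the deposit table)
    pit: dict = field(default_factory=dict)  # (consumer, name) -> (deposit, expiry)

    def on_interest(self, cid, name, now):
        acct = self.accounts[cid]
        if acct.balance < self.price:    # discarding process: cannot cover deposit
            acct.discarded += 1
            return False
        acct.balance -= self.price       # withdraw the deposit from the account
        self.pit[(cid, name)] = (self.price, now + self.lifetime)
        acct.sent += 1
        return True
    def on_data(self, cid, name):
        entry = self.pit.pop((cid, name), None)
        if entry is None:                # no pending interest: nothing to reimburse
            return False
        self.accounts[cid].balance += entry[0]   # reimbursement on satisfied interest
        self.accounts[cid].satisfied += 1
        return True
    def expire(self, now):
        dead = [k for k, (_, exp) in self.pit.items() if exp <= now]
        for k in dead:
            del self.pit[k]              # lifetime exceeded: deposit forfeited
        return len(dead)

def isr(acct):  # Interest Satisfaction Ratio for one consumer
    return acct.satisfied / acct.sent if acct.sent else 0.0
def simulate(ticks=10, price=1.0, lifetime=2, start=5.0):
    # Constructed traffic: a legitimate consumer whose content exists (answered in
    # the same tick) and an attacker flooding three non-existent names per tick.
    r = DepositRouter(price, lifetime, {"legit": Account(start), "attacker": Account(start)})
    for t in range(ticks):
        r.expire(t)
        r.on_interest("legit", f"/video/seg{t}", t)
        r.on_data("legit", f"/video/seg{t}")
        for i in range(3):
            r.on_interest("attacker", f"/bogus/{t}/{i}", t)
    return r.accounts
```

With these parameters the attacker exhausts its balance during the second tick and every later Interest is discarded before reaching the PIT, while the legitimate consumer keeps its full balance and an ISR of 1.0.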

Table of Contents
Abstract (Chinese)
Abstract
Acknowledgement
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
    1.1 NDN Overview
    1.2 NDN History
    1.3 Details in NDN Architecture
        1.3.1 Name
        1.3.2 Route
        1.3.3 Cache
        1.3.4 Security
    1.4 Research Objective
Chapter 2 Related Work
    2.1 Packet Information Based
    2.2 PIT and ISR Based
    2.3 Others
Chapter 3 Proposed Mechanism
    3.1 Deposit-Based Control Function
        3.1.1 Pricing function
        3.1.2 Deposit table
        3.1.3 Withdrawing virtual money from account
        3.1.4 Reimbursement
        3.1.5 Discarding process
        3.1.6 Refill Mechanism
    3.2 Type of Malicious Request
    3.3 Attack Model
Chapter 4 Experiment and Analysis
    4.1 Experiment and Simulation Parameters
    4.2 Configuring Parameters of AIFAM
    4.3 Result and Analysis
        4.3.1 Different number of malicious nodes
        4.3.2 Effectiveness in AIFAM and CRHMM
        4.3.3 Applying AIFAM in realistic network topology
Chapter 5 Conclusion and Future Work
Reference

