In order to effectively detect interest flooding attack (IFA) in Named Data Networking (NDN), this paper proposes a detection method for interest flooding attack based on the chi-square test and a similarity test. Firstly, it determines the detection window size from the distribution of information name prefixes (that is, the information entropy) in the current network traffic. Attackers may append an arbitrary random suffix to a certain prefix in the network traffic and then send a large number of interest packets that cannot get a response. Targeted at this problem, the sensitivity of the chi-square test is used to detect changes in the prefixes of interest packets. Interest packets initiated by IFA attackers are usually attached to a real prefix, but carry a randomly generated suffix. Taking this into account, the similarity of interest packet prefixes is further tested. Finally, the detection results of the two tests are combined to determine whether an interest flooding attack has occurred. In addition, according to the symmetric routing characteristic of the Pending Interest Table (PIT), we also send forged interest packets back to the attacker and then restrict the corresponding port of the attacker, so as to effectively suppress the IFA. The experimental results show that the proposed method can not only detect IFA in NDN at the beginning of the attack, but is also more accurate and effective than other methods.
Named Data Networking (NDN) is a typical implementation of Information Centric Networking (ICN) [
In terms of security, although NDN can effectively shield against the Denial of Service (DoS) attacks of traditional networks, it can do nothing about Interest Flooding Attack (IFA). Attackers can deplete the Pending Interest Table (PIT) and computing resources by sending a large number of malicious interest requests for non-existent content, thus causing network service interruption in a short time and giving them a great attack and destructive capability against NDN [
For the above reasons, research on the detection and defense of interest flooding attacks that NDN may suffer is forward-looking and of great significance for promoting the development of NDN and enhancing its security.
In order to prevent criminals from launching interest flooding attacks on NDN and improve the security detection and defense capabilities of NDN, this paper proposes a bilateral detection method of interest flooding attack, which combines chi-square test and similarity test. This method can not only realize the early detection of IFA, but also ensure the validity and accuracy of detection.
The contributions of this study are summarized as follows: (1) The chi-square test method is applied to IFA detection in NDN. The sensitivity of the chi-square test is used to perceive subtle changes in interest packet traffic, thereby improving the sensitivity of IFA detection and discovering possible attacks in time. (2) In order to judge the possible existence of IFA more accurately, the similarity of interest packet traffic is further tested. This step effectively improves the accuracy of IFA detection and reduces the misjudgment of attacks caused by normal network fluctuations. (3) The sliding window method is applied to sample the network traffic data, ensuring the timeliness and rationality of data sampling. (4) NDN attack behavior is discriminated based on the combined detection results of the chi-square test and the similarity test.
In order to realize fast and accurate detection of IFA in NDN, researchers have proposed several effective methods, which are mainly divided into two categories.
The first category is the detection methods based on the abnormal change of PIT state after IFA. Based on statistics of the interest packets entering and leaving the PIT, IFA is detected and a push-back mechanism is applied to notify other routers that the router receiving the message no longer accepts any interest packets under the malicious prefix, thus preventing the spread of the attack [
Literature Afanasyev et al. [
In summary, this category of methods mainly advocates detecting IFA based on the change of PIT state after the attack, which has a certain accuracy. However, by the time the PIT state changes, the attack may already have occurred, or even become a large-scale attack, so this category of methods has a certain delay.
The second IFA detection method is based on the change of network traffic characteristics. Literature Compagno et al. [
Based on the research status of the above two categories of methods at home and abroad, it can be found that although these methods have a certain detection effect on IFA, there is still no effective solution for distinguishing between large fluctuations of normal traffic and real attack traffic. A surge of normal data traffic in the network will also lead to false positives, thus affecting the accuracy of IFA detection. Therefore, improving the accuracy of IFA detection while ensuring the detection rate and reducing misjudgment is of great significance for improving the performance of the whole NDN system.
In NDN, the Interest packet and Data packet are the basic units used to transmit information [
IFA attackers take advantage of this feature of NDN: a large number of malicious interest packets with real content name prefixes but forged suffixes are injected into the network, so that invalid interest packets are continuously forwarded at each node, depleting the PIT resources of the routers and leaving the PIT unable to accept the interest packets of legitimate users, which causes network congestion and even paralysis. On the one hand, attackers can easily attack by forging different false content names without using many network resources; on the other hand, the interest packets sent by attackers all fall under the same prefix and avoid repeated requests as far as possible, so as to disrupt the lookup and aggregation of information names to the greatest extent, thus affecting the normal work of router nodes and causing great damage to the network.
The overall architecture of interest flooding attack detection in named data network designed in this paper is shown in
The process of interest flooding attack detection is divided into the following parts: (1) Data acquisition and processing module. This module regularly collects traffic data, extracts complete information name prefixes from the collected interest packets and stores them, providing the data for the chi-square traffic determination and the similarity test. (2) Flow anomaly detection module. This module calculates the chi-square value of the collected data; when the chi-square value exceeds the set threshold, it indicates that there is a flow anomaly and a suspected IFA. (3) Bilateral detection and IFA discrimination module. This module tests the similarity of the traffic alongside the traffic anomaly detection and determines whether there is an interest flooding attack based on the results of the chi-square calculation and the similarity calculation. (4) IFA alarm and defense module. This module raises the IFA alarm according to the above judgment and takes the corresponding defense measures to inhibit the IFA.
In the process of IFA detection, it is particularly important to determine the size of the detection window, since the window value has a great impact on the detection results. If the window is too large, the attack may already be large-scale by the time it is detected, so the attack behavior cannot be detected early. If the window is too small, the traffic distribution obtained will be inaccurate. Thus, it is essential to select an appropriate window size to obtain the current traffic information.
According to Shannon’s theory [
Based on the above theory, we can determine the size of the window according to the distribution of information name prefixes in the current network traffic. Using the method of information entropy, we use a larger window when the prefix distribution is complex (the information entropy value is large) and a smaller window when the prefix distribution is simple (the information entropy value is small).
According to Shannon’s theory, the calculation method of information entropy is shown in
where r refers to r independent events in the information sequence, which in this paper represents the number of interest packets received in the network within each window;
In order to obtain the distribution of network traffic under normal network conditions, we only need to record the information names passing through the PIT. In this paper, a counter is added to record all information names, their prefixes and their occurrence counts as they pass through the PIT. The counter is located in front of the whole PIT and is completely transparent to the data flow: it makes no modification to interest packets or data packets and only records data. Moreover, the counter records only the prefix and count of incoming information, not the specific content, so it has little demand for storage space. The process of construction is shown in
When the detection module is started, the detection window is determined. The occurrence time and corresponding probabilities of interest packet prefixes in the counter at this time are recorded. Because of the randomness of network traffic, the total number of prefixes recorded in the counter is different every time the detection window is calculated, so only the first n information prefixes with the highest occurrence times are recorded, and the probability is recorded as
Since the value interval of
Too many or too few interest packets selected in the window may lead to a large deviation between the actual flow distribution and the theoretical flow distribution, which will further affect the detection effect of the detection model proposed in this paper. Therefore, in the specific determination of window size, we select the appropriate detection window size by comparing IFA detection effects under different windows through experiments.
In order to improve the accuracy of subsequent window selection, after each detection obtains the required window size, all data in the counter are emptied and recorded again.
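The counter and the entropy-driven window selection described above, written out as an added example (this is not the paper's own code). It assumes that an NDN name is a '/'-separated string whose prefix is everything except the last component (the component an attacker randomises), that the n most frequent prefixes in the counter feed the entropy, and that the window size is interpolated linearly between the paper's smaller (100-packet) and larger (200-packet) windows according to the normalised entropy H / log2(n); the interpolation rule is an assumption, as the paper fixes the two bounds experimentally.

```python
"""Prefix counter in front of the PIT and entropy-based detection window sizing.

Added example, not the paper's own code. Assumptions: an NDN name is a
'/'-separated string whose prefix is everything but the last component (the
component an IFA attacker randomises); the top-n prefixes of the counter feed
the entropy; the window size is interpolated linearly between the paper's
smaller (100) and larger (200) windows according to H / log2(n).
"""
from collections import Counter
import math

W_MIN, W_MAX = 100, 200   # the paper's chosen smaller/larger window sizes
TOP_N = 10                # assumption: how many top prefixes are recorded


def name_prefix(name):
    """Return the prefix of an NDN name (the name without its last component)."""
    comps = [c for c in name.split("/") if c]
    return "/" + "/".join(comps[:-1]) if len(comps) > 1 else "/" + "/".join(comps)


class PrefixCounter:
    """Transparent counter: records prefix and occurrence count only; it never
    modifies or stores the interest or data packets themselves."""

    def __init__(self):
        self.counts = Counter()

    def observe(self, name):
        self.counts[name_prefix(name)] += 1

    def top_probabilities(self, n=TOP_N):
        """Probabilities of the n most frequent prefixes, normalised among themselves."""
        top = self.counts.most_common(n)
        total = sum(c for _, c in top)
        return {p: c / total for p, c in top}

    def reset(self):
        """Emptied after each window determination, as the paper prescribes."""
        self.counts.clear()


def entropy(probs):
    """Shannon entropy in bits of a probability mapping."""
    return -sum(p * math.log2(p) for p in probs.values() if p > 0)


def window_size(counter, n=TOP_N):
    """Map prefix-distribution entropy to a window size in [W_MIN, W_MAX]."""
    probs = counter.top_probabilities(n)
    if len(probs) <= 1:          # a single prefix: zero entropy, smallest window
        return W_MIN
    h_norm = entropy(probs) / math.log2(len(probs))   # 0 (simple) .. 1 (complex)
    return round(W_MIN + (W_MAX - W_MIN) * h_norm)


def size_for_names(names, n=TOP_N):
    """Feed a list of names to a fresh counter and return the resulting window size."""
    counter = PrefixCounter()
    for name in names:
        counter.observe(name)
    return window_size(counter, n)
```

With all names under one prefix the entropy is zero and the smallest window (100) is chosen; with four equally popular prefixes the normalised entropy is 1 and the largest window (200) is chosen; skewed distributions land in between.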
When an IFA is launched, the attacker attaches an arbitrary random suffix to a prefix in the network traffic and then sends a large number of interest packets that cannot be responded to. In this situation, the large number of interest packets converge under a certain prefix. Due to this convergence of traffic, the number of PIT entries in network nodes close to content providers or in central locations increases rapidly, resulting in PIT overflow, with central nodes denying service and becoming unable to respond to legitimate interest requests. To solve this problem, this paper uses the chi-square test method to detect IFA that may occur.
Chi-square test is a widely used hypothesis test method, which belongs to the category of nonparametric test. It aims to detect the deviation degree between the actual observation value and the theoretical calculation value of statistical samples [
This paper uses this principle to detect interest flooding attacks. Under normal network traffic, assuming that the probability of prefix occurrence for each interest packet is equal, the chi-square value will fluctuate within a fixed range. When IFA occurs, the network traffic will show a very high proportion of interest packets under a certain prefix, and the chi-square value calculated from it will rise sharply. According to the chi-square value, we can discern the existence of IFA.
The specific detection scheme is as follows: extract all interest packet information from the detection window, extract complete information name prefixes from these interest packets, and put them into W set:
where,
where,
Interest packets launched by IFA attackers are usually attached to a real prefix but carry randomly generated suffixes; the excessive number of such interest packets destroys the distribution probability of information names observed under normal conditions, thus changing the similarity of interest packet information name prefixes. Therefore, we can detect IFA through the similarity changes of interest packet information name prefixes in different time periods.
The prefix similarity test method of interest packet designed in this paper is as follows:
By counting the prefix distribution of interest packets in adjacent time periods (windows)
List all interest packet prefixes and arrival times arriving at PIT in
According to the prefix of each interest packet in
The correlation coefficient is calculated for the obtained two groups of percentage data to obtain the similarity of network traffic in
Firstly, the covariance (
Then, according to the flow distribution in each time period, the variance
The similarity value
The closer the value of
Statistics of these data are carried out at regular intervals, and by comparing the similarity of the data in adjacent time windows, the changes in the flow distribution of adjacent time windows are found. When the similarity coefficient
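The chi-square test over one window and the similarity test between two adjacent windows, combined into the bilateral decision, as an added example covering both the chi-square section and the similarity section above (not the paper's own code). It assumes a window is a list of prefix strings (one per interest packet), that the chi-square expected frequency is uniform over the distinct prefixes in the window (the equal-probability assumption stated in the text), and that similarity is the Pearson correlation coefficient of the prefix percentages of the two windows over the union of their prefixes. The chi-square threshold of 10 is the value the paper's experiments arrive at; the similarity threshold of 0.5 is an assumed placeholder, and the two sample windows are constructed, not measured.

```python
"""Chi-square test and similarity test over interest-packet prefix distributions,
combined into the paper's bilateral decision.

Added example, not the paper's own code. Assumptions: a window is a list of
prefix strings (one per interest packet); the chi-square expected frequency is
uniform over the distinct prefixes in the window (the equal-probability null
hypothesis stated in the text); similarity is the Pearson correlation of prefix
percentages in two adjacent windows over the union of their prefixes; the
chi-square threshold 10 is the paper's experimental value, the similarity
threshold 0.5 is an assumed placeholder.
"""
from collections import Counter
import math

CHI2_THRESHOLD = 10.0   # paper's experimental threshold
SIM_THRESHOLD = 0.5     # assumption: not taken from the paper


def expand(counts):
    """Build a window (list of prefixes) from a prefix -> count mapping."""
    return [p for p, c in counts.items() for _ in range(c)]


# Constructed sample windows of 100 interest packets each (not measured data).
NORMAL_WINDOW = expand({"/edu/ucla/news": 28, "/edu/ucla/video": 26,
                        "/edu/ucla/music": 24, "/edu/ucla/research": 22})
ATTACK_WINDOW = expand({"/edu/ucla/news": 7, "/edu/ucla/video": 7,
                        "/edu/ucla/music": 7, "/edu/ucla/research": 79})


def chi_square(window):
    """Sum of (O - E)^2 / E with E = N / k for the k distinct prefixes in the window."""
    counts = Counter(window)
    k, n = len(counts), len(window)
    if k == 0:
        return 0.0
    expected = n / k
    return sum((o - expected) ** 2 / expected for o in counts.values())


def percentages(window):
    """Share of the window's packets carried by each prefix."""
    n = len(window)
    return {p: c / n for p, c in Counter(window).items()} if n else {}


def similarity(win_a, win_b):
    """Pearson correlation coefficient of the two windows' prefix percentages."""
    pa, pb = percentages(win_a), percentages(win_b)
    keys = sorted(set(pa) | set(pb))
    xs = [pa.get(k, 0.0) for k in keys]
    ys = [pb.get(k, 0.0) for k in keys]
    m = len(keys)
    if m < 2:
        return 1.0
    mx, my = sum(xs) / m, sum(ys) / m
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / m
    var_x = sum((x - mx) ** 2 for x in xs) / m
    var_y = sum((y - my) ** 2 for y in ys) / m
    if var_x == 0 or var_y == 0:     # a perfectly flat distribution has no variance
        return 1.0 if xs == ys else 0.0
    return cov / math.sqrt(var_x * var_y)


def bilateral_detect(prev_window, cur_window,
                     chi2_threshold=CHI2_THRESHOLD, sim_threshold=SIM_THRESHOLD):
    """Flow anomaly if chi-square exceeds its threshold; IFA only if, in addition,
    the similarity with the previous window has dropped below its threshold."""
    chi2 = chi_square(cur_window)
    sim = similarity(prev_window, cur_window)
    anomaly = chi2 > chi2_threshold
    return {"chi2": chi2, "similarity": sim,
            "anomaly": anomaly, "ifa": anomaly and sim < sim_threshold}


if __name__ == "__main__":
    print(bilateral_detect(NORMAL_WINDOW, NORMAL_WINDOW))
    print(bilateral_detect(NORMAL_WINDOW, ATTACK_WINDOW))
```

For the constructed windows the chi-square value is 0.8 in the normal window and 155.52 in the attack window, and the similarity between the normal and attack windows is negative, so only the second pair is classified as IFA. Note that the uniform expected frequency makes the chi-square value depend on how skewed normal traffic already is, which is why the paper calibrates the threshold experimentally rather than deriving it.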
Since the PIT uses symmetric routing, that is, data packets take the same path as their corresponding interest packets but in the opposite direction, we can use this feature to trace forged interest packets back to the attacker and restrict the corresponding port of the attacker, thus effectively suppressing IFA.
The specific design scheme is as follows: when a node detects IFA, it quickly locates the first information name prefix in the counter (i.e., the prefix containing the largest number of interest packets); the node then sends out false data packets for the interest packets under that prefix, which are forwarded back to the initiator by looking up the PIT at each intermediate node. When a false packet arrives at the edge router, the edge router finds the host to which the attacker is connected from the interface on which the interest packet arrived. The edge router then restricts the transmission of interest packets from that interface by discarding the interest packets it receives on it. The specific implementation process is shown in
As a result, the corresponding PIT entries in the nodes through which malicious interest packets pass will be satisfied by false data packets, and these PIT entries will be deleted, freeing up space to meet the interest requests of normal users. At the same time, because the sending of malicious interest packets is restricted from the root, malicious interest packets will not spread in the network, thus inhibiting IFA.
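The trace-back defense described in the two paragraphs above, modelled as an added example (not the paper's code or an ndnSIM module). The model assumes a line topology of attacker host, edge router, core router and a router next to the content provider; each PIT entry stores only the face on which the interest arrived; the detecting node generates a false data packet for every pending name under its top counter prefix, which follows the PIT entries back hop by hop, satisfying and deleting them; the edge router restricts the face on which the matching interest arrived and drops later interests from it. All names and faces are constructed.

```python
"""Trace-back defence using the PIT's symmetric routing.

Added example, not the paper's code. Model assumptions: routers form a line
attacker -> edge -> core -> near-provider; a PIT entry stores only the incoming
face; the detecting node sends a false data packet for every pending name under
its top prefix; the false data follows PIT entries back and deletes them; the
edge router blocks the face the matching interest arrived on.
"""
from collections import Counter


def prefix_of(name):
    """Prefix = name without its last component (the part an attacker randomises)."""
    comps = [c for c in name.split("/") if c]
    return "/" + "/".join(comps[:-1]) if len(comps) > 1 else name


class Router:
    def __init__(self, name, is_edge=False):
        self.name = name
        self.is_edge = is_edge
        self.pit = {}             # interest name -> face it arrived on (symmetric routing)
        self.faces = {}           # face id -> neighbour Router, or a host label (str)
        self.upstream = None      # face id leading towards the content provider
        self.blocked = set()      # faces restricted by the defence (edge routers only)
        self.counter = Counter()  # prefix counter in front of the PIT
        self.dropped = 0

    def link(self, face, peer):
        self.faces[face] = peer

    def face_toward(self, router):
        return next(f for f, p in self.faces.items() if p is router)

    def receive_interest(self, name, in_face):
        if in_face in self.blocked:          # defence: discard interests from a restricted face
            self.dropped += 1
            return False
        self.counter[prefix_of(name)] += 1
        self.pit[name] = in_face
        nxt = self.faces.get(self.upstream)
        if isinstance(nxt, Router):
            nxt.receive_interest(name, nxt.face_toward(self))
        return True

    def receive_data(self, name, fake=False):
        """Data follows the PIT entry back and deletes it. For the defence's
        false data, returns the edge face the original interest came from."""
        in_face = self.pit.pop(name, None)
        if in_face is None:
            return None                      # no PIT entry: unsolicited data is dropped
        peer = self.faces[in_face]
        if isinstance(peer, Router):
            return peer.receive_data(name, fake)
        if fake and self.is_edge:
            self.blocked.add(in_face)        # restrict the port the attacker is attached to
        return in_face

    def trace_back(self):
        """On IFA detection: false data for every pending name under the top prefix."""
        top_prefix, _ = self.counter.most_common(1)[0]
        names = [n for n in list(self.pit) if prefix_of(n) == top_prefix]
        return {self.receive_data(n, fake=True) for n in names} - {None}


def run_scenario():
    """Constructed scenario: one legitimate user and one flooding host behind the edge."""
    edge, core, near = Router("R1", is_edge=True), Router("R2"), Router("R3")
    edge.link("f0", "attacker-host"); edge.link("f1", "legit-host"); edge.link("f2", core)
    core.link("f0", edge); core.link("f1", near)
    near.link("f0", core)
    edge.upstream, core.upstream = "f2", "f1"      # R3 sits next to the content provider

    edge.receive_interest("/edu/ucla/news/today", "f1")              # legitimate request
    for i in range(5):                                                # constructed IFA burst
        edge.receive_interest(f"/edu/ucla/research/rnd-{i}", "f0")

    pit_before = len(near.pit)
    traced = near.trace_back()                                        # R3 detects and pushes false data back
    retry = edge.receive_interest("/edu/ucla/research/rnd-99", "f0")  # attacker tries again
    legit = edge.receive_interest("/edu/ucla/news/later", "f1")       # legitimate user unaffected
    attack_left = sum(prefix_of(n) == "/edu/ucla/research"
                      for r in (edge, core, near) for n in r.pit)
    return {"pit_before": pit_before, "traced_faces": traced,
            "edge_blocked": set(edge.blocked), "attack_entries_left": attack_left,
            "retry_accepted": retry, "legit_accepted": legit,
            "dropped_at_edge": edge.dropped}
```

Running the scenario shows the two effects the text describes: the false data frees the PIT entries for the attacked prefix at every router on the path, and the edge router learns the attacker's face and drops its subsequent interests while the legitimate user's requests still go through.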
We use ndnSIM for simulation experiments. The ndnSIM is an open-source network simulation platform, and all NDN routing and forwarding experiments can be implemented on ndnSIM [
Main Modules | Specific Configuration |
---|---|
CPU | Intel (R) Core (TM) i5-4590 (4 cores, main frequency: 3.30 GHz) |
Memory | 8 GB |
Operating System | Ubuntu 12.04 |
System Bits | 64-bit |
ndnSIM Version | 2.3 |
The topology of the experimental network is shown in
In
The dynamic change of the window size is very important for improving the effectiveness of IFA detection. When network traffic fluctuates strongly, the distribution of interest packets under different information name prefixes is more complex; if a small window is adopted, the traffic distribution under normal conditions cannot be obtained correctly and misjudgment is likely. When the fluctuation of network traffic is small, the traffic distribution is relatively simple, so the real traffic distribution can be obtained with a small window, and the small fluctuation can then be detected by the similarity test module. Therefore, we conducted the following experiments to determine the appropriate window size. In the experiment, the number of interest packets in the window is set to [50,100], [100,200] and [200,400] respectively, and three groups of experiments are carried out to determine which group of window sizes most effectively improves IFA detection.
Proportion of attack traffic | Window Size [50,100] | Window Size [100,200] | Window Size [200,400] |
---|---|---|---|
25% | 2.47 | 2.80 | 3.32 |
50% | 1.42 | 1.69 | 2.05 |
75% | 0.81 | 0.97 | 1.26 |
Firstly, we compared the detection time. From
Secondly, we carried out a comparative experiment on the misjudgment rate. In the experiment, the running time of the system is set to 40 s and the number of network fluctuations is set to 20. The fluctuation traffic is 125% of the normal request traffic and lasts 0.5 s. A total of 10 experiments were carried out, and the experimental results are shown in
With the increase of window size, the detection range expands, and the number of interest packets contained in each window increases, thus the network traffic distribution at that time can be more accurately obtained, the misjudgment rate will also decrease. As can be seen from
Considering both detection time and detection accuracy, we use the window size [100,200] in the subsequent experiments, i.e., the smaller detection window contains 100 interest packets and the larger window contains 200 interest packets.
Here, it is necessary to determine the chi-square value of interest packet prefix under normal network traffic and IFA in NDN through experiments, to prove the sensitivity of the chi-square test method to traffic changes, and to determine the threshold of the chi-square test. The experiment increases or decreases the strength of IFA by controlling the rate values of normal network traffic and IFA traffic, thus obtaining the chi-square value changes under different attack intensities. The experimental results are shown in
Through the experiments, it can be found that the chi-square value shows an upward trend as the attack traffic increases, and at 75% attack traffic it can reach 10 times the normal chi-square value, which proves that the method is highly sensitive to IFA. Under normal network traffic, the chi-square value basically remains between 0 and 10. At 25% attack traffic, the chi-square value basically remains between 7 and 17. At 50% attack traffic, the chi-square value basically remains between 18 and 38. At 75% attack traffic, the chi-square value basically remains between 40 and 70. From these results, we judge that a suspected IFA has occurred if the attack traffic exceeds 25%, and the chi-square threshold for IFA is accordingly set to 10.
The similarity-based IFA detection method can find changes in the information name prefix distribution between two adjacent time windows. In the experiment, the similarity change under different attack intensities is obtained by controlling the rate values of normal network traffic and IFA traffic, thus proving the feasibility of the similarity test for IFA detection and determining the threshold of the similarity test. The experiment starts releasing attack traffic when the 1000th interest packet is sent and ends the attack when the 3000th is sent. The experimental results are shown in
As can be seen from
As can be found from
In the experiment, a short network traffic fluctuation is designed to simulate the normal network fluctuation, thus detecting the accuracy of the method in this paper for IFA detection. In the experiment, a total of 20 network fluctuations were set in 40 s. Each network fluctuation traffic was 125% of the normal request traffic, and the fluctuation traffic lasted for 0.5 s. A total of 10 experiments were carried out, and the experimental results are shown in
From
In order to verify the superiority of IFA detection method proposed in this paper, this method is compared with the detection method based on information entropy adopted in literature [
Proportion of attack traffic | Detection time (s) in literature [ | Detection time (s) of the algorithm in this paper |
---|---|---|
25% | 3.15 | 2.72 |
50% | 2.07 | 1.65 |
75% | 1.18 | 0.92 |
As can be seen from
Here, the packet loss rate refers to the proportion of all interest packets entering the PIT that have been replaced by the replacement policy or deleted after reaching the timeout. Under normal circumstances, the packet loss rate is basically maintained at nearly 0%. When IFA occurs, the packet loss rate will rise sharply due to the occupation of plenty of malicious interest packets on the PIT, showing a higher level. Therefore, the change of packet loss rate can effectively reflect the real-time impact of IFA on network traffic. In the experiment, three groups of experiments were carried out according to different attack intensities. The attack traffic was set to be released when the 500-th interest packet was sent, and the packet loss rate of each window was calculated. The experimental results are shown in
As can be seen from
According to the characteristic that NDN interest flooding attackers will continuously send plenty of interest packets that cannot be responded to, this paper proposes a bilateral detection model based on the chi-square test and similarity test. The method comprises a data acquisition and processing module, a flow anomaly detection module, a bilateral detection and IFA discrimination module, and an IFA alarm and defense module. The implementation process of the method proposed in this paper is as follows: Firstly, the structure of the PIT is expanded, a counter is added to record information, and the sliding window method is used to dynamically adjust the size of the detection window. The sensitivity of the chi-square test is used to preliminarily detect the attack behavior. Then, the similarity test method is used for further detection, thus realizing bilateral detection. Finally, based on ndnSIM simulation platform, the simulation experiment of this method is carried out, and the feasibility and effectiveness of this method are verified by the chi-square anomaly detection, similarity anomaly detection, accuracy detection, time detection and packet loss rate detection of IFA, respectively.