Detection and Mitigation of Cache Poisoning of NDN
Problem Definition
Named Data Networking (NDN) is a proposed future internet architecture created as a data-centric alternative to the existing host-centric architecture of TCP/IP. NDN attempts to expand beyond the minimal functionality offered by IP as a communication layer by allowing packets to name objects rather than communication endpoints, to better serve the needs of the distribution network that the modern internet has morphed into. Beyond allowing data to be named, NDN departs from the existing architecture by incorporating Content Stores (CS), which act as caches for optimizing data delivery, a Pending Interest Table (PIT), and a Forwarding Information Base (FIB). Despite its best intentions, however, this new architecture would also introduce new attack surfaces and new vulnerabilities.
In our project, we focus on detecting and mitigating cache poisoning during the synchronization of Data packets between NDN nodes.
Previous Work
To completely avoid cache poisoning, we could approach the problem in two ways: eliminate the cache altogether, or store only static content in the cache. However, neither option makes sense from a practical point of view for what NDN is trying to achieve with its CS.
Some work on cache-based fault detection has been done previously. Based on research by Karami and Guerrero-Zapata [1], a new detection method using an RBF neural network can detect cache poisoning efficiently, but a false positive rate of 6.5% still exists.
Our Approach
Our approach will not involve the publisher once the data packets are up to date. Instead, we make synchronization between nodes the primary method of sharing updated packets, while ensuring that no poisoned packets have been injected.
To achieve this we propose:
An indication when data is received from another node's cache; the receiving node then sends a request to the server to verify the data's integrity.
A checksum method to verify Data packet integrity.
State change detection [2]: periodic detection of state inconsistencies.
One proposed method for syncing safely is to have one router (routermain) signal the routers in its vicinity to start a timer, and then request the updated packets from routermain when the timer runs out. Routermain receives the Data packets from the server; once the timer expires, the other routers send requests to routermain for the updated packets (this might cause flooding), and routermain sends them on to the other nodes, ensuring a safe sync.
Another cache-based poisoning detection method is to compare Data packets efficiently across nodes to protect the integrity of a packet. A preliminary solution is:
Reduce the packet to a checksum (placeholder idea), then send the packets out to various nodes. Those nodes compute the checksum for the Data packets they hold; if there is any inconsistency, they notify the original node, and the original node can notify all the other nodes that they need to update their caches.
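As an added illustration (our own sketch, not code from this proposal or from any NDN implementation), the checksum verification on cache-to-cache transfer and the periodic consistency check described above, simulated with three routers. The `Data` and `Router` classes, the server dictionary of authoritative checksums, and the sample packets are assumptions; SHA-256 stands in for the proposal's placeholder checksum.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Data:
    name: str
    content: bytes

    def checksum(self) -> str:
        # Placeholder checksum from the proposal: SHA-256 over name and payload.
        return hashlib.sha256(self.name.encode() + b"\0" + self.content).hexdigest()

class Router:
    def __init__(self, rid: str, server: dict):   # server: name -> publisher's checksum
        self.rid, self.server, self.cs, self.peers = rid, server, {}, []

    def reverify(self, name: str) -> bool:
        """Re-check one Content Store entry against the server; evict it if it disagrees."""
        d = self.cs.get(name)
        if d is not None and d.checksum() != self.server[name]:
            del self.cs[name]
            return False
        return True

    def receive_from_cache(self, data: Data) -> bool:
        """Data arrived from another node's CS: verify with the server before caching it."""
        if data.checksum() != self.server[data.name]:
            for r in self.peers:          # tell the other nodes to re-check that name
                r.reverify(data.name)
            return False
        self.cs[data.name] = data
        return True

def periodic_check(routers) -> set:
    """State-change detection: ids of routers whose cached entry disagreed with the server."""
    return {r.rid for r in routers for name in list(r.cs) if not r.reverify(name)}

def demo():
    good = Data("/video/1", b"frame-bytes")          # constructed publisher object
    poisoned = Data("/video/1", b"tampered-bytes")   # same name, altered payload
    server = {good.name: good.checksum()}            # the publisher's authoritative answer
    r1, r2, r3 = (Router(i, server) for i in ("r1", "r2", "r3"))
    for r in (r1, r2, r3):
        r.peers = [p for p in (r1, r2, r3) if p is not r]
    r1.cs[good.name], r2.cs[poisoned.name] = good, poisoned   # r2 poisoned out of band
    flagged = periodic_check([r1, r2, r3])            # {"r2"}, its entry is evicted
    rejected = r3.receive_from_cache(poisoned)        # False
    accepted = r3.receive_from_cache(good)            # True
    return flagged, rejected, accepted, sorted(r.rid for r in (r1, r2, r3) if good.name in r.cs)
```

A checksum carried inside the packet can be recomputed by whoever injected it, so the comparison here is always against the publisher's value, never against a field in the packet itself.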
2022.10.8 - 2022.10.21: Continue researching the issue, summarize relevant papers
2022.10.22 - 2022.10.28: Redefine and get more specific about our approach based on new research
2022.10.29 - 2022.11.18: Attempt to implement our redefined solution in a simulation
2022.11.19 - 2022.11.26: Draw conclusions from research, begin work on project report
2022.11.27 - 2022.12.06: Finalize report
[1] A. Karami and M. Guerrero-Zapata, "A hybrid multiobjective RBF-PSO method for mitigating DoS attacks in Named Data Networking," Neurocomputing, vol. 151, pp. 1262-1282, 2015, doi: 10.1016/j.neucom.2014.11.003 [Accessed 6 October 2022].
[2] T. Li, W. Shang, A. Afanasyev, L. Wang, and L. Zhang, "A brief introduction to NDN dataset synchronization (NDN Sync)," MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM), 2018.
L. Zhang et al., "Named data networking," ACM SIGCOMM Computer Communication Review, vol. 44, no. 3, pp. 66-73, 2014, doi: 10.1145/2656877.2656887 [Accessed 6 October 2022].
Y. Musashi, M. Kumagai, S. Kubota and K. Sugitani, "Detection of Kaminsky DNS Cache Poisoning Attack," 2011 4th International Conference on Intelligent Networks and Intelligent Systems, 2011, doi: 10.1109/icinis.2011.18 [Accessed 6 October 2022].
N. Kumar, A. Singh, A. Aleem and S. Srivastava, "Security Attacks in Named Data Networking: A Review and Research Directions," Journal of Computer Science and Technology, vol. 34, no. 6, pp. 1319-1350, 2019, doi: 10.1007/s11390-019-1978-9 [Accessed 6 October 2022].
C.-H. Chen and A. K. Somani, "A cache protocol for error detection and recovery in fault-tolerant computing systems," Proceedings of IEEE 24th International Symposium on Fault-Tolerant Computing, 1994, pp. 278-287, doi: 10.1109/FTCS.1994.315632.
https://sites.google.com/view/csc466/project-proposal