Named data networking (NDN) is a promising alternative data dissemination technology of TCP/IP communication networks, which can bring out much more cost-effective and resilient communication in a highly mobile environment. However, due to the feature of NDN, content poisoning comes out as a potential threat. Hence, state-of-the-art studies introduce network layer approaches based on name-key binding, in which the producer notifies routers of the bindings of names and key values. Key values include publisher public key digest or content digest. Routers check key values to determine whether incoming data packets have been poisoned. Unfortunately, the approaches lead to more vulnerabilities in dynamic content poisoning because attackers can impersonate the producer to alter or fabricate the bindings. Thus, we introduce a consumer-oriented two-phased lightweight security scheme, which consists of an end-to-end authentication and a packet-level name-key query mechanism. Specifically, the name-key bindings are authenticated via an additional verification by the consumer. Furthermore, we also introduce a novel trust model to help routers to determine and disconnect from the malicious nodes. Finally, our extensive experimental results demonstrate that the scheme can work effectively in improving the vulnerability of existing studies on dynamic content poisoning and lowering the system overhead simultaneously.

1. Introduction

Recently, the emergence of ad hoc networks is confronting a variety of challenges such as high mobility, heterogeneous communication protocols, security vulnerabilities, and strict delay constraints. To tackle the challenges, the researchers have explored named data networking (NDN) [19]. As a future Internet architecture, the standard specification of NDN is specified by NDN 3.0, on which this article is based. Specifically, NDN follows the pull communication model as shown in Figure 1, the receiver, i.e., consumer, issues a packet named interest specifying the name of the requested content and any entity generating the very content, i.e., producer, receives interest, matches the names, packets the content into the data packet, and responds it to the consumer along with the path. Thus, the content-driven query model and in-network caching technique enable resilient communication [3, 4, 10].

Different from the security of TCP/IP, NDN ensures the security by the consumer verifying the signature of a data packet issued by the producer. First, the signature is generated via hashing and then encrypting the content in the data packet by the producer. The publisher public key digest, i.e., PPKD, in the metadata of the packet plays as the identifier of the producer. Then, after receiving the data packet, the consumer decrypts the signature and compares the decrypted hash with the received content digest. If failed, the consumer reissues interest containing PPKD in the exclude field to reject all packets with the same PPKD [2, 11, 12]. Accordingly, signatures ensure the integrity of the content and the authenticity of the producer.

However, the security feature brings out the threat of content poisoning because routers cannot perform signature verification due to the line speed limit and heterogeneous trust model [14, 11]. To tackle this problem, researchers proposed a network layer scheme based on name-key binding, where the key denotes PPKD and the content digest. Specifically, the producer informs routers of the bindings of names and key values, i.e., PPKD or content digest, in advance, so that routers obtain the key values in the bindings to compare them with the key values in the incoming data packets. After receiving data packets, for example, routers hash the received content and then compare the result with the content digest in previously obtained name-key bindings. Since the verification is implemented by decrypting the signature and hashing the received content and the comparison of the key values is implemented mainly by hashing the received content, the overhead of the latter is much lower than the former. Thus, routers can perform the comparison of the key values at line speed to mitigate the content poisoning well [2, 11].

Unfortunately, existing solutions cannot ensure the authenticity of the name-key bindings. In existing solutions, the binding of names and key values is informed to routers by the producer via blockchain or package embedding. However, taking the blockchain as an example, an attacker could impersonate a benign producer to register the fabricated name-key bindings in the blockchain, thereby, interfering with routers to discard the poisoned content. For static content, since the content may have been cached by routers, the impersonation can easily be detected by other nodes [3, 6]. Nevertheless, for dynamic content, this defect is vital because the key value, i.e., content digest, can only be generated after the content [3], that is, an attacker can respond to interest with fabricated name-key bindings before the producer, which cannot be verified by the routers. That is exactly the reason for the formation of content poisoning. In addition, existing solutions, such as blockchain, also bring heavy system overhead [4]. In short, existing solutions cannot ensure the authenticity of the name-key bindings of dynamic content, which leads to the defect in mitigating dynamic content poisoning.

Hence, to tackle this defect of existing solutions, we propose a consumer-oriented integration scheme, in which the routers receive the name-key bindings from the consumer. First, the consumer queries and verifies the authentic bindings from the producer and then sends the bindings via reissued interest to routers. The proposed scheme consists of end-to-end authentication to verify the authenticity and a packet-level query mechanism to publish the bindings [4]. The bindings are included in a self-certifying catalog (SCC) by the producer. The SCC will be forwarded to the routers and consumer. Then, the signature will be verified by the consumer. Therefore, our scheme leverages such an additional signature verification on the consumer side to ensure the authenticity of the bindings. Specifically, the consumer issues an interest to request the bindings, and the producer responds with an SCC data packet containing the bindings. Then, the consumer performs signature verification to obtain the authentic key values, i.e., PPKD. As the SCC data packet has been verified, attackers cannot impersonate the producer to fabricate the bindings. Then, the consumer embeds PPKD into the reissued interest, where the routers read PPKD to compare with the PPKD of the incoming data packets. The reissued interest will be forwarded to the producer identified by PPKD. It should be noted that even if attackers disseminate poisoned SCC, they are easier to be detected by a collaborative trust model based on the content exclusion rate and neighbors’ feedback.

The proposed scheme solves the defect in existing solutions to mitigate both dynamic and static content poisoning. Routers obtain the authenticated name-key bindings from the consumer instead of the producer. Because the purpose of content poisoning is to prevent the consumer from receiving valid content, it is meaningless for an attacker to impersonate a consumer. Besides, the proposed scheme avoids the excessive system overhead brought by the existing solutions, i.e., blockchain. Specifically, our contributions are as follows:(1)End-to-end authentication based on a handshake strategy: in NDN, communication is content-centric; thus, there is no handshake strategy like TCP/IP. The proposed network layer authentication introduces a normal but not trivial handshake strategy in publishing the bindings to establish an end-to-end trust model, where the consumer verifies the authenticity of the bindings and then sends them to the routers.(2)Packet-level lightweight self-certifying query mechanism: we introduced the self-certifying catalog (SCC) containing the bindings as a lightweight query mechanism. The producer responds with the SCC packet. Compared with the existing solutions, i.e., blockchain, the packet-level mechanism ensures a lower system overhead.(3)Collaborative trust model based on neighbors’ feedback and content exclusion rate: to disconnect from malicious nodes, routers leverage the collaborative model based on neighbors’ feedback and exclusion rate to evaluate the reputation of a suspicious node.

Through experiments, we evaluate the effectiveness of the proposed scheme for content poisoning through security analysis and performance experiments. Furthermore, experimental results show that compared with the state-of-the-art, our scheme has better performance and greatly reduces the system overhead.

The remainder of this article is organized as follows. We describe the scenarios and content poisoning security threats in NDN. Then, we describe the system design, including the configuration, end-to-end authentication, and the packet-level lightweight query mechanism. Through the comparative experiment, we demonstrate the feasibility and effectiveness of our work. Besides, the proposed scheme has better performance to ensure dynamic content security. Finally, we conclude and outline the future work.

2. Background and Security Threats

NDN has taken an important part in improving efficiency in many scenarios. Nevertheless, content poisoning emerges as a crucial challenge. Here, we describe the application, scenarios, and attack models caused by fabricated name-key bindings.

2.1. Background

NDN is a named content-centric future Internet architecture. Interest and data are the two main types of packets in NDN. Communication in NDN follows a pull model: consumers request content by sending interest packets, which contain the name of the requested content. If a node can “satisfy” the content name, it returns the corresponding data packet along with the original path. Otherwise, the node records the interest in the pending interest table (PIT) and forwards the interest to the next hop. The interfaces of the neighbors are recorded in the forwarding information base. Fields in the interest packet include the following:(i)Name: the field consists of one or more components of variable length(ii)Exclude: the field contains name components that must not occur in the returned content(iii)Publisher public key digest (PPKD): the SHA-256 digest of the public key of the producer. If this field is present in interest, a matching object must have the same digest.

It should be noted that the above description does not include all fields in NDN 3.0. The interested readers can refer to [2, 11, 12] for the detailed structure. Correspondingly, each object in the data packet also contains a metadata header, and the fields include the following:(i)Name: a sequence of explicit name components followed by an implicit digest component(ii)Signature: a public key signature generated by the producer, covering the entire content(iii)Publisher public key digest (PPKD): SHA-256 digest of the public key needed to verify the content signature(iv)Freshness: recommended content lifetime (to be cached) set by the producer(v)Key locator: reference to the public key required to verify the signature

When generating a data packet, the producer hashes and encrypts the entire content with the public key configured by the certificate authority (CA). For most algorithms, i.e., digital signature algorithm (DSA), the consumer obtains a hash value of the entire content at first to verify a signature. Then, the signature is decrypted, and the results are compared. Thus, there is one more decryption in verification than hashing. Furthermore, we also demonstrate the comparative results in Section 5. More details of signature in NDN can be found in [2, 11, 12].

2.2. Scenarios

Named data networking is now widely used in various highly mobile scenarios, such as intelligent transportation systems [3, 4, 13, 14]. The systems bring out a variety of challenges, such as high mobility, heterogeneous communication, security vulnerabilities, and strict latency constraints. Unlike the TCP/IP network, NDN can meet the requirements because it is content-centric and decentralized. The content is requested via a readable name in interest instead of establishing a communication channel. The consumer-driven retrieval model and in-network caching technology enable faster and energy-efficient content dissemination in networks.

Furthermore, dynamic content also plays a key role in NDN. Dynamic content is time-sensitive, which means it changes based on consumer requests, e.g., the location. Therefore, dynamic content cannot be previously cached in the router. When a consumer expresses an interest, the producer responds directly to the consumer with the requested content. For example, when a node fails, the new node will replace it and perform the assigned temporary tasks. Here, the dynamic content will be produced by the new node and delivered to the consumer.

2.3. Content Poisoning and Name-Key Binding

Content poisoning is a new challenge to security in NDN. As shown in Figure 1, the consumer issues an interest containing the content name to request the content. The router will search the cache store (CS), the pending interest table (PIT), and the forwarding information base (FIB) in turn. If failed, the router updates PIT and forwards the interest in multiple paths until it is responded to with a packet by the producer. Consumers can verify the authenticity of the content by signature verification. However, since the router does not perform a signature verification, the attackers may spread poisoned content over the network, which results in content poisoning.

Therefore, many studies [13, 6, 10] proposed name-key binding rules from which routers can query content digests or PK digests to compare with PPKD. However, as mentioned above, although the existing name-key mechanism works well in solving static content, it cannot tackle the dynamic content poisoning, which unfortunately can cause a series of potential security attacks, e.g., denial-of-service attack or impersonation attack, which seriously interfere with the application of NDN in high mobility, lightweight, and strict latency-constrained environments.

2.4. Dynamic Content Poisoning

Dynamic content refers to the content generated with a time-sensitive feature, e.g., the location or real-time monitoring information. As mentioned above, the dynamic content poisoning may result in a series of attacks, e.g., DoS attacks, interception, impersonation attacks, and interference, which are described and analyzed as follows:(1)Denial-of-service attack: the malicious hosts may respond to the interest with a large amount of poisoned name-key bindings, which interfere with the routers with detecting poisoned content. Then, the consumer cannot receive valid content until all fake bindings are excluded.(2)Impersonation attack: malicious hosts may falsify PPKD to identify the corrupted name-key bindings, publish it to the routers, and communicate with the consumer as the producer to gain an illegitimate advantage(3)Interception: malicious hosts may act honestly as an intermediate router to participate in interest and data package forwarding. Upon receiving a data package, they inject and modify the content and forward the data package along with the path.(4)Hijacking: malicious hosts may intrude and control a normal host and disseminate the poisoned content as the hijacked host

All the attacks are implemented through content poisoning based on different types of content in NDN. We can hold back the influence of the attacks by mitigating the poisoned content. According to the types of poisoned content, as shown in Figure 2, the content poisonings can be classified as follows:(1)Forged contentWhen receiving an interest, the malicious adversaries may pack the poisoned content into a data packet and disseminate it to routers or consumers.(i)Corrupted content: as an intermediate router, the adversary intercepts the data packet, obtains PPKD or content digest, and then forwards poisoned content to the consumer with the obtained PPKD. Interception and impersonation attacks can be implemented by corrupted content.(ii)Fake content: the adversary responds to the interest by impersonating a producer before the producer responds to interest and packs the poisoned content with different fake PPKD or content digests to the consumer. DoS attack is related to fake content.(2)Damaged contentDamaged content may be caused by multiple factors such as signal interference. It takes up the network, and consumers must exclude the damaged content to get the valid ones. The damaged content can be detected by routers through hash comparing, as long as they obtain the content digest in advance.

Note that the above analyses are oriented to dynamic content. In brief, compared with the damaged content, the forged content is not only more harmful but also more difficult to handle. The scheme is proposed mainly for mitigating dynamic forged content poisoning.

To overcome the lack of authentication, the scheme should be lightweight and trustworthy. The dynamic content should be self-certifying, so that the routers can verify the digest without signature verification. Besides, the system overhead should be lower than the existing solutions to make the scheme feasible for the routers while forwarding the packages at a line speed.

3. System Design

The scheme provides a lightweight security mechanism in the network layer, which consists of a registration and distribution module and a package-based handshake strategy.

3.1. Initial Configuration

In our scheme, there are two key operations in the configuration to be performed: certificates predistribution and SCC generation. The certificate plays the role of trust root generated by GCS inside the network, through which an entity can trust one another by authentication before performing the tasks. Let be a finite cyclic group of order under multiplicative operation, where is a prime number. We denote hash functions from as H, where is the length of the outputs of hashing. is the point with the coordinate on the curve to generate the key pair, where . GCS generates the key pair: . , , , and denote the th entity, router, producer, and consumer, respectively. GCS predistributes the key pairs to an entity , so that can verify the authenticity: .

The other operation is to generate and sign SCC to establish a trust relationship between the entities. SCC is a set of data structures bound with PK digests, timestamps, name-key binding rules, and signatures. The specific structure depends on the application running on the network. The items are included as follows:where (name-key) stands for a set of mapping values such as the name-PPKD or name-content digest bindings. We perform a series of computations to get the SCC items, for example, for the dynamic content produced by :(1)PK digests: computing (2)Content digest: computing (3)Name-key binding rules: the rules of denote a set of correspondences, which is denoted as(4)Signature: is generated by content hashing and encryption as (5)Timestamp: the time is generated by the GPS

To complete the verification of the authenticity, the entity needs to store the above data in SCC. Thus, we can get

Thus, can verify the authenticity of via without third-party authorities. Besides, can broadcast to notify routers of the bindings to be forwarded. Note that denotes the dynamic content produced by predictably, such as the location while performing a coordinative task. For the content to be produced unpredictably, such as the temporary missions, we will discuss in Section 3.

3.2. SCC Authentication

In our scheme, the first communication between any two entities is completed by issuing and receiving SCC. Specifically, before forwards the content produced by , it needs to establish a trust channel with , that is, should receive and verify SCC of , named as . As shown in Figure 3, it is implemented by broadcasting and verification in the following steps:Step 1: SCC broadcasting from to . The producer broadcasts the generated at a time interval to the routers to establish a trust relationship.Check ; then,Step 2: SCC broadcasting from to Ci. checks if it is the first time receiving . If it is true, will verify the signature. Then, reads and stores from the catalog. Then, forward to the consumer .Check Check , the cached SCCIf it fails, verify by computing and checking If false, discards the catalog, terminates the forwarding, and sends an alert package to the neighbors. Otherwise, reads the bindings to update FIB and forward to the consumer : Step 3: verification in . When receives from the producer, it reads the content after verification. The consumer has to verify the signature every time.Verify by computing and checking . If the verification fails, will be discarded. Otherwise, the consumer will read the bindings in : .

Thus, broadcasts to the router , which reads through and verifies the signatures. By comparing with the PPKD in the data package, the consumers can verify the authenticity of SCC. The verification for is performed only once in . Upon receiving , verifies the signature and obtained . The updated SCC can be broadcasted; at any time, new content is produced. One problem caused by the trust mechanism is how much verification affects the efficiency of NDN, which we will discuss in the next section.

3.3. Querying Mechanism

In NDN, to lower the storage usage, SCC may not be cached in every router. Moreover, if a temporary mission is assigned, the consumer may do not know the specific producer . Thus, the scheme offers a package-based name-key request strategy, named handshake. The handshake procedure in our scheme is implemented in the following steps, while wants to request of passing through :Step 1: interest issued by . generates an interest and embeds its own PK digest into a subfield of interest, as application parameters. Then, forwards interest named by name via multipath routing:Step 2: forwarding the interest by . Upon receiving the interest, checks the name and forwards it to .Compute Check if name hits CS; if not, forward the package.Step 3: checking and response: upon receiving the interest, checks the name and , updates , and responds with to .Check name hits and then update Check . If true, response with the dynamic content : .Otherwise, compute , use as data package name, and return :Step.4: updating in Check Check the stored SCC. If true, update . Otherwise, verification is done by computing by computing and checking .If it fails, discard SCC and respond with a Nack. Otherwise, keep PIT and then forwardStep 5: verification and updating in : upon receiving , verifies the signature and obtains PPKD:Verification by computing and checking : If it fails, discard and respond a Nack. Otherwise, update , read , and obtain .

As a result, our scheme proposes a handshake strategy for consumer to request the specific PPKD from the producer . Then, can issue an interest to the dynamic content producer with PPKD instead of its own PK digest. The procedure is similar to the handshake phase, where returns the content in step 3 and no verification in step.4. The procedure will not be described in detail in this article. Note that our scheme is based on NDN 0.3, where the application parameters subfield can be filled with PK digest.

3.4. Routing

The interest package can be forwarded with a best route or multicast strategy. However, we modify the protocol slightly for SCC forwarding. The scheme needs to ensure that generated by is forwarded back along with the original path to eventually. The NDN 0.3 has provided a specification of optional digest components, like application parameters in the interest package. Thus, we use the digest of name and as the name of SCC in PIT.Step 1: interest forwarding: records the faces the interest package arrived and then register h of name and as a new PIT entry:Step 2: SCC forwarding: upon receiving the SCC package, checks the PPKD and then forwards it to the faces in PIT.Check and PIT entries. If true, delete the relevant PIT entry and forward it to the faces; otherwise, discard and notify the neighbors.

In summary, SCC data packages are secured by signature by the consumer. Besides, the scheme renews PIT entries in routing by additional computation (i.e., hashing). However, the routers can decide whether to use it according to the application parameters component, which reduces computation. Hence, an end-to-end security scheme for dynamic data delivery is proposed through the trust mechanism, handshake, and the slightly modified routing strategy. To conclude, in our scheme, an NDN-based network can use the name-key to mitigate dynamic content poisoning.

4. Detection and Recovery

4.1. Detection

Instead of being cached in routers, the dynamic content is generated in real-time, which may be corrupted or fabricated during routing. To mitigate content poisoning, a router needs to perform varieties of detection based on except for verification.

According to the scheme, has obtained in previous phases. As shown in Figure 4, we describe the detection in in four steps as follows:Step 1: upon receiving the data package containing content CO and signature Sig, searches the stored SCCs by name. Sig and keyCO denote the signature and content digest of CO, respectively.Check if name hits stored SCCs. If it succeeds, go to step 2; otherwise, request the name-key through handshake strategy.Step 2: checking corrupted content by Check . If it succeeds, go to step 3; otherwise, CO is corrupted content, go to step 5.Step 3: checking the fake content by Check . If it succeeds, go to step 4; otherwise, CO is fake content, go to step 5.Step 4: CO is valid, query PIT, and then forward the package to the related facesStep 5: CO is poisoned, discard the package, and notify the neighbors

In conclusion, the corrupted content can be detected by comparing the content digests. Fake content can be detected by comparing PPKD with , which is included in . The above steps demonstrate that the routers do not perform decryption or any heavy computation during forwarding packets, that is, the router can check the authenticity of the content with authentic name-key bindings. Note that, although the scheme is for dynamic content, the static content can also be detected via key values comparison.

4.2. Recovery

To recover from content poisoning, NDN needs to purge the poisoned content during routing and exclude the malicious entity. We describe the process of excluding poisoned content signed by a valid signature, e.g., when the hosts have been hijacked. The fake content generated by a hijacked host cannot be detected because PPKD and content digest are true. Thus, the consumer reissues an interest to with in the exclude field to exclude :where denotes the PPKD of the poisoned content and verifies and notifies the neighbors by checking and . Likewise, the other routers repeat the process to eliminate eventually.

The exclusion of other poisoned dynamic content and malicious entities is similar to the above. Moreover, to exclude the hijacked node, requests the neighbors to collaboratively evaluate the reputation of the targeted node by verification. The feedback of the neighbors downgrades the reputation. Once the reputation is lower than a preset threshold, the router puts PPKD into the blacklist and cuts down the direct link with the hijacked node if necessary.

4.3. Optimization

We propose a secure scheme for NDN to mitigate dynamic content poisoning. However, the system overhead is inevitably raised because of verification, which is optional in typical routing. All the entities do not have to verify each content, especially in the recovery phase. Thus, we proposed an optimized strategy based on probability verification to cut down the overhead, in which we assume that most entities are honest and trustworthy.

Specifically, the poisoned contents identified by the excluded PPKD are forwarded by different routers . Upon receiving the exclude field, the routers perform verification in a probabilistic and independent manner. A router verifies the content whenwhere denotes the last 32 bit number of . The method ensures that verification is evenly distributed on the routers to avoid a system bottleneck. Nevertheless, may not be verified for a long time. If no verification to occurs in a router, it issues an alert to the next hop along with the forwarding path. The neighbor increases the probability aswhere is the proportion of verified routers in previous hops . Hence, the verification computation is evenly distributed on the routers, resulting in that full-node verification to is no longer necessary.

5. Trust Model

For the fake content, e.g., the content generated by a hijacked node with an authentic PPKD, consumers can exclude the content via exclusion. However, dynamically generated invalid content will continue to be distributed by malicious hosts until they are isolated. Thus, we develop a trust model to evaluate the reputation (trust value) of the suspicious node.

The proposed model assumes that most hosts in NDN are secure. The exclusion of a malicious host is based on a trust value which is determined by jointly with the neighbors . When the trust value of is below the preset threshold, stops forwarding and discards the dynamic content generated by . The trust value of in is calculated as the sum of the trust value of the content of and the collaborative trust value of in :where and are the weights of the content trust value and the collaborative trust value of in , respectively, and  + . Let be the starting time of the computation and be the current time; the time interval is divided into multiple time intervals. Specifically, is calculated as the sum of the trust values of the content generated by and forwarded by in . Since a particular content may have multiple instances during routing, we use to denote one of the instances. Thus, we have the following formula:where denotes the ratio of the number of the interfaces in that have forwarded the dynamic content without exclusion. A higher indicates a higher percentage of the hosts that have verified the authenticity of . denotes a time interval. Besides, denotes the waiting time of from the last exclusion attempt for when computing the trust value of . denotes the exclusion rate for , which is the ratio of the number of exclusions for to the total number of forwarding. denotes the trust downgrading speed of an instance , which has never been excluded in time until it expires. If the final trust value of is assigned as by the administrator, we have

Moreover, to obtain , we use the vector to denote the trust values of neighbors to . Simultaneously, the vector is used to denote the trust value of to . denotes a variable based on the similarity of and and the activity of in . Intuitively, the recent interactions of are more indicative than earlier interaction. Thus, the decay factor is used to denote the decay of activity according to the time elapsed. We havewhere denotes the number of interactions between and its neighbors in the time interval , denotes the total number of all interactions that occurred in , and and denote the weight factors.

We introduce the fuzzy reputation theory in [7, 15] to determine the trust value. However, instead of subjective trust evaluation of the content, we calculate the trust value of the malicious nodes based on the content. First, we preset two values, and , to denote the trusted threshold value and untrusted threshold, respectively. Then, we have the following:(i)When , can be trusted, and the router will continuously forward the content P generated.(ii)When , is untrusted, and the content will be discarded.(iii)When , is in the ambiguous area. The trust of is determined by formula (19), which is based on the trend of the trust values over the past time intervals:When , is evaluated as trusted, and the router can continuously forward the content of . When , is untrusted, and considers the content to be discarded.

To conclude, we evaluate the trust value of based on the content and neighbors’ feedback collaboratively in . When the trust value is ambiguous, we look at the trend (i.e., increasing or decreasing) of the trust value over time intervals to assess if it can be trusted. As a result, the trust value of drops rapidly with the dissemination of the poisoned content. Thus, the router can detect the malicious node and use the proposed model to isolate it from the router.

6. Evaluation

In this section, we analyze the overhead of the proposed scheme and the capability to detect poisoned content and then demonstrate the efficiency and usability of our scheme through the extensive experimental evaluation.

6.1. Overhead Analysis

We conduct a comparative analysis of the system overhead of one successful content exchange between two nodes in multiple methods, i.e., the proposed scheme, interest-key binding (IKB), interest-key-content-binding (IKCB) with blockchain, and secure message communication protocol (SMCP) with basic PKI, as given in Table 1. , , , , and , respectively, denote the time cost of symmetric encryption, decryption, one-way hash, signature generation, and elliptic curve cryptographic points multiplication, which is commonly used in public key cryptography. The values are estimated in [17] with a 4 core, 3.2 GHz, 8G memory platform. , , and denote the output of identity, digest, and time stamp in communication, respectively, and were valued as 160 bits, 160 bits, and 32 bits, respectively. Table 1 provides that our scheme offers significantly lower overhead in computation time and communication. The table provides the communication and computation costs and the number of messages required for authentication. We analyze that SMCP costs the most in computation and communication because it needs to fetch multiple public key certificates. The IKB and IKCB methods are close to our scheme because they are based on name-key rules instead of CA. However, the computation cost of our scheme is less than other schemes, although the proposed scheme needs more messaging. Besides, we can see in Table 2 that our scheme provides better security with lower system overhead.

6.2. Security Analysis

The comparative analysis of security features of existing schemes is given in Table 2. The proposed scheme offers a trade-off of security and system overhead because of the probabilistic verification.

In Table 2, f1, f2, f3, f4, f5, and f6 denote mutual authentication, content integrity, privacy-preserving, impersonation-resistant, DoS-resistant, and probabilistic verification, respectively. From the table, it is clear that the proposed scheme offers more comprehensive security than others. Traditional SMCP cannot mitigate the attacks related to content poisoning in NDN. IKB and IKCB provide no protection from authentication-related attacks.

To illustrate the security features more clearly, referring to state-of-the-art literature [5, 6, 18], an experiment is also set up to evaluate the security. The degree of security is designed as the proportion of valid content received by “benign” nodes, after the routers exclude poisoned content using the schemes, with a different proportion of malicious nodes in a certain time interval. When the proportion of valid content received reaches 100%, the state is named complete convergence. The speed of convergence represents the usability of the scheme.

Our extensive experiment is simulated based on ndnSIM in the experimental platform configured as 4 core, Intel(R) Core (TM) i7 CPU @ 2.90 Hz, and 32 G RAM. Considering the general mobile network topology, we set up and configured 80 nodes in the network based on tree topology, in which there are 20 routers and each router faces 3 users. In simulation, the experiment is conducted with the malicious nodes proportion varying from 5% to 30%. Other nodes are defined as “benign” nodes. Benign nodes try to forward and transfer the exclude subfield honestly. We prepopulate 1000 contents with the poisoned content proportion varying from 80% to 99%. The poisoned content is evenly distributed in the routers and identified by the malicious nodes.

Figures 5 and 6 show the effectiveness through the comparative experiment. The proportions of poisoned content and malicious nodes are under the control of the two experiments, respectively. We assume all the benign routers forward exclude packages accurately, and the malicious nodes send fabricated messages. On the contrary, in our method, the name-key binding rules are distributed in multipath routing. For that, the method IKB is similar to IKCB in the manner and usability of mitigating content poisoning. To demonstrate the result clearly, we only conduct the comparative experiment for the proposed scheme and IKB. We also introduce a subjective trust evaluation (STE) in [2] to demonstrate the comparative result in performance among the different methods.

As shown in Figure 5, our scheme achieves full convergence in 7.4 s, 10.1 s, and 12.0 s at malicious node proportions of 0, 10% (2 malicious nodes), and 30% (6 malicious nodes), respectively. Correspondingly, IKB achieved complete convergence at 15.4 s, 17.9 s, and 22.1 s. Moreover, it can be observed that our scheme outperforms IKB in both convergence speed and complete convergence time. This experiment shows that consumers cannot obtain authentic and trustworthy name-key binding rules in advance through IKB due to malicious nodes forwarding invalid content, resulting in much slower detection of poisoned content. Furthermore, we found that due to the limitation of the size of the exclusion table, when the proportion of malicious nodes is as high as 30%, the IKB scheme cannot even achieve complete convergence. However, the table size has little impact on the performance of our method.

As shown in Figure 6, we control the proportion of malicious nodes at a certain level (10% in the experiment) and then change the poisoned content from 80% to 99%. The comparative experiment shows that our scheme has better performance in convergence speed than the existing IKB approach. Specifically, our scheme achieves complete convergence in 1.2 s and 10.6 s for 80% and 90% of the poisoned content, respectively, which is far better than 5.0 s and 20.9 s with the IKB method. It means the percentage of the poisoned content has an impact on the exclusion speed. But our scheme has a faster processing speed. In addition, for content with a poisoning ratio of 99%, both schemes cannot achieve convergence within the valid time (30 s). Nonetheless, the proposed scheme is still far better than the traditional approach in the convergence speed and valid content ratio. This experiment shows that the proportion of the poisoned content has a positive effect on the convergence rate.

Besides, we perform an analysis to intuitively illustrate the correlation between our trust model and the ratio of packet and exclusion ratio. For a certain time, 10 s in the experiment, we observe that the trust value estimated in our model decreases as the content generation rate or poisoning rate increases. Figure 7 shows the trend of correlation among the trust value, the poisoned content ratio, and content generation speed increase. We observe that there is a sharp drop as the content generation rate increases. In other words, the poisoned content pushes the trust value to drop below a threshold. It demonstrates that even though existing solutions fail to protect SCC from malicious nodes as mentioned in Section 1, our model can detect and disconnect from the malicious node as fast as possible.

6.3. Performance

The experimental result also demonstrates that compared with the traditional solution, our scheme excludes malicious routers faster in NDN. We conduct a comparative experiment with the existing schemes in performance in excluding malicious nodes. To demonstrate the result more clearly, we introduce the subjective trust evaluation method (STE) in Ghali et al. [6] for performance comparison. It should be noted that the topology of simulation is static.

We adjust the proportion of malicious nodes in the experiment from 5% to 30% and observe the performance of existing approaches on the detection rate within the effective time (30 s) compared with the proposed scheme. Figure 8 shows that the proposed scheme has a better and more stable performance in detection rate. As shown in Figure 8, when the proportion of malicious nodes increases from 5% to 30%, the detection rate of our scheme drops from nearly 100% to 98.2%. In addition, the detection rate drops slighter than in other schemes, which indicates that the proportion of poisoned nodes has less influence on our scheme on the detection rate. This is because our scheme excludes the interference of malicious nodes and detects the poisoned content faster than other approaches.

Similarly, Figure 9 shows that the proposed scheme outperforms other approaches in accuracy with different proportions of poisoned nodes. When the proportion of poisoned nodes is at 5%, the accuracy rates are relatively close. However, when the poisoning ratio increased, the performance of IKB and IKCB schemes dropped drastically from 96% to below 90%. Meanwhile, the accuracy of our scheme remains around 97%. We analyze that the consumer-oriented query mechanism helps the router to obtain the authentic binding rules and is not easy to be interfered with by malicious nodes. Therefore, the proposed scheme can detect malicious content more precisely. The other approaches are more vulnerable to the malicious nodes, resulting in a significant drop in accuracy. It should be noted that, without considering the efficiency and effective time, the accuracy of STE is close but worse than our scheme.

As shown in Figure 10, when the proportion of poisoned nodes is 5%, the false positive rate (FPR) is relatively close (about 0.5%). As the proportion of poisoned nodes increases, the false positive rate of other approaches rises, STE, IKB, and IKCB rise to around 2%, 3%, and 4%, respectively, but we observe that the proposed scheme has the most stable performance, which is still below 1%. The reason is, compared with our scheme, the traditional approaches are more vulnerable to the interference of malicious nodes. Besides, the fabricated name-key bindings affect FPR of the existing approaches. When the proportion of malicious nodes increases, existing approaches receive more fabricated information, which results in higher FPR. Therefore, the experiment demonstrates that our scheme lowers FPR of dynamic content detection effectively.

We set up a comparative experiment to observe the time cost of different approaches in detecting malicious nodes. To illustrate the performance intuitively, we simplified the network topology and set up 5 routers and 50 contents, each router facing 2 users. Figure 11 shows that the proposed scheme is close to STE in performance but slightly better than the latter, much better than IKB and IKCB. This is because IKB and IKCB rely on exclusion rates to adjust the trust value of malicious nodes, but we introduce neighbors’ feedback as a collaborative evaluation method. Therefore, our scheme spends less time accurately detecting malicious nodes. Even when the proportion of poisoned nodes is 30%, the time cost of our scheme is controlled at around 50 ms.

To conclude, compared with the state-of-the-art, our scheme performs better in usability and system overhead. This is because our scheme reduces the excessive overhead of encryption and consensus and offers a trustworthy authentication for communication in NDN.

Existing research on mitigating NDN content poisoning can be classified according to the methods proposed: verification and subjective trust model. Besides, a comparative summary of different features of existing schemes is given in Table 3.

Verification: detection of content poisoning can be implemented by checking name-key, content flags, or signatures. Gasti et al. proposed a scheme based on interest/content to verify the content [11]. Ghali et al. also proposed an interest-key binding rule to forcibly establish a trust relationship in NDN [2]. Furthermore, Kai et al. proposed IKCB using the permissioned blockchain for the producer to register PPKD and content digest of the content [3, 4]. However, the name-key approaches cannot tackle the dynamic content and impersonation attacks very well. Nam and Kim, respectively, provided a scheme based on signature in which the verification is only executed when the interest hits the cache [19, 20, 22, 23]. However, its signature verification will increase with the proportion of the poisoned content, which results in the latency of the entire network. Hu et al. proposed a method to mitigate content poisoning attacks with a multipath routing strategy based on name-key rules [21], but it cannot tackle the dynamic content well.

Subjective trust model: Mai et al. proposed a method based on machine learning to detect the poisoned content [22, 24]. However, machine learning models are the huge burden to the nodes that are performing the mission. Furthermore, Ghali et al. proposed a novel algorithm based on content ranking, which adjusts the ranking value of contents according to the computation of exclusion rate in interest. However, the method does not process the poisoned content and brings vulnerabilities in content flooding and the risk of DoS attacks [11, 25].

Although, state-of-the-art studies mitigate content poisoning with name-key binding rules. For dynamic content, unfortunately, many attacks are caused by fabricated key values, i.e., PPKDs. Thus, a security scheme should be provided to prevent the malicious nodes from altering the name-key rules. In addition, a lightweight trust model is needed to avoid high system overhead.

8. Conclusion

Existing solutions based on name-key bindings help routers to detect the poisoned content at line speed, which plays a key role in mitigating content poisoning in NDN. However, the solutions cannot prevent the attackers from impersonating the producer to fabricate the bindings. To tackle the problem, instead of existing producer-oriented solutions, we propose a novel consumer-oriented two-phased security mechanism. Specifically, we establish an end-to-end trust mechanism between producers and consumers through an additional signature verification, which greatly reduces the attacker’s ability to fabricate bindings. The routers receive the authentic name-key bindings from the consumer instead of the producer. Hence, the bindings of dynamic content are secured, since it is meaningless for the attackers to impersonate the consumer. Furthermore, to detect the malicious nodes, we provide a collaborative trust model for the routers to detect the abnormal behavior of a suspicious node via content exclusion and neighbors’ feedback. We demonstrate the effectiveness and feasibility of the proposed scheme through experiments. In summary, our scheme overcomes the defect of existing solutions in mitigating dynamic content poisoning with a lower system overhead in NDN. The future work mainly focuses on the decentralized trust model in NDN.

Data Availability

The data generated during and analyzed during the current study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that there are no conflicts of interest.


This work was supported in part by the National Natural Science Foundation of China (61872434) and the National Key Scientific Research Project of China (MJ-2018-S-33).