融合人体免疫防御机理的ICN安全路由机制

doi:10.3778/j.issn.1673-9418.2004042

摘要/Abstract

摘要：

信息中心网络（ICN）引入网内缓存机制使路由器具有内容缓存功能，将网络由IP寻址改为内容名称寻址，旨在更好地为内容分发类应用提供服务。而兴趣洪泛攻击（IFA）会导致路由器资源耗尽，使其大量丢弃合法兴趣包，成为ICN的安全“克星”。结合人体免疫防御机理，提出两阶段ICN安全路由机制抵御兴趣洪泛攻击。在免疫时间内，通过免疫反馈及隔离策略完成非特异性免疫，防止路由器未决兴趣表（PIT）被恶意占用；但非特异性免疫不能缓解持续的IFA攻击，因此进一步通过回溯策略完成特异性免疫，形成免疫记忆，彻底阻断兴趣洪泛攻击。实验结果表明，提出的路由机制可有效抵御兴趣洪泛攻击，减少攻击造成的资源耗尽及无效计算，保证了网络性能。

关键词: 信息中心网络（ICN）, 人体免疫防御, 非特异性免疫, 特异性免疫, 安全路由

Abstract:

Information-centric networking (ICN) introduces in-network caching mechanism to enable routers to have content caching function, changing the network from IP addressing to content name addressing, aiming to better provide services for content distribution applications. However, interest flooding attack (IFA) will lead to the exhaustion of router resources and make it discard a large number of legitimate interest packets, thus becoming the “bane” of ICN security. Combined with human immune defense theory, a two-stage ICN secure routing mechanism is proposed to resist interest flooding attacks. During the immunization time, non-specific immunization is completed through immune feedback and isolation strategy to prevent the pending interest table (PIT) of the router from being maliciously occupied. However, non-specific immunity cannot alleviate persistent IFA attacks, so further specific immunity is completed through backtracking strategy to form immune memory and completely block interest flooding attacks. Experimental results show that the proposed routing mechanism can effectively resist interest flooding attacks, reduce resource depletion and invalid computation caused by attacks, and ensure network performance.

Key words: information-centric networking (ICN), human immune defense, non-specific immunity, specific immunity, safe routing

孙莉莉, 易波, 王兴伟, 黄敏. 融合人体免疫防御机理的ICN安全路由机制[J]. 计算机科学与探索, 2021, 15(4): 658-669.

SUN Lili, YI Bo, WANG Xingwei, HUANG Min. Human Immune Defense Theory Merged ICN Secure Routing Mechanism[J]. Journal of Frontiers of Computer Science and Technology, 2021, 15(4): 658-669.

参考文献

[1] VASILAKOS A V, LI Z, SIMON G, et al. Information centric network: research challenges and opportunities[J]. Journal of Network and Computer Applications, 2015, 52: 1-10.
[2] BERNARDINI C, MARCHAL S, ASGHAR M R, et al. PrivICN: privacy-preserving content retrieval in information-centric net-working[J]. Computer Networks, 2019, 149: 13-28.
[3] MAJEED M F, AHMED S H, MUHAMMAD S, et al. Multi-media streaming in information-centric networking: a survey and future perspectives[J]. Computer Networks, 2017, 125: 103-121.
[4] WANG X W, LI J, TAN Z H, et al. The state of the art and future tendency of “Internet+” oriented network technology [J]. Journal of Computer Research and Development, 2016, 53(4)：727-741.
王兴伟, 李婕, 谭振华, 等. 面向“互联网+”的网络技术发展现状与未来趋势[J]. 计算机研究与发展, 2016, 53(4): 727-741.
[5] XYLOMENOS G, VERVERIDIS C N, SIRIS V A, et al. A survey of information-centric networking research[J]. IEEE Communications Surveys & Tutorials, 2013, 16(2): 1024-1049.
[6] CHATTERJEE T, RUJ S, BIT S D. Security issues in named data networks[J]. Computer, 2018, 51(1): 66-75.
[7] GHASEMI C, YOUSEFI H, SHIN K G, et al. Routing meets caching in named data networks[C]//Proceedings of the 2018 IEEE Conference on Computer Communications Workshops, Honolulu, Apr 15-19, 2018. Piscataway: IEEE, 2018: 1-2.
[8] STEELE J E. How do we get there[M]//GRAY C H. The Key to New Technology. New York: Routledge, 1960: 55-60.
[9] DRESSLER F, AKAN O B. Bio-inspired networking: from theory to practice[J]. IEEE Communications Magazine, 2010, 48(11): 176-183.
[10] TAN Y. Artificial immune system: applications in computer security[M]. New York: John Wiley & Sons, Inc., 2016.
[11] GASTI P, TSUDIK G, UZUN E, et al. DoS and DDoS in named data networking[C]//Proceedings of the 22nd Inter-national Conference on Computer Communication and Net-works, Nassau, Jul 30-Aug 2, 2013. Piscataway: IEEE, 2013: 1-7.
[12] SONG T, YANG Y, LI T. Rethinking Caching security of information-centric networking: a system recovery perspective[J]. IEEE Communications Magazine, 2019, 57(10): 104-110.
[13] ABDALLAH E G, HASSANEIN H S, ZULKERNINE M. A survey of security attacks in information-centric networking[J]. IEEE Communications Surveys & Tutorials, 2015, 17(3): 1441-1454.
[14] YI C, AFANASYEV A, MOISEENKO I, et al. A case for stateful forwarding plane[J]. Computer Communications, 2013, 36(7): 779-791.
[15] GHALI C, NARAYANAN A, ORAN D, et al. Secure frag-mentation for content-centric networks[C]//Proceedings of the 14th IEEE International Symposium on Network Compu-ting and Applications, Cambridge, Sep 28-30, 2015. Washington: IEEE Computer Society, 2015: 47-56.
[16] AFANASYEV A, YI C, WANG L, et al. SNAMP: secure namespace mapping to scale NDN forwarding[C]//Proceed-ings of the 2015 IEEE Conference on Computer Communi-cations Workshops, Hong Kong, China, Apr 26-May 1, 2015. Piscataway: IEEE, 2015: 281-286.
[17] AFANASYEV A, MAHADEVAN P, MOISEENKO I, et al. Interest flooding attack and countermeasures in named data networking[C]//Proceedings of the 2013 IFIP Networking Conference, Brooklyn, May 22-24, 2013. Washington: IEEE Computer Society, 2013: 1-9.
[18] COMPAGNO A, CONTI M, GASTI P, et al. Poseidon: miti-gating interest flooding DDoS attacks in named data network-ing[C]//Proceedings of the 38th Annual IEEE Conference on Local Computer Networks, Sydney, Oct 21-24, 2013. Wash-ington: IEEE Computer Society, 2013: 630-638.
[19] DAI H C, WANG Y, FAN J D, et al. Mitigate DDoS attacks in NDN by interest traceback[C]//Proceedings of the 2013 IEEE Conference on Computer Communications Workshops, Turin, Apr 14-19, 2013. Piscataway: IEEE, 2013: 381-386.
[20] ZHI T, LUO H, LIU Y. A Gini impurity-based interest flood-ing attack defence mechanism in NDN[J]. IEEE Communi-cations Letters, 2018, 22(3): 538-541.
[21] HOU R, HAN M, CHEN J, et al. Theil-based countermeasure against interest flooding attacks for named data networks[J]. IEEE Network, 2019, 33(3): 116-121.
[22] WANG K, ZHOU H C, QIN Y J, et al. Decoupling malicious interests from pending interest table to mitigate interest floo-ding attacks[C]//Proceedings of the 2013 IEEE Global Com-munications Conference, Atlanta, Dec 9-13, 2013. Piscataway: IEEE, 2013: 963-968.
[23] LIU G, QUAN W, CHENG N, et al. Accuracy or delay? A game in detecting interest flooding attacks[J]. Internet Technology Letters, 2018, 1(2): e31.
[24] DONG J Q, WANG K, QUAN W, et al. InterestFence: simple but efficient way to counter interest flooding attack[J]. Com-puters & Security, 2020, 88: 101628.
[25] ZHOU H, WU C, JIANG M, et al. Evolving defense mechanism for future network security[J]. IEEE Communications Maga-zine, 2015, 53(4): 45-51.
[26] VIDAL J M, OROZCO A L S, VILLALBA L J G. Adaptive artificial immune networks for mitigating DoS flooding attacks[J]. Swarm and Evolutionary Computation, 2018, 38: 94-108.
[27] W?HLISCH M, SCHMIDT T C, VAHLENKAMP M. Less-ons from the past: why data-driven states harm future infor-mation-centric networking[C]//Proceedings of the IFIP Net-working Conference, New York, May 22-24, 2013. Washington: IEEE Computer Society, 2013: 1-9.