Dissertations and theses : Doctoral thesis
Engineering, computing & technology : Computer science
Security, Reliability and Trust
A multifold approach to address the security issues of stateful forwarding mechanisms in Information-Centric Networks.
Signorello, Salvatore [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
University of Luxembourg, Luxembourg, Luxembourg; University of Lorraine, Nancy, France
Docteur en Informatique
State, Radu
Festor, Olivier
Rodošek, Gabrijela
Engel, Thomas
Palattella, Maria Rita
François, Jérôme
Laurent, Maryline
[en] Information-Centric Networking ; Named-Data Networking ; security ; Denial of Service ; Interest Flooding Attack
[en] The dominant usage trends of today's Internet motivate research on more content-oriented future network architectures. Among the emerging future Internet proposals, the promising Information-Centric Networking (ICN) research paradigm aims to redesign the Internet's core protocols to promote a shift in focus from hosts to contents. Among the ICN architectures, Named-Data Networking (NDN) envisions users' named content requests being forwarded and recorded by their names in routers along the path from one consumer to one or many sources. The Pending Interest Table (PIT) is the NDN data-plane component which temporarily records forwarded content requests in routers. On one hand, the PIT stateful mechanism enables properties like request aggregation, multicast response delivery and native hop-by-hop flow control. On the other hand, the PIT stateful forwarding behavior can be easily abused by malicious users to mount disruptive distributed denial of service (DDoS) attacks, named Interest Flooding Attacks (IFAs). In IFAs, loosely coordinated botnets flood the network with a large number of hard-to-satisfy requests with the aim of overloading both the network infrastructure and the content producers. Countermeasures against IFAs have been proposed since the early discovery of the attack. However, a fair understanding of the defense mechanisms' real efficacy is missing, since they have been tested under simplistic assumptions about the evaluation scenarios. Thus, overall, the IFA security threat still appears easy to launch but hard to mitigate.
This dissertation shapes a better understanding of both the implications of IFAs and the possibilities of improving the state-of-the-art defense mechanisms against these attacks. The contributions of this work include the definition of a more complete and realistic attacker model for IFAs, the design of novel stealthy IFAs built upon the proposed attacker model, a re-assessment of the most efficient state-of-the-art IFA countermeasures against the novel proposed attacks, and the theorization and one concrete design of a novel class of IFA countermeasures to efficiently address the novel stealthy IFAs. Finally, this work also seminally proposes to leverage the latest programmable data-plane technologies to design and test alternative forwarding mechanisms for NDN which could be less vulnerable to the IFA threat.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Services and Data management research group (SEDAN)
Fonds National de la Recherche - FnR
Researchers ; Students
FnR ; FNR6450335 > Thomas Engel > IDSECOM > ID-based SEcure COMmunications system for unified access in IoT > 01/04/2014 > 31/03/2017 > 2013

File(s) associated to this reference

Fulltext file(s):

Open access
versionBiblio-UniLu.pdf (Author postprint, 5.45 MB)


All documents in ORBilu are protected by a user license.