A Security Monitoring Plane for Named Data Networking Deployment
IEEE Communications Magazine (CommMag), Feature topic on Information-Centric Networking Security
pp. 88–94
Named Data Networking (NDN) is the most mature proposal of the Information-Centric Networking (ICN) paradigm, a clean-slate approach for the Future Internet. Although NDN was designed to natively tackle security issues inherent to IP networks, it also introduces new security threats which may prevent its practical deployment by telco operators. Therefore, designing and implementing a dedicated security monitoring plane is essential to enable such future deployment, and in this paper we present a set of contributions in this area. The first consists in characterizing significant NDN attacks in a real operating context to evaluate their actual impact. Then, by analyzing the NDN Forwarding Daemon (NFD) data-plane pipelines, we present a monitoring plane design which captures the state of NDN nodes by instrumenting 18 metrics with dedicated probes. We then correlate these metrics with a Bayesian Network, which allows the detection of potentially abnormal behaviors. To validate our approach, we demonstrate the efficiency of our monitoring plane in the detection of Content Poisoning Attacks and Interest Flooding Attacks in a testbed carrying real traffic.