The jury members are:

Reporter:

Miki Yamamoto, Professor at Kansai University

Toru Hasegawa, Professor at Osaka University

Examiner:

Giovanna Carofiglio, Distinguished Engineer / Senior Director at Cisco Systems

Houda Labiod, Professor at Telecom ParisTech

Isabelle Chrisment, Professor at University of Lorraine

Sylvain Contassot-Vivier, Professor at University of Lorraine

Invited:

Hideki Tode, Professor at Osaka Prefecture University

Tohru Asami, CEO at ATR

Supervisor:

Olivier Perrin, Professor at University of Lorraine

Thomas Silverston, Associate Professor at Shibaura Institute of Technology

Abstract:

In recent years, Named Data Networking (NDN) has emerged as one of the most promising future networking architectures. To be adopted at Internet scale, NDN needs to resolve the inherent issues of the current Internet. Since information leakage from an enterprise is one of the big issues even in the Internet and it is very crucial to assess the risk before replacing the Internet with NDN completely, this thesis investigates whether a new security threat causing the information leakage can happen in NDN. Assuming that (i) a computer is located in the enterprise network that is based on an NDN architecture, (ii) the computer has been already compromised by suspicious media such as a malicious email, and (iii) the company installs a firewall connected to the NDN-based future Internet, this thesis focuses on a situation that the compromised computer (i.e., malware) attempts to send leaked data to the outside attacker.

NDN is basically a “pull”-based architecture and there are only two kinds of packets: Interest and Data, which are a request and a response packet, respectively. In order to retrieve content, a consumer first sends the Interest to NDN network and then obtains the corresponding Data from the producer or the intermediate NDN node. In other words, they cannot send a Data unless they receive the Interest packet. Therefore, as one of the naive methods to mitigate information leakage through a Data, an enterprise network firewall can carefully inspect a Data to publish, and produce it instead of the inside employee in the network (i.e., a whitelist). In this case, all the publicly-accessible content is on the firewall.

However, the firewall cannot manage a naming policy on the outside content and NDN forwarding nodes do not verify whether the name really exists. That causes a risk of information leakage through an Interest by malware’s hiding information such as customer information in the Interest name and sending it toward the outside attacker. The malware can pretend to access outside content, so that it is quite difficult for the firewall to detect the information leakage attack. This thesis argues that the information leakage attack through an Interest in NDN should be one of the essential security attacks at protocol level and it is important to develop the detection method of this attack.

The contributions of this thesis are fivefold. Firstly, this thesis proposes an information leakage attack through a Data and through an Interest in NDN. This thesis investigates the one through an Interest deeply, and, as a more advanced attack for the attacker to hide the malicious activity, this thesis proposes a steganography-embedded Interest name to perform information leakage efficiently. To the best of author’s knowledge, this is the first research about the information leakage attack in NDN.

Secondly, in order to address the information leakage attack, this thesis proposes an NDN firewall which monitors and processes the NDN traffic coming from the consumers with the whitelist and blacklist. To design the firewall, this thesis focuses on two requirements: (i) designing an NDN firewall independent from NDN Forwarding Daemon (NFD), which deicides how to forward an Interest, and (ii) performing a fast lookup of the names or name prefixes in the whitelist and blacklist. By utilizing a cuckoo filter, which is a probabilistic filter, the proposed NDN firewall provides Interest packet filtering based on the names or name prefixes in the lists that can be updated on the fly. While satisfying the requirements and providing the functions, the firewall implementation achieves high performance. Specifically, the throughput degradation with the firewall is only from 0.912% to 2.34%, which will be acceptable in an enterprise network.

Thirdly, this thesis proposes an NDN name filter to classify a name in the Interest as legitimate or anomalous. Since NDN has not been deployed at large scale, a dataset about NDN traffic does not exist. Assuming that it is highly possible for the future NDN naming policy to become the one naturally evolved from the current Uniform Resource Locator (URL) naming policy, this thesis utilizes content names based on URLs collected by a web crawler. By using search engine information and applying the name dataset to an isolation forest, this thesis builds NDN name filters. This thesis evaluates the performances of the name filters and shows that the proposed name filters can choke drastically the information leakage throughput per Interest and malware has to send 137 times more Interest packets to leak information than without using the filters.

The name filter can, indeed, reduce the throughput per Interest, but to ameliorate the speed of this attack, malware can send numerous Interests within a short period of time. Moreover, the malware can even exploit an Interest with an explicit payload in the name (like HTTP POST message in the Internet), which is out of scope in the proposed name filter and can increase the information leakage throughput by adopting a longer payload. That is the limitation of the name filter. To take traffic flow to the NDN firewall from the consumer into account, fourthly, this thesis proposes an NDN flow monitored at an NDN firewall. At first, this thesis introduces the concept of NDN flow and specifies it strictly, which has not yet been standardized in NDN research. Then, this thesis proposes a method to generate an NDN flow dataset analogically derived from the HTTP flow dataset in the current Internet because there is no dataset about NDN traffic.

Fifthly, in order to deal with the drawbacks of the NDN name filter, this thesis proposes an NDN flow filter to classify a flow as legitimate or not. Based on the generated NDN flow dataset, this thesis builds an NDN flow filter against the information leakage attack. By applying the obtained dataset to a Support Vector Machine (SVM), this thesis builds an NDN flow filter against the information leakage attack, and the performance evaluation shows that the information leakage throughput choked by the flow filter is from 1.87·10−4 to 8.08·10−3 times that of only by the name filter, and the throughput choked by the name and flow filter under banning Interests with an explicit payload in the name reaches at most 1.72 Kbps. Thus, the flow filter complements the name filter and greatly chokes the information leakage throughput.