Detection of Interest Flooding Attacks in Named Data Networking using Hypothesis Testing

Ngoc Tan Nguyen, Rémi Cogranne, Guillaume Doyen and Florent Retraint
ICD - STMR - UMR 6281 CNRS, Troyes University of Technology, Troyes, France
ngoc tan.nguyen@utt.fr ; remi.cogranne@utt.fr ; guillaume.doyen@utt.fr ; florent.retraint@utt.fr

Copyright (c) 2015 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org. Accepted version. Final to be published online on ieeexplore.ieee.org within WIFS proceedings.

Abstract—With the rapid growth of Internet traffic, new emerging network architectures are under deployment. Those architectures will substitute the current IP/TCP network only if they can ensure better security. Currently, the most advanced proposal for a future Internet architecture is Named Data Networking (NDN). However, new computer network architectures bring new types of attacks. This paper focuses on the detection of Interest flooding, one of the most threatening attacks in NDN. The statistical detection is studied within the framework of hypothesis testing. First, we address the case in which all traffic parameters are known. In this context, the optimal test is designed and its statistical performance is given. This allows us to provide an upper bound on the highest detection accuracy one can expect. Then, a linear parametric model is proposed to estimate the unknown parameters and to design a practical test for which the statistical performance is also provided. Numerical results show the relevance of the proposed methodology.

Index Terms—Network security, Named Data Networking, Interest flooding, Statistical detection, Hypothesis testing.

I. INTRODUCTION

Internet usage still keeps growing tremendously, challenging the current IP network with many emerging usages for which it has not been designed, e.g. handling huge content distribution access from users and maintaining connections for mobile devices. Therefore, an important current research topic focuses on proposing clean-slate network architectures that face the future Internet requirements. Such a new network design has been proposed in Information Centric Network (ICN) [1] architectures. Among ICN proposals, Named Data Networking (NDN) [2] is a promising future network. This architecture draws a lot of attention from the research community. NDN testbeds have been deployed and shared between institutions from America, Europe and Asia. Moreover, many telco operators are also interested in this proposal, with many testbed deployment projects (e.g. the DOCTOR project) to investigate its feasibility.

Though the NDN architecture is currently rather complete, its implementation is still under development. Research efforts on NDN are focusing on management, monitoring and, especially, security. Each component in the NDN architecture is a possible target of new attacks. In this paper, we focus on the Interest flooding attack (IFA) [3]. This attack can be launched easily, that is, without much knowledge, while potentially causing large-scale damage to network availability.

This paper studies the statistical detection of IFA. The problem is cast within the framework of hypothesis testing theory, which, to the best of our knowledge, has never been studied in this context. The main contributions of this paper are briefly summarized as follows. First, the optimal Likelihood Ratio Test (LRT) is designed in the theoretical case of perfectly known legitimate traffic. The optimality of this statistical test is ensured whatever the attack payload may be. This test serves as an upper bound on the detection accuracy one can expect for IFA detection. Secondly, in a scenario where the legitimate traffic is unknown, we propose a parametric statistical model upon which a practical Generalized LRT (GLRT) is designed. Finally, the statistical properties of the proposed GLRT are established analytically. In particular, this allows us to guarantee a prescribed false-alarm probability and to compute the detection accuracy.

The paper is organized as follows. Section II recalls the NDN architecture and provides an overview of IFA in NDN. Next, Section III formalizes the problem of IFA detection within hypothesis testing theory. The optimal LRT and its statistical properties are presented in Section IV. Section V introduces the proposed GLRT and studies its statistical performance. Numerical results obtained on simulated data are presented in Section VI. Finally, Section VII summarizes and concludes the paper.

II. NDN SECURITY BACKGROUND

In this section, we briefly introduce NDN, with a focus on the IFA and its recently proposed solutions.