An in-network collaborative verification mechanism for defending content poisoning in Named Data Networking

Haohao Kang, Yi Zhu, Yu Tao, Jianlong Yang
DOI: 10.1109/HOTICN.2018.8606003 (https://doi.org/10.1109/HOTICN.2018.8606003)
Published in: 2018 1st IEEE International Conference on Hot Information-Centric Networking (HotICN)
Publication date: 2018-08-01
Citations: 4

Abstract

The verification mechanism is the key to ensuring content security in Named Data Networking (NDN). However, because NDN routers have limited computational capacity, it is difficult for them to verify all received data packets under heavy traffic. As a consequence, content poisoning has become one of the important security risks of current NDN. To solve this problem, we introduce the concept of data packet credibility and propose an in-network cooperative verification mechanism. In our design, a router calculates the credibility of a received data packet from two aspects: the internal evaluation estimated by the router itself, and the external evaluation from its upstream routers. After completing the combined evaluation, the router performs a probabilistic verification according to the credibility: a data packet with high credibility is verified with low probability. The router then forwards the combined evaluation result to its downstream routers on the reverse path by modifying the structure of the data packet. By building a collaborative verification relationship, this mechanism tries to avoid repeatedly verifying data packets already verified by upstream routers. Simulation results show that it can effectively defend against content poisoning while significantly reducing content verification overhead.