The NDN model in which MDA is detected and mitigated by the proposed MDAM is as follows: we model NDN as a graph of interconnected nodes (routers).
MDAM is a set of algorithms that run on routers and has a low degree of implementation complexity.
MDAM keeps several statistics on expired Interests for each router.
To sum up, MDAM continuously monitors, at a coarse granularity, the rate of unsatisfied Interests relative to the overall pending Interests in the PIT of each router, in order to determine whether an MDA is present in the NDN.
The list of the detected prefixes is extracted from FIB by MDAM in each NDN router.
Second, as shown in Algorithm 2, whenever the malicious prefixes are identified, MDAM monitors, according to the PIT, through which interfaces these malicious Interests come in, and then checks the number of the corresponding expired PIT entries (recording these malicious Interests) at a per-prefix-per-interface granularity ($E(p)(f)$) against its predefined threshold ($F_{th}$).
Dividing the detection mechanism of MDAM into two phases, instead of monitoring per-prefix-per-interface from beginning to end, can significantly decrease the overhead.
Note that when the first-hop routers receive the ALERT messages and have successfully determined the corresponding malicious interfaces where malicious Interests come in, through the second phase described above (checking whether $E(p)(f) > F_{th}$ for every interface), the mitigation mechanism of MDAM is triggered: the Interest-incoming rate of each detected malicious interface is decreased, because the hosts directly connected to these interfaces are identified as attackers (in Section 5 of this paper, we present a case study in which all the Interest packets requesting the malicious prefix(es) are dropped directly at all the involved interfaces of the first-hop routers).
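The two-phase check and the drop rule described above, as an added Python sketch (not the paper's Algorithm 1 or 2, and ALERT propagation between routers is not modeled). The phase-1 ratio threshold, the value used for F_th, the event tuple layout and the prefix names are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds for illustration only; the page does not give their values.
RATIO_TH = 0.5   # hypothetical phase-1 threshold: expired / pending per prefix
F_TH = 3         # hypothetical F_th: expired PIT entries per prefix per interface

def phase1_suspect_prefixes(pit_events, ratio_th=RATIO_TH):
    """Coarse check: per-prefix share of PIT entries that expired unsatisfied."""
    pending, expired = Counter(), Counter()
    for prefix, _face, outcome in pit_events:
        pending[prefix] += 1
        if outcome == "expired":
            expired[prefix] += 1
    return {p for p in pending if expired[p] / pending[p] > ratio_th}

def phase2_malicious_faces(pit_events, suspects, f_th=F_TH):
    """Fine check, run only for flagged prefixes: E(p)(f) > F_th."""
    e = defaultdict(Counter)  # e[p][f] plays the role of E(p)(f)
    for prefix, face, outcome in pit_events:
        if prefix in suspects and outcome == "expired":
            e[prefix][face] += 1
    return {(p, f) for p in e for f, n in e[p].items() if n > f_th}

def detect(pit_events):
    """Run phase 1, then phase 2 restricted to the prefixes phase 1 flagged."""
    suspects = phase1_suspect_prefixes(pit_events)
    return suspects, phase2_malicious_faces(pit_events, suspects)

def should_drop(prefix, face, blocked):
    """Case-study mitigation: drop Interests for a flagged prefix on a flagged interface."""
    return (prefix, face) in blocked

# Constructed one-window sample of PIT outcomes: (prefix, incoming interface, outcome)
SAMPLE = (
    [("/video", 1, "satisfied")] * 8 + [("/video", 2, "expired")] * 1
    + [("/bogus", 3, "expired")] * 9 + [("/bogus", 1, "expired")] * 2
    + [("/bogus", 2, "satisfied")] * 1
)

if __name__ == "__main__":
    suspects, blocked = detect(SAMPLE)
    print("suspect prefixes:", suspects)
    print("blocked (prefix, interface):", blocked)
```

Per-interface counters are kept only for prefixes that phase 1 has already flagged, which is where the overhead saving of the two-phase split comes from.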
In this section, we implement MDAM at each NDN router in Fig.
In this part, the experimental settings are the same as in Section 3.1, except that MDAM is implemented on each of the routers. Based on the trace files of Section 3.1, the average number of expired PIT entries per prefix at each router is about one entry per second, and the average number of expired PIT entries per prefix per interface at each router is about 0.2 entries per second in our simulated scenarios.
However, only about seven seconds after the MDA is launched, the PIT sizes of both routers recover to their normal levels (about 10 entries for the gateway router and 5 entries for the backbone router), which means that, with proper parameter settings, MDAM can protect NDN routers from MDA successfully and in a timely manner.
9 shows the amount of the returned Data packets for six randomly selected NDN users suffering MDA when MDAM is enabled at each router.