A method for testing content name announcement topology security in an IFA scenario

By constructing a directed tree model of the content name announcement topology of the information center network, calculating the node interest convergence rate and blocking probability, the problem of lacking quantitative assessment of network security in existing technologies is solved, and proactive security analysis and optimization design of the information center network topology are realized.

CN122394932APending Publication Date: 2026-07-14BEIHANG UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIHANG UNIV
Filing Date
2026-05-09
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing technologies lack a systematic and quantitative assessment method for how the content name announcement topology in an information center network affects network security in interest flooding attack scenarios from the perspective of network logical structure design, making it difficult to provide an effective basis for topology optimization and security design.

Method used

A directed tree model of the content name announcement topology is constructed. Based on the directed tree model, the normal interest convergence rate and malicious interest convergence rate of each node are calculated. The node blocking probability is calculated by combining the Erlang B blocking model. The security of the content name announcement topology is evaluated by the total normal interest generation rate of the entire network.

Benefits of technology

It enables proactive and comparable quantitative evaluation of different announcement topologies under interest flooding attack scenarios, truly reflects the stress mechanism of node resources, and provides a unified quantitative basis for announcement topology optimization and security design.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394932A_ABST
    Figure CN122394932A_ABST
Patent Text Reader

Abstract

The application discloses a kind of IFA scene under the test method of content name announcement topology security, comprising: on physical topology, with the root of the content provider node to be evaluated, the directed tree model of the content name announcement topology is constructed;Based on the directed tree model, the preset local normal interest arrival rate and malicious interest arrival rate of each node are gradually converged, and the normal interest convergence rate and malicious interest convergence rate of each node are obtained;Normal interest convergence rate and malicious interest convergence rate and corresponding differential state occupancy time are used to calculate the average service load of each node;Based on the average service load of each node and the preset state resource capacity, Erlang B blocking model is used for processing, and the blocking probability of each node is obtained;The average normal request packet loss probability is obtained by using the total generation rate of network normal interest to weight average each node blocking probability;Based on average normal request packet loss probability, the security of content name announcement topology is evaluated.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of information center network and network security technology, and particularly relates to a testing method for the security of content name announcement topology in an IFA scenario. Background Technology

[0002] As internet applications evolve from traditional inter-host communication to content retrieval and service access, the traditional TCP / IP-based host-centric network architecture is increasingly revealing its limitations in content distribution efficiency and network caching utilization. Information-centric networks (ICNs), which organize communication around content, directly address and forward content by name, achieving decoupling between network nodes and services, and are considered a key candidate architecture for the future internet. In ICNs, requesters retrieve content by sending interest packets carrying the content name. Intermediate nodes must maintain state information (such as a Pending Interest Table, PIT) for unmet interests to ensure data returns along the correct path. While this mechanism improves flexibility, it makes the state resources of intermediate nodes potential targets for attacks. Interest flooding attacks are a typical ICN-specific attack method where attackers continuously send a large number of malicious interest packets, exhausting the state resources of intermediate nodes, causing normal requests to be blocked or dropped, and significantly reducing network service capabilities. Current research on such attacks mainly focuses on passive defenses such as interest rate limiting, resource quota control, and abnormal traffic detection, enabling detection and mitigation after an attack occurs.

[0003] However, existing technologies still have significant technical problems: On the one hand, current research mainly focuses on detection and suppression methods at the traffic level, lacking a unified approach for proactive security analysis from the perspective of network logical structure design. Especially when attack traffic and normal traffic have similar statistical characteristics, or when low-speed distributed attacks are employed, relying solely on traffic detection is insufficient to accurately reflect the differences in attack resilience of different network structures. Information-centric networks construct logical visibility relationships on the physical topology through content name announcements. Different announcement methods form different logical topologies, leading to vastly different request propagation paths, node load distributions, and the degree of pressure on critical node resources, directly impacting overall network security. However, existing technologies still lack a systematic quantitative assessment method for "how content name announcement topology affects network security in interest flooding attack scenarios." An analytical model capable of uniformly characterizing the logical announcement topology, the interest traffic aggregation process, and the relationship between node state and resource pressure has not yet been established. Furthermore, there is a lack of assessment methods to map different announcement topologies to comparable security indicators, making it difficult to provide an effective basis for topology optimization and security design. Summary of the Invention

[0004] To address the aforementioned technical problems, this invention proposes a testing method for the topological security of content name announcements in an IFA scenario, thereby resolving the issues present in the prior art.

[0005] To achieve the above objectives, this invention provides a testing method for the topological security of content name announcements in an IFA (Information Facilitation) scenario, comprising: In terms of physical topology, a directed tree model of the content name announcement topology is constructed with the content provider node to be evaluated as the root. Based on the directed tree model, the normal interest arrival rate and malicious interest arrival rate of each node are aggregated step by step to obtain the normal interest aggregation rate and malicious interest aggregation rate of each node. The average service load of each node is calculated using the normal interest convergence rate and the malicious interest convergence rate, as well as the corresponding differential state occupancy time. Based on the average business load and preset state resource capacity of each node, the Erlang B blocking model is used to process and obtain the blocking probability of each node. The average normal request packet loss probability is obtained by weighting the blocking probability of each node using the total normal interest generation rate of the entire network. The security of the content name announcement topology is assessed based on the average normal request packet loss probability.

[0006] Optionally, the process of constructing a directed tree model of the content name announcement topology includes: The physical topology is obtained by processing the set of autonomous system nodes and the set of physical connection edges using a scale-free network generation method. Based on the physical topology, the node where the content provider is located is selected as the root node; On the set of connection edges in the physical topology, a unique parent node is assigned to each non-root node, resulting in a directed tree model of the content name announcement topology rooted at the content provider node.

[0007] Optionally, the process of assigning a unique parent node to each non-root node includes: in the directed tree model of the content name announcement topology, setting a unique parent node for each non-root node to represent its logical upstream announcement source, and setting at least one child node for each node to represent the direction in which the content name continues to propagate.

[0008] Optionally, the process of obtaining the normal interest convergence rate and malicious interest convergence rate of each node includes: For any node, the normal interest convergence rate of the current node is obtained by summing the local normal interest arrival rate of the current node with the normal interest convergence rate of all direct child nodes of the current node. The malicious interest aggregation rate of a node is obtained by summing the local malicious interest arrival rate of the current node with the malicious interest aggregation rate of all its direct child nodes.

[0009] Optionally, the process of calculating the average service load of each node includes: The normal interest service load component is obtained by multiplying the normal interest convergence rate of a node by the average duration of normal interest status. The malicious interest service load component is obtained by multiplying the malicious interest aggregation rate of a node by the average state occupancy time of malicious interests. The average service load of the node is obtained by adding the normal interest service load component and the malicious interest service load component, wherein the average duration of the malicious interest state is longer than the average duration of the normal interest state.

[0010] Optionally, based on the average service load and preset state resource capacity of each node, the Erlang B blocking model is used for processing, and the expression for the blocking probability of each node is obtained as follows: ; In the formula, For nodes The probability of blocking, For nodes State resource capacity, For nodes Average business load, It is a loop variable.

[0011] Optionally, the calculation expression for the total normal interest generation rate of the entire network is: ; In the formula, Let V be the total normal interest generation rate across the entire network, and V be the set of autonomous system nodes. For nodes The normal interest reach rate generated locally, where i is the i-th node.

[0012] Optionally, the average normal request packet loss probability is: ; In the formula, This represents the average packet loss probability for normal requests.

[0013] Compared with the prior art, the present invention has the following advantages and technical effects: This invention establishes a quantitative mapping relationship of "announcement topology—interest convergence—node stress—network security" by starting with the logical structural variable of content name announcement topology. This enables proactive and comparable quantitative assessment of the security of different announcement topologies under interest flooding attack scenarios, overcoming the shortcomings of existing technologies that rely solely on passive defense through traffic detection. Furthermore, by separately characterizing the differentiated convergence processes and state occupancy durations of normal and malicious interests, it realistically reflects the node resource stress mechanism, making the assessment results more targeted and interpretable. This method is applicable to network topologies of different sizes and types, providing a unified quantitative basis for the optimized design and security selection of announcement topologies. Attached Figure Description

[0014] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments and descriptions of this application are used to explain this application and do not constitute an undue limitation of this application. In the drawings: Figure 1 This is a schematic diagram of the overall process of a test method for the topological security of content name announcements in an IFA scenario according to an embodiment of the present invention; Figure 2 This is a schematic diagram illustrating the relationship between the physical topology and the logical content name announcement topology in an embodiment of the present invention; Figure 3 This is a schematic diagram illustrating the step-by-step convergence process of normal interest traffic and malicious interest traffic at the node level in an embodiment of the present invention; Figure 4 This is a schematic diagram comparing the average normal request packet loss probability of different content name announcement topologies based on real network topologies in an embodiment of the present invention; Figure 5 This is a schematic diagram illustrating the variation of average PIT table occupancy rate of critical border routers with attack intensity under different content name announcement topologies in embodiments of the present invention. Detailed Implementation

[0015] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.

[0016] It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order than that shown here.

[0017] Example 1 like Figure 1As shown, this embodiment provides a testing method for the topological security of content name announcements in an IFA scenario. Scale-free networks typically contain a few highly connected central nodes and a large number of less connected edge nodes, exhibiting different security characteristics compared to uniform topologies when facing random failures and targeted attacks. Since highly central nodes in scale-free networks are more likely to become traffic convergence points, this type of network is suitable as a numerical simulation object for verifying the effectiveness of the content name announcement topological security assessment method. The method includes the following steps: Step 1, obtaining the physical topology information, content provider location information, normal interest traffic parameters, malicious interest traffic parameters, and node state resource parameters of the network to be evaluated; wherein, the physical topology is used to characterize the actual connection relationships between nodes in the network, and the node state resource parameters include the resource capacity available for each node to maintain unsatisfied interest states and parameters related to the average interest occupancy time.

[0018] Step two, as Figure 2 As shown, a content name announcement topology to be evaluated is constructed based on the physical topology and content provider location information. The content name announcement topology is a logical topology built on top of the physical topology, used to describe the visibility relationship of the target content in the network and the logical propagation direction of subsequent interest requests. Preferably, in a single content, single provider scenario, the content name announcement topology is represented as a directed tree with the node where the content provider is located as the root node.

[0019] Step 3, as Figure 3 As shown, a node-level interest traffic aggregation model is established based on the content name announcement topology, and the normal interest aggregation rate and malicious interest aggregation rate of each node are calculated respectively. The interest traffic received by each node includes not only the interest traffic generated locally by the node, but also the interest traffic aggregated from its downstream logical subtrees, thereby obtaining the total interest arrival rate of each node under the logical announcement topology.

[0020] Step 4: Based on the normal interest convergence rate, malicious interest convergence rate and the average state occupancy time of each node, establish a node business load model; among them, malicious interests are more difficult to satisfy, and their average state occupancy time is usually greater than that of normal interests, thus creating a higher load pressure on node state resources.

[0021] Step five involves abstracting the process of each node maintaining its interest state into a finite-capacity system. A node-level blocking analysis model is established based on node workload and node state resource capacity. This model calculates the blocking probability of each node under the current content name announcement topology and attack scenarios, representing the likelihood of newly arriving interest requests being rejected due to insufficient state resources. Preferably, the node-level blocking analysis model uses the Erlang B blocking model for approximate calculations.

[0022] Step six: Based on the blocking probability of each node and the distribution of normal interest requests in the network, construct a network-level security index and calculate the overall degree of damage to normal requests under a given content name advertisement topology. This will serve as the security assessment result of the content name advertisement topology in the IFA scenario. Preferably, the network-level security index is the average normal request packet loss probability or the equivalent degree of degradation in normal request service capacity.

[0023] Perform the above steps on multiple candidate content name announcement topologies to obtain the security assessment results for each candidate topology. Then, sort or filter them according to security indicators to determine the content name announcement topology with better security.

[0024] As a specific implementation method of this embodiment, an autonomous system-level scale-free physical topology is first constructed, denoted as: in, Let E represent the set of nodes in an autonomous system (AS), and let E represent the set of physical connections between ASs. The scale-free physical topology can be generated using existing complex network generation methods or imported from a pre-given scale-free network sample. Then, a node in the physical topology is selected as the node containing the target content provider, denoted as . .

[0025] In terms of physical topology, a directed tree model of the content name announcement topology is constructed with the content provider node to be evaluated as the root. The process includes: processing the set of autonomous system nodes and the set of physical connection edges using a scale-free network generation method to obtain the physical topology; selecting the node where the content provider is located as the root node based on the physical topology; and assigning a unique parent node to each non-root node in the set of connection edges of the physical topology to obtain a directed tree model of the content name announcement topology rooted at the content provider node.

[0026] That is, after obtaining the physical topology, based on the node where the content provider is located... Construct the content name announcement topology to be evaluated, denoted as: The content name announcement topology is a logical topology built upon the physical topology, used to represent the logical visibility relationships of target content within the network. In a single-content, single-provider scenario, the content name announcement topology is abstracted as a tree centered around the node where the content provider resides. A directed tree with a root node, where each non-root node has only one parent node to represent its logical upstream announcement source; each node may have one or more child nodes to represent the direction in which the content name continues to propagate.

[0027] Based on a directed tree model, the normal interest arrival rates and malicious interest arrival rates of each node are aggregated level by level to obtain the normal interest aggregation rate and malicious interest aggregation rate of each node. The process includes: for any node, the normal interest aggregation rate of the current node is obtained by summing the local normal interest arrival rate of the current node with the normal interest aggregation rates of all its direct child nodes; the malicious interest aggregation rate of the current node is obtained by summing the local malicious interest arrival rate of the current node with the malicious interest aggregation rates of all its direct child nodes.

[0028] In this embodiment, normal interest traffic parameters and malicious interest traffic parameters are pre-set for each node in the scale-free network. Let the node... The local generated normal interest reach rate The local malicious interest reach rate At the same time, set Indicates logical notification topology Middle node The set of direct child nodes. Since interest requests converge along the logical announcement topology from downstream towards the content provider, the nodes... Normal interest convergence rate and malicious interest convergence rate They respectively satisfy the following relations: Furthermore, nodes The total interest reach rate at this location is: Therefore, the total interest load borne by each node under a given content name announcement topology can be obtained.

[0029] Furthermore, the average service load of each node is calculated using the normal interest convergence rate, the malicious interest convergence rate, and the corresponding differentiated state occupancy duration. The process includes: obtaining the normal interest service load component by multiplying the node's normal interest convergence rate by the average normal interest state occupancy duration; obtaining the malicious interest service load component by multiplying the node's malicious interest convergence rate by the average malicious interest state occupancy duration; and adding the normal interest service load component and the malicious interest service load component to obtain the node's average service load, wherein the average malicious interest state occupancy duration is greater than the average normal interest state occupancy duration.

[0030] Considering the different characteristics of normal and malicious interests in occupying node state resources, this embodiment sets the node... The average duration of the state corresponding to normal interest is The duration for which a malicious request occupies state resources is Among these, malicious interests are usually more difficult to satisfy, therefore they generally have Based on this, the node Average business load It can be represented as: in For nodes Received normal interest convergence rate, This represents the average duration of time a normal request occupies state resources. For nodes Received malicious interest aggregation rate This refers to the duration for which a malicious request occupies state resources, which is usually the maximum allowed duration for a node to occupy state resources.

[0031] This workload is used to characterize the overall stress on node state resources under given logical notification topology and attack traffic conditions.

[0032] Based on the average service load and preset state resource capacity of each node, the Erlang B blocking model is used to process the data and obtain the blocking probability of each node. That is, in this embodiment, the resources used by each node to maintain unsatisfied interest states are abstracted as a finite-capacity system. Let the nodes... The state resource capacity is This can be understood as the maximum number of valid entries in the PIT (Pending Interest Table) or similar state tables of a node that can be occupied by interest requests. When a new interest request arrives at the node, if there are still idle state resources, the interest is accepted; if the state resources are already full, the interest is blocked or discarded. For the loop variable (from 0 to ... All natural numbers). Based on the Erlang B blocking model, nodes... blocking probability It can be represented as: The blocking probability represents the probability that a new interest request cannot be accepted due to the lack of available state resources, given the current node's service load and state resource capacity.

[0033] The average normal request packet loss probability is obtained by weighting the blocking probability of each node using the total normal interest generation rate of the entire network. That is, after obtaining the blocking probability of all nodes, a network-level security indicator is further constructed. Let the total normal interest generation rate of the entire network be: The average normal request packet loss probability of the entire network under the given content name announcement topology L is defined as: The security of a Content Name Advertisement (CMA) topology is assessed based on the average normal request packet loss probability. The average normal request packet loss probability quantifies the overall damage suffered by normal requests in the network under the current CMA topology and interest flooding attack scenarios. A lower value indicates that normal requests are less likely to be dropped due to node state resource exhaustion under that CMA topology, thus indicating higher security for the topology.

[0034] In this embodiment, two or more different content name announcement topologies can be selected as the evaluation objects, and under the conditions of the same scale-free physical topology, the same normal interest traffic parameters, the same malicious interest traffic parameters, and the same node state resource parameters, the network-level average normal request packet loss probability is calculated for each. If a certain content name announcement topology corresponds to... If the value is smaller, the content name announcement topology is considered to have higher security in the current interest flooding attack scenario. This method allows for a unified comparison and ranking of the security of multiple candidate content name announcement topologies.

[0035] In the scale-free network scenario described in this embodiment, since a few highly connected nodes are more likely to become convergence points for interest traffic, the impact of different content name announcement topologies on these key nodes will vary more significantly. Using the evaluation method of this invention, it is possible to clearly identify which nodes are more likely to form high-congestion-probability areas under a specific logical announcement topology, and the overall impact of this logical announcement topology on the network's normal request service capability, thereby providing a quantitative basis for subsequent content name announcement topology optimization.

[0036] In summary, this embodiment demonstrates that the method for assessing the security of content name announcement topology in IFA scenarios of the present invention is applicable to complex network scenarios such as scale-free networks. It can quantitatively assess the security of content name announcement topology by starting from logical content announcement topology and combining interest traffic aggregation characteristics, node state resource pressure mechanisms, and network-level security indicators.

[0037] Furthermore, the evaluation method is applicable to both numerical simulation scenarios based on theoretical models and content name announcement topology security analysis based on real network topology, container networks, or prototype system experimental environments.

[0038] Based on the above implementation plan, the following beneficial effects were achieved: First, starting from the logical structural variable of content name announcement topology, this invention breaks through the limitations of existing technologies that mainly focus on passive defense methods such as interest rate limiting, anomaly detection, and traffic suppression, and can proactively analyze the security of IFA scenarios from the perspective of network structure design.

[0039] Second, this invention establishes a quantitative mapping relationship between content name announcement topology, interest traffic aggregation, node status resource pressure, and overall network security, enabling different content name announcement topologies to be compared under unified indicators, thereby improving the computability and operability of security analysis.

[0040] Third, by separately characterizing the convergence process of normal and malicious interests and the differences in the time that different types of interests occupy state resources, this invention can more realistically reflect the stress mechanism of node state resources in IFA scenarios, thereby making the evaluation results more targeted and interpretable.

[0041] Fourth, the network-level security indicators proposed in this invention can directly reflect the degree of damage to normal requests under attack scenarios, and can provide a unified target basis and evaluation basis for subsequent content name announcement topology generation algorithms, designated announcement path strategy design, and prototype system implementation.

[0042] Fifth, this invention is applicable to information center network scenarios of different scales and types. It can be used for numerical evaluation in scale-free networks and real network topologies, and can also be used to guide the design of content name announcement mechanisms in actual prototype systems. It has good universality and engineering application value.

[0043] Example 2 In this embodiment, a content name announcement topology security assessment process based on real network topology is given to illustrate that the assessment method of the present invention is applicable not only to abstract and complex network scenarios, but also to network topology scenarios derived from real Internet structures.

[0044] In this embodiment, multiple real network topologies are first selected as experimental objects, and an autonomous system-level physical topology model is constructed based on each real network topology. Preferably, the real network topologies are derived from the Internet Topology Zoo dataset. For each real network topology, it is abstracted into a physical topology, as shown below: in, Represents the set of autonomous system nodes. This represents the set of physical connections between autonomous systems. Then, a node is selected from each physical topology as the content provider node, and the corresponding logical content name announcement topology is constructed. The present invention uses the evaluation method to calculate the security index of the logical content name announcement topology under the interest flooding attack scenario.

[0045] In this embodiment, to more closely resemble a real network hierarchy, nodes can be hierarchically divided according to their degree. Preferably, nodes are sorted from low to high connectivity, with the top 70% designated as access layer nodes, 70% to 90% as aggregation layer nodes, and 90% to 100% as core layer nodes. Subsequently, legitimate requesters are deployed in the aggregation and access layer nodes, while malicious requesters are deployed in some of these nodes to create a mixed-interest traffic scenario.

[0046] In a preferred embodiment, the PIT state resource capacity of all nodes is uniformly set to 100. 30% of the nodes in the aggregation layer and access layer are configured with normal requesters, and an additional 30% of these nodes are randomly selected to deploy malicious requesters. The interest transmission rate for both normal and malicious requesters in the aggregation layer is set to 40 requests per second, and the interest transmission rate for both normal and malicious requesters in the access layer is set to 50 requests per second. For each real network topology, multiple experiments are conducted in both scenarios with fixed content provider nodes and random content provider nodes to reduce the impact of random factors on the evaluation results.

[0047] After obtaining the normal interest reach rate and malicious interest reach rate of each node, the normal interest convergence rate of each node is calculated step by step based on the content name announcement topology. With malicious interest convergence rate Furthermore, by combining the average duration of state resource usage by normal and malicious interests, the service load of each node can be obtained. Then, the state resources of each node are abstracted into a finite-capacity system, and the node blocking probability is obtained based on the Erlang B blocking model. Furthermore, based on the network-level average normal request packet loss probability: Perform a quantitative security assessment on the given logical content name announcement topology. The smaller the value, the stronger the protection capability of the content name announcement topology for normal requests in the IFA scenario, and the higher its security.

[0048] In this embodiment, a horizontal comparison can be further performed on the announcement topologies of different logical content names. For example, announcement topologies based on the shortest path rule, announcement topologies based on the depth-first rule, and other candidate announcement topologies can be constructed respectively, and their corresponding... Compare them. Figure 4 The average values ​​based on 17 real topologies are given. Comparison Results. The results show that, in scenarios with fixed content provider nodes and random content provider nodes, there are significant differences in the average normal request packet loss probability corresponding to different content name announcement topologies. This demonstrates that the evaluation method of this invention can effectively distinguish the security advantages and disadvantages of different logical content announcement topologies.

[0049] Furthermore, in a scenario with fixed content provider nodes, the average value corresponding to the optimal logical content name announcement topology is... It can be reduced to approximately 0.350, while the average value corresponding to the announcement topology constructed based on the shortest path rule and the depth-first rule is... The values ​​are approximately 0.383 and 0.412, respectively; in the scenario of random content provider nodes, the average value corresponding to the topology of the better logical content name announcement is... It is approximately 0.346, while the average value corresponding to the announcement topology constructed based on the shortest path rule and the depth-first rule is... The values ​​are approximately 0.380 and 0.407, respectively. This demonstrates that the evaluation method of this invention can not only work in real network topology scenarios, but also provide a unified quantitative basis for comparing the security of multiple candidate content name announcement topologies.

[0050] In summary, this embodiment demonstrates that the method for evaluating the security of content name announcement topology in IFA scenarios of the present invention is applicable to real network topology scenarios, and can quantify the impact of different content name announcement topologies on normal requests under interest flooding attacks into comparable security indicators, thereby providing support for subsequent announcement topology selection and optimization.

[0051] Example 3 In this embodiment, an association verification process based on the occupancy rate of the PIT table of the critical border router is given to illustrate the consistency between the topology security assessment results of the content name announcement of this invention and the pressure on the state resources of the critical nodes inside the network.

[0052] In information-centric networks, interest flooding attacks directly disrupt the resource structures maintained by intermediate nodes that do not satisfy interest states, such as the Pending Interest Table (PIT). When a large number of malicious interest requests continuously converge towards the content provider along the logical content name advertisement topology, the PIT entries at critical relay nodes are quickly occupied, thereby compressing the state resource space available for normal requests. Therefore, changes in the PIT occupancy rate of critical nodes can reflect the resilience of different content name advertisement topologies to interest flooding attacks from an internal network perspective.

[0053] In this embodiment, a symbiotic network container simulation platform was developed based on OpenSN. An IFA attack simulation experiment under a symbiotic network architecture was conducted on this platform, selecting a critical boundary router with significant traffic aggregation as the observation object. Preferably, the critical boundary router is the BR1801. Then, under the same physical topology, the same normal interest traffic parameters, the same malicious interest traffic parameters, and the same state resource capacity, the average PIT table occupancy rate of the critical boundary router under different attack intensities was statistically analyzed for multiple different content name advertisement topologies, and compared with the aforementioned network-level security assessment results.

[0054] In this embodiment, as the attack intensity gradually increases, the average PIT table occupancy rate of critical border routers under multiple content name advertisement topologies to be evaluated all show an upward trend, but the growth rate and final occupancy level under different logical content name advertisement topologies are significantly different. Figure 5 The figure presents the results of the average PIT table occupancy rate of critical border routers under different content name advertisement topologies as a function of attack intensity. As can be seen from the figure, under medium to high attack intensity, there are significant differences in the occupancy of state resources on critical border routers under different content name advertisement topologies. Some content name advertisement topologies cause a large amount of normal and malicious interest to converge at a few critical relay nodes, leading to a rapid increase in the PIT table occupancy rate of critical border routers and gradually approaching saturation. Other content name advertisement topologies, however, can constrain the convergence of interest traffic at the logical path level, keeping the PIT table occupancy rate of critical border routers at a relatively low level, thus reserving more available state resources for normal requests.

[0055] Furthermore, the average PIT table occupancy rate of the critical border router in this embodiment is compared with the previously calculated network-level average normal request packet loss probability. Comparing the evaluation results, we can find that the two are consistent: when the average normal request packet loss probability of a certain content name advertisement path is high, the average PIT table occupancy rate of the corresponding critical border router is high; conversely, when the average normal request packet loss probability of a certain content name advertisement path is low, the average PIT table occupancy rate of the corresponding critical border router is also low, indicating that the content name advertisement topology has higher security in the interest flooding attack scenario.

[0056] The reason for this is that the evaluation method of this invention takes the content name advertisement topology as the starting point for analysis, characterizes the convergence process of interest traffic step by step through the logical topology, and uniformly maps the pressure on node state resources into congestion probability and network-level security indicators. Therefore, the PIT table occupancy level of critical relay nodes is essentially a direct reflection of the logical content advertisement topology, interest traffic convergence pattern, and node state resource contention relationship. In other words, the changing pattern of PIT table occupancy rate of critical boundary routers can experimentally verify that the mapping relationship of "content name advertisement topology - interest traffic convergence - node state resource pressure - overall network security" established by the evaluation method of this invention is reasonable.

[0057] Therefore, this embodiment further illustrates that the evaluation method for content name announcement topology security in the IFA scenario of the present invention can not only output security indicators such as the average normal request packet loss probability from a network-level perspective, but also the evaluation results can be mutually verified with the experimental observation results of the pressure on the state resources of key nodes, thereby enhancing the interpretability and engineering applicability of the evaluation method.

[0058] The above are merely preferred embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for testing the topological security of content name announcements in an IFA scenario, characterized in that, Includes the following steps: In terms of physical topology, a directed tree model of the content name announcement topology is constructed with the content provider node to be evaluated as the root. Based on the directed tree model, the normal interest arrival rate and malicious interest arrival rate of each node are aggregated step by step to obtain the normal interest aggregation rate and malicious interest aggregation rate of each node. The average service load of each node is calculated using the normal interest convergence rate and the malicious interest convergence rate, as well as the corresponding differential state occupancy time. Based on the average business load and preset state resource capacity of each node, the Erlang B blocking model is used to process and obtain the blocking probability of each node. The average normal request packet loss probability is obtained by weighting the blocking probability of each node using the total normal interest generation rate of the entire network. The security of the content name announcement topology is assessed based on the average normal request packet loss probability.

2. The test method for content name announcement topology security in an IFA scenario according to claim 1, characterized in that, The process of constructing a directed tree model of the content name announcement topology includes: The physical topology is obtained by processing the set of autonomous system nodes and the set of physical connection edges using a scale-free network generation method. Based on the physical topology, the node where the content provider is located is selected as the root node; On the set of connection edges in the physical topology, a unique parent node is assigned to each non-root node, resulting in a directed tree model of the content name announcement topology rooted at the content provider node.

3. The test method for content name announcement topology security in an IFA scenario according to claim 2, characterized in that, The process of assigning a unique parent node to each non-root node includes: in the directed tree model of the content name announcement topology, setting a unique parent node for each non-root node to represent its logical upstream announcement source, and setting at least one child node for each node to represent the direction in which the content name continues to propagate.

4. The test method for content name announcement topology security in an IFA scenario according to claim 1, characterized in that, The process of obtaining the normal interest convergence rate and malicious interest convergence rate of each node includes: For any node, the normal interest convergence rate of the current node is obtained by summing the local normal interest arrival rate of the current node with the normal interest convergence rate of all direct child nodes of the current node. The malicious interest aggregation rate of a node is obtained by summing the local malicious interest arrival rate of the current node with the malicious interest aggregation rate of all its direct child nodes.

5. The test method for content name announcement topology security in an IFA scenario according to claim 1, characterized in that, The process of calculating the average service load of each node includes: The normal interest service load component is obtained by multiplying the normal interest convergence rate of a node by the average duration of normal interest status. The malicious interest service load component is obtained by multiplying the malicious interest aggregation rate of a node by the average state occupancy time of malicious interests. The average service load of the node is obtained by adding the normal interest service load component and the malicious interest service load component, wherein the average duration of the malicious interest state is longer than the average duration of the normal interest state.

6. The test method for content name announcement topology security in an IFA scenario according to claim 1, characterized in that, Based on the average service load and preset state resource capacity of each node, the Erlang B blocking model is used for processing, and the expression for the blocking probability of each node is as follows: ; In the formula, For nodes The probability of blocking, For nodes State resource capacity, For nodes Average business load, It is a loop variable.

7. The test method for content name announcement topology security in an IFA scenario according to claim 6, characterized in that, The formula for calculating the total normal interest generation rate of the entire network is as follows: ; In the formula, Let V be the total normal interest generation rate across the entire network, and V be the set of autonomous system nodes. For nodes The normal interest arrival rate generated locally, where i is the i-th node.

8. The test method for content name announcement topology security in the IFA scenario according to claim 7, characterized in that, The average normal request packet loss probability is: ; In the formula, This represents the average probability of packet loss during normal requests.