A Machine Learning-Based Interest Flooding Attack Detection System in Vehicular Named Data Networking

Abstract

A vehicular ad hoc network (VANET) has significantly improved transportation efficiency with efficient traffic management, driving safety, and delivering emergency messages. However, existing IP-based VANETs encounter numerous challenges, like security, mobility, caching, and routing. To cope with these limitations, named data networking (NDN) has gained significant attention as an alternative solution to TCP/IP in VANET. NDN offers promising features, like intermittent connectivity support, named-based routing, and in-network content caching. Nevertheless, NDN in VANET is vulnerable to a variety of attacks. On top of attacks, an interest flooding attack (IFA) is one of the most critical attacks. The IFA targets intermediate nodes with a storm of unsatisfying interest requests and saturates network resources such as the Pending Interest Table (PIT). Unlike traditional rule-based statistical approaches, this study detects and prevents attacker vehicles by exploiting a machine learning (ML) binary classification system at roadside units (RSUs). In this connection, we employed and compared the accuracy of five (5) ML classifiers: logistic regression (LR), decision tree (DT), K-nearest neighbor (KNN), random forest (RF), and Gaussian naïve Bayes (GNB) on a publicly available dataset implemented on the ndnSIM simulator. The experimental results demonstrate that the RF classifier achieved the highest accuracy (94%) in detecting IFA vehicles. On the other hand, we evaluated an attack prevention system on Python that enables intermediate vehicles to accept or reject interest requests based on the legitimacy of vehicles. Thus, our proposed IFA detection technique contributes to detecting and preventing attacker vehicles from compromising the network resources.

1. Introduction

The exponential global surge in the use of conventional vehicles has undoubtedly enhanced individual convenience but has also escalated the risk of accidents [1]. According to World Health Organization (WHO) statistics from 2023, fatalities from road accidents account for 29% of all reported injuries [2]. To address these challenges, the deployment of a vehicular ad hoc network (VANET) [3] has emerged as a promising solution. The primary objective is to reduce road accidents and optimize traffic flow through efficient vehicle-to-everything (V2X) communication [4]. The onboard unit (OBU)-equipped vehicles possess robust communication, storage, and procession capabilities, effectively handling data transmission, storage, and computational tasks. In addition to safety applications (e.g., collision warning messages, emergency information dissemination, traffic conditions, speed limit warnings, and lane change assistance), vehicles can provide infotainment services [5].

Despite numerous features, VANET faces various challenges due to the traditional transmission control protocol/internet protocol (TCP/IP). The existing TCP/IPs encounter issues such as intermittent connectivity, scalability, security, and privacy concerns in the context of VANETs. Specifically, a vehicular environment requires efficient crucial information dissemination and the ability to handle a large number of users within challenging intermittent conditions. In addition to its limitations, TCP/IP operates as a host-centric network, which adds an additional burden and worsens the overall network latency [6]. Consequently, existing IP-based network architecture is inefficient for VANET. Alternatively, named data networking (NDN) [7] has emerged as a promising network architecture of the information-centric network (ICN) [8] for VANET. Instead of relying on IP addresses for establishing connections and data transmission, NDN employs a unique hierarchical naming approach (e.g., /VNDN/infotainment/music/album/video.mp4) that prioritizes content over its host. This content-centric model proves advantageous. One notable feature of NDN is its in-network content-caching mechanism, which enables vehicles to retrieve content from nearby nodes rather than solely relying on the original host.

Table 1. Limitations of TCP/IP communications and NDN-based solutions.

Limitations of TCP/IP Communication	NDN-Based Solutions
It is host-oriented	It is a content-oriented network interested in content rather than the host.
It relies on IP addresses.	NDN uses unique content names that reduce the dependency on IP addresses.
It is connection-oriented.	NDN is a connectionless network architecture that does not require establishing explicit connections between two ends.
TCP/IP faces intermittent connectivity issues	The in-network content caching and name-based forwarding strategy support intermittent connectivity.
It secures the channel.	NDN secures content with a cryptographic signature rather than the communication channel.
It has limited scalability in large networks	NDN’s architecture allows for scalable content retrieval through its distributed caching mechanism, improving performance in large-scale networks.
Lack of inherent support for multi-cast.	NDN inherently supports multi-cast communication, enabling efficient dissemination of content to multiple recipients simultaneously.

compares IP-based communication limitations and NDN-based solutions address those limitations.

NDN is one of the five research endeavors supported by the National Science Foundation (NSF) within its future internet architecture program, encompassing the fundamental principles of information-centric networking (ICN). In 2009, VAN Jacobson initially proposed the concept of a content-centric network [9], which evolved into NDN under the NSF-funded future internet architecture project [10] as a future internet architecture [11]. NDN uses two types of packets: interest and data packets. The content consumer always initiates the interest packet to request specific data, and the data packet contains the content in response to the interest packet. As mentioned below, nodes within NDN are categorized into three categories according to the situation. (1) Content consumer node: It is a content-intensive entity that initiates communication by broadcasting an interest request for specific content. (2) Content producer node: The content producer node matches the requested content and provides it to the content consumer. (3) Intermediate node: The intermediate node in the NDN architecture serves two distinct roles based on the context of the received packet. Firstly, when the requested content name matches the available content name within the node’s storage, it functions as a content producer, directly providing the requested data to the content consumer node. Secondly, if the intermediate node does not have the requested content, it acts as a relay node, forwarding the interest packet to the next hop in the network. This dynamic behavior of intermediate nodes facilitates efficient content retrieval and distribution, contributing to the overall robustness of the NDN network.

In addition, every NDN node contains three data structures:

Content store (CS): The CS allows the NDN node to cache data packets and serve the content consumers without forwarding interest requests to the content producer every time. The CS reduces network congestion and improves content retrieval.

Pending interest table (PIT): The PIT stores unsatisfied interest requests and their interfaces in a table until the interest request is satisfied.

Forward information base (FIB): The FIB is responsible for forwarding unsatisfied interest packets to the next hops. Unlike traditional IP-based routing, NDN’s FIB entries are indexed with name prefixes rather than IP addresses, as described in [12]. The entries in FIB contain next-hop information. This feature allows routers to direct interest packets to one or multiple next-hops, depending on the forwarding strategy, enabling efficient multi-path forwarding in the network. Figure 1 shows the NDN communication architecture in vehicular NDN (VNDN).

Regardless of the fact that NDN has numerous features, it is highly vulnerable to various attacks, such as interest flooding attacks (IFAs) [13], content poisoning attacks (CPAs) [14], man-in-the-middle attacks [15], and illusion attacks [16]. On top of these attacks, IFA stands out as one of the most prevalent in VNDN. The IFA is a variant of a distributed denial of service (DDoS) attack, where a content consumer initiates IFA in VNDN with a storm of non-existing interest requests. The IFA deliberately depletes resources, including PIT, CS, network bandwidth, and producer resources. This attack is executed by inundating the network with excessive interest packets. By overwhelming the system, the attacker exhausts NDN resources, rendering them inaccessible to legitimate consumers and causing disruption in the network’s operation [17]. IFA attackers can consume network resources by employing two distinct techniques: (1) a non-existing interest packet: In this approach, the attacker generates random interest packets that contain invalid requests, such as /VNDN/infotainment/music/5453.txt, where the attacker requests a text file in the music prefix. These packets refer to content that does not exist in the network. Consequently, intermediate nodes cannot resolve and retain such requests in the PIT. This results in unnecessary resource consumption and potential network congestion. Thus, PIT can be choked with forged interest packets. (2) Valid data request: The attackers target content producers with enormous legitimate interest packets using forged nounce [13]. For example, an attacker initiates an interest packet with /VNDN/infotainment/music/nounce, where nounce is a random value. Using such forged interest packets significantly impacts the producers and network routers by traversing the network resources. Figure 2 visually represents IFA in VNDN, where the attack scenario poses a significant threat to the communication infrastructure of connected intermediate vehicles using a non-existing and valid interest packet.

To address the challenge of IFA in NDN, researchers have explored various approaches, including threshold-based IFA detection [18], statistical-based countermeasures [19], reputation-based IFA detection [20], rating-based approaches [21], and charging/rewarding mechanisms [22]. Although these approaches have contributed significantly to detecting IFA in NDN, they have not provided an efficient solution for accurately detecting and preventing such attacks in the VNDN. On the other hand, ML is gaining momentum in anomaly detection [23] in various fields, including the Internet of Things (IoT) [24], healthcare [25], image processing [26], spam detection [27], unmanned aerial vehicles (UAVs) [28], VANET [29,30], NDN [31] and so on. Specifically, ML has yielded substantial advancements by significantly enhancing capabilities in diverse aspects, including intrusion detection [32], optimal resource allocation [33], offloading strategies, and precise mobility pattern forecasting. Despite its widespread application in various domains, none of the previously mentioned research has explored the use of ML in VNDN. Unlike traditional approaches for detecting IFA in NDN, we are the first to propose an ML-based efficient solution to detect and prevent IFA in VNDN. Considering the challenges and limitations highlighted in the existing literature, the main focus of this research is to propose a resilient network framework that effectively tackles IFA through ML classifiers. To achieve this, we evaluate and propose the most accurate ML classifier for CPA detection. The significant contributions of this research are as follows:

• We propose an ML-based classification technique to identify attackers and legitimate vehicles.
• We evaluate the accuracy of five ML classifiers and propose the most accurate algorithm for IFA detection.
• Based on our ML-based detection results, we propose a simulation-based IFA prevention system in intermediate nodes.

By focusing on the detection and prevention of IFA in VNDN, this research aims to fortify the resilience of vehicular communication systems. Our ML-based approach mitigates the immediate threats posed by IFAs and establishes a foundation for secure VNDN ecosystems. The subsequent sections of this paper are structured as follows:

Section 2 presents a detailed existing work and their limitations in detecting and preventing IFA. Section 3 delves into a comprehensive analysis of the system model, network elements, and proposed ML-based IFA detection and prevention system. We provide IFA detection and prevention results in Section 4 and conclude the paper in Section 5. Finally, Section 6 presents future work.

2. Related Work

The scientific community has seen a marked surge in interest and contributions toward combatting cyber-attacks [34], specifically in the VNDN realm [35]. However, developing and implementing efficient security measures for safeguarding VNDN is in its infancy. Specifically, ML techniques have been explored in detecting attacks [36,37]. Reference [38] discovered IFA in NDN by expressing how a huge number of interest packets can overwhelm the network. Subsequently, numerous research papers have delved into the IFA using several techniques; for example, the authors in [31] proposed an ML-based classification technique for detecting IFA on tree topology (small-scale topology) and Rocketfuel ISP topology (large-scale topology). Another solution for detecting IFA presented a centralized controller-based approach [39]. In this mechanism, a router maintains an unsatisfied interest request threshold system. Based on a predetermined threshold value, a router decides to identify IFA nods. However, this approach has certain limitations. The metrics used to identify IFA nodes may lead to false detection, and the system might fail to detect IFA, especially in scenarios with significant legitimate traffic or when content producers are unavailable. These shortcomings highlight the need for more advanced and robust detection mechanisms to combat IFA in VNDN effectively. Similarly, in reference [40], the authors presented a threshold-based system for identifying IFA within a local PIT. Instead of relying on a centralized router, the PIT manages a predetermined threshold system in this approach. The threshold-based approach allows the local PIT to assess incoming interest requests autonomously and identify potential IFA scenarios based on the predefined threshold criteria. This solution aims to enhance the efficiency and accuracy of IFA detection within the network by decentralizing the detection process and employing local PIT mechanisms. However, it is essential to consider the trade-offs and limitations of this approach, particularly in terms of scalability and adaptability to various network conditions.

In order to prevent PIT from exhaustion, Wang et al. [41] proposed decoupled legitimate and timeout interest requests. Each router maintains a timeout interest request in this architecture in an m-list. If the prefix is already in the m-list, the router forwards the interest packet outright, avoiding PIT storage. While this approach mitigates some of the impacts of an IFA, it fails to provide a comprehensive solution to thwart such attacks entirely. Additionally, legitimate requests are adversely affected by this approach. In addition, attackers can misuse the router’s resources by forging names to flood the m-list, causing the solution to become inefficient. In contrast, few authors have proposed a hypothesis-testing theory-based approach in the literature; for example, the authors in [42] exploited hypothesis-based testing theory for formulating a comprehensive likelihood static hypothesis test theory (SHTT) tailored to address evolving attacks, particularly in incorporating NDN with TCP/IP, which is difficult to address using conventional approaches. Similarly, the authors in [43] tackled IFA by employing a detection approach based on SHTT. The test is free from any reliance on router characteristics or measured values. The framework comprises two main scenarios: (i)When all traffic parameters are known, an optimal test is formulated, and its statistical performance is thoroughly evaluated. (ii) The framework introduces a linear parametric model, which estimates unknown parameters and enables the development of a practical test. However, it is crucial to recognize that the scheme assessment is restricted to a basic binary tree graph with merely eight clients and one adversary. Consequently, assessing the scheme’s efficacy under more extensive networks or during distributed attacks presents considerable challenges.

Meanwhile, the authors in [44] presented a Markov-based IFA detection system. This approach involves creating a space vector determined by the fluctuations in the PIT occupancy rate, and the network’s state is evaluated using a quantized value. By calculating the Euclidean distance, the system distinguishes between legitimate and malicious interest packets, achieving a high detection rate. However, a notable drawback of this approach is its significant consumption of network resources, particularly when identifying interest packets within a large volume of NDN network traffic.

Moreover, Xin et al. [45] introduced a cumulative entropy-oriented IFA detection system that monitors abnormal interest requests and identifies malicious prefixes using entropy theory. Similar to our proposed work, few researchers have incorporated ML for IFA detection in NDN. For instance, Azmi et al. [46] proposed a feature selection technique for IFA detection. In this research, the authors employed an information gain and data reduction approach to identify pertinent features from the UNSW-NB 15 dataset, specifically for detecting DDoS attacks. The dataset underwent testing using three distinct classification methods: artificial neural network (ANN), naïve Bayes (NB), and decision table. The experiment’s outcomes were thoroughly analyzed, and evaluation metrics, such as true positive (TP), false positive (FP), precision, and accuracy were utilized to categorize the data into two classes: attacks and normal. By employing this methodology, the researchers aimed to develop an effective DDoS attack detection system that relies on relevant characteristics, which can be classified with high precision and accuracy. Similarly, the authors in [47] leveraged ML for detecting IFA. The authors collected a dataset with 12 features implemented in the ndnSIM simulator and performed the accuracy of three ML classifiers, including K-nearest neighbor (KNN), decision tree (DT), and ANN. The results showed that DT outperformed other classifiers with 85.42% accuracy while KNN achieved 81% and ANN yielded 80% accuracy. Although the proposed ML-based IFA detection system is important, it could not achieve high accuracy.

Different from traditional rules-based, threshold-based, and other partial ML-based approaches for detecting IFA, we propose an efficient IFA detection mechanism that exploits five ML classifiers and depicts an accurate algorithm for IFA detection. Additionally, we propose a prevention mechanism to cope with IFA in VNDN. To the best of our knowledge, this study presents the first contribution that leverages ML classifiers for detecting and preventing IFA attacker vehicles in VNDN. Thus, we address the limitations of existing research work by exploiting a novel ML-based classification system in detecting and preventing IFA in VNDN. A comprehensive list of notations used throughout this paper is presented in

Table 2. Notations and their descriptions.

Notation	Description
$C{C}_R$	Content Consumer Reputation
$D_{P}kt$	Data Packet
$I_{p}kt$	Interest Packet
$Cnt$	Content
$C_C$	Content Consumer
$C{C}_R^n$	Content Consumer New Reputation
$C{C}_R^n-1$	Content Consumer Previous Reputation
$AgrC{C}_R$	Aggregate Content Consumer Reputation

.

3. System Model

This section is structured into three interconnected and comprehensive subsections, each contributing to the overarching goal of our research. Initially, we present the design of a purpose-built network architecture exclusively for IFA detection within VNDN environments. This architecture is a fundamental framework for efficient data analysis and processing in VNDN. In the second subsection, we leverage ML binary classification techniques to identify attacker and non-attacker vehicles using five ML classifiers. By employing advanced ML techniques, we aim to achieve high accuracy and reliability in identifying potential IFA attacker vehicles amidst the complex data flow within VNDN. Finally, the third subsection introduces our proposed algorithm for IFA prevention, which proactively mitigates the impact of potential intrusions. This algorithm contributes to the enhanced security and resilience of the VNDN system, safeguarding the network against IFA attacks and fostering a safer and more trustworthy VNDN.

3.1. Proposed Network Architecture

In our proposed network architecture, the intermediate node receives all interest packets, including both satisfied and unsatisfied ones. These packets are then shared with roadside units (RSUs) through a push-based beacon message dissemination system. The interaction between intermediate nodes and RSUs, particularly in terms of communication and data sharing, is elaborated below:

Vehicle to RSU Communication

The existing NDN content propagation is a pull-oriented content retrieval. To extend the scope of current NDN from a pull-based content retrieval to a push-based content propagation, beacon message propagation has been proposed in the literature [48,49], where nodes can broadcast messages to neighboring nodes without considering interest packets. Considering the push-based beacon message dissemination in VNDN, we design a network architecture as depicted in Figure 3, where an intermediate node receives an interest packet from the content consumer and queries RSU about the legitimacy of the content consumer. Based on the reputation of the content consumer, the intermediate vehicles decide to accept or reject the interest request.

To classify content consumers as attackers or legitimate vehicles, the RSUs employ an ML algorithm to distinguish them effectively. Figure 4 depicts our network architecture, where a consumer sends an interest packet to request data from the intermediate node. Subsequently, the intermediate node sends the interest packet (satisfied or unsatisfied) to the RSU. The RSU then performs ML classification to classify content consumers as attackers or legitimate vehicles.

3.2. ML Classification-Based Attack Detection

This section aims to assess the performance of ML algorithms in distinguishing between legitimate and attacker nodes using a publicly available dataset simulated in ndnSIM. The main objective of this analysis is to leverage ML classification techniques using binary classification on the dataset, differentiating between attackers and legitimate vehicles. Our study primarily focuses on identifying and characterizing the behavior of content consumer vehicles through the utilization of ML algorithms and performance metrics, including accuracy, precision, recall, and F1 score, to evaluate the accuracy of the models.

3.2.1. Dataset Collection

Selecting a suitable dataset for attack detection is one of the most crucial tasks. Considering the relevance and suitability of the dataset, we obtained a simulation-based dataset from a publicly available source [50], implemented using the ndnSIM simulator [51] for IFA detection. The dataset comprises 10 essential features organized in a CSV file, namely InInterests, OutInterests, DropInterests, InData, OutData, InSatisfiedInterest, OutSatisfiedInterest, PITSize, PITSizeInt, and Attack. This dataset uses tree and DFN topology for simulating IFA. Notably, the ‘Attack’ feature is the target variable, indicating an attacker’s presence (designated by the value 1) or a non-attacker scenario (denoted by the value 0). The traces in the dataset contain 24,660 interest requests with attack and legitimate packets.

3.2.2. Data Preprocessing

The preprocessing in ML has a significant role in enhancing the quality and suitability of the data. We involved various steps in data preprocessing, including feature selection, data clearing, removing noise, dataset splitting, and applying cross-validation. Considering the importance of preprocessing, this research initially consolidated all the individual CSV dataset files into a single CSV file. Secondly, we removed missing and duplicate records from the dataset. To ensure the reliability of our proposed model, we randomly shuffled the dataset with 70% as training and 30% as testing and applied a 10-fold cross-validation technique. This approach effectively demonstrated the accuracy of our ML approach in detecting and predicting the legitimacy of vehicles.

3.2.3. Classification

In order to measure the efficiency of various ML algorithms, we evaluated and compared the performance of five ML classifiers on training and testing datasets. During training, these classifiers learned the underlying patterns and relationships between the input features and the corresponding class labels. This learning process enabled the models to learn and understand the dataset’s intricacies. The selection of ML classifiers in this study, namely DT, K-nearest neighbor (KNN), random forest (RF), Gaussian naïve Bayes (GNB) and logistic regression (LR), was made with careful consideration of their unique characteristics and their alignment with the objectives of interest flooding attack (IFA) detection in the context of VNDN. These classifiers were selected based on their aptitude for addressing the challenges associated with identifying abnormal patterns in interest propagation, a fundamental requirement for effective IFA detection in VNDN. The rationale for specific classifier selection is mentioned below:

• DT: The DT [52] is a significant method for reaching conclusions based on a set of rules derived from a tree-like structure. We selected DT due to its outstanding capabilities in capturing nonlinear relationships and handling categorical features often utilized in VNDN datasets. Its interpretability offers insights into the decision-making process, aiding in understanding detected attack patterns. The tree comprises two nodes: a decision node and a leaf node. Decision nodes determine the attribute that needs to be selected for further analysis, while leaf nodes represent the final class outcome. The DT employs a top-down approach to provide results. The root is placed at the top of the tree, which acts as the initial decision node. DT uses the information gain technique to select each subsequent DT node, ensuring that each part of the tree selects the most informative attributes. This enables DT to classify and predict results based on the input data characteristics and patterns.
• KNN: The KNN algorithm [53] is the most used ML classifier, popular for its effectiveness in dealing with large datasets. KNN is deemed a suitable ML classifier for recognizing local clustering, which is an essential trait for detecting attack occurrences that might exhibit spatial proximity. It is a simple and flexible classifier that can be applied to regression and classification purposes. The KNN involves categorizing the latest data points by assigning them to the most common class among their K-nearest neighbors in the training set. The KNN then provides the majority class label or the average value of those neighbors. Considering the appropriate value of K is essential and depends on the specific characteristics of the dataset, making KNN a versatile and adaptive choice for various ML scenarios.
• RF: RF [54] combines multiple base models to make predictions. Given the potential noise and outliers in VNDN data, RF’s ability to handle such variations becomes crucial. This approach is often called “bootstrapping and aggregation”, where the majority vote of the base models on the test data determines the final result. In the RF approach, the data are fed to the base models using row sampling with replacement, a method known as bagging.
• GNB: GNB [55] is a simple yet effective classification method that employs Bayes’ theorem for predicting the class of unlabeled data points. We selected GNB for its efficiency in high-dimensional data handling and probabilistic nature, allowing it to capture the likelihood of feature co-occurrences relevant to IFA scenarios. It calculates the prior probabilities of different classes and utilizes this information to make predictions on new, unseen data. One of the key assumptions of GNB is the independence of features, which means that it assumes each feature contributes to the classification independently of other features. This independence assumption simplifies the computation and makes GNB computationally efficient. Due to its simplicity and efficiency, GNB is particularly well-suited for applications with many features and is commonly used in various ML tasks.
• LR: The LR [56] is a statistical method used for predicting the probability of categorical variables, especially in two-class classification problems. It is a well-established binary classification technique for IFA detection. It utilizes a logistic function to calculate an event’s likelihood.

3.2.4. Model Evaluation

Model evaluation plays a pivotal role in assessing the performance and efficacy of an ML model. It assesses the model’s ability to generalize to unseen data and accurately predict desired outcomes. Throughout the evaluation process, we utilized several metrics, including accuracy, precision, recall, and the F1 score, to thoroughly assess our model. In particular, during the evaluation phase for classifying “Positive Reputation” samples, we focused on four key performance metrics:

• True positive (TP): represents the count of positive samples correctly classified.
• False positive (FP): indicates the count of samples incorrectly classified as positive.
• True negative (TN): refers to the count of negative samples correctly classified.
• False negative (FN): signifies the count of samples incorrectly classified as negative.

By scrutinizing these metrics, we obtained valuable insights into the model’s accuracy in distinguishing between positive and negative instances. This comprehensive evaluation allowed us to identify potential areas for improvement. Below are the corresponding mathematical models for each algorithm:

$$Accuracy=\frac{TP+TN}{TP+FP+TN+FN}$$

(1)

$$Precision=\frac{TP}{TP+FP}$$

(2)

$$Recall=\frac{TP}{TP+FN}$$

(3)

$$F1=\frac{2\times (Precision\times Recall)}{Precision+Recall}$$

(4)

3.3. Attack Prevention System

Upon successful IFA detection using ML techniques, the subsequent crucial step is preventing such attacks. To achieve this, we propose Algorithm 1, which empowers intermediate vehicles to make informed decisions regarding interest requests from content consumers. Leveraging the results obtained from ML classification, Algorithm 1 allows the vehicles to selectively accept or reject these requests based on the legitimacy of the content consumer, thereby mitigating the IFA attack and enhancing network security and reliability.

Our proposed algorithm outlines a verification process for incoming $I_{p}kts$ at an intermediate node. When an intermediate node receives an interest request, it queries the content consumer’s reputation from RSU. The algorithm takes $I_{p}kts$ as the input variable, representing the interest packet received from the content consumer. If $I_{pkts}$ has a value of 1, the algorithm identifies the consumer as an attacker and discards the interest packet. if $I_{pkts}$ has a value of 0, the algorithm further verifies the interest packet. Additionally, the algorithm shares information about this content transmission with the RSUs Additionally, the algorithm shares information about this content transmission with the RSUs. This verification mechanism ensures the network efficiently handles incoming interest packets from content consumers. It promptly discards attacker vehicle interest requests. By employing this mechanism, the network prevents attacker vehicles. Figure 5 depicts our proposed IFA prevention system in VNDN.

Algorithm 1 Interest packet verification mechanism.

Require:  $I_{P}kt$ 1: Query RSU 2: if$I_{P}KT$ = 1 then 3:     Discard $I_{P}kt$ 4: end if 5: if $I_{P}kt$ = 0 then 6:     Check CS 7:     if $Cnt\in CS$ then 8:         Create a $D_{P}kt$ 9:         Send $D_{P}kt$ to the $C_C$ 10:         Share information with RSU 11:     else 12:         if $Cnt\in PIT$ then 13:            Add interface 14:            Remove $I_{P}kt$ 15:            Share information with RSU 16:         else 17:            Add entry in the PIT 18:            Forwarded $I_{P}kt$ to FIB 19:            Share information with RSU 20:         end if 21:     end if 22: end if

4. Experimental Results and Discussion

Our experimental evaluation comprises two main components: IFA detection and prevention in VNDN. In the first part, we present the outcomes of IFA detection, where we provide the evaluated results of various ML classifiers. Subsequently, we present the IFA prevention results in the second part. This division allows us to comprehensively analyze our ML-based approach’s effectiveness in identifying and mitigating IFA attacks within the VNDN environment.

4.1. ML Evaluation Results

To achieve our objectives, we evaluated various ML algorithms based on the behavior of content consumers. The results of our proposed model, including precision, recall, and F1 score, are presented in

Table 3. ML classifier performance.

ML Classifiers	Precision	Recall	F1 Score
DT	0.85	0.87	0.86
KNN	0.87	0.81	0.84
RF	0.91	0.87	0.89
NB	0.99	0.57	0.72
LR	0.98	0.57	0.72

. To further assess the performance of each ML algorithm, we employed precision-recall curves and receiver operating characteristic (ROC) curves for visualization. The precision and recall curves are commonly used for evaluating binary classification performance. On the other hand, the ROC curve illustrates the trade-off between precision and recall values, with a larger area under the curve indicating higher values for both metrics. A high precision value corresponds to a low false positive rate, while a high recall value corresponds to a low false negative rate. Our findings demonstrate that RF performed exceptionally well in detecting IFA attackers, achieving outstanding accuracy in our experiments.

Visualized Results

To achieve the visual performance of our ML models, we employed visualization techniques using accuracy calculation and ROC analysis. Initially, we utilized precision-recall and ROC curves to evaluate the trade-off between precision and recall in binary classification. Notably, the area under the curve (AUC) revealed exceptional performance in the RF classifier that achieved the highest AUC value. The RF outperforms other ML classifiers in accurately classifying IFA attackers and legitimate vehicles. Figure 6, Figure 7, Figure 8, Figure 9 and Figure 10 show the precision–recall curve performances for DT, KNN, GNB, and LR classifiers, respectively. Finally, Figure 11 presents the consolidated and comparative evaluation, providing a comprehensive view of the performances of different ML classifiers in tackling IFA detection.

In pursuing robust and accurate IFA detection, our study meticulously examined the performance of five distinct classifiers. Through a systematic classification approach, we observed compelling variations in accuracy across these classifiers. As depicted in the consolidated results in Figure 11, the RF classifier emerged as the front-runner, achieving an accuracy of 94%. On the other hand, KNN exhibited a commendable accuracy of 90%. The remaining classifiers exhibited accuracy in the 80s range. These consolidated ROC results collectively shed light on the multifaceted landscape of IFA detection in VNDN.

4.2. IFA Prevention Results

To validate our proposed IFA prevention system in VNDN, we conducted simulations using an Intel Desktop Core i7 CPU operating at 2.6 GHz, with 16 GB of RAM, and running on the Windows 10 operating system. In our simulation, we randomly considered 10 content consumers with attacks (1) and legitimate (0). Our proposed algorithm classified attackers and legitimate information as illustrated in Figure 12, where attackers are identified with red and the legitimate source is identified with green. On the other hand, the existing NDN system could not consider the legitimacy of content consumers and received every interest packet, as shown in Figure 13. Thus, our proposed prevention system identifies the legitimacy of vehicles, followed by an ML-based detection system. Thus, our proposed network architecture classifies the attacker vehicles first and prevents them from violating the PIT and CS of intermediate vehicles.

Figure 12 depicts the efficiency of our proposed IFA prevention system. In this validation scenario, both legitimate and malicious interest requests are simulated by content consumers. Leveraging the capabilities of our devised algorithm, the intermediate vehicle undertakes a pivotal role in this endeavor. A distinctive dichotomy emerges in the depicted visualizations: The algorithm adeptly identifies and rejects invalid content requests, visually represented by the prominent red indicators, while conversely accepting valid content consumers through green color. These visual representations underscore the system’s capability to discriminate between legitimate and unauthorized interest propagation, reaffirming the effectiveness of our proposed approach. In addition, we measured the efficiency of the default content acceptance at an intermediate node, as shown in Figure 13, where an intermediate node accepted every interest packet without considering the reputation of the content producer.

4.3. Discussion

The experimental results presented in the previous section provide valuable insights into the effectiveness of our ML-based approach for classifying IFA in VNDN. In this discussion, we delve into the implications of these findings, highlight the strengths and limitations of our approach, and contextualize our results within the broader landscape of vehicular network security. The first component of our evaluation focused on IFA detection, where various ML classifiers were employed to classify content consumers as attackers or legitimate entities. We measured the efficiency of classifiers in terms of precision, recall, and F1 score. These metrics collectively indicate the classifier’s ability to identify malicious and benign entities within the network accurately. The high area under the curve (AUC) value obtained by RF reinforces its effectiveness, while the comparative visualization in Figure 11 provides a comprehensive view of the performance differences across different ML classifiers. Notably, RF’s accuracy of 94% showcases its superiority in IFA detection compared to other classifiers. The highest accuracy in detecting IFA reflects our algorithm’s ability to discern between malicious and benign entities. In contrast, the existing NDN system’s limitations in evaluating content consumer legitimacy are illustrated in Figure 13. This highlights the significance of our proposed prevention system in enhancing the network security by identifying attackers and preventing their interference with the PIT and CS of intermediate vehicles.

5. Conclusions

The IFA is one of the most vulnerable attacks in VNDN. The IFA targets intermediate nodes, flooding them with unsatisfying interest requests and saturating network resources, particularly the PIT. This research paper aims to address IFA challenges in VNDN. To cope with IFA in VNDN, the study explored the potential of ML classifiers for detecting the IFA with high accuracy. In this connection, we employed five ML classifiers on a publicly available dataset implemented on the ndnSIM simulator. The study compared their accuracy in identifying IFA vehicles. The findings demonstrated that RF achieved an accuracy of 94% in detecting IFA. This highlights the effectiveness of the proposed IFA detection technique, which empowers VNDN to classify attacker vehicles and proactively prevent them from violating the network. On the other hand, our proposed IFA prevention system classified and prevented attackers with 100% accuracy. The implications of this research are significant, as it contributes to enhancing the security and reliability of vehicular named data networking. Future work may explore further improvements in ML-based detection methods and investigate the application of other ML algorithms to tackle additional security concerns in VNDN. Ultimately, these advancements will foster the development of more resilient and secure VANET architectures, thus promoting the continued growth and success of intelligent transportation systems.

6. Future Work

The proposed research work exploited ML classifiers using a batch learning-based system, whereas deep learning (DL) classifiers can be applied using an incremental learning system, and detailed comparative measures can be considered in the future. Moreover, this study is limited to evaluating the legitimacy of content consumer vehicles, whereas intermediate vehicles can be attackers. Thus, the legitimacy of intermediate vehicles can be determined in future research.