Patents by Inventor Priya Mahadevan

Priya Mahadevan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9590887
    Abstract: One embodiment provides a system that facilitates a content requesting device to handle a potential timeout event. During operation, the system receives, by a content producing device, a packet that corresponds to a first Interest message from a content requesting device, where the first Interest includes a name. Responsive to determining that additional time is required to generate a matching Content Object for the first Interest, the system generates a notification message which indicates a time period after which a second Interest is to be sent out by the content requesting device. The name for the second Interest can be the same as the name for the first Interest or a new name as indicated in the notification message. The system transmits the notification message to the content requesting device, thereby facilitating the content requesting device to handle a potential timeout event.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: March 7, 2017
    Assignee: CISCO SYSTEMS, INC.
    Inventors: Priya Mahadevan, Glenn C. Scott, Marc E. Mosko
  • Patent number: 9553812
    Abstract: One embodiment provides a system that facilitates an intermediate node to handle a potential timeout event. During operation, the system receives, by an intermediate node, a keep-alive control packet which indicates a name for an Interest message, an indicator to keep alive a Pending Interest Table (PIT) entry, and a time period for which to keep the PIT entry alive. The intermediate node determines whether the keep-alive control packet corresponds to the PIT entry based on the name, and, responsive to determining that the keep-alive control packet corresponds to the PIT entry, updates a timeout value of the PIT entry based on the time period indicated in the keep-alive control packet. Responsive to determining one or more interfaces specified in the PIT entry from which the Interest message is received, the intermediate node forwards the keep-alive control packet to the one or more interfaces.
    Type: Grant
    Filed: September 9, 2014
    Date of Patent: January 24, 2017
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Glenn C. Scott, Marc E. Mosko
  • Patent number: 9537719
    Abstract: A CCN-deployment system can design and deploy a content centric network (CCN) topology, either across a collection of CCN nodes or across an existing computer network. During operation, the system analyzes a computer network of N network nodes to determine a physical network topology. The system also determines a number, k, of network nodes of the physical network on which to overlay a content centric network (CCN). The system then determines an average degree of connectivity, and a degree-of-connectivity distribution, that achieves an optimal performance metric for the CCN overlay network. The system generates a network topology of k network nodes that satisfies the average degree of connectivity, and that satisfies the degree-of-connectivity distribution. The system can deploy the content centric network topology across k nodes of the underlying physical network.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: January 3, 2017
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Alina Quereilhac
  • Publication number: 20160380892
    Abstract: Described are methods and systems for network analysis. A network analyzer for a first network is configured to receive network assessment information from network metric monitors situated in third-party networks, the network assessment information indicating values for characteristics of one or more network paths from the respective network metric monitor to a node in a second network. The network analyzer aggregates the received network assessment information and identifies, from the aggregated network assessment information, a route from the first network to the node in the second network. The identified route is then selected from among a plurality of potential routes from the first network to the node in the second network and used in setting a routing policy for data flows from the first network through the node in the second network.
    Type: Application
    Filed: June 29, 2015
    Publication date: December 29, 2016
    Inventors: Priya Mahadevan, Bikash Koley, Anees Shaikh
  • Patent number: 9503365
    Abstract: A packet-forwarding network node can process a programmable packet based on a reputation value for a name prefix to perform a customized operation on a local resource. The programmable packet can include a name prefix, and a header comprising reputation criteria for the packet's name prefix and one or more resource fields. A resource field can include instructions that perform an operation on a corresponding resource of the network node. When the network node receives the programmable packet, the node determines a reputation value for the name prefix at the local node, and compares this reputation value to the packet's reputation criteria. If the reputation value for the name prefix at the local node satisfies the reputation criteria, the node proceeds to execute the one or more instructions of the respective resource field to perform the operation on the corresponding resource.
    Type: Grant
    Filed: August 11, 2014
    Date of Patent: November 22, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Patent number: 9497168
    Abstract: A network communication bridge establishes communication between a computing system within a protected network and an external computing system. A registrar is positioned outside the protected network and registers authorized users. The registrar determines if the computing device associated with the user is publicly addressable, and for those computing devices that are not publicly addressable, the computing device maintains a persistent communication session with a bridge proxy server. The bridge proxy server employs a reversal or relaying technique to enable communication between two systems that cannot ordinarily establish communication with each other, based on characteristics of the two systems. If at least one party to a communication is publicly addressable, then a reversal technique is employed.
    Type: Grant
    Filed: July 30, 2002
    Date of Patent: November 15, 2016
    Assignee: Avaya Inc.
    Inventors: Christopher P. Dingman, Priya Mahadevan, Joann J. Ordille
  • Patent number: 9426113
    Abstract: A device can process commands from a remote device that manages the local device over a content centric network. During operation, the device can receive an Interest for managing a device resource, such that the Interest's name includes a name or a name prefix associated with the device resource, and includes a command for managing the resource. If the device determines that the name prefix corresponds to the local device, the device analyzes the Interest's command to determine a device resource and performs the resource-managing operation on the device resource. If the name prefix does not correspond to the local device, the device performs a longest-prefix-matching lookup using the Interest's name prefix to determine a destination for the Interest. If the Interest's destination corresponds to a component of the local device, the device forwards the Interest to the component or a local agent for the component.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: August 23, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Patent number: 9391777
    Abstract: A key-resolution service (KRS) can facilitate a client device in verifying that Content Objects are signed by a trusted entity. During operation, the KRS service can receive an Interest that includes a KRS query for a content name that is to be resolved. The KRS service obtains the content name from the Interest, and obtains a KRS record that includes security information for the content name or a prefix of the content name. The KRS service then returns a Content Object whose payload includes the KRS record to satisfy the first Interest. The client device can query the KRS service to obtain a trusted key associated with at least a name prefix of the Content Object, and if necessary, can disseminate Interests to obtain keys that complete a chain of trust between the trusted key and a key that is used to authenticate the Content Object.
    Type: Grant
    Filed: August 15, 2014
    Date of Patent: July 12, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Ersin Uzun, Spencer Sevilla, Jose J. Garcia-Luna-Aceves
  • Patent number: 9336388
    Abstract: One embodiment of the present invention provides a system for detecting insider attacks in an organization. During operation, the system collects data describing user activities. The system extracts information from the data that includes user information and user communications. The system then generates a topic-specific graph based on the extracted information. The system analyzes a structure of the graph to determine if one or more rules have been violated. The system may determine that a rule associated with the graph has been violated and signal an alarm in response to detecting the rule violation.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: May 10, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Oliver Brdiczka, Priya Mahadevan, Runting Shi
  • Publication number: 20160085830
    Abstract: A content-discovery system allows a node in a Content Centric Network (CCN) to discover content over CCN. The CCN node can generate an Interest that includes a query for discovering content associated with a given name prefix, and after disseminating the Interest over CCN, can receive a query-result Content Object that includes a listing of matching Content Objects and their reputation information. The CCN node can also process Interests issued by other CCN nodes that would like to discover content. After receiving an Interest comprising a query for discovering content, the CCN node searches a repository for a set of Content Objects that match the query. The CCN node generates a results list that includes the Content Objects in the search results and their reputation information. The CCN node then generates and returns a query-result Content Object that includes the Interest's name, and whose payload includes the results list.
    Type: Application
    Filed: September 18, 2014
    Publication date: March 24, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott, Ersin Uzun
  • Publication number: 20160072715
    Abstract: One embodiment provides a system that facilitates an intermediate node to handle a potential timeout event. During operation, the system receives, by an intermediate node, a keep-alive control packet which indicates a name for an Interest message, an indicator to keep alive a Pending Interest Table (PIT) entry, and a time period for which to keep the PIT entry alive. The intermediate node determines whether the keep-alive control packet corresponds to the PIT entry based on the name, and, responsive to determining that the keep-alive control packet corresponds to the PIT entry, updates a timeout value of the PIT entry based on the time period indicated in the keep-alive control packet. Responsive to determining one or more interfaces specified in the PIT entry from which the Interest message is received, the intermediate node forwards the keep-alive control packet to the one or more interfaces.
    Type: Application
    Filed: September 9, 2014
    Publication date: March 10, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott, Marc E. Mosko
  • Patent number: 9276840
    Abstract: A network device can process a payload in an Interest packet. During operation, the network device can receive an Interest packet that includes a name or a name prefix associated with one or more target entities for the Interest. If the network device determines that the Interest packet includes a payload, the network node can analyze the Interest's name and/or payload to determine an operation to perform for processing the payload. The network device then proceeds to process the payload by performing the determined operation.
    Type: Grant
    Filed: October 30, 2013
    Date of Patent: March 1, 2016
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Glenn C. Scott, Priya Mahadevan
  • Publication number: 20160050068
    Abstract: A key-resolution service (KRS) can facilitate a client device in verifying that Content Objects are signed by a trusted entity. During operation, the KRS service can receive an Interest that includes a KRS query for a content name that is to be resolved. The KRS service obtains the content name from the Interest, and obtains a KRS record that includes security information for the content name or a prefix of the content name. The KRS service then returns a Content Object whose payload includes the KRS record to satisfy the first Interest. The client device can query the KRS service to obtain a trusted key associated with at least a name prefix of the Content Object, and if necessary, can disseminate Interests to obtain keys that complete a chain of trust between the trusted key and a key that is used to authenticate the Content Object.
    Type: Application
    Filed: August 15, 2014
    Publication date: February 18, 2016
    Inventors: Priya Mahadevan, Ersin Uzun, Spencer Sevilla, Jose J. Garcia-Luna-Aceves
  • Publication number: 20160043940
    Abstract: A packet-forwarding network node can process a programmable packet based on a reputation value for a name prefix to perform a customized operation on a local resource. The programmable packet can include a name prefix, and a header comprising reputation criteria for the packet's name prefix and one or more resource fields. A resource field can include instructions that perform an operation on a corresponding resource of the network node. When the network node receives the programmable packet, the node determines a reputation value for the name prefix at the local node, and compares this reputation value to the packet's reputation criteria. If the reputation value for the name prefix at the local node satisfies the reputation criteria, the node proceeds to execute the one or more instructions of the respective resource field to perform the operation on the corresponding resource.
    Type: Application
    Filed: August 11, 2014
    Publication date: February 11, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Publication number: 20160044126
    Abstract: A network node can use reputation values to determine when to forego validating a cached Content Object's authenticity. During operation, the network node can receive an Interest over a Content Centric Network (CCN). If the Content Store includes a matching Content Object that satisfies the Interest, the node obtains the cached Content Object. The node then determines whether the Interest includes a validation token that is to be used to validate the Content Object's authenticity. If so, the node determines a reputation value for the Content Object, such that the reputation value indicates a likelihood that validation of the Content Object's authenticity will be successful. If the network node determines that the reputation value exceeds a predetermined threshold, the node returns the Content Object without validating the Content Object's authenticity.
    Type: Application
    Filed: August 11, 2014
    Publication date: February 11, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Publication number: 20160021172
    Abstract: A CCN network node uses reputation values for one or more interfaces to determine how to forward an Interest. During operation, the network node can receive an Interest or Content Object via a network interface, and determines one or more candidate outbound faces for forwarding the Interest by performing a longest-prefix-matching lookup in a forwarding information base (FIB) using the Interest's name or name prefix as input. A respective FIB entry maps a name prefix to a forwarding rule that includes a corresponding outbound face for the name prefix. The node can determine a reputation value for each of the candidate outbound faces based on reputation information stored in association with the Interest's name or name prefix, and selects a candidate outbound face with a reputation value exceeding a first predetermined threshold. The node can then forward the received Interest via the selected outbound face.
    Type: Application
    Filed: July 18, 2014
    Publication date: January 21, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Publication number: 20160020990
    Abstract: One embodiment provides a system that facilitates a content requesting device to handle a potential timeout event. During operation, the system receives, by a content producing device, a packet that corresponds to a first Interest message from a content requesting device, where the first Interest includes a name. Responsive to determining that additional time is required to generate a matching Content Object for the first Interest, the system generates a notification message which indicates a time period after which a second Interest is to be sent out by the content requesting device. The name for the second Interest can be the same as the name for the first Interest or a new name as indicated in the notification message. The system transmits the notification message to the content requesting device, thereby facilitating the content requesting device to handle a potential timeout event.
    Type: Application
    Filed: July 18, 2014
    Publication date: January 21, 2016
    Inventors: Priya Mahadevan, Glenn C. Scott, Marc E. Mosko
  • Publication number: 20150381546
    Abstract: A device can process commands from a remote device that manages the local device over a content centric network. During operation, the device can receive an Interest for managing a device resource, such that the Interest's name includes a name or a name prefix associated with the device resource, and includes a command for managing the resource. If the device determines that the name prefix corresponds to the local device, the device analyzes the Interest's command to determine a device resource and performs the resource-managing operation on the device resource. If the name prefix does not correspond to the local device, the device performs a longest-prefix-matching lookup using the Interest's name prefix to determine a destination for the Interest. If the Interest's destination corresponds to a component of the local device, the device forwards the Interest to the component or a local agent for the component.
    Type: Application
    Filed: June 30, 2014
    Publication date: December 31, 2015
    Inventors: Priya Mahadevan, Glenn C. Scott
  • Publication number: 20150372873
    Abstract: A CCN-deployment system can design and deploy a content centric network (CCN) topology, either across a collection of CCN nodes or across an existing computer network. During operation, the system analyzes a computer network of N network nodes to determine a physical network topology. The system also determines a number, k, of network nodes of the physical network on which to overlay a content centric network (CCN). The system then determines an average degree of connectivity, and a degree-of-connectivity distribution, that achieves an optimal performance metric for the CCN overlay network. The system generates a network topology of k network nodes that satisfies the average degree of connectivity, and that satisfies the degree-of-connectivity distribution. The system can deploy the content centric network topology across k nodes of the underlying physical network.
    Type: Application
    Filed: June 19, 2014
    Publication date: December 24, 2015
    Inventors: Priya Mahadevan, Alina Quereilhac
  • Patent number: 9185120
    Abstract: One embodiment of the present invention provides a system for mitigating interest flooding attacks in content-centric networks (CCNs). During operation, the system receives, at a physical interface of a router, an interest packet; obtains current interest satisfaction statistics associated with the physical interface; and determines whether to forward or drop the interest packet based on the current interest satisfaction statistics.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: November 10, 2015
    Assignee: PALO ALTO RESEARCH CENTER INCORPORATED
    Inventors: Priya Mahadevan, Ersin Uzun, Alexander Afanasyev