XGBoost-Based Detection of DDoS Attacks in Named Data Networking

Abstract

Named Data Networking (NDN) is highly susceptible to Distributed Denial of Service (DDoS) attacks, such as Interest Flooding Attack (IFA) and Cache Pollution Attack (CPA). These attacks exploit the inherent data retrieval and caching mechanisms of NDN, leading to severe disruptions in data availability and network efficiency, thereby undermining the overall performance and reliability of the system. In this paper, an attack detection method based on an improved XGBoost is proposed and applied to the hybrid attack pattern of IFA and CPA. Through experiments, the performance of the new attacks and the efficacy of the detection algorithm are analyzed. In comparison with other algorithms, the proposed method is demonstrated to have advantages in terms of the advanced nature of the proposed classifier, which is confirmed by the AUC-score.

1. Introduction

Named Data Networking (NDN) [1] is a proposed future Internet architecture that significantly optimizes data distribution efficiency by leveraging name-based addressing and in-network caching mechanisms. Its content naming rules allow data packets to be cached directly on routers and forwarded through name prefix matching. This approach not only reduces the overhead of the traditional network Domain Name System (DNS), but also effectively reduces network latency through multicast capabilities and dynamic caching strategies, especially in high-mobility scenarios. In addition, NDN embeds security into the data itself through content object signing and ensures integrity verification through encrypted signatures.

Compared with TCP/IP’s reliance on transport layer encryption (such as TLS/SSL), this model is more in line with future data-driven security needs. However, NDN’s unique architecture also brings new security challenges, namely denial of service attacks. DoS attacks in TCP/IP networks and NDN have both similarities and differences. Both are distributed, use a large number of requests or packets to exhaust resources, and the source of the attack may be disguised. DDoS attacks in traditional networks and NDN differ significantly in both targets and methods [2]. In traditional networks, DDoS attackers usually target specific IP addresses. In NDN, DDoS attackers aim to exhaust network resources by sending a large number of interest packets, which not only overload content servers but also cache nodes and intermediate routing nodes. In addition, traditional DDoS attacks are usually implemented using techniques such as SYN flooding and UDP flooding, while attackers in NDN take advantage of its unique data center architecture and introduce unique attack modes such as Interest Flooding Attack (IFA) [3] and content poisoning. Attackers can use IFA to send false requests to the network to exhaust pending interest table (PIT) [4] resources, or manipulate cache replacement strategies through cache pollution attack (CPA) [5] to reduce cache hit rate. Despite these challenges, NDN still provides innovative solutions to key issues in traditional IP networks, such as mobility bottlenecks and redundant data transmission, through dynamic signature verification and distributed trust management. The design and optimization of NDN security mechanisms remain a focus of future research.

Flooding attacks encompass various forms, including the IFA, Collusive Interest Flooding Attack (CIFA) [6], and the Improved Collusive Interest Flooding Attack (I-CIFA) [7]. Combining the significant attack potency of IFA with the strong concealment ability of CIFA, I-CIFA has a better attack effect than both in large topologies. The PIT in NDN routers can be depleted due to the reception of a large number of collusive data packets, which results in the occurrence of an I-CIFA attack. Combining the two types of attacks (CPA and I-CIFA) can cause even greater harm, which we refer to as I-CIFPA [8], achieved by simultaneously launching a Cache Pollution Attack and an Improved Collusive Interest Flooding Attack. In response to this type of attack, we propose an improved XGBoost, a multiclassification-based algorithm to detect interval attacks. Based on this method, the contributions of this paper include the following three points:

• The limitations of the I-CIFPA model are analyzed, and an improved XGBoost-based detection algorithm is proposed, incorporating optimized feature selection and hyperparameter tuning to enhance IFA attack detection accuracy in NDN.
• An in-depth analysis of the impact of I-CIFPA on NDN stability and resource allocation is conducted by investigating key network performance indicators, including CacheHits, TimeOutInterests, and OutInterests.
• The attack data are tested and analyzed for both single-feature and multi-feature scenarios, and the proposed algorithm is evaluated against other algorithms based on the AUC score.

The remainder of this paper is structured as follows. Section 2 provides a comprehensive review of existing countermeasures against DDoS attacks in NDN. In Section 3, the principles of hybrid attacks are examined, and a detection method for interval attacks is proposed. Section 4 analyzes the impact of I-CIFPA through simulations. And experimental results demonstrating the effectiveness of the proposed countermeasure are presented. Finally, Section 5 concludes the paper with a summary of the study and potential future research directions.

2. Related Work

With the gradual development of the NDN architecture, the research on attack models and security for NDN networks has become an important direction in the field of network security mechanisms. NDN can improve the efficiency of data transmission through content-based naming and decentralized design, but at the same time, it also exposes some unique security risks, such as interest packet flooding attacks and cache pollution attacks. Research on these attack models and detection and defense methods has gradually become a hot research direction in the field of NDN network security.

Several approaches have been proposed to detect IFA in NDN. One early method relies on satisfaction-based detection [3], where nodes monitor the ratio of satisfied interests to identify abnormal behavior. The SBPB method identifies IFA by determining whether the satisfaction level of a node falls below a predefined threshold. However, this method is limited to simple, static attack models and assumes that interest packets do not comply with caching and forwarding policies, which may lead to excessive penalties for independent decisions and insufficient ability to deal with complex scenarios such as collusion and hybrid attacks. The Poseidon detection and defense framework [9] is proposed to respond to and mitigate attacks in real time, which responds to detection through threshold settings in local algorithms and mitigates attacks via a push-back mechanism. Fixed thresholds may prevent the system from adapting to various attack patterns, and since it is deployed at routing nodes, it is relatively dependent on the network topology. A method based on Random Forest [10] is used for detecting IFA attacks. This method identifies malicious prefixes among abnormal prefixes based on the number of PIT (Pending Interest Table) entries used. Compared with other methods, the proposed scheme could reduce the occupation of PIT. The random forest algorithm uses the ensemble learning method of Bagging [11], which can lead to issues such as long training time and instability when dealing with large-scale datasets. These methods have demonstrated certain effectiveness in identifying and mitigating high-intensity IFA attacks, but low-rate attacks can hide within normal traffic and do not produce specific indicators, making it difficult to judge whether an attack is occurring based on threshold-based approaches. It is challenging to address new models of IFA attacks using these methods.

With the development of Named Data Networking, the forms of Denial-of-Service (DoS) attacks have been continuously evolving. Xin et al. were the first to propose a novel type of DoS attack, the CIFA, which is characterized by its high level of stealth, making traditional detection methods ineffective [6]. CIFA employs multiple attackers working in coordination, sending carefully crafted Interest packets at a low rate while mimicking normal communication patterns, thereby avoiding the generation of obvious anomalous traffic features. This attack strategy surpasses the limitations of traditional Interest Flooding Attacks, making it difficult for defense mechanisms based on traffic statistics or anomaly detection to capture significant attack features. These algorithms primarily employ machine learning or other single-classification algorithms.

Building on the CIFA attack, the Improved CIFA (I-CIFA) is proposed [7] and further, the hybrid combined version is introduced through I-CIFA with CPA [8]. This attack not only inherits the stealth characteristics of CIFA and enhances its attack intensity, making it more effective in depleting network resources and impacting data forwarding performance, but also exacerbates the threat of CPA attacks on caching. Currently, no defense mechanisms have been proposed against the hybrid attack of I-CIFA and CPA. Existing detection methods often fail to capture the temporal and spatial correlation between malicious interests, making them unsuitable for identifying the low-rate, distributed patterns of CIFA [12,13]. In response to this, machine learning techniques—such as Random Forest, Support Vector Machines (SVM), and Convolutional Neural Networks (CNNs)—have been increasingly applied due to their capability to model complex, nonlinear attack behaviors [14,15]. Among these, deep learning models show promise in capturing hierarchical patterns in traffic data, while ensemble methods excel in handling high-dimensional, imbalanced datasets.

From the preceding discussion, it can be concluded that prior research primarily concentrated on developing countermeasures against individual types of attacks, often overlooking the complexities and interactions involved in multi-faceted attack scenarios. Simultaneous attacks may exist in NDN networks. Most detection schemes have primarily relied on feature recognition algorithms, particularly those based on binary classification or threshold-based approaches, to identify attacks. These methods often face limitations in handling complex and evolving attack patterns that require more adaptive and nuanced detection techniques, such as under a normal state, I-CIFPA, and other network states. Therefore, previous binary classification algorithms cannot detect interval attacks, and an effective multi-classification algorithm is required. There may be two different thresholds for network traffic under interval attacks, against which previous threshold-based methods will increase the missing detection rate. Below, we introduce the attack model of I-CIFPA and its countermeasure.

3. The Attack Model and Detection Method

In the context of increasingly intelligent complex network attacks, hybrid attacks targeting NDN networks, specifically I-CIFPA attacks, exhibit cross-layer concealment characteristics. This section conducts an in-depth modeling analysis of the I-CIFA and CPA hybrid attacks to uncover their core attack mechanisms. Based on this analysis, an improved XGBoost-enhanced detection framework is proposed to enhance the model’s generalization ability while ensuring real-time performance.

3.1. The Attack Model of I-CIFPA

Figure 1 shows the attack scenario of I-CIFPA in NDN networks and cloud infrastructure composed of various routing nodes, where $R_1$ and $R_2$ are gateway nodes and $R_3$ is a backbone node. Before sending specific unpopular Interests to request corresponding content generated from the legitimate publisher, a CPA attacker determines which content is unpopular by tracking how often subscriber requests occur. As a result, the Content Stores (CS) in all routing nodes across the network are filled with less popular content, preventing popular content from replying to Interests and causing denial of service. Malicious Interests are intermittently sent by the I-CIFA attacker to request non-existent content carried in malicious data packets, and the collusive publisher produces malicious data packets in response.

In Figure 1, the attack strength of CPA is $E_1$, and the attack duration is $L_1$. The attack strength, duration, and cycle of I-CIFA are $E_2$, $L_2$, and T, respectively. To initiate a more destructive attack on NDN networks than I-CIFA and CPA, $L_1$ is equal to the time of the attack phase of I-CIFA. Due to the new interval attack, I-CIFPA is established by initiating I-CIFA and CPA concurrently; thus, the attack intensity of I-CIFPA is $E_3\approx E_1+E_2$, and the attack cycle and duration are the same as those of I-CIFA, i.e., T and $L_2$, respectively. Each attack pulse interval of I-CIFPA is $(T-L_2)$, and CPA still exists in the network at this time.

To characterize this attack model, we propose three key features: CacheHits, the number TimeOutIntrests and OutInterests. These features are designed to better capture attack behaviors and enhance detection performance.

Consequently, I-CIFPA will cause the CS and PIT of all routing nodes to be occupied by malicious traffic in NDN networks, and subscribers will not receive a response from the publishers, leading to denial of service and seriously damaging the NDN networks.

Figure 2 shows the architecture for addressing I-CIFPA, which has four steps.

Step 1:  Design and launch I-CIFPA attack

The I-CIFPA attacker exploits the content request interval to generate spoofed interest packets that are very similar to legitimate traffic patterns. First, the I-CIFPA attack is simulated and launched in the NDN topology by controlling the infected consumer node.

Step 2:  Collect network traffic through routing nodes

In order to observe the network behavior under I-CIFPA, some routing node information is collected. These nodes are used to passively collect statistics related to interest packets and data packets, including CacheHits, TimeOutInterests and OutInterests. The data are used to provide multi-dimensional traffic attributes required for detection model training.

Step 3:  Data preprocessing and training

The raw traffic data are preprocessed to eliminate inconsistencies and ensure compatibility with the detection model. The data are labeled for known traffic states: normal, other network states, and I-CIFPA. The data are divided into training and testing subsets to support supervised learning and facilitate performance evaluation of the detection framework.

Step 4:  Develop Improved XGBoost Detection Model

We developed a real-time detection framework based on improved XGBoost to address the characteristics of I-CIFPA. The model incorporates optimized decision trees to capture nonlinear correlations between traffic features. In addition, we apply Bayesian optimization to fine-tune key hyperparameters (e.g., learning rate, tree depth, etc.) to maximize detection accuracy.

3.2. The Detection Mechanism of Improved XGBoost

Based on the overall detection process proposed earlier, the XGBoost algorithm is applied within the detection workflow. Compared with traditional IFA attack detection algorithms [10], XGBoost introduces the Gradient Boosting mechanism and automatic feature selection [16], enabling it to more precisely capture pattern changes in attack traffic. Furthermore, this method can address the issue of imbalanced data, effectively reducing the risk of minority attack samples being overlooked through sample weight adjustment and loss function optimization. Additionally, XGBoost does not rely on fixed thresholds but instead dynamically adjusts its detection strategy in a data-driven manner, meeting the real-time attack detection requirements in NDN environments. The core components of the detection framework are illustrated in Figure 3, which includes a feature extraction module, tree splits layer, transformed feature layer, softmax layer, and network decision layer. The feature extraction module collects and integrates multi-dimensional traffic features, the tree splits layer learns the importance of data features through multiple decision trees, the transformed feature layer further optimizes feature representation, the softmax layer is used for normalization calculations, and ultimately, the network decision layer provides the decision result for attack detection. The entire detection framework possesses strong generalization capability and real-time performance, making it suitable for various complex attack scenarios in NDN environments.

To evaluate the designed detection model, a data set $D={\left(X_i,y_i\right)}_{i=1}^M$ is proposed, where $X_i=\left(x_{i,1},x_{i,2},\dots x_{i,m}\right)$ represents the network traffic composed of m features. The label $y_i\in \{0,1,2\}$ indicates different network states, including normal (0), I-CIFPA (1) and other network state (2). We further define $y_{i,n}$, denoting the true score of the i-th sample on the n-th class, where

$$y_{i,n}\in \left\{\begin{array}{c}1,\mathrm{if}{y}_i=n,\hfill \\ 0,\mathrm{else}.\hfill \end{array}\right.$$

(1)

In order to effectively detect and distinguish normal traffic from I-CIFPA attacks, we adopted a multi-class classification model based on XGBoost. This approach enables us to build a separate decision tree for each network state and iteratively optimize it using the gradient boosting algorithm.

Let the training dataset be represented as $D={\left(X_i,y_i\right)}_{i=1}^M$. The model output for the i-th sample on class n after t rounds is denoted as ${\widehat{y}}_{i,n}^t$, and the aggregated score from the previous rounds is

$${\widehat{y}}_{i,n}^{t-1}={\displaystyle \sum _{k=0}^{t-1}}{\widehat{y}}_{i,n}^{(t-1)}.$$

(2)

We use softmax to convert the raw scores into probabilities:

$$p_{i,c}^{t-1}={\displaystyle \frac{e^{{\widehat{y}}_{i,n}^{t-1}}}{{\displaystyle {\sum }_{c=0}^2}{e}^{{\widehat{y}}_{i,c}^{t-1}}}}$$

(3)

In this case, the corresponding loss function can be expressed as

$$\begin{array}{cc}\hfill L(y,\widehat{y})& =-{\displaystyle \sum _{i=1}^M\sum _{n=0}^2}{y}_{i,n}{p}_{i,c}^{t-1}+\mathrm{\Omega }\left(f\right),\hfill \end{array}$$

(4)

where $\mathrm{\Omega }\left(f_t\right)$ is the regularization term defined as:

$$\mathrm{\Omega }\left(f_t\right)=\gamma T+{\displaystyle \frac{1}{2}}\lambda {\displaystyle \sum _{j=1}^T}{w}_j^2,$$

(5)

Here, T is the number of leaves in the t-th tree, $w_j$ is the score of the j-th leaf node, and $\lambda$, $\gamma$ are regularization parameters that help control model complexity and overfitting.

To optimize the model efficiently, we apply a second-order Taylor expansion to approximate the loss function. This leads to the following objective:

$$L\left(y,{\widehat{y}}^{\left(t\right)}\right)={\displaystyle \sum _{j=1}^T}\left[G_j{w}_j+{\displaystyle \frac{1}{2}}\left(H_j+\lambda \right)w_j^2\right]+\gamma T.$$

(6)

where $G_j$ and $H_j$ are the respective summations of first- and second-order derivatives on each sample belonging to the j-th leaf node:

$$\begin{array}{c}{G}_j={\displaystyle \sum _{i\in I_j}}{\displaystyle \frac{\partial L\left(y_i,{\widehat{y}}_i^{t-1}\right)}{\partial {\widehat{y}}_{i,n}^{t-1}}}\end{array}$$

(7)

$$\begin{array}{c}{H}_j={\displaystyle \sum _{i\in I_j}\sum _{n_1=0}^2}{\displaystyle \frac{{\partial }^{2}L\left(y_i,{\widehat{y}}_i^{t-1}\right)}{\partial {\widehat{y}}_{i,n_1}^{t-1}\partial {\widehat{y}}_{i,n}^{t-1}}}.\end{array}$$

(8)

To decide whether a node should be split, the model calculates the information gain as:

$$\mathrm{gain}={\displaystyle \frac{1}{2}}\left({\displaystyle \frac{{\mathrm{G}}_{\mathrm{L}}^2}{\left({\mathrm{H}}_{\mathrm{L}}+\lambda \right)}}+{\displaystyle \frac{{\mathrm{G}}_{\mathrm{L}}^2}{\left({\mathrm{H}}_{\mathrm{L}}+\lambda \right)}}-{\displaystyle \frac{{\left({\mathrm{G}}_{\mathrm{L}}+{\mathrm{G}}_{\mathrm{R}}\right)}^2}{\left({\mathrm{H}}_{\mathrm{L}}+{\mathrm{H}}_{\mathrm{R}}+\lambda \right)}}\right)-\gamma ,$$

(9)

where $G_L$, $G_R$, $H_L$ and $H_R$ represent the loss values of the left and right leaf nodes, respectively.

After feature transformation through decision tree ensemble, each sample is represented by a fixed-length vector that encodes the high-level structural patterns learned from the original input. For the final classification of the network state, we apply a fully connected layer followed by a Softmax activation.

The score $z_i=w_n^T·X+b$ is obtained by passing the transformed features and bias b through a fully connected layer, where $i=1,2,3$, and $w_n^T$ is the weight matrix. After exponentiation and normalization of the score $z_i$, the probability is

$$p_i=Softmax\left(z_i\right)={\displaystyle \frac{e^{z_i}}{{\sum }_{j=1}^3{e}^{z_j}}},$$

(10)

where ${\sum }_{i=1}^3{p}_i=1$.

The final predicted network state corresponds to the class with the highest probability:

If $p_1>\{p_2,p_3\}$, the network status will be judged as normal.

If $p_2>\{p_1,p_3\}$, the network status will be judged as other attack.

If $p_3>\{p_1,p_2\}$, the network status will be judged as I-CIFPA.

To further enhance classification accuracy, particularly in detecting the I-CIFPA class, we perform Bayesian optimization on the hyperparameters of the XGBoost model. This tuning process yields the final optimized version, called Improved XGBoost.

4. Experiment Analysis

To ensure the accuracy of the experiment, we use ndnSIM in NS-3 to simulate the experimental environment, and adopt a large topology structure for network simulation and data generation [8]. The impact of interval attacks is examined by analyzing the multi-dimensional network traffic characteristics of various routing nodes extracted from a particular network topology. These features include the counts of CacheHits, TimeOutInterests and OutInterest of backbone routing node.

4.1. Simulation Environment

Figure 4 [8] illustrates the network topology, which includes 169 red routing nodes on the outermost layer that represent subscribers, 45 green routing nodes in the intermediate layer representing gateway nodes, and the remaining 65 blue routing nodes signifying backbone nodes. In the simulation, the packet size is set to 1024 bytes, with a Content Poisoning Attack rate of 15 attacks per second and an Interval-Centric Interest Flooding Attack rate of 35 attacks per second. The attack cycle is 7 s, with an attack duration of 6 s within each cycle. The simulation spans a total time period of 0 to 200 s, during which interval attacks occur in the period between 50 and 150 s. These parameters are designed to mimic realistic network conditions under both legitimate and malicious traffic.

It provides detailed experimental parameters corresponding to specific configurations of network topologies. In general, attackers have different attack rates, and the attack rates of I-CIFA and CPA are different, so the changes in network traffic can be clearly analyzed. Ideally, the CS and PIT capacities of each routing node are both set to 1000.

4.2. Performance Analysis of I-CIFPA

The I-CIFPA is simulated on the ndnSIM platform, and the built-in output program of the platform, namely the trace helper, is utilized to track the simulation results. The requested statistics are collected and aggregated by this tool, where data on CacheHits are generated by ndn::CsTracer, and TimeOutInterests and OutInterests are generated by ndn::L3RateTracer. The experimental results are shown in Figure 5, Figure 6 and Figure 7.

Figure 5 shows that in the I-CIFPA scenario, the number of CacheHits is higher than that under normal and I-CIFA conditions. Additionally, CacheHits significantly increases during the attack intervals, indicating that I-CIFPA has higher stealth. Although the ideal CS capacity for each routing node is set to 1000, under limited CS capacity, I-CIFPA exhausts CS resources by caching too much unpopular content, leading to link congestion. This reduces the caching and forwarding efficiency of legitimate data packets, severely impacting the performance of the NDN network.

As shown in Figure 6, the number of TimeOutInterests under I-CIFPA is greater than those of I-CIFA, and it increases significantly during each interval attack. As a result, TimeOutInterests cannot be forwarded to publishers, so subscribers cannot receive replies from the legitimate publisher, causing a denial of service. This observation indicates that the robustness and stealth capabilities of I-CIFPA surpass those of CIFA.

Figure 7 demonstrates that during the attack interval, the number of OutInterests generated by I-CIFPA exceeds that produced by CIFA. This indicates that in the I-CIFPA scenario, the intensive transmission of interest packets leads to higher cache occupancy rates and excessive request hotspots, necessitating substantial remote resource requests. Compared with CIFA, the I-CIFPA attack integrates characteristics of CPA by simultaneously generating massive interest packets while occupying cache resources.

In summary, the numbers of CacheHits, TimeOutInterests and OutInteres take the form of periodic pulses under I-CIFPAs, severely damaging the NDN network and making the detection of and defense against I-CIFPAs more difficult.

4.3. Analysis of Experiment Result

In this section, we first determined the evaluation criteria for I-CIFPAs, and conducted analysis and experiments based on the proposed XGBoost detection model. At the same time, the parameters are continuously adjusted according to the Bayesian optimization algorithm to obtain an enhanced XGBoost model. Finally, the results are compared with other algorithms to verify the performance of the proposed method.

Table 1. Optimal parameters of Improved XGBoost.

Adjusted Parameter	Interval	Value
max_depth	[1, 10]	7
n_estimator	[1, 500]	200
eta	[0.01, 0.5]	0.1
gamma	[0.001, 10]	0.01
subsample	[0.01, 1]	0.8
min_child_weight	[0, 20]	10

presents the optimized classifier. Bayesian optimization was applied to adjust the key hyperparameters of XGBoost, aiming to enhance its performance in detecting Distributed Denial of Service (DDoS) attacks in NDN. Compared to the XGBoost baseline model, after applying Bayesian optimization, the max_depth parameter was increased from 6 to 7, allowing the model to have stronger expressive power while maintaining generalization; the n_estimators was increased from 100 to 200 to enhance the model’s learning capability; the eta (learning rate) was reduced from 0.3 to 0.1 to ensure a more stable training process and avoid performance degradation due to premature convergence. Additionally, the gamma (penalty coefficient) was adjusted from 0 to 0.01, introducing moderate regularization to prevent overfitting; the subsample (random sampling ratio) was decreased from 1 to 0.8, introducing some randomness during training to improve generalization; the min_child_weight was increased from 1 to 10, imposing stricter constraints on the minimum weight of leaf nodes to reduce noise influence and make the model more robust. These adjustments to the optimized parameters not only ensure real-time detection but also improve the generalization ability of the XGBoost model, making it more accurate and efficient in DDoS attack detection tasks within NDN environments.

Figure 8, Figure 9, Figure 10 and Figure 11 present the detection results of I-CIFPA attacks using the proposed method. In this experiment, test data were utilized for validation and detection purposes. To demonstrate the superiority of multi-feature integration, individual feature values were first separately employed for detection, followed by a comprehensive analysis using combined multi-feature values. The detection results are presented as follows.

As shown in Figure 11, the enhanced XGBoost model under multiple features shows a good advantage in detection rate. This section verifies the effectiveness and practicality of the multi-feature fusion strategy by comparing the experimental results of single-feature detection and joint multi-feature detection. Figure 8, Figure 9 and Figure 10 reveal the limitations of single-feature detection; CacheHits reflects the node cache efficiency, but cannot distinguish between normal high-demand traffic and abnormal cache behavior caused by attacks. TimeOutInterest represents the proportion of unresponded interest packets, and its detection results are easily affected by non-attack factors such as network congestion. OutInterests can intuitively indicate interest packet flooding attacks, but it is not sensitive enough to low-rate covert attacks. In contrast, the joint multi-feature method integrates multiple dimensions such as cache occupancy patterns and interest packet routing characteristics to obtain better detection results and better performance. This method significantly improves the model’s ability to distinguish complex attacks without introducing too much computational overhead.

To demonstrate the performance of the proposed improved XGBoost, we conducted experiments to compare it with XGB [17], KNN [18], ADA [19] and Random Forest [20]. Figure 12 shows the final results of multiple experiments and the average of each experiment.

As shown in Figure 12, the AUC score corresponding to the enhanced XGBoost model exceeds the baseline model of other multi-classification based machine learning algorithms. After averaging the results over 10 experiments, the final AUC values for each classifier are as follows: XGB: 0.9615, KNN: 0.9653, ADA: 0.9695, DecisionTree: 0.9583, and ImprovedXGB: 0.9746. Experimental results shows that the Improved XGBoost achieves higher AUC values across multiple experiments, indicating better classification performance. And compared to other models, the Improved XGBoost exhibits less fluctuation across different runs, proving its robustness. These findings confirm that the proposed Improved XGBoost model is more effective and reliable than traditional machine learning models in detecting and classifying network states.

5. Conclusions

In this paper, an enhanced XGBoost-based detection method is proposed to identify the I-CIFPA in NDN. The study first evaluates the performance characteristics of IFA and I-CIFPA, demonstrating that I-CIFPA exhibits significantly enhanced stealthiness and destructiveness. In feature detection experiments, results confirm that multi-feature fusion outperforms single-feature approaches. Comparative validations against other algorithms show the proposed method achieves superior performance in key metrics such as detection rate and AUC score, providing a reliable solution for efficient security protection in NDN. It is recommended that future research combine the cooperation mechanism between routing nodes and adopt a federated learning framework to optimize the detection scheme of I-CIFPA. By combining the dynamic cache strategy with the PIT space management mechanism, the practicality and defense effect of the detection scheme will be further improved.