A Review of Intrusion Detection and Prevention Systems in Fog Computing Environment

This document reviews intrusion detection and prevention systems in fog computing environments. It begins with an introduction to fog computing and how it addresses some limitations of cloud computing like lack of location awareness and high latency. It then discusses common attacks on fog computing systems like intruders, zero-day attacks, and denial of service floods. Finally, it outlines some security solutions for fog computing environments like access control, authentication, encryption, intrusion detection systems, and firewalls to address privacy and security challenges.

Uploaded by

habtamu maru
Informatics Bulletin, Faculty of Computers and Artificial Intelligence, Helwan University

Published Online Vol 3 Issue 2, July 2021


(https://fcihib.journals.ekb.eg)

A Review of Intrusion Detection and Prevention Systems in Fog Computing Environment

Ibrahim Mohsen Selim
Tech. Assis. of Information Technology Department
Faculty of Computers and Artificial Intelligence, Helwan University
Cairo, Egypt
[email protected]

Rowayda Abdel-Hamid Sadek
Assoc. Prof. of Information Technology Department
Faculty of Computers and Artificial Intelligence, Helwan University
Cairo, Egypt
[email protected]

Abstract—The development of the Internet of Things (IoT) has increased the interconnectivity of many IoT devices. Cloud computing is an ingenious way to process and store massive amounts of data in a simpler way, but using cloud computing seems to have some annoying problems, such as lack of location awareness, lack of geographic location distribution, lack of support for mobility, in addition to high latency and delay in response time. Another computing platform, called Fog Computing, was developed as a supplement to the cloud solution, because it extends the computing range of the fog part and cloud services to the edge of the system, thereby bringing the processing, connection, retention, and storage functions closer to the device, which solves the deficiencies faced by cloud computing. In addition, many issues related to protection, privacy, and security have appeared in the fog computing platform. Network defenses must be developed in a high-performance manner, detecting abnormal activity, monitoring all input and output communications in real-time, and developing new models for appropriate fog network portals to identify new attack families from the edge.

Index Terms—Fog Computing, Cloud Computing, Edge Computing, Internet of Things.

I. INTRODUCTION

With the popularity of the Internet of Things (IoT), the network architecture includes three layers: edge, cloud and fog, as shown in Figure 1, to provide dynamic analysis of network monitors and large-scale data analysis [1]. The edge layer contains IoT devices, computing devices and tools close to the organization. Fog is a decentralized computing architecture with services similar to the cloud, including software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) [2].

Fog computing is designed to solve cloud deficiencies such as lack of location awareness, lack of geographical location distribution, lack of support for mobility, in addition to high latency and delay in response time. The fog layer includes the same services as the cloud, but they are distributed to handle big-scale models and data services. Compared with cloud systems, as shown in Table I, fog systems have fewer computing resources, such as memory, processing and storage, but they can be increased as needed.

Figure 1. Hierarchical Architecture of Fog Computing

A. Cloud Computing

Cloud computing is one of the most important services available on-demand that benefit users and organizations in general, as it provides a lot of resources over the internet, whether it is computing power or storing huge amounts of data for them with high efficiency and lowest costs [3].

B. Fog Computing

The fog model aims to improve some of the deficiencies of cloud systems and analyze big data at the network edge [4]. It brings the computing and data storage closer to where they are required to shorten the response time. Due to its instant response functionality, it can support many industrial applications, and it is flexible and inexpensive in terms of hardware and software. In modern Edge-Fog-Cloud architecture, the network system is connected to many devices and computing
applications. A single device may generate a small amount of data, but when the data of multiple devices are combined, the amount of data generated becomes very large and difficult to process and verify in real time. Hardware and network elements are vulnerable to cyber-attacks because they use devices or network services.

TABLE I
SIMPLE COMPARISON OF CLOUD AND FOG COMPUTING [5]

Feature | Cloud Computing | Fog Computing
Support for mobility | Limited | Included
Location awareness | Partially | Included
Latency | High | Low
Geographic distribution | Centralized | Decentralized
Distance to devices | Far | Near
Energy consumption | High | Low
Computation power and storage capabilities | High | Low
Service location | Through the internet | At network edge
Real-time interactions | Supported | Supported

C. Edge Computing

Edge computing offers additional advantages over fog computing because it increases the independence of each device and reduces points of failure, but this makes it difficult to manage data and also makes it difficult to collect data on large networks such as the Internet of Things [6].

II. FOG SECURITY

Since the Fog device is connected to the Cloud and IoT system, it allows the use of various cyber threats to exploit the IoT network. This is due to the proliferation of many unsecured devices and the inability to monitor and protect sites with high efficiency; the open structure of fog is a major cause of weaknesses as well. Attackers can use these weaknesses to work in fog devices and services, in addition to threats to their big data privacy [7].

A. Fog Attacks

There are also many different types of attacks facing the Fog-IoT-Cloud architecture, such as intruders, zero-day attacks and of course flood attacks, in addition to abuse of service, advanced persistent threats and other attacks such as port scanning, back-door attacks, and user-to-root attacks [1].

o Intruders: Users who access Fog as authorized users and try to obtain some resources without having the rights to them.
o Zero-day attacks: There is a vulnerability in the software that is being exploited by the hacker, and it is usually on virtual machines.
o Flood attacks: The attacker floods the victim by sending an enormous number of packets, as in Distributed Denial of Service (DDoS).
o Service Abuse: Allowing unauthorized hackers to access and exploit services.
o Advanced Persistent Threats: Attackers break into the system by using some sophisticated software to steal data from the system.
o Port scanning: The hacker sends messages to find out which ports are active and which are not, and the active ones are then exploited.
o Back-door attacks: Attacks in which the hacker anonymously gets around authentication to control the system remotely.
o User-to-root attacks: An attacker tries to gain access to root from a legitimate user account.

B. Fog Security Solutions

The solutions include Access Control and Authentication as well as Encryption, Intrusion Detection, Firewall and Defense Systems. These security solutions seek to solve some of the various security problems and privacy challenges of the IoT-Fog-Cloud architecture [1]. There is also a set of suggested solutions presented in [8], which are to secure every part in the layers of cloud and fog, as shown in Figure 2.

The Fog platform must have a high-quality mechanism to monitor the use of network resources, and it must be one of the basics of any fog platform, where harmful activities are detected and then avoided, or their damage reduced as much as possible, before they occur [8]. It involves scanning dynamic networks to identify harmful packets based on a set of specific network controls and policies.


Figure 2. Some Security Solutions for each Component of the Fog System [8].

III. IMPORTANT ASPECTS OF FOG SECURITY TECHNIQUES

A. Network Monitoring

The process of monitoring the network for network attacks can be divided into dynamic, static, or a mix of the two. Protection systems, firewalls, anti-virus, and intrusion detection have been used extensively to monitor and prevent harmful events. However, each method has its own advantages and disadvantages. Due to new variants in attack signatures, no one method can detect and stop advanced persistent threats. The purpose of network monitoring is to collect useful information from different parts of the network so that the information collected can be used to administer and control the network [9]. Virtual Private Networks (VPNs) are also a line of protection that can protect networks from specific attacks, but they can also be compromised through cryptographic attacks such as man-in-the-middle attacks.

B. Intrusion Detection System

Intrusion Detection Systems are widely used in network, cloud, fog and edge systems to reduce malicious attacks such as denial of service attacks and port scanning attacks, in addition to attacks on virtual machines, especially hypervisors [10]. IDS is also considered a very important tool for networks in general to defend against attacks and predict them before they happen [11]. In Fog Computing, IDS can be used in the fog node to detect malicious intrusions and activities by monitoring persistent user login information, following access control policies, as well as carefully analyzing log files [12]. It can also be used on the network side and also helps to clarify some of the features of advanced systems and how it can detect both client-side and cloud-based intrusion. There are also some challenges that these systems face, such as implementing large-scale intrusion detection in a fog computing environment with high mobility and geographic dispersion, taking into account the low latency. IDS can also be used in fog computing on the fog node system side to detect any suspicious behavior by monitoring and analyzing files, especially log files, tracking the implementation of access control policies, as well as monitoring user login information. Also, intrusion detection techniques can be classified into two categories, namely signature-based intrusion detection systems and anomaly-based intrusion detection systems [13].

C. Intrusion Prevention System

An intrusion prevention system is one of the tools that exist on the network, which is used to discover malicious activities and prevent any malicious activity trying to access the network. IPS is mainly used to detect attacks in addition to recording them, as well as to prevent malware or other types of special exploits [14].

D. Privacy and Encryption

The protection of user information is one of the biggest problems we face in many systems such as the Internet of Things, fog, and edge, in addition to cloud systems. There are also many different methods and mechanisms for preserving privacy that have been proposed and implemented in both the cloud and networks. They can operate between the layers of cloud and fog to prevent infiltration and protect big data between them. Encryption techniques must be used during data exchange between internal network nodes and other networks [15]. The distribution of network nodes and security and privacy technologies need a lot of research to secure sensitive information.

E. Access Control

Access control is one of the most important tools to ensure system security in addition to protecting privacy, and because of the outsourced nature of the fog layer, external data must be encrypted. Several public key-based solutions have been used in an effort to achieve access control. Yu et al. [16] made a scheme that illustrates and uses Attribute-Based Encryption.

We will present some cyber defense plans, discover anomalies, monitor all input and output network connections in real-time with high performance, and develop models on network portals that fit fog/edge, such as IDS that can identify new attack families from the edge. IDS detects malicious intrusions and activities by monitoring persistent user login information, following access control policies, as well as carefully analyzing log files.

IV. CHALLENGES OF FOG SECURITY

Since the fog network is connected to and deals with a huge number of devices, the data that any device generates may be small, but when a number of devices are combined, it becomes
difficult to process the total amount of data, so filtering each network packet will require more processing power and memory. Fog computing systems contain a great many nodes because they are decentralized by nature, and this leads to high energy consumption. Therefore, a lot of work is required in developing and improving protocols that help to save energy and in starting new structures that are suitable for fog models, such as improving the efficiency of communication protocols, increasing the efficiency of network resources and optimizing computing protocols [17].

The network resource monitoring mechanism must be implemented within each fog platform because it is one of the basics of the fog system, as it is used to identify and reduce harmful activities before any damage to the system occurs. The process includes examining large and dynamic networks to identify harmful and unwanted packets according to predefined basics and network rules. Scanning is usually done by a class of firewalls, antivirus, intrusion detection, and protection systems.

Applications can be used in a distributed manner, suitable for network distribution, and in an intuitive and intelligent manner that will help improve network monitoring, as there are a huge number of different heterogeneous devices that transfer, exchange and process data at different levels such as operating systems, system management programs and also applications. Spending a lot of time discovering and monitoring normal network activity may not correspond to the real-time nature of sending packets of data. Encryption methods are very accurate and effective ways to provide privacy, but these systems usually affect performance because they require a lot of computation and communication. With the emergence of new attack families over time, the old attacks gradually developed and a new group of attack families appeared, so it was necessary to keep pace with and deal with those attacks.

V. STATE OF THE ART

A total of six research works have been identified in which a range of different technologies have been used to secure and monitor fog computing [18], [19], [20], [21], [22], [23].

o Related Work

In [18], Sohal, A. S., Sandhu, R., Sood, S. K., & Chang made a network security framework using three different technologies, Markov Model, IDS, and Virtual Honeypot Device (VHD), as shown in Figure 3, used to identify harmful devices in a fog computing environment.

1. Markov Model: The hidden two-stage Markov model is used to effectively classify peripheral devices into different levels:
o Legitimate Devices (LD)
o Sensitive Devices (SD)
o Under Attacked Devices (UD)
o Hacked Devices (HD)
2. Intrusion Detection System (IDS): It analyzes the network traffic of Fog Computing; when certain end devices try to slow down the network, for example by sending data at a rate slower than their available capacity, attack alerts are generated.
3. Virtual Honeypot Device (VHD): Used to record logs of all hacked devices to help the system discard future unknown attacks.

Figure 3. Three Phases of Cyber-Security Framework [18].

The outputs showed that this model is successful in detecting the harmful devices and that it also reduces the false IDS alarm rate, but there is a problem: when the legitimate edge device is returned from the VHD, some errors can occur.

In [19], Wang, Y., Meng, W., Li, W., Li, J., Liu, W. X., & Xiang, Y. made a framework for privacy protection for signature-based fog detectors in distributed networks based on some characteristics where results in all environments show that similar methods used in the framework can also have. They used a way to protect IDS privacy by implementing Non Trusted Third Party (TTP) encryption methods. The Privacy Protection Framework is used for distributed intrusion detection and collaboration, including the approved threat model and Rabin's fingerprint algorithm, for signature matching for intrusion detection based on the collaborative signature.

This framework can help maintain shared data privacy, reduce cloud-side workload, and provide less detection delay.

In [20], the author proposes to discover different DDoS vulnerability attack cases on the Fog network, where DDoS attacks are malicious attempts to disrupt the normal traffic of the target network by flooding the target or its surrounding infrastructure with internet traffic. In this case, DDoS attacks are detected by the IDS based on:
o Naive Bayesian: The author uses Bayesian Networks for measuring conditional probabilities to
determine whether a packet is normal or an intrusion packet.
o Markov model and virtual honeypot device can provide high protection and increase security against DDoS attackers.

With a dataset containing multiple features, it is necessary to choose some of the attributes appropriate for this attack and to remove redundant features, because this helps improve detection accuracy for the rapid detection of DDoS attacks, but it is only suitable for the need to detect DDoS. It was found to give good results and reduce the false positive rate of attack.

In addition, Yaseen et al. in [21] developed an intrusion detection system using certain functions of fog computing to identify network attacks in wireless sensor networks, especially selective forwarding attacks (SFA), in which attackers who participate in routing as normal nodes selectively ignore data packets from neighboring nodes. The IDS uses static monitoring sensors to alleviate the selective forwarding problem in mobile wireless sensor networks. The monitor's log also maintains a table of the data packets that are input to the monitored node and the data packets that it forwards. This information is used to determine the node's neglect rate at a given time, in order to determine whether the node is a malicious node or a safe one.

In addition, Aliyu, F., Sheltami, T. and Shakshuki, E. M. in [22] made intrusion detection systems and intrusion prevention systems in a fog environment to eliminate MitM attacks: IDS nodes interrogate the nodes connected to them one hop away, and the IPS uses simple encryption to prevent MitM attacks.

In addition, Shi, Y., Abhilash, S., and Hwang, K. in [23] made a security framework that is based on the Cloudlet network architecture. It can detect intruders in a cloud and ensure that mobile devices, Cloudlet and communications between clouds are secure. The security framework also creates a protective shield to combat cloud intrusion and prevent spam or virus attacks.

VI. FOG SIMULATION PLATFORMS

In addition to real solutions, we also need simulations to study and try the inner and outer workings of different IoT-Fog-Cloud systems, and also to develop effective new algorithms for managing and protecting data. There are several simulators available to specifically check distributed cloud systems and IoT systems [24]. Simulations are easier to set up, cheaper, and usually faster and more convenient. Some of the best simulation tools for edge, fog and cloud computing and the Internet of Things are:

o OMNeT++: A library and framework for building standard network emulators [25].
o iFogSim: A framework for simulating fog computing services, used to provide a global simulation framework in which to develop and pilot a fog computing infrastructure [26].
o CloudSim: A framework for simulating the infrastructure of cloud computing where one can focus on designing a system to verify some problems without worrying, in addition to providing accurate information related to the cloud infrastructure and services [27].

VII. FUTURE WORK

A new mechanism must be developed on network portals suited to a fog/edge environment that can identify new attack families from the edge, in an effort to reduce some of the limitations of previous network monitoring techniques, develop network defenses, detect anomalous activity, and monitor all input and output communications in a high-performance manner.

VIII. CONCLUSION

This research reviews research works on fog/edge, which is a decentralized computing architecture with services similar to cloud services. Utilizing fog by addressing tasks at the network edge eliminates major cloud layer challenges such as supporting mobility, location awareness, low latency, and geographic location. Fog technology continues to be used to address security and privacy challenges that stem from connectivity to IoT architecture and cloud systems. The goal is to enhance the security of fog computing and develop a network defense that can identify new attack families from the edge.

REFERENCES

[1] Moustafa, N. (2019). A Systemic IoT-Fog-Cloud Architecture for Big-Data Analytics and Cyber Security Systems: A Review of Fog Computing. arXiv preprint arXiv:1906.01055.

[2] Dastjerdi, A. V., Gupta, H., Calheiros, R. N., Ghosh, S. K., & Buyya, R. (2016). Fog computing: Principles, architectures, and applications. arXiv preprint arXiv:1601.02752.

[3] Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing—The business perspective. Decision support systems, 51(1), 176-189.

[4] Stojmenovic, I., & Wen, S. (2014, September). The fog computing paradigm: Scenarios and security issues. In 2014 federated conference on computer science and information systems (pp. 1-8). IEEE.

[5] Hu, P., Dhelim, S., Ning, H., & Qiu, T. (2017). Survey on fog computing: architecture, key technologies, applications and open issues. Journal of network and computer applications, 98, 27-42.

[6] Neware, R. (2019). Fog Computing Architecture, Applications and Security Issues: A Survey.


[7] Pierson, R. M. (2017). How Does Fog Computing Differ from Edge Computing. Online: https://readwrite.com/2016/08/05/fogcomputing-different-edge-computing-pl1/. Accessed, 12.

[8] Khan, S., Parkinson, S., & Qin, Y. (2017). Fog computing security: a review of current applications and security solutions. Journal of Cloud Computing, 6(1), 1-22.

[9] Shin, S., & Gu, G. (2012, October). CloudWatcher: Network security monitoring using OpenFlow in dynamic cloud networks (or: How to provide security monitoring as a service in clouds?). In 2012 20th IEEE international conference on network protocols (ICNP) (pp. 1-6). IEEE.

[10] Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, M. (2013). A survey of intrusion detection techniques in cloud. Journal of network and computer applications, 36(1), 42-57.

[11] Sadek, R. A., Soliman, M. S., & Elsayed, H. S. (2013). Effective anomaly intrusion detection system based on neural network with indicator variable and rough set reduction. International Journal of Computer Science Issues (IJCSI), 10(6), 227.

[12] Raponi, S., Caprolu, M., & Di Pietro, R. (2019, June). Intrusion detection at the network edge: Solutions, limitations, and future directions. In International Conference on Edge Computing (pp. 59-75). Springer, Cham.

[13] Sadaf, K., & Sultana, J. (2020). Intrusion detection based on autoencoder and isolation Forest in fog computing. IEEE Access, 8, 167059-167068.

[14] Tabrizchi, H., & Rafsanjani, M. K. (2020). A survey on security challenges in cloud computing: issues, threats, and solutions. The Journal of Supercomputing, 1-40.

[15] Lee, K., Kim, D., Ha, D., Rajput, U., & Oh, H. (2015, September). On security and privacy issues of fog computing supported Internet of Things environment. In 2015 6th International Conference on the Network of the Future (NOF) (pp. 1-3). IEEE.

[16] Yu, S., Wang, C., Ren, K., & Lou, W. (2010, March). Achieving secure, scalable, and fine-grained data access control in cloud computing. In 2010 Proceedings IEEE INFOCOM (pp. 1-9). IEEE.

[17] Sadek, R. A. (2018). Hybrid energy aware clustered protocol for IoT heterogeneous network. Future Computing and Informatics Journal, 3(2), 166-177.

[18] Sohal, A. S., Sandhu, R., Sood, S. K., & Chang, V. (2018). A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things environments. Computers & Security, 74, 340-354.

[19] Wang, Y., Meng, W., Li, W., Li, J., Liu, W. X., & Xiang, Y. (2018). A fog-based privacy-preserving approach for distributed signature-based intrusion detection. Journal of Parallel and Distributed Computing, 122, 26-35.

[20] Singh, S., Kumari, K., Gupta, S., Dua, A., & Kumar, N. (2020, June). Detecting Different Attack Instances of DDoS Vulnerabilities on Edge Network of Fog Computing using Gaussian Naive Bayesian Classifier. In 2020 IEEE International Conference on Communications Workshops (ICC Workshops) (pp. 1-6). IEEE.

[21] Yaseen, Q., AlBalas, F., Jararweh, Y., & Al-Ayyoub, M. (2016, September). A fog computing based system for selective forwarding detection in mobile wireless sensor networks. In 2016 IEEE 1st International Workshops on Foundations and Applications of Self* Systems (FAS*W) (pp. 256-262). IEEE.

[22] Aliyu, F., Sheltami, T., & Shakshuki, E. M. (2018). A detection and prevention technique for man in the middle attack in fog computing. Procedia Computer Science, 141, 24-31.

[23] Shi, Y., Abhilash, S., & Hwang, K. (2015, March). Cloudlet mesh for securing mobile clouds from intrusions and network attacks. In 2015 3rd IEEE International Conference on Mobile Cloud Computing, Services, and Engineering (pp. 109-118). IEEE.

[24] Markus, A., & Kertesz, A. (2020). A survey and taxonomy of simulation environments modelling fog computing. Simulation Modelling Practice and Theory, 101, 102042.

[25] Varga, A., & Hornig, R. (2008, March). An overview of the OMNeT++ simulation environment. In Proceedings of the 1st international conference on Simulation tools and techniques for communications, networks and systems & workshops (pp. 1-10).

[26] Mahmud, R., & Buyya, R. (2019). Modelling and simulation of fog and edge computing environments using iFogSim toolkit. Fog and edge computing: Principles and paradigms, 1-35.

[27] Beloglazov, A. (2016). Cloudsim: A framework for modeling and simulation of cloud computing infrastructures and services. Cloud Computing and Distributed Systems (CLOUDS) Laboratory, Department of Computer Science and Software Engineering, the University of Melbourne, Australia.
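
The neglect-rate check that Section V describes for the selective forwarding detector of [21], as an added example that is not code from this paper or from [21]: a monitor's table of packets handed to and relayed by each node is turned into a neglect rate per time window and a verdict. The log layout, the 0.3 threshold, the 10-packet minimum and the 1-second relay grace period are assumptions, and the log is constructed.

```python
"""Neglect-rate check for selective forwarding over a monitor's packet table.

Added illustration; field names, thresholds and the sample log are assumptions.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed monitor log: (time_s, event, node, packet_id, source, destination).

    "rx"  = the monitor saw the packet handed to `node`
    "fwd" = the monitor saw `node` relay that packet onwards
    """
    log, pkt = [], 0
    for i in range(20):
        t = i * 0.5
        src = "s1" if i % 2 == 0 else "s3"
        for node in ("n1", "n2"):
            pkt += 1
            log.append((t, "rx", node, pkt, src, "sink"))
            # n2 behaves like a selective forwarder: it relays s1 but ignores s3.
            if not (node == "n2" and src == "s3"):
                log.append((t + 0.2, "fwd", node, pkt, src, "sink"))
    # n3 is barely used in this window: one of its two packets is lost.
    log += [(1.0, "rx", "n3", 1001, "s1", "sink"),
            (2.0, "rx", "n3", 1002, "s1", "sink"),
            (2.1, "fwd", "n3", 1002, "s1", "sink")]
    # A packet addressed to n1 itself must not count as "not forwarded".
    log.append((3.0, "rx", "n1", 2001, "s1", "n1"))
    return log


def neglect_table(log, window=10.0, grace=1.0):
    """Count, per (node, window, source), packets due for relay and packets relayed."""
    pending = {}                              # (node, packet_id) -> (rx_time, source)
    table = defaultdict(lambda: [0, 0])       # key -> [expected, forwarded]
    for t, event, node, pkt, src, dst in sorted(log, key=lambda r: r[0]):
        if event == "rx" and dst != node:
            pending[(node, pkt)] = (t, src)
            table[(node, int(t // window), src)][0] += 1
        elif event == "fwd":
            seen = pending.pop((node, pkt), None)
            # A relay only counts if it matches a logged input and arrives in time.
            if seen is not None and t - seen[0] <= grace:
                table[(node, int(seen[0] // window), seen[1])][1] += 1
    return table


def classify(table, threshold=0.3, min_packets=10):
    """Turn the table into a verdict per (node, window), with per-source rates."""
    totals = defaultdict(lambda: [0, 0])
    by_source = defaultdict(dict)
    for (node, win, src), (expected, forwarded) in table.items():
        totals[(node, win)][0] += expected
        totals[(node, win)][1] += forwarded
        by_source[(node, win)][src] = 1 - forwarded / expected
    verdicts = {}
    for key, (expected, forwarded) in totals.items():
        rate = 1 - forwarded / expected
        if expected < min_packets:
            verdict = "insufficient-data"     # too few packets to judge fairly
        elif rate > threshold:
            verdict = "malicious"
        else:
            verdict = "safe"
        verdicts[key] = {"rate": rate, "verdict": verdict, "by_source": by_source[key]}
    return verdicts


if __name__ == "__main__":
    for (node, win), v in sorted(classify(neglect_table(build_sample_log())).items()):
        print(node, win, v["verdict"], round(v["rate"], 2), v["by_source"])
```

The per-source breakdown is what separates a selective forwarder from a congested link: n2's overall rate is moderate, but every packet from one neighbour is ignored while the other neighbour's traffic is relayed in full.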
