7.1. Network Layer Security
An attack launched from the edge network could threaten all of the edge functional entities and may propagate to the whole communication network (e.g., eavesdropping on the communication link or injecting malicious traffic to the broadcast address in the network) [163]. Intrusion detection and prevention are two important research interests proposed to protect edge network security in IIoT environments. Many current solutions to combat IIoT network layer attacks rely on emerging technologies, such as AI- and Blockchain-based solutions, to provide the necessary detection and prevention mechanisms, as detailed in Table 4. For example, Diro and Chilamkurti [164] utilized the LSTM algorithm to detect attacks on distributed fog environments that might target IIoT devices. This technique is a first step toward improving the security of fog computing, by accurately detecting various attacks that might degrade the network performance and cause network entities to malfunction. The authors validated the proposed technique using two datasets—ISCX (found at https://www.unb.ca/cic/datasets/ids.html (accessed on 26 January 2023)) and AWID (found at https://icsdweb.aegean.gr/awid/ (accessed on 28 January 2023))—and compared the proposed method with LR. The technique yielded a promising accuracy of 98.22% on the AWID dataset and 99.91% on the ISCX dataset. The proposed technique was better than LR by 9% on the ISCX dataset; however, it took significantly longer to train than LR.
Chekired et al. [165] proposed a distributed and hierarchical intrusion detection system to detect attacks targeting the fog architecture. The proposed solution was mainly designed to detect false data injection attacks that target smart meters in the power grid. The proposed technique consists of three layers: AMI, fog, and cloud. Each layer incorporates various IDSs that hierarchically detect intrusions in a cooperative manner. The fog layer assimilates three types of IDS: Fog IDS, residual area network IDS, and HAN IDS. The authors then adopted a stochastic MC to differentiate malicious activities from normal traffic. The authors demonstrated the effectiveness of the proposed technique using real electricity data generated from Toronto.
Huang et al. [166] presented a defense approach to prevent DDoS attacks in IIoT environments. The proposed technique relies on a multi-point collaborative capability, deployed at the edge to detect DDoS attacks and protect IIoT devices from adversaries. The collaborative defense aspect of the proposed technique is accomplished through the use of blockchain technology, which is adopted to securely distribute defense information throughout the IIoT environment. Additionally, the authors introduced a swift defense information distribution technique, to minimize the information sharing latency and enable the proposed method to respond promptly. The authors also employed two deep learning-based mechanisms: an LSTM-Attention network differentiates normal traffic from attacks, and a 1D CNN architecture further categorizes the detected attack traffic. Furthermore, the authors used the classified attack feature representations to acquire new feature information and, hence, produce defense information and improve the robustness of the security system. The classification part based on deep learning was evaluated and compared with baseline models (i.e., SVM, MLP, and kNN). The deep learning-based techniques obtained superior results, compared to the baseline models, in terms of precision, recall, F1 score, and accuracy. Experiments conducted on the DoS2019 dataset (found at https://www.unb.ca/cic/datasets/ddos-2019.html (accessed on 9 February 2023)) also demonstrated that the swift sharing approach could decrease the propagation delay when distributing the information, thus enhancing the response time and better protecting the devices from DDoS attacks. The proposed LSTM-based approach achieved high performance in three performance metrics (i.e., 99% precision, 98.7% recall, and 98.8% F1 score), while the 1D CNN-based method achieved slightly better results than the LSTM-based approach (i.e., 99.3% precision, 98.9% recall, and 99.1% F1 score).
Mudassir et al. [167] presented three accurate deep learning-based approaches capable of detecting botnet attacks that target the IIoT environment. The three techniques are based on ANN, RNN-LSTM, and RNN-GRU, respectively, and were evaluated on the BotIoT dataset. The ANN-based approach achieved the highest accuracy (99%), although the other techniques obtained similar accuracies (98%). However, the RNN-GRU-based technique performed slightly better in detecting attacks with few samples, such as DoS and DDoS targeting the HTTP protocol. The precision and recall of the three models were not high, particularly in classifying attacks with a small number of samples. Thus, the authors improved their performance by under-sampling the majority class to create a balanced dataset. The proposed methods achieved better precision and recall on the balanced dataset. However, deploying such techniques on IIoT networks may pose an issue, considering the constraints of the devices, as deep learning-based approaches typically require high computation and memory usage.
Tsogbaatar et al. [168] introduced a framework using an ensemble of deep learning models as a building block to detect IoT threats utilizing SDN. The proposed framework consists of three modules: an anomaly detector module, device status prediction, and smart flow management. Stacked deep auto-encoders are used to extract features and feed them into the ensemble deep learning model. The proposed system was evaluated on the N-BaIoT and custom datasets, and accomplished superior results even on a 1% imbalanced dataset, compared to related works, achieving an improvement of approximately 3% over a single deep learning model.
Popoola et al. [169] proposed using dimensionality reduction and intrusion detection techniques to identify threats in IoT environments. The dimensionality reduction part of the framework was based on LAE, while the intrusion detection part was based on B-LSTM. After the LAE had reduced the feature set, the authors analyzed the long-term inter-related changes using B-LSTM to accurately identify network traffic samples. The proposed framework was validated on the BotIoT dataset, yielding promising results. The conducted experiments demonstrated that the feature reduction technique reduced memory requirements by approximately 92% and performed better than state-of-the-art dimensionality reduction techniques by up to 27%. The performance of the proposed framework, in terms of MCC, was high, reaching 93.17% in binary classification scenarios and 97.29% in multi-class classification scenarios.
Popoola et al. [170] introduced a botnet detection technique based on deep learning which is capable of dealing with imbalanced network traffic data. The authors adopted the SMOTE algorithm, which produces additional samples for classes with a small number of samples, to attain class balance. The authors then fed the balanced data into a deep RNN to learn hierarchical feature representations and, thus, distinguish attacks from normal traffic. The authors conducted two types of experiments using the BotIoT dataset: without and with the SMOTE algorithm. The first experiment showed that the imbalanced data degraded the results (in terms of recall, precision, F1 score, AUC, GM, and MCC). In contrast, the SMOTE-RNN-based approach yielded superior detection results, compared to state-of-the-art models, achieving 99.75% recall, 99.50% precision, 99.62% F1 score, 99.87% AUC, 99.74% GM, and 99.62% MCC. The proposed solution exploits the ability of RNNs to distinguish samples in historical time-series data, which has achieved high accuracy in many fields, including intrusion detection systems. However, the time required to detect intrusions is not negligible, which is a key issue, as this technique must be deployed on resource-constrained edge devices.
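The metrics quoted for the two preceding works (precision, recall, F1 score, GM, and MCC) and the two rebalancing strategies they rely on (under-sampling of the majority class in Mudassir et al., SMOTE-style synthetic minority samples in Popoola et al.) are illustrated by the following added example. It is not code from either paper; the flow features, the class counts, and the helper names (`metrics`, `undersample_majority`, `smote`, `demo`) are constructed for this illustration, and the SMOTE implementation is a minimal interpolation between minority neighbors rather than the library version. It shows why the survey reports MCC and GM alongside accuracy: on a 2% minority, a classifier that labels everything benign is 98% accurate while detecting nothing.

```python
"""Added example (not from the surveyed papers): imbalance-aware metrics and
two rebalancing methods for a botnet traffic dataset.  All data are
constructed; label 1 = attack, label 0 = benign."""
import math
import random


def confusion(y_true, y_pred):
    """Return (tp, fp, tn, fn) with label 1 treated as the positive (attack) class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, fp, tn, fn


def metrics(y_true, y_pred):
    """Accuracy, precision, recall, F1, geometric mean (GM) of recall and
    specificity, and Matthews correlation coefficient (MCC)."""
    tp, fp, tn, fn = confusion(y_true, y_pred)
    n = tp + fp + tn + fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    gm = math.sqrt(recall * specificity)
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    mcc = (tp * tn - fp * fn) / denom if denom else 0.0
    return {"accuracy": (tp + tn) / n, "precision": precision, "recall": recall,
            "f1": f1, "gm": gm, "mcc": mcc}


def undersample_majority(X, y, rng):
    """Random under-sampling (binary labels): keep every minority-class row and
    draw the same number of majority-class rows, so both classes are equal."""
    labels = sorted(set(y), key=y.count)          # least frequent label first
    minority, majority = labels[0], labels[-1]
    keep = [i for i, lab in enumerate(y) if lab == minority]
    keep += rng.sample([i for i, lab in enumerate(y) if lab == majority], len(keep))
    return [X[i] for i in keep], [y[i] for i in keep]


def smote(X, y, minority_label, n_new, k, rng):
    """Minimal SMOTE: each synthetic row lies on the segment between a random
    minority row and one of its k nearest minority neighbours (Euclidean)."""
    pts = [x for x, lab in zip(X, y) if lab == minority_label]
    new_rows = []
    for _ in range(n_new):
        base = rng.choice(pts)
        neighbours = sorted((p for p in pts if p is not base),
                            key=lambda p: math.dist(base, p))[:k]
        nb = rng.choice(neighbours)
        lam = rng.random()                        # position along the segment
        new_rows.append([b + lam * (m - b) for b, m in zip(base, nb)])
    return X + new_rows, y + [minority_label] * n_new


def demo(seed=7):
    """Constructed flow features (packets/s, mean payload bytes): 980 benign
    and 20 attack rows, i.e. a 2% minority like the botnet datasets above."""
    rng = random.Random(seed)
    X = [[rng.gauss(50, 10), rng.gauss(300, 50)] for _ in range(980)]
    y = [0] * 980
    X += [[rng.gauss(400, 40), rng.gauss(60, 10)] for _ in range(20)]
    y += [1] * 20
    # A classifier that labels everything benign scores 98% accuracy while
    # detecting no attack at all; recall, F1, GM and MCC all drop to zero.
    lazy = metrics(y, [0] * len(y))
    _, y_under = undersample_majority(X, y, rng)
    X_smote, y_smote = smote(X, y, 1, 960, 5, rng)
    return {
        "lazy_classifier": lazy,
        "undersampled_counts": (y_under.count(0), y_under.count(1)),
        "smote_counts": (y_smote.count(0), y_smote.count(1)),
        "smote_rows": X_smote,
        "smote_labels": y_smote,
    }
```

Under-sampling discards 960 benign rows (cheap, but throws away data, which matters for the small devices the survey keeps returning to), whereas SMOTE grows the minority to 980 rows and therefore increases training cost; the metrics function is what should be used to compare the two, since accuracy alone cannot tell them apart.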
Jayalaxmi et al. [171] proposed a botnet detection technique based on deep learning to protect IIoT networks. This method adopts a CFBPNN architecture and a feature selection method known as CFS, in order to minimize the time required to detect intrusions and improve the detection rate. Additionally, the authors utilized a time-series technique known as NARX to examine the elements that have a high impact on the target class, in order to anticipate the behavioral pattern. The authors conducted various experiments on five datasets to evaluate their proposed framework; namely, NF-UNSW-NB15, NF-CSE-CIC-IDS2018, NF-ToN-IoT, NF-BoT-IoT (these four datasets can be found at https://staff.itee.uq.edu.au/marius/NIDS_datasets/ (accessed on 12 February 2023)), and ToN-IoT-Windows (this dataset can be found at https://research.unsw.edu.au/projects/toniot-datasets (accessed on 20 February 2023)). The authors compared the proposed framework with various neural network models; the results indicated perfect accuracy, an outstanding F1 score, and good precision for the proposed model.
Alani et al. [172] proposed an effective botnet detection method using packet inspection and machine learning. The proposed framework also utilizes a feature selection technique to reduce the feature set and the detection time. The feature selection method chooses only seven important features, extracted from the network packet fields. These features are fed into the machine learning algorithm, in order to train it. The proposed detection technique and feature selection capability achieved higher than 99% accuracy.
Popoola et al. [173] introduced an FDL-based technique to detect zero-day botnet attacks and protect IoT edge devices from data privacy leakage. The authors presented an optimal DNN architecture to classify the captured network traffic. The models of the DNN architecture are independently trained in multiple IoT edge devices, remotely managed by a model parameter server, and local model updates are aggregated using the federated averaging algorithm. Various messages exchanged between IoT edge devices and model parameter servers were used to generate the global DNN model. The authors utilized two datasets to validate their proposed framework: BotIoT (found at https://research.unsw.edu.au/projects/bot-iot-dataset (accessed on 2 March 2023) or https://ieee-dataport.org/documents/bot-iot-dataset (accessed on 2 March 2023)) and N-BaIoT (found at https://www.kaggle.com/datasets/mkashifn/nBaIoT-dataset (accessed on 2 March 2023)). The proposed framework presented a high performance in classification metrics and can ensure data confidentiality and privacy. As the training data are distributed between edge IoT devices, the required memory space and storage are minimal for each IoT device. Additionally, the framework is deployed over edge IoT devices, ensuring low latency. Li et al. [174] deployed a similar approach, combining both FDL and edge/fog computing to protect IIoT environments from DDoS attacks. This method also achieved high detection accuracy (i.e., 98%).
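The federated averaging step that the two FDL works above rely on is shown in the following added example, which is not the code of either framework. Each device trains a small logistic-regression classifier on traffic that never leaves the device; the parameter server only receives weight vectors and returns their sample-count-weighted mean. The device data, feature semantics, round and epoch counts, and the function names (`local_train`, `federated_average`, `run_federated`) are all constructed assumptions; the DNN of the original work is replaced by logistic regression so that the example runs without any library.

```python
"""Added example (not the surveyed framework's code): federated averaging
(FedAvg) for an intrusion classifier.  Each IoT edge device trains a tiny
logistic-regression model on local traffic; a parameter server only ever sees
weight vectors and averages them weighted by sample count.  All devices,
feature values and labels are constructed."""
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def local_train(global_w, X, y, lr=0.5, epochs=20):
    """Device-side step: full-batch gradient descent on the local data,
    starting from the global weights.  The last weight is the bias term."""
    w = list(global_w)
    n = len(X)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for xi, yi in zip(X, y):
            feats = xi + [1.0]
            err = sigmoid(sum(a * b for a, b in zip(w, feats))) - yi
            for j, f in enumerate(feats):
                grad[j] += err * f / n
        w = [wj - lr * gj for wj, gj in zip(w, grad)]
    return w


def federated_average(updates):
    """Server-side FedAvg: mean of the client weight vectors, each weighted by
    that client's number of training samples.  updates = [(weights, n), ...]."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[j] * n for w, n in updates) / total for j in range(dim)]


def predict(w, x):
    return 1 if sum(a * b for a, b in zip(w, x + [1.0])) > 0 else 0


def accuracy(w, X, y):
    return sum(predict(w, x) == t for x, t in zip(X, y)) / len(X)


def make_device_data(rng, n, attack_frac):
    """Constructed per-device traffic: feature 0 is a normalised packet rate
    (attacks cluster around +1, benign around -1), feature 1 is pure noise."""
    X, y = [], []
    for _ in range(n):
        is_attack = rng.random() < attack_frac
        X.append([rng.gauss(1.0 if is_attack else -1.0, 0.4), rng.gauss(0.0, 1.0)])
        y.append(1 if is_attack else 0)
    return X, y


def run_federated(rounds=5, seed=3):
    """Three devices with different sizes and attack ratios.  Returns the
    global weights and the global model's accuracy on each device's private
    data (which the server never saw)."""
    rng = random.Random(seed)
    devices = [make_device_data(rng, n, f)
               for n, f in ((200, 0.10), (60, 0.50), (400, 0.05))]
    global_w = [0.0, 0.0, 0.0]
    for _ in range(rounds):
        updates = [(local_train(global_w, X, y), len(X)) for X, y in devices]
        global_w = federated_average(updates)
    return global_w, [accuracy(global_w, X, y) for X, y in devices]
```

The weighting by sample count is what makes the large device dominate the average; the survey's point about minimal per-device storage follows from each device keeping only its own rows plus one weight vector.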
Wazid et al. [175] proposed an effective method to detect routing attacks launched by malicious neighbors, in order to target edge-based IoT environments and degrade the performance (particularly, the delay and throughput) of edge networks. This method was designed to detect routing attacks and can be deployed on edge servers to identify the suspicious nodes that launch the attacks on their neighbors. This method should be distributed on powerful servers, as the collected data would be huge, including routing messages that are sent to all the nodes in the network (i.e., broadcast messages).
Singh et al. [176] introduced a network traffic monitoring system that thoroughly inspects incoming and outgoing network packets. The proposed system specifies signature rules to detect SQL injection attacks and other traffic injection attacks, places these rules in the IDS database, compares the packets with these rules, and flags an attack when a packet matches a rule. This method only detects one family of attacks: traffic injection attacks. This kind of method belongs to misuse intrusion detection systems. The biggest issue with intrusion detection systems in this category is their lack of ability to detect novel attacks (i.e., attacks with no signatures in the database). The only solution is to update the signature rules placed in the database through historical attack data analysis, which takes time and effort.
Yan et al. [177] presented a multi-layer framework to mitigate DDoS attacks. The framework collects network traffic at the cloud computing layer, classifies the traffic, and detects DDoS attacks based on the captured traffic. The authors utilized a data analysis mechanism located at the cloud computing layer to inspect the DDoS attack behavior. The inspection information is then forwarded to the fog computing layer to mutually combat DDoS attacks.
Zhou et al. [141] proposed a fog-based technique to mitigate DDoS in IIoT environments. The proposed system captures network traffic and analyzes it offline using VNFs in a local server. The analyzed network traffic information is matched with information captured at the cloud servers, to effectively detect and defend against DDoS attacks. The proposed method was designed to improve the response time and enable IIoT resource-constrained devices to efficiently adopt this technique without noticeable computational overhead. This approach consists of three levels and was implemented utilizing the Mero control system to achieve acceptable results. These methods were also designed to only detect one family of attacks (i.e., DDoS attacks), so they do not constitute a complete protection solution for IIoT environments.
Bhardwaj et al. [140] proposed a proactive technique to mitigate DDoS attacks. The proposed method uses three components to effectively detect DDoS attacks: locally deduced information, edge function, and web service. This approach is distinctive, as the detection is accomplished in real-time and provides defense responses. The authors claimed that the proposed solution could detect IoT DDoS attacks faster than related approaches by 10 times. Additionally, the authors claimed that the proposed approach could reduce the damaging impact of DDoS by 82%.
Simpson et al. [178] proposed an approach based on fuzzy logic to detect cooperative attacks (i.e., a type of black hole attack) targeting edge nodes in IoT environments. The authors presented a trustworthy infrastructure placed on the edge, to mitigate security risks in smart cities. This infrastructure was designed to detect malicious threats (cooperative attacks, in particular) in real time. The authors position the detection mechanism on the edge computing platform to reduce the computational overhead on IoT devices. Compared to services provided by the cloud, placing the detection method at the network’s edge can decrease bandwidth utilization and delay. Once an attacker is detected, the node that launches the attack is isolated. The authors also proposed utilizing a reaction-based trust evaluation, which generates a reputation value to re-analyze suspicious entities. The proposed framework was evaluated, demonstrating its effectiveness in detecting cooperative attacks.
Zaminkar et al. [179] presented a defense technique based on node rating and ranking to deter sinkhole attacks from affecting IoT devices. The authors conducted real experiments in industrial premises containing IoT devices and launched real-world sinkhole attacks using relevant tools. The authors captured real data frames flowing from and to IoT devices communicating with the APs through Wi-Fi (i.e., traffic transferred through wireless communication). Other network traffic transferring from the APs to a central switch and then to a router was captured as well (i.e., traffic transferred using wired communication). Network traffic was captured by switch port mirroring and the Wireshark sniffing tool. The authors deployed nine commercial IoT tools in the industrial environment, which acted as infecting devices, and formed two botnets to launch the sinkhole attacks.
Khan et al. [180] introduced a smart communication mechanism that detects and prevents Sybil devices from targeting IIoT devices in PEC. Once a device masquerades as one of the IIoT devices (i.e., spoofs its identity), the adversary’s identity is detected, and a notification is sent to edge servers to deter upstream messages transmitted from that suspicious node. The building block of the proposed framework is the parallel ABC algorithm, which determines the optimal network configuration for IIoT devices on each edge server once the attack is detected. Then, the server carries out job migration with the servers nearby, in order to improve the network performance and for load balancing, based on the capabilities of the nearby servers (e.g., storage and processing capabilities). The authors conducted an experiment to validate their detection and prevention techniques, showing that the technique is capable of detecting Sybil attacks and that, with the help of the parallel ABC algorithm, the delay can be reduced, the throughput improved, and the data communication of IIoT devices in PEC controlled.
Lawal et al. [181] proposed a fast and accurate anomaly- and misuse-based method to mitigate anomalies in IoT environments using fog computing. To ensure that an intruder is detected rapidly, the authors placed a list of IP addresses belonging to suspicious devices in a database (the signature-based part of the proposed system). Meanwhile, the anomaly detection part of the proposed framework adopted a machine learning technique known as extreme gradient boosting to differentiate malicious packets from genuine ones. The signature-based part was shown to be effective, in terms of detection time, when tested on a dataset (i.e., its detection time was faster than the anomaly detection part by more than six times). The anomaly-based part of the framework also demonstrated its effectiveness, achieving a 99% average accuracy and a 97% average recall.
Alharbi et al. [182] introduced a neural network architecture, called local–global best bat, to detect botnet attacks in the IIoT paradigm. The proposed method efficiently chooses feature representations and hyperparameters extracted from nine off-the-shelf IoT devices affected by attacks launched from two botnets: Mirai and Gafgyt. The bat’s velocity in the swarm is reformed using the local–global best-based inertia weight. Additionally, the authors utilized a Gaussian distribution in the population initialization step, in order to overcome the bat algorithm swarm diversity problem. The Gaussian density function in each generation is followed by a local search, thus accomplishing ideal exploration. The authors used a publicly available dataset (i.e., N-BaIoT) to validate their approach. This dataset consists of eleven classes: ten classes representing botnet attacks and a benign class. The proposed model was shown to be superior, compared to existing weight-optimization techniques such as PSO, achieving an accuracy of 90% in multi-class classification.
Nguyen et al. [183] adopted a dynamic analysis technique to enhance graph-based features and, hence, improve the IoT botnet attack detection performance. Printable string information is gathered using dynamic analysis while executing the samples. This printable string information is then used, together with static analysis, to traverse the graph, obtain graph-based features, and eventually differentiate benign instances from attack instances. The proposed method was evaluated using a dataset of 8330 samples, including 5531 attack samples and 2799 normal samples. The method yielded a promising accuracy of up to 98.1%.
Alqahtani et al. [184] presented a feature selection method based on the Fisher score (a representative filter-based technique employed to select important features and ignore insignificant features through the minimization of intra-class distances and maximization of inter-class distances) and an IoT botnet attack detection technique based on XGBoost. The Fisher score-based feature selection method was utilized to choose the most important features out of 115 available features, and the XGBoost-based method was used to distinguish between IoT botnet attacks and normal traffic. The authors conducted various experiments on the N-BaIoT dataset and evaluated their approach, using 10-fold cross-validation and holdout methods. The proposed feature selection method reduced the feature set to three important features out of 115 available features, thus reducing the detection time, while the selected features along with the proposed detection technique improved the detection accuracy when compared to the case where the baseline features were used.
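The Fisher-score filter described above is implemented in the following added example, which is not the authors' code. It computes the score of each feature as the between-class spread over the within-class spread, keeps the top k, and then trains a detector on the selected columns only; XGBoost is not reproduced here, and the nearest-centroid classifier used instead, the 10-feature traffic rows, and the function names (`fisher_scores`, `select_top_k`, `demo`) are constructed assumptions for a self-contained illustration. Feature ranking is done on the training half only, so that the selection does not leak information from the test rows.

```python
"""Added example (not the authors' code): Fisher-score feature selection
followed by a simple detector trained on the selected features.  All feature
data are constructed; the nearest-centroid detector stands in for XGBoost."""
import math
import random


def fisher_scores(X, y):
    """Fisher score of feature j:
       F_j = sum_c n_c (mu_cj - mu_j)^2  /  sum_c n_c sigma_cj^2
    i.e. between-class spread over within-class spread.  A constant feature
    (no spread at all) scores 0."""
    n, d = len(X), len(X[0])
    classes = sorted(set(y))
    scores = []
    for j in range(d):
        col = [x[j] for x in X]
        mu = sum(col) / n
        between = within = 0.0
        for c in classes:
            vals = [x[j] for x, lab in zip(X, y) if lab == c]
            nc = len(vals)
            mc = sum(vals) / nc
            var = sum((v - mc) ** 2 for v in vals) / nc
            between += nc * (mc - mu) ** 2
            within += nc * var
        if within > 0:
            scores.append(between / within)
        else:
            scores.append(0.0 if between == 0 else math.inf)
    return scores


def select_top_k(X, y, k):
    """Indices of the k best-scoring features and X restricted to them."""
    scores = fisher_scores(X, y)
    idx = sorted(range(len(scores)), key=lambda j: -scores[j])[:k]
    return idx, [[x[j] for j in idx] for x in X]


def nearest_centroid_accuracy(X_train, y_train, X_test, y_test):
    """Stand-in detector: assign each test row to the closer class centroid."""
    cents = {}
    for c in set(y_train):
        rows = [x for x, lab in zip(X_train, y_train) if lab == c]
        cents[c] = [sum(col) / len(rows) for col in zip(*rows)]
    hits = sum(min(cents, key=lambda c: math.dist(x, cents[c])) == t
               for x, t in zip(X_test, y_test))
    return hits / len(X_test)


def demo(seed=11, n_per_class=300):
    """Constructed 10-feature traffic rows: features 0 and 4 carry the attack
    signal, the other eight are noise.  Returns (selected indices, accuracy on
    all 10 features, accuracy on the 3 selected features)."""
    rng = random.Random(seed)

    def row(attack):
        r = [rng.gauss(0, 1) for _ in range(10)]
        if attack:
            r[0] += 6.0      # e.g. packet rate is much higher under attack
            r[4] += 3.0      # e.g. share of outbound bytes is higher
        return r

    X = [row(False) for _ in range(n_per_class)] + [row(True) for _ in range(n_per_class)]
    y = [0] * n_per_class + [1] * n_per_class
    train = [i for i in range(len(X)) if i % 2 == 0]
    test = [i for i in range(len(X)) if i % 2 == 1]
    X_tr, y_tr = [X[i] for i in train], [y[i] for i in train]
    X_te, y_te = [X[i] for i in test], [y[i] for i in test]
    idx, _ = select_top_k(X_tr, y_tr, 3)          # rank on training rows only
    restrict = lambda rows: [[x[j] for j in idx] for x in rows]
    acc_all = nearest_centroid_accuracy(X_tr, y_tr, X_te, y_te)
    acc_sel = nearest_centroid_accuracy(restrict(X_tr), y_tr, restrict(X_te), y_te)
    return idx, acc_all, acc_sel
```

The two informative features come out on top by a wide margin, and the detector loses nothing by dropping the seven noise columns, which is the same effect the authors report when going from 115 features to three.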
Arshad et al. [185] introduced a lightweight IDS designed for the IoT paradigm, which best fits the requirements of constrained IoT devices. The proposed method can be implemented on IoT devices and edge routers collaboratively to improve detection accuracy, decrease false positive rates, and enhance visibility. The authors created attack signatures and placed them in a database; this database is then installed on IoT devices. Thus, each IoT device is equipped with a signature-based IDS. Furthermore, the edge router learns the normal activities of the IoT devices, in order to detect any activity that deviates from the normal traffic. Thus, an anomaly-based IDS is positioned at the edge router. The effectiveness of the proposed solution was demonstrated, in terms of energy and memory consumption.
Arshad et al. [186] designed a similar framework for energy-constrained IoT devices, which can detect intrusions in IoT environments. The proposed framework can be implemented on IoT devices utilizing the Contiki operating system and on edge devices, in order to protect IoT environments against increasing threats (particularly, botnet attacks), while considering their low energy consumption, less computational overhead, and minimum communication cost. As with the previous approach, the proposed method installs a signature-based IDS in the IoT devices while placing the anomaly detection IDS at the edge router. Each IoT device has three mechanisms: network monitoring, system monitoring, and detection engine. The anomaly detector consists of two GDEs and three capabilities: detection, correlation, and alert capability. The framework’s efficacy was demonstrated, in terms of minimizing energy consumption and memory utilization.
However, the two previous approaches suffer from the following shortcomings: signature-based IDS could pose an issue for resource-constrained devices, due to the increasing number of attacks that need to be placed in the database and managed by those constrained devices. Additionally, new attacks should be added to the database; however, updating the database on each IoT device is cumbersome and consumes energy and memory resources. Moreover, the edge router is traditionally designed to forward the network layer datagrams (i.e., it processes the network layer header); however, to deploy an IDS on the edge router, it is necessary to decapsulate the packet to see the payload information, which violates end-to-end communication (i.e., the data should be transferred from the transport layer of the sender to the transport layer at the receiver).
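The two-stage design discussed across Singh et al., Lawal et al., and the two Arshad et al. works (a fast signature or blocklist lookup first, an anomaly detector that has learned the device's normal behaviour second) is illustrated by the following added example, which is not code from any of those papers. The packet records, the blocklisted address, the two signature rules, the per-window features, the z-score threshold, and the names (`signature_match`, `DeviceProfile`, `inspect`, `demo`) are constructed assumptions. It also makes the caveat of the preceding paragraph concrete: the signature stage needs the payload, so it belongs on the device where the packet is terminated, whereas the anomaly stage uses only header-level statistics (packet count, size, destination ports) and can run at the edge router without decapsulating the payload. The demo shows the known attack caught only by the signature stage and the novel attack caught only by the anomaly stage.

```python
"""Added example (not from the surveyed papers): a signature stage plus an
anomaly stage for IoT traffic.  Packets, rules and thresholds are constructed."""
import re
import statistics

BLOCKLIST = {"203.0.113.7"}   # constructed: known-bad source address (RFC 5737 test range)
SIGNATURES = [                # constructed rules: (name, regex applied to the payload)
    ("sqli-tautology", re.compile(rb"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)),
    ("known-c2-beacon", re.compile(rb"^BOTID=[0-9a-f]{8};CMD=", re.IGNORECASE)),
]


def pkt(src, dst_port, size, payload=b""):
    return {"src": src, "dst_port": dst_port, "size": size, "payload": payload}


def signature_match(p):
    """Stage 1 (misuse detection): blocklist lookup, then payload signatures.
    Needs the payload, so it runs on the device (or after decapsulation)."""
    if p["src"] in BLOCKLIST:
        return "blocklisted-source"
    for name, rx in SIGNATURES:
        if rx.search(p["payload"]):
            return name
    return None


def window_features(window):
    """Header-level statistics of one time window of packets from one device;
    no payload is read here."""
    return {
        "packets": len(window),
        "mean_size": statistics.mean(p["size"] for p in window),
        "dst_ports": len({p["dst_port"] for p in window}),
    }


class DeviceProfile:
    """Stage 2 (anomaly detection at the edge router): learns the normal
    range of each feature from benign windows and flags a window whose feature
    deviates from the mean by more than `z` standard deviations.  The standard
    deviation is floored at 5% of the mean so a very regular device does not
    make the detector hypersensitive."""

    def __init__(self, z=3.0):
        self.z = z
        self.baseline = {}     # feature -> (mean, stdev)

    def learn(self, benign_windows):
        rows = [window_features(w) for w in benign_windows]
        for key in rows[0]:
            vals = [r[key] for r in rows]
            mean = statistics.mean(vals)
            sd = max(statistics.pstdev(vals), 0.05 * abs(mean), 1e-9)
            self.baseline[key] = (mean, sd)

    def anomalous(self, window):
        feats = window_features(window)
        return [k for k, v in feats.items()
                if abs(v - self.baseline[k][0]) / self.baseline[k][1] > self.z]


def inspect(profile, window):
    """Run both stages; returns (signature hits, anomalous feature names)."""
    sig_hits = []
    for p in window:
        name = signature_match(p)
        if name:
            sig_hits.append((p["src"], name))
    return sig_hits, profile.anomalous(window)


def demo():
    # Constructed baseline: ten windows of 5-7 MQTT publishes of ~120 bytes.
    benign = [[pkt("10.0.0.5", 1883, 118 + (i + j) % 5) for j in range(5 + i % 3)]
              for i in range(10)]
    profile = DeviceProfile(z=3.0)
    profile.learn(benign)
    # Known attack: header statistics look normal, but the payload matches a rule.
    known = benign[0][:4] + [pkt("10.0.0.5", 1883, 122, b"BOTID=deadbeef;CMD=ping")]
    # Novel attack: no rule exists, but 60 small packets to 60 ports in one window.
    novel = [pkt("10.0.0.5", 1000 + j, 64) for j in range(60)]
    return {
        "benign": inspect(profile, benign[3]),
        "known": inspect(profile, known),
        "novel": inspect(profile, novel),
    }
```

Neither stage alone covers both cases: the signature database would have to be updated before the novel burst is recognised, and the anomaly profile cannot see a beacon that fits the device's usual packet shape, which is why the surveyed designs keep both and place them at different points.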
Zhang et al. [187] presented a method to prevent signature forgery attacks in IIoT environments using a robust certificateless signature mechanism. The security of the proposed method was verified, and its effectiveness against malicious third parties and public key replacement threats was demonstrated.
Qi et al. [188] proposed a prevention scheme utilizing secure access control to ensure the security of data transmission (i.e., to prevent malicious data transmission issues) in the IIoT paradigm. The introduced technique relies on a ciphertext policy attribute-based encryption mechanism, which enables IIoT entities to apply fine-grained policies to coordinate access to IIoT data. The computational overhead of implementing the proposed technique on IIoT devices is reduced through the use of a hybrid cloud infrastructure, which handles the encryption and decryption processes. This method can also provide a new privacy capability to IoT data, known as item-level data protection; a capability that can deter key leakage issues.
Tajalli et al. [189] adopted an average consensus-based mechanism to provide smart microgrids (i.e., an IIoT application area) with optimal scheduling for real-time operations and to resist DoS attacks. The proposed method utilizes a fog layer to decrease delays and supply the necessary data storage and internal computation capabilities for the IIoT environment. The security of the proposed method was also tested in heterogeneous IIoT devices against various attacks (DoS attacks, in particular), in order to evaluate the method’s performance in the context of such attacks. Their simulation results indicated the framework’s effectiveness, in terms of accuracy, rapid response time, and feasibility.
7.2. Perception Layer Security
Edge nodes are resource-constrained: they are equipped with memories of limited storage capacity and microprocessors with limited data processing capabilities. Usually, these devices temporarily hold data transmitted by IIoT devices. Therefore, the complexity of data management is decreased; however, data security challenges (e.g., data leakage) may occur. Secure data storage is one of the hot topics relating to IIoT device deployment in the edge computing research area. As shown in Table 5, some solutions have been proposed recently to overcome such challenges.
Liu et al. [190] introduced a framework to preserve data storage security utilizing a privacy algorithm known as local differential privacy and a combined AES-RSA encryption technique. The authors adopted the encryption technique to jointly and efficiently protect the secrecy of the data while making it possible to recover the data in a secure manner (i.e., only an entity with the appropriate key can recover the data). This framework consists of three layers: local, cloud, and fog. However, the proposed approach utilizes the RSA encryption technique, which belongs to public key cryptography and is known to be slow.
Hi et al. [191] utilized SDN technology to capture the data storage status information and, hence, facilitate secure data storage on fog computing nodes. In more detail, this approach designs trusted domains, security policies, and collaborative working schemes in a hierarchical fashion. The ultimate aim of this large-scale secure storage mechanism is to coordinate and authorize storage requests and provide data storage status information in a distributed manner, enabling IIoT devices to store and share data securely on the edge.
Ming et al. [192] presented an efficient technique providing data privacy protection and secure data sharing, which can be deployed to protect devices that use fog computing services and resources. The proposed approach adopts an enhanced inadvertent transfer algorithm and utilizes edge low-latency services to enable vehicles to query the optimal driving route while providing these vehicles with location privacy protection and anonymity.
Xue et al. [193] introduced a secure data-sharing approach for VCC utilizing both cloud and fog computing paradigms. The proposed method was based on encryption outsourcing and fine-grained access control. The proposed framework provides the vehicles with privacy preservation and confidentiality in an efficient way; the computation overhead is securely separated from resource-constrained devices to cloud and fog servers. Additionally, response delay can be reduced while preserving the consumption of fog server resources with the help of vehicle mobility prediction and pre-pushing data to certain fog servers. The proposed method yielded a promising reduced response latency and overhead saving in edge devices.
Fan et al. [194] introduced a data-sharing technique designed for vehicular fog computing, in order to securely recover stored data. The proposed method utilizes a novel encryption method with a multi-authority ciphertext mechanism, ensuring data access control in vehicular networks. The proposed framework also integrates an effective mechanism for attribute revocation. Therefore, vehicular network systems can effectively perform attribute revocation and execute data access authorization using the proposed framework, guaranteeing data sharing with low latency.
Adil et al. [195] introduced an approach to identify jamming attacks utilizing edge nodes. The authors deployed three edge nodes equipped with different transmission frequencies in a WSN and used the RTT measurement of the transmitted signal to detect jamming attacks targeting the transmission channel. Even if one transmission channel (i.e., the one that an edge node is communicating through) is jammed, the other two edge nodes would be able to verify the wireless transmission serviceability in the WSN. Moreover, the RTT of the transmitted signal from the neighboring channel is also intermittent, compared to its usual time interval, due to interference in the neighboring channels. This interference indicates the existence of a jamming attack in the WSN. The proposed method was implemented using OMNeT++ and accomplished a detection rate of 94%.
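The cross-checking logic of the three-channel RTT approach above is shown in the following added example, which is not the authors' OMNeT++ implementation. Each edge node keeps a baseline of its own RTT; a channel whose recent probes mostly time out or exceed the baseline is reported as jammed, a neighbouring channel with intermittent spikes as degraded, and the WSN as still serviceable as long as some channel answers normally. The RTT values, channel labels, thresholds, and function names (`baseline`, `deviation_ratio`, `assess`, `demo`) are constructed assumptions; `None` marks a probe that never returned.

```python
"""Added example (not the authors' implementation): multi-channel RTT
cross-check for jamming detection.  All RTT samples (ms) are constructed."""
import statistics


def baseline(rtts):
    """Mean and standard deviation of a channel's undisturbed RTT samples."""
    return statistics.mean(rtts), max(statistics.pstdev(rtts), 1e-6)


def deviation_ratio(base, recent, z=3.0):
    """Fraction of recent probes that timed out (None) or exceeded mean + z*sd."""
    mean, sd = base
    bad = sum(1 for r in recent if r is None or r > mean + z * sd)
    return bad / len(recent)


def assess(channels, z=3.0, jam_threshold=0.5, degraded_threshold=0.2):
    """channels: {name: (baseline_rtts, recent_rtts)}, one entry per edge node.
    Returns (verdict per channel, jamming_detected).  Jamming is reported only
    when one channel is jammed while another still answers normally: if every
    channel fails at once, a general outage is the more likely explanation."""
    verdict = {}
    for name, (hist, recent) in channels.items():
        ratio = deviation_ratio(baseline(hist), recent, z)
        if ratio >= jam_threshold:
            verdict[name] = "jammed"
        elif ratio >= degraded_threshold:
            verdict[name] = "degraded"       # intermittent RTT: neighbour interference
        else:
            verdict[name] = "ok"
    jammed = any(v == "jammed" for v in verdict.values())
    serviceable = any(v == "ok" for v in verdict.values())
    return verdict, jammed and serviceable


def demo():
    # Constructed: identical quiet baseline for three nodes on nearby frequencies;
    # ch1 is under attack, ch2 sees spill-over interference, ch3 is unaffected.
    quiet = [11.8, 12.1, 12.3, 11.9, 12.0, 12.2, 11.7, 12.4, 12.0, 12.1]
    channels = {
        "ch1_2400MHz": (quiet, [None, 48.0, None, 12.1, 35.5, None, 12.0, 60.2, None, 12.2]),
        "ch2_2425MHz": (quiet, [12.1, 12.0, 19.4, 12.2, 11.9, 12.3, 22.8, 12.0, 12.1, 17.6]),
        "ch3_2450MHz": (quiet, [12.0, 12.2, 11.9, 12.1, 12.3, 12.0, 11.8, 12.2, 12.1, 12.0]),
    }
    return assess(channels)
```

The degraded verdict on the neighbouring channel is the corroborating signal the authors describe: a single channel failing could be a faulty node, but a jammed channel next to an intermittently disturbed one with a third channel still healthy is the pattern that indicates jamming rather than an outage.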
Bany et al. [196] proposed a protocol that deals with proactive jamming attacks targeting IoT networks. This protocol relies on the channel and routing assignment, and does not require new hardware or entities installed in the network or servers. The aim of this protocol is to enhance the overall packet delivery ratio of the IoT network in the context of normal activities performed by IoT devices, multi-channel fading, and jamming attacks. The introduced method comprises three steps: path discovery, channel assignment, and route selection. The proposed method enhanced the packet delivery ratio in IoT networks, compared to existing protocols.
Abhishek et al. [197] proposed a technique to detect jamming attacks in IoV networks. The authors mentioned that vehicular networks are vulnerable to jamming attacks, due to the nature of the shared wireless media through which the packets are transmitted. The authors focused on a type of jamming attack in which the attacker waits until packets are transmitted, and then jams the channel. This type of attack is severe, as the packet drop rate increases and the delay of the network becomes noticeable. Thus, sensitive applications that demand real-time communication would be disrupted. To solve this issue, the authors introduced a detection technique based on SVM to identify jamming attacks. To train the proposed method, the authors created a dataset of packet drop probabilities obtained from jointly sufficient statistics. The proposed method was tested, and its effectiveness, in terms of detection ratio, was proven.
7.3. Application Layer Security
This subsection discusses the work proposed to secure the IIoT application layer. Table 6 compares those works focused on improving application layer security.
Dovom et al. [198] introduced a framework that detects and categorizes malware, especially in IoT and IIoT environments, by mapping the program’s opcodes into a vector space and adopting both fuzzy and fast fuzzy pattern tree mechanisms. The fast fuzzy pattern tree-based technique achieved acceptable accuracy and good detection time. The framework also utilizes both a robust feature extraction capability and a fuzzy categorization component. These components enable the framework to become a typical edge computing method that detects and categorizes malware. The only issue with this system is its reliance on fuzzy logic, which is known to be inaccurate when predicting unseen samples.
Guizani and Ghafoor [199] presented a software-based framework that adopts NFV technology to resist malware diffusion in heterogeneous IoT environments. To deploy a precise countermeasure, the authors used a deep learning-based IDS to promptly detect a broad range of malware. The IDS is based on a combination of two well-known deep learning algorithms (i.e., RNN and LSTM). Once malware is detected, the framework provides software or operating system updates to address the security vulnerability that enabled the attacker to break into the system.
Khoda et al. [200] observed that several IDS datasets lack balance between the classes in the training set (i.e., the number of benign samples is much higher than the number of attack samples), which may degrade the performance of machine learning-based IDSs. Thus, the authors presented an over-sampling technique (a mechanism that increases the number of samples of the classes with fewer samples, for example, by duplicating the samples of the minority class) to deal with this problem. The framework also introduces two capabilities to detect edge computing malware in a unique way: the first utilizes fuzzy set theory, while the second uses a new loss function capable of dynamically prioritizing malware samples. The proposed framework accomplished superb results compared to related techniques, improving the F1 metric by over 9% compared to related work.
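As an added example (not code from [200] or its authors), the following Python snippet shows the class-imbalance problem and the simplest over-sampling remedy the paragraph mentions: duplicating minority-class samples until the classes are equal in size. It also computes accuracy and F1 for a degenerate majority-class predictor, which illustrates why F1 is the metric worth reporting on imbalanced data. The 95/5 training set and its features are constructed.

```python
import random
from typing import Dict, List, Sequence, Tuple


def class_counts(labels: Sequence[int]) -> Dict[int, int]:
    return {c: list(labels).count(c) for c in set(labels)}


def random_oversample(features: Sequence, labels: Sequence[int], seed: int = 0) -> Tuple[List, List[int]]:
    """Random over-sampling: duplicate randomly chosen minority-class samples
    (with replacement) until the minority class is as large as the majority class.
    Only the training set should be balanced this way; the test set stays as is."""
    rng = random.Random(seed)
    counts = class_counts(labels)
    minority = min(counts, key=counts.get)
    majority = max(counts, key=counts.get)
    minority_idx = [i for i, y in enumerate(labels) if y == minority]
    out_x, out_y = list(features), list(labels)
    for _ in range(counts[majority] - counts[minority]):
        i = rng.choice(minority_idx)
        out_x.append(features[i])
        out_y.append(labels[i])
    return out_x, out_y


def accuracy(y_true: Sequence[int], y_pred: Sequence[int]) -> float:
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


def f1_score(y_true: Sequence[int], y_pred: Sequence[int], positive: int = 1) -> float:
    """F1 on the positive (attack) class; 0.0 when that class is never predicted."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


# Constructed imbalanced training set: 95 benign (0) and 5 attack (1) samples,
# each with a single numeric feature.
FEATURES = [float(i) for i in range(100)]
LABELS = [0] * 95 + [1] * 5


def majority_baseline(y_true: Sequence[int]) -> List[int]:
    """Degenerate classifier that always predicts the majority (benign) class."""
    return [0] * len(y_true)


if __name__ == "__main__":
    print("before:", class_counts(LABELS),
          "acc", accuracy(LABELS, majority_baseline(LABELS)),
          "f1", f1_score(LABELS, majority_baseline(LABELS)))
    _, balanced = random_oversample(FEATURES, LABELS)
    print("after:", class_counts(balanced),
          "acc", accuracy(balanced, majority_baseline(balanced)))
```

On the original set the majority-class predictor reports 95% accuracy with an F1 of 0.0, which is exactly the failure mode the authors describe; after over-sampling the classes are 95/95 and the same predictor drops to 50% accuracy, so a learner can no longer score well by ignoring the attack class.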
Alaeiyan et al. [203] introduced a multi-label malware detection system based on fuzzy clustering that can be deployed at the edge layer. This system enables CPS networks to accurately predict malware threats. Opcode frequencies are represented as a feature space, which the proposed framework uses to conduct statistical analysis and differentiate malware categories. The proposed method was evaluated on three datasets and achieved high accuracy.
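Both Dovom et al. [198] and Alaeiyan et al. [203] start from the same representation: a program's opcode sequence is turned into a point in a fixed vector space using opcode frequencies. As an added example (not code from either paper), the Python snippet below builds that representation and then uses the simplest possible classifier over it, nearest centroid with Euclidean distance, in place of the fuzzy pattern trees and fuzzy clustering the papers use. The opcode vocabulary, the two "families", and the training sequences are all constructed and carry no claim about what real malware opcode mixes look like.

```python
import math
from typing import Dict, List, Sequence

# Fixed opcode vocabulary: one dimension of the vector space per mnemonic.
VOCAB = ["mov", "add", "xor", "jmp", "call", "cmp"]

# Constructed training corpus (short opcode sequences, not real programs). Family
# names and opcode mixes are illustrative only.
TRAIN: Dict[str, List[List[str]]] = {
    "benign": [
        ["mov", "add", "mov", "cmp", "add", "mov"],
        ["mov", "mov", "add", "cmp", "call", "mov"],
    ],
    "family_a": [
        ["xor", "jmp", "xor", "call", "jmp", "xor"],
        ["xor", "xor", "jmp", "cmp", "jmp", "call"],
    ],
}


def opcode_frequency_vector(opcodes: Sequence[str], vocab: Sequence[str] = VOCAB) -> List[float]:
    """Map an opcode sequence to relative frequencies over the vocabulary.
    Opcodes outside the vocabulary still count toward the sequence length but get
    no dimension of their own, so vectors stay comparable across programs."""
    total = len(opcodes)
    counts = {op: 0 for op in vocab}
    for op in opcodes:
        if op in counts:
            counts[op] += 1
    return [counts[op] / total if total else 0.0 for op in vocab]


def centroid(vectors: Sequence[Sequence[float]]) -> List[float]:
    dims = len(vectors[0])
    return [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]


def euclidean(a: Sequence[float], b: Sequence[float]) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_centroids(train=TRAIN, vocab=VOCAB) -> Dict[str, List[float]]:
    """One centroid per category: the mean frequency vector of its samples."""
    return {label: centroid([opcode_frequency_vector(s, vocab) for s in seqs])
            for label, seqs in train.items()}


def classify(opcodes: Sequence[str], train=TRAIN, vocab=VOCAB) -> str:
    """Assign the category whose centroid is closest to the program's vector."""
    vec = opcode_frequency_vector(opcodes, vocab)
    centroids = build_centroids(train, vocab)
    return min(centroids, key=lambda label: euclidean(vec, centroids[label]))


if __name__ == "__main__":
    print(classify(["xor", "jmp", "xor", "cmp", "jmp", "mov"]))
```

Everything downstream of `opcode_frequency_vector` (distance metric, clustering, tree induction) can be swapped without touching the feature extraction, which is what makes the representation attractive for resource-constrained edge nodes.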
Shen et al. [204] investigated IoT malware spreading behavior to determine the best possible malware detection techniques for protecting the privacy of IoT smart objects and preventing the spread of malware. The authors introduced a joint cloud-fog infrastructure and deployed an IDS, capable of coping with the heterogeneity of smart sub-nets and the limited resources of IoT devices, to detect malware. Because of the uncertainty about whether a smart object carries malware, the authors also applied a signaling game to model the communication between the IoT devices and the corresponding edge nodes. They also detailed related mechanisms, such as theoretically calculating the optimal Bayesian equilibrium of the game to increase the probability of identifying malware. Additionally, the researchers explored the factors influencing the optimal probability of an IoT device spreading malware, as well as the factors that affect the performance of fog nodes in identifying an infected IoT device. Moreover, they provided a method demonstrating the practical and potential application of preventing the spread of malware in IoT networks.
Alhawi et al. [205] proposed a decision tree-based approach to detect Windows ransomware network traffic. The framework uses a specialized version of the decision tree known as J48, and the authors evaluated the method using conversation-based network traffic samples (i.e., packets) along with extracted features (i.e., fields). The framework achieved an acceptable true positive rate of about 97%.
Azmoodeh et al. [206] proposed an approach to detect ransomware attacks targeting IoT networks by measuring the power consumption of Android devices. The method monitors various processes to capture their energy consumption patterns and differentiate ransomware from legitimate applications. The authors compared four well-known machine learning algorithms (i.e., SVM, neural network, kNN, and random forest) using a dataset collected from the VirusTotal API (This dataset can be found at the following website: https://www.virustotal.com/gui/home/upload (accessed on 20 March 2023)). The authors conducted various experiments to compare the machine learning algorithms and fine-tune the number-of-neighbors hyperparameter, in order to achieve the best possible result. kNN with DTW achieved the best results in terms of accuracy, recall, precision, and F1 score, compared to the other machine learning algorithms.
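As an added example (not code from [206] or its authors), the Python snippet below implements the kNN-with-DTW combination the paragraph refers to: dynamic time warping as the distance between two power-consumption traces, followed by a k-nearest-neighbours vote. DTW is the point of the method, since it compares traces of different length and tolerates time shifts that a plain Euclidean distance would penalise or could not compute at all. The training traces, their labels, and the query are constructed and are not measurements.

```python
from typing import List, Sequence, Tuple


def dtw_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Dynamic time warping distance between two sequences of possibly different
    length: the minimum total |a_i - b_j| over monotone alignments, computed by
    dynamic programming over a (len(a)+1) x (len(b)+1) cumulative-cost table."""
    n, m = len(a), len(b)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            step = abs(a[i - 1] - b[j - 1])
            cost[i][j] = step + min(cost[i - 1][j],      # stretch a
                                    cost[i][j - 1],      # stretch b
                                    cost[i - 1][j - 1])  # advance both
    return cost[n][m]


def knn_dtw(query: Sequence[float], train: List[Tuple[Sequence[float], str]], k: int = 1) -> str:
    """k-nearest-neighbours vote using DTW as the distance between power traces."""
    neighbours = sorted((dtw_distance(query, trace), label) for trace, label in train)
    votes = {}
    for _, label in neighbours[:k]:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)


# Constructed power traces (arbitrary units per sampling interval), not measured
# data: the "ransomware" traces simply show sustained higher draw.
TRAIN_TRACES: List[Tuple[Sequence[float], str]] = [
    ([1, 1, 2, 1, 1, 2, 1, 1], "benign"),
    ([1, 2, 1, 1, 1, 2, 2, 1], "benign"),
    ([5, 6, 6, 5, 6, 6, 5, 6], "ransomware"),
    ([6, 5, 6, 6, 5, 6, 6, 5], "ransomware"),
]


if __name__ == "__main__":
    # A nine-sample query: different length from the training traces, which
    # DTW handles and a fixed-length Euclidean distance would not.
    print(knn_dtw([5, 5, 6, 6, 5, 6, 6, 5, 6], TRAIN_TRACES, k=1))
```

The O(n·m) table makes DTW the expensive part of the pipeline; with many traces per process a Sakoe-Chiba band or lower-bound pruning is the usual way to keep kNN responsive on a device.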
Almashhadani et al. [207] presented a detailed behavioral analysis of the activities that occur when crypto-ransomware—in particular, a severe strain known as Locky—attacks a network. The authors built their own test bed to validate their assumptions and extracted important features from the network packets in order to classify the captured traffic into various types. Additionally, they presented a network-based IDS that uses two separate detectors working simultaneously at two levels: Flow and packet. Various experiments were conducted using the extracted features and four machine learning algorithms: Random forest, decision tree, naïve Bayes, and SVM. The proposed technique was shown to be effective in detecting ransomware attacks according to five performance metrics (accuracy, false positive rate, precision, recall, and F1 score), providing an outstanding detection rate and a low false positive rate. The best algorithm in the packet-based experiments was the decision tree, yielding 97.92% accuracy, 97.9% precision, 97.9% recall, 97.9% F1 score, and a false positive rate of 0.021. The best algorithm in the flow-based experiments was naïve Bayes, which obtained 97.08% accuracy, a false positive rate of 0.029, 97.72% precision, 97.71% recall, and 97.71% F1 score.
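Both Alhawi et al. [205] and Almashhadani et al. [207] train decision trees on features extracted from network traffic, the former on conversation-based samples and the latter with a flow-level detector. As an added example (not code from either paper), the Python snippet below shows the two pieces in miniature: packets are aggregated into bidirectional conversations with a handful of flow features, and a Gini-based decision stump picks the single best split, which is the root decision a CART-style tree would make (J48 uses information gain instead, but the procedure is the same shape). The packet records, their sizes, timings, and labels are constructed for illustration and make no claim about what real ransomware traffic looks like.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed packet records (ts_seconds, src_ip, src_port, dst_ip, dst_port,
# bytes, label); the label is the ground truth of the conversation the packet
# belongs to, as a test bed would provide (0 = benign, 1 = ransomware).
PACKETS = [
    (0.0, "10.0.0.5", 49152, "203.0.113.10", 443, 600, 0),
    (0.1, "203.0.113.10", 443, "10.0.0.5", 49152, 1400, 0),
    (0.2, "203.0.113.10", 443, "10.0.0.5", 49152, 1400, 0),
    (0.6, "10.0.0.5", 49152, "203.0.113.10", 443, 80, 0),
    (1.0, "10.0.0.5", 49153, "203.0.113.11", 443, 300, 0),
    (1.1, "203.0.113.11", 443, "10.0.0.5", 49153, 400, 0),
    (1.3, "10.0.0.5", 49153, "203.0.113.11", 443, 60, 0),
    (2.0, "10.0.0.6", 49200, "203.0.113.12", 443, 500, 0),
    (2.2, "203.0.113.12", 443, "10.0.0.6", 49200, 1400, 0),
    (2.4, "203.0.113.12", 443, "10.0.0.6", 49200, 1400, 0),
    (2.6, "203.0.113.12", 443, "10.0.0.6", 49200, 1400, 0),
    (3.0, "10.0.0.6", 49200, "203.0.113.12", 443, 100, 0),
    (20.0, "10.0.0.7", 50001, "198.51.100.9", 8080, 70, 1),
    (20.1, "198.51.100.9", 8080, "10.0.0.7", 50001, 60, 1),
    (20.15, "10.0.0.7", 50001, "198.51.100.9", 8080, 70, 1),
    (20.2, "198.51.100.9", 8080, "10.0.0.7", 50001, 60, 1),
]
# Two more constructed conversations: periodic small packets to one peer.
PACKETS += [(10.0 + i, "10.0.0.7", 50000, "198.51.100.9", 8080, 60, 1) for i in range(6)]
PACKETS += [(30.0 + i, "10.0.0.8", 50002, "198.51.100.10", 8080, 100, 1) for i in range(10)]

FEATURE_NAMES = ["n_packets", "total_bytes", "duration", "mean_pkt_bytes"]


def conversation_key(pkt) -> tuple:
    """Bidirectional conversation key: both endpoints, independent of direction."""
    _, src, sport, dst, dport, _, _ = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def build_flows(packets) -> List[Tuple[List[float], int]]:
    """Aggregate packets into conversations and compute flow-level features."""
    groups: Dict[tuple, List[tuple]] = defaultdict(list)
    for pkt in packets:
        groups[conversation_key(pkt)].append(pkt)
    flows = []
    for pkts in groups.values():
        pkts.sort(key=lambda p: p[0])
        n = len(pkts)
        total = sum(p[5] for p in pkts)
        duration = pkts[-1][0] - pkts[0][0]
        labels = {p[6] for p in pkts}
        assert len(labels) == 1, "conversation with mixed labels"
        flows.append(([n, total, duration, total / n], labels.pop()))
    return flows


def gini(labels: List[int]) -> float:
    """Gini impurity of a binary label set (0.0 = pure)."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 1.0 - p * p - (1.0 - p) ** 2


def best_split(flows, feature_names=FEATURE_NAMES) -> Tuple[float, str, float]:
    """Decision stump: the (feature, threshold) split with the lowest weighted
    Gini impurity over all midpoints between consecutive feature values."""
    best = None
    for fi, name in enumerate(feature_names):
        values = sorted({f[fi] for f, _ in flows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for f, y in flows if f[fi] <= thr]
            right = [y for f, y in flows if f[fi] > thr]
            g = (len(left) * gini(left) + len(right) * gini(right)) / len(flows)
            if best is None or g < best[0]:
                best = (g, name, thr)
    return best


if __name__ == "__main__":
    print(best_split(build_flows(PACKETS)))
```

On the constructed data the stump selects `mean_pkt_bytes` with zero impurity, while packet count, byte total, and duration each leave the classes mixed; a full tree would recurse on the impure children, and the packet-level detector the authors pair with this one would run the same split search over per-packet header fields instead.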
Maiorca et al. [208] introduced an Android ransomware detector based on the random forest ensemble method. The proposed technique differs from previous methods in that it uses features extracted from API packages to categorize applications, without needing to be familiar with user-defined content (e.g., strings) or the language used to write the application. The authors evaluated the approach on two public datasets (i.e., the ransomware dataset (As indicated by the authors, this dataset can be found at http://ransom.mobi/ (accessed on 25 March 2023)) and the malware-trusted dataset (Found at https://www.sec.cs.tu-bs.de/~danarp/drebin/ (accessed on 25 March 2023))). The results indicated that the approach is applicable, with very high accuracy, to differentiate Android ransomware from other malware. Additionally, the authors flagged the detected ransomware applications using the VirusTotal service.
Sgandurra et al. [209] introduced a dynamic analysis and classification approach based on logistic regression that identifies ransomware when users install applications. The method monitors actions executed by applications at installation time in order to detect any indication of ransomware activity. The authors validated the technique on a dataset consisting of 583 ransomware samples (downloaded from the VirusShare website) belonging to 11 classes and 942 samples of benign applications, and compared their technique with naïve Bayes and SVM. The proposed method was found to be superior in terms of both the low complexity of the underlying machine learning algorithm and the detection rate (achieving a 96.3% detection rate and a 99.5% area under the ROC curve).
Tseng et al. [210] proposed a DNN-based approach to identify ransomware in a timely manner. The authors presented a labeling mechanism and selected significant features in order to improve the performance of the method and reduce detection time. The method achieved an acceptable detection rate and false negative rate.
Ogundokun et al. [211] proposed a machine learning-based detection technique to identify ransomware attacks targeting IoT devices. Experiments were conducted using a laptop computer, a projector, and an Android device. In addition to detecting ransomware attacks, the proposed system monitors the power consumption of the processes running on IoT devices every 500 ms using Power-to-track. The method achieved acceptable performance in four metrics: Accuracy, recall, precision, and F-score.
Al-Hawawreh et al. [212] conducted a comprehensive systematic analysis of ransomware attacks targeting IIoT devices and suggested several potential defense mechanisms. The authors deployed IIoT devices in an industrial setting following the IIRA and analyzed the shortcomings of IIoT environments that could be exploited by ransomware. The test bed contained I/O devices (i.e., actuators, sensors, and controllers), virtual components (i.e., mail servers, cloud servers, maintenance operators, and SCADA monitoring devices), and IIoT gateways. The authors found that the gateways in IIoT networks are susceptible to ransomware, and that IIoT devices and systems might be affected through them. IIoT gateways share some default capabilities; they act as mediators between the outside world and the IIoT environment (i.e., I/O devices or PLCs). Full access to an IIoT gateway can be gained once an attacker launches a ransomware attack against it, changes the legitimate gateway’s credentials, and replaces the firmware with malicious software; the compromised gateway could then expose any data transmitted from users to the external world (or vice versa). Consequently, the authors launched ransomware attacks in the considered IIoT environment, utilizing Python scripts similar to the Erebus Linux ransomware. Furthermore, they suggested potential detection and defense mechanisms to protect IIoT environments against ransomware, including the adoption of next-generation firewalls with enhanced traffic filtering, the use of monitoring systems (e.g., IDSs) to detect attacks as early as possible, and the placement of IIoT edge gateways in a trusted zone to prevent infected gateways from affecting the IIoT infrastructure.
To summarize this section, we can make some observations about the state-of-the-art methods. Devices, networks, and the data exchanged between devices can all be targeted by cyber-criminals in any communication system. What differs when IIoT devices are deployed in edge or fog computing is that the importance of edge security grows as data processing is pushed down to edge devices. The traditional protection of the data exchanged between IIoT edge devices, edge computing-based IIoT networks, and the devices themselves is weak, while the complexity of a network that involves both heterogeneous IIoT devices and edge servers is high. Thus, proposing and standardizing new approaches that protect edge networks or data sharing is difficult, particularly for methods that require changes to hardware, standardized communication protocols, or existing infrastructure.
For approaches that do not impose changes to hardware, communication protocols, or the existing edge network infrastructure—for example, IDS approaches that detect edge computing IIoT attacks such as injection, DDoS, and routing attacks—the solution must be both lightweight and accurate. Along the same lines, the proposed solutions for secure data sharing need further improvement and investigation; they are still limited and may become a hot topic in the near future. The use of emerging technologies such as Blockchain and AI could add value to research on secure data sharing and management.
Most IIoT network layer security solutions are detection-based and use machine learning to detect attacks such as DoS that prevent IIoT devices from accessing edge nodes (i.e., violate the availability requirement). The detection accuracy and time of these approaches are decent: accuracies range from 90% to 100%, depending on the dataset and data split, and intrusions can be detected in real time. A few proposed solutions mitigate security issues that violate confidentiality and data integrity; these rely on well-known encryption mechanisms to mitigate issues such as malicious data transmitted from IIoT devices to edge nodes (or vice versa) and signature forgery attacks.
Most of the proposed IIoT perception layer security solutions prevent or mitigate security challenges that violate confidentiality, secure data sharing/storage, and privacy. Some of these approaches rely on standardized encryption methods such as AES and RSA to provide confidentiality for the data transmitted between IIoT devices and edge nodes and to protect the data stored at the edge node. A few solutions use machine learning to detect jamming attacks, which violate the availability requirement, targeting the communication links between IIoT devices and edge nodes.
Most IIoT application layer security solutions are detection-based. They use machine learning to detect attacks inherited from traditional networks and IoT environments, such as malware and its subtype, ransomware. These attacks violate integrity, confidentiality, and authentication; thus, detecting them can help security personnel take further countermeasures to prevent the attacks from spreading to IIoT devices (especially if they control the edge nodes). The accuracies of these approaches are reasonable, ranging from 70% to 99.5% depending on the dataset used.