Abstract

Fog computing is an emerging network paradigm. Due to its characteristics (e.g., geo-location and constrained resources), fog computing is subject to a broad range of security threats. An intrusion detection system (IDS) is an essential security technology for dealing with these threats. We introduced a fog computing IDS (FC-IDS) framework in our previous work. In this paper, we study the optimal intrusion response strategy in fog computing based on that FC-IDS scheme. We postulate the intrusion process in fog computing and describe it with a mathematical model based on differential game theory. From this model, the optimal response strategy is obtained corresponding to the optimal intrusion strategy. Theoretical analysis and simulation results demonstrate that our security model can effectively stabilize the intrusion frequency of invaders in fog computing.

1. Introduction

Fog computing is an emerging network model [1]. As shown in Figure 1, fog computing has a three-layer architecture: the user device layer, the fog node layer, and the cloud computing layer. Fog nodes are service nodes located between the cloud and users [2]. Fog nodes are geo-distributed [3], so they can provide low-latency services to users. The research in this paper is based on this network architecture.

Fog nodes are located at the edge of the network, closer to users. The need for heterogeneous network access and diverse services exposes fog nodes to a more complex and insecure network environment. Traditional network security technologies, such as physical security [4], have difficulty resisting multisource and cross-domain intrusions [5]. It is necessary to research network security technology suited to fog computing in order to deal with these new challenges. An intrusion detection system (IDS) [6] is a measure that can provide effective security for fog networks [7]. Our previous work [8, 9] proposed a general IDS framework to protect cloud servers and fog nodes from security threats. One of the functions of an IDS is to select a response strategy based on the attacker's behavior. In this framework, intrusion response is the strategy and action taken when a fog node detects an intrusion. Response strategy selection is the most critical problem in intrusion response [10].

In the fog network, the intruder attacks the fog cluster and carries out an invasion process from the fog to the cloud. The cloud, as the management system for the fog cluster, needs to respond to such intrusion processes. The intruder attacks fog nodes at different frequencies. The purpose is to bypass the IDS deployed by the fog node in order to intrude into the system for further intrusion activities. In other words, the intruder seeks to maximize his expected invasion success. For the system, the cloud server's strategy is to set the access forbidding rate for the fog cluster. In addition to dealing with illegal users, the fog cluster also needs to serve legal users, and the system needs to serve as many legal users as possible. In order to find the optimal strategies of the intruder and the system, we can regard the problem as a game [10] in which the intruder and the system are the players.

For intrusion response, some researchers use static game methods to model and solve the problem. A universal game model is proposed in [11]. An approach named Response and Recovery Engine (RRE) [12] was proposed, based on Markov game theory. Reference [13] proposed a dynamic intrusion response model based on game theory to assure the incentives of the system. A noncooperative game model was applied to the problem of intrusion response [14]. Using a modeled stochastic game, the authors in [15] proposed a decision framework for taking optimal actions in case of network intrusion.

In fog computing, the interaction between fog nodes and the cloud is real time. In continuous time, the cloud needs to make decisions in real time, and intruders accordingly need to change their strategy in real time to maximize their gains. Differential games [16], as game models in continuous time, are therefore more suitable for the network environment of fog computing. At present, there is little literature on the application of differential games to fog computing security; the only relevant research we found is [17]. That author defines the strategy of fog nodes from the perspective of energy consumption, and the two players of the game are the vulnerable nodes and the malicious nodes in the fog cluster. In this paper, we define the two players of the game and carry out strategic analysis from the perspective of the system composed of the fog cluster and from the perspective of the intruders, respectively. The main work of this paper is to analyze the characteristics of intrusion in the fog network environment, apply differential game theory to model the invaders and the system, respectively, and emphasize the theoretical analysis of the system's defense model. In our model, the cloud server can take the best security strategy to filter the access requests of illegal users based on the attack of the invaders. To our knowledge, this is the first differential game theory approach to model the interactions between the intruder and the system in fog computing.

The main contributions of this paper are as follows:

(1) The path and characteristics of invasion are analyzed in the fog computing environment. The invader model and the defense model of the system are built, respectively, according to this invasion.

(2) We derive the optimal strategy of the system and the rational intruder, i.e., the Nash equilibrium of the game.

(3) The simulation shows the outstanding performance of the proposed strategy.

The rest of the paper is organized as follows. In Section 2, we analyze the intrusion process in fog computing. In Section 3, the differential game models of the intruders and the system are established and analyzed, respectively. In Section 4, the feedback Nash equilibrium solution is given. The model simulations are provided in Section 5. Finally, the main conclusions are summarized in Section 6.

2. Intrusion in Fog Network

This study focuses on the strategy the system should take when an intrusion occurs. We describe the process by which an invasion starts from the fog nodes and proceeds to the cloud. The ultimate goal of invaders is to gain higher permissions on cloud servers, thus causing greater damage to the entire fog network. From the perspective of network attack, invasions from the user device layer to the fog node layer and then to the cloud servers are implemented through different invasion methods. Figure 2 shows this invasion process.

Fog nodes face a heterogeneous network environment and communication protocols, and operating system and program bugs are easily exploited by invaders. By probing fog nodes, invaders can find bugs in them. In this process, an invader needs to send a number of access requests to each fog node to detect the bug. When the number of requests sent is too large, it also causes a denial of service (DoS) attack on the fog node. When an invader finds an exploitable bug, he exploits it to achieve an illegal invasion. Once an invader fatally invades a fog node, it first causes serious harm to the users in the service range of that fog node, such as privacy leakage and malware propagation. Second, invaders directly have a negative impact on the network service of the fog node, such as a U2R attack on the fog node. The ultimate goal of the intruder is to gain access to the cloud server and carry out further invasion. Once an invader achieves a user-to-root (U2R) attack on a fog node, the bugs of the cloud server are continuously scanned and exploited by the invader to seek access to the cloud. Reducing the invasion frequency of invaders and improving the traffic of legal users in the system are the means of countering invasion in fog computing. The focus of this study is on the intrusion response. Intrusion response is an important function of the IDS framework [8], as shown in Figure 3.

The framework is a 6-layer IDS framework. It contains a series of functional modules, such as detection and response, which can ensure the security of fog computing. Figure 3 shows that intrusion response is deployed in the cloud. The defense strategy of the cloud server is based on the whole system, in order to defend against invasion from illegal users and minimize the loss of fog nodes after an invasion. The invasion from illegal users and the response of the cloud server are regarded as the two players of attack-defense, and the problem is modeled and described in Section 3.

3. Differential Game Models

In this section, we model the two players of attack-defense in fog computing. In the process of invasion and response, the intruders and the system can be viewed as two players of a game, each aiming to maximize its own benefit. The invader invades every fog node. The invasion frequency on each fog node is the attacker's strategy, aiming to access the fog node as much as possible in order to make illegal accesses. For the defender, restricting the invasion of illegal users and letting more legal users access the fog network are the purposes of the system. The cloud server is mainly responsible for implementing the system's response strategy. The forbidding rate of accessing users, u(t), is the control strategy of the cloud server. The process of intrusion and the process of response are shown in Figure 4.

The invaders and defenders in fog computing are analyzed and modeled, respectively, showing the relationship between the strategies of invaders and defenders and their benefits. The symbols used in the modeling are listed in Table 1.

As shown in Figure 4, intruders start their attack at the fog nodes. The frequency of invasion against fog nodes is . The expectation of successful invasion is defined as the income of the invaders, which is , where  is the probability of a single successful invasion. The probability that a round of invasion is detected on the fog node increases when  is increased. When  increases, the probability of detecting attacks on the fog node increases. We define , where  is the upper limit of the invasion frequency on the ith fog node. The income of the invaders is

The cloud server acts as the defender of the system, and the defense strategy is deployed from the perspective of the fog cluster. The fog cluster is viewed as a system. When the system's access volume is too large, the system needs to take a corresponding response strategy. The functional relationship between the system income and the access traffic of the system is given, and the functional relationship between the response strategy of the system and the access traffic of the system is also given:

is the capacity of the system. When , it represents the traffic of legal access in the system.  represents the proportion of legal users in , and it is obvious that . . When , it represents the traffic of abnormal access in the system. Obviously, the proportion of illegal users is then larger than the legal access traffic. The original forbidding rate no longer applies to the response of the system, and the defense strategy should be started at this time.

The larger  is, the greater the proportion of illegal users. The forbidding rate of the system therefore needs to be larger. So , where  represents the forbidding factor.

When

According to formula (3),  has a quadratic relationship with . Based on the properties of quadratic functions, we give Theorem 1.

Theorem 1. When the system starts the defense policy, the maximum capacity of the system cannot exceed .

Proof. When  becomes as large as , . When  continues to grow, , the income of the system is negative, legal users cannot gain access, and the system is down. There is no point in starting the strategy.

Corollary 2. Condition 1 for the system to take the response strategy is that the value of is between and . .

The range of forbidding factor is as follows:

Based on the properties of quadratic functions, .  because  represents the access amount of legal users. When , the system reaches its critical point.

If , then .  is , which is the maximal income of the system before taking the strategy.

From , it can be concluded that .

Because of the properties of quadratic functions,  is the maximal income of the system after taking the strategy.

, which is .

The relationship between and is as follows:

The inequality needs to satisfy , and the range of is further determined:

According to inequality (4), the range of forbidding factor is as follows: .

Corollary 3. Condition 2 for the system to take the response strategy is as follows: , .

Corollary 4. The maximal incomes of the system can be improved when the response strategy is used.

Following the above, a precise function of income can be obtained:

In the further discussion, when , the relationship between the income of the system and the strategy of the system is important. From , the income after the strategy is used is

The process of the game is dynamic and continuous. Both the invasion against fog nodes started by invaders and the corresponding strategy executed by the system have a direct impact on memory occupancy. Memory occupancy can be dynamically represented as :

Because of , when the gains of both the system and the invaders are calculated, the impact on the gains caused by  needs to be considered. If the memory occupancy of the system increases, this may be due to the resource occupation caused by a successful invasion. This is what the invaders, as the starters of the invasion from outside, want, so the impact of  on their gains needs to be considered when the gains are calculated. On the contrary, for the system, starting the response strategy requires system memory.  is the cost of response when calculating gains, so the impact of  on the system's gains should be deducted from . The objective functions [16] of the system's gains and the invaders' gains are

c and d are the influence factors of  on the gains of the invaders and the gains of the system.

4. Solution of Optimal Strategy

In Section 3, intruder attacks and system defense in the fog network were regarded as dynamic game processes, and a differential game model was established. In this section, the optimal strategy of the differential game model established in Section 3 is solved [16, 18].

From the Bellman equation, formula (8) can be rewritten as

Differentiating formula (10) with respect to , we obtain the optimal response strategy as

We assume that

Substituting formula (12) into (10) and (11), we obtain

Then the optimal intrusion response strategy can be represented in terms of as

where we first need to solve for the expression of .

can be changed into

from which we can deduce that

Formula (18) gives rise to the expression of

The optimal response strategy of the system is finally presented as

Then we solve for the optimal intrusion strategy. From the Bellman equation, formula (9) can be rewritten as

In formula (21), differentiating with respect to  leads to the optimal intrusion strategy

In the same way, to solve for the expression of , we assume

Substituting formula (23) into (21) and (22), we obtain

From formula (24), can be written as

From formula (27), we can deduce that

where + + .

We obtain the expression of  as

Therefore, the optimal invasion strategy of each fog node is

From formula (7), we can update the equation of state

In summary, we obtain the optimal response strategy and the optimal intrusion strategy, described by formulas (20) and (30), respectively.

5. Numerical Simulation

In this section, Matlab 2014a is used for simulation. According to the model, the trends of the optimal response strategy and of the optimal invasion strategy over time are analyzed, respectively. Over a finite time horizon, 5 fog nodes are analyzed over 20 minutes to obtain the dynamic behavior of the system strategy and the intruder strategy. The parameters used in the simulation are shown in Table 2.

The access capacity of the system is  and the proportion of legal users in the system is . From (5), the range of  is fixed.  is the invasion limit on each fog node; its domain is between 50 and 100. The parameters a and b represent the influence factors of the intrusion strategy and of the response strategy on , respectively. Since the influence of intruders on  is indirect while the response strategy adopted by the system acts directly on , we assume a is less than b. d and c are the influence factor of  on the gains of the invaders and the influence factor of  on the gains of the system, so c needs to be between 0.1 and 0.5 and d needs to be between 0.01 and 0.1. r is a discount factor, which needs to be between 0 and 1.

First, the response strategy of the system is simulated. Figure 5 shows how  changes under different limiting factors . It can be seen that the value of  affects the initial value of the game. However, once the game begins, no matter what  is,  converges and stabilizes at around 10 minutes. This shows that when the system capacity of  and  is fixed, the value of  has little influence on the choice of response strategy, which means that the cloud server does not need to adjust the limiting factor frequently when choosing its strategy.

Figure 6 shows the convergence of the optimal defense strategy of the system when the discount factor r takes different values. The smaller r is, the faster the optimal strategy converges. When  is 0.9, the strategy has still not converged at the terminal time of the game. The reason is that , as the main parameter of the ultimate gains, directly affects the choice of system response strategy in the dynamic game.

The optimal intrusion strategy of the invaders is simulated, assuming that an invader invades 5 fog nodes; Figure 7 shows the five intrusion strategies against the 5 fog nodes with different . At the initial time, the frequency of invasion is 0. As time goes on, the invaders increase the frequency of invasion to obtain higher gains. However, as the game continues, the invasion strategy also reaches a steady state. Similar to the system response strategy, it converges at a certain time. Similarly, in order to observe the convergence of , the discount factor r takes different values. Figure 8 shows the trend of the optimal intrusion strategy over time when r takes different values. Obviously, the smaller r is, the faster the optimal strategy converges.

A comprehensive analysis shows that the system relaxes the restrictions on access traffic as it reduces its forbidding rate. At the same time, in order to maximize their income, the intruders also raise the intrusion level on the fog nodes. As the game continues, the system and the intruders adjust their strategies to maximize their incomes. The system state also changes when the strategies change, and  and  also affect the incomes of the players. Therefore, this process is a game between two players adjusting their optimal strategies and making the optimal strategies converge.

6. Conclusions

Fog computing is a new computing paradigm, and its security problems cannot be ignored. As the manager of the fog cluster, the cloud server needs to respond in time when an intrusion occurs. First, the characteristics of intrusion in fog computing are analyzed, and the invaders and the system in fog computing are modeled, respectively. Then the differential game model is solved, and the optimal strategies of the intruders and the system are obtained. Finally, we simulated the optimal intrusion strategy and the optimal response strategy and analyzed the experimental results. The results show that our game model and the optimal strategy can guarantee the security of the fog cluster.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the National Key R&D Program of China (2017YFC0820700), the Foundation of Science and Technology on Information Assurance Laboratory (no. KJ-17-101), and the National Science Foundation Project of China (no. 61701020).