sample selected extreme learning machine based...

Research ArticleSample Selected Extreme Learning Machine Based IntrusionDetection in Fog Computing and MEC

Xingshuo An1 Xianwei Zhou1 Xing Luuml1 Fuhong Lin 1 and Lei Yang2

1School of Computer and Communication Engineering University of Science and Technology Beijing Beijing China2Department of Computer Science and Engineering University of Nevada Reno Reno NV USA

Correspondence should be addressed to Fuhong Lin fhlinustbeducn

Received 5 September 2017 Accepted 16 November 2017 Published 14 January 2018

Academic Editor Shangguang Wang

Copyright copy 2018 Xingshuo An et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Fog computing as a new paradigm has many characteristics that are different from cloud computing Due to the resources beinglimited fog nodesMEC hosts are vulnerable to cyberattacks Lightweight intrusion detection system (IDS) is a key technique tosolve the problem Because extreme learning machine (ELM) has the characteristics of fast training speed and good generalizationability we present a new lightweight IDS called sample selected extreme learning machine (SS-ELM) The reason why we proposeldquosample selected extreme learningmachinerdquo is that fog nodesMEC hosts do not have the ability to store extremely large amounts oftraining data sets Accordingly they are stored computed and sampled by the cloud serversThen the selected sample is given to thefog nodesMEC hosts for trainingThis design can bring down the training time and increase the detection accuracy Experimentalsimulation verifies that SS-ELM performs well in intrusion detection in terms of accuracy training time and the receiver operatingcharacteristic (ROC) value

1 Introduction

With the rapid development of smart devices we are embrac-ing an era of the Internet of Things (IoT) The IoT appli-cations require mobility support geodistribution locationawareness and low latency However it is difficult for cloudcomputing tomeet these requirements Edge paradigms suchas fog computing (FC) and mobile edge computing (MEC)are proposed to overcome the above challenging issues [1ndash3]The nodes which could perform computing tasks are calledfog nodesMEC hosts in FC and MEC hosts in MEC whichcan provide low-latency service FC and MEC are somewhatdifferent For example MEC hosts are typically deployed bymobile service providers [4] and fog nodes are made up ofedge servers or devices with communication and computingpower However their network model and many features aresimilar [5]They both extend cloud computing to the edge Inthis work we study a generalized network model that can beapplied in FC and MEC

Generally the infrastructure of FC or MEC consists ofthree layers the cloud server fog nodeMEC host layer and

user device layer where fog nodesMEC hosts are computingnodes unique to FC and closer to the user [6] The purposeof using fog nodesMEC hosts is to provide service withlower latency more flexible access and more secure networkcommunication to network users [7]

As a new network paradigm FCMEC presents severalchallenges in network stability and performance In FCMECmost of the terminal devices are resource-constrained forexample the terminal connected to a fog nodeMEC host canbe a smart home appliance a smart phone an unmannedaerial vehicle (UAV) or a VR device [8] Threats may comefrom various aspects for a network with such characteristicssuch as denial of service (DoS) man in the middle (MIM)rogue gateway privacy leakage and service manipulation [5]

Since there are many attacks against the FC networkthe benefits of FC are diminished by the damage causedby malicious attacks if no proper security and privacyprotection mechanisms are available To effectively handlesecurity threats in FC infrastructure and to minimize theassociated damage we focus on the security precautionsOne way turns to the intrusion detection system (IDS) An

HindawiWireless Communications and Mobile ComputingVolume 2018 Article ID 7472095 10 pageshttpsdoiorg10115520187472095

2 Wireless Communications and Mobile Computing

IDS is an important security barrier that can quickly detectintrusion and security risks in the network [9 10] Thedetection algorithm is one of the most important parts inIDS An intrusion detection algorithm suitable for criticalinfrastructures can accurately and quickly detect intrusions[11] Therefore to adapt to the new paradigm of FC thepresent study focuses on the intrusion detection scheme toensure the security and meet new challenges

This paper will first analyze the security problems inFCMEC According to fog nodesMEC hostsrsquo resource-constrained characteristics an intrusion detection schemewith a lightweight algorithm is proposed This design takesfull advantage of the computing resources of fog nodesMEChosts It deploys classifiers for intrusion detection on fognodesMEC hosts and stores training data sets in the cloudserver The contribution of this work is as follows(1) According to the network characteristics of fog thispaper proposes a general scheme of intrusion detectionsystem in FCMEC environment(2) Based on the traditional ELM this paper innovativelyadds the sample selection process in the training phase Thisdesign is used to improve the classifier algorithm so that itcan become more lightweight when fog nodesMEC hostsperform tasks(3) We compare the performance of BP SVM ELMand SS-ELM as intrusion detection classifiers and verify thesuperiority of SS-ELM

The paper is organized as follows In Section 2 wewill review related works on FCMEC security and extremelearning machine- (ELM-) based IDSs In Section 3 wewill discuss the requirements and schemes of an IDS inan FCMEC environment In Section 4 we will introducean ELM-based intrusion detection algorithm for FCMECSection 5 will describe the simulation to verify the algorithmThe paper is concluded in Section 6

2 Related Works

Existing research on FCMEC security mainly focuses onanalyzing security threats in FCMEC and the correspondingcountermeasures [7 12ndash14]

Dsouza et al [8] first described the advantages of FCas a new paradigm and elaborated the security problemsin several different scenarios of FC including intelligentinstrument authentication MIM attacks and privacy issuesin FCMEC Yi et al [7] suggested that FC security isa problem worthy of studying particularly the aspects ofauthentication access control intrusion detection and userprivacy issues FCMECrsquos possible contribution to networksecurity has been discussed from the perspective of computerforensics [13 14] In particular Wang et al compared cloudcomputing and FCMEC in terms of security [14] and notedthat FCMEC and honeypot technology can be integratedinto cloud computing forensics to protect the security ofcloud servers

There are some studies related to intrusion detection inFCMEC [5 15 16] The security of edge computing haspreviously been reviewed [5] and the author suggested thatFCMEC is a paradigm of edge computing In that paper

various security issues encountered in edge computing andsecuritymechanismswere discussed in detail In addition theauthor noted that a fog IDS should meet the defense needsof both local fog nodesMEC hosts and the entire networkbe able to detect lasting threats and have an intrusionprevention mechanism that can operate autonomously It hasbeen noted that an IDS can be deployed on the fog nodeMEChost side (host-side detection) or fog networkMEC networkside (network-side detection) tomonitor host-side intrusionsor network-side attacks [15] A new cloudlet mesh securityarchitecture was proposed based on cloudlets [16] and thisarchitecture is used to protect the mobile cloud network Ifcloudlet servers are treated as fog nodesMEC hosts thensuch architecture constitutes a host-side IDS

FCMEC is an extension computing paradigm of cloudcomputing Therefore we refer to the virtual machine (VM)IDS in cloud computing in the present study For examplean intrusion detection scheme deployed in a cloud VMwas introduced which was based on the Smith-Watermanalgorithm to collect and detect the anomalous behavior ofVMs [17] This algorithm improved the systemrsquos detectionefficiency and thus reduced the detection time to some extentIn a previous report [18] attacking threats in federated cloudenvironments were analyzed and a detection system formisuse cataloging was proposed An approach named VAEDwhich is deployed in VMs was given [19] Its results seem tobe promising for detecting evasion-based malware attacks

Many studies focused on intrusion detection Howeversince the scenarios of these studies are in the cloud thereis no focus on IDS in resource-constrained environmentsespecially FCMEC That is to say lightweight IDS is worthstudying in FCMEC

Intrusion detection techniques include statistics-baseddetection data-mining-based detection expert-system-based detection support vector machine- (SVM-) baseddetection genetic-algorithm-based detection and neural-network-based detection Considering the heterogeneityand dynamic characteristics rich network resources andcomplex attack behaviors in FCMEC we will use theELM-based algorithm to design and implement an intrusiondetection scheme in FCMEC in this paper The ELM is aneural network method At the end of this section we willreview the application of an ELM in intrusion detection

The ELM was first proposed by Huang et al [20] Thisalgorithm uses a random mechanism to reduce the numberof parameters to set and select and thus is a simple and fastlearning algorithm ELMs have been widely used in manyfields since their proposal including intrusion detection AnELM was used for intrusion detection and showed greateraccuracy in intrusion detection than that of an SVM [21]Ye and Yu proposed an intrusion detection method inwhich each class was combined into an ensemble classifierusing a one-to-all strategy [22] A weighted ELM was alsoproposed for intrusion detection [23] Cai et al proposeda new fusion method which combined with a ball vectormachine (BVM) ELM and a back propagation (BP) neuralnetwork for intrusion detection This method has shownstrong performance in detection accuracy and false positiverate [24]

Wireless Communications and Mobile Computing 3

Fog nodeMEC host

Fog nodeMEC host

Fog nodeMEC host

Fog nodeMEC host layer

equipmentUser

layer

ProbingAttack

attackDDoS

(U2R) Attack

(R2L) Attack

Cloudcomputing

Figure 1 FCMEC network security threats

3 Intrusion Detection Scheme in FCMEC

31 FCMEC Network Architecture and Its Security ThreatsFog networksMEC networks consist of user devices fognodesMEC hosts and cloud computing centers The typicaldifferences from the traditional cloud computing paradigmlie in the following (1) A cloud computing center man-ages and controls multiple fog nodesMEC hosts (2) FognodesMEC hosts located at the edge of the network betweenthe network center and the user have a certain computingpower (3) Fog nodesMEC hosts can handle computing tasksand can provide network services to user devices directly

User devices are heterogeneous and include smart sen-sors smart phones UAVs and other networkable terminalsWe hypothesize that fog nodesMEC hosts and terminaldevices in a fog networkMEC network are all likely tobe attacked and are thus not reliable Considering the fognetworkMEC network structure we present the intrusiondiagram of a network attack in FCMEC as follows

As shown in Figure 1 fog nodesMEC hostsMEC hostsin the FCMEC layer provide a network connection service touser devices and also exchange datawith the cloud computingserver Security threats come from direct or indirect attackson fog nodesMEC hostsMEC hosts and user devices InFCMEC network nodes are widely distributed and lackeffective physical protection They are vulnerable to invasionby malicious attackers The detection ability and responsespeed of traditional IDS have been unable to meet the needsof detection of fog environment Therefore the establish-ment of an efficient intrusion detection system in FCMECenvironment has become an important research direction ofFCMEC data security

In a fog networkMECnetwork the detection of intrusionis the process in which the IDS determines whether thehost state or network connection data are legal through asecurity audit In addition the fog networkMEC networkIDS deployment is related to the security of the entire systemBoth the fog nodesMEC hostsMEC hosts and the cloudcomputing center can compute and store data In orderto distribute the computational load of IDS reasonably wedecided to deploy IDS in the fog networkMEC networkusing cloud serversrsquo storage capability and fog nodesMEChostsrsquo limited computing power There are some reasonsfor the deployment scheme (1) From the perspective ofdetection efficiency if an IDS is deployed in the cloudcomputing center only then the network communicationcost will increase because all data must be sent to andprocessed by the cloud server Furthermore the computationload of the cloud server will also increase (2) From theperspective of security the cloud center as the central nodeof the entire network will easily become the target of attacksOnce the central node is attacked data obtained from fognodeMEC host detectors become unreliable (3) Intrusiondetection data sets are needed for training if a neural networkis used for intrusion detection Training data sets are usuallylarge and thus will greatly increase the training time ifthe training is conducted only by the cloud computingcenter compromising the training efficiency (4) Due tothe heterogeneity of user devices different fog nodesMEChosts can result in greatly different network environments inFCMEC For example certain fog nodesMEC hosts mostlyprovide networking services to cars and thus communicatewith vehicle sensors or car control systems while other fognodesMEC hosts serve primarily smartphones Moreover


the customer population of a fog nodeMEC host is alsodynamically changing a user device may join or exit a fognodeMEC host at any time

32 Intrusion Detection Scheme in FCMEC As described inSection 31 the relationship between a fog nodeMEC anduser devices is of highly dynamic variability To adapt tothe dynamic fog networkMEC network and to protect thesecurity and high efficiency of fog IDS we propose a generalarchitecture for FCMEC intrusion detection systems Thisscheme takes advantage of the computing capability andstorage capacity of fog nodesMEC hosts and cloud serversThe architecture includes data processing detection andknowledgemining in IDSThe scheme is divided into 6 layersaccording to the data flow of fog networkMEC network

User Equipment Layer FCMEC user equipment is het-erogeneous including personal computers (PC) intelligentterminals vehicles in Internet of Vehicles (IOV) and sensorsThese devices may access different fog nodesMEC hoststhrough different protocols

Network Layer It provides link services for different fog net-workMEC network protocols It is responsible for receivingdata transmitted from the network and user equipment layerand packing and transmitting data

Data Processing Layer The primary role is to deal with net-work intrusion data from user equipment including packetcapture data cleaning data filtering and data preprocessingThe task of this layer is done on fog nodesMEC hosts

Detection Layer After the intrusion data is pretreated thedetection layer is sent to the classifier to detect the attacks(1) It uses the classifier to analyze the intrusion data todetermine what kind of attack it belongs to (2) This layeris equipped with a security monitoring system to monitorthe host state of fog nodesMEC hosts (3) At the same timeit manages and records network protocols and logs for fognetworkMEC network packets After collecting and storinga certain amount of data the fog nodeMEC host sends thetest results and the relevant logs to the cloud server In theIDS of FCMEC the detection layer is the core layer and thedetection task is completed in fog nodeMEC host

Analysis Layer This layer is deployed in the cloud computingcenter Its main function is to analyze the results and relatedlogs reported by fog nodesMEC hosts It can integrateinformation into knowledge and generate some applicationservices For example this layer can generate security statusreports for a fog nodeMEC host and store them on the cloudserver

Management Layer Management in the cloud server ismainly responsible for (1) uniform monitoring and manage-ment of the safety status of fog nodesMEC hosts (2) thedecision and response of the intrusion detection system and(3) the data and logs of the intrusion fog nodesMEC hoststhat can be stored so as to facilitate intrusion forensics

As shown in Figure 2 the intrusion detection classifierof the detection layer is the most important part of thesystem for intrusion data processing It is related to thesubsequent cloud server intrusion response to ensure thesecurity of the system Therefore our work focuses on thedetectors of intrusion attacks Deploying detectors on fognodesMEC hosts can make full use of the computationcapability and storage capacity of fog nodesMEC hosts forintrusion detection However large-scale data cannot beprocessed or stored due to the limited computation andstorage capability of fog nodesMEC hosts In addition asdescribed in Section 31 simply deploying the detector onfog nodesMEC hosts cannot meet the requirements of adynamic networkThe cloud server has a larger storage spacethan fog nodesMEC hosts thus the cloud server could storea large number of training sets and training set selectingrules It can distribute training sets to fog nodesMEC hostsdynamically for training so that different fog nodesMEChosts become specific and dynamic Figure 3 shows theworkflow of this schemersquos steps as follows(1) The terminal accesses the fog nodeMEC host andestablishes a connection with the fog nodeMEC host Thenetwork environment of each fog nodeMEChost is different(2) Fog nodeMEC host cluster is controlled by the cloudserver so the total training set ismanaged by the cloud serverStore the total training set in the cloud server and select asample according to rules The premise of selecting samplesis that the cloud server has a perception of the networkenvironment of fog nodesMEC hosts(3)The cloud server sends the selected training set to thefog nodeMEC host(4) Complete the training process on the fog nodeMEChost(5)The communication between the fog nodeMEC hostand the terminal generates a data stream Intrusion detectionis performed on fog nodesMEC hosts

At the fog nodeMEC host layer intrusion detectionand real-time response are required to ensure the safetyand reliability of fog nodesMEC hosts For example whenexternal intruders attack a fog nodeMEC host the fognodeMEC host should be able to detect the type of intrusionand issue an alarm to prevent intrusion Because of itscomputing and storage capabilities a fog nodeMEC host cancomplete the computation task locally to ensure short latencyWe can deploy lightweight and energy-efficient algorithms onfog nodesMEC hosts for intrusion detection

4 SS-ELM for FCMEC Intrusion Detection

In FCMEC fog nodesMEC hosts are responsible for pro-viding network services formassive heterogeneous intelligentdevices as themembers of smart devices that provide servicesby a fog nodeMEC host are dynamically changing In otherwords a fog nodeMEC host may release a devicersquos serviceor establish a connection with the device at any time Thiscreates a dynamic network security threat in FCMEC Forthe intrusion detection system of the fog nodeMEC hostit is necessary to train the classifier with the new targeted


Managementlayer

Analysislayer

Detectionlayer

Networklayer

Data processinglayer

User equipmentlayer

Intrusionresponse

Storage andcommunication

Fog networkprotocol

Data pretreatmentData cleaningPacket capture

Fog networkpackets detection

Fog nodehost detection

Statisticalmodule

Cloudserver

Information analysis Knowledge mining

Fog nodeMEC host

WiFi Ethernet 5G

WSN M2M

Figure 2 General architecture for FCMEC intrusion detection systems

Cloudcomputing

Fog node

DDoS attack

Probing attack

Fog node layer

User equipmentlayer

Sampleselection

Total sample set

training sample setFog node

Rules

(R2L) Attack

(U2R) Attack Attacktype 1

Attacktype n

Intrusion response

Fog node

Detectionclassifier

Figure 3 Fog networkMEC network intrusion detection scheme


training set in real time Many of the previous intrusiondetection classifier algorithms have long training time [19]Due to the limited computing power and storage capacityof fog nodesMEC hosts these intrusion detection schemesare not suitable for FCMEC paradigm Therefore we needto study the application of lightweight intrusion detectionalgorithm on fog nodesMEC hosts

A well-suited classifier algorithm is the most importantfactor for a fog nodeMEC host IDS The solution forthe ELM is straightforward and can be found by findingthe minimum norm of a least square problem which canultimately be transformed into a Moore-Penrose generalizedinverse problem involving amatrixTherefore this algorithmis characterized by a small number of training parametersfast training speed and satisfactory generalization abilityand thus it is suitable to be used as a classifier algorithmand deployed on fog nodesMEC hosts To adapt to thedynamic process of fog nodesMEC hosts and to reduce thetraining time of fog nodesMEC hosts we select trainingsamples according to the network characteristics and trainingcharacteristics of each fog nodeMEC host This chapterdescribes an algorithm for an SS-ELM for FCMEC Wedescribe the principles and processes of traditional ELMalgorithms in Section 41 furthermore Section 42 describesour proposed SS-ELM algorithm As described in ChapterThree the algorithm is characterized by adding sampleselection in the cloud server and using the deployed ELMclassifier to detect network attacks on fog nodesMEC hosts

41 ELM Algorithm ELM was first proposed by Huang ofNanyang Technology University [20] In this subsection thebasic principles of ELM will be introduced as follows

The ELMhas amore simple and valid studymode relativeto the traditional BP algorithmTherefore the learning speedof ELM is much faster than that of BP In addition traditionalBP usually has some problems such as having a local mini-mum being inappropriate and having an overfitting learningrate It therefore usually adopts some special methods toavoid these problems The ELM does not need to considerthese tiny problems and can get the solution of the problemdirectly It is simpler than the algorithmof feedforward neuralnetworks Hence ELM is more convenient and practical thanthe traditional ANN model The calculation construction ofELM algorithm in this investigation is shown in Figure 4

For the training data sample (997888119909 119910) the output functionexpression of single-hidden layer ahead with 119871 hidden layerneurons to the neural network is

119891119871 (119909119897) = 119871sum119894=1

120573119894119866 (119886119894 119887119894 119909) (1)

where 119886119894 and 119887119894 are weight vector connecting 119894th hiddenneuron and the input neurons 120573119894 shows the output weightconnecting the ith hidden layer with model output and119866(119886119894 119887119894 119909) shows the 119894th hidden layer relative to hidden layernode output of the sample (997888119909 119910) the expression of119866(119886119894 119887119894 119909)is

119866 (119886119894 119887119894 119909) = 119892 (119886119894 sdot 119909 + 119887119894) (2)

m

i L

d

f(x)

1 i L

G(a1 b1 x)G(ai bi x)

G(aL bL x)

X

1

1

1

Figure 4The architecture of the ELMneural networkmodel in thiswork

In the expression 119892 119877 rarr 119877 is the activation functionand 119886119894 sdot 119909 is the inner product of input weight 119886119894 and sample119883 in 119877119899 Consider 119873 inequality data samples (119909119894 119905119894)119873119894=1 sub119877119899times119877119898 if the single-hidden layer neural network of 119871 hiddenlayer neurons approaches119873 inequality data sample with zeroerror that is to say there are 119886119894 119887119894 and 120573119894 119894 = 1 119871 whichmakes formula (2) written as

119891119871 (119909119895) = 119871sum119894=1

119866 (119886119894 119887119894 119909) = 119910119895 119895 = 1 119873 (3)

The shorthand formula of (3) is as follows

H120573 = 119884 (4)

where H is called the hidden layer output matrix thecorresponding 119894th column shows the output of 119894th hiddenneural layer corresponding to the input 1199091 1199092 1199093 119909119899 andthe 119895th line shows all the hidden layers relative to outputamount of inputting 119909119895

H0 (1198861 119886119871 1198871 119887119871 1199091 119909119873)

= [[[[[

119866 (1198861 1198871 1199091) sdot sdot sdot 119866 (119886119871 119887119871 1199091) sdot sdot sdot 119866 (1198861 1198871 119909119873) sdot sdot sdot 119866 (119886119871 119887119871 119909119873)

]]]]]119873times119871

(5)

120573 is output weight 120573 = [ 120573119879

1

120573119879119871

]119871times119898

and 119884 = [ 119910119879

1

119910119879119873

]119873times119898

In most cases the number of hidden nodes is muchsmaller than the number of training samples (119871 ≪ 119873)making it challenging for the constructed single-hidden-layerneural network (a total of 119871 neurons in the hidden layer) toinfinitely approach thesemutually different samples with zero


error resulting in errors between the network output of thetraining samples and the actual output In this case (4) canbe rewritten as

H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898

The square loss function can be

defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)

Equation (7) can be written as follows

119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)

Then the training of the network parameters is trans-formed into the problem of minimizing the square lossfunction that is finding the least square solution 120573 so that

10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)

The following equation can be obtained using theMoore-Penrose generalized inverse

120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)

in whichH+ = (H119879H)minus1H119879 If the hidden layer outputmatrixis not of full column rank then the optimal external weightcan be obtained using the singular value decomposition(SVD) method

Shown above is the process of using the traditional ELMalgorithm to solve the problem In the ELM algorithmthe hidden layer node parameters are randomly determinedduring parameter training (in actual application the hiddenlayer node parameter values are often randomly set withinthe interval [minus1 1] because the experimental samples mustbe standardized)

42 SS-ELM Algorithm Sample sets in the cloud server (119885119899)can be divided into two parts sample sets to be distributed tofog nodesMEC hosts 119885119891

119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup

sample sets 119885119888119899119888 = 119911119888119895 = (119909119888119895 119910119888119895)119899119888119895=1 in which 119885119891119899119891cup 119885119888119899119888 =119885119899119885119891119899119891cap119885119888119899119888 = The purpose of sample selection is to select

119885119891119899119891

from 119885119899 so that the network learned from 119885119891119899119891

using theELM-based algorithm can satisfy 119869(119886119894 119887119894 120573) le 120590 in which120590 isin (0min119869(119886119894 119887119894 120573)) is the predetermined upper limit ofthe performance index

Assuming that 119880119888 = 119906119888119895 | 119906119888119895 = |119910119888119895 minus 119891(119909119888119895 119886119894 119887119894 120573)|119899119888119895=1 isthe absolute error between the sample output and networkoutput of 119885119888119899119888 119885119888119904 = (119909119888119898 119910119888119898) is defined to include anyelements in 119885119888119899119888 that correspond to the maximum element in119880119888 After initializing the sample sets (let 119885119891

119899119891= and 119885119888119899119888 =119885119899) and the network parameters (let 119886119894 = 119887119894 = 120573 = )

the following learning rules are followed

Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3

1198861015840119894 = 119886119894 + 119909119888119904 minus 119909119888119904min119909119888119904max minus 119909119888119904min


(13)

Rule 4 Use 119885119891119899119891 119886119894 and 119887119894 to calculate and update the

optimum external weight 120573 (let 119869(119886119894 119887119894 120573) = 120590) with (7)119885119891119899119891 119885119888119899119888 119886119894 119887119894 and 120573 are updated After several iterations119869(119886119894 119887119894 120573) le 120590The procedure of the algorithm is as follows(1) Initialize the sample sets (let 119885119891

119899119891= 119885119888119899119888 = 119885119899) and

network structure parameters (let 119886119894 = 119887119894 = 120573 = )on the cloud server side(2) Randomly generate hidden layer node parameters onfog nodeMEC host (119886119894 119887119894) 119894 = 1 119871(3) Calculate the hidden layer output matrix H (ensurethat H is of full column rank)(4) Calculate 119869(119886119894 119887119894 120573) and 119880119888(5) If 119869(119886119894 119887119894 120573) le 120590 turn to step (10) otherwisecontinue(6) Select 119885119888119904 from 119885119888119899119888 119885119891119899119891 = 119885119891119899119891 cup 119911119888119904 119885119888119899119888 = 119885119888119899119888 minus119911119888119904(7)Update 119886119894 and 119887119894 1198861015840119894 = 119886119894 + ((119909119888119904 minus 119909119888119904min)(119909119888119904max minus119909119888119904min)) 1198871015840119894 = 119887119894 + ((119909119888119904 minus 119909119888119904min)(119909119888119904max minus 119909119888119904min))(8) Use 119885119891

119899119891 119886119894 and 119887119894 to calculate and update the

optimum external weight 120573 (let 119869(119886119894 119887119894 120573) = 120590) with (7)(9) If 119885119888119899119888 = execute step (4) otherwise continue(10) Use 119885119899 119886119894 and 119887119894 to calculate and update theoptimum external weight 120573 with (7) and the algorithm endshere

In this work the hidden layer activation function of ELMmodel adopts a sigmoid transformation function

119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)

An algorithm analysis shows that most of the time takenfor selecting samples for fog nodesMEC hosts was spentin calculating 119869(119886119894 119887119894 120573) Assuming that 119905(119869) is the averagetime for calculating 119869(119886119894 119887119894 120573) and that the delay causedby data transmission between the cloud computing and fognodesMEC hosts is 1199051015840 (1199051015840 ≪ 119905(119869)) then the learning time forfog nodesMEC hosts is 119905(119873) asymp 119899119897 sdot 119905(119869)5 Numerical Simulation

At present there are no training sets available for FCMECintrusion detection Therefore we used the KDD Cup 99


Table 1 Comparison of algorithms in testing accuracy and trainingtime

Algorithm Accuracy () Training time (s)SS-ELM 9907 plusmn 011 452 plusmn 010ELM 9609 plusmn 007 415 plusmn 004BP 8416 plusmn 018 38792 plusmn 021SVM 9425 plusmn 008 1502 plusmn 014CVM-ELM 9687 plusmn 023 1247 plusmn 053

data set [25] for the analysis in the simulation experimentsIn the data set 41 fields were collected for each networkconnectionThe abnormal types were divided into fourmajorcategories of 39 attack types of which 22 attack types werepresented in the training set and 17 unknown attack typeswere presented in the test set In addition the KDD99connection records contained both symbolic features anddiscrete features Therefore the symbolic features neededto be converted prior to the experiment We used the datapreprocessing scheme reported in the literature [26] Thedata preprocessing primarily includes converting categoryfeatures into metric features and then normalizing metricfeatures to prevent greater metric features from dominatingand outweighing smaller features For the supervised learningand prediction conducted in the experiment all featureswere normalized to be within [0 1] The cloud server wassimulated in Windows 7 operating system (i7-2760QM24GHzCPU 800GBRAM) and the SS-ELMalgorithmwasimplemented using Matlab 2014a

We compared the performance of various fog IDS clas-sifiers including the SS-ELM traditional ELM BP neuralnetwork SVM and CVM-ELM [27]The ELM BP and SVMwere deployed on fog nodesMEC hosts The kernel functionof SVM was rbf 119892119886119898119898119886 = 0005 and 119862 = 10 The BPlearning rate was 006 themomentum coefficient was 09 themaximum number of epochs (iterations) was 5000 and thegoal was 00001 A total of 2000 and 10000 pieces of datawere selected from the KDD Cup 99 and used as trainingsamples and test samples respectively The training time anddetection accuracy were compared The experimental datawere the average of 10 runs

According to the results in Table 1 the SS-ELM hasthe highest accuracy which proves that SS-ELM is themost suitable classifier algorithm for fog nodeMEC hostdeployment while from the training time perspective theSS-ELM requires a slightly longer training time than thetraditional ELM because sample selection is required in theSS-ELM BP performed poorer than the SS-ELM and ELM interms of training time and accuracy and the SVM and CVM-ELM also require a longer training time Therefore in termsof accuracy SS-ELM is more suitable for intrusion detectionin FCMEC

In experiment 2 we analyzed the training time and accu-racy of the SS-ELM algorithm for training sets of differentscales Based on the results of experiment 1 we selectedonly SS-ELM ELM CVM-ELM and SVM for comparison

times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()

02 04 06 08 1 12 14 16 18 20The amount of data in the training set

SS-ELMELMSVM

CVM-ELM

Figure 5 Accuracy rate comparison of SS-ELM ELM SVM andCVM-ELM

times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM

Figure 6 Training time comparison of SS-ELM ELM and SVM

of the training time and accuracy The training set sizes wereselected as 1000 2000 20000 The experimental resultsare shown in Figures 5 and 6

As shown in Figure 5 as the size of the training setincreases SS-ELM shows the highest intrusion detectionaccuracy in FCMEC relative to that of ELM and SVM Weanalyze it from the aspect of algorithm and we think that themain reason is the following(1) Unlike the traditional classic gradient-based learningalgorithms which intend to reach minimum training errorbut do not consider the magnitude of weights the ELM tends


to reach not only the smallest training error but also thesmallest norm of weights(2) Unlike the traditional classic gradient-based learn-ing algorithms facing several issues like local minimumimproper learning rate overfitting and so forth the ELMtends to reach the solutions straightforwardly without suchtrivial issues(3) In our improved algorithm we optimize the squareloss function 119869 = sum119873119895=1(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) for each fognodeMEC host in the training phase This optimization ismainly reflected in the process of sample selection Accordingto formula (7) to formula (10) in the manuscript each fognodeMEC host has an optimal external weight 120573 in thenetwork environment which is more suitable for the train-ing

For the training time as shown in Figure 6 the simulationresult shows that the training time of our proposed SS-ELMis slightly less than of ELM The main reason is that SS-ELM has more than one sample selection step comparedwith ELM Although the SS-ELM performed worse than theELM the difference is small and within an acceptable rangeTherefore we conclude that SS-ELM algorithm performsbetter in intrusion detection of FCMEC

As noted in Section 3 fog nodesMEC hosts in theFCMEC network are highly dynamicThus wemust analyzethe robustness of the algorithm designed specifically wemust analyze the dependency of SS-ELM algorithm ontime statistics In the KDD99 data set there are 9 features(features 23ndash31) that are about time-based traffic features ofthe connection records These features are based on timestatistics They can present some relationships between thecurrent connection records and the connection records inthe previous period However in the real FCMEC networkenvironment there are a large number of raw data withoutmanual statistical processing That is to say it is very difficultfor us to obtain data based on time statistics In order toensure that the classifier algorithm can work effectively in thenetwork environmentwith high real time and high dynamicswe removed features 23ndash31 to carry on experiment 3 Inaddition new data sets obtained were used to compare thefour algorithms used in experiment 1 The results are shownin Figure 7

Figure 7 shows that the accuracy of SS-ELM did notdecrease significantly after removing the time statistical fea-tures while the ELM BP SVM and CVM-ELM showed thataccuracy decreases to various extents with the decrease of theBP algorithm being the greatest From the data of experiment3 we can conclude that the SS-ELM has the least dependencyon time attribute and is suitable for network environmentsthat are highly dynamic and feature large changes

In experiment 4 to analyze the false positive rate ofthe SS-ELM we showed the performance of SVM SS-ELMand ELM in terms of the receiver operating characteristics(ROCs) [28] for the ROC curve the 119909-axis represents thefalse positive rate and the 119910-axis represents the true positiverate A classifier algorithm with a larger area under the ROCcurve (AUC) performs better Figure 8 shows that SS-ELMoutperformed the other two algorithms in FCMEC

The time statistics attribute not removedThe time statistics attribute removed

0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()

ELM BP SVM CVM-ELMSS-ELMThe algorithm

Figure 7 A comparative study on the dependence of time-dependent attributes

0

01

02

03

04

05

06

07

08

09

1

True

pos

itive

01 02 03 04 05 06 07 08 09 10False positive rate

SVMSS-ELMELM

CVM-ELM

Figure 8 ROC of SVM SS-ELM ELM and CVM-ELM

6 Conclusions

FCMEC is a newparadigm Fog nodesMEChostsrsquo resource-constrained features bring about newproblems to the securityrealm particularly in the area of intrusion detection ForMEC its characteristics are similar to FCMEC In thepresent study an FCMEC IDS scheme was established basedon the analysis of the network characteristics and securityrequirements of FCMEC In addition an SS-ELM algo-rithm that combines sample selection and ELM is proposedaccording to the network characteristics of FCMEC Thetraining time and detection accuracy of ELM BP and SVMare examined experimentally In the experiment the SS-ELM


algorithm shows excellent performance in FCMEC particu-larly in accuracy and time dependence Several experimentshave demonstrated the advantages of SS-ELMas a lightweightalgorithm from different perspectives and have contributedto solving the problems caused by resource constraints inFCMEC

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the National Science and Technol-ogyKey Projects (no 61602034) and theUSNational ScienceFoundation under Grants CNS-1559696 and IIA-1301726

References

[1] A Alrawais A Alhothaily C Hu and X Cheng ldquoFog Comput-ing for the Internet ofThings Security and Privacy Issuesrdquo IEEEInternet Computing vol 21 no 2 pp 34ndash42 2017

[2] E Portal ldquoMobile-edge computing-introductory technicalwhite paperrdquo Tech Rep 2014

[3] M Beck M Werner S Feld and S Schimper ldquoMobile edgecomputing A taxonomyrdquo in Proceedings of the the 6th Interna-tional Conference on Advances in Future Internet 2014

[4] S Wang Y Zhao L Huang J Xu and C Hsu ldquoQoS predic-tion for service recommendations in mobile edge computingrdquoJournal of Parallel and Distributed Computing In press

[5] R Roman J Lopez and M Mambo ldquoMobile edge computingFog et al a survey and analysis of security threats andchallengesrdquo Future Generation Computer Systems vol 78 pp680ndash698 2018

[6] X Masip-Bruin E Marın-Tordera G Tashakor A Jukan andG-J Ren ldquoFoggy clouds and cloudy fogs A real need forcoordinated management of fog-to-cloud computing systemsrdquoIEEEWireless CommunicationsMagazine vol 23 no 5 pp 120ndash128 2016

[7] S Yi C Li and Q Li ldquoA survey of fog computing conceptsapplications and issuesrdquo in Proceedings of the Workshop onMobile Big Data (Mobidata rsquo15) pp 37ndash42 ACM HangzhouChina June 2015

[8] C Dsouza G-J Ahn andM Taguinod ldquoPolicy-driven securitymanagement for fog computing preliminary framework anda case studyrdquo in Proceedings of the 15th IEEE InternationalConference on Information Reuse and Integration (IEEE IRI rsquo14)pp 16ndash23 Redwood City Calif USA August 2014

[9] D E Denning ldquoAn Intrusion-Detection Modelrdquo in Proceedingsof the IEEE Symposium on Security and Privacy p 118 OaklandCalif USA April 1986

[10] S Wang Q Sun H Zou and F Yang ldquoDetecting SYN floodingattacks based on traffic predictionrdquo Security Communicationvol 5 pp 1131ndash1140 2012

[11] O Linda T Vollmer and M Manic ldquoNeural Network basedintrusion detection system for critical infrastructuresrdquo in Pro-ceedings of the International Joint Conference on Neural Net-works IJCNN 2009 pp 1827ndash1834 Atlanta Ga USA June 2009

[12] I Stojmenovic and S Wen ldquoThe fog computing paradigmscenarios and security issuesrdquo in Proceedings of the Federated

Conference on Computer Science and Information Systems (Fed-CSIS rsquo14) pp 1ndash8 IEEE Warsaw Poland September 2014

[13] S J Stolfo M B Salem and A D Keromytis ldquoFog computingMitigating insider data theft attacks in the cloudrdquo in Proceedingsof the 1st IEEE Security and Privacy Workshops SPW 2012 pp125ndash128 San Francisco Calif USA May 2012

[14] Y Wang T Uehara and R Sasaki ldquoFog computing Issues andchallenges in security and forensicsrdquo in Proceedings of the 39thIEEE Annual Computer Software and Applications ConferenceWorkshops COMPSACW 2015 pp 53ndash59 Taichung TaiwanJuly 2015

[15] S Yi Z Qin and Q Li ldquoSecurity and Privacy Issues of FogComputing A Surveyrdquo in Wireless Algorithms Systems andApplications vol 9204 of Lecture Notes in Computer Science pp685ndash695 Springer International Publishing Cham 2015

[16] Y Shi S Abhilash and K Hwang ldquoCloudlet mesh for securingmobile clouds from intrusions and network attacksrdquo in Proceed-ings of the 3rd IEEE International Conference on Mobile CloudComputing Services and Engineering MobileCloud 2015 pp109ndash118 San Francisco Calif USA April 2015

[17] N Pitropakis C Lambrinoudakis and D Geneiatakis ldquoTill allare one Towards a unified cloud IDSrdquo in Trust Privacy andSecurity in Digital Business vol 9264 pp 136ndash149 SpringerInternational Publishing 2015

[18] E C Oscar E B Fernandez and M A Raul ldquoThreat analysisand misuse patterns of federated Inter-Cloud systemsrdquo in Pro-ceedings of the 19th European Conference on Pattern Languagesof Programs EuroPLoP 2014 Irsee Germany July 2014

[19] P Mishra E S Pilli V Varadharajan and U Tupakula ldquoVAEDVMI-assisted evasion detection approach for infrastructure asa service cloudrdquo Concurrency Computation Practice Experiencevol 29 no Issue p 30 2017

[20] G B Huang Q Y Zhu and C K Siew ldquoExtreme learningmachine theory and applicationsrdquoNeurocomputing vol 70 no1ndash3 pp 489ndash501 2006

[21] C Cheng W P Tay and G-B Huang ldquoExtreme learningmachines for intrusion detectionrdquo in Proceedings of the AnnualInternational Joint Conference on Neural Networks IJCNN 2012Brisbane Australia June 2012

[22] Z Ye and Y Yu ldquoNetwork intrusion classification based onextreme learning machinerdquo in Proceedings of the IEEE Interna-tional Conference on Information and Automation ICIA 2015pp 1642ndash1647 Lijiang China August 2015

[23] W Srimuang and S Intarasothonchun ldquoClassification model ofnetwork intrusion usingWeighted Extreme LearningMachinerdquoin Proceedings of the 12th International Joint Conference onComputer Science and Software Engineering JCSSE 2015 pp190ndash194 Songkhla Thailand July 2015

[24] C Cai H Pan and G Cheng ldquoFusion of BVM and ELM foranomaly detection in computer networksrdquo in Proceedings ofthe International Conference on Computer Science and ServiceSystem CSSS 2012 pp 1957ndash1960 Nanjing China August 2012

[25] KDD CUP 99 data set httpkddicsuciedudatabaseskddcup99kddcup99html

[26] J J Davis and A J Clark ldquoData preprocessing for anomalybased network intrusion detection a reviewrdquo Computers ampSecurity vol 30 no 6-7 pp 353ndash375 2011

[27] Y Zhou An incremental ELM algorithm based on instanceselection [MS thesis] Hebei University Hebei China 2015

[28] A P Bradley ldquoThe use of the area under the ROC curvein the evaluation of machine learning algorithmsrdquo PatternRecognition vol 30 no 7 pp 1145ndash1159 1997

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


IDS is an important security barrier that can quickly detectintrusion and security risks in the network [9 10] Thedetection algorithm is one of the most important parts inIDS An intrusion detection algorithm suitable for criticalinfrastructures can accurately and quickly detect intrusions[11] Therefore to adapt to the new paradigm of FC thepresent study focuses on the intrusion detection scheme toensure the security and meet new challenges

This paper will first analyze the security problems inFCMEC According to fog nodesMEC hostsrsquo resource-constrained characteristics an intrusion detection schemewith a lightweight algorithm is proposed This design takesfull advantage of the computing resources of fog nodesMEChosts It deploys classifiers for intrusion detection on fognodesMEC hosts and stores training data sets in the cloudserver The contribution of this work is as follows(1) According to the network characteristics of fog thispaper proposes a general scheme of intrusion detectionsystem in FCMEC environment(2) Based on the traditional ELM this paper innovativelyadds the sample selection process in the training phase Thisdesign is used to improve the classifier algorithm so that itcan become more lightweight when fog nodesMEC hostsperform tasks(3) We compare the performance of BP SVM ELMand SS-ELM as intrusion detection classifiers and verify thesuperiority of SS-ELM

The paper is organized as follows In Section 2 wewill review related works on FCMEC security and extremelearning machine- (ELM-) based IDSs In Section 3 wewill discuss the requirements and schemes of an IDS inan FCMEC environment In Section 4 we will introducean ELM-based intrusion detection algorithm for FCMECSection 5 will describe the simulation to verify the algorithmThe paper is concluded in Section 6

2 Related Works

Existing research on FCMEC security mainly focuses onanalyzing security threats in FCMEC and the correspondingcountermeasures [7 12ndash14]

Dsouza et al [8] first described the advantages of FCas a new paradigm and elaborated the security problemsin several different scenarios of FC including intelligentinstrument authentication MIM attacks and privacy issuesin FCMEC Yi et al [7] suggested that FC security isa problem worthy of studying particularly the aspects ofauthentication access control intrusion detection and userprivacy issues FCMECrsquos possible contribution to networksecurity has been discussed from the perspective of computerforensics [13 14] In particular Wang et al compared cloudcomputing and FCMEC in terms of security [14] and notedthat FCMEC and honeypot technology can be integratedinto cloud computing forensics to protect the security ofcloud servers

There are some studies related to intrusion detection inFCMEC [5 15 16] The security of edge computing haspreviously been reviewed [5] and the author suggested thatFCMEC is a paradigm of edge computing In that paper

various security issues encountered in edge computing andsecuritymechanismswere discussed in detail In addition theauthor noted that a fog IDS should meet the defense needsof both local fog nodesMEC hosts and the entire networkbe able to detect lasting threats and have an intrusionprevention mechanism that can operate autonomously It hasbeen noted that an IDS can be deployed on the fog nodeMEChost side (host-side detection) or fog networkMEC networkside (network-side detection) tomonitor host-side intrusionsor network-side attacks [15] A new cloudlet mesh securityarchitecture was proposed based on cloudlets [16] and thisarchitecture is used to protect the mobile cloud network Ifcloudlet servers are treated as fog nodesMEC hosts thensuch architecture constitutes a host-side IDS

FCMEC is an extension computing paradigm of cloudcomputing Therefore we refer to the virtual machine (VM)IDS in cloud computing in the present study For examplean intrusion detection scheme deployed in a cloud VMwas introduced which was based on the Smith-Watermanalgorithm to collect and detect the anomalous behavior ofVMs [17] This algorithm improved the systemrsquos detectionefficiency and thus reduced the detection time to some extentIn a previous report [18] attacking threats in federated cloudenvironments were analyzed and a detection system formisuse cataloging was proposed An approach named VAEDwhich is deployed in VMs was given [19] Its results seem tobe promising for detecting evasion-based malware attacks

Many studies focused on intrusion detection Howeversince the scenarios of these studies are in the cloud thereis no focus on IDS in resource-constrained environmentsespecially FCMEC That is to say lightweight IDS is worthstudying in FCMEC

Intrusion detection techniques include statistics-baseddetection data-mining-based detection expert-system-based detection support vector machine- (SVM-) baseddetection genetic-algorithm-based detection and neural-network-based detection Considering the heterogeneityand dynamic characteristics rich network resources andcomplex attack behaviors in FCMEC we will use theELM-based algorithm to design and implement an intrusiondetection scheme in FCMEC in this paper The ELM is aneural network method At the end of this section we willreview the application of an ELM in intrusion detection

The ELM was first proposed by Huang et al [20] Thisalgorithm uses a random mechanism to reduce the numberof parameters to set and select and thus is a simple and fastlearning algorithm ELMs have been widely used in manyfields since their proposal including intrusion detection AnELM was used for intrusion detection and showed greateraccuracy in intrusion detection than that of an SVM [21]Ye and Yu proposed an intrusion detection method inwhich each class was combined into an ensemble classifierusing a one-to-all strategy [22] A weighted ELM was alsoproposed for intrusion detection [23] Cai et al proposeda new fusion method which combined with a ball vectormachine (BVM) ELM and a back propagation (BP) neuralnetwork for intrusion detection This method has shownstrong performance in detection accuracy and false positiverate [24]


Fog nodeMEC host

Fog nodeMEC host

Fog nodeMEC host


equipmentUser

layer

ProbingAttack

attackDDoS

(U2R) Attack

(R2L) Attack

Cloudcomputing





















Managementlayer

Analysislayer

Detectionlayer

Networklayer


User equipmentlayer

Intrusionresponse


Fog networkprotocol




Statisticalmodule

Cloudserver


Fog nodeMEC host

WiFi Ethernet 5G

WSN M2M


Cloudcomputing

Fog node

DDoS attack

Probing attack

Fog node layer

User equipmentlayer

Sampleselection

Total sample set


Rules

(R2L) Attack


Attacktype n

Intrusion response

Fog node

Detectionclassifier








119891119871 (119909119897) = 119871sum119894=1

120573119894119866 (119886119894 119887119894 119909) (1)


119866 (119886119894 119887119894 119909) = 119892 (119886119894 sdot 119909 + 119887119894) (2)

m

i L

d

f(x)

1 i L


G(aL bL x)

X

1

1

1



119891119871 (119909119895) = 119871sum119894=1

119866 (119886119894 119887119894 119909) = 119910119895 119895 = 1 119873 (3)


H120573 = 119884 (4)


H0 (1198861 119886119871 1198871 119887119871 1199091 119909119873)

= [[[[[


]]]]]119873times119871

(5)

120573 is output weight 120573 = [ 120573119879

1

120573119879119871

]119871times119898

and 119884 = [ 119910119879

1

119910119879119873

]119873times119898




H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898


defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)


119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)


10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)


120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)




119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup


119885119891119899119891






Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3



(13)



119899119891= 119885119888119899119888 = 119885119899) and





119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)










times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Fog nodeMEC host

Fog nodeMEC host

Fog nodeMEC host


equipmentUser

layer

ProbingAttack

attackDDoS

(U2R) Attack

(R2L) Attack

Cloudcomputing





















Managementlayer

Analysislayer

Detectionlayer

Networklayer


User equipmentlayer

Intrusionresponse


Fog networkprotocol




Statisticalmodule

Cloudserver


Fog nodeMEC host

WiFi Ethernet 5G

WSN M2M


Cloudcomputing

Fog node

DDoS attack

Probing attack

Fog node layer

User equipmentlayer

Sampleselection

Total sample set


Rules

(R2L) Attack


Attacktype n

Intrusion response

Fog node

Detectionclassifier








119891119871 (119909119897) = 119871sum119894=1

120573119894119866 (119886119894 119887119894 119909) (1)


119866 (119886119894 119887119894 119909) = 119892 (119886119894 sdot 119909 + 119887119894) (2)

m

i L

d

f(x)

1 i L


G(aL bL x)

X

1

1

1



119891119871 (119909119895) = 119871sum119894=1

119866 (119886119894 119887119894 119909) = 119910119895 119895 = 1 119873 (3)


H120573 = 119884 (4)


H0 (1198861 119886119871 1198871 119887119871 1199091 119909119873)

= [[[[[


]]]]]119873times119871

(5)

120573 is output weight 120573 = [ 120573119879

1

120573119879119871

]119871times119898

and 119884 = [ 119910119879

1

119910119879119873

]119873times119898




H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898


defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)


119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)


10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)


120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)




119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup


119885119891119899119891






Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3



(13)



119899119891= 119885119888119899119888 = 119885119899) and





119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)










times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia
















Managementlayer

Analysislayer

Detectionlayer

Networklayer


User equipmentlayer

Intrusionresponse


Fog networkprotocol




Statisticalmodule

Cloudserver


Fog nodeMEC host

WiFi Ethernet 5G

WSN M2M


Cloudcomputing

Fog node

DDoS attack

Probing attack

Fog node layer

User equipmentlayer

Sampleselection

Total sample set


Rules

(R2L) Attack


Attacktype n

Intrusion response

Fog node

Detectionclassifier








119891119871 (119909119897) = 119871sum119894=1

120573119894119866 (119886119894 119887119894 119909) (1)


119866 (119886119894 119887119894 119909) = 119892 (119886119894 sdot 119909 + 119887119894) (2)

m

i L

d

f(x)

1 i L


G(aL bL x)

X

1

1

1



119891119871 (119909119895) = 119871sum119894=1

119866 (119886119894 119887119894 119909) = 119910119895 119895 = 1 119873 (3)


H120573 = 119884 (4)


H0 (1198861 119886119871 1198871 119887119871 1199091 119909119873)

= [[[[[


]]]]]119873times119871

(5)

120573 is output weight 120573 = [ 120573119879

1

120573119879119871

]119871times119898

and 119884 = [ 119910119879

1

119910119879119873

]119873times119898




H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898


defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)


119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)


10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)


120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)




119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup


119885119891119899119891






Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3



(13)



119899119891= 119885119888119899119888 = 119885119899) and





119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)










times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








119891119871 (119909119897) = 119871sum119894=1

120573119894119866 (119886119894 119887119894 119909) (1)


119866 (119886119894 119887119894 119909) = 119892 (119886119894 sdot 119909 + 119887119894) (2)

m

i L

d

f(x)

1 i L


G(aL bL x)

X

1

1

1



119891119871 (119909119895) = 119871sum119894=1

119866 (119886119894 119887119894 119909) = 119910119895 119895 = 1 119873 (3)


H120573 = 119884 (4)


H0 (1198861 119886119871 1198871 119887119871 1199091 119909119873)

= [[[[[


]]]]]119873times119871

(5)

120573 is output weight 120573 = [ 120573119879

1

120573119879119871

]119871times119898

and 119884 = [ 119910119879

1

119910119879119873

]119873times119898




H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898


defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)


119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)


10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)


120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)




119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup


119885119891119899119891






Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3



(13)



119899119891= 119885119888119899119888 = 119885119899) and





119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)










times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




H120573 = 119884 + 119864 (6)

in which 119864 = [ 119890119879

1

119890119879119873

]119873times119898


defined as

119869 = 119873sum119895=1

(120573119894119866(119886119894 119887119894 119909119895) minus 119910119895) (7)


119869 = (H120573 minus Y)119879 (H120573 minus Y) (8)


10038171003817100381710038171003817H120573 minus 11988410038171003817100381710038171003817 = min120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 (9)


120573 = argmin120573

1003817100381710038171003817H120573 minus 1198841003817100381710038171003817 = H+119884 (10)




119899119891= 119911119891119895 = (119909119891119895 119910119891119895 )119899119891119895=1 and backup


119885119891119899119891






Rule 1

119885119891119899119891= 119885119891119899119891cup 119911119888119904 (11)

Rule 2

119885119888119899119888 = 119885119888119899119888 minus 119911119888119904 (12)

Rule 3



(13)



119899119891= 119885119888119899119888 = 119885119899) and





119866 (119886119894 119887119894 119909) = 11 + 119890minus(119886119894119909+119887119894) (14)










times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









times104

90

91

92

93

94

95

96

97

98

99

100

Accu

racy

()


SS-ELMELMSVM

CVM-ELM


times104

0

2

4

6

8

10

12

14

16

Trai

ning

tim

e (s)


SS-ELMELMSVM

CVM-ELM











0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









0

10

20

30

40

50

60

70

80

90

100

Accu

racy

()



0

01

02

03

04

05

06

07

08

09

1

True

pos

itive


SVMSS-ELMELM

CVM-ELM


6 Conclusions






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






Acknowledgments


References
































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


sample selected extreme learning machine based...

Documents