
MATEC Web of Conferences 392, 01103 (2024) https://doi.org/10.1051/matecconf/202439201103
ICMED 2024

Securing IoT networks: a fog-based framework for malicious device detection

Dr. Raghu Kumar Lingamallu1*, Pradeep Balasubramani2, Dr. S. Arvind3
Dr.P. Srinivasa Rao4, Veeraswamy Ammisetty5, Koppuravuri Gurnadha Gupta6, and
Dr.M.N. Sharath7, YJ Nagendra Kumar8, Vaibhav Mittal9
1Assistant Professor, Department of CSE, KG Reddy College of Engineering and Technology,
Chilkur Village, Hyderabad, India, 501504
2Consultant, PS Consulting and Solutions
3Professor, Department of Computer Science Engineering, Hyderabad Institute of Technology and
Management, India
4Associate Professor, Department of Computer Science & Engineering, Vaasireddy Venkatadri
Institute of Technology, Namburu, Guntur, India
5Associate Professor, Department of Computer Science & Engineering, Koneru Lakshmaiah
Education Foundation, Vaddeswaram, Guntur, Andhra Pradesh, India
6Department of Computer Science and Engineering, Koneru Lakshmaiah Education Foundation,
Vaddeswaram, Guntur District, Andhra Pradesh, India, 522302
7Associate Professor, Rajeev Institute of Technology, Hassan, India
8Department of IT, GRIET, Hyderabad, Telangana, India
9Lovely Professional University, Phagwara, Punjab, India.

Abstract. Ensuring device security is a significant obstacle to effectively
implementing the Internet of Things (IoT) and fog computing in today's
Information Technology (IT) landscape. Researchers and IT firms have
investigated many strategies to safeguard systems against unauthorized
device assaults, often known as outside device assaults. Cyber-attacks and
data thefts have significantly risen in many corporations, organizations, and
sectors due to exploiting vulnerabilities in safeguarding IoT gadgets. The
rise in the variety of IoT gadgets and their diverse protocols has increased
zero-day assaults. Deep Learning (DL) is very effective in big data and
cyber-security. Implementing a DL-based Gated Recurrent Unit (GRU) on
IoT devices with constrained resources is unfeasible due to the need for
substantial computational power and robust storage capacities. This study
introduces an IoT-based Malicious Device Detection (IoT-MDD) that is
dispersed, resilient, and has a high detecting rate for identifying various IoT
cyber-attacks using deep learning. The suggested design incorporates an
Intrusion Detection System (IDS) on fog nodes because of its decentralized
structure, substantial processing capabilities, and proximity to edge gadgets.
Tests demonstrate that the IoT-MDD model surpasses the performance of
the other models. The study found that the cybersecurity architecture
effectively detects malicious gadgets and decreases the percentage of false
IDS alarms.

* Corresponding author: lrgupta528@gmail.com

© The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative
Commons Attribution License 4.0 (https://creativecommons.org/licenses/by/4.0/).

1 Outline of IoT-based malicious device detection and IDS


The rapid growth of IoT devices and their utilization in diverse domains, including smart
cities, smart well-being, smart residences, and more, has yielded many advantages in recent
years. IoT networks are undergoing exponential expansion, as the estimated quantity of these
devices will approach 55 billion by the end of 2021 [1]. This expansion presents a multitude
of obstacles. One primary concern pertains to the security of these interconnected devices,
as they are progressively susceptible to malicious attacks. Conversely, IoT devices are beset
by insufficient computing and storage capacities, which are critical for implementing security
measures like network anomaly prevention, which is typically handled by IDS on IoT
networks [2].
Security issues related to IoT networks typically manifest as anomalies, which occur
when regular network traffic patterns deviate. Such anomalous network traffic flows include
reconnaissance and Distributed Denial of Service (DDoS) attacks [3]. These assaults, which
are frequently instigated by a botnet, exemplify prevalent anomalies that can be observed in
IoT networks. A botnet is a collection of compromised nodes or systems within a network
that are under the remote control of malicious users. Multiple forms of assaults are carried
out using these nodes or systems [4]. A botnet attack is commonly distinguished by three
characteristics: attack origin resemblance, traffic flow deviation between the normal and
attack networks, and automated attack implementation [5].
The Mirai botnet attack continues to be a prevalent intrusion targeting IoT networks, and
Mirai botnets have developed over time [6]. In a recent instance, between March and April of
2019, an entertainment service provider offering online streaming services was targeted by
an attack utilizing a Mirai variant. More than 390,000 vulnerable IoT devices were
employed to execute the assaults. During its thirteen-day existence, the botnet produced an
estimated 300,000 queries per second [7].
Although an anomaly mitigation strategy cannot identify the device-level misuse of default
login information by the Mirai malware, this incident demonstrates the vulnerability of, and
the danger posed to, the nodes in IoT networks. For this reason, implementing anomaly
mitigation systems is an essential component of protection measures against botnet attacks
conducted via many devices in IoT networks. By mitigating the resource constraints
associated with anomaly minimization techniques in IoT networks, fog computing can be
utilized to safeguard and guarantee the effective functioning of IoT devices connected to the
network. The concept of fog computing involves relocating computational, archiving, and
delay requirements, along with energy usage, to the network's periphery [8]. By adopting this
approach, IoT devices and applications can obtain improved and expedited responses while
circumventing the need to execute activities that strain their resources and diminish their
efficacy.
DL is highly effective in big data and cybersecurity applications. Deploying DL on IoT
devices with limited resources is impractical because it requires significant computational
capabilities and robust storage capacities. This
research paper presents an IoT-based Malicious Device Detection (IoT-MDD) system that
utilizes DL to identify diverse IoT cyber-attacks. The IoT-MDD is distributed, flexible, and
has a high detection rate.

2 Research background

A fog computing-based IDS architecture for IoT networks was proposed by Labiod et al.
(2022). The approach they propose utilizes fog computing to strengthen network security by
identifying and preventing intrusions [9]. Enhancement of network resilience against cyber
hazards is a component of the output. De Souza et al. (2022) undertook a systematic literature
review concerning IDS and prevention in fog-based IoT environments. This review
contributes to the body of work by Labiod et al. by examining different intrusion detection
techniques, thereby enhancing the proposed architecture.
De Souza et al. [10] conducted a systematic literature review to examine established
methodologies employed in fog-based IoT environments for an IDS. In contrast to Labiod et
al., who concentrate on presenting a particular architectural proposal, De Souza et al. offer a
more comprehensive outlook by examining diverse methodologies. This review facilitates
the identification of research gaps and establishes a foundation for subsequent developments
in the field.
SIMAD, a secure, intelligent method for detecting assaults in IoT-fog environments [11],
was proposed by Daoud and Mahfoudhi (2022). Expanding upon the observation of De
Souza et al. regarding the necessity for more advanced IDS, Daoud and Mahfoudhi propose
a rational strategy to reinforce network security. Their proposed approach seeks to enhance
network security and threat detection capabilities, thus filling in some of the deficiencies
identified in the literature review.
Lawal et al. introduced a fog computing-based DDoS attack mitigation framework for
IoT networks. In IoT-fog environments, this framework extends the research of Daoud and
Mahfoudhi [12] by addressing particular threats, such as DDoS attacks. In line with
bolstering network security, their framework endeavors to boost network resilience against
DDoS assaults by distributing detection and mitigation responsibilities across fog nodes.
A fuzzy logic and fog-based secure architecture for the IoT was proposed by Zahra and
Chishti (2020). The security of fog computing environments is improved by incorporating
fuzzy logic-based decision-making mechanisms into this architecture [13]. In contrast to the
narrow concentration of Lawal et al. on particular threats such as DDoS attacks, Zahra and
Chishti propose a security architecture encompassing a wider range of challenges in IoT
systems, including intrusion detection.
A secure integrated framework for fog-assisted IoT systems was introduced by Junejo et
al. By integrating fog computing capabilities with conventional security mechanisms, their
framework [14] effectively tackles the security challenges in IoT systems. Expanding on the
research conducted by Zahra and Chishti, this framework offers a comprehensive perspective
on IoT security that incorporates conventional and fog-based security protocols.
Using fuzzy logic and a fog-based approach, Zahra and Chishti (2022) proposed a lightweight
and generic security mechanism for detecting malicious behavior in the uncertain IoT [15].
Here, Zahra and Chishti continue to investigate the security implications of
fuzzy logic in IoT environments. Supplementing the more comprehensive security
framework by Junejo et al., their lightweight security mechanism seeks to tackle the
difficulties associated with identifying malicious activity in uncertain IoT environments.
Samy et al. (2020) introduced a DL-based fog-based attack detection framework designed
for the IoT. DL techniques for attack detection and prevention in IoT environments are
introduced in this framework [16]. In contrast to Zahra and Chishti, who center their attention
on fuzzy logic-based methodologies, Samy et al. investigate using DL to improve security in
IoT-fog environments. Their framework presents an alternative approach to
attack detection and prevention, enhancing the current literature corpus. An analysis of these
papers collectively reveals a development in research endeavors focused on boosting security
measures within IoT-fog environments. Each work expands upon
prior research by tackling distinct obstacles and presenting innovative methods to enhance
the security of networks.

3 Proposed IoT-based Malicious Device Detection (IoT-MDD)


Conventional IoT architectures transfer information from the periphery level to higher levels
(e.g., the cloud and fog) via intelligent gateway devices. Due to the great distance between
the cloud and the peripheral layer, data analysis is time-consuming and intermittent.
Therefore, this procedure is inappropriate for handling sensitive information that necessitates
an immediate reaction. To address these issues, fog computing is implemented, which
involves relocating the cloud near the data sources.
Many IoT and edge devices dispersed across various geographic regions produce
enormous volumes of data that necessitate prompt analysis to identify security breaches.
Centralized intrusion detection is, therefore, inappropriate for IoT security surveillance. The
framework under consideration is established on distributed fog nodes and operates on a DL
(GRU) model. It is managed and updated through a service situated within the cloud
computing layer. The proposed framework comprises four primary phases: training and
testing of DL models, deployment of the framework, data analysis and DL-based attack
detection, and analysis and performance update. The conceptual framework's phases are
illustrated in Fig. 1.

Fig. 1. Methodology for securing IoT network through DL-based intrusion detection

Phase 1: DL (GRU) learning and testing

The chosen DL model significantly influences the accuracy and efficacy of the proposed
framework's detection capabilities, and the quality of the DL model mirrors the
quality of the training data. This phase aims to identify the most effective DL model and train
it using IoT data in the cloud layer (CL) to detect a wider range of attacks. As
previously stated, a smart IoT gateway processes all IoT communications routed to higher
layers (fog and cloud) or transferred between IoT devices. "tcpdp" is a packet analyzer and
network sniffer used to capture packets sent or received at the network interface. Executed
on the intelligent IoT gateway, tcpdp gathers raw data packets from the IoT network
as a Pcap file. The raw network data is converted to CSV format using a network
traffic flow analyzer that extracts over seventy-five network traffic characteristics.

This phase comprises multiple stages, the first of which entails training the GRU
model on the available IoT dataset obtained in the preceding stage. The GRU
model is trained in the CL to increase its execution speed. We then execute the GRU model
to evaluate and build the model. For binary classification, we employ the sigmoid
activation function; for multi-class classification, we utilize softmax. "Adam", an adaptive
learning-rate method, is employed as the optimizer. It rapidly obtains excellent results by
calculating individual learning rates for each parameter. Following this, the hyperparameters
influencing the DL model's efficacy are adjusted. The dataset is partitioned into two distinct
components, training and testing: 75% of the dataset is allocated to the training set, while
the remaining 25% is designated for testing purposes. When the evaluation outcome is
unsatisfactory, either the hyperparameters are adjusted or the GRU model is deepened
until optimal performance is attained.
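
The forward pass of a GRU with the two output heads named above (sigmoid for binary, softmax for multi-class) is sketched here as an added example; it is not the authors' Keras code. The weights are random stand-ins for trained parameters, and the feature names, layer sizes and the ten-class count (normal plus nine attack groups) are assumptions.

```python
import math
import random

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def softmax(scores):
    m = max(scores)                      # subtract the max for numerical stability
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]

def matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def rand_matrix(rows, cols, rng, scale=0.5):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

class GRUCell:
    """One GRU layer; weights are random stand-ins for trained parameters."""
    def __init__(self, n_in, n_hid, rng):
        self.n_hid = n_hid
        # (input weights W, recurrent weights U, bias b) for the update gate z,
        # the reset gate r and the candidate state c
        self.params = {g: (rand_matrix(n_hid, n_in, rng),
                           rand_matrix(n_hid, n_hid, rng),
                           [0.0] * n_hid) for g in "zrc"}

    def _affine(self, gate, x, h):
        W, U, b = self.params[gate]
        return [a + c + d for a, c, d in zip(matvec(W, x), matvec(U, h), b)]

    def step(self, x, h):
        z = [sigmoid(v) for v in self._affine("z", x, h)]   # how much old state to keep
        r = [sigmoid(v) for v in self._affine("r", x, h)]   # how much old state feeds c
        gated = [ri * hi for ri, hi in zip(r, h)]
        c = [math.tanh(v) for v in self._affine("c", x, gated)]
        # Keras convention: z close to 1 keeps the previous state
        return [zi * hi + (1.0 - zi) * ci for zi, hi, ci in zip(z, h, c)]

    def encode(self, sequence):
        h = [0.0] * self.n_hid
        for x in sequence:
            h = self.step(x, h)
        return h

def binary_head(h, w, b):
    """Sigmoid output: probability that the flow window is an attack."""
    return sigmoid(sum(wi * hi for wi, hi in zip(w, h)) + b)

def multiclass_head(h, W, b):
    """Softmax output: one probability per traffic class."""
    return softmax([s + bi for s, bi in zip(matvec(W, h), b)])

# Constructed sample: a window of 3 consecutive flows, 4 scaled features each
# (duration, bytes sent, bytes received, packet rate), all hypothetical.
WINDOW = [[0.10, 0.80, 0.05, 0.90],
          [0.12, 0.85, 0.04, 0.95],
          [0.11, 0.90, 0.03, 0.97]]
N_CLASSES = 10   # assumption: normal traffic plus nine attack groups

def demo(seed=7):
    rng = random.Random(seed)
    cell = GRUCell(n_in=4, n_hid=8, rng=rng)
    h = cell.encode(WINDOW)
    p_attack = binary_head(h, [rng.uniform(-1, 1) for _ in range(8)], 0.0)
    p_class = multiclass_head(h, rand_matrix(N_CLASSES, 8, rng), [0.0] * N_CLASSES)
    return h, p_attack, p_class

if __name__ == "__main__":
    h, p_attack, p_class = demo()
    print(f"P(attack) = {p_attack:.3f}")
    print("class probabilities:", [round(p, 3) for p in p_class])
```
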

Phase 2: Deployment of fog-based framework for malicious device detection to secure IoT networks

In the second phase of the proposed framework, the architecture is deployed on fog nodes.
The structure of the suggested framework, which includes the CL, fog layer
(FL), and edge layer, is depicted in Fig. 2. The edge layer includes various IoT devices,
such as security cameras, sensors, and detectors, with limited resources. These devices
produce enormous quantities of unorganized information that are challenging to analyse at
the periphery. The edge layer comprises smart residences, hydrocarbon platforms, smart
electricity infrastructure, smart vehicles, and smart industry. Employing an intelligent IoT
gateway, peripheral layer devices' data is directed toward the fog layer (FL), business
information center, and cloud. The FL, which comprises thousands of routing devices,
servers, and processors under the ownership of an Internet service provider, constitutes the
second layer. Edge devices are weaker than these devices. Operations requiring substantial
amounts of memory, processing capacity, storage, and power can be executed on fog devices.
In addition, fog nodes are disseminated across various topographical areas, including service
provider networks and areas nearer to the periphery layer than the CL. Multiple ports and
services facilitate communication with applications and standards. At the FL, dispersed data
analytics enables data analysis before its transmission to the cloud. Furthermore, it lowers
delay and bandwidth, swiftly responds to crucial decisions, and contributes to the system's
flexibility. The most advanced level is the CL, which furnishes cloud operators with
adaptable, reliable, and flexible assets while delivering computing services via the Internet.
Cloud computing enables data storage, analysis, and transmission via the Internet. The
Internet of Things encounters significant latency when transferring or analyzing data in the
cloud, particularly regarding real-time applications like autonomous vehicles.

Fig. 2. Fog-based framework for malicious device detection to secure IoT networks
As depicted in Fig. 2, it has been presumed that a clustering algorithm is employed to
organize fog nodes into clusters to implement the suggested architecture in IoT networks; the
FL is subdivided into N clusters. This clustering technique aims to recognize clusters of
wireless devices in a distributed manner by utilizing physical network layout characteristics.
This clustering algorithm applies to the framework because it operates without requiring data
regarding the anticipated number of clusters and implies that participating nodes have zero
or minimal movement. Clusters are identified by considering various parameters, including
the node connections, the density of the network graph, and the preferred connection. Fog
nodes are clustered to improve network scaling, equalize network burden, and protect traffic
exchanged between clusters and the cloud. Data from various IoT peripheral networks can
be managed, processed, and analyzed by a single cluster; for example, cluster1 in Fig. 2
processes and evaluates data from a smart home network and a WSN.
Intelligent gateways capture and forward network traffic to the closest fog node in the
capacity of sink nodes. Fog nodes acquire and retain network traffic relayed by multiple IoT
smart gateways in distinct files. On fog nodes, a service in the background is responsible for
reading and processing data from files. The information processing consists of gathering the
characteristics of each network traffic packet and feeding them to the GRU classifier to
identify attacks.

Phase 3: Data analysis and GRU-based intrusion detection


Once attack detection has been deployed on the FL nodes across all clusters, the system
receives network data routed through IoT intelligent gateway devices belonging to various
networks. The IDS under consideration processes raw network information,
distinguishes between normal and attack traffic, and determines the nature of an attack based
on the training database. Each cluster member retains the unique identifier (ID) of its head
node, and the Cluster Head (CH) is informed of the quantity and IDs of the group members
that comprise it. When an attack is recognized by a member of the fog cluster, comprehensive
details regarding the identified attack (including category, origin, protocol, time frame, and
more) are transmitted from cluster nodes to the CH, which acts as a data aggregator.
Subsequently, the data is transmitted from the CH to the cloud provider, as illustrated in
Fig. 2, using blue arrows. Cluster participants transmit the data to CHs, which subsequently
transmit it to the cloud facility. The cloud facility generates an alert and records all data
from CHs for a network manager to utilize in assessing and revising the efficacy of the
IDS and formulating suitable courses of action.
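
The reporting path described at the end of Phase 2 and in Phase 3 (fog node reads relayed flows, classifies them, reports attack details to the CH, which aggregates and forwards to the cloud) is sketched below as an added example that is not the authors' implementation. The threshold classifier stands in for the trained GRU, and the column names, node IDs, sample flows and the CH's rejection of unknown senders are assumptions.

```python
import csv
import io
from collections import defaultdict, namedtuple

# Constructed flow records as two gateways might relay them (hypothetical columns).
HEADER = "ts,src,proto,pkts_per_s,syn_ratio\n"
FLOWS_FOG1 = HEADER + ("100,10.0.0.5,tcp,900,0.97\n101,10.0.0.5,tcp,950,0.98\n"
                       "102,10.0.0.7,udp,12,0.00\n103,10.0.0.8,tcp,40,0.95\n")
FLOWS_FOG2 = HEADER + "104,10.0.0.5,tcp,990,0.99\n105,10.0.0.9,udp,8,0.00\n"

# Details a cluster member sends to its CH: reporter, category, origin, protocol, time.
Detection = namedtuple("Detection", "node_id category origin protocol ts")

def toy_classifier(pkts_per_s, syn_ratio):
    """Stand-in for the trained GRU classifier (thresholds are made up)."""
    if syn_ratio > 0.9:
        return "DoS" if pkts_per_s > 500 else "Reconnaissance"
    return "Normal"

class ClusterHead:
    def __init__(self, head_id, member_ids):
        self.head_id, self.members, self.buffer = head_id, set(member_ids), []

    def report(self, det):
        # Assumption: the CH uses its list of member IDs to reject unknown senders.
        if det.node_id not in self.members:
            raise ValueError(f"unknown cluster member: {det.node_id}")
        self.buffer.append(det)

    def flush(self):
        """Aggregate buffered detections per (origin, category, protocol)."""
        groups = defaultdict(list)
        for det in self.buffer:
            groups[(det.origin, det.category, det.protocol)].append(det)
        self.buffer = []
        return [{"cluster_head": self.head_id, "origin": origin,
                 "category": category, "protocol": protocol, "count": len(dets),
                 "first_ts": min(d.ts for d in dets),
                 "last_ts": max(d.ts for d in dets),
                 "reporters": sorted({d.node_id for d in dets})}
                for (origin, category, protocol), dets in sorted(groups.items())]

class FogNode:
    def __init__(self, node_id, head, classify):
        self.node_id, self.head, self.classify = node_id, head, classify

    def process(self, csv_text):
        """Background-service step: read relayed flows, classify, report attacks."""
        for row in csv.DictReader(io.StringIO(csv_text)):
            category = self.classify(float(row["pkts_per_s"]), float(row["syn_ratio"]))
            if category != "Normal":
                self.head.report(Detection(self.node_id, category, row["src"],
                                           row["proto"], int(row["ts"])))

class CloudService:
    def __init__(self):
        self.records = []

    def ingest(self, summaries):
        """Record everything the CH sends and raise one alert per summary."""
        self.records.extend(summaries)
        return [f"ALERT {s['category']} from {s['origin']}/{s['protocol']} "
                f"x{s['count']} (t={s['first_ts']}..{s['last_ts']})" for s in summaries]

def run_demo():
    head = ClusterHead("CH-1", ["fog-1", "fog-2"])
    FogNode("fog-1", head, toy_classifier).process(FLOWS_FOG1)
    FogNode("fog-2", head, toy_classifier).process(FLOWS_FOG2)
    cloud = CloudService()
    alerts = cloud.ingest(head.flush())
    return alerts, cloud.records

if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Four per-flow detections collapse into two alerts here, one per (origin, category, protocol), which is the aggregation role the text gives the CH.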

4 Results and discussion


Keras is utilized to implement every DL model in our experiments on TensorFlow. Keras is
a high-level API for constructing and training DL models. Every test is performed on a
workstation running 64-bit Windows 10 with an Intel Core i7-7400 processor operating at
3.00 GHz, 16 GB of memory, and CPU-enabled TensorFlow.
The database utilized for this study is UNSW-NB15 for IDSs [17]. This database was
generated at the Australian Cyber Security Center's Cyber Range Lab. It has nine threat
groups, is presented in Excel format, and comprises 47 distinct features, including but not
limited to state, time frame, protocol, and application.

[Figure 3: bar chart of accuracy, precision, recall and F1 score (%) for CNN, DNN, LSTM and GRU; vertical axis from 88 to 100]

Fig. 3. Performance comparison of various DL methods used to detect malicious devices in IoT network

A comparison of the performance of different DL techniques employed for the
identification of malicious devices in IoT networks is displayed in Fig. 3. Accuracy is
attained by the Convolutional Neural Network (CNN), which also attains F1 score values of
95%, 93%, and 93%, respectively, for precision, recall, and accuracy. Concerning precision,
recall, and F1 score, the Deep Neural Network (DNN) attains a marginally superior accuracy
of 97.5%. Its corresponding values are 93.4%, 94.8%, and 95.6%. The efficacy of the Long
Short-Term Memory (LSTM) network is enhanced, as evidenced by its 99.01% accuracy,
97.31% recall, 95.72% precision, and 96.07% F1 score, respectively. In line with the
abovementioned models, the GRU achieves superior performance, attaining an accuracy of
99.45%. It also demonstrates precision, recall, and F1 score values of 96.52%, 98.27%, and
97.62%, respectively. The findings of this study indicate that LSTM and GRU networks
demonstrate enhanced capabilities in detecting malicious devices within IoT networks,
thereby underscoring their potential to bolster security measures in IoT environments.

Fig. 4. Resource utilization (%) of IoT devices against time frame with IDS, without IDS, and the
proposed IoT-MDD system
Fig. 4 shows the resource consumption percentages of IoT devices across different
periods in three scenarios: with IDS, without IDS, and with the proposed IoT-MDD system.
The resource consumption starts at 40% and subsequently climbs to peak at 92% without any
initial security measures. On the other hand, using IDS shows a regulated resource use trend,
gradually increasing over time, which suggests the additional load caused by security
protocols. The IoT-MDD system successfully manages resource use below acceptable
bounds and consistently maintains resource utilization levels between 30% and 82% across
different time frames, substantially reducing possible hazards. This shows that the suggested
method effectively ensures IoT device security without significantly impacting resource use,
making it a feasible option for real-world implementation.

5 Conclusion
DL is very effective in the fields of big data and cyber-security. Deploying a GRU on
IoT devices with limited resources is impractical since it requires significant computing
power and robust storage capabilities. This paper presents an IoT-MDD system that uses
deep learning to detect a wide range of IoT cyber-attacks effectively. The system is
distributed, resilient, and boasts a high detection rate. The proposed system includes an
IDS on fog nodes because of their decentralized nature, significant processing capabilities,
and proximity to edge devices. GRU achieved superior performance, attaining an accuracy
of 99.45%. It also demonstrates precision, recall, and F1 score values of 96.52%, 98.27%,
and 97.62%, respectively. The IoT-MDD system successfully manages resource use below
acceptable bounds and consistently maintains resource utilization levels between 30% and
82% across different time frames.

References
1. J. Pacheco, S. Hariri. Anomaly behavior analysis for IoT sensors. Trans. Emerg.
Telecommun. Technol., 29, 4, (2018)
2. M.A. Khan, K. Salah. IoT security: Review, blockchain solutions, and open challenges.
Future Gener. Comput. Syst., 82, 395-411, (2018)
3. M.A. Lawal, R.A. Shaikh, S.R. Hassan. An anomaly mitigation framework for iot using
fog computing. Electronics, 9, 10, (2020)

4. N. Moustafa, J. Hu, J. Slay. A holistic review of network anomaly detection systems: A
comprehensive survey. J. Netw. Comput. Appl., 128, 33-55, (2019)
5. S. Al-Mashhadi, M. Anbar, I. Hasbullah, T.A. Alamiedy. Hybrid rule-based botnet
detection approach using machine learning for analysing DNS traffic. PeerJ
Comput. Sci., 7, (2021)
6. V. Simonovich. Imperva blocks our largest DDoS L7/brute force attack ever (peaking
at 292,000 RPS), (2019)
7. A. Woodiss-Field, M.N. Johnstone, P. Haskell-Dowland. Towards evaluating the
effectiveness of botnet detection techniques. In International Conference on Ubiquitous
Security, Singapore: Springer Singapore, 292-308, (2021)
8. Q. Yaseen, F. Albalas, Y. Jararwah, M. Al‐Ayyoub. Leveraging fog computing and
software defined systems for selective forwarding attacks detection in mobile wireless
sensor networks. Trans. Emerg. Telecommun. Technol., 29, 4, (2018)
9. Y. Labiod, A. Amara Korba, N. Ghoualmi. Fog computing-based intrusion detection
architecture to protect iot networks. Wirel. Pers. Commun., 125, 1, 231-259, (2022)
10. C.A. De Souza, C.B. Westphall, R.B. Machado, L. Loffi, C.M. Westphall, G.A.
Geronimo. Intrusion detection and prevention in fog based iot environments: A
systematic literature review. Computer Networks, 214, (2022)
11. W.B. Daoud, S. Mahfoudhi. SIMAD: Secure Intelligent Method for IoT-Fog
Environments Attacks Detection. Comput. Mater. Contin., 70, 2, (2022)
12. M.A. Lawal, R.A. Shaikh, S.R. Hassan. A DDoS attack mitigation framework for IoT
networks using fog computing. Procedia Comput. Sci., 182, 13-20, (2021)
13. S.R. Zahra, M.A. Chishti. Fuzzy logic and fog based secure architecture for internet of
things (flfsiot). J. Ambient Intell. Humaniz. Comput., 1-25, (2020)
14. A.K. Junejo, N. Komninos, J.A. McCann. A Secure Integrated Framework for
Fog-Assisted Internet-of-Things Systems. IEEE Internet Things J., 8, 8, 6840-6852,
(2020)
15. S.R. Zahra, M.A. Chishti. A generic and lightweight security mechanism for detecting
malicious behavior in the uncertain Internet of Things using fuzzy logic-and fog-based
approach. Neural Comput. Appl., 34, 9, 6927-6952, (2022)
16. A. Samy, H. Yu, H. Zhang. Fog-based attack detection framework for Internet of things
using deep learning. IEEE Access, 8, 74571-74585, (2020)
17. N. Moustafa, J. Slay. UNSW-NB15: a comprehensive data set for network
intrusion detection systems (UNSW-NB15 network data set). In Military
Communications and Information Systems Conference (MilCIS), 1-6, (2015)
