Challenges of Network Forensic Investigation in Fog and Edge Computing
Abstract
:1. Introduction
- We see the first contribution in identifying the above challenges, i.e., making the scientific world aware of the differences between network forensics in edge, fog and cloud forensics in contrast to network forensics in “classic” types of networks, especially as these differences so far have only been considered for one field (edge, fog, cloud) in isolation or not at all. Yet, as the importance of edge, fog and cloud computing is undisputed and growing, there is a need to act.
- As the second contribution, we strive to analyzefor which of these challenges existing solutions from other fields might be adapted, and for which of these challenges we are not aware of solutions.
- The third contribution is our approach of analyzing along dimensions as in software testing, which allows provision of a certain systematic analysis right away in contrast to a “brute force” approach of an extensive literature analysis for which some other approach for extracting the challenges (possibly ad hoc) would still have to be found and applied.
2. Background
2.1. Networking in Edge and Fog Computing
the control of computing applications, data, and services away from some central nodes (the “core”) to the other logical extreme (the “edge”) of the Internet [6].
2.2. Network Forensic Investigation
3. Related Work
4. Challenges
- Device varietyThe number of possible devices in fog and edge environments differs from small installations with only a few, mostly homogeneous devices to large-scale environments with a huge variety of different components.On the one hand, such devices are limited in their performance and software possibilities, for example, single-board computers like Raspberry Pi or Arduino, industrial gateways and Programmable Logic Controllers (PLCs) with a specific and robust network connection and industrial-grade specifications, smart cameras for real-time video and object identification, drones and autonomous vehicles, wearable devices like smartwatches or fitness trackers. Their job is to process and analyze the data on board. This enables real-time decision and autonomous operations in various applications without a continuous network connection to a central server.On the other hand, high-powered devices like edge servers and routers, which can be rack-mounted or in a smaller form factor, have higher computational resources. They provide increased processing power, storage capacity, and networking capabilities. The devices differ in their physical interfaces to connect to a network as well as in the deployed protocols and communication techniques. Some devices are always on and send data periodically; other devices are in stand-by for a longer period, but then send a bunch of data at a random timeslot.This variety of involved devices hampers an easy data acquisition process and demands a flexible and versatile capture process.
- Cloud computing interactionThe evolution of fog and edge computing is blurring the lines between edge and cloud environments, creating a continuum that spans from the cloud to the edge devices. Organizations are adopting hybrid architectures that leverage the strengths of both edge and cloud computing. Critical and time-sensitive tasks are executed at the edge, while data that are not time critical are sent to the cloud for further analysis and storage, but the scheduling of this processing is again a complex problem [45]. A possible solution is the implementation of fog devices that create a separate layer between the edge and the cloud, processing various tasks at this position. This application placement depends on various aspects like purpose [46], energy consumption [47] or availability [48], but every installation impacts the position of a capture process as well as the analysis of the data.
- Lack of centralized capture positionsThe environments consist of a large number of distributed computing resources, which we coined as spatial dispersion when introducing the field of investigation. This makes it challenging to have a centralized position to capture all relevant network traffic for the subsequent analysis of the data. This lack of centralized access makes it difficult to collect the entire relevant network traffic from all involved devices, especially as not all traffic is transported to the cloud.
- Limited storage and processing capabilitiesEdge and fog devices often have limited storage and processing capabilities compared to traditional servers. This limitation affects the amount of network traffic data that can be captured and stored for forensic analysis. It may be necessary to prioritize and filter data to reduce storage requirements, potentially leading to the loss of valuable forensic evidence (and/or incomplete capture). Edge servers typically provide higher storage capacities, but the access to these areas is typically limited to specific interfaces and APIs. As a result, the capture process has to be performed at a point inside the network that is suitable to collect all relevant traffics at once; the use of the devices for storing the captured data is not possible. This is a common problem in advanced network forensic investigation as discussed in [49].
- Inherent dynamicFog nodes as well as edge end points might join or leave the network dynamically. This dynamic behavior results in similar challenges as discussed in [2] inside virtual networks. As a result, an installed capture process is threatened for missing network packets because of new or undetected, but relevant devices (so-called incomplete capture). Investigators need to adapt their techniques to handle the frequent changes in network topology and availability of fog nodes.
- Data fragmentation and encryptionNodes may perform data processing and aggregation, leading to data fragmentation and encryption. The problem of fragmented or encrypted data is a well-known problem in networks nowadays, which hampers the analysis of network traffic [50,51]. The encryption of network traffic is a common practice to prevent the plain text transmission [52]. If used, eavesdropping of the connection is still possible, but analyses like application identification or usage are hampered [53]. The analysis of these encrypted data is part of current research like [54,55]. The fragmentation of network traffic depends on the maximum transmission unit (MTU) of a network path. Routers inside a network set their own MTU if needed, which results in smaller network packets than initially sent [56]. The reconstruction of the fragmented network traffic has to be performed at the receiving side, so a packet capture process has to take care of collecting all fragments of the transmitted data. Otherwise, such an incomplete capture might led to the failure of a forensic analysis.
- Trust and privacy concernsFog environments involve multiple stakeholders, including device owners, fog node operators, and cloud service providers. This distributed nature raises concerns about trust and privacy. Investigators may encounter difficulties in accessing and retrieving data from different entities due to legal, privacy, and permission-related issues.
- Limited forensic tools and standardsTraditional network forensic tools and standards may not be fully applicable to fog environments. Fog nodes and edge devices often have resource constraints, making it challenging to deploy and execute complex forensic tools. Additionally, there may be a lack of standardized protocols and procedures specific to fog environments, hindering interoperability and consistency in forensic investigations.
- Time synchronization and clock driftFog devices may have different clocks and varying levels of clock accuracy. Inaccurate time synchronization and clock drift can complicate the correlation of network events across fog nodes, affecting the accuracy and reliability of forensic investigations.
- JurisdictionThe distribution of edge and fog devices might result in installations all over the world. As a result, different laws and jurisdictions are relevant for the access of the network packets. This is a common problem in modern, globally spread environments with distributed virtual network endpoints [2].
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Davidoff, S.; Ham, J. Network Forensics: Tracking Hackers through Cyberspace; Prentice Hall: Hoboken, NJ, USA, 2012. [Google Scholar]
- Spiekermann, D.; Eggendorfer, T. Challenges of network forensic investigation in virtual networks. J. Cyber Secur. Mobil. 2016, 5, 15–46. [Google Scholar] [CrossRef]
- Kimovski, D.; Mathá, R.; Hammer, J.; Mehran, N.; Hellwagner, H.; Prodan, R. Cloud, fog, or edge: Where to compute? IEEE Internet Comput. 2021, 25, 30–36. [Google Scholar] [CrossRef]
- Kansal, P.; Kumar, M.; Verma, O.P. Classification of resource management approaches in fog/edge paradigm and future research prospects: A systematic review. J. Supercomput. 2022, 78, 13145–13204. [Google Scholar] [CrossRef]
- Mukherjee, M.; Shu, L.; Wang, D. Survey of fog computing: Fundamental, network applications, and research challenges. IEEE Commun. Surv. Tutor. 2018, 20, 1826–1857. [Google Scholar] [CrossRef]
- Garcia Lopez, P.; Montresor, A.; Epema, D.; Datta, A.; Higashino, T.; Iamnitchi, A.; Barcellos, M.; Felber, P.; Riviere, E. Edge-Centric Computing: Vision and Challenges. SIGCOMM Comput. Commun. Rev. 2015, 45, 37–42. [Google Scholar] [CrossRef]
- Hong, C.H.; Varghese, B. Resource management in fog/edge computing: A survey on architectures, infrastructure, and algorithms. ACM Comput. Surv. (CSUR) 2019, 52, 1–37. [Google Scholar] [CrossRef]
- Pop, P.; Raagaard, M.L.; Gutierrez, M.; Steiner, W. Enabling fog computing for industrial automation through time-sensitive networking (TSN). IEEE Commun. Stand. Mag. 2018, 2, 55–61. [Google Scholar] [CrossRef]
- Giordano, A.; Spezzano, G.; Vinci, A. Smart agents and fog computing for smart city applications. In Proceedings of the Smart Cities: First International Conference, Smart-CT 2016, Málaga, Spain, 15–17 June 2016; Proceedings 1. Springer: Berlin/Heidelberg, Germany, 2016; pp. 137–146. [Google Scholar]
- Wei, Z.; Li, B.; Zhang, R.; Cheng, X. Contract-Based Charging Protocol for Electric Vehicles with Vehicular Fog Computing: An Integrated Charging and Computing Perspective. IEEE Internet Things J. 2022, 10, 7667–7680. [Google Scholar] [CrossRef]
- Kumari, A.; Tanwar, S.; Tyagi, S.; Kumar, N. Fog computing for Healthcare 4.0 environment: Opportunities and challenges. Comput. Electr. Eng. 2018, 72, 1–13. [Google Scholar] [CrossRef]
- Yi, S.; Li, C.; Li, Q. A survey of fog computing: Concepts, applications and issues. In Proceedings of the 2015 Workshop on Mobile Big Data, Hangzhou, China, 21 June 2015; pp. 37–42. [Google Scholar]
- C. da Silva, R.A.; S. da Fonseca, N.L. On the location of fog nodes in fog-cloud infrastructures. Sensors 2019, 19, 2445. [Google Scholar] [CrossRef]
- La, Q.D.; Ngo, M.V.; Dinh, T.Q.; Quek, T.Q.; Shin, H. Enabling intelligence in fog computing to achieve energy and latency reduction. Digit. Commun. Netw. 2019, 5, 3–9. [Google Scholar] [CrossRef]
- Lee, G.; Saad, W.; Bennis, M. An online optimization framework for distributed fog network formation with minimal latency. IEEE Trans. Wirel. Commun. 2019, 18, 2244–2258. [Google Scholar] [CrossRef]
- Garfinkel, S. Network forensics: Tapping the internet. IEEE Internet Comput. 2002, 6, 60–66. [Google Scholar]
- Spiekermann, D.; Keller, J.; Eggendorfer, T. Improving Lawful Interception in Virtual Datacenters. In Proceedings of the Central European Cybersecurity Conference 2018, Ljubljana, Slovenia, 15–16 November 2018; pp. 1–6. [Google Scholar]
- Bonomi, F.; Milito, R.; Zhu, J.; Addepalli, S. Fog computing and its role in the internet of things. In Proceedings of the First Edition of the MCC Workshop on Mobile Cloud Computing, Helsinki, Finland, 17 August 2012; pp. 13–16. [Google Scholar]
- Huang, C.; Lu, R.; Choo, K.R. Vehicular Fog Computing: Architecture, Use Case, and Security and Forensic Challenges. IEEE Commun. Mag. 2017, 55, 105–111. [Google Scholar] [CrossRef]
- Cheng, N.; Xu, W.; Shi, W.; Zhou, Y.; Lu, N.; Zhou, H.; Shen, X. Air-ground integrated mobile edge networks: Architecture, challenges, and opportunities. IEEE Commun. Mag. 2018, 56, 26–32. [Google Scholar] [CrossRef]
- Lim, W.Y.B.; Luong, N.C.; Hoang, D.T.; Jiao, Y.; Liang, Y.C.; Yang, Q.; Niyato, D.; Miao, C. Federated Learning in Mobile Edge Networks: A Comprehensive Survey. IEEE Commun. Surv. Tutor. 2020, 22, 2031–2063. [Google Scholar] [CrossRef]
- Salman, O.; Elhajj, I.; Chehab, A.; Kayssi, A. IoT survey: An SDN and fog computing perspective. Comput. Netw. 2018, 143, 221–246. [Google Scholar] [CrossRef]
- Qaisar, S.; Riaz, N. Fog networking: An enabler for next generation internet of things. In Proceedings of the Computational Science and Its Applications—ICCSA 2016: 16th International Conference, Beijing, China, 4–7 July 2016; Proceedings, Part II 16. Springer: Berlin/Heidelberg, Germany, 2016; pp. 353–365. [Google Scholar]
- Liu, L.; Chen, C.; Pei, Q.; Maharjan, S.; Zhang, Y. Vehicular edge computing and networking: A survey. Mob. Netw. Appl. 2021, 26, 1145–1168. [Google Scholar] [CrossRef]
- Wang, S.; Zhang, X.; Zhang, Y.; Wang, L.; Yang, J.; Wang, W. A survey on mobile edge networks: Convergence of computing, caching and communications. IEEE Access 2017, 5, 6757–6779. [Google Scholar] [CrossRef]
- Song, F.; Zhu, M.; Zhou, Y.; You, I.; Zhang, H. Smart Collaborative Tracking for Ubiquitous Power IoT in Edge-Cloud Interplay Domain. IEEE Internet Things J. 2020, 7, 6046–6055. [Google Scholar] [CrossRef]
- Khan, S.; Gani, A.; Wahab, A.W.A.; Shiraz, M.; Ahmad, I. Network forensics: Review, taxonomy, and open challenges. J. Netw. Comput. Appl. 2016, 66, 214–235. [Google Scholar] [CrossRef]
- Qureshi, S.; Tunio, S.; Akhtar, F.; Wajahat, A.; Nazir, A.; Ullah, F. Network Forensics: A Comprehensive Review of Tools and Techniques. Int. J. Adv. Comput. Sci. Appl. 2021, 12. [Google Scholar] [CrossRef]
- Wang, Y.; Uehara, T.; Sasaki, R. Fog Computing: Issues and Challenges in Security and Forensics. In Proceedings of the 39th Annual Computer Software and Applications Conference, COMPSAC Workshops 2015, Taichung, Taiwan, 1–5 July 2015; Ahamed, S.I., Chang, C.K., Chu, W.C., Crnkovic, I., Hsiung, P., Huang, G., Yang, J., Eds.; IEEE Computer Society: Washington, DC, USA, 2015; pp. 53–59. [Google Scholar] [CrossRef]
- Tomovic, S.; Yoshigoe, K.; Maljevic, I.; Radusinovic, I. Software-defined fog network architecture for IoT. Wirel. Pers. Commun. 2017, 92, 181–196. [Google Scholar] [CrossRef]
- Kaur, K.; Garg, S.; Aujla, G.S.; Kumar, N.; Rodrigues, J.J.; Guizani, M. Edge computing in the industrial internet of things environment: Software-defined-networks-based edge-cloud interplay. IEEE Commun. Mag. 2018, 56, 44–51. [Google Scholar] [CrossRef]
- Sandvik, J.; Franke, K.; Abie, H.; Årnes, A. Evidence in the fog—Triage in fog computing systems. Forensic Sci. Int. Digit. Investig. 2023, 44, 301506. [Google Scholar] [CrossRef]
- Roman, R.; Lopez, J.; Mambo, M. Mobile edge computing, Fog et al.: A survey and analysis of security threats and challenges. Future Gener. Comput. Syst. 2018, 78, 680–698. [Google Scholar] [CrossRef]
- Al-Masri, E.; Bai, Y.; Li, J. A Fog-Based Digital Forensics Investigation Framework for IoT Systems. In Proceedings of the 2018 IEEE International Conference on Smart Cloud, SmartCloud 2018, New York, NY, USA, 21–23 September 2018; pp. 196–201. [Google Scholar] [CrossRef]
- Sedaghat, S. New approach in the applications and forensics of the networks of the internet of things based on the fog infrastructure using SDN. Int. J. Inf. Comput. Secur. 2021, 15, 272–298. [Google Scholar] [CrossRef]
- Math, S.; Tam, P.; Kim, S. Intelligent Media Forensics and Traffic Handling Scheme in 5G Edge Networks. Secur. Commun. Netw. 2021, 2021, 5589352:1–5589352:11. [Google Scholar] [CrossRef]
- Oriwoh, E.; Sant, P. The Forensics Edge Management System: A Concept and Design. In Proceedings of the 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, UIC/ATC 2013, Vietri sul Mare, Sorrento Peninsula, Italy, 18–21 December 2013; IEEE Computer Society: Washington, DC, USA, 2013; pp. 544–550. [Google Scholar] [CrossRef]
- Ding, F.; Zhu, G.; Alazab, M.; Li, X.; Yu, K. Deep-Learning-Empowered Digital Forensics for Edge Consumer Electronics in 5G HetNets. IEEE Consum. Electron. Mag. 2022, 11, 42–50. [Google Scholar] [CrossRef]
- Shalaginov, A.; Iqbal, A.; Olegård, J. IoT Digital Forensics Readiness in the Edge: A Roadmap for Acquiring Digital Evidences from Intelligent Smart Applications. In Proceedings of the Edge Computing—EDGE 2020—4th International Conference, Held as Part of the Services Conference Federation, SCF 2020, Honolulu, HI, USA, 18–20 September 2020; Proceedings; Lecture Notes in Computer Science. Katangur, A., Lin, S., Wei, J., Yang, S., Zhang, L., Eds.; Springer: Berlin/Heidelberg, Germany, 2020; Volume 12407, pp. 1–17. [Google Scholar] [CrossRef]
- Ovesen, A.B.; Nordmo, T.S.; Johansen, H.D.; Riegler, M.A.; Halvorsen, P.; Johansen, D. File System Support for Privacy-Preserving Analysis and Forensics in Low-Bandwidth Edge Environments. Information 2021, 12, 430. [Google Scholar] [CrossRef]
- Esposito, C.; Castiglione, A.; Pop, F.; Choo, K.R. Challenges of Connecting Edge and Cloud Computing: A Security and Forensic Perspective. IEEE Cloud Comput. 2017, 4, 13–17. [Google Scholar] [CrossRef]
- Chang, V.; Golightly, L.; Modesti, P.; Xu, Q.A.; Doan, L.M.T.; Hall, K.; Boddu, S.; Kobusińska, A. A Survey on Intrusion Detection Systems for Fog and Cloud Computing. Future Internet 2022, 14, 89. [Google Scholar] [CrossRef]
- Young, M.; Pezze, M. Software Testing and Analysis: Process, Principles and Techniques; John Wiley & Sons, Inc.: Hoboken, NJ, USA, 2005. [Google Scholar]
- Lynch, N.A. Distributed Algorithms; Morgan Kaufmann: Burlington, MA, USA, 1996. [Google Scholar]
- Pham, X.Q.; Huh, E.N. Towards task scheduling in a cloud-fog computing system. In Proceedings of the 2016 18th Asia-Pacific Network Operations and Management Symposium (APNOMS), Kanazawa, Japan, 5–7 October 2016; pp. 1–4. [Google Scholar]
- Goudarzi, M.; Wu, H.; Palaniswami, M.; Buyya, R. An application placement technique for concurrent IoT applications in edge and fog computing environments. IEEE Trans. Mob. Comput. 2020, 20, 1298–1311. [Google Scholar] [CrossRef]
- Badri, H.; Bahreini, T.; Grosu, D.; Yang, K. Energy-aware application placement in mobile edge computing: A stochastic optimization approach. IEEE Trans. Parallel Distrib. Syst. 2019, 31, 909–922. [Google Scholar] [CrossRef]
- Zhu, H.; Huang, C. Availability-aware mobile edge application placement in 5G networks. In Proceedings of the GLOBECOM 2017—2017 IEEE Global Communications Conference, Singapore, 4–8 December 2017; pp. 1–6. [Google Scholar]
- Spiekermann, D.; Eggendorfer, T.; Keller, J. A Study of Network Forensic Investigation in Docker Environments. In Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, UK, 26–29 August 2019; ARES `19. Association for Computing Machinery: New York, NY, USA, 2019. [Google Scholar]
- Corey, V.; Peterman, C.; Shearin, S.; Greenberg, M.S.; Van Bokkelen, J. Network forensics analysis. IEEE Internet Comput. 2002, 6, 60–66. [Google Scholar] [CrossRef]
- Patil, R.Y.; Devane, S.R. Network forensic investigation protocol to identify true origin of cyber crime. J. King Saud Univ.-Comput. Inf. Sci. 2022, 34, 2031–2044. [Google Scholar] [CrossRef]
- Zhang, H.; Qin, B.; Tu, T.; Guo, Z.; Gao, F.; Wen, Q. An adaptive encryption-as-a-service architecture based on fog computing for real-time substation communications. IEEE Trans. Ind. Inform. 2019, 16, 658–668. [Google Scholar] [CrossRef]
- Papadogiannaki, E.; Ioannidis, S. A survey on encrypted network traffic analysis applications, techniques, and countermeasures. ACM Comput. Surv. (CSUR) 2021, 54, 1–35. [Google Scholar] [CrossRef]
- Wang, P.; Wang, Z.; Ye, F.; Chen, X. Bytesgan: A semi-supervised generative adversarial network for encrypted traffic classification in SDN edge gateway. Comput. Netw. 2021, 200, 108535. [Google Scholar] [CrossRef]
- Lawal, M.A.; Shaikh, R.A.; Hassan, S.R. An anomaly mitigation framework for iot using fog computing. Electronics 2020, 9, 1565. [Google Scholar] [CrossRef]
- Tanenbaum, A.S.; Wetherall, D. Computer Networks, 6th ed.; Prentice Hall: Boston, MA, USA, 2021. [Google Scholar]
- Li, Y.; Wang, S. An Energy-Aware Edge Server Placement Algorithm in Mobile Edge Computing. In Proceedings of the 2018 IEEE International Conference on Edge Computing (EDGE), San Francisco, CA, USA, 2–7 July 2018; pp. 66–73. [Google Scholar] [CrossRef]
- Cao, K.; Li, L.; Cui, Y.; Wei, T.; Hu, S. Exploring placement of heterogeneous edge servers for response time minimization in mobile edge-cloud computing. IEEE Trans. Ind. Inform. 2020, 17, 494–503. [Google Scholar] [CrossRef]
- Li, Y.; Zhou, A.; Ma, X.; Wang, S. Profit-aware edge server placement. IEEE Internet Things J. 2021, 9, 55–67. [Google Scholar] [CrossRef]
- Mao, B.; Tang, F.; Kawamoto, Y.; Kato, N. AI models for green communications towards 6G. IEEE Commun. Surv. Tutor. 2021, 24, 210–247. [Google Scholar] [CrossRef]
- Liu, D.; Kong, H.; Luo, X.; Liu, W.; Subramaniam, R. Bringing AI to edge: From deep learning’s perspective. Neurocomputing 2022, 485, 297–320. [Google Scholar] [CrossRef]
- Hua, H.; Li, Y.; Wang, T.; Dong, N.; Li, W.; Cao, J. Edge computing with artificial intelligence: A machine learning perspective. ACM Comput. Surv. 2023, 55, 1–35. [Google Scholar] [CrossRef]
Collect | Analyze | ||
---|---|---|---|
Capture | Record | ||
Device variety | x | x | x |
Cloud computing interaction | x | x | x |
Lack of centralized capture position | x | x | x |
Limited storage and processing capabilities | - | - | x |
Inherent dynamic | x | - | x |
Data fragmentation and encryption | - | x | - |
Trust and privacy | x | - | x |
Limited tools and standards | x | x | x |
Time sync | - | x | - |
Jurisdiction | x | - | x |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Spiekermann, D.; Keller, J. Challenges of Network Forensic Investigation in Fog and Edge Computing. Future Internet 2023, 15, 342. https://doi.org/10.3390/fi15100342
Spiekermann D, Keller J. Challenges of Network Forensic Investigation in Fog and Edge Computing. Future Internet. 2023; 15(10):342. https://doi.org/10.3390/fi15100342
Chicago/Turabian StyleSpiekermann, Daniel, and Jörg Keller. 2023. "Challenges of Network Forensic Investigation in Fog and Edge Computing" Future Internet 15, no. 10: 342. https://doi.org/10.3390/fi15100342
APA StyleSpiekermann, D., & Keller, J. (2023). Challenges of Network Forensic Investigation in Fog and Edge Computing. Future Internet, 15(10), 342. https://doi.org/10.3390/fi15100342