1 Introduction

With the rapid growth of the Internet of Things (IoT), it is estimated that almost 50 billion devices will be interconnected by 2020 and that the generated data traffic will grow by another 1000 times. Sensing data from a huge number of heterogeneous sensors will generate big data at the edge of the IoT. With the emergence of diverse IoT applications (e.g., environment monitoring, e-health, industrial control), it becomes challenging for fog/edge computing to deal with these heterogeneous IoT environments and their edge big data. Driven by this trend, fog/edge computing, an emerging computing paradigm, has received a tremendous amount of interest. By pushing data storage, computing, analysis and control closer to the network edge, fog/edge computing has been widely recognized as a promising solution to meet the requirements of low latency, high scalability and energy efficiency, and to mitigate network traffic burdens.

Currently, there are four novel development trends for fog/edge computing. First, motivated by the success of artificial intelligence (AI) in a wide spectrum of fields, it is envisaged that AI-powered fog/edge computing could enhance the intelligent processing and analysis capabilities at the edge of the networks. Building on fog/edge computing, edge AI, or edge intelligence, is beginning to receive a tremendous amount of interest. Second, as next-generation networking technologies, software-defined networks (SDN) and information-centric networks (ICN) have been introduced into networked fog/edge computing. These deeply integrated technologies provide an evolutionary networking approach for fog/edge computing, which can support reconfigurable fog/edge computing architectures and content processing/analysis capabilities at the communication layer for 5G/6G. Third, an optimized big data architecture is a must for edge big data analysis. Improved architectures of traditional big data systems, such as Hadoop and MapReduce, have attracted a lot of attention.

The aforementioned development trends bring a lot of benefits to fog/edge computing. However, they also introduce security and intelligent management problems for fog/edge computing resources, which are still open issues. First, because fog/edge computing is usually deployed in large-scale IoT, it faces various threats from untrusted, geographically distributed sources and from different layers of the networks. Traditional security approaches cannot be used in fog/edge computing due to the limited computing and storage resources at the edge. Second, content threats will be generated at the communication layer, because SDN/ICN technologies have been introduced into networked fog/edge computing nodes. Third, at the edge of the networks, there is an imbalance between the users and the providers of fog/edge computing resources. On-demand resource scheduling and balancing are a must for fog/edge computing. Based on the aforementioned motivations, this chapter aims to study lightweight security and intelligent scheduling approaches for fog/edge computing resources. Novel technologies, such as blockchain, edge learning and semantic reasoning, will be integrated seamlessly into the proposed architecture. To resolve the aforementioned problems, this chapter studies collaborative trust, content intrusion detection and security isolation, intelligent storage resource orchestration, and smart resource partitioning technologies for fog/edge computing. This work is significant in promoting highly secure and efficient fog/edge computing for next-generation networks.

2 Related Works

Currently, the security and smart scheduling of fog/edge computing resources have attracted a lot of attention. Basically, existing works focus on the security of communications, storage, and data analysis in fog/edge computing. First, because context-aware capability is a novel and special feature of fog/edge computing, content security protection should be provided at the communication layer. Second, big data at the edge raises the requirement of efficient and dynamic edge storage resource scheduling. Third, the configuration of computing and processing resources should be considered. Related works are presented as follows.

Considering content awareness and edge distribution, edge/fog computing can benefit defense through threat-aware filtering and semantic reasoning that construct edge defense isolation. In order to satisfy the secure automation control requirements of content in IoT environments, exploiting edge/fog computing to build an adaptive operations platform has been perceived as a promising approach, which enables high manageability of IoT [1]. Moreover, content and data analysis technologies of fog/edge computing have been widely applied in next-generation networks [2], security defense [3, 4], and the optimization of computation resources at the application layer [5].

Edge storage related technologies have attracted a lot of attention. Most recent research on edge storage focuses on the optimization and enrichment of storage algorithms. In [6], Guanlin Wu et al. proposed a cooperative storage algorithm based on the alternating direction method of multipliers. It minimizes the latency of task implementation and the total cost of the entire operation while maximizing node utilization of local information and system reliability. Besides, considering fairness metrics, the authors of [7] proposed an approximation algorithm that achieves caching load balance based on an integer linear programming formulation. In [8], a three-layer architecture model for data storage management is proposed. It provides an adaptive algorithm that dynamically increases the high predictive precision required for efficient real-time decision making and minimizes the amount of data stored in limited storage space. The cloud-edge collaborative work mode makes information interaction more convenient. Recently, most research has focused on resource scheduling and delay optimization. A vehicle control framework coordinated by an Upper Edge Server is proposed in [9]. It enables more flexible scheduling of edge servers in view of the autonomous control of the vehicle, and it also addresses the balance among the size of the required edge servers, their capacity, and the ratio of dominated time. In [10], by integrating the advantages of edge and cloud platforms, a new framework is proposed for joint processing between the edge and the cloud. It leverages the full network cognition and recorded information provided by the cloud to guide edge computing components in meeting the multiple performance demands of heterogeneous IoT networks. In addition, in [11], three scheduling algorithms (static, dynamic and batch synchronization) are shown to solve the problems that arise when edge and cloud work collectively.

The emergence of Hadoop allows data storage to be distributed, but HDFS, the storage layer at the bottom of Hadoop, is not suitable for use at the edge. Its framework is built on a specific collection of nodes: the NameNode (of which there is only one), which provides metadata services, and the DataNodes, which provide storage blocks, are the units of HDFS. However, HDFS has a drawback, namely a single point of failure, because there is only one NameNode. The work in [12] investigates the performance of the Hadoop benchmark suite running on both physical and virtual infrastructure on a test platform for edge computing deployment. Moreover, most of the work focuses on analyzing and compressing data with MapReduce. Compared with cloud computing, edge computing lacks research on data storage architecture.

Many existing works focus on the processing and computing resource management of fog/edge computing. Different from cloud-based systems that aggregate all edge data into a remote data center, edge/fog computing provides a more efficient and scalable platform that enables context-awareness, low latency, energy efficiency, and big data analytics [13, 14]. Resource partitioning is a hot topic in the wireless communication field [15,16,17]. Existing studies have mostly focused on the management of radio and frequency resources in femtocells and small cells. Due to the heterogeneous nature of wireless communication, the most popular approach to radio resource partitioning has been frequency reuse. Singh and Andrews [18] provided a joint analytical framework for user offloading and resource partitioning in co-channel heterogeneous networks. Recently, another study [19] exploited the Stackelberg game model to jointly optimize resource partitioning and data offloading in co-channel two-tier heterogeneous networks. However, different from resource partitioning in wireless communication, edge/fog computing pays more attention to recognizing the most popular delay-sensitive services regardless of the data scale or user number in a domain, so the existing studies on resource partitioning in wireless communication cannot be applied to fog/edge computing systems. Moreover, the existing resource partitioning approaches designed for cloud-enabled IIoT also cannot be applied to fog-enabled IoT directly. For example, Mach and Becvar [20] formulated a load balancing problem between multiple fog servers as cooperative resource sharing. However, this load balancing scheme requires all data traffic to pass through an additional load balancer. To improve the efficiency of big data analysis, the literature [21] proposed a computation partitioning model for mobile cloud computing. However, this method can only improve the data processing efficiency in the data center, and it does not adapt to the fog computing paradigm due to the decentralized nature of fog computing [22]. Except for the studies on flow shunting in IIoT, some early proposals [23, 24] also tried to develop autonomous resource allocation platforms for IoT to reduce the service response time in the fog environment. Recently, advocating that the underlying edge/fog computing infrastructures share their resources has also been very insightful [25, 26]. However, it is not easy to observe the computing states of all heterogeneous edge devices in real time [27].

3 Collaborative Trusted Edge/Fog Computing

A typical collaborative trusted service discovery system comprises three categories of entities: trust evidence providers, fog nodes, and trusted service discovery users, as shown in Fig. 1. (1) Trust Evidence Providers are IoT devices that have cooperated with fog nodes. When they work with fog nodes, each IoT device records trust evidence of the fog nodes according to their performance. The trust evidence can be recorded based on diverse trust properties in terms of Quality-of-Service (QoS) trust and social trust, where trust properties are the variables employed to measure trustworthiness. By aggregating the trust evidence, one can obtain the trust values of fog nodes and block untrusted nodes. (2) Fog Nodes run a cross-blockchain structure consisting of multiple parallel blockchains. Each parallel blockchain stores encrypted data of the fog nodes that serve a specific application. The encrypted data include the encrypted location information of fog nodes and the corresponding encrypted trust evidence collected by edge/fog devices. Fog nodes search for trusted fog nodes on behalf of users using the encrypted data in the blockchain, and then send back the encrypted trust evidence of the fog nodes that lie in the preset areas. (3) Trusted Service Discovery Users need to locate trusted fog nodes that can provide a specific service in predefined areas. They send an encrypted query request to fog nodes and ask them to send back the encrypted trust evidence belonging to the fog nodes that can provide that service in the search areas. The user then purchases the decryption key from the trust evidence provider and calculates the trust values of these nodes.

Fig. 1. Collaborative trusted service discovery architecture for fog computing

3.1 Fog Nodes Information Encryption

Step. 1: The generation of $\{L[i]\}$: Set the initial values of the scaled Zhongtang chaotic system as $x[0]$, $y[0]$, and $z[0]$. Three pseudorandom sequences $\{x[i]\}$, $\{y[i]\}$, $\{z[i]\}$ are constructed by iterating the chaotic system $2 \times N^2 \times 3 \times r$ times, where $N^2$ and $r$ denote the image size and the number of rounds of the color information encryption scheme, respectively. Then $l[i] = \max(x[i], y[i], z[i])$, and each element of the pseudorandom sequence $\{L[i]\}$ is calculated as $L[i] = \operatorname{mod}(\lfloor l[i] \times 10^{14} \rfloor, 256)$.

Step. 2: The construction of $M_2$: Present fog nodes as icons on a blank image $M_1$ using the rendering rules, which are as follows. The location of an icon on the image is determined by the coordinate information of the corresponding fog node, and the color of the icon is determined by the service type of that fog node. Then perform $r$ rounds of color information encryption operations on $M_1$ to obtain the intermediate image $M_2$:

$$
\left\{
\begin{array}{l}
f(x,y,k) = (y-1)\times N + (k-1)\times N^{2} + x,\\
R'_{M_1,k-1}(x,y) = L[f(x,y,k)] \oplus R_{M_1,k-1}(x,y),\\
R''_{M_1,k-1}(x,y) = R'_{M_1,k-1}(x,y) + L[f(x,y,k)+1],\\
R_{M_1,k}(x,y) = \operatorname{mod}\left(R''_{M_1,k-1}(x,y),\,256\right),\\
G'_{M_1,k-1}(x,y) = L[f(x,y,k+1)] \oplus G_{M_1,k-1}(x,y),\\
G''_{M_1,k-1}(x,y) = G'_{M_1,k-1}(x,y) + L[f(x,y,k+1)+1],\\
G_{M_1,k}(x,y) = \operatorname{mod}\left(G''_{M_1,k-1}(x,y),\,256\right),\\
B'_{M_1,k-1}(x,y) = L[f(x,y,k+2)] \oplus B_{M_1,k-1}(x,y),\\
B''_{M_1,k-1}(x,y) = B'_{M_1,k-1}(x,y) + L[f(x,y,k+2)+1],\\
B_{M_1,k}(x,y) = \operatorname{mod}\left(B''_{M_1,k-1}(x,y),\,256\right),
\end{array}
\right.
$$
(1)

$R_{M_1,k}(x,y)$, $G_{M_1,k}(x,y)$ and $B_{M_1,k}(x,y)$ denote the ciphertexts generated by performing $k$ rounds of color information encryption operations on $R_{M_1}(x,y)$, $G_{M_1}(x,y)$ and $B_{M_1}(x,y)$; $N^2$ is the total number of pixels in $M_1$.

Step. 3: The creation of $M_3$: The final encrypted image $M_3$ is obtained by performing $t$ rounds of the generalized Arnold transform on $M_2$, with $m$ and $n$ as the control parameters of the transform. One round of the generalized Arnold transform scrambles the coordinates of pixel $(x, y)$ as

$$
\left\{
\begin{array}{l}
R_{M_3}(x,y) = R_{M_2}\left(\operatorname{mod}(x+n\times y,\,N),\ \operatorname{mod}(m\times x+(n\times m+1)\times y,\,N)\right),\\
G_{M_3}(x,y) = G_{M_2}\left(\operatorname{mod}(x+n\times y,\,N),\ \operatorname{mod}(m\times x+(n\times m+1)\times y,\,N)\right),\\
B_{M_3}(x,y) = B_{M_2}\left(\operatorname{mod}(x+n\times y,\,N),\ \operatorname{mod}(m\times x+(n\times m+1)\times y,\,N)\right).
\end{array}
\right.
$$
(2)

The final encrypted image $M_3$ is thus obtained by encrypting the intermediate image $M_2$ with $t$ rounds of the generalized Arnold transform. Moreover, the trust evidence of each fog node is also encrypted with a symmetric-key algorithm under a specific encryption key. After that, $M_3$ is stored in the parallel blockchain along with the encrypted trust evidence.

3.2 Trusted Service Request Generation

Trusted service request generation includes the following two steps.

Step. 1: The construction of the trusted service request: In the trusted service request, the trusted service discovery user defines the service type of the fog nodes and the area in which they should provide service. Then the user renders the search area on an image $M_4$ using the rendering rules.

Step. 2: The encryption of the trusted service request: Encrypt $M_4$ to obtain the final encrypted image $M_5$, using the same encryption algorithm and key set as for $M_1$. Then the query request $M_5$ is sent to the fog node of the parallel blockchain.

3.3 Privacy-Preserving Range Query and Response

Step. 1: The construction of query criteria: Query criteria are used to judge whether $M_3$ meets the demand of the trusted service discovery user. The query criteria for pixel $M_5(x,y)$ are calculated as

$$
\left\{
\begin{array}{l}
U(x,y) = R_{M_3}(x,y) \oplus R_{M_5}(x,y),\\
V(x,y) = G_{M_3}(x,y) \oplus G_{M_5}(x,y),\\
W(x,y) = B_{M_3}(x,y) \oplus B_{M_5}(x,y).
\end{array}
\right.
$$
(3)

Step. 2: Results list (RL) creation: For $M_5(x,y)$, the coordinate information and color information of the pixel are stored into RL if $U(x,y)$, $V(x,y)$ and $W(x,y)$ are all zero. Then the query response RL and the corresponding encrypted trust evidence of the fog nodes are stored into the router parallel blockchain and sent to the corresponding trusted service discovery user in an off-chain manner by the fog node.

3.4 Trusted Evidence Aggregation

For each $R_{M_5}(x,y)$, $G_{M_5}(x,y)$, $B_{M_5}(x,y)$ in the results list, the original coordinate values $(X, Y)$ can be obtained by performing $t$ rounds of the inverse generalized Arnold transform on $(x, y)$. After that, the color component values of the corresponding original pixel can be retrieved by decrypting $R_{M_5}(x,y)$, $G_{M_5}(x,y)$, $B_{M_5}(x,y)$ with $r$ rounds of color information decryption operations. The $k$-th round of color information decryption on $M_5(x,y)$ can be expressed as in (4).

$$
\left\{
\begin{array}{l}
f(X,Y,k) = N\times(Y-1) + X + (k-1)\times N^{2},\\
DR'_{M_5,k-1}(x,y) = DR_{M_5,k-1}(x,y) - L[f(X,Y,k)+1],\\
DR''_{M_5,k-1}(x,y) = \operatorname{mod}\left(DR'_{M_5,k-1}(x,y),\,256\right),\\
DR_{M_5,k}(x,y) = L[f(X,Y,k)] \oplus DR''_{M_5,k-1}(x,y),\\
DG'_{M_5,k-1}(x,y) = DG_{M_5,k-1}(x,y) - L[f(X,Y,k+1)+1],\\
DG''_{M_5,k-1}(x,y) = \operatorname{mod}\left(DG'_{M_5,k-1}(x,y),\,256\right),\\
DG_{M_5,k}(x,y) = L[f(X,Y,k+1)] \oplus DG''_{M_5,k-1}(x,y),\\
DB'_{M_5,k-1}(x,y) = DB_{M_5,k-1}(x,y) - L[f(X,Y,k+2)+1],\\
DB''_{M_5,k-1}(x,y) = \operatorname{mod}\left(DB'_{M_5,k-1}(x,y),\,256\right),\\
DB_{M_5,k}(x,y) = L[f(X,Y,k+2)] \oplus DB''_{M_5,k-1}(x,y).
\end{array}
\right.
$$
(4)

The location information of the fog nodes that fulfill the requirement of the trusted service discovery user is stored in the decrypted RL. The user then sends some cryptocurrency to the trust evidence provider to obtain the decryption key. The user can also purchase encrypted trust evidence from other parallel blockchains through cryptocurrency exchange. Finally, the trusted service discovery user can evaluate the trustworthiness of the fog nodes by aggregating the obtained trust evidence.
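The following Python script is an added worked example, not code from the chapter or from the CTSD authors. It runs the pipeline of Sections 3.1 to 3.4 end to end on constructed data: fog nodes rendered as icons on $M_1$, $r$ rounds of the color encryption of Eq. (1), $t$ rounds of the generalized Arnold scrambling of Eq. (2), encryption of a query image $M_4$ with the same key set, the XOR query criteria of Eq. (3) on the fog node, and the user-side recovery of Section 3.4. Assumptions: the scaled Zhongtang chaotic system is replaced by a seeded PRNG (the page gives no system parameters), the rendering colors, image size, Arnold parameters and fog node positions are constructed, and the decryption rounds of Eq. (4) are undone in reverse order so that each step inverts its encryption counterpart.

```python
import random

# Constructed rendering rules; the chapter fixes only their shape (position = location,
# color = service type). Black marks "not queried" cells of a query image.
WHITE, BLACK = (255, 255, 255), (0, 0, 0)
SERVICE_COLOR = {"compute": (255, 0, 0), "storage": (0, 255, 0)}

def keystream(key, size, r):
    """Step 1 of Sec. 3.1 with a stand-in generator: a seeded PRNG (assumption) replaces the
    Zhongtang chaotic system. The list is 1-based so L[f(x, y, k)] reads as in Eq. (1)."""
    rng = random.Random(key)
    L = [None]
    for _ in range(2 * size * size * 3 * r + 2):
        l = max(rng.random(), rng.random(), rng.random())
        L.append(int(l * 10**14) % 256)
    return L

def f(x, y, k, size):
    """Index function of Eq. (1); x, y are 1-based and size is N."""
    return (y - 1) * size + (k - 1) * size * size + x

def encrypt_pixel(px, x, y, L, size, r):
    """r rounds of Eq. (1) on one RGB pixel at 0-based (x, y); channel c uses round index k + c."""
    px = list(px)
    for k in range(1, r + 1):
        for c in range(3):
            i = f(x + 1, y + 1, k + c, size)
            px[c] = ((L[i] ^ px[c]) + L[i + 1]) % 256
    return tuple(px)

def decrypt_pixel(px, X, Y, L, size, r):
    """Eq. (4): the index uses the original position (X, Y); rounds are undone from r down
    to 1 so that every step inverts the matching encryption step."""
    px = list(px)
    for k in range(r, 0, -1):
        for c in range(3):
            i = f(X + 1, Y + 1, k + c, size)
            px[c] = L[i] ^ ((px[c] - L[i + 1]) % 256)
    return tuple(px)

def arnold_coords(x, y, size, m, n):
    """One round of Eq. (2): the pixel written at (x, y) is read from the returned position."""
    return (x + n * y) % size, (m * x + (n * m + 1) * y) % size

def arnold(img, size, m, n, t):
    """t rounds of Eq. (2) on a whole image stored as img[x][y]."""
    for _ in range(t):
        nxt = [[None] * size for _ in range(size)]
        for x in range(size):
            for y in range(size):
                sx, sy = arnold_coords(x, y, size, m, n)
                nxt[x][y] = img[sx][sy]
        img = nxt
    return img

def original_coords(x, y, size, m, n, t):
    """Sec. 3.4: each round reads (x, y) from arnold_coords(x, y), so the source after t rounds is the map applied t times."""
    for _ in range(t):
        x, y = arnold_coords(x, y, size, m, n)
    return x, y

def render(size, icons, fill):
    """Rendering rule: one icon pixel per fog node (or per queried cell), `fill` elsewhere."""
    img = [[fill] * size for _ in range(size)]
    for (x, y), color in icons.items():
        img[x][y] = color
    return img

def encrypt_image(img, key, size, r, m, n, t):
    """M1 -> M2 (color rounds) -> M3 (scrambling); the same call turns a query M4 into M5."""
    L = keystream(key, size, r)
    m2 = [[encrypt_pixel(img[x][y], x, y, L, size, r) for y in range(size)] for x in range(size)]
    return arnold(m2, size, m, n, t)

def range_query(m3, m5, size):
    """Eq. (3) on the fog node: a pixel enters RL only when U, V, W (channel XORs) are all zero."""
    return [(x, y, m3[x][y]) for x in range(size) for y in range(size)
            if all(a ^ b == 0 for a, b in zip(m3[x][y], m5[x][y]))]

def recover(rl, key, size, r, m, n, t):
    """Sec. 3.4 on the user side: unscramble each RL entry, then decrypt its color."""
    L = keystream(key, size, r)
    out = []
    for x, y, enc in rl:
        X, Y = original_coords(x, y, size, m, n, t)
        out.append(((X, Y), decrypt_pixel(enc, X, Y, L, size, r)))
    return sorted(out)

def demo():
    size, r, m, n, t = 8, 2, 1, 2, 3     # N, color rounds, Arnold m and n, scrambling rounds
    key = "constructed-shared-key"       # key set shared by provider and user (Sec. 3.2)
    nodes = {(1, 2): SERVICE_COLOR["compute"], (5, 6): SERVICE_COLOR["compute"],
             (6, 1): SERVICE_COLOR["storage"], (2, 3): SERVICE_COLOR["storage"]}
    m3 = encrypt_image(render(size, nodes, WHITE), key, size, r, m, n, t)
    # Query M4: "compute" service anywhere in the 4x4 area x, y in 0..3 (Sec. 3.2).
    area = {(x, y): SERVICE_COLOR["compute"] for x in range(4) for y in range(4)}
    m5 = encrypt_image(render(size, area, BLACK), key, size, r, m, n, t)
    return recover(range_query(m3, m5, size), key, size, r, m, n, t)   # [((1, 2), (255, 0, 0))]
```

`demo()` returns the single compute node inside the queried area. The match works because the per-pixel transform is deterministic and bijective at every position, so equal plaintext pixels give equal ciphertext pixels; the same property means that whoever holds $M_3$ and any $M_5$ learns exactly which positions agree, so the confidentiality of the scheme rests on the key set and the Arnold parameters staying with the provider and the user.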

The proposed Collaborative Trusted Service Discovery (CTSD) evaluates the credibility of fog nodes by collaboratively aggregating trust evidence using cross-blockchain-enabled fog computing. A cross-blockchain structure is first proposed to ensure that the encrypted location information and trust evidence of fog nodes can be propagated in a tamper-proof and eavesdropping-resistant manner. A novel privacy-preserving range query based collaborative trust evidence aggregation is then proposed to aggregate encrypted trust evidence using encrypted location information. The proposed CTSD improves the trustworthiness of fog computing.

4 Intrusion Detection and Security Isolation for Edge/Fog Computing

Currently, intrusion detection and security isolation are very important issues for edge/fog computing in content-centric environments. Host Defense Fog Nodes (HDFNs) are constructed between host nodes and network nodes in edge/fog computing networks. Host defense is deployed logically between hosts and the next hop of edge/fog computing nodes to prevent malicious data from entering the content. It is placed on fog nodes that achieve seamless geographic coverage of hosts. Each host is in the jurisdiction of one corresponding fog node. Moreover, because the computation is carried out by the fog nodes, the burden on hosts of configuring the defense mechanism is sharply reduced.

4.1 Basic Idea of Edge Defense Mechanism with Content Semantic Awareness

The proposed edge defense for edge/fog computing provides protection with semantic reasoning and smart content threat awareness. The proposed system utilizes fog computing for boundary isolation. Fog computing, which offloads intelligence and resources from the cloud center to the edge network, is introduced to provide the edge computation and distribution required by the proposed defense mechanism. Fog computing provides context and content awareness for semantic analysis and customized configuration of intrusion detection and security isolation. Without being placed on routers or hosts, the requirements on infrastructure performance are greatly reduced. Moreover, we propose a semantic reasoning approach based on a Knowledge Graph (KG). It is designed to collect security knowledge and mine the illegal information relationships that may exist between the requested content and the blacklist. To protect against potential and ongoing attacks, our algorithm collects contextual traffic related to the pending packets, emphasizing the relevant semantic dimensions to guide reasoning. Potential threats of pending packets and their response data can be predicted by analyzing content attributes from interest names.

Smart reasoning algorithms that use semantic knowledge to mine potential content threats are proposed on top of the KG. First, the communication context is selected as weights, based on semantics, to guide the inference direction. Moreover, weighted semantic inference is designed to reason about threatening relations and knowledge from interest packets and then limit the content of response packets. The proposed semantic inference mechanism can perceive penetrating and obfuscated content threats, and configures customized knowledge policies for distinct interests according to the security knowledge constructed from inference.

4.2 Architecture of Smart Reasoning Based Content Threat Fog-Defense

Host Defense Fog Nodes (HDFNs) are constructed between hosts and networks. Host defense is deployed logically between hosts and the next hop of edge/fog nodes to prevent malicious data from entering edge/fog systems. It is placed on fog nodes that achieve seamless geographic coverage of hosts. Each host is in the jurisdiction of one corresponding edge/fog computing node. Moreover, because the computation is carried out by the fog nodes, the burden on hosts of configuring the defense mechanism is sharply reduced. The basic architecture is shown in Fig. 2.

Fig. 2. Structure design of the proposed HDFNs

The monitoring layer receives packets from the source and records the communication histories of the covered edge/fog nodes, including location, terminals, activities and resources. By parsing and inspecting packets, both requests and responses, together with the device attributes of each edge/fog computing node, the monitoring layer helps to perceive host behavior and contextual traffic.

The context analysis layer parses the pending packet and extracts the necessary content. From interest packets, the content name, the publisher key and the exclusion information for the names of responses are extracted. For data packets, the components of the name, the signature, the signed information and the content are extracted into the database. The extracted content is analyzed to compute its relevance to the communication history and to select the most related context packets.

The strategy layer implements semantic reasoning with the Knowledge Graph on packet names and content to mine inherent threats. For interest packets, the strategy layer first selects the relevant context traffic and calculates a correlation weight matrix to guide the direction of reasoning. It then mines implicit threatening entities and underlying threatening relations between the content and the blacklists. By combining the interest packet components to limit the producer identity and exclude package names, user-configured strategies are generated, which are called interest-configured strategies (ICSs).

In the filtering layer, blacklist-based content matching is performed to block anomalous requests. In addition, data integrity and validity are checked to prevent requests and ICSs from being tampered with by malicious nodes for interest packets. For received data packets, ICS matching, content filters, and integrity and validity permission checking are applied in order. In data packets the whole content is filtered to prevent attacks with illegal and false content, whereas in interest packets the content names are filtered to detect malicious requests.

In the security layer, in order to extend the blacklist with the reasoned threats, an ICS tag is added to interest packets by the tagging module. Therefore, the other edge/fog computing nodes save the time and energy of processing the packets and acquire the ICSs when caching the interest. The encryption module encrypts the tagged interest packet. The transport layer then forwards the new packets to the next hop.

4.3 Smart Semantic Reasoning for Defense Knowledge Policy

The PTransE model is applied to find the potential sensitive entities that compose a relation between requests and blacklists, which are likely to be the obfuscated objects in the responded data packets. One vector captures the meaning of each element, i.e., head entity $e_h$, relation $r$ and tail entity $e_t$, and the others are the projection vectors $e_{hp}$, $e_{tp}$, which construct two mapping matrices $\beta_{re_h}$ and $\beta_{re_t}$. PTransE takes multi-step relation paths into consideration for representation learning; the score function over multiple steps is defined as follows.

$$
F_r(O^{\beta}) = \frac{\sum_{p^m \in O^{\beta}(e_h,e_t)} \Gamma(p^m \mid e_h, e_t)\, F_r(p^m)}{\sum_{p^m \in O^{\beta}(e_h,e_t)} \Gamma(p^m \mid e_h, e_t)}
$$
(5)

During training, we take KG triples as learning samples to optimize the parameters of the loss function as is proposed in. We construct false triples as negative samples by replacing random elements of KG triples. The loss function value is continuously reduced through learning, so that the entity vectors and relation matrices better reflect the semantic information of entities and relations. Relations whose semantics are similar to the context and the requests are learnt as a result. We trained the model to optimize the loss metric, thus obtaining the multi-step relations of entity pairs $O^{\beta}(e_h, e_t) = \{p^m_1, \cdots, p^m_{\alpha}\}$, where each relation path is $p^m = (\tau_1, \cdots, \tau_l)$.

To guide the relation path direction, we modify the resource function $\Gamma(p^m \mid e_h, e_t)$, which measures the resource flowing from $e_h$ to $e_t$, as the path reliability. When the middle entity $e_{i-1} \in W_c$, the resource allocated to the next entity is weakened by the relevance weight, which results in a lower loss function value during learning. The weight $\theta$ is defined as below.

$$
\Gamma(p^m \mid e_{i-1}, e_i) = \sum_{e_{i-1}\in E_{i-1}} \theta\, \frac{\Gamma(p^m \mid e_h, e_{i-1})}{|E_i|},
\qquad
\theta = \begin{cases}
e^{-\tau_i^{c}}, & \text{if } e_h' \text{ or } e_t' \in W_c,\\
1, & \text{otherwise.}
\end{cases}
$$
(6)

As a result, the blacklists are expanded with the reasoned middle entities for each request. A response is blocked when the middle entities are detected in the packet content.
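As an added example (not the chapter's code), the following Python script gives a simplified, per-path reading of the resource flow of Eq. (6) together with the strategy and filtering layers: one unit of resource starts at the requested entity $e_h$, is split evenly among the $|E_i|$ successors at each hop and scaled by $\theta$, and the middle entities of paths that reach a blacklisted entity with reliability above a threshold become the ICS for that request; a data packet is then blocked if its content mentions a blacklisted or reasoned entity. The KG triples, the blacklist, the context set $W_c$ (given as a mapping from entity to relevance $\tau$), the threshold and the packet content are all constructed; the learned PTransE embeddings and the score function of Eq. (5) are not reproduced, the graph edges are taken as given.

```python
import math

# Constructed toy knowledge graph (head, relation, tail). The chapter builds its KG from
# collected security knowledge; these triples are illustrative only.
KG = [
    ("firmware_update", "hosted_on", "mirror_host"),
    ("firmware_update", "signed_by", "vendor_key"),
    ("vendor_key", "issued_by", "vendor_ca"),
    ("mirror_host", "serves", "dropper_binary"),
    ("mirror_host", "serves", "patch_notes"),
    ("patch_notes", "refers_to", "dropper_binary"),
]
BLACKLIST = {"dropper_binary"}   # constructed blacklist


def successors_by_relation(kg, entity):
    """Outgoing edges of `entity`, grouped by relation: {relation: [tail, ...]}."""
    groups = {}
    for head, rel, tail in kg:
        if head == entity:
            groups.setdefault(rel, []).append(tail)
    return groups


def theta(e_prev, e_next, context):
    """Weight of Eq. (6): e^(-tau) when an endpoint lies in W_c, else 1. `context` maps
    entity -> relevance tau (assumption on how tau_i^c is supplied by the context layer)."""
    tau = max(context.get(e, 0.0) for e in (e_prev, e_next))
    return math.exp(-tau)


def reason_paths(kg, start, blacklist, context, max_len):
    """Per-path resource flow in the spirit of Eq. (6): one unit leaves e_h and at each hop
    is split evenly among the |E_i| successors (same relation) and scaled by theta.
    Returns (path, reliability) for every path of at most max_len hops ending in the blacklist."""
    found = []

    def walk(path, flow):
        here = path[-1]
        if here in blacklist:
            found.append((tuple(path), flow))
            return
        if len(path) - 1 >= max_len:
            return
        for tails in successors_by_relation(kg, here).values():
            for tail in tails:
                if tail not in path:                   # never revisit an entity on the path
                    walk(path + [tail], flow * theta(here, tail, context) / len(tails))

    walk([start], 1.0)
    return found


def build_ics(kg, request_entity, blacklist, context, max_len=3, threshold=0.1):
    """Strategy layer: middle entities of sufficiently reliable request-to-blacklist paths
    form the interest-configured strategy (ICS) for this request."""
    ics = set()
    for path, reliability in reason_paths(kg, request_entity, blacklist, context, max_len):
        if reliability >= threshold:
            ics.update(path[1:-1])
    return ics


def filter_data_packet(content_tokens, blacklist, ics):
    """Filtering layer for a data packet: block on the first blacklisted or reasoned entity."""
    for tok in content_tokens:
        if tok in blacklist or tok in ics:
            return ("block", tok)
    return ("allow", None)


def demo():
    context = {"patch_notes": 1.0}      # constructed W_c: patch_notes carries relevance tau = 1
    ics = build_ics(KG, "firmware_update", BLACKLIST, context)
    packet = ["firmware", "v2", "mirror_host", "checksum"]   # constructed response content
    return ics, filter_data_packet(packet, BLACKLIST, ics)
```

With the constructed context, the path through `patch_notes` is damped by $e^{-1}$ at both of its hops and falls below the threshold, so only `mirror_host` enters the ICS; with an empty context both paths have reliability 0.5 and `patch_notes` is added as well. This is the detection half of the mechanism only; the ICS tagging and encryption of the security layer are not shown.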

To build edge defense against potential content threats, we proposed a fog-based content threat defense scheme with content-oriented semantic reasoning. The proposed mechanism realizes edge defense against content threats by blocking illegal content and unexpected access. Smart reasoning models for semantics with context awareness were proposed to mine potential threatening knowledge from packets. The simulation results showed that the proposed fog-based ICN defense mechanism can provide valid and efficient isolation defense. This work is significant in improving ICN security.

5 Storage Resource Intelligent Orchestration for Edge/Fog Computing

5.1 Basic Idea of Proposed Edge Unified Big Data Intelligent Storage Architecture

The proposed architecture divides edge nodes into two types based on their functions, namely edge servers and edge data prosumers. Edge data prosumers are the edge nodes that are data producers and consumers simultaneously. Each edge server is composed of a Master and several data containers. The Master is equivalent to an agent with control and management capabilities, and the data containers perform the storage tasks assigned by the Master.

There are three main functional modules in the Master: synchronization communication management, dynamic storage, and multi-user data write and mapping. The most distinctive feature is storing data dynamically to meet the requirements of edge computing: the Master can use intelligent recommendation algorithms to decide the storage location of the data by learning from data checking and labeling. As for communication management, the Master manages the request and reception of data, which improves the liquidity of data between edge servers. We also set up a communication protocol pool to enhance the portability and scalability of the edge server. Similar to HDFS, the data mapping table facilitates data lookup. The difference is that it supports arbitrary modification and deletion of data, and a file can have multiple writers. The data container reports its remaining storage space to the Master in time. It stores edge fragmented data and user private data, such as the ID number of a personal medical record in medical scenes, as well as public shared data that was previously stored in the cloud. Data popularity is the criterion for a data storage location and is, therefore, an important component of data tags.

The workflow of the proposed architecture is shown in Fig. 3; it achieves a cloud-edge collaborative mechanism. Edge data prosumers can perform data pre-classification and preprocessing for edge services. The initial popularity of the data is marked by them and initialized based on how the data is called. They make the data more valuable and easier to analyze for tasks such as machine learning. Data uploading and downloading are the basic functions of the data prosumers. In this paper, we have enhanced the characteristics of the edge servers. Edge servers can store data sent by the cloud and by the edge. The stored data is dynamic and circulates among the edge servers. This architecture pays more attention to the interactivity between edge servers. Besides, the cloud can audit messages, and it also provides computing service and data storage. Both data sharing and message sharing happen in the cloud.

Fig. 3 Unified edge big data storage architecture

5.2 Machine Learning Based Dynamic Data Storage Strategy

The dynamic storage area in the Master ensures the real-time characteristics of edge computing. Firstly, the Master reads the data popularity from the data tag and, using popularity as the key indicator, applies Q-learning to determine where the data is stored. This ensures that frequently used data is kept on the edge server, while data that is used infrequently and is not user-private can be stored in the cloud, reducing both data recall time and the cost of consumed resources. The Master also updates the data label according to scalable recommendation algorithms (e.g., knowledge-based recommendation, deep learning). Secondly, by checking the timestamp of the data, the Master determines whether it has expired and drops expired data promptly. Thirdly, when the data container reaches its capacity threshold, the Master cleans out redundant stored contents until there is free space to assign tasks again.

5.3 Dynamic Storage Model

Let \( a_e(t_e) \) denote the storage action vector in slot \( t_e \). \( [a_e(t_e)]_{d_{ji}} = 1 \) indicates that data \( d_{ji} \) is stored in a container of Master \( y_j \), and \( [a_e(t_e)]_{d_{ji}} = 0 \) otherwise. We update the popularity of the data depending on the requests received from the prosumers, defined as

$$ DP_{d_{ji}}(t_e) = \alpha \cdot DP_{d_{ji}}(t_e - 1) + (1 - \alpha) \cdot \frac{N_{d_{ji}}}{\frac{1}{D} \sum_{q=1}^{D} N_{q_{ji}}} $$
(7)

Having observed the prosumer requests at the end of slot \( t_e \), the edge server state is expressed as

$$ s_e(t_e) = \left[ a_e^{T}(t_e),\; DP^{T}(t_e) \right]^{T} $$
(8)

Storage performance can be estimated via the state value function

$$ V_{\pi}\big(s_e(t_e)\big) = \lim_{T \to \infty} E\left[ \sum_{\tau = t_e}^{T} \gamma^{\tau - T} \, C\big(s_e[\tau], \pi(s_e[\tau])\big) \right] $$
(9)

which is the overall average cost accumulated over an infinite time horizon, with the discount parameter \( \gamma \) between 0 and 1 balancing current against future costs. The optimal policy \( \pi^{\ast} \), which yields the minimal cost, is

$$ \pi^{\ast} = \operatorname{argmin}_{\pi \in \varPi} V_{\pi}(s_e), \quad \forall s_e \in S $$

To give a clear overview of how Q-learning works, we define the state-action value function based on the policy \( \pi \), namely. We use an \( \varepsilon_t \)-greedy algorithm to converge toward the best policy. Algorithm 1 shows the dynamic storage mathematical model.

Algorithm 1 Dynamic storage model
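As an added example (not the chapter's or any project's code), the following Python sketch implements the popularity update of Eq. (7), the state vector of Eq. (8), and a tabular Q-learning placement policy with an \( \varepsilon_t \)-greedy schedule in the spirit of Algorithm 1, together with the expiry and capacity housekeeping of Sect. 5.2. The per-slot cost model (a flat edge storage charge versus a per-request fetch penalty for cloud-resident data), the popularity buckets used as Q-table states, and the synthetic request workload are assumptions of the example, not from the chapter.

```python
"""Added example (not the chapter's code): Eq. (7) popularity update, Eq. (8)
state vector, tabular Q-learning placement with epsilon_t-greedy exploration
(Sect. 5.3), and the expiry/capacity housekeeping of Sect. 5.2.
Cost model, popularity buckets and workload are assumptions of this example."""
import random

EDGE, CLOUD = 1, 0            # storage action for one data item: a_e entry = 1 or 0
STORAGE_CHARGE = 1.0          # assumed cost of keeping an item at the edge for one slot
FETCH_PENALTY = 0.5           # assumed cost of serving one request for a cloud-resident item
N_BUCKETS = 3                 # coarse popularity levels used as Q-table states


def update_popularity(prev_dp, n_requests, all_requests, alpha=0.8):
    """Eq. (7): DP_d(t) = alpha*DP_d(t-1) + (1-alpha) * N_d / ((1/D) * sum_q N_q)."""
    mean = sum(all_requests) / len(all_requests)
    if mean == 0:             # no requests at all in this slot: only the decay term remains
        return alpha * prev_dp
    return alpha * prev_dp + (1 - alpha) * n_requests / mean


def edge_state(actions, popularities):
    """Eq. (8): s_e(t_e) = [a_e^T(t_e), DP^T(t_e)]^T, flattened to one tuple."""
    return tuple(actions) + tuple(popularities)


def bucket(dp):
    """Discretise a relative popularity into a Q-table state index (assumed thresholds)."""
    if dp < 0.5:
        return 0
    if dp < 1.5:
        return 1
    return N_BUCKETS - 1


def slot_cost(action, n_requests):
    """C(s, a) for one item and one slot under the assumed cost model."""
    return STORAGE_CHARGE if action == EDGE else FETCH_PENALTY * n_requests


def train_placement_policy(request_probs, slots=3000, requests_per_slot=10,
                           lr=0.1, gamma=0.9, seed=7):
    """Learn Q[bucket][action] by minimising discounted cost over a constructed
    workload: request_probs[d] is the chance that each of the slot's
    requests_per_slot prosumer requests targets item d."""
    rng = random.Random(seed)
    q = [[0.0, 0.0] for _ in range(N_BUCKETS)]
    dp = [1.0] * len(request_probs)             # initial popularity marked by prosumers
    for t in range(slots):
        eps = max(0.05, 1.0 - t / slots)        # epsilon_t-greedy: explore less over time
        counts = [sum(rng.random() < p for _ in range(requests_per_slot))
                  for p in request_probs]
        for d, n in enumerate(counts):
            s = bucket(dp[d])
            if rng.random() < eps:
                a = rng.choice((EDGE, CLOUD))
            else:
                a = EDGE if q[s][EDGE] <= q[s][CLOUD] else CLOUD
            cost = slot_cost(a, n)
            dp[d] = update_popularity(dp[d], n, counts)
            s_next = bucket(dp[d])
            # Q-learning update for a cost-minimising agent (min instead of max)
            q[s][a] += lr * (cost + gamma * min(q[s_next]) - q[s][a])
    return q


def placement(q, dp):
    """Greedy policy pi*(s): the action with the lower learned cost for this popularity."""
    s = bucket(dp)
    return EDGE if q[s][EDGE] <= q[s][CLOUD] else CLOUD


def housekeeping(container, now, ttl, capacity):
    """Sect. 5.2, steps two and three: drop entries whose timestamp has expired, then
    evict the least popular entries until the container is within its capacity.
    container maps item_id -> (timestamp, popularity); returns the ids dropped."""
    dropped = [i for i, (ts, _) in container.items() if now - ts > ttl]
    for i in dropped:
        del container[i]
    while len(container) > capacity:
        victim = min(container, key=lambda i: container[i][1])
        del container[victim]
        dropped.append(victim)
    return dropped


if __name__ == "__main__":
    q_table = train_placement_policy([0.9, 0.5, 0.05])   # hot, warm and cold items
    for dp_value in (2.0, 1.0, 0.1):
        where = "edge" if placement(q_table, dp_value) == EDGE else "cloud"
        print(f"popularity {dp_value}: keep at {where}")
```

With the constructed workload the learned table keeps hot and warm items at the edge and leaves the cold item in the cloud. Note that the rule in Sect. 5.2 that only non-private data may go to the cloud is not part of the learned policy; it has to be enforced as a hard constraint on the data tag before the Q table is consulted, otherwise a popularity dip would move private records off the edge.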

6 Service Popularity-Based Smart Resources Partitioning for Edge/Fog Computing

6.1 Basic Idea

To resolve the imbalance between resource providers and consumers at the network edge, a smart resource partitioning scheme (SRPS) is proposed, as shown in Fig. 4.

Fig. 4 Architecture of SRPS

SRPS has three key components.

(1) Global fog identifier (GFID): SRPS uses the GFID to name each fog node. The separation between the GFID and the global service identifier (GSID) provides support for global observability.

(2) SRPS controller: the SRPS controller monitors and controls the computing states of all fog nodes in F-edge/fog and maintains the mapping from GFID to GSID. If a fog node moves from GSID to GSID' or its computing resources are exhausted, service providers can redirect service requests to a new address to find computing resources without any service interruption.

(3) Computing task stream list (CTSL): to realize automatic resource partitioning, the CTSL is introduced; it includes three basic tuples: MatchField, ActionField, and Counter. The parameters in each tuple can be customized in advance by the system designers of F-edge/fog.

Since the cloud usually aggregates large-scale computing, storage, and network resources, an SRPS controller can be implemented in the cloud to monitor the global states of geo-distributed fog entities. Edge/fog users can also optimize the resource allocation of each fog node by adding their own scheduling algorithms to the SRPS controller. The states of each underlying infrastructure element (e.g., GPS, camera, liquid meter, and thermometer) are identified by geo-distributed fog nodes. We emphasize that all edge devices are equipped with SDN protocols. In particular, all computing tasks on different edge devices are labeled as record items and added to the defined CTSL.

6.2 Service Popularity Model

Consider many different types of edge/fog services to be processed at the edge/fog. An edge/fog service is denoted as \( E = \{\alpha_{type}, \beta_{task}, \gamma_{SLA}\} \), where \( \alpha_{type} \), \( \beta_{task} \) and \( \gamma_{SLA} \) denote the application type, the computing task and the computing quality contract (CQC). It is common for a fog node to serve multiple edge/fog service sessions simultaneously. Similar to the content caching problem in edge/fog computing systems, the popularity of edge/fog service E on the i-th fog node is modeled through a generalized Zipf function.

$$ Z_i^{E}(k_t) = \frac{\varOmega}{k_t^{\gamma}}, \quad k_t = 1, 2, \dots, K, $$
$$ k_{t+\Delta t} = \left(Z_i^{E}\right)^{-1}\!\left( Z_i^{E}(k_t) + \lambda_{\Delta t} \right). $$
(10)

where \( \varOmega = \left(\sum_{k=1}^{K} \frac{1}{k^{\gamma}}\right)^{-1} \), \( 0 \le \gamma \le 1 \) is the exponent, and \( k_t \) denotes the popularity ranking of edge/fog service E on the i-th fog node at time t. \( \lambda_{\Delta t} \) is the number of type-E edge/fog services arriving at the i-th fog node during the interval \( \Delta t \), and \( \left(Z_i^{E}\right)^{-1}(\ast) \) is the inverse function of \( Z_i^{E}(\ast) \).

Originally, Zipf's law was found by observing and analyzing word frequency distributions. About 20 years ago, the distribution of many Internet services was proven to follow Zipf's law, and many existing web caching strategies use Zipf's law to model Internet users' service requests. More recently, popularity-based smart caching for information-centric networking (ICN) has used Zipf's law to model the content distribution. Zipf's law is now applied in many fields such as linguistics, geography, economics, and broadcast TV. Similar to Internet services, the distribution of edge/fog services also follows Zipf's law. This paper exploits Zipf's law to predict the computing cost of edge/fog services by calculating their popularity rankings. A fog node obtains the popularity rankings of edge/fog services by analyzing the statistics of past and current logs in real time.

6.3 Computing Cost

To improve resource utilization and computing quality, fog nodes prefer to process popular edge/fog services locally, with fewer remote-control operations (e.g., wake up, sleep, and migration).

For multiple types of edge/fog services at time t, the computing cost of one edge/fog service \( E_j \) on a fog node is defined by the following function:

$$ C_i^{E_j} = \frac{C_i^{E_0}}{Z_i^{E_j}(k_t)} $$
(11)

where \( C_i^{E_0} \) is the fixed original computing cost on the j-th fog node when \( Z_i^{E_j}(k_t) = 1 \).

By combining Eqs. (1)–(3), the relationship between computing cost and service popularity is a convex function when \( \gamma < 1 \) and a concave function when \( \gamma > 1 \). Moreover, for a fixed \( \Delta R \), \( \Delta C_2 \) is larger than \( \Delta C_1 \), and \( \Delta C_2' \) is smaller than \( \Delta C_1' \). In other words, for \( \gamma < 1 \), a change of service popularity when \( k_t < 7 \) has a greater impact on the computing cost than a change when \( k_t > 16 \). For \( \gamma > 1 \), a change of service popularity has a greater impact on the computing cost when \( k_t > 13 \) than when \( k_t < 20 \). In this paper, SRPS shifts the less popular services on the i-th fog node to other fog nodes to minimize their computing costs under \( \gamma > 1 \).

6.4 Popularity-Aware Computation Partitioning Algorithm

The workflow of Algorithm 2 is described step by step as follows. The input parameters of Algorithm 2 are \( \lambda_{\delta_t}, f_h, k_i, Th, R_{ij}, L_f^R, \gamma_{CQC} \). Among them, \( \lambda_{\delta_t}, f_h, R_{ij}, L_f^R \) can be calculated by the fog server from the edge/fog service requests in a real system. \( Th \) and \( \gamma_{CQC} \) are two constants configured by the edge/fog engineer according to engineering experience in the applied edge/fog scenario. \( k_i \) is a statistical variable that can be calculated. When the data flows of edge/fog services arrive at the fog node, their service type is identified and the edge/fog service popularity rank on this fog node is updated. If the rank of an arriving edge/fog service is less than \( Th \), it is pushed into the pending list; otherwise, it is pushed into the forwarding list (FW List). For each edge/fog service on the pending list, the fog node calculates the computing cost of providing it and checks whether the computing quality lies within the scope of \( \gamma_{CQC} \); the fog node then selects a policy (which may be the identity of a virtual machine). For each edge/fog service on the FW List, the fog node sends it to the SRPS controller for deeper analysis.

Algorithm 2 Popularity-aware computation partitioning
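As an added example (not the chapter's or any project's code), the following Python code ties Sects. 6.2 through 6.4 together for a single fog node: the generalized Zipf popularity of Eq. (10), the popularity-to-cost relation of Eq. (11), popularity ranks derived from a constructed request log, and the pending/FW-list split of Algorithm 2. Two points the chapter leaves open are assumptions of the example: the arrival count \( \lambda_{\Delta t} \) is divided by the window's total requests before being added to the Zipf popularity, and \( \gamma_{CQC} \) is treated as an upper bound on the acceptable local computing cost. The request log, \( Th \) and \( \gamma_{CQC} \) values are constructed.

```python
"""Added example (not the chapter's code): Zipf service popularity (Eq. 10),
computing cost versus popularity (Eq. 11), log-derived popularity ranks and
the pending/FW-list split of Algorithm 2 for one fog node.
The request log, Th and gamma_CQC below are constructed sample values."""
from collections import Counter


def zipf_omega(K, gamma):
    """Omega = (sum_{k=1}^K 1/k^gamma)^-1, the normaliser so that Z sums to 1."""
    return 1.0 / sum(k ** -gamma for k in range(1, K + 1))


def zipf_popularity(k_t, K, gamma):
    """First line of Eq. (10): Z_i^E(k_t) = Omega / k_t^gamma, k_t in 1..K."""
    return zipf_omega(K, gamma) / k_t ** gamma


def zipf_inverse(z, K, gamma):
    """(Z_i^E)^-1(z): the real-valued rank whose popularity is z, clipped to [1, K]."""
    k = (zipf_omega(K, gamma) / z) ** (1.0 / gamma)
    return min(max(k, 1.0), float(K))


def next_rank(k_t, arrivals, K, gamma, window_requests):
    """Second line of Eq. (10): k_{t+dt} = Z^-1(Z(k_t) + lambda_dt).
    Assumption: lambda_dt (an arrival count) is divided by the total requests in
    the window so it is on the same scale as the popularity Z."""
    z_new = zipf_popularity(k_t, K, gamma) + arrivals / window_requests
    return zipf_inverse(z_new, K, gamma)


def computing_cost(c0, k_t, K, gamma):
    """Eq. (11): C_i^{E_j} = C_i^{E_0} / Z_i^{E_j}(k_t); the less popular, the costlier."""
    return c0 / zipf_popularity(k_t, K, gamma)


def popularity_ranks(request_log):
    """Rank service types by request count in the node's log (rank 1 = most popular);
    ties are broken by name so the ranking is deterministic."""
    counts = Counter(request_log)
    ordered = sorted(counts, key=lambda svc: (-counts[svc], svc))
    return {svc: rank for rank, svc in enumerate(ordered, start=1)}


def partition(request_log, c0, gamma, th, gamma_cqc):
    """Algorithm 2 on one fog node. Rank < Th -> pending list, otherwise FW list.
    Assumption: a pending service stays local only if its Eq. (11) cost is within
    the CQC bound gamma_cqc; otherwise it is forwarded to the SRPS controller too."""
    ranks = popularity_ranks(request_log)
    K = len(ranks)
    pending, fw_list = [], []
    for svc, k_t in ranks.items():
        if k_t < th and computing_cost(c0, k_t, K, gamma) <= gamma_cqc:
            pending.append(svc)
        else:
            fw_list.append(svc)
    return pending, fw_list


# Constructed request log for one fog node: 9 video, 5 sensor, 2 ocr, 1 vr requests.
SAMPLE_LOG = ["video"] * 9 + ["sensor"] * 5 + ["ocr"] * 2 + ["vr"]

if __name__ == "__main__":
    ranks = popularity_ranks(SAMPLE_LOG)
    for svc, k_t in ranks.items():
        print(svc, "rank", k_t, "cost", round(computing_cost(1.0, k_t, len(ranks), 0.8), 2))
    print(partition(SAMPLE_LOG, c0=1.0, gamma=0.8, th=4, gamma_cqc=5.0))
```

On the constructed log with \( Th = 4 \) and \( \gamma_{CQC} = 5 \), the two most requested services stay in the pending list, while the third is forwarded because its Eq. (11) cost exceeds the bound and the fourth because its rank is not below the threshold. Because the ranks come straight from the request log, a burst of requests for one service type shifts both its rank and which services get forwarded, so a deployment should rate-limit and authenticate the sources that feed the log before relying on it for partitioning decisions.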

The SRPS scheme models the relationship between service popularity and computing cost with Zipf's law. Moreover, it decouples computing control from data processing and supports mobile and heterogeneous computing resource scheduling.

7 Analysis

In this section, we summarize the main contributions and give a cost analysis of the proposed approach to security and intelligent management of fog/edge computing resources.

7.1 Main Contributions

The contributions of the aforementioned approaches are as follows:

Firstly, a collaborative trust and security protection scheme was proposed for edge/fog computing systems. Trust evidence can be recorded based on diverse trust properties in terms of Quality-of-Service (QoS) trust and social trust, where trust properties are the variables employed to measure trustworthiness. Fog nodes run a cross-blockchain structure consisting of multiple parallel blockchains. The encrypted data includes the encrypted location information of fog nodes and the corresponding encrypted trust evidence collected by edge/fog devices. A semantic-based security detection and isolation scheme is proposed for edge/fog computing systems to defend against content threats.

Secondly, a unified data storage architecture dedicated to managing data at the edge is proposed. Its characteristic is to migrate the advantages of the Hadoop Distributed File System (HDFS) in cloud computing to the edge, so that edge services provide better QoS. Moreover, to maximize the capability of edge nodes, we devise a dynamic storage policy-making mechanism based on Q-learning, which recommends data with high invocation popularity for edge servers and updates the data in time accordingly. To achieve high-level linkage, we also propose a communication model for edge-cloud and edge-edge communication. Edge nodes can share their storage information with neighbors through synchronous communication.

Thirdly, a scheme for service popularity-based smart resource partitioning is proposed. Zipf's law is used to calculate the popularity rank of each IIoT service and to predict the computing cost of arriving IoT services on edge/fog computing nodes. We provided a method for solving the threshold value for forwarding edge/fog services and applied it to decide whether an arriving IIoT service should be handled locally. This work first decoupled the computing control layer from the computing layer and provided a programmable interface for edge/fog computing operators.

7.2 Main Cost

In the proposed approach, each edge/fog computing node can adaptively pick up and process the most popular IIoT services and smartly partition its resources according to the popularity rankings of the picked IIoT services. Unpopular IoT services on an edge/fog node are forwarded to other fog nodes (FNs) for efficient processing. In other words, there is no need for each edge/fog node to ask for the states of other edge/fog nodes; thus, the complexity of the proposed algorithms is Θ(n). The purpose of the proposed algorithms is not to copy the load balancing and VM migration of the cloud to distributed edge/fog nodes. By using Algorithms 1 and 2 to partition the resources of edge/fog nodes, we can obtain minimized computing cost and minimized CQC validation. All performance improvements of the proposed scheme directly benefit edge/fog computing users, because service popularity reflects their real demands. As for whether it causes additional computing cost, the answer is inevitably yes. However, compared to the improvements of the proposed approach, the additional computing cost caused by the complexity of the proposed algorithms is minor. Moreover, the additional computing cost can be handled by resources offloaded from the cloud. Besides, edge/fog nodes selectively deal with local delay-sensitive services rather than all arriving edge/fog computing services.

8 Conclusion

In this chapter, the methods and technologies for security and intelligent management of fog/edge computing resources were studied. Blockchain and semantics are introduced to enhance the trust and security protection capabilities of edge/fog computing systems. Moreover, we address the complex application scenarios and the massive data generated by edge nodes, which pose challenges to edge-cloud collaboration. By taking advantage of Hadoop, a unified edge-cloud intelligent storage architecture is proposed to improve the performance of edge services. Finally, the proposed resource partitioning scheme models the relationship between service popularity and computing cost with Zipf's law, decouples computing control from data processing, and supports mobile and heterogeneous computing resource scheduling. Future work will address artificial intelligence collaboration technologies for edge/fog computing systems.