GLIDE: A Game Theory and Data-Driven Mimicking Linkage Intrusion Detection for Edge Computing Networks

Intelligent Manufacturing Department, Wuyi University, Jiangmen 529020, China School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China School of Social Science, Nanjing Institute of Industry Technology, Nanjing 210023, China Jiangsu Zhongtian Technology Co., Ltd., Nantong 226463, China Jiangsu Graduate Workstation, Nanjing Liancheng Technology Development Co., Ltd., Nanjing 210012, China


Introduction
e essence of network attack and defence confrontation is to detect, monitor, and promptly leverage defence mechanisms to interfere with or block attacks [1]. e attacks of the traditional edge computing network target active defence techniques, which can be mitigated to avoid data theft or data tampering by abnormal detection [2][3][4][5]. However, it cannot solve the problem of ubiquitous intrusion monitoring identification in edge computing networks. e system services provided by the edge computing terminal and the cloud computing centre still have the possibility of being attacked [6][7][8][9][10][11]. It is still a challenge to conduct intrusion detection with data-driven analytics in the security of edge computing network, which is supported by edge, given the complexity of complex systems and the unique features of edge computing.
Many researches have been carried out in the academic world to address the network security risks introduced in the development of edge computing networks [12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29]. However, as the edge computing network is a hybrid network architecture that involves multiple links and multiple technologies, a unified international standard has not yet been formed. e security protection technologies for edge computing networks have also experienced password protection, security models, access control policies, host hardening to anomaly detection, and association analysis [30][31][32][33][34][35][36][37][38]. However, the above technologies are mainly based on passive defence. In fact, they can only be used to detect attacks and respond afterwards but not to prevent attacks. It is no longer able to adapt to the current open Internet environment that is dynamically changing and requires high real-time performance and reliability. ese researches have certain limitations in the context of edge computing networks: (1) In terms of terminal penetration defence, existing edge computing terminal security mainly uses cryptographic technology and trusted computing technology to achieve terminal security authentication and data storage computing security. Due to the difficulty of key management and the high degree of intervention, the cost of defence is too high, which is not suitable for the security protection of multiple heterogeneous terminals in the edge computing environment. At the same time, the existing terminal trust evaluation technology has limitations such as poor reputation evaluation accuracy and large amount of calculation. erefore, dynamic learning and dynamic measurement cannot be performed according to the behaviour characteristics of edge computing terminals, penetration attacks by malicious terminals cannot be effectively detected, and advanced defense control cannot be performed. So, the research results cannot be directly used for edge attack detection and active defence of edge computing terminals. (2) In terms of data security interactions, facing the demand of data security protection of edge computing network, many research studies have paid attention to the privacy protection and secure transmission of edge computing data, which are generally implemented using cryptographic technology and secure transmission protocols. However, most of the researches do not take into account the real-time requirements of data transmission in the edge computing network environment, so it is difficult to apply to the real-time secure interaction of edge computing data. In addition, the existing research results do not consider the impact on the data transmission efficiency in the case of network attacks and cannot adaptively adjust the data transmission scheme according to the degree of network attack damage to ensure transmission efficiency. erefore, the existing secure transmission technology generally belongs to the passive defence technology, which cannot actively avoid or suppress network attack behaviours and cannot meet the needs of security in edge computing networks. (3) In terms of network attack detection, the current research studies of mainstream intrusion detection for edge computing networks are focused on anomaly detection. Deep learning techniques are used to build behaviour models of edge computing networks and to detect and identify various types of network attacks based on model deviations. After the abnormality is identified, the implementation mechanism of new or unknown network attacks cannot be analysed, and the detection results cannot be directly used for the normal monitoring of subsequent network attacks nor can they protect the edge computing network protection objects. At the same time, the current intrusion detection technology mainly considers the accuracy of the detection model but has limited consideration of the application scope of the method and pays insufficient attention to the defence cost of intrusion detection. erefore, according to the definition of active defence of network security, the balance between defence gains and attack losses in the course of offensive and defensive game of existing technology needs to be further studied. (4) In terms of system attack defence disposal, there are few existing research studies on attack defence technologies for the edge computing network system domain, and only a few research results have emphasized the necessity of cooperative and coordinated processing. At present, the efficient disposal technology of attack linkage is mainly defence disposal technology based on alarm correlation analysis and defence disposal technology based on state attack graph. However, the state attack graph technology has many limitations in the implementation process, such as the failure to accurately quantify the calculation of the attack success probability and the definition of the attack hazard index, making the calculation accuracy in practical applications poor, and it is difficult to effectively defend against lowcost defence. In addition, in the case of a large-scale system in an edge computing network, there is a space explosion problem in generating a state attack graph. How to solve the network security incidents of large-scale interconnected systems in edge computing networks at low cost and high efficiency is the NP problem.
erefore, the key issue that needs to be addressed is how to establish a linkage closed-loop intrusion detection and disposal mode from the time domain, space domain, and security domain to achieve correlation analysis and optimal disposal, improve the survivability of core business systems in edge computing networks, and provide the system with the ability to deal with various attacks in a complex environment.
To improve the security for the entire edge computing network, we further study the edge computing network intrusion mimicking linkage detection technology. e mimic defence technology uses computing or service components with functional equivalents and different structures as elements, is based on a "nonsimilar redundancy" structure with high availability and reliability, and cooperates with the multimode voting mechanism that does not rely on rules and features. It disturbs the judgment of the attacker through the nonlinear transformation of the system's external characteristics. Mimic defence technology is based on dynamic heterogeneous redundant construction. It uses the harsh conditions that the attacker cannot construct 2 Complexity the attack methods of all heterogeneous components simultaneously to introduce a dynamic scheduling strategy that can avoid collaborative attacks, making it difficult for the attacker to maintain the attack chain through the voting mechanism. Also, it can increase the difficulty for attackers to detect and scan.
In recent years, more and more research works have focused on developing and advancing mimic defence technology. Li et al. [37] proposed a complex attack linkage decision-making method, which provides guiding security architecture for the construction of a mimic defence system. Tong et al. [38] used the multilevel structure of the web server to design a dynamic heterogeneous redundancy foundation at the operating system layer and server software layer and realized the establishment of a mimic defence system in the web server field.
Based on [37,38], Sang and Li [39] studied mimic defence techniques of edge computing terminal, which is also the basic framework of this paper. However, there are few researches focusing on the security analysis methods of mimic defence systems. In this paper, we propose a multiredundancy voting mechanism for the intrusion detection on the edge computing terminal. Moreover, we achieve the optimal collaborative detection rate by designing the optimal deployment strategy of multiredundancy edge computing terminal intrusion detection service. e purpose of the multiredundancy voting mechanism in the mimicry defence model on the edge computing terminal is to analyse the differences in the execution results of heterogeneous redundant executives. It thus not only implements intrusion detection but also helps to hide and defend real services. Under the edge computing network environment, the intrusion detection capability of the edge computing terminal improves the collaborative detection of network attacks. However, edge computing networks have ubiquitous interconnection characteristics [5,6]. erefore, if the intrusion detection measures do not adequately deploy, then the risk of taking control of the business services will be increased. Nevertheless, the capability of the underdeployed edge computing terminal service with intrusion detection will cause attackers to bypass the edge computing terminal to attack the real service directly. On the other hand, to resist the network intrusion, it will undoubtedly increase defence costs and occupy additional edge computing resources when deploying a great deal of multiredundant edge computing terminals [7]. To address this issue, we present a methodology, called Game theory and Data-driven Mimicking Linkage based Intrusion Detection of Edge Computing Network (GLIDE), which combines the multiredundancy edge computing terminal intrusion detection service technique and the game theory. GLIDE calculates the income equilibrium point of the participants according to the equilibrium condition decision. We further implement an optimal defence income deployment strategy for multiredundancy edge computing terminal intrusion detection services in edge computing networks in order to improve the detection rate of network attacks and thus enhance the security of the network. Figure 1 shows the schematic of this study. e contributions of this paper are summarized as follows: (i) First of all, we present a novel edge computing network mimic linkage intrusion detection model called GLIDE to resist unpredictable attacks in the edge computing network. (ii) Secondly, we utilize the game theory in the field of the edge computing network and suggest a game model-based mechanism which employs the optimal intrusion detection deployment strategy considering the perspective of intrusion detection revenue. Also, we analyse the interaction between the attacker and the intrusion detection system to obtain an optimal decision-making scheme for the defence action set using the game model. (iii) irdly, we utilize the Nash equilibrium of attack and defence income in the game model, which can be used to optimize the defence cost and the strategy of the intrusion detection service. e rest of the paper is organized as follows: Section 2 presents some background and related works. Section 3 introduces the mimic state linkage intrusion detection of edge computing networks and its game model and discusses the advantages and the utility of different participants according to different situations. Section 4 provides the analysis of the Nash equilibrium in the model and designs an optimal deployment strategy for the multiredundancy edge computing terminal mimicry defence intrusion detection service. Section 5 describes the experimental analysis of the proposed model. Section 6 concludes the paper.

Related Research
With the diversified, collaborative, and intelligent development of network attack techniques such as advanced persistent attacks (APT) and multistep combined penetrating attacks have become the main form of the threatening network security [8]. ese days, unpredictable attack detection techniques have drawn attention from the cybersecurity researchers in the field of attack and defence [9]. e defence of the new attack is also one of the original motivations for the active protection of network security [10]. Fu et al. [11] combined the conventional APT attack technology and principle and classified the attack into six implementation stages: detection preparation, code incoming, initial intrusion, etc., and summarized the attack characteristics. en, they reviewed the current state of the research on existing APT attack detection defence frameworks. Moreover, they pointed out research content and latest developments of four mainstream APT attack detection technologies, such as network traffic anomaly detection and malicious code anomaly detection. However, the aboveexplained detection algorithms need to be implemented based on big data analysis technology. In the environment of high real-time performance and extensive data in the edge computing network, there are still problems such as insufficient timeliness and complicated calculation when an Complexity 3 abnormality is discovered [12,40]. In the new attacks, such as APT, there is an important feature that is multipoint and multitarget attack, which is different from traditional ones [13][14][15]. In response to the intrusion detection problem of this type of attack, Qi [16] proposed a distributed intelligent detection model based on multiagent. e model uses a distributed architecture based on a three-level agent. e Management Agent, the Resident Agent, and the Mobile Agent are not only independent but also cooperative with each other. Also, it implements real-time analysis and alerting of network data and hardware information in the target system. Liu et al. [17] introduced agent technique into network intrusion detection and proposed a network intrusion detection framework model based on distributed mobile agent technology. It applies the misuse detection mode and the anomaly detection mode in a coordinated way. ere are many similar research studies on distributed collaboration and linkage intrusion detection. Notwithstanding, such research mainly focuses on collaborative strategy between intrusion detection systems. ey have not considered factors through the actual network attack and defence processes, such as the asymmetry of information and the asymmetry of the consequences. erefore, how to develop an adaptive intrusion detection method that adapts to the characteristics of network attack changes has attracted the attention of many scholars [18][19][20][21].
According to the confrontational nature of network attack and defence [22], from the view of active defence, the core goal is to seek the optimal network defence benefits that match the cyber-attack hazard. On the contrary, from the perspective of the attacker, the core goal is to find the best damage from the attack [23]. Consequently, relevant research introduces the game theory and studies the optimal strategy of network attack and defence. To carry out the security assessment and active protection of the network, Jiang et al. [24] proposed a network optimal active defence method based on the offensive and defensive game model. It performs the optimal attack and defence strategy selection by solving the game benefit Nash equilibrium condition between the defender and the attacker. To effectively address the network security risk management and reduce the loss of security risk, Gang et al. [8] presented a network security optimal attack and defence decision-making method based on the noncooperative non-zero-sum game model. It generates an optimal attack and defence strategy by analysing the attack and defence interactions of attackers and defenders. Zhang et al. [25] introduced a network security defence decision-making method based on the offensive and defensive differential game. In this study, according to the security evolution model, it analyses the change process of the security state of the network system and constructs the differential game model of attack and defence. Also, this technique presents the solution way of saddle point strategy and gives the optimal defence strategy selection algorithm. Wang et al. [26] suggested an algorithm for selecting the optimal defence strategy based on the static Bayesian game.
is algorithm calculates the effectiveness of the defence strategy based on probability and gives the optimal active defence strategy selection algorithm. Also, they have employed the game theory into the study of optimal strategy selection for network intrusion detection. Shen et al. [27] recommended a wireless sensor network intrusion detection approach. From the perspective of saving defence cost, it gives the optimal strategy for intrusion detection service deployment in a wireless sensor network environment. To address the massive linkage control problem of attack detection, Li et al. [28] used game theory to analyse the security combination model of firewall, intrusion detection system (IDS), and vulnerability scanning technology and gave the optimal intrusion detection calculation method. At the same  4 Complexity time, in the particular network environment with obvious resource constraints such as WSN network and mobile Adhoc network, the game theory is also applied to the solution of the optimal intrusion detection strategy [29][30][31][32][33][34]. Research on mimetic honeypot intrusion detection technology based on game theory is also often involved [35,36]. In general, game theory has been widely used in the field of network attack and defence and can be used to solve the optimal strategy of network attack and defence. Game theory is a decision-responsive mathematical model which makes one side of a game to change its strategy according to the decision made by the counterpart. To a certain extent, game theory can be defined as the principle for using mathematical models to study the conflict and cooperation between intelligent and rational decision makers.
ere are several elements in the game theory model.

Definition 1.
Participants: the decision makers in the game model. ere must be at least two participants in a game model. Participants perform specific actions which can influence each other in the game model.

Definition 2.
Strategy set: the strategy of the game model can be divided into pure strategy and hybrid strategy according to its precise characteristics. If the policies are clearly defined action choices, they are described as pure strategies, while the hybrid strategy uses probability distribution on the purely strategic basis. A collection of policies can be called a response space. e types of response space can be classified into pure strategy space and hybrid policy space according to the corresponding strategy.

Definition 3.
Offensive and defensive income: the purposes of participants in the game model are the same: maximize its outcomes while minimizing costs. When game participants fully understand the actions of other participants, they use a game model with complete information rather than a game with incomplete information. In this case, it is impossible to understand the strategies of other participants fully. Moreover, when the utility function and the possible approach are known to all model participants, a game with complete information is performed. In essence, the core of mimic defence is the voting mechanism. e voter, also known as the voter agent, ensures that no program instance is broken by comparing the output of different variants. e voter is a necessary channel for the heterogeneous redundant executable bodies to output messages. e multiredundancy voter monitors the operating status of all equivalent executives in the mimic defence model. It takes the output of multiple heterogeneous executors as input and performs content-level comparison to realize the abnormality of heterogeneous redundant executors.
In this paper, the multiredundancy voting mechanism of the edge computing terminal mimic defence technology has intrusion detection capabilities. Assume that, for the same request, the response results of different redundant components are equivalent. However, in a real network environment, the system may be attacked or maliciously damaged at any time, and some redundant components may be damaged, leading to service failure. erefore, the response results may be invalid or wrong, which leads to inconsistent response results of the redundant components, thus achieving the purpose of intrusion detection. Commonly used voting algorithms include majority voting algorithm, large number voting algorithm, median voting algorithm, and unanimous voting algorithm. Voting can be implemented at multiple levels in the software stack, including the application layer and the middleware layer. Several common voting algorithms are summarized in Table 1.
Common voting algorithms ignore the loss and impact on performance, so from the perspective of active defence, the intrusion detection services that rely on multiredundancy voting mechanisms will inevitably increase the resource overhead of edge computing terminals. From the perspective of network intrusion detection, it can be known that all edge computing terminals in the network exist as intrusion detection nodes. e more intrusion detection services are deployed, the earlier and more comprehensive the attack behaviour can be discovered, thereby preventing the harm caused by the attack. However, in edge computing networks, this is not necessary and is not the optimal deployment method for intrusion detection services. Seeking a reasonable deployment strategy of edge computing terminal intrusion detection service and ensuring the maximization of service revenue and the minimization of defence cost in edge computing network are the best way of active defence.
ese are the basic characteristics of game theory.

Mimetic Intrusion Detection Model Based on Game Theory
e ideal network attack detection should identify most of the possible attacks. At the same time, according to the actual situation, it needs to find a balance between the detection cost and the benefit and also obtains the optimal defence rate by using the minimum cost.
As shown in Figure 2, the mimetic intrusion detection game model is defined as a triple model ADG � (U, S, X), where U � (U 1 , U 2 , . . . , U n ) refers to all participants in the offensive and defensive game model. Participants are the subject of the game, where n represents the number of participants. P, Q { } describes all participants in the game according to the actual participation of the offensive and defensive game. P ≜ P 1 , P 2 , P 3 denotes three kinds of service existing in the edge computing network, that is, the master station system service, the multiple redundancy edge computing terminal intrusion detection service, and the single-redundancy edge computing terminal service. Among them, the multiredundancy edge computing terminal service has intrusion detection capability. Q ≜ Q 1 , Q 2 represents normal users and attackers (malicious users), respectively.
S � (S 1 , S 2 , . . . , S n ) refers to the action set of the participants. Specifically, the action set mainly refers to the denotes that this type of user cannot access services in the edge computing network. Table 2 shows the details.
X � (X 1 , X 2 , . . . , X n ) expresses the offensive and defensive utility of the participants. Here, different participants have different levels of utility. X P , X Q represents the utility set of the game participants, where X P denotes the utility of each type of service in the edge computing network. X Q denotes the accessible utility of normal users and attackers.

Participants' Income.
From game theory, the key process of the game is maximizing the income of the game participants. In the proposed model, we assume that the edge computing network has the prior knowledge of the attack, i.e., the identity of the visitor is known when the service is provided. e assumption is shown in Section 4. Given a game model ADG � (U, S, X), we define the probability for the visitor as F( which denotes the distribution probability of normal users and attackers using the probability and statistical methods. Following the definition, we get the probability distribution of the services (the master station system service, the multiredundancy edge computing terminal intrusion detection service, and the single-redundancy edge computing terminal service) provided by the edge computing network, which is F( Definition 4. Game strategy: in the game model, the probability distribution of the action set participant selected is called the game strategy. When using binary 0 or 1 decision, the probability distribution is called pure approach. On the contrary, the procedure is hybrid when using different probability values decision.   In the proposed game model, the participants' game stage and action set are clear. e game strategy, therefore, exploits a pure approach. is section analyses the benefits of various game scenarios based on different system services and different participants.

Master Station System
Services. e master station system service is the real service of the business system in the edge computing network. If the user is normal and accesses the master station system service, the benefit of the master station system service and the access revenue of the normal user are both α(α > 0). If the attacker can access the primary system services, then the master station system service will be damaged, leading to deterioration of the capability of the master station system service on the edge computing network. erefore, we define the attacker's income ρα, where ρ ≥ 1 represents the attacker's attack damage factor. At this point, the service income of the real system is − ρα.

Multiredundancy Edge Computing Terminal Intrusion
Detection Services. Multiredundancy edge computing terminal intrusion detection service, i.e., the edge computing terminal service, detects the network intrusion by using the multiredundancy heterogeneous executable bodies and the multiredundancy voting mechanisms when the edge computing network is enabled. Normal users cannot access this kind of intrusion detection service, regardless of the multiredundancy edge computing terminal intrusion detection service, which means that the service does not increase their access income of the regular business. erefore, the normal user's access income is 0. Equivalently, the service income of the edge computing terminal intrusion detection service is 0 as well. From the counterpart perspective, when the multiredundancy edge computing terminal intrusion detection service detects an attacker successfully, the service income is μβ, where β > 0 and μ ≥ 1 is the intrusion detection factor (i.e., an attacker's success intrusion probability). At this point, the attacker's access income is − μβ.

Single-Redundancy Edge Computing Terminal Service.
Single-redundancy edge computing terminal service, i.e., an edge computing terminal service, uses a single redundant executive body in an edge computing network. is kind of service has a capability of preventing the network intrusion but a deficient capability of detecting the network intrusion; due to that it cannot exploit the multiredundancy voting mechanism. Under the normal situation, the normal user's access income of the single-redundancy edge computing terminal service is 0. However, if the attacker accesses the single-redundancy edge computing terminal service, it may be attacked and damaged. e service income thus is − ρα. At this point, the attacker's access income is ρα − εβ, where β > 0, and ε ≥ 1 represents a single-redundancy edge computing terminal service defence factor.

Participants' Utility.
In this subsection, we consider the dynamic gaming phase of five roles (master station system service, the multiredundancy edge computing terminal intrusion detection service, the single redundancy of the edge computing terminal service, the normal user, and the attacker). Moreover, we comprehensively calculate the offensive and defensive utilities of all participants' game based on the change of corresponding participants during the game process and achieve the optimal strategy using the duction of the Bayesian principle.

Utility Analysis of Master Station System Service.
Considering the instantiating executing strategy s open s (i.e., the normal users and attackers can access the master system service at the same time), the total service utility of the master station system service (i.e., X P 1 ) can be calculated by Similarly, when the system service is in a situation exposed to attack s close s (i.e., the master system service is in the extreme case of being unable to provide services due to occurring an attack), the total service utility of the actual system is

Utility Analysis of Multiredundancy Edge Computing Terminal Intrusion Detection Service.
e executing strategy is s open s (i.e., the multiredundancy edge computing terminal intrusion detection service provides access to normal users and attackers at the same time); the total service utility of the multiredundancy edge computing terminal intrusion detection service (i.e., X P 2 ) can be calculated by where the executing strategy is s close s (i.e., there is no multiredundancy edge computing terminal intrusion detection service into the edge computing network); the total service utility is

Utility Analysis of Single-Redundancy Edge Computing Terminal Service.
e executing strategy is s open s (i.e., the single-redundancy edge computing terminal service provides access to normal users and attackers at the same time); the total service utility of the single-redundancy edge computing terminal service (i.e., X P 3 ) can be calculated by In the case of executing strategy s close s (i.e., there is no single-redundancy edge computing terminal service in the edge computing network), the total service utility is Complexity 7

Utility Analysis of Normal Users.
In a situation where the normal user executes the strategy s permit u , the summation of access utility can be calculated by considering the access of the master station system service, the multiredundancy edge computing terminal intrusion detection service, and the single-redundancy edge computing terminal service, which is When the normal user executes strategy s deny u (i.e., a normal user does not access the services in the edge computing network due to the network attacks), the summation of access utility is

Utility Analysis of Attackers.
For the attackers during the game, where the attacker executes the strategy s permit u , the summation of access utility is calculated by utilization of attacker on accessing the master station system service, multiredundancy edge computing terminal intrusion detection service, and the single-redundancy edge computing terminal service, which is On the other hand, when the attacker does not access the services in the edge computing network, that is, in the case of executing strategy s deny u , the utility of the attacker is Considering the calculations mentioned above, we can obtain the utility for normal users and attackers performing different game actions when accepting different services, respectively.

Solution of Optimal Strategy for GLIDE
Game participants often have difference and balance on strategy selection. For example, when an attacker finds that the object being attacked is a multiredundancy edge computing terminal intrusion detection service system, the rational attacker will pursue the maximum attack damage with the minimum attack cost. In this case, it is obvious that the attacker will not continue to execute the attack method but will alter other strategies or actively stop the attack. For defence system services, when there are no attackers in the network, the approach will be adjusted to minimize the provision of intrusion detection services to save network resources. Similar strategic changes and the game between the offensive and defensive sides are constantly changing. e game of this technique will achieve the optimal income of the participants when the offense and defence sides implement a certain mechanism, respectively, namely, the Nash equilibrium state.
Definition 5. Nash equilibrium: for the attackers and defenders in the game, if and only if each participant's strategy is the best countermeasure against another.
is section provides the analysis and certification for that the Nash equilibrium state exists in the GLIDE model proposed in the paper. Based on this inspiration, the Nash equilibrium calculation results are used as the basis for decision-making, which guides the optimal deployment strategy of multiredundancy edge computing terminal intrusion detection services in edge computing networks. Since If so, the utility of providing the normal service by the master station system X P 1 (s open s ) is greater than that of not providing service X P 1 (s close s ), which should be the optimal target pursued by the edge computing network. z < 2/(2 − ρ) is the preferred condition. We thus infer that the edge computing network will choose to provide the master system service when z < 2/(2 − ρ). On the contrary, z > 2/(2 − ρ); the strategy s close s will be selected as the executed one. However, according to the game, when the primary station system provides the service, the preferred strategy of the multiredundancy edge computing terminal intrusion detection service and the single-redundancy edge computing terminal service must be S open s . We further assume that X Q 1 (s permit u ) � X Q 1 (s deny u ) and X Q 2 (s permit u ) � X Q 2 (s deny u ); the following can be derived: From (11) and (12), we can obtain 8 Complexity We then derive According to equation (15)  )}; the model has a Bayesian Nash equilibrium and needs to satisfy these conditions: Similarly, when an attacker stops attacking, i.e., the edge computing network executes the strategy (S According to the solution results that use the Nash equilibrium condition under the above different strategies, this section can be used to solve the optimal algorithm of the mimic state linkage intrusion detection optimal strategy for edge computing networks, which is depicted in Algorithm 1.

Security Analysis of GLIDE
At present, the single-redundancy defence model based on the mimic defence idea is basically an iPo model. As shown in Figure 3, when a submitted request is entered into the system, it is first copied by the input proxy unit into n copies and forwarded to the executive body set. e executive body set contains n similar redundant executors, of which P 1 , P 2 , P 3 , . . . , P n are executors with the same function but different implementation methods; each executor accepts a copy of the request and processes it. e processing result of each executor outputs a response after voting by the voter. Taking advantage of the dependence of network attacks on the environment, an attack targeting a specific vulnerability cannot be effectively played in heterogeneous executors (P 1 , P 2 , P 3 , . . . , P n ) at the same time, thereby achieving a defence effect against the vulnerability attack. e multiredundancy voter mainly compares the differences in the execution results of redundant executors, so as to vote whether the mimic defence system has suffered network intrusion and achieve the purpose of intrusion detection. Based on mimic defence technology, mimic defence structure routers, mimic defence structure distributed storage systems, mimic defence structure web servers, and other systems with mimic defence structures have been formed.
Based on the existing mimic defence, this paper uses the Dynamic Heterogeneous Redundancy model to design and build a dynamic heterogeneous redundant mimic defence model for edge computing terminals, as shown in Figure 4. It adds a heterogeneous component set, a dynamic scheduling algorithm, and a heterogeneous element pool. Heterogeneous element pool provides diversified design of components at various levels and can form a heterogeneous component set, which improves the security of the system. When the executor in the executive body set is attacked, the system selects components from the heterogeneous component set to replace the attacked executor in the executive body set according to the dynamic scheduling algorithm, so Complexity as to eliminate the environment necessary for the triggering of the attack, making it difficult for the same attack to occur continuously. On the other hand, the existence of a dynamic scheduling algorithm makes the system show different system attributes to the outside during the period, which disturbs the judgment of the attacker and increases the difficulty of scanning and detection by the attacker.
In order to better understand how the key features in the dynamic heterogeneous redundant mimic defence model of the edge computing terminal affect the system's security defence capabilities, this paper conducts security analysis model based on the states of different components in the dynamic heterogeneous redundant mimic defence model of the edge computing terminal. In the model, the transfer of the attacker's position from the current component to its next component is considered as the attacker successfully invaded the current component. e transfer of the attacker's position from the current component to its previous component is considered as the attacker has lost control of the current component.
is situation usually manifests itself as a heterogeneous dynamic change of components in the mimic defence system, or an abnormal result is found in the voting output of the voter. In order to avoid that, as the network scale increases, the forward and backward transfer between many components will increase the difficulty of model analysis. is model only focuses on the situation where the attacker invades the next component and stays in the current component from the current component, thereby reducing the complexity of transferring between components.
e security analysis abstract model structure of the dynamic heterogeneous redundant mimicry defence model of the edge computing terminal is shown in Figure 5. e a component represents the attacker, the i component represents the input proxy module in the mimic defence system, and the logical P component represents the set of executive bodies in the mimic defence system, where P 1 , P 2 , . . . , P n represent the specific executor. e o component represents the voter in the mimic defence system. ese two components are the mimic defence boundary of the system and do not have heterogeneous redundancy features. erefore, dynamic defence technology is used to prevent the attacker from using the input proxy as a springboard to continuously attack the executive bodies P 1 , P 2 , . . . , P n and hijacking the correct output of the voting system. e numbers 1, 2, 3, 4, and 5 in the model represent the transfer process of the attack between components, in which 1, 3, and 5 represent the process of the attacker invading the next component from the current component; 2 and 4 represent the process of the attacker staying in the current component. Assumption 1. When using this model to evaluate the security of a mimic defence system, it is assumed that, for any kind of attack, there will be sufficient heterogeneous executors to build a mimic defence structure without being restricted by the diversity of software and hardware. ) strategy (4) end (5) else (6) ere is no optimal strategy. − εβ)))then (9) executes (S ) strategy (10) end (11) else (12) ere is no optimal strategy. (13) end (14) end (15) else (16) if (υ > 1 − τ) ∧ (τ > (μβ/(ρα + μβ − εβ)))then (17) executes (S ) strategy (28) end (19) else (20) ere is no optimal strategy. (21) end (22) end (23) End ALGORITHM 1: Solving algorithm for optimal strategy of intrusive mimic relation detection. 10 Complexity the dynamic characteristics of the mimic defence structure, which can be fixed or random values.

Definition 7.
e time required for the successful implementation of the attack T attack : the time required for the attacker to successfully invade from a component to its next component in the model, reflecting the complexity of the attacker's successful implementation of an attack.

Definition 8.
e probability of performance difference p h between mimic defence executors after being attacked: the probability of heterogeneous attributes between the execution components of the model for an attack, that is, the probability that different execution components will produce different results in an attack is p h , which reflects the heterogeneous characteristics in the mimic defence structure.

Definition 9.
e probability of successful attack transfer by the attacker p (i,j) is the probability that the attacker successfully invades from component i to the next component j in a static system without heterogeneous characteristics and dynamics, reflecting the difficulty of the attacker's successful attack.

Single-Redundancy Attack Defence Analysis.
When the mimic defence system uses single redundancy, the model of the system is shown in Figure 6. e attacker invades the mimic defence system by component a. p 1 , p 2 , p 3 , p 4   Complexity by an attacker is heterogeneous is p h , so the probability that any dynamic change of component i will not affect the continued implementation of the attack is 1 − p h . Component i can have up to T attack /T dynamic dynamic transformations during the successful implementation period T attack of an attack. erefore, the probability that an attacker dynamically changes the component i within the unit time required to complete an intrusion attack does not affect the attack is (1 − p h ) T attack /T dynamic . Based on the above analysis, the probability of an attacker successfully invading component i by component a can be expressed as After successfully invading component i, an attacker can launch T dynamic /T attack attacks against the execution component P in each dynamic transformation period. en the probability of failure of all intrusion attacks from component i to component P is (1 − p (i,P) ) T dynamic /T attack , so the probability of successful intrusion from component i to component P within the dynamic transformation period T dynamic is e attacker will stay on component i during time T attack in the following two cases: (1) An attacker's infiltration attack from component i to component P fails, and the dynamic transformation of component i does not affect the attack initiated by the attacker. In this case, the probability that the attacker will stay on component i is (2) An attacker's infiltration attack from component i to component P succeeds, and the dynamic transformation of component i does not affect the attack initiated by the attacker, but the dynamic transformation of component P affects the effective implementation of the attack. In this case, the probability that the attacker will stay on component i is Combined with the above two situations, the ultimate possibility that the attacker will stay on component i is expressed as Similarly, when the dynamic transformation between component i and component P does not affect the attack initiated by the attacker, the probability that component i successfully invades component P is (1 − (1 − p (i,P) ) T dynamic /T attack ), so p 3 can be expressed as rough the equations of p 1 , p 2 , and p 3 , the probability that an attacker can successfully invade component P by component a can be calculated as Next, calculate the probability that component a successfully invades component o. First, we need to calculate p 4 and p 5 . According to the process representations and analysis methods of p 1 , p 2 , and p 3 , the expressions of p 4 and p 5 are as follows:  12 Complexity rough the equations of p 1 , p 2 , p 3 , p 4 , p 5 , the probability that an attacker can successfully invade component o by component a can be calculated as

3-Redundancy Attack Defence Analysis.
When the mimic defence system adopts 3-redundancy, the model of the system is shown in Figure 7. When an attacker launches an attack from component i to logical execution body P, according to the mimic defence principle, an attacker can successfully invade the logical executable body P only when the executable bodies P 1 , P 2 , and P 3 are completely isomorphic. According to the above analysis, the probability that P 1 , P 2 , and P 3 are completely isomorphic is (1 − p h ) 2 . In this case, the probability of successful invasion from component i to logical component P within the dynamic transformation period . e analysis method of single redundancy mimicry defense system can also be used. In time Ta, the second situation that the attacker will stay at component i can be described as follows an attacker's infiltration attack from component i to component P succeeds, and the dynamic transformation of component i does not affect the attack initiated by the attacker, but the dynamic transformation of the execution component P i in logic component P affects the effectiveness implementation of the attack. erefore, the probability that the attacker will stay on component i is denoted as p 2 : e probability of successfully invading component P by component i is denoted as p 3 : rough the equations of p 1 , p 2 , and p 3 , the probability that the component a successfully invades the logical component P can be calculated; p P is At the same time, the first case where the attacker will continue to stay at the logic component P during time T attack changes: the attacker launches an infiltration attack from all the execution bodies in the logic component P to the component o, there is an attack failure initiated by the execution body P i , and the dynamic transformation of all the execution bodies in the logic component P does not affect the attack initiated by the attacker. In this case, the probability that the attacker continues to stay in the logic component P is Based on the above analysis, p 4 can be expressed as p 5 is calculated as follows: erefore, when the mimic defence system adopts 3redundancy, the probability that an attacker can successfully invade component o by component a can be denoted as

Setting of Experimental Environment.
In this section, we built an edge computing network test platform to evaluate the performance of the solution. We first explain the experimental setup and then give detailed experimental results. As illustrated in Figure 8, at first, the edge computing network test platform is designed on the NS2 simulation platform. To simulate the real network environment, we deploy the corresponding network components in the network, such as routers, real system servers, single-redundancy edge computing terminal servers and multiredundancy edge computing terminal servers, and edge computing control centres. e core of the edge computing network is to make full use of the computing power of the edge computing terminal. erefore, in this experiment, we deployed a large number of edge computing terminal groups and relied on the edge computing control centre for management and interconnection. In this experiment, 500 edge computing terminals were set up for simulation experiments. Due to the limited computing power and resources of the edge computing terminal, we considered the simulation time to be 10 minutes to ensure the accuracy and rationality of the experiment.
Specifically, in GLIDE, only the multiredundancy edge computing terminal service has an intrusion detection function, and the service inevitably consumes more network resources. e proposed model considers the proportion of the multiredundancy edge computing terminal intrusion detection service in the three types of core services that directly determine the performance of the model. erefore, during the experiment, we changed the number-ratio relationship between the single-redundancy edge computing terminal server and the multiredundancy edge computing terminal server. Moreover, by compromising the two specific indicators, which are the number of edge computing terminals and the capture rate of malicious packets, the performance of the proposed model concerning edge computing resource consumption and intrusion prevention is comprehensively considered.

Analysis of the Experimental Results.
is section tests the defence performance of the proposed attack and defence game model through the performance of network resource consumption and detection rate. We compare and prove it with the performance of the existing Fog-IDS model [14] and the EIDS model [15]. According to the above theoretical analysis, this paper adopts three different edge computing network service-deployment strategies and allocates them with a probability of τ, υ where τ, υ respectively represent single-redundancy edge computing terminal service and multiredundancy edge computing terminal service, and the latter has intrusion detection capabilities.
rough the comparison of these different probabilities, this paper will get different compromise edge computing terminals' number and malicious packets' capture rate. ese results can help find a reasonable service strategy deployment method in the edge computing network.

Analysis of the Results of Compromising the Number of Edge
Nodes. Due to the limited existing computing power of the edge computing terminal in edge networks, edge computing terminals are vulnerable to be attacked from the network or maliciously exploited by illegal users. erefore, it is particularly important to properly allocate the intrusion detection service of the edge computing terminal, that is, to properly deploy the multiredundancy edge computing terminal intrusion detection service in the GLIDE. Next, we find a reasonable deployment plan by comparative verification experiment.
By comparing the model of this paper with the existing Fog-IDS model and EIDS model. the relationship between the number of compromised edge computing terminals and the life cycle of the edge computing terminal is shown in Figure 9. It can be observed that the life cycle of the edge computing terminal has become longer, and the number of compromised edge computing terminals of the three models tends to increase. However, by comparison, during the terminal life cycle, the number of compromised edge computing terminals of the GLIDE is controlled to be less than 200, which is significantly less than the Fog-IDS model and the EIDS model. It confirms that deploying multiredundancy edge computing terminal services in the network model has specific intrusion detection and defence effects.
When the probability of deploying intrusion detection service of the multiredundancy edge computing terminal has increased, the security in the network is further improved because the service has certain intrusion detection capability. Further comparison with Figure 10 illustrates that when the multiredundancy edge computing terminal service probability was raised to 0.5, the number of compromised edge computing terminals was controlled to be about 150.
In summary, it can be identified that, in the edge computing network, the upward curve trend of the number of compromised edge computing terminals in this model is relatively smooth, which means that the proposed multiredundancy edge computing terminal intrusion detection service in this model is efficient. On the other hand, it is not difficult to see that as the life cycle of edge computing terminals increases, more edge computing terminals are compromised. is also depicts that the computing power of the edge computing terminal is relatively weak. erefore, it is a breakthrough of the model in this paper to make full use of the reliable resources of the edge computing terminal in the life cycle of the limited edge computing terminal and improve its computational efficiency while ensuring its security.

Analysis of the Results of Malicious Packet Capture Rate.
is section is further considered from a security perspective. e malicious packet capture rate is intuitively reflected in the defensive performance when using different service-deployment strategies τ, υ { } � (0.5, 0.3), (0.3, 0.5) { }. In different intrusion detection service rates of single-redundancy edge computing terminal services and multiredundancy edge computing terminal services, for the malicious packet capture rate of the attack behaviour as depicted in Figures 6 and 7, the change line chart includes the Fog-IDS model, the EIDS model, and the GLIDE (our model).
As illustrated in Figure 11, the service distribution rate in the model is 0.2 for the master system service, 0.5 for the   single-redundancy edge computing terminal service, and 0.3 for the multiredundancy edge computing terminal service. As can be seen from Figure 6, the malicious packet capture rate of the Fog-IDS model and the EIDS model is not stable. Specifically, the capture rate of the Fog-IDS model is between 0.5 and 0.6, and the capture rate of the EIDS model is between 0.5 and 0.7. As compared with the other models, the overall malicious packet capture performance of our model is better than the existing Fog-IDS model and EIDS model, and its trend tends to be stable. As depicted in Figure 12, the service distribution rate in the model is 0.2 for the master station system service, 0.3 for the single-redundancy edge computing terminal service, and 0.5 for the multiredundancy edge computing terminal service. When the edge node life cycle is relatively small, the malicious packet capture rate of the GLIDE model is kept at around 0.8, which is obviously better than the Fog-IDS model and the EIDS model. However, as the node life cycle becomes longer, the malicious packet capture rate of these three models shows a downward trend. We can speculate that the multiredundancy edge computing terminal service consumes a lot of computing power of the node, making its computing resources consume too much. erefore, when the node life cycle is gradually increased, the malicious packet capture rate will drop significantly.
In summary, since the edge network is characterized by fully utilizing the computing power of each terminal to solve the computational problem of the core service, the multiredundancy edge computing terminal service cannot be deployed excessively. Although this can improve the security performance for a certain period of time, the computing resources of the edge computing terminal are excessively consumed. It is not worth the loss. Combined with the experimental results, the following conclusions can be drawn: through multiple NS2 simulation test platform experiments, the model can achieve optimal performance when the parameters satisfy τ, υ { } � (0.5, 0.3) { }. In an actual complex network environment, due to factors such as the constant changes of the attack and defence strategies, excessive deployment of multiple redundant edge computing terminal services does not improve detection performance. On the contrary, it may cause excessive consumption of computing resources. After repeated experiments, when the network resource consumption and detection rate performance reach a dynamic balance, there is always an optimal income solution in this paper that satisfies both the offense and defence.

Conclusions
In this paper, we introduced an edge computing network mimic linkage intrusion detection model called GLIDE based on the multiredundancy edge computing terminal intrusion detection service to conduct distributed linkage monitoring of attacks. We first employed the game theory into the GLIDE model by considering the problem of occupying the edge computing terminal resources by the terminal intrusion detection service based on the multiredundancy edge calculation. We then utilized the Nash equilibrium of attack and defence income in the game model and the Nash equilibrium condition under different dynamic deployment conditions to analyse the deployment strategy of the terminal intrusion detection service based on multiredundancy edge calculation. is procedure can be optimized to ensure the optimal balance of attack and defence revenue. Finally, we implemented the GLIDE model on 500 edge computing terminals that were set up for simulation experiments. e experimental results confirm that the GLIDE model can determine the optimal deployment strategy for intrusion detection service of multiredundancy edge computing terminal based on the probability of attackers. Also, it can realize the intrusion detection with an optimal defence cost.
is paper is based on the assumption of complete rationality to analyse. Next, we will use Darwin's theory of biological evolution and Lamarck's genetic theory as the ideological foundation. From the perspective of system theory, the adjustment process of group behaviour will be regarded as a dynamic system, in which each individual's invasion behaviour and the invasion relationship with the group are individually characterized. e formation mechanism from individual behaviours to group behaviours and the various factors involved can be incorporated into the 16 Complexity evolutionary game model to form a macro model with a microfoundation, which more truly reflects the diversity and complexity of behavioural subjects.

Data Availability
e binary text data used to support the findings of this study are available from the corresponding author or the experimenter upon request, including all experimental data.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.