An Invocation Chain Test and Evaluation Method for Fog Computing

,


Introduction
Fog computing extends cloud computing services to the edge of the network. There are many security threats in network architecture of cloud computing that have been analysed in [1,2]. Under the distributed architecture of fog computing, there are numerous fog nodes and complicated connections. The security threats faced by the whole fog computing network system are quite different from those of the traditional cloud computing system. The vulnerabilities are often referred to as computer hardware, software, or policy flaws that allow attackers to access or destroy a system without authorization. There are many known and unknown vulnerabilities in the fog nodes, and there are problems that the security updates of the fog nodes and the central cloud is not synchronized in time. Once it is broken, the user data connected to the insecure fog nodes are faced with a variety of security threats [3]. In the scenarios of enterprise networks and Internet of Things, the fog nodes are geographically dispersed and exposed, and they are vulnerable to attack at the hardware level. Since fog computing systems have the difference of device structure, protocol, and service provider, the existing intrusion detection technology has difficulty detecting the above attacks [4].
Vulnerabilities exist in all aspects of design, implementation, and operations management of the fog computing system. It is unrealistic to eliminate all vulnerabilities in the system. It is well proved that the impact of a single vulnerability among others is quite small, while the impact of the vulnerabilities becomes significant when they are interlinked. Many examples prove that while the impact of several isolated vulnerabilities is small, more often than not, the vulnerabilities are interlinked. If the attacker organizes and utilizes these vulnerabilities organically, they will bring great harm to the system. Recently, Bozzato discovered three vulnerabilities in the Samsung SmartThings Hub controller, namely, CVE-2018-3879, CVE-2018-3880, and CVE-2018-3917 [5]. The attacker can get sensitive information leaked from memory in the hub core process by combining these vulnerabilities together, while using any single one of them cannot cause the smart home device to suffer network attacks. The attacks on computer systems based on vulnerability combination will cause serious harm to the whole system.
Vulnerability assessment is a proactive defence network security technology. Its working principle is to collect fog computing information; find out the entry point where attacks can be implemented; and perform simulated attacks to discover important vulnerabilities of the system. With the diversification and complication of vulnerabilities, the traditional rule-based vulnerability assessment methods have been unable to comprehensively assess the potential threats arising from the interaction of multiple vulnerabilities. A model-based vulnerability assessment method is proposed to analyse the vulnerabilities of the fog computing system from the perspective of the attacker, enumerate all the invocation chains that utilize the combination of the vulnerabilities, and analyse the test effects of different invocation chains one by one [6]. Since the length of the invocation chain grows exponentially with the increase in the host size and number of vulnerabilities of the fog computing system, this approach obviously cannot be applied to large-scale systems. In order to solve the combinatorial explosion problem caused by the model-based vulnerability assessment method, an attribute-based vulnerability assessment method is provided in [7], proposing the attack will be effectively executed when all the preconditions of the attack are satisfied. It clarifies the precondition of each attack and reflects the time sequence and causal relationship between the vulnerabilities used in different invocation chains, thereby making the constructed invocation chain more concise and more effective. However, [7] only proposes the construction framework of the invocation chains and does not elaborate on the specific method of constructing the invocation chains.
The attack graph is a graph theory method in mathematical modelling, which can visually reflect the detailed process of the system being detected. This paper proposes a vulnerability combination evaluation method based on the attack graph. It includes three parts, i.e., (1) to model fog computing system environment; (2) to generate the invocation chains on the basis of the attack graph, which in nature is vulnerability combination, and compute the chance of different invocation chains successfully implementing detection of the system according to the depth-first principle; and (3) to evaluate the performance of the invocation chains to verify whether the invocation chains can detect known or unknown vulnerabilities. The vulnerability combination assessment method based on attack graph proposed in this paper is helpful to carry out deep security detection of the system and provide technical support for improving the antiattack ability of the fog computing system.

Threat Modelling for Fog Computing System Environment
As stated above, the open structure and distribution are the characteristics of fog computing, which make it vulnerable and very weak to security threats. The security test model of fog computing is shown in Figure 1. The tester detects the fog computing system environment and obtains the system running status as well as vulnerability information to generate the vulnerability detection mode and build the system environment model. Therefore, the invocation chains are generated by using the attack graph method, and the effectiveness of invocation chains are evaluated to verify the vulnerability combination evaluation method based on the attack graph.  2 Wireless Communications and Mobile Computing running on the system through the fog computing system detection toolset. The working mechanism of fog computing system detection is shown in Figure 2. The fog computing system detection toolset includes vulnerability scanners which are designed to discover the vulnerability information of the fog computing system, host detection tools which are able to obtain the configuration information of each host in the system and the applications running on the hosts, and topology discovery tools which can obtain the topology structure of the fog computing system by calculating the connection information among hosts in the network transport layer. The vulnerability information of the fog computing system, the configuration information running on each host, and the connection information among hosts constitute the security parameters of the fog computing system, which are the core elements of fog computing system environment modelling. This paper presents a formal description of the security parameters of the fog computing system and their interactions based on the attack graph modelling language (AGML) [8,9].

Security Risk Propagation Model of Fog Computing.
Malwares can spread rapidly in fog computing environment and even infect the whole network. Therefore, how to find the hidden danger of each node quickly and reasonably in the fog computing system and avoid the further attacks of malicious malwares is an urgent problem to be solved in the fog computing security. It is assumed that the fog computing system contains N nodes, and these nodes present four different states as follows: susceptible, infectious, recovered, and dead. As the propagation of network attacks is a dynamic process, the state of node varies constantly. Figure 3 shows the conversion among these node states. Supposing all nodes are distributed in the network with density δ, as to a node with state I, the number of its adjacent nodes is δπr 2 . It should be noted that only the nodes with state S may be infected due to their vulnerability.  3 Wireless Communications and Mobile Computing the nodes with state S and state I is δπr 2 SðtÞn I ðtÞ. The number of nodes with state S converting into ones with state I is μ SI ðtÞρ SI δπr 2 SðtÞn I ðtÞ per unit time. ρ SI is the probability that the node with state S and the node with state I are attacked by the infected node in the communication process, and μ SI ðtÞ is the conversion rate [10]. Meanwhile, the numbers of nodes converting from state S to state R and converting from state S to state D are ρ SR n S ðtÞ and ρ SD n S ðtÞ, respectively. ρ SR is the probability of installing the vulnerability patches on the nodes with state S and getting them immunized; and ρ SD is the probability of nodes with state S not working properly [11].
Next is the case of installing vulnerability patches on nodes. Assume that there are γ 0 N vulnerability patches, where 0 ≤ γ 0 ≤ 1. The installation speed of vulnerability patch in the whole fog computing system is ρ r γ 0 Nμ R ðtÞ, where ρ r depends on the node density, network speed, and other factors in the fog computing system, and μ R ðtÞ represents the consumption of network resources by installing vulnerability patches, i.e., 0 ≤ μ R ðtÞ ≤ 1. If the node with state S has vulnerability patches installed, it will converse into a node with state R with a certain probability. The number of nodes converting from state S to state R is ρ SR ρ r γ 0 μ R ðtÞγ 0 n S ðtÞ per unit time. When the node with state I obtains the vulnerability patch, the probability of it converting to a node with state R, ρ IR , satisfies 0 ≤ ρ IR ≤ ρ SR ≤ 1. Therefore, the number of nodes converting from state I to state R is ρ IR ρ r γ 0 μ R ðtÞγ 0 n I ðtÞ per unit time.

Generation of Vulnerability Detection
Patterns. Vulnerability detection patterns are the methods of finding out vulnerabilities that exist in the fog computing system. They are not used to deal with a single vulnerability but for a certain type of vulnerability. For example, the detailed execution of the buffer overflow in the simple mail transfer protocol (SMTP) is different from the buffer overflow in the hypertext transfer protocol (HTTP). However, if the preconditions and effects of the two tests are the same, the two detection patterns can be classified into the same detection pattern. In this paper, the common attack pattern enumeration and classification (CAPEC) is used to classify the detection patterns [12] and extract the detection patterns with similar preconditions and effects. According to the fog computing system environment, the detection patterns are combined into the corresponding invocation chains, which form the attack graph to test the security of the system.
The descriptive grammar of detection patterns can be formally expressed as triple <Type, Predicate, Detection-Pattern>, in which Type represents the object type in the detection pattern, Predicate represents the predicates of preconditions and effects in the detection pattern, and Detec-tionPattern is described as <Name, Class, Vuls, Var, Pre, Eff>. Name is the name of the detection pattern, and Class is the type of it. If the Class value is α, it is expressed as a vulnerability detection pattern, and if it is β, it is expressed as a vulnerability-independent detection pattern. Vuls contains all the vulnerabilities that the detection pattern may exploit. If the Class value is β, then Vuls is Φ. Var denotes the set of variables and their types in the detection pattern. Each element in the set is denoted by <v : t>, where v is a variable and t is the type to which the variable belongs. Pre and Eff are the set of preconditions and the set of effects, respectively, for a certain pattern corresponding to Predicate. The logical relationship between the elements in the set is parallel relationship.
For example,  [13,14]. Var indicates all local variables of the pattern and the types of these variables. s denotes the source host of the vulnerability detection, d is the target host of the vulnerability detection, sn is the software applications running on the target host, cveid is the vulnerability identification of the software application, port is the port of network connection listening, and pro is the protocol adopted for network connection. Pre represents the preconditions used for this detection pattern: (1) the running service on target host d is sn, which is provided by communication protocol pro, and its listening port is port; (2) service sn on target host d has vulnerability cveid; (3) source host s can access to port port of target host d through communication protocol pro; (4) it can run service sn on source host s with the authority root. Eff illustrates the two effects of successful application of this pattern: one can run services with privilege root on host d; another is service sn on host d provides denial of service.

Modelling of Fog Computing System Environment.
Based on the decision tree algorithm, the fog computing system environment is modelled with tree structure. First step is to classify hosts; that is, the indexes are built according to the address of hosts; next, classify the type of attribute according to predicate name; at last, classify the type of predicate according to its attribute. This decision tree-based classification algorithm can reduce many unnecessary search and matching processes and speed up the process of system environment modelling. The method of fog computing environment modelling is shown in Algorithm 1. The input of the algorithm is Tree of system environment attributes and attribute f of system environment set Initial, and the output is Tree after inserting attribute f . The function of the algorithm is to insert attribute f into Tree in a suitable position. First, the algorithm determines whether the parameter value of the HostID type of the attribute f is equal to the identification of a second-tier node in Tree. If no such node exists, then the node i with the HostID type parameter value identification of the attribute f is generated as the newly added second-tier node. Then, the node j with the predicate name identifier of the attribute f is generated. The node j acts as the postorder node of the node i, and then the attribute f acts as the postorder node of the node j. If the parameter value of the HostID type of the attribute f equals the identity of the second-tier node k existing already in Tree, then it is judged whether the predicate name of the attribute f equals the identity of a postorder node of the node k. If such a postorder node does not exist, then a node m with the predicate name identifier of the attribute f is generated as the postorder node of the node k. If such a postorder node n exists, then the attribute f is used as the postorder node of the node n.

Construction of the Invocation Chain and Its Effectiveness Evaluation
The attack graph demonstrates well how to use multiple vulnerabilities in the fog computing system for the combined application of detection patterns [15,16]. This paper adopts the method of invocation chain, where the program instru-mentation is performed in the execution process of each step detection pattern, and events capture and log output are carried out in each path of the vulnerability combination operation, so that the detection effect of each step can be tracked and observed conveniently. In addition, this paper also evaluates the effectiveness of the invocation chain to verify whether the invocation chain technology can detect existing or unknown vulnerabilities. S-NodesðNodeðIÞÞ = S-NodesðNodeðIÞÞ ∪ fNodeðPÞg; 6.
For each ack in Ack f Do 10 If ack in AA Then.

12.
For each e in DM.Eff Do 13.
If e in T Then

Construction and Presentation of Invocation Chain.
During the execution of the detection pattern, matching checks may be made on the preconditions of each execution. In order to reduce the number of matching checks of preconditions, it is necessary to instantiate the preconditions of detection patterns. Aiming at the system environment of tree structure, the set of atomic attacks Ack f which can satisfy the preconditions of DM is generated by attributes f . An atomic attack is a step-by-step, independent, targeted, and unrepeatable attack, which is taken in a behaviour to achieve the purpose of attack. The attack graph construction algorithm is to generate all executable atomic attack sets for the fog computing system and then convert each atomic attack into V(Node, S_id-D_id, cveid) according to vulExists (d, sn, cveid) and netConn (s: HostID, d: HostID, pro: Protocol, port: Port), where Node is the node number, S_id-D_id is the source node and the destination node, and cveid is the vulnerability number.
During the execution of the detection pattern, matching checks may be made on the preconditions of each execution. In order to reduce the number of matching checks of preconditions, it is necessary to instantiate the preconditions of detection patterns [17]. For the system environment of tree structure, the set of atomic attacks Ack f which can satisfy the preconditions of DM is generated by attributes f . An atomic attack is an independent, target-oriented, and indivisible one-time attack, which is taken in a behaviour to achieve the purpose of attack. The attack graph     Wireless Communications and Mobile Computing construction algorithm is to generate all executable atomic attack sets for the fog computing system and then convert each atomic attack into V(Node, S_id-D_id, cveid) according to vulExists (d, sn, cveid) and netConn (s: HostID, d: HostID, pro: Protocol, port: Port), where Node is the node number, S_ id-D_id is the source node and the destination node, and cveid is the vulnerability number. Algorithm 2 is the description of the algorithm for constructing the set of atomic attacks. The input of the algorithm is the correlation detection pattern set DM and fog computing environment set Initial, and the output is the executable atomic attack set AA. Firstly, the attributes in Initial are stored in a tree structure T, and a dispatch queue of attributes is established. Queue.Dequeue() indicates that the first function in the queue Queue is taken out. When the algorithm runs, an attribute f is constantly extracted from the Queue, and then the function InstantiatePattern is used to generate the set of atomic attacks Ack f on the attribute f . The consequences of these atomic attacks are added to the tree structure, and the above operations are repeated until the Queue is empty. Algorithm 3 is the description of constructing the invocation chain algorithm. The input of the algorithm is AA, which draws the attack graph automatically by calling function dot in Graphviz software [18], and the output of the algorithm is V.
As shown in Figure 4, the constructed invocation chains are presented in the form of attack graphs, and different invocation chains are traversed according to the principle of depth-first [19]. Nodes represent every step in the execution process of invocation chain. Each node is described with three layers. The first layer is composed of letters and numbers which are used to uniquely identify a node vulnerability. The letters represent the top-down level of the node in the attack graph, while the numbers represent the sequence number of the node from left to right in a layer of the attack graph; the second layer represents the source host and target host of the node vulnerability when it is exploited; the third layer indicates the vulnerability number of the node. Figure 4, it is assumed that a node is exploited and that there are two or more sequential nodes in the node. The probability of exploiting one of the sequential nodes is P, P = E * S. P depends on the probability of availability of the vulnerability itself E and the possibility of this point being selected S. S AB refers to, when there are two or more postorder nodes for node A in the attack graph, the probability of the posternode B being selected under the condition that postorder node A is successfully detected. The possibility of node being selected depends on the availability of vulnerabilities and the distribution of sequential vulnerabilities. The calculation method is shown as

Effectiveness Evaluation of Invocation Chain. In
S i refers to the probability of vulnerability i being selected throughout the attack graph. The calculation method is related to the distribution of the preorder nodes in the attack   graph. In the attack graph, the distribution of preordered and postordered nodes can be roughly divided into the following two types: (1) P A denotes the probability of vulnerability A being successfully exploited. S B denotes the selectivity of vulnerabilities B after vulnerability A is exploited. It goes like S B = P A S AB , and the probability of vulnerability B being exploited P B is P B = E B S B (2) The relationship between the invocation chains from A to C and that from B to C is logic, and P A presents the probability of vulnerability A being successfully exploited and P B the probability of vulnerability B being successfully exploited. According to the probability formula, the probability of vulnerability C being successfully exploited is obtained as P C = E C S C . The selectivity of vulnerabilities S C is The probability of a vulnerable node being successfully exploited in a specific invocation chain can be obtained by the above calculating process. However, it is not equal to the probability that the vulnerability will be successfully exploited in the whole network, as the vulnerability may appear in different invocation chains. The comprehensive probability of the vulnerability being successfully exploited is determined by the probabilities of the vulnerability node being successfully exploited in different paths. With the weighted average method [20], the comprehensive probability of vulnerabilities being successfully exploited is calculated as In (3), p i denotes the probability of the vulnerabilities being successfully exploited in their respective test sequences, and n denotes the number of vulnerabilities arising in the whole network attack graph. According to the different P AVG , the degree of vulnerability threat is divided into five levels, i.e., security [0, 20%), low threat [20%, 40%), medium threat [40%, 60%), high threat [60%, 80%), and emergency [80%, 100%] [21].

Simulation Results
As shown in Figure 5 Figure 6: The test instance of invocation chain based on the attack graph.  [23,24]. The distribution of vulnerabilities information of each host in the fog computing system is shown in Table 2.
The test instance of invocation chain method based on the attack graph is shown in Figure 6 According to the effectiveness evaluation of invocation chain mentioned above, the successful probability of atomic attack and P AVG in each path can be calculated, respectively. The results of the calculation are shown in Table 3. The comparison results of invocation chain tests in each path are P AVG ðPath 5Þ < P AVG ðPath 1Þ < P AVG ðPath 7Þ < P AVG ðPath 6Þ < P AVG ðPath 3Þ < P AVG ðPath 2Þ < P AVG ðPath 4Þ. Path 4 is the most vulnerable path to detect system vulnerabilities, and it is also the most important to strengthen the protection of this path to prevent network attacks. Figure 7 shows the comparison of test payoff and test effort. Test payoff refers to the times to scan and analyse network vulnerabilities, and test return refers to the probability of the vulnerabilities being successfully exploited in the fog computing system through invocation chain tests. For security testing, we hope to choose the path with the minimum test payoff and the maximum test effort [25]. When evaluating the system security and deciding the security policy, we should also consider that the attacker may take advantage of this behaviour. Although test payoff of Paths 2, 3, 4, and 6 is high, they can also get high test return. The P AVG values of the above four test sequences are higher than 50%. The shortest test time required for testing according to Path 5 is basically within 5 seconds, and its P AVG value is 13.81%.
As can be seen from Figure 8, due to the different P AVG values of each test sequence, the test payoff and test effort in each path are also different. In order to integrate the impact of payoff and effort on security test decision, the multiobjective decision-making method can be used to analyse which path is more efficient and faster to determine the test sequence under the given test environment [26].
In the above fog computing experimental environment, this paper compares the alarm time of vulnerability detection with that of the model-based vulnerability assessment method proposed in [6] and the attribute-based vulnerability assessment method proposed in [7] and analyses the impact of different methods on the alarm time of vulnerability detection. The faster the alarm time of vulnerability detection, and the earlier the security flaws can be found in the fog computing system [27]. Figure 8 shows the comparison results of various methods under the premise that the experimental environment and parameters are basically the same. It can be seen that the invocation chain method proposed in this paper is superior to other methods in mapping time and association analysis time, because other methods need mapping and exchange from alarm to node, node to path, and path to processing unit; meanwhile, association analysis needs to analyse other alarms on all paths where the alarm is located, and there will be overlaps on paths and repeated alarm message processing. A large amount of repeated analysis in the multinode and multiconnection fog computing  Figure 8, when alarm time is 2, the mapping time of the invocation chain method is about 47% lower than that of the model-based vulnerability assessment method, and the association analysis time is about 38% lower than that of the attribute-based vulnerability assessment method.

Conclusion
Fog computing systems face various security threats, and the vulnerabilities in distributed fog nodes restrict the development of fog computing technology. In the paper, the invocation chain test method proposed can not only analyse the impact of nodes' vulnerabilities but also analyse the impact of test sequence on fog computing security. By analysing the network topology of fog computing and the relationship among the fog nodes exploited successively, the importance of test sequence in the network is obtained. The higher the probability that the node's vulnerability is selected, the greater the impact on network security; the higher the probability that a vulnerable node is being successfully expanded, the more security protection is needed. Through the test results, it is easy to find that the test chain method can better find potential or unknown vulnerabilities, and the probability of vulnerability successfully exploited is generally raised to more than 50%. The method of invocation chain is used to vulnerability assessment. The invocation chain generated based on the attack graph is concise and clear, which can be better applied to complex large-scale systems.

Data Availability
No data were used to support this study.