A Comprehensive Survey on the Cooperation of Fog Computing Paradigm-Based IoT Applications: Layered Architecture, Real-Time Security Issues, and Solutions

The Internet of Things (IoT) can enable seamless communication between millions or billions of objects. As IoT applications continue to grow, they face several challenges, including high latency, limited processing and storage capacity, and network failures. To address these challenges, the fog computing paradigm has been introduced; its purpose is to integrate the cloud computing paradigm with IoT and bring cloud resources closer to the IoT devices. Thus, it extends the computing, storage, and networking facilities toward the edge of the network. In the fog-based IoT network, data processing and storage occur at the IoT devices themselves, eliminating the need to transmit the data to the cloud. Further, it also provides a faster response as compared to the cloud. Unfortunately, the characteristics of fog-based IoT networks give rise to real-time security challenges, which may raise severe concerns for end-users. This paper therefore focuses on fog-based IoT communication, targeting real-time security challenges. We examine the layered architecture of fog-based IoT networks along with the working of IoT applications operating within the context of the fog computing paradigm. Moreover, we highlight real-time security challenges and explore several existing solutions proposed to tackle these challenges. In the end, we investigate the research challenges that need to be addressed and explore potential future research directions that should be followed by the research community.


I. INTRODUCTION
In the wake of the invention of computers and the Internet, many experts view the development of the Internet of things (IoT) as a key revolution in information and communication technology (ICT). The IoT facilitates the connection of several smart objects and sensors to the Internet, allowing the collection of data from the physical environment. Through this capability, it allows the automatic and dynamic storage and processing of the accumulated data [1], [2], [3], [4], [5]. Moreover, the IoT is not solely dependent on a single technology but incorporates six essential components within the physical environment: identification, sensing, communication, computation, services, and semantics [6], [7], [8]. The identity of smart objects and sensors is assigned in the identification process, while sensing refers to capturing the data from smart objects and sensors. For this purpose, several technologies such as wireless sensor networks (WSN) [9], [10], radio frequency identification (RFID) [11], [12], near field communication (NFC) [13], [14], Bluetooth [15], [16], [17], Wi-Fi [18], [19], and long-term evolution (LTE) [20], [21] are used. Then, processing is performed on the collected data to extract important and useful data and remove unnecessary data. Using the collected data, the appropriate service and decision are chosen to send a response to the IoT devices. The interconnection of these elements enables IoT applications such as smart homes [22], [23], the health care domain [24], [25], intelligent transportation systems [26], [27], [28], animal tracking [29], [30], and smart robotic grippers [31]. Thus, the growth of IoT applications has led to the generation of vast amounts of data, resulting in heavy network and processing loads.

The associate editor coordinating the review of this manuscript and approving it for publication was Amjad Mehmood.
In the process, these vast amounts of data require huge and extensive storage capacity, computing resources, and communication bandwidth. Based on insights from Cisco, it is expected that the number of Internet-connected devices will exceed 50 billion in the coming years, with an estimated average of seven devices per person being under human control [32], [33]. According to John T. Chambers (former CEO and executive of Cisco), there will be an astonishing 500 billion devices connected to the Internet by the year 2025 [34]. Consequently, the research and academic community is facing a significant challenge in managing the immense amounts of data generated by IoT applications [35], [36].
To address this challenge, the integration of IoT with cloud computing led to the emergence of the Cloud of Things (CoT) [37], [38], [39]. Cloud computing provides a centralized computing model that offers wide computing resources and storage capacity. This integration enables the smooth collection of data from IoT devices and simplifies the computation process for the gathered data [40], [41]. Figure 1 illustrates the CoT model, where devices transmit data to the cloud directly. Then, an appropriate decision is taken according to the result of analysis and computation, both of which take place in the cloud. Furthermore, the CoT model consists of two layers: (i) the storage and control layer and (ii) the device layer. The storage and control layer provides the facility for the centralized storage and computation of vast amounts of data. For this purpose, it utilizes the IoT devices and the data generated from these devices to control and manage the IoT services. The second layer, the device layer, is composed of IoT devices connected to the Internet, to each other, and to the cloud. Moreover, the device layer is not restricted to complicated devices but also includes simple and small objects such as appliances, furniture, and works of art [42]. Common communication mediums (routers, gateways, and bridges) and other communication protocols are used to achieve communication within layers and across layers [43]. This approach has several benefits, such as requiring minimal monitoring and management efforts. As a consequence, it has given birth to a multi-billion-dollar industry. Simultaneously, this process requires a substantial amount of network bandwidth to transmit the data directly to the cloud [44], [45]. In addition, the centralization of resources within cloud-based IoT solutions frequently leads to a significant physical gap between IoT devices and the cloud infrastructure.
Consequently, this can lead to an increase in average network latency and jitter [46], [47], [48]. As a consequence of the inherent communication delay in cloud computing, end-users face challenges in accessing time-sensitive applications that require rapid response times and mobility support, such as intelligent transportation systems and augmented reality experiences. Furthermore, the cloud-based IoT communication model faces security and privacy threats for applications that are delay-sensitive, location-aware, and mobility-supported [49], [50].
73304 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

The fog computing paradigm is conceptualized as an expansion of the cloud computing paradigm, acting as a bridge to provide services between end-user devices and cloud servers [51], [52], [53], [54]. Furthermore, this term has also been elaborated by various organizations and researchers according to their perspectives [55], [56], [57], [58]. It is characterized by its decentralized nature. Instead of acting as a substitute for cloud computing, it is an extension of the cloud situated at the network edge in closer proximity to the physical objects. Furthermore, it acts as an intermediary between the end-users and the cloud. It brings computation resources and storage to the network edge and closer to the end-users [59], [60], [61], [62]. In other words, it creates a hierarchical infrastructure in which the fog platform is used to store temporary data as well as perform local data analysis, while the cloud platform is used to store data permanently as well as perform global data analysis [63], [64]. According to the studies of Atlam et al. [65], Zhang et al. [66], Bonomi et al. [67], and Dastjerdi et al. [68], the fog computing paradigm has several characteristics, which are summarized as follows:
• Low Latency: IoT devices are at a very short physical distance from the fog nodes. Thus, the fog performs data analysis locally, separate from the cloud, and, by so doing, provides low latency.
• Location-Awareness: Fog computing supports the awareness of device location, enabling the active or passive tracking of fog nodes to deliver services to devices at the network edge.
• Geographic Distribution: The fog computing paradigm provides services in a distributed form. Moreover, the location of an end user's devices can easily be tracked to support the mobility feature.
• Scalability: The fog computing paradigm provides distributed resources and storage with data analysis to support large-scale IoT devices. In contrast, the centralized cloud requires heavy management to support large-scale IoT devices and IoT applications.
• Physical Distance: The fog nodes can receive the data from IoT devices within a single hop. Thus, data transmission occurs directly and efficiently. In contrast, the cloud computing paradigm receives aggregated data summaries from several devices and within multiple hops.
• Mobility Support: The fog computing paradigm can support high mobility as well as connect to mobile devices. It provides the capability to communicate with mobile devices by using mobility-based communication protocols such as the location ID separation protocol (LISP).
• Bandwidth Saving: The fog computing paradigm reduces the amount of network transmission and saves bandwidth, because it extends the functionalities of storage, analysis, and computation to the network's edge.
• Security and Privacy: The fog computing paradigm provides resources (storage, analysis, and computation) at the network edge, bringing them closer to end-users and ensuring that data remains in proximity. Additionally, it provides strong security and privacy measures for the data. In contrast, in the cloud computing paradigm data stay in the cloud for storage, data analysis, and computation. Therefore, the cloud provides less security and fewer privacy measures as compared to fog computing.

Table 1 provides a comparison of the fog computing paradigm with other computing models, such as the cloud computing paradigm. The fog computing communication model offers distinct characteristics, such as low latency, location-awareness, decentralized distribution, scalability, short physical distance, support for mobile devices, and bandwidth savings. However, due to these characteristics, it faces some unavoidable security and privacy threats [69], [70], [71], [72], [73], [74]. Furthermore, it is deployed by fog service providers, which may not be as secure and trusted as the more-established cloud providers. Also, IoT devices have limited resources in terms of storage and computing, which can make them vulnerable to being compromised and easily hacked, stolen, or broken. Unfortunately, no systematic studies to identify the security and privacy challenges, along with the security resources in fog computing paradigm-based IoT applications, have yet been conducted, and research on the security and privacy issues of fog computing paradigm-based IoT applications is still in its early stages. Accordingly, it is essential to conduct a thorough study of the security and privacy requirements to design and implement IoT-based applications.
This survey paper takes a closer look at real-time security and privacy challenges, such as authentication, authorization (access control), end-user privacy preservation, intrusion detection and prevention, and trust management in fog computing-based IoT applications. All of these challenges make clear the necessity of providing a promising method for building IoT applications that provide secure and reliable real-time services for the end-users. The contributions made by this article are summarized as follows:
• This article makes specific contributions to the proposed layered architecture of fog-based IoT applications.
• It also constructs a picture for understanding the working of IoT applications under the fog computing paradigm.
• This article demonstrates real-time security and privacy challenges, such as authentication, authorization, end-user privacy preservation, intrusion detection and prevention, and trust management, which may affect the fog-based IoT network as well as end-users.
• It also reviews the possible existing and promising solutions to ensure reliable and secure real-time services for fog-based IoT applications.
• Further, this article also highlights the research challenges and suggests future research directions for the research community.

Furthermore, the organization of this article is as follows:
• Section I describes the introduction of IoT. In addition, this section also presents the introduction of cloud computing and fog computing along with their characteristics.
• Section II presents the architecture of fog computing-based IoT applications.
• Section III is used to highlight real-time security issues, such as authentication, authorization, end-user privacy preservation, intrusion detection and prevention, and trust management. Further, this section also presents the existing possible solutions.
• Section IV is used to describe the research challenges and future research directions.
• Section V elaborates the conclusion of this article as final remarks.

II. LAYERED ARCHITECTURE OF FOG COMPUTING-BASED IOT NETWORK
The fog computing paradigm relocates operations into closer proximity to the end-users of IoT applications. Its key objective is to provide low latency and save bandwidth to ensure the reliable and secure real-time and time-sensitive services of IoT applications [75], [76]. According to Ni et al. [77], the architecture of a fog-based IoT network consists of a cloud-fog-device framework, where three layers exist, named the cloud, the fog, and the IoT device layer. In contrast, according to [78], [79], [80], and [81], there are six layers, named the physical, the monitor, the pre-processing, the transit (temporary storage), the security, and the transport layer. This section provides an overview of the proposed layered architecture for an IoT network based on fog computing.
A. THREE-LAYERED ARCHITECTURE OF FOG-BASED IOT NETWORK

Figure 2 demonstrates the basic architecture, consisting of three layers.

1) DEVICE LAYER
This layer is composed of IoT devices. Two types of IoT devices exist in this layer: mobile devices and static devices. Mobile devices can transmit data in a wireless and ad hoc manner [82], while static devices cannot respond to emergency events. According to Gazis [83], these devices have limited resources (storage, analysis, and computation) along with limited bandwidth for the transmission of data. Therefore, these devices have pre-defined functionalities to perform monitoring tasks on a product or building. In addition, fog computing includes the characteristic of location awareness; these devices, mobile and static, may have GPS enabled in them and sense the physical environment and collect data. Then, the collected data are sent to the fog layer for transit storage as well as analysis and computation. Similarly, these devices can also respond to the physical environment according to the instructions and information directed by the middle layer, the fog layer.

2) FOG LAYER
This layer consists of a variety of network equipment that can perform computation, for example, routers, switches, bridges, etc. These devices are known as fog nodes. Further, this layer extends the cloud computing paradigm to the network edge, nearer to the end devices. The fog nodes can perform real-time data storage, data analysis, and computation. By so doing, the computation load on resource-constrained IoT devices is reduced. The fog nodes are at a shorter physical distance from the IoT devices, as they exist one hop away from the IoT devices. Therefore, they maintain provisional knowledge regarding the end-users and their devices, such as location information. In addition, this layer receives the data from IoT devices to perform data analysis and computation and provides temporary data storage capacity. Then, data is sent to the cloud through other nodes or directly.

3) CLOUD LAYER
Cloud data centers exist in this layer. It has significant amounts of data storage space and computation resources. It can also access Internet-connected end-users at any time and from anywhere. Further, the cloud receives the data in a summarized form from fog nodes, where the analysis process is performed on the collected data to improve the quality of applications and services provided by the IoT [84], [85], [86], [87].
B. SIX-LAYERED ARCHITECTURE OF FOG-BASED IOT NETWORK

Figure 3 demonstrates the complex and secure layered architecture of a fog-based IoT network, consisting of a six-layered hierarchy.

1) PHYSICAL LAYER
This layer consists of IoT devices, which are enabled with GPS to fulfill the requirements of fog computing and are distributed geographically. Further, these devices can sense the physical environment.

2) MONITOR LAYER
This layer is used to monitor the whole network, including IoT devices and fog nodes in terms of resource utilization, availability, and accessibility of all networks. It also monitors the functionality provided by a device, for example, which device is performing what task and at what time.

3) PRE-PROCESSING LAYER
This layer performs the tasks of the management level. It analyzes the vast amount of data coming from IoT devices by using several filtering and pruning algorithms to extract useful information. Moreover, fog nodes have limited data storage space as compared to the cloud. Therefore, this layer is considered to be necessary for fog computing-based IoT applications.

4) TEMPORARY STORAGE LAYER
There are two types of data generated by IoT applications: sensitive and less-sensitive data. The data that requires a real-time response on an immediate basis, whenever an emergency event occurs, is known as sensitive data. The temporary storage layer is used to provide transit data storage for this data as well as perform real-time analysis and computation. Besides this, temporary storage is not provided for the data generated by the less-sensitive applications of IoT; these applications send data directly to the cloud.

5) SECURITY LAYER
This layer provides cryptography where the encryption and decryption of data come into play. It collects data from the bottom layer (temporary storage layer) and performs encryption by converting all collected data into an unreadable form.
To perform encryption, the key used is known by the owner of the data. Furthermore, the security layer conducts integrity measures to detect any attempts to tamper with the data by an attacker.

6) TRANSPORT LAYER
This layer gathers the encrypted data from the security layer, which it sends to the cloud where analysis is performed. Furthermore, data may be stored for a long time.
To understand the working of IoT applications under the fog computing paradigm, let us consider Figure 4, where the high-level architecture of fog computing-based IoT applications is represented. The fog nodes are deployed at the edge of the network, close to the IoT devices, where they collect data from the IoT devices. They can be in the form of simple network equipment such as routers and gateways, or complex devices such as embedded servers and video surveillance cameras. These devices have been built with intelligence, and the data generated by the sensitive applications is stored, analyzed, and computed on these intelligent devices. Thus, any sign of a problem can be detected comparatively close to the IoT devices, enabling the fog nodes to respond to the IoT devices immediately whenever needed. In contrast, the data generated by less-sensitive applications are sent to the cloud through fog nodes or directly. The cloud provides data storage capacity, analysis, and computation, as the cloud data center has a significant amount of data storage capacity. The data can be stored there for months and years. The cloud can be used to perform various functionalities, such as big data analytics, parallel processing, and machine learning. In addition, several technologies are used to achieve communication within each layer and across layers, including wired and wireless communication; wired communication includes Ethernet and fiber optic technology, while wireless communication includes routers, gateways, switches, bridges, satellite links, and IEEE 802.11 a/b/c/g/n/p [88].

III. REAL-TIME SECURITY ISSUES AND SOLUTIONS FOR FOG COMPUTING-BASED IOT APPLICATIONS
The fog computing communication environment offers numerous characteristics for IoT applications, such as location awareness, device mobility, low latency, geographic distribution, wireless access, and heterogeneity [89]. Meanwhile, a variety of security and privacy threats exist in this computing environment. Therefore, there is a need for a protection mechanism to provide security to fog-based IoT applications; otherwise, the end users cannot trust the network or use and enjoy the real-time services of IoT applications. Thus, this study chooses to focus on secure and reliable real-time services for IoT applications.
In the following section, we review several security challenges concerning real-time services. We divide the literature into five categories based on the real-time services of IoT applications, namely authentication, access control, end-user privacy, intrusion detection and prevention, and trust management, as shown in Figure 5. We also introduce some existing promising solutions that can be used to address and overcome these challenges. Moreover, we identify existing and possible solutions to enforce authentication and access control rights in the network and prevent the network from being accessed by an attacker, while protecting the private information of end-users from being accessed by an attacker. Furthermore, we present the techniques used in the proposed solutions and demonstrate their advantages and limitations.

A. AUTHENTICATION
The IoT combines the real-time services provided by smart objects and sensors to enable communication with the physical environment. This characteristic of the IoT leads to various security challenges, where attackers can gain network access, utilize the resources of the network, and affect the infrastructure without having correct credentials or suffering any liabilities. It is a difficult task to ensure authenticity and credibility before accessing the services, while providing guarantees that all entities involved in the communication process are trusted. For example, an attacker may pretend to be an intended user to gain access and utilize the services of the network without leaving any evidence of the intruder's misbehavior and malicious activities.

1) EXISTING SOLUTIONS FOR AUTHENTICATION
Several methods have been proposed to mitigate the problems of authenticity and provide security and reliability for communication in the network. The following sub-sections present the existing promising solutions to ensure authenticity in the network, in the form of identity-based authentication, cooperation-based authentication, and anomaly-based authentication.

a: IDENTITY-BASED AUTHENTICATION
Loffi et al. [90] used the existing multi-factor mutual authentication protocol and proposed a new flexible method that made use of a challenge-response function, a nonce, and an adjustable variable response time to improve the accuracy of their model. Furthermore, elliptic curve cryptography serves as the encryption cipher in the proposed model.
Chandrasekhar and Singhal [91] proposed an authentication strategy. It aims to provide integrity and authenticity for cloud storage when data comes from multiple sources and is accessible by multiple users. While such dangers exist, cloud computing does provide the benefits of flexibility, scalability, low cost, accessibility, and availability. The proposed query-based authentication strategy is constructed by using a multi-trapdoor hash function and a special enhanced form of encryption [92], [93]. It permits clients to validate the accuracy and authenticity of query results while achieving minimal communication and computation overhead.
An alternative authentication scheme involves the development of a secure and authenticated key agreement strategy specifically designed for smart grid applications [94]. This scheme is based on the Canetti-Krawczyk (CK) adversary model [95], [96], according to which an authentication model should secure all past sessions as well as future sessions. The authors examined the Tsai and Lo scheme [97], which is considered to be the first anonymous scheme; at the same time, it provides weak security measures and may be exposed to numerous security attacks, such as a session exposure attack. Odelu et al. therefore proposed a protocol to overcome the security weaknesses that exist in the Tsai and Lo scheme. The authors asserted that their proposed protocol requires low computation costs to provide a variety of security functionalities. It also establishes security for the session keys in the CK adversary model.
Jiang et al. [98] proposed an authentication scheme to ensure authentication between two entities in a wireless sensor network (WSN) environment. The authors enhance the work of He et al. [99] to increase efficiency as well as enable resistance against various known attacks such as user impersonation and eavesdropping attacks. The proposed scheme has two phases: a registration phase and an authentication phase. The registration of users is performed in the first phase, which employs the elliptic curve cryptography (ECC) model instead of modular exponentiation. In the second phase, login and authentication are performed to establish a session key whenever users want to use the sensed data. In addition, the proposed scheme fulfills the requirement of mutual authentication under Burrows-Abadi-Needham (BAN) logic [100]. Therefore, it is considered to be untraceable and resistant against known attacks.
Hu et al. [101] proposed a scheme combining data encryption and data accuracy to overcome the issues of confidentiality, integrity, and availability for the communication process of face identification and face resolution applications in fog computing-based IoT. For these purposes, it provides three key countermeasures, consisting of authentication and session key agreement, advanced encryption standard (AES)-based encryption mechanisms, and a hash-based data integrity algorithm. The session key is generated by using the Diffie-Hellman key agreement algorithm [102], [103]. In addition, the AES symmetric key encryption algorithm is used to ensure the confidentiality of the data. A hash-based data integrity algorithm, for example, SHA-1, is used to confirm the integrity or accuracy of the data. The experimental results demonstrate that the proposed scheme introduces a slight increase in communication and computation overhead while ensuring system confidentiality, integrity, and availability. Additionally, the fog computing paradigm highlights the need for secure and reliable up-to-date information rather than outdated information. Hence, it can be thought of as a limitation of the proposed scheme that it deals with outdated information. Furthermore, this article does not consider the mobility feature of IoT devices.
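The three countermeasures described for Hu et al. [101], worked through as an added example (my code, not the authors'): Diffie-Hellman key agreement (X25519 here) yields the session key, AES protects confidentiality, and a keyed hash (HMAC-SHA256 in place of the plain SHA-1 the scheme mentions, since an unkeyed hash alone cannot detect a forged message) is checked before anything is decrypted. The labelled key derivation, the encrypt-then-MAC framing and the sample message are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// sessionKeys: the two keys derived from the Diffie-Hellman shared secret.
type sessionKeys struct {
	encKey []byte // 32 bytes, AES-256 (confidentiality)
	macKey []byte // 32 bytes, HMAC-SHA256 (integrity)
}

// deriveKeys binds each key to its purpose with a label (assumed step; [101] does not specify it).
func deriveKeys(shared []byte) sessionKeys {
	enc := sha256.Sum256(append([]byte("fog-iot-enc|"), shared...))
	mac := sha256.Sum256(append([]byte("fog-iot-mac|"), shared...))
	return sessionKeys{encKey: enc[:], macKey: mac[:]}
}

// agree: X25519 Diffie-Hellman between an IoT device and a fog node; only the
// public keys cross the channel, yet both sides end with identical session keys.
func agree() (device, fog sessionKeys, err error) {
	curve := ecdh.X25519()
	devPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	fogPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	devShared, err := devPriv.ECDH(fogPriv.PublicKey())
	if err != nil {
		return
	}
	fogShared, err := fogPriv.ECDH(devPriv.PublicKey())
	if err != nil {
		return
	}
	return deriveKeys(devShared), deriveKeys(fogShared), nil
}

// seal: AES-CTR under a fresh random IV, then HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC).
func seal(k sessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, body[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(body[aes.BlockSize:], plaintext)
	tag := hmac.New(sha256.New, k.macKey)
	tag.Write(body)
	return tag.Sum(body), nil // body || tag
}

// open: verify the tag in constant time first; a message altered in transit is rejected, never decrypted.
func open(k sessionKeys, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	want := hmac.New(sha256.New, k.macKey)
	want.Write(body)
	if !hmac.Equal(want.Sum(nil), tag) {
		return nil, errors.New("integrity check failed: message was tampered with")
	}
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plain, body[aes.BlockSize:])
	return plain, nil
}

// main: a constructed face-resolution result is sent intact, then with one ciphertext byte flipped in transit.
func main() {
	device, fog, err := agree()
	if err != nil {
		panic(err)
	}
	msg, _ := seal(device, []byte("face-id=7731;match=0.97")) // constructed sample
	plain, err := open(fog, msg)
	fmt.Printf("intact:   %q err=%v\n", plain, err)
	msg[aes.BlockSize] ^= 0x01
	_, err = open(fog, msg)
	fmt.Printf("tampered: err=%v\n", err)
}
```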
Software-defined networking (SDN), where switches act as fog nodes simultaneously, can be a good choice for a fog computing-based IoT network to manage network flow automatically and dynamically [104]. In SDN, the controller controls and manages all switches through the OpenFlow channel, transmitting commands and requests and receiving the switches' states in response to those commands and requests. Therefore, it is imperative to ensure the security of the OpenFlow channel in SDN [105]. Li et al. [106] detect a man-in-the-middle (MiTM) attack and packet modification utilizing a Bloom filter. The Bloom filter acts as an efficient data structure to test the existence of any fabricated or fake element in a given set. Hence, the controller can detect packet fabrication and modification by collecting all Bloom filters. If there are differences between the filters, the controller detects it as a MiTM attack and confirms that the packets were fabricated or modified during their transmission. Furthermore, the authors highlight that if an attacker intercepts an OpenFlow channel that consists of a single flow path between the controller and switches, the proposed scheme does not work. In other words, if the OpenFlow channel consists of one flow path, the proposed scheme cannot detect the MiTM attack between the controller and the switches. At the same time, the proposed scheme does not provide a solution for mobile devices.
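The controller-side check from Li et al. [106], as an added illustration rather than the authors' code: each switch on the OpenFlow path keeps a Bloom filter of what it forwarded, and the controller compares the collected filters; a path with a single switch yields Undecidable, which is the limitation noted above. The control messages, filter size, and hash construction are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const (
	bloomBits   = 1024 // m: filter size in bits
	bloomHashes = 4    // k: hash functions per element
)

// Bloom is a fixed-size Bloom filter. Being an array, two filters compare
// with ==, which is all the controller needs to spot disagreeing switches.
type Bloom [bloomBits / 64]uint64

// positions derives k bit positions for a packet from salted SHA-256.
func positions(pkt []byte) [bloomHashes]uint32 {
	var pos [bloomHashes]uint32
	for i := range pos {
		sum := sha256.Sum256(append([]byte{byte(i)}, pkt...))
		pos[i] = binary.BigEndian.Uint32(sum[:4]) % bloomBits
	}
	return pos
}

// Add records a packet that passed through the switch.
func (b *Bloom) Add(pkt []byte) {
	for _, p := range positions(pkt) {
		b[p/64] |= 1 << (p % 64)
	}
}

// Switch is an SDN switch acting as a fog node; it keeps a filter of
// everything it forwarded and reports that filter to the controller.
type Switch struct {
	ID     string
	Filter Bloom
}

func (s *Switch) Forward(pkt []byte) { s.Filter.Add(pkt) }

type Verdict int

const (
	Clean       Verdict = iota // every filter on the path agrees
	Tampered                   // filters differ: a packet was fabricated or modified in transit
	Undecidable                // single-switch path: no second filter to compare ([106]'s limitation)
)

// controllerCheck compares the filter of every switch on the path with the
// first (ingress) switch; a mismatch means the path did not see the same packets.
// Two different packet sets can collide only with probability about (n*k/m)^k.
func controllerCheck(path []*Switch) Verdict {
	if len(path) < 2 {
		return Undecidable
	}
	for _, s := range path[1:] {
		if s.Filter != path[0].Filter {
			return Tampered
		}
	}
	return Clean
}

// simulate pushes constructed OpenFlow-style control messages (not the real
// wire format) through pathLen switches; with modify=true the FLOW_MOD's
// output port is altered between the first and second switch.
func simulate(pathLen int, modify bool) Verdict {
	msgs := [][]byte{
		[]byte("HELLO:dpid=0x1"),
		[]byte("FLOW_MOD:match=10.0.0.5->10.0.0.9,action=output:2"),
		[]byte("ECHO_REQUEST:xid=42"),
	}
	path := make([]*Switch, pathLen)
	for i := range path {
		path[i] = &Switch{ID: fmt.Sprintf("S%d", i+1)}
	}
	for _, m := range msgs {
		pkt := m
		for i, sw := range path {
			if modify && i == 1 && bytes.HasPrefix(m, []byte("FLOW_MOD")) {
				pkt = []byte("FLOW_MOD:match=10.0.0.5->10.0.0.9,action=output:9")
			}
			sw.Forward(pkt) // downstream switches see whatever reached them
		}
	}
	return controllerCheck(path)
}

func main() {
	fmt.Println("2 switches, intact:  ", simulate(2, false)) // 0 = Clean
	fmt.Println("3 switches, modified:", simulate(3, true))  // 1 = Tampered
	fmt.Println("1 switch, modified:  ", simulate(1, true))  // 2 = Undecidable
}
```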

b: COOPERATION-BASED AUTHENTICATION
Lin and Li [107] and Zhou et al. [108] have made some efforts to propose cooperation-based authentication schemes for users. These proposed schemes are used to reduce communication and computation overhead. These schemes do not require a trusted authority to perform the process of authentication. Thus, they shorten the delay to authenticate the individuals. Moreover, these schemes accept the cooperation of neighbor nodes to eliminate the unnecessary authentication process on the same message through different users. These schemes can also resist numerous attacks, such as a free-riding attack, so that fake and unnecessary efforts are not consumed in the network. Furthermore, these schemes encourage user cooperation and accept the help of adjacent neighbor nodes to avoid entangling the system's resources in unnecessary and time-consuming authentication processes.

c: ANOMALY-BASED AUTHENTICATION
When using the real-time services of IoT applications, end users expect to avoid disclosing private information regarding their identity during the authentication process. If an attacker intercepts this information, he/she would be able to identify the trajectory and intersection information of the user [109], [110]. Lu et al. [111] proposed an approach to enable the nodes to verify the credentials of end users without extracting the identity information of the user, such as the user's location. However, nodes cannot distinguish the target users. Furthermore, the authors did not perform extensive experiments to confirm the effectiveness of the proposed approach, nor did they present a strong threat model.
Kumar et al. [112] designed an ensemble learning-based IDS for the IoMT network to identify cyber-attacks using a fog-cloud architecture. The proposed scheme consists of two engines: a traffic processing engine and an intrusion detection engine. The first engine includes feature mapping, feature selection, and feature normalization. The authors make use of the XGBoost-based ensemble method with various machine-learning techniques to train their system for detecting cyber-attacks. In the intrusion detection engine, the authors made use of the ToN_IoT dataset to test the proposed detection system and claimed that this approach is capable of achieving an accuracy of 96.35% and a detection rate of 99.98%. Moreover, it can minimize the false alarm rate by up to 5.59%. According to the authors, they have proposed the first ensemble learning-based IDS for the IoMT environment using a fog-cloud architecture.
In addition, Manimurugan [113] developed an IoT-Fog-Cloud computing model using a machine learning approach. The proposed approach aims to recognize cyber-attacks in the IoT smart city. The model was trained using the Improved Naïve Bayes algorithm on the UNSW-NB15 dataset to detect attacks. The author claimed that the proposed approach outperforms existing approaches in terms of detection rate and accuracy.
Table 2 summarizes all the existing and promising solutions proposed to ensure authentication in the network. It also lists the techniques used to overcome the problem and presents the advantages and limitations of the proposed solutions.

B. AUTHORIZATION
An authorization mechanism plays a critical role in the IoT ecosystem by controlling and managing access to information and resources within the network. It ensures that only authorized entities can utilize the network's resources and prevents unauthorized access to sensitive information and resources. The IoT implements two types of authorization mechanisms: physical and logical authorization [114]. Both forms of authorization have been widely criticized and remain a challenging task in IoT applications. Once implemented, an authorization mechanism answers the following questions:
• Which mechanism should be allowed to access a specific, required service?
• Which users have the authority to access specific information?
• Which operations is a user allowed to perform after accessing a service of the network?

1) EXISTING SOLUTIONS FOR AUTHORIZATION
Several mechanisms have been proposed to ensure authorization (access control) and make it impossible for malicious attackers to utilize the system's resources and information.
In the following subsection, we investigate the various proposed solutions for authorization mechanisms, including role-based authorization, credential-based authorization, and trust-based authorization.

a: ROLE-BASED AUTHORIZATION
Role-based authorization mechanisms are used in traditional systems to grant access privileges to network resources and information according to the roles of individuals, for example, doctors, professors, managers, assistants, and so on [115]. For better understanding, consider an example. In case of a road accident, the doctor must have access to the user's location to ensure timely and effective medical support, whereas ordinarily information regarding the user's location should be kept confidential. Hence, Hu et al. [116] presented a system based on user identity to effectively control and manage location information and other private credentials in emergencies. It ensures that only an authorized user can use the user's private information; in regular situations, the system does not disclose the information to any individual. However, the IoT consists of nodes that have dynamic characteristics and possess constrained computing power and storage capacity. Therefore, the proposed scheme is thought to have limited applicability because of these limitations.
Dang and Hoang [117] presented a model for managing mobility and securing data in the fog environment. The proposed model features three modules that serve distinct purposes. Firstly, the Fog-based Privacy-aware Role-Based Access Control (FPRBAC) module enables authorization between fog nodes within the network. Secondly, the Region-Based Trust-Aware (RBTA) module assists trust translation among fog nodes belonging to different regions. Lastly, the mobility management service module handles location requests within a region model.
The model implements the mobility service with location registration, which addresses location issues by storing various information about fog devices. It is based on trust values between regions, where fog nodes can join and leave within their assigned roles. The FPRBAC module authenticates users' requests to access computing resources from fog nodes, based on the permissions assigned to their respective roles. Furthermore, the experimental results demonstrated that the proposed model outperforms other approaches.
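The road-accident scenario above is easiest to follow in code: a deny-by-default role-to-permission table, plus a context condition that releases the location resource only to a role that holds that permission and only while an emergency is in effect. The following is an added example written for this survey; it is not code from Hu et al. [116] or Dang and Hoang [117], and the roles, resources and subject identifiers are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# Role -> set of (action, resource) pairs the role may exercise (deny by default).
# Roles and resources are constructed for this example; "location" is the sensitive
# item from the road-accident scenario.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "doctor":    {("read", "medical_record"), ("read", "location")},
    "manager":   {("read", "schedule")},
    "assistant": {("read", "schedule")},
}

# Context conditions: a permission a role holds is usable only when the condition
# evaluates to True for the request context. Location is released only in an emergency.
CONDITIONS: Dict[Tuple[str, str], Callable[[dict], bool]] = {
    ("read", "location"): lambda ctx: ctx.get("emergency") is True,
}


@dataclass
class AccessRequest:
    subject: str            # who is asking (device or account identifier)
    role: str               # role assigned to the subject by the administrator
    action: str
    resource: str
    context: dict = field(default_factory=dict)


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Deny-by-default RBAC check with a context condition for sensitive resources."""
    key = (req.action, req.resource)
    if key not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role '{req.role}' holds no permission for {req.action} on {req.resource}"
    condition = CONDITIONS.get(key)
    if condition is not None and not condition(req.context):
        return False, f"{req.resource} is withheld: required context (emergency) not present"
    return True, "granted"


def decide_all(requests):
    """Evaluate a batch of requests; returns (subject, allowed, reason) tuples for the audit log."""
    return [(r.subject, *authorize(r)) for r in requests]


if __name__ == "__main__":
    demo = [  # constructed requests
        AccessRequest("dr-ahmed", "doctor", "read", "location", {"emergency": True}),
        AccessRequest("dr-ahmed", "doctor", "read", "location"),
        AccessRequest("asst-lee", "assistant", "read", "location", {"emergency": True}),
        AccessRequest("asst-lee", "assistant", "read", "schedule"),
    ]
    for subject, allowed, reason in decide_all(demo):
        print(f"{subject:10} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Note that the emergency flag is part of the request context, so the component that sets it (for example, an incident-management service) becomes security critical: whoever can assert an emergency can unlock the location for every doctor role, which is the kind of dependency the limited-applicability remark above refers to.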

b: CREDENTIAL-BASED AUTHORIZATION
In a credential-based authorization mechanism, a special type of certificate is required from the user to access resources and information related to the network. An attacker cannot bypass the authorization mechanism without the required certificate. Therefore, this mechanism is considered to be secure and authenticated in the IoT environment. The credential-based access control mechanism encompasses two types: attribute-based access control and capability-based access control [118]. In attribute-based authorization, each user has a special type of attribute, which is used to access a particular resource or piece of information. Lewko and Waters [119] proposed a model that establishes a policy system in which each user is given certain attributes according to his/her requirements. To use a particular resource or piece of information, the user's attributes are matched against the pre-defined rule system. Once the user's attributes meet the criteria defined in the rule system, the user is able to access the required resource or information.
In contrast, the second type of credential-based access control, capability-based authorization, treats a communicable and unforgeable token as the unique reference used to exercise access privileges on a resource or item of information. The key concept of capability was introduced in [120]. Hernández-Ramos et al. [121] presented a distributed model that relies on the existing communication and computation abilities of smart objects. In the proposed model, the owner of the resource or service issues authorization certificates to the individuals who want to use it, and a user must possess such an authorization certificate in order to perform the corresponding resource or service request. Furthermore, the authors apply the principle of least privilege to manage and control access to a resource or item of information. The model secures the system in a centralized manner through end-to-end validation, although it requires each user to be able to publish a key certificate. This requirement is one drawback of the proposed model, which needs further enhancements to overcome security obstacles.
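The two credential-based variants described above differ in where the decision lives: attribute-based authorization matches the requester's attributes against a rule system at request time, whereas capability-based authorization checks an unforgeable token that already names exactly the rights granted. The following added example, written for this survey and not taken from Lewko and Waters [119] or Hernández-Ramos et al. [121], shows both. The policy rules, attribute names, issuer key and token format are constructed assumptions; the capability token is an HMAC-authenticated JSON body with an expiry, and the check enforces least privilege by refusing any right the token does not list.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, List, Tuple

# ---- Attribute-based authorization: attributes matched against a rule system ----
# Constructed policy rules. "require" maps attribute -> expected value, or ("ge", threshold)
# for a numeric minimum.
POLICIES: List[Dict] = [
    {"resource": "patient_vitals", "action": "read",
     "require": {"department": "cardiology", "clearance": ("ge", 2)}},
    {"resource": "fog_config", "action": "write", "require": {"role": "admin"}},
]


def attributes_satisfy(attrs: Dict, required: Dict) -> bool:
    for key, expected in required.items():
        value = attrs.get(key)
        if isinstance(expected, tuple):
            op, threshold = expected
            if op != "ge" or not isinstance(value, (int, float)) or value < threshold:
                return False
        elif value != expected:
            return False
    return True


def abac_authorize(attrs: Dict, action: str, resource: str) -> bool:
    """Grant only if some rule for (action, resource) is satisfied by the requester's attributes."""
    return any(p["resource"] == resource and p["action"] == action
               and attributes_satisfy(attrs, p["require"]) for p in POLICIES)


# ---- Capability-based authorization: unforgeable, least-privilege tokens ----
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"   # the resource owner's secret (constructed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_capability(subject, resource, rights, ttl_seconds, now=None, key=ISSUER_KEY) -> str:
    """Resource owner issues a token granting only `rights` on `resource` until expiry."""
    now = time.time() if now is None else now
    body = {"sub": subject, "res": resource, "rights": sorted(set(rights)),
            "exp": int(now + ttl_seconds)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()   # makes the token unforgeable
    return _b64(payload) + "." + _b64(tag)


def use_capability(token, resource, right, now=None, key=ISSUER_KEY) -> Tuple[bool, str]:
    """Resource side: verify integrity, freshness and scope before serving the request."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return False, "token not issued by this owner or altered in transit"
    body = json.loads(payload)
    if now > body["exp"]:
        return False, "token expired"
    if body["res"] != resource or right not in body["rights"]:
        return False, "right not granted by this capability (least privilege)"
    return True, "ok"


if __name__ == "__main__":
    print(abac_authorize({"department": "cardiology", "clearance": 3}, "read", "patient_vitals"))
    tok = issue_capability("sensor-17", "thermostat", ["read"], ttl_seconds=60)
    print(use_capability(tok, "thermostat", "read"))
    print(use_capability(tok, "thermostat", "write"))
```

The symmetric HMAC keeps the example short, but it means every verifier must hold the owner's secret; the public-key certificate variant used by Hernández-Ramos et al. avoids that sharing at the cost of the key-publication requirement noted above.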
Yao et al. [122] presented a study on the privacy and security limitations present in existing symmetric and public key cryptosystems within the fog environment. The authors proposed an innovative approach called attribute credential-based public key cryptography (AC-PKC) that provides authentication, access control with privacy preservation, and flexible key management. In the proposed approach, they introduced registered but anonymous attribute credentials for fog nodes. It uses a combination of elliptic curve cryptography (ECC) and certificate-less public key cryptography (CL-PKC) to establish a robust public-key scheme. It effectively addresses security concerns such as authentication, encryption, and access control with privacy preservation. Furthermore, the performance of the proposed approach was evaluated based on various aspects including security, computation overhead, privacy preservation, communication overhead, and flexibility. Through performance analysis and comparison, it was demonstrated that the proposed approach offers a dynamic security mechanism suitable for fog computing.

c: TRUST-BASED AUTHORIZATION
Traditional authorization mechanisms, in which roles and credentials are used to authorize users, are not well suited to the unique challenges of distributed IoT applications. A trust-based authorization mechanism is therefore considered to be an advanced extension of traditional authorization mechanisms for IoT devices. Bernabe et al. [123] presented a network strategy, which the authors call TAC-IoT, to ensure reliable and effective communication between smart IoT devices. It is based on trust values such as reputation, quality of service, and security considerations, along with social factors. Furthermore, both constrained and unconstrained devices were used to implement and evaluate the proposed network.
In addition, Mahalle et al. [124] proposed an authorization model based on fuzzy trust values derived from experience, knowledge, and recommendations, which they named FTBAC. The trust values are assigned by the appropriate authority. Moreover, the authorization model presented in this study comprises three distinct layers: the device layer, the requesting layer, and the authorization layer. The device layer consists of the IoT devices involved in the communication process, illustrating their interconnectedness and functionality. The requesting layer collects the experience, knowledge, and recommendation values from which the fuzzy trust values are evaluated. The third layer, the authorization layer, makes access decisions based on the collected fuzzy trust values.
Another study, carried out by Daoud et al. [125], focuses on developing an efficient distributed access control model for Fog-IoT networks. It follows a secure resource allocation management framework that guarantees a high security level between different resources and operational parts by adding real-time constraints. The authors introduced a comprehensive scheduling process and an efficient resource allocation mechanism to guarantee improved performance and the lowest latency level.
In another study [126], the authors proposed a security framework for Fog-IoT systems comprising two key components: the Trust Management Component (TMC) and the Security Component (SC). The SC guarantees the authentication, authorization, integrity, and confidentiality of data, while the TMC assesses the performance of Fog-IoT nodes using a trust model based on network communication and Quality of Service (QoS) parameters. The access control policies within the SC incorporate trust values to certify that only trusted nodes can access fog resources. The model was tested using Raspberry Pi 3 Model B+ and subjected to various networks to evaluate its memory and time complexity.
One more research study, conducted by Zhang et al. [127], proposed a secure multi-cloud collaboration model based on trust values to address security concerns arising from untrusted service providers or malicious users in the Cloud-Fog environment. The researchers propose a role-based trust evaluation scheme to enhance user security in the context of Multi-Cloud Service Composition (MCSC). In addition, the study puts forth a secure collaboration and efficient user authentication scheme to safeguard service security. The proposed framework employs a single sign-on technique, ensuring that only authenticated users can access component services using a single set of credentials. The authors performed extensive testing and analysis to confirm the suitability of the proposed framework, particularly in terms of user and service security protection. Table 3 summarizes all the existing and possible solutions proposed to ensure authorization and prevent an attacker from accessing the network, along with the techniques that can overcome the problems. In addition, it presents the advantages and limitations of the proposed solutions.

C. END-USER PRIVACY PRESERVING
The fog computing-based IoT communication paradigm requires two-way communication. Firstly, the data is gathered from the physical environment and subsequently transmitted to the fog nodes. Then, the nodes can store the gathered data and can also transmit it to the cloud as required by the application. During this process, protecting end-user privacy is critical to prevent data leakage to malicious attackers. Three types of privacy issues exist in fog-based IoT applications [128]. The first is the privacy of IoT devices. The resource constraints of IoT devices reduce their capacity to encrypt and decrypt data, which leaves them vulnerable to malicious attacks. Thus, an attacker becomes able to steal the private information exchanged between two entities. Several types of mobile computing applications of the IoT provide location-based services. Location privacy is considered to be the second privacy issue because the location of a piece of equipment can reveal information about its owner; therefore, a malicious attacker may infer the location of IoT mobile devices [129], [130]. The last privacy issue is the protection of the user's data generated by IoT devices. Therefore, privacy leakage of users in IoT applications has attracted the attention of the research community in both academia and industry.

1) EXISTING SOLUTIONS FOR END-USER PRIVACY PRESERVING
The following sub-section describes the existing solutions regarding how IoT devices handle identity privacy, location privacy, and data privacy.

a: PRIVACY OF DEVICE IDENTITY
Guan et al. [131] designed a new scheme for fog-IoT systems that offers multi-authority for locally managing the devices. It uses the Paillier algorithm during data aggregation to preserve data privacy. The authors proposed integrating a local certification authority with specialized fogs at the network edge to handle pseudonym management, permitting real-time service for device registration and updates. Experimental results comparing the scheme to existing ones show the suitability of the proposed scheme for fog-enhanced IoT systems.
Zhang et al. [132] highlight the limitations of the conventional privacy-preserving data aggregation (PPDA) solutions previously used for protecting IoT devices and proposed a scheme to overcome the performance and privacy issues caused by the resource constraints of IoT devices. It integrates the Paillier homomorphic encryption method and an online/offline signature technique to guarantee integrity verification and privacy preservation during the data aggregation process. The comprehensive security analysis conducted by the authors shows that the proposed technique gives promising results.
According to Khan et al. [133], many privacy-preservation strategies have been proposed for fog-enabled aggregation, but there is no proper scheme in fog-enabled smart grids for fault tolerance that allows the system to produce accurate results even in the presence of faulty meters. Therefore, the proposed approach introduces a robust and distributed data aggregation technique in the fog-based environment. This technique ensures fault tolerance and offers essential security properties. Furthermore, the scheme utilizes the Boneh-Goh-Nissim (BGN) cryptosystem for metering data privacy, while the elliptic curve digital signature algorithm (ECDSA) is selected for source authentication due to its smaller key sizes and efficiency on resource-constrained devices. The scheme also addresses replay and false data injection attacks, ensuring the authenticity and confidentiality of user data.
Lu et al. [134] proposed a lightweight privacy preservation and data aggregation scheme for fog computing-based IoT applications. This scheme permits the aggregation of data from various types of IoT devices. To ensure data security, the proposed scheme employs three techniques: homomorphic Paillier encryption [135], the Chinese remainder theorem [136], and a one-way hash function. These techniques are specifically designed to address the limitations of IoT devices with limited bandwidth. Furthermore, false data injection attacks can also be resisted by enhancing the security of the proposed model. As a result, compared to the basic privacy preservation strategy based on Paillier encryption [137], this model is likely to be effective in respect of fault tolerance, communication overhead, and computation cost. However, it does not include the feature of traceability, which is one drawback of the proposed model.
Wang et al. [138] proposed a scheme to address the challenges of secure aggregation and identity privacy in fog computing. It involves four key entities: a system manager, a terminal device, a fog node, and a cloud server. The system manager helps the other entities generate public and private keys. The terminal device acts as the connection between users in the IoT. The fog node acts as a bridge between the terminal device and the cloud server, stores data for communication, and controls and manages all terminal devices. The terminal devices depend on the fog node rather than on a network gateway. The last entity, the cloud server, has large and strong computing power; therefore, it can process all data coming from the fog nodes as well as the terminal devices. However, the authors did not consider a complete adversary model, nor did they consider the issue of location privacy.

b: PRIVACY OF LOCATION
Huo et al. [140] proposed a location difference-based proximity detection model intended to achieve proximity detection while preserving the privacy of fog node locations. It utilizes the Paillier encryption algorithm [141], [142], [143], [144]. Additionally, it employs a decision tree approach for proximity detection, which proves to be highly effective and reliable in terms of communication and computation costs when compared to alternative proximity detection strategies [145]. However, it is worth noting that the authors did not consider the feature and impact of traceability in the proposed model.
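The schemes of Guan et al. [131], Zhang et al. [132], Lu et al. [134] and Wang et al. [138] above all rest on the same property, and Huo et al. [140] use it in a different direction: Paillier ciphertexts can be multiplied so that the result decrypts to the sum (or difference) of the plaintexts, so a fog node can aggregate readings, or compute a location difference, without ever seeing a single value. The following added example, written for this survey and not taken from any of those papers, implements textbook Paillier with toy-sized keys and shows both uses: multi-type aggregation with Chinese-remainder-theorem packing (the idea behind Lu et al.'s multi-type support, with constructed moduli), and a one-dimensional location-difference check (only the homomorphic subtraction step of a proximity protocol; the real protocols mask the difference and run a comparison so the decrypting party learns only the yes/no answer). The primes, moduli, readings and positions are all constructed.

```python
"""Toy Paillier homomorphic aggregation and encrypted location difference (constructed example)."""
import secrets
from math import gcd

# Toy-sized primes so the example runs instantly; real deployments use ~1024-bit primes.
P_TOY, Q_TOY = 104729, 1299709


def keygen(p=P_TOY, q=Q_TOY):
    """Paillier key pair with the common choice g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                          # L(g^lam mod n^2)^-1 equals lam^-1 when g = n + 1
    return (n, n + 1), (lam, mu, n)


def encrypt(pub, m):
    n, g = pub
    n2 = n * n
    while True:                                   # random r coprime to n
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """E(a) * E(b) = E(a + b): the fog node sums readings it cannot read."""
    return (c1 * c2) % (pub[0] ** 2)


def negate_encrypted(pub, c):
    """E(a)^-1 = E(-a), giving homomorphic subtraction."""
    return pow(c, -1, pub[0] ** 2)


def decode_signed(n, m):
    """Map a plaintext in [0, n) back to a signed integer."""
    return m - n if m > n // 2 else m


# --- Multi-type aggregation with CRT packing (constructed moduli; pairwise coprime, larger than any per-type sum) ---
TYPE_MODULI = {"temperature": 101, "humidity": 103, "power": 107}


def crt_coefficients(moduli):
    """a_i with a_i = 1 (mod q_i) and a_i = 0 (mod q_j) for j != i."""
    q_all = 1
    for q in moduli.values():
        q_all *= q
    return {name: (q_all // q) * pow(q_all // q, -1, q) for name, q in moduli.items()}


def device_encrypt(pub, coeffs, dev_type, reading):
    return encrypt(pub, coeffs[dev_type] * reading)    # a device of type i reports E(a_i * v)


def fog_aggregate(pub, ciphertexts):
    acc = encrypt(pub, 0)
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc                                         # E(sum_i a_i * S_i), still opaque to the fog node


def cloud_recover(priv, moduli, agg_cipher):
    total = decrypt(priv, agg_cipher)
    return {name: total % q for name, q in moduli.items()}   # S_i = D mod q_i


def aggregation_demo():
    pub, priv = keygen()
    coeffs = crt_coefficients(TYPE_MODULI)
    readings = [("temperature", 21), ("temperature", 23), ("humidity", 40),
                ("power", 5), ("power", 7)]                 # constructed device readings
    cts = [device_encrypt(pub, coeffs, t, v) for t, v in readings]
    return cloud_recover(priv, TYPE_MODULI, fog_aggregate(pub, cts))


# --- Location-difference check on ciphertexts (the homomorphic step only) ---
def proximity_demo(loc_a, loc_b, threshold):
    """Both parties submit encrypted 1-D positions; a helper computes E(loc_a - loc_b) blind."""
    pub, priv = keygen()
    diff_c = add_encrypted(pub, encrypt(pub, loc_a), negate_encrypted(pub, encrypt(pub, loc_b)))
    diff = decode_signed(pub[0], decrypt(priv, diff_c))   # only the key holder learns the difference
    return abs(diff) <= threshold, diff


if __name__ == "__main__":
    print(aggregation_demo())            # {'temperature': 44, 'humidity': 40, 'power': 12}
    print(proximity_demo(120, 115, 10))  # (True, 5)
```

Two checks matter when using this in practice: every per-type sum must stay below its modulus q_i, and the packed total must stay below n, otherwise the recovered sums wrap silently; and the aggregator must not be able to obtain decryptions, since an aggregator holding the private key could simply decrypt each device's ciphertext on its own.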
Yang et al. [146] proposed a scheme to address the privacy concerns associated with the sensitive location information of prover systems, particularly in location-based applications. The scheme tackles this problem by utilizing the bounded retrieval model. Moreover, the proposed scheme is designed for both one-dimensional and three-dimensional scenario models. Experimental results indicate that the one-dimensional scenario model offers superior effectiveness and protection of location privacy against verifiers compared to the three-dimensional scenario model.

c: PRIVACY OF DATA
Wang et al. [147] proposed using a fog server, which can be controlled by users, to store partial and incomplete information instead of a cloud server. In addition, the authors designed a dummy rotation algorithm that hides the real trajectory information among dummy trajectory information by incorporating the principles of similarity, intersection, practicability, and association. Dummy trajectory information provides a better way to mislead a malicious attacker. The performance of the proposed privacy preservation scheme is measured by the following four metrics: trajectory disclosure probability, average Euclidean distance, local data volume, and position disclosure probability. However, integrity is not considered among the performance evaluation metrics.
Koo and Hur [148] proposed a data privacy preservation protocol to delete duplicate data and manage the resources of the network effectively and efficiently in the fog computing communication paradigm. The protocol aims to achieve fine-grained access control by using a user-level key management mechanism that uses an update mechanism, pairing-based cryptography, and a Merkle (hash) tree [149]. It incorporates three entities: the end-user, the fog, and the cloud. Moreover, it also provides a capability for managing and controlling ownership. It is efficient in terms of communication overhead, computation cost, and storage as compared to traditional data deduplication protocols [150], and it provides secure and reliable user-level key management. At the same time, it has some drawbacks that are viewed as limitations of the proposed protocol. Specifically, the authors used a limited adversary model, and so the proposed protocol cannot resist differential attacks.
Mobile devices contain large amounts of private information related to the end-user, which cannot be sent directly for processing without being protected by a privacy preservation mechanism. Accordingly, the user's private and important information must be protected before any processing method is applied. To tackle this problem, some researchers have put their efforts into proposing promising optimal solutions [151], [152]. Du et al. [153] proposed a query model based on differential privacy for privacy protection. It considers structural information together with the edge weights of the data centers supported by the fog computing communication paradigm. Furthermore, it uses the Laplace mechanism to achieve the best results of the privacy-preserving model [154]. The proposed model can also resist various malicious attacks in their early stages, such as a fog node recognition attack, and achieves high data reliability, efficiency, and low energy consumption. In addition, the experimental results show that the model is effective. On the other hand, the authors consider a limited adversary model. Table 4 summarizes all the existing and possible solutions proposed for preserving the user's privacy and preventing the user's private information regarding identity, location, and data generated by applications from being learned by an attacker. It also gives all the techniques used to overcome the problem and presents the advantages and limitations of the proposed solutions.

D. INTRUSION DETECTION AND PREVENTION
In fog computing-based IoT applications, a malicious attacker can compromise the entities, including IoT devices and fog nodes. Therefore, the implementation of intrusion detection and prevention systems is necessary, both to detect malicious attackers and to protect the architecture of fog-based IoT applications. Furthermore, it is not enough to implement such a system in only one layer; it must be implemented across the entire architecture. Numerous systems have been proposed to detect and mitigate malicious attacks [155]. These proposed schemes are used in various applications to identify and mitigate the abnormal behavior exhibited by malicious attackers, including the smart grid application [156], [157], the cloud-based application [155], and the SCADA system [158]. However, implementing an intrusion detection and prevention system on each layer of fog-based IoT applications raises several challenges as regards controlling and managing real-time notifications, false alarms, and response time [159].

1) EXISTING SOLUTIONS FOR INTRUSION DETECTION AND PREVENTION
Several solutions have been proposed to detect and protect the architecture of fog-based IoT applications against malicious activities by attackers. The following subsection details the current solutions based on host-based, network-based, and distributed intrusion detection and prevention mechanisms.

a: HOST-BASED INTRUSION DETECTION AND PREVENTION
Vieira et al. [160] indicate that grid and cloud computing communication environments have a distributed nature, which in many cases makes it easy for a malicious attacker to find vulnerabilities to exploit. In addition, the behavior of an attacker is silent, because an attacker in the cloud and grid communication environment leaves no trace in a node's operating system. Therefore, it becomes imperative to deploy an intrusion detection and prevention system to efficiently identify the malicious behaviors of attackers and proactively prevent their intrusion. The system monitors the behavior of each node and sends a notification as an alert to other nodes in the network whenever an attack occurs. To operate efficiently, the system requires compatibility among nodes and different protocols, as well as maintenance and update mechanisms. To fulfill these requirements, the authors proposed a cloud middleware layer named the grid and cloud computing intrusion detection system. It consists of four components: node, service, audit system, and storage service. The node accesses the resources provided by the network through the middleware layer. The second component, the service, facilitates communication between nodes. The audit system is a crucial component within the proposed architecture, acting as a supervisor: it gathers information from various sources, including the log system, trace files, services, system events, system calls, file systems, and messages transmitted between nodes. The storage service stores the captured data for analysis. Based on the observations and the results of the analysis, the proposed system calculates the probability of an attack. If the calculated probability is high, a malicious attack is indicated, and the proposed system sends an alert message to all the other nodes in the network. However, the proposed scheme needs further steps to ensure its actions are accurate and effective.
Arshad et al. [161] presented an abstract model aimed at reducing the time interval between intrusion detection and prevention. According to the authors, intrusion detection requires an immediate response to stop the behavior of an attacker. Therefore, the time interval between intrusion detection and prevention must be minimal. Furthermore, the model uses two techniques to detect the behavior of an attacker, namely, signature-based detection and anomaly-based detection. In signature-based detection, the model analyzes the behavior of each node against a pre-defined database and identifies a malicious node as an attacker. In anomaly-based detection, the model maintains profiles describing normal behavior as well as an attacker's behavior. At present, the proposed model is described only conceptually; no experiments have been conducted to produce results that could be discussed and evaluated. In addition, achieving the delicate balance of minimizing intrusion response time while maintaining the overall security and privacy of the cloud infrastructure presents a considerable challenge.
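The two host-based detection techniques just described, signature matching against a rule database and anomaly detection against a profile of normal behavior, can be illustrated on the kind of audit records Vieira et al.'s audit system collects (log events, system calls). The following added example, written for this survey and not code from either paper, runs both techniques over constructed audit lines: the signature rules, the log format, the users, paths and addresses are all constructed, and the baseline log is assumed to be attack-free when the per-user profile is built from it.

```python
import re
from collections import Counter, defaultdict

# Constructed host audit lines, one event per line: "<epoch-seconds> <user> <event> <detail>".
# BASELINE_LOG is assumed clean and is used only to learn normal per-user event rates.
BASELINE_LOG = """
10 alice login_ok src=10.0.0.5
20 alice file_read path=/srv/data/report.csv
70 alice login_ok src=10.0.0.5
80 alice file_read path=/srv/data/report.csv
130 alice file_read path=/srv/data/notes.txt
190 alice login_ok src=10.0.0.5
250 alice file_read path=/srv/data/report.csv
260 bob login_ok src=10.0.0.9
"""

LIVE_LOG = """
600 alice login_fail src=203.0.113.7
601 alice login_fail src=203.0.113.7
602 alice login_fail src=203.0.113.7
603 alice login_fail src=203.0.113.7
604 alice login_fail src=203.0.113.7
605 alice login_fail src=203.0.113.7
610 alice login_ok src=10.0.0.5
620 bob exec /tmp/.cache/updater
630 bob setuid(0) result=EPERM
"""

# Signature database: (rule name, pattern over "<event> <detail>"). Constructed rules.
SIGNATURE_RULES = [
    ("exec-from-tmp", re.compile(r"^exec\s+/tmp/")),
    ("setuid-root-denied", re.compile(r"^setuid\(0\).*\bEPERM\b")),
]


def parse_audit(text):
    records = []
    for line in text.strip().splitlines():
        ts, user, event, detail = line.split(" ", 3)
        records.append({"ts": int(ts), "user": user, "event": event, "detail": detail})
    return records


def signature_detect(records):
    """Signature-based detection: every record is matched against the rule database."""
    hits = []
    for r in records:
        text = f"{r['event']} {r['detail']}"
        for name, pattern in SIGNATURE_RULES:
            if pattern.search(text):
                hits.append((r["ts"], r["user"], name))
    return hits


def build_profile(records, window=60):
    """Anomaly profile: mean events per window for each (user, event) seen in the clean baseline."""
    totals = Counter()
    windows = set()
    for r in records:
        windows.add(r["ts"] // window)
        totals[(r["user"], r["event"])] += 1
    n_windows = max(1, len(windows))
    return {key: count / n_windows for key, count in totals.items()}


def anomaly_detect(records, profile, window=60, factor=5.0, min_count=5):
    """Flag a (user, event) whose count in one window is far above its baseline rate.
    An event type never seen in the baseline has rate 0 and is flagged once min_count is reached."""
    counts = defaultdict(Counter)
    for r in records:
        counts[(r["user"], r["event"])][r["ts"] // window] += 1
    alerts = []
    for (user, event), per_window in counts.items():
        baseline = profile.get((user, event), 0.0)
        for w, n in per_window.items():
            if n >= min_count and n > factor * baseline:
                alerts.append((w * window, user, event, n, baseline))
    return alerts


if __name__ == "__main__":
    profile = build_profile(parse_audit(BASELINE_LOG))
    live = parse_audit(LIVE_LOG)
    print("signature hits:", signature_detect(live))
    print("anomalies:", anomaly_detect(live, profile))
```

The two detectors fail in different ways, which is why Arshad et al. use both: the signature rules miss anything not in the database (the login burst produces no signature hit), while the anomaly detector is blind to single rare events (the two `bob` records are below `min_count`) and inherits whatever misbehavior was present when the baseline was recorded.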

b: NETWORK-BASED INTRUSION DETECTION AND PREVENTION
Hamad and Al-Hoby [162] addressed the problem of intrusion detection and prevention for secure and reliable communication between nodes in the cloud computing communication environment. The researchers proposed a cloud intrusion detection service framework that can be implemented by cloud providers. This framework enables clients to subscribe to security-as-a-service, offering a range of capabilities. The proposed framework consists of three layers: the user layer, the system layer, and the database layer. The user layer provides an interface for cloud subscribers to define rules and requirements for protection. Moreover, it enables both clients and administrators to access different services, namely configuration details, subscription details, and security monitoring services. The second layer, the system layer, operates as a bridge between the user and the database, offering the application programming interface (API) needed to access the database. The database layer provides a fast-tracking system that traces all subscription settings and updates the setting details accordingly. The service-based detection and prevention system within the proposed framework introduces extra computation and communication overhead compared to traditional detection and prevention systems.
According to Houmansadr et al. [163], a smartphone is a fast communication device that provides powerful and advanced computing and connectivity functionalities. At the same time, it uses a software architecture similar to that of personal computers, and it is therefore also vulnerable to security threats such as viruses, worms, and Trojan horse programs [164]. Hence, the researchers proposed a cloud-based intrusion detection and response system for smartphones. This framework provides a user-friendly interface that is designed to be accessible and intuitive, catering to users with varying levels of technical expertise. The proposed solution requires only light resources on the device and can detect and prevent an attacker in real time. Furthermore, it analyzes the behavior of all the system calls of the smartphone and detects any abnormal system call. Whenever an abnormal system call is detected, it takes appropriate action to prevent it, while offering scalability, low cost, and resilience. The authors deployed the proposed framework on an Android-based HTC Droid Incredible smartphone. However, the attack graph generated by the proposed framework cannot automatically decide to take a preventive response action in the smartphone environment.

c: DISTRIBUTED-BASED INTRUSION DETECTION AND PREVENTION
The traditional intrusion detection and prevention system uses an architecture with two components: collection and analysis. This architecture is considered to be effective only for monitoring small collections of hosts. Dastjerdi et al. [165] presented a scalable, flexible, and cost-effective system based on mobile agents, regardless of their geographical location, to address the limitations observed in traditional systems. This customized system is specifically designed to enhance the security of users in cloud computing environments. Its goals are to attain scalability, low latency, cost reduction, and decreased network load. The system design is derived from two models: a peer-to-peer intrusion detection system utilizing mobile agents [166] and a distributed intrusion detection system employing mobile agents [167]. The proposed system consists of four key components: a controller, an agent, an agency, and a mobile agent. The agent's primary role is to detect malicious activities and generate alert messages that are then forwarded to the controller. The controller collects all relevant information in a log file. Subsequently, a mobile agent is dispatched by the controller to collect evidence for further analysis and auditing. The proposed system represents an improvement over existing solutions in terms of trust management. However, it is important to consider that an increase in the number of devices connected to the mobile agent may also elevate network load.
In a different research study focusing on intrusion detection in IoT systems, the researchers [168] proposed a distributed ensemble design that integrates fog computing. The architecture of the proposed system consists of three phases: preprocessing, anomaly detection, and traffic testing. In the first phase, data is processed and optimized features are selected. In the second phase, a random forest-based ensemble method using the XGBoost, Gaussian naïve Bayes, and K-NN algorithms is used for classification. The model is evaluated on the UNSW-NB15 and DS2OS datasets. Furthermore, the authors also highlight the shortcomings of the centralized computing-based IDS techniques previously used for securing resource-constrained devices.
The authors of [169] proposed a hybrid binary classification method (DNN-kNN) for intrusion detection using Deep Neural Networks (DNN) and the k-Nearest Neighbor (kNN) algorithm, which is capable of operating in the fog computing layer. In the detection process, the gain ratio attribute evaluation technique is used to select the best attributes for detecting attacks. However, the proposed DNN-kNN method is not capable of detecting routing attacks, although it has minimal processing and memory overhead at the fog node.
Ram [170] integrates trust computing into cloud computing to build a secure and reliable network for cloud-based applications. The proposed method deploys an individual sensor in each cloud-computing region, which is used to detect the malicious activity of an attacker. Whenever an attacker is detected, it drops all of the attacker's packets and generates an alert message to inform the sensors deployed in the other cloud-computing regions about the attacker and its malicious behavior. The proposed method consists of four modules: a detection module, an alert-clustering module, a threshold calculation module, and a response and blocking system. The detection module has three submodules: the block, communication, and mutual modules. The block submodule checks the integrity and correctness of the packets sent from the source node and drops all bad packets related to the attacker. The communication submodule sends an alert message to all other regions whenever the malicious activity of an attacker is detected. The third submodule, the mutual module, collects the alert messages. Each region has an alert-clustering module, which evaluates the accuracy of a received alert by calculating its severity and decides whether the alert is true or false. Thus, the proposed method provides the capability to detect and prevent malicious security attacks such as DoS attacks and distributed denial of service (DDoS) attacks. However, because each sensor sends an alert message to all other regions, n sensors exchange n (n − 1) alert messages between all regions. This results in a scalability issue as well as communication overhead that grows with any increase in the number of sensors.
Liu et al. [171] reported the existence of various challenges in traditional traffic control systems, such as heavy roadside sensors and the attraction of malicious vehicles. Traditional traffic control systems also face the problem of a single point of failure. Therefore, Liu et al. proposed two intelligent traffic light control systems using the fog computing communication paradigm, where traffic lights act as fog nodes. The first scheme is very simple and can be considered an extension of traditional work [172]. It is used to detect and mitigate a DoS attack. The hardness of the proposed scheme depends on the computation of a cryptographic puzzle, namely the Diffie-Hellman puzzle. It is likely to be secure and reliable, but it places storage and computation demands on the fog nodes, so when the number of nodes is large, storage and computation overhead occur. Considering this effect, the authors proposed an improved scheme to mitigate the above-stated issue. The improved scheme depends on a hash collision puzzle. According to the experimental results, the second proposed scheme reduces communication overhead, computation cost, and unnecessary storage utilization. Accordingly, it is considered a fog-friendly scheme. Table 5 summarizes all the existing and promising solutions for discovering the malicious activities of an attacker as well as protecting the services provided by the applications. It also lists the techniques used to overcome the problem as well as the advantages and limitations of the proposed solutions.
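To make the puzzle idea concrete, the following is an added illustration of a hash-based client puzzle at a fog node; it is not Liu et al.'s code and uses a simplified partial-preimage puzzle (leading zero bits) rather than their hash collision puzzle. The design point it demonstrates is the one the survey attributes to the fog-friendly scheme: the fog node derives each challenge with an HMAC under its own secret, so it stores nothing per client and verifies a solution with one HMAC and one hash, while the client pays roughly 2^difficulty hash evaluations. The difficulty of 16 bits, the 30-second validity window, and the secret and client identifier values are assumptions made for the demo.

```python
import hashlib
import hmac
import time

DIFFICULTY_BITS = 16   # assumed demo difficulty (~65k hashes per solution); raised under load in practice
MAX_AGE_SECONDS = 30   # assumed validity window for an issued challenge


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def derive_challenge(server_secret: bytes, client_id: bytes, ts: int) -> bytes:
    """Challenge bound to the client and a timestamp. Because it is an HMAC under the
    fog node's secret, the node can recompute it later and need not store it."""
    return hmac.new(server_secret, client_id + ts.to_bytes(8, "big"), hashlib.sha256).digest()


def issue_puzzle(server_secret: bytes, client_id: bytes, difficulty: int = DIFFICULTY_BITS, now=None):
    """Fog node side: hand the client (challenge, difficulty, ts); no per-client state is kept."""
    ts = int(time.time()) if now is None else now
    return derive_challenge(server_secret, client_id, ts), difficulty, ts


def solve_puzzle(challenge: bytes, difficulty: int) -> int:
    """Client side: search for x such that SHA-256(challenge || x) has `difficulty` leading
    zero bits. Expected cost is about 2**difficulty hash evaluations."""
    x = 0
    while True:
        digest = hashlib.sha256(challenge + x.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= difficulty:
            return x
        x += 1


def verify_solution(server_secret: bytes, client_id: bytes, ts: int, difficulty: int,
                    solution: int, now=None, max_age: int = MAX_AGE_SECONDS) -> bool:
    """Fog node side: one HMAC plus one SHA-256 regardless of difficulty. Stale or future
    timestamps are rejected so an old solution cannot be replayed indefinitely."""
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return False
    challenge = derive_challenge(server_secret, client_id, ts)
    digest = hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= difficulty


def demo(difficulty: int = DIFFICULTY_BITS):
    """Constructed round trip with fixed values so it is reproducible offline.
    Returns (accepted_when_fresh, accepted_when_stale)."""
    secret = b"fog-node-demo-secret"   # constructed; a real node would generate this randomly
    client = b"vehicle-0001"           # constructed client identifier
    challenge, diff, ts = issue_puzzle(secret, client, difficulty, now=1_700_000_000)
    x = solve_puzzle(challenge, diff)
    fresh = verify_solution(secret, client, ts, diff, x, now=ts + 1)
    stale = verify_solution(secret, client, ts, diff, x, now=ts + MAX_AGE_SECONDS + 1)
    return fresh, stale


if __name__ == "__main__":
    print(demo())
```

The asymmetry is the whole point: the fog node's verification cost is constant, so it can scale the difficulty up when request rates look like a flood and back down when they subside, and because the challenge is recomputable from the secret, the storage overhead the survey attributes to the first scheme does not appear.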

E. TRUST MANAGEMENT
In a fog computing-based IoT network, a fog node may have the ability to communicate and establish trust relationships with other fog nodes. However, a fog node cannot know how the other nodes will behave in a real-time IoT environment. Thus, the authentication and authorization (access control) mechanisms play an important role in mitigating the presence of malicious IoT devices and fog nodes. Furthermore, these mechanisms also facilitate the establishment of a secure relationship between the IoT devices and fog nodes in the network. However, it remains difficult to guarantee that all entities in the network are trusted and can resist attackers and their malicious behavior. Regardless, end-users require reliable and secure services and a robust trust model from IoT applications. Hence, establishing and maintaining a certain level of trust is essential for effective communication between entities. There is no single word or definition that explains trust. Generally, it is defined as a combination of attributes such as confidence, security, and reliability. An entity must have these attributes for other entities to communicate and transmit messages with it in the network [173], [174], [175], [176]. As a result, several researchers have dedicated their efforts to tackling the challenge of trust management within the communication environment of cloud computing [177], [178]. Nevertheless, in the fog computing communication environment, trust management must be considered to guarantee the reliability and security of communication between IoT devices and to enable seamless connectivity within the fog node network. Furthermore, a trust management protocol requires the following questions to be answered to make the protocol trustworthy in the network:
• What are the key attributes that define the trustworthiness of individual IoT devices and fog nodes within a fog-based IoT network?
• Which entity has the right or permission to validate as well as monitor the assigned attributes of the IoT device and fog node?

1) EXISTING SOLUTIONS FOR TRUST MANAGEMENT
The following sub-sections present the proposed robust trust models for evidence-based, monitor-based, and reputation-based trust management.

a: EVIDENCE-BASED TRUST MANAGEMENT
Li and Singhal [179] and Yu et al. [180] examine trust management using two models: an evidence-based model and a monitor-based model. The evidence-based model establishes the authenticity of relationships between entities by leveraging specific attributes, such as response-based evidence. These attributes may encompass elements like public keys, identity addresses, or other values that substantiate the trustworthiness of the entity. These attributes are produced by the entity itself or by other entities, and they can be accessed either online or offline. Several mechanisms exist to evaluate trustworthiness through different types of attributes, such as a trust chain [181], mutual friends [182], packet forwarding ratio [183], and recommended trust level [184], [185].

b: MONITOR-BASED TRUST MANAGEMENT
The authors of [186] have proposed the CONFIDANT protocol for ad hoc networks, which detects the behavior of individual nodes and protects the network against potential malicious activities from attacker nodes. It consists of four components, namely the monitor system, the reputation system, the trust manager, and the path manager. The monitor system sends a notification to the reputation system whenever it detects the malicious behavior of an attacker node in the network. The reputation system maintains a table containing the name of each node along with its rating. If the rating of a node exceeds a pre-defined threshold, the rating is updated to identify the node as a malicious attacker node. Furthermore, the reputation system maintains a list, named the blacklist, which contains the names of all malicious attacker nodes and which it sends to the trust manager periodically. The trust manager generates an alert message and sends it to the whole network within its transmission range. The last component, the path manager, assigns ratings to paths according to the ratings of the nodes on the path and deletes those paths that contain attacker nodes.
The authors did not discuss the mechanism for computing the reputation and feedback values, nor did the proposed scheme provide any mechanism to prevent a malicious attacker node from broadcasting false information about its neighbor nodes in the network.
Marti et al. [187] proposed two mechanisms, named the watchdog locator and the path rater. The watchdog locator is deployed on each node to mitigate the malicious activities of an attacker node; it maintains a buffer of the packets recently forwarded by the node. At the same time, it monitors the channel and compares overheard packets with the packets in the buffer to identify matches. If a monitored packet matches a packet stored in the buffer, the packet has been transmitted onward by the neighboring node within transmission range. Conversely, if a packet remains in the buffer for an extended period, the watchdog locator increments a failure count by one. If the failure count reaches a pre-defined threshold, the watchdog locator assumes the node to be an attacker node. The second proposed mechanism is the path rater. It is used to select a reliable route between nodes so that communication is secure. It accomplishes this by computing the path metrics and selecting the path with the highest path metric value. Subsequently, it removes the nodes that have low path metric ratings and identifies them as attacker nodes. In addition, the proposed mechanisms are likely to be unable to detect malicious nodes in the case of packet collisions as well as collusion between malicious nodes.
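The watchdog and path rater mechanism described above, written here as an added simulation that is not Marti et al.'s code: the watchdog keeps a buffer of packets it has handed to a next hop, clears an entry when it overhears the next hop re-transmitting that packet, and counts an entry that ages out of the buffer as a failure against that hop; the path rater averages node ratings along each candidate path and steers around any node the watchdog has flagged. The failure threshold of 3, the buffer lifetime of 2 ticks, the neutral starting rating of 0.5, and the misbehavior penalty of −100 are assumed values chosen for the demo, and the scenario (honest node B, silently dropping node M) is constructed.

```python
from collections import defaultdict

FAILURE_THRESHOLD = 3        # assumed; the scheme treats this as a tunable parameter
BUFFER_TTL = 2               # assumed: ticks a buffered packet may wait before it counts as a failure
MISBEHAVIOR_RATING = -100.0  # assumed penalty rating for a node the watchdog has flagged


class Watchdog:
    """Runs on a node that forwards packets and overhears its next hop in promiscuous mode."""

    def __init__(self, threshold=FAILURE_THRESHOLD, ttl=BUFFER_TTL):
        self.buffer = {}                  # packet_id -> (next_hop, tick_forwarded)
        self.failures = defaultdict(int)  # next_hop -> packets it failed to forward
        self.suspected = set()
        self.threshold = threshold
        self.ttl = ttl

    def forwarded(self, packet_id, next_hop, tick):
        """We handed packet_id to next_hop; remember it until next_hop is heard re-sending it."""
        self.buffer[packet_id] = (next_hop, tick)

    def overheard(self, packet_id, sender):
        """A packet matching a buffered one was re-sent by sender: the next hop did its job."""
        entry = self.buffer.get(packet_id)
        if entry is not None and entry[0] == sender:
            del self.buffer[packet_id]

    def expire(self, now):
        """Packets that waited longer than ttl are counted against their next hop."""
        for pid, (hop, sent) in list(self.buffer.items()):
            if now - sent > self.ttl:
                del self.buffer[pid]
                self.failures[hop] += 1
                if self.failures[hop] >= self.threshold:
                    self.suspected.add(hop)
        return set(self.suspected)


class PathRater:
    """Rates routes from per-node ratings plus the watchdog's suspicions."""

    def __init__(self, self_id, watchdog):
        self.self_id = self_id
        self.watchdog = watchdog
        self.ratings = defaultdict(lambda: 0.5)  # assumed neutral rating for newly seen nodes
        self.ratings[self_id] = 1.0              # a node trusts itself fully

    def reward_active(self, path, step=0.01, cap=0.8):
        """Nodes on a path that is actually carrying traffic are slowly rated up (assumed step/cap)."""
        for n in path:
            if n != self.self_id and n not in self.watchdog.suspected:
                self.ratings[n] = min(cap, self.ratings[n] + step)

    def path_metric(self, path):
        """Average rating along the path; one suspected node pulls the metric far below zero."""
        total = 0.0
        for n in path:
            total += MISBEHAVIOR_RATING if n in self.watchdog.suspected else self.ratings[n]
        return total / len(path)

    def choose(self, paths):
        """Select the route with the highest metric."""
        return max(paths, key=self.path_metric)


def simulate():
    """Constructed scenario: B forwards everything, M silently drops everything.
    Returns (suspected_nodes, chosen_path)."""
    wd = Watchdog()
    pr = PathRater("A", wd)
    for tick in range(6):
        wd.forwarded(f"pkt-B-{tick}", "B", tick)
        wd.forwarded(f"pkt-M-{tick}", "M", tick)
        wd.overheard(f"pkt-B-{tick}", "B")  # B re-transmits within the same tick
        wd.expire(tick)                     # nothing from M is ever overheard
    chosen = pr.choose([["A", "B", "D"], ["A", "M", "D"]])
    return set(wd.suspected), chosen


if __name__ == "__main__":
    print(simulate())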
Wei et al. [188] proposed a scheme to enhance security in an ad hoc network. It uses uncertain reasoning to calculate the trust value. The concept of uncertain reasoning comes from the field of artificial intelligence, where it is used for problem-solving and offers flexibility across various fields, including expert systems, data fusion systems, and multi-agent systems [189], [190], [191], [192]. The proposed scheme provides the ability to detect malicious node behavior and to mitigate issues like unreliable wireless connections and buffer overflow, both of which contribute to dropped and tampered packets in the system. It improves performance in terms of throughput and the packet forwarding ratio, but it increases end-to-end delay along with communication overhead.

c: REPUTATION-BASED TRUST MANAGEMENT
In reputation-based trust management, the trust level is computed from reputation, which is the perception that an agent or peer forms about a node based on its past actions [193]. It is an important metric for evaluating the trustworthiness of a node. In addition, reputation-based trust management does not require central coordination, a central database, or a global view of the network. Hence, several researchers have put effort into applying reputation-based trust management mechanisms in various applications, such as mobile ad hoc networks, mobile crowdsensing applications, vehicular ad hoc networks, and many other delay-tolerant kinds of networks [194], [195], [196], [197]. Furthermore, Adams et al. [198] proposed three types of reputation-based trust management schemes, namely positive, negative, and hybrid reputation. Positive reputation-based trust management focuses on the feedback and observations about nodes that exhibit positive behavior in the network. Negative reputation-based trust management focuses on the recorded complaints, feedback, and observations about nodes that exhibit negative behavior in the network. In hybrid reputation, nodes are initially considered trustworthy and feedback is used to lower a node's reputation. In addition, Yunfang [199], Ruohomaa and Kutvonen [200], and Ruohomaa et al. [201] have identified problems in the trust scheme of Adams et al. and propose a hybrid solution as a robust trust model to ensure security and reliability in the network. Table 6 summarizes a comprehensive overview of the current and promising solutions that aim to ensure the reliability and security of services offered by IoT applications to end-users. It outlines the techniques or components employed to address specific challenges and presents the advantages and disadvantages of each proposed solution.
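As an added example serving both the CONFIDANT description above (rating table, threshold, blacklist, alarm to neighbors, path filtering) and the positive/negative/hybrid distinction of this sub-section, the following reputation system is written for illustration and is not code from any of the cited papers. It keeps one score per node, blacklists a node whose score falls below a threshold, and lets the caller choose whether only good behavior, only bad behavior, or both move the score. It also closes the gap noted for CONFIDANT by discounting second-hand reports and ignoring reports from nodes that are already blacklisted, so a flagged node cannot smear honest neighbors. The threshold of −3, the half weight for second-hand reports, and all node names are assumptions for the demo.

```python
from collections import defaultdict

POSITIVE, NEGATIVE, HYBRID = "positive", "negative", "hybrid"


class ReputationSystem:
    """Per-node trust score built from first-hand observations and discounted second-hand reports."""

    def __init__(self, mode=HYBRID, blacklist_threshold=-3.0, initial=0.0, secondhand_weight=0.5):
        if mode not in (POSITIVE, NEGATIVE, HYBRID):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.threshold = blacklist_threshold      # assumed demo threshold
        self.secondhand_weight = secondhand_weight  # assumed discount for reports we did not observe
        self.scores = defaultdict(lambda: initial)
        self.blacklist = set()

    def _apply(self, node, good, weight):
        # positive mode only rewards, negative mode only penalizes, hybrid does both
        if good and self.mode in (POSITIVE, HYBRID):
            self.scores[node] += weight
        elif not good and self.mode in (NEGATIVE, HYBRID):
            self.scores[node] -= weight
        if self.scores[node] < self.threshold:
            self.blacklist.add(node)
        return self.scores[node]

    def observe(self, node, good):
        """First-hand observation from the local monitor, applied at full weight."""
        return self._apply(node, good, 1.0)

    def report(self, node, good, reporter):
        """Second-hand report (an ALARM from a neighbor). Discounted, and ignored entirely when the
        reporter is already blacklisted or is reporting about itself."""
        if reporter in self.blacklist or reporter == node:
            return self.scores[node]
        return self._apply(node, good, self.secondhand_weight)

    def is_trusted(self, node, min_score=0.0):
        return node not in self.blacklist and self.scores[node] >= min_score


def trust_manager_alarm(rs, node):
    """The alarm a trust manager would broadcast to in-range neighbors once a node is blacklisted."""
    if node not in rs.blacklist:
        return None
    return {"type": "ALARM", "node": node, "score": rs.scores[node]}


def filter_paths(rs, paths):
    """Path manager step: drop every route that passes through a blacklisted node."""
    return [p for p in paths if not any(n in rs.blacklist for n in p)]


def demo():
    """Constructed scenario: M drops packets four times, B behaves, M then tries to accuse B."""
    rs = ReputationSystem()
    for _ in range(4):
        rs.observe("M", False)
    for _ in range(3):
        rs.observe("B", True)
    rs.report("B", False, reporter="M")  # ignored: M is blacklisted
    return rs


if __name__ == "__main__":
    system = demo()
    print(sorted(system.blacklist), dict(system.scores))
    print(trust_manager_alarm(system, "M"))
    print(filter_paths(system, [["A", "M", "D"], ["A", "B", "D"]]))
```

Choosing the mode matters for the failure modes the survey lists: in positive mode a node with no history is simply untrusted rather than blacklisted, so a newcomer cannot be excluded by a single false complaint, while hybrid mode reacts fastest to a node that starts well and then misbehaves.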

IV. RESEARCH CHALLENGES AND FUTURE RESEARCH DIRECTIONS
This section highlights the various research directions. Furthermore, this section aims to assist the academia and research community in further investigation of these issues.

A. IDENTIFICATION AND PROTECTION OF SENSITIVE DATA
In IoT applications, smart sensors and objects are used to collect data from the physical environment, such as health status, traffic information, pollution levels, and information regarding personal activities. Some of this data may be sensitive, for example, information regarding personal activities and health status, while other data may not be considered sensitive, for example, traffic information and pollution levels. Nonetheless, distinguishing sensitive data within a vast amount of data is considered a challenging task, because sensitivity is determined by the end-users according to their priorities and choices. In addition, several IoT applications produce data that have different security levels for different users. Therefore, the identification of sensitive data is considered the initial step in protecting data in fog-based IoT networks. Although several works have been proposed to encrypt the data [202], [203], [204], these mechanisms cause unnecessary communication and computation overhead. Hence, researchers must consider an identification process that identifies the sensitive data before the protection mechanism is applied.

B. SECURE DATA SHARING
In a fog-based IoT network, IoT devices collect data from the physical environment, whereas the fog computing paradigm offers temporary storage for the collected data. However, data must be encrypted before being forwarded to fog nodes to prevent sensitive data leakage. There are several encryption mechanisms to attain fine-grained data sharing in the cloud computing paradigm [205], [206], [207], [208], but efficiency is still considered a bottleneck for implementing these encryption mechanisms in fog-based IoT networks. Therefore, the fog-based IoT communication environment requires an efficient fine-grained data-sharing approach that manages decryption key distribution in a better way as well as minimizing resource utilization.

C. BRING YOUR OWN DEVICE (BYOD) BASED AUTHORIZATION
Due to advancements in technology, each person has multiple devices to connect to the Internet, such as a PC, laptop, smartphone, tablet, and wearable devices. However, it is considered a challenging task to manage and control the multiple Internet-connected devices owned by one user. In addition, the fog computing paradigm has the feature of decentralized communication. Therefore, it does not focus on the devices; it only focuses on the user who accesses them. Hence, it is considered necessary to propose a new mechanism to control and manage all devices owned by one user, as well as a key management mechanism for fog nodes. There are some key management and device management mechanisms that provide authorization to multiple devices belonging to one owner. These mechanisms use identity- or password-based authentication to verify the authenticity of the user. Along with this, they provide a session key by using bring-your-own-device management to reduce the overhead of mobile device management for secure and reliable communication with other devices [209], [210], [211], but they do not consider the mobility of devices. Hence, authorization mechanisms need further investigation so that multiple devices, including a union of older devices, can access real-time services in a consistent and compatible manner.

D. SYBIL ATTACK
It is an attack in which an attacker node may act as though it has multiple identities. It was introduced by Douceur in 2002 [212]. The fog computing paradigm is considered susceptible to a Sybil attack, which poses a significant security concern, since attackers can fabricate fake identities. In the presence of a Sybil attack in the fog-based IoT network, the intended user may receive false data from a fake node and the IoT application may generate false results. Furthermore, attackers behave similarly to the intended and legitimate users, so it is considered extremely difficult to detect the misbehavior of an attacker in the network. Several works have been proposed to detect the Sybil attacker in the network by comparing the behavior of the intended user and the attacker, using social community, social graph, and friend relationship information [213], [214], [215], [216]. However, the fog computing paradigm has a decentralized nature, so these proposed schemes become unable to detect the behavior of a Sybil attack effectively and efficiently. The fog-based IoT network therefore requires an effective and efficient Sybil attacker defense scheme that preserves the privacy of the real-time services provided by the IoT applications.

E. BIG DATA ANALYSIS
IoT applications generate data in vast amounts. The analysis of this data is performed using different data mining and machine learning algorithms, and these algorithms pose a challenge to individuals' privacy in the big data era. It is extraordinarily difficult to preserve an individual's privacy during big data analysis. Several solutions have been proposed, based on homomorphic encryption [217], [218] and differential privacy [154], to preserve the user's privacy during big data analysis. However, the homomorphic encryption-based schemes [219], [220], [221] increase communication and computation overhead, while the differential privacy-based schemes [222], [223], [224], [225], [226] are constructed on centralized data storage. Since the fog computing paradigm is decentralized, the fog computing-based IoT network demands an approach that performs big data analysis while preserving the privacy of end-users.

V. CONCLUSION
In the last few decades, academia and the research community have turned their attention to the emerging idea of IoT. It can connect various smart devices, technologies, and applications, enhancing the overall quality of life. However, it encounters several research challenges, including high latency, limited storage and processing capabilities, and network failure. Thus, the paradigm of fog computing has emerged to bring resources nearer to IoT devices. However, the fog-based IoT network is confronted with traditional real-time security challenges for end-users. In this paper, a comprehensive survey is presented, aiming to ensure secure and reliable services for IoT applications. Firstly, the layered architecture of the fog-based IoT network is presented along with an explanation of how IoT applications operate under the paradigm of fog computing. Then, we have reviewed the literature on real-time security challenges, such as authentication, authorization, end-user privacy preservation, intrusion detection and prevention, and trust management. In addition, the existing possible solutions to these real-time security challenges are also discussed. Lastly, several research challenges and future directions are outlined concerning security and privacy issues within the communication environment of fog-based IoT.
MUHAMMAD BURHAN received the B.S. degree in information technology from the University of the Punjab, Pakistan, in 2016, and the M.S. degree in computer science from the National University of Computer and Emerging Sciences, Pakistan, in 2019, under the supervision of Dr. Rana Asif Rehman. He is currently a Lecturer with the Department of Information Technology, University of the Punjab. His research interests include the design and development of efficient routing and forwarding protocols, wireless networks, named-data networks-based vehicular ad hoc networks, and software-defined networks.
HINA ALAM received the master's degree in computer science from the National University of Computer and Emerging Sciences (FAST-NUCES), Lahore, Pakistan, in 2019. She is currently a Lecturer with the Informatics and Systems Department, University of Management and Science, Lahore. Her research interests include edge computing, the Internet of Things, cloud computing, and machine learning.
AHMAD ARSALAN received the M.S. degree in computer science from the National University of Computer and Emerging Sciences, Islamabad, Pakistan, in 2018. He is currently pursuing the Ph.D. degree in computer science with COMSATS University, Lahore Campus, Pakistan. He is a full-time Senior Lecturer with the University of Central Punjab, Lahore Campus, Pakistan. His research interests include the design and development of future internet architectures, cross-layer design for wireless networks, and efficient forwarding and routing protocols for named data networking-based software-defined networks. He is also serving as a reviewer for IEEE ACCESS, the Journal of Future Generation Computer Systems (Elsevier), and the International Journal of Communication Systems (Wiley).