Systematic Review

Intrusion Detection in Fog Computing: A Systematic Review of Security Advances and Challenges

by Nyashadzashe Tamuka 1,*, Topside Ehleketani Mathonsi 1, Thomas Otieno Olwal 2, Solly Maswikaneng 1, Tonderai Muchenje 1 and Tshimangadzo Mavin Tshilongamulenzhe 1
1 Department of Information Technology, Tshwane University of Technology, Soshanguve, Pretoria 0152, South Africa
2 Department of Electrical Engineering, Tshwane University of Technology, Soshanguve, Pretoria 0152, South Africa
* Author to whom correspondence should be addressed.
Computers 2026, 15(3), 169; https://doi.org/10.3390/computers15030169
Submission received: 3 February 2026 / Revised: 24 February 2026 / Accepted: 2 March 2026 / Published: 5 March 2026

Abstract

Fog computing extends cloud services to the network edge to support low-latency IoT applications. However, since fog environments are distributed and resource-constrained, intrusion detection systems must be adapted to defend against cyberattacks while keeping computation and communication overhead minimal. This systematic review presents research on intrusion detection systems (IDSs) for fog computing and synthesizes advances and research gaps. The study was guided by the “Preferred Reporting Items for Systematic Reviews and Meta-Analyses” (PRISMA) framework. Scopus and Web of Science were searched in the title field using TITLE/TI = (“intrusion detection” AND “fog computing”) for 2021–2025. The inclusion criteria were (i) 2021–2025 publications, (ii) journal or conference papers, (iii) English language, and (iv) open access availability; duplicates were removed programmatically using a DOI-first key with a title, year, and author alternative. The search identified 8560 records, of which 4905 were unique and included for qualitative grouping and bibliometric synthesis. Metadata (year, venue, authors, affiliations, keywords, and citations) were extracted and analyzed in Python to compute trends and collaboration. Intrusion detection systems in fog networks were categorized into traditional/signature-based, machine learning, deep learning, and hybrid/ensemble. Hybrid and DL approaches reported accuracy ranging from 95 to 99% on benchmark datasets (such as NSL-KDD, UNSW-NB15, CIC-IDS2017, KDD99, BoT-IoT). Notable bottlenecks included computational load relative to real-time latency on resource-constrained nodes, elevated false-positive rates for anomaly detection under concept drift, limited generalization to unseen attacks, privacy risks from centralizing data, and limited real-world validation. Bibliometric analyses highlighted the field’s concentration in fast-turnaround, open-access journals such as IEEE Access and Sensors, as well as a small number of highly collaborative author clusters, alongside dominant terms such as “learning,” “federated,” “ensemble,” “lightweight,” and “explainability.” Emerging directions include federated and distributed training to preserve privacy, as well as online/continual learning adaptation. Future work should consist of real-world evaluation of fog networks, ultra-lightweight yet adaptive hybrid IDS, self-learning, and secure cooperative frameworks. These insights help researchers select appropriate IDS models for fog networks.

1. Introduction

The rapid adoption of the Internet of Things (IoT) and edge computing has shifted data processing from centralized clouds to distributed fog nodes. Fog computing extends cloud services to the network edge, enabling low-latency processing for IoT applications [1]. However, this distributed, resource-constrained paradigm poses new security challenges. Intrusion Detection Systems (IDSs), whether network- or host-based, must be tailored to protect fog networks from cyberattacks without imposing excessive overhead [2]. Traditional IDS techniques, such as signature-based detection, can reliably detect known threats but struggle with novel attacks and may be too heavyweight for fog devices with limited CPU and memory [3]. Conversely, anomaly-based IDSs can identify emerging threats by modeling normal behavior, but they often suffer from high false-positive rates and require robust models to operate in real time [4].
There has been a surge of research on lightweight IDS for fog and edge computing from 2020 to 2025, leveraging advances in machine learning and deep learning to improve detection accuracy [5]. Researchers are exploring how to distribute IDS functionality across fog nodes, reduce data dimensionality for faster processing, and maintain detection performance under constraints on latency and privacy [5]. For example, some studies use federated learning or distributed training to learn intrusion models collaboratively at the edge without centralizing sensitive data [6]. Others design hybrid systems in which simple anomaly detectors run on fog nodes for real-time screening, while more complex classifiers in the cloud perform deeper analysis [7]. There is also interest in optimizing IDS models through feature selection and metaheuristic algorithms to eliminate redundancies in network traffic data [8].

1.1. Research Questions

The research questions addressed by this study are:
i. What advances characterize intrusion detection for fog computing?
ii. What are the challenges of intrusion detection systems in fog computing?

1.2. Contribution

Unlike related surveys that considered IDS across IoT networks, this review focused specifically on fog networks and evaluated methods against the constraints that govern those environments, including latency budgets, device memory, energy, and data locality. Methodologically, it used a PRISMA-guided, title-restricted search from 2021 to 2025 in Web of Science and Scopus, and deduplication for reproducibility, and includes a bibliometric map of author collaboration and journals. This review presents evidence across datasets and evaluation metrics to show where high reported accuracy did not translate into real-time intrusion detection. It also sets a research agenda around drift-aware evaluation, privacy-preserving and federated training, explainable models for intrusion detection, and model evaluation in real-world fog networks. Unlike other related reviews, this review provides transparent methods and deployment-oriented recommendations for fog computing. The remainder of this article is structured as follows. Section 2 is the background on fog computing and IDS fundamentals, clarifying the context for the reviewed works. Section 3 is the research methods. Section 4 is the literature review, categorizing studies into traditional IDS approaches, machine-learning-based techniques, deep learning models, and hybrid frameworks applied in fog networks. It offers a comparative analysis with a consolidated table that contrasts the methods, datasets, performance, and limitations of these works. Section 5 consists of the findings from the analysis. Section 6 discusses the identified gaps and how they motivate the design of a lightweight hybrid IDS. Section 7 presents the limitations. Section 8 concludes the review, outlining future research directions for advancing IDS in fog and edge computing.

2. Background

2.1. Fog Computing and Security Challenges

Fog computing refers to a decentralized computing infrastructure that brings cloud-like services (computation and networking) closer to end devices (sensors, actuators, mobile devices) to reduce latency and bandwidth usage [1]. In fog networks, multiple layers of nodes, such as micro data centers and routers, collaboratively handle data in transit to the cloud [9]. Fog nodes are often deployed in unsecured or remote locations, making them vulnerable to physical tampering and cyber intrusions. Attackers can target fog layers with threats such as man-in-the-middle (MITM) attacks, distributed denial-of-service (DDoS), rogue edge devices, data injection, and other network attacks [9]. Moreover, resource constraints on fog devices imply that classical, heavy-duty security solutions such as full-scale deep packet inspection or computationally intensive cryptography may be impractical in fog networks [10].
Security in fog computing must address both classic network threats and new threats. Many IoT protocols and fog applications use lightweight communication, which may introduce vulnerabilities of their own. Fog nodes often act on data from hundreds or thousands of devices, so a compromise of a fog node can have a widespread impact. Ensuring confidentiality and integrity in this environment requires encryption and authentication to prevent unauthorized access, as well as intrusion detection to detect breaches that evade preventative measures. The low-latency requirement of many fog use cases, for example, autonomous systems, demands that security mechanisms introduce minimal delay. This is where efficient IDS becomes critical; they must detect and ideally mitigate attacks in real time to be effective in fog settings.

2.2. Intrusion Detection Systems: Signature vs. Anomaly Detection

Intrusion Detection Systems are typically categorized into misuse (signature-based) IDSs and anomaly-based IDSs [11]. Signature-based IDS, such as Snort and traditional rule-based systems, use predefined patterns of known attacks (signatures) to identify malicious activities [12]. They are effective at detecting previously seen attacks with well-defined signatures, yielding low false positive rates for those threats [13]. However, they cannot detect novel attacks or variants whose signatures are not in the database, making them less useful against zero-day exploits [14]. Maintaining an up-to-date signature database in a distributed fog environment is also challenging, and deep packet inspection can be computationally expensive for fog devices.
Anomaly-based IDS, on the other hand, establishes a model of normal behavior (for instance, baseline of network traffic features or system call patterns) and flags deviations as potential intrusions [11]. These systems can detect previously unknown attacks by looking for out-of-the-ordinary events. The trade-off is that they often produce more false alarms (flagging benign anomalies as attacks) and require expensive training and threshold setting. Traditional anomaly IDS used statistical methods or simple machine learning on aggregated metrics [15]. Modern anomaly detectors increasingly employ advanced Machine Learning/Deep Learning techniques (such as clustering, one-class classifiers, autoencoders, neural networks) to learn complex patterns of normal vs. malicious behaviour [15]. In fog computing, anomaly detection is attractive because devices can locally monitor traffic or device logs and alert when anomalies occur. Nevertheless, ensuring the model’s accuracy and minimizing false positives are crucial; otherwise, the system may overload administrators with alerts or consume excessive resources during analysis.

2.3. Machine Learning and Hybrid IDS Approaches

Recent IDS research in fog environments has leaned toward hybrid approaches that integrate elements of signature and anomaly detection, powered by machine learning [16]. A hybrid IDS might use misuse detection for known attack signatures and an ML-based anomaly module for unknown threats. There is also a trend of combining multiple algorithms (ensembles) or multiple analysis layers (fog and cloud) to improve detection ability [17]. For instance, some architectures deploy a lightweight anomaly detector on each fog node to filter malicious traffic and send suspicious data to a cloud-based module for deeper analysis using a heavier deep learning model [18]. This two-tier design leverages the fog for quick preliminary screening and the cloud for more compute-intensive processing [19].
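The two-tier screening described above can be sketched as follows. This is an added example, not code from the review or from any cited study; the feature names, the two misuse rules, the z-score threshold and the warm-up length are all constructed assumptions.

```python
import math


class RunningStats:
    """Welford's online mean and variance: O(1) memory per feature."""

    def __init__(self):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        std = math.sqrt(self.m2 / (self.n - 1))
        if std == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / std


# Constructed misuse rules over per-flow features (assumed names and thresholds).
SIGNATURES = {
    "telnet-bruteforce": lambda f: f["dst_port"] == 23 and f["failed_logins"] >= 5,
    "syn-flood": lambda f: f["syn_ratio"] >= 0.95 and f["pkts_per_s"] >= 1000,
}


class FogScreen:
    """Tier 1 on the fog node: signatures first, then a z-score anomaly check."""

    def __init__(self, features=("pkts_per_s", "bytes_per_pkt"), z_threshold=3.0, warmup=20):
        self.stats = {name: RunningStats() for name in features}
        self.z_threshold = z_threshold
        self.warmup = warmup

    def _learn(self, flow):
        for name, stat in self.stats.items():
            stat.update(flow[name])

    def screen(self, flow):
        """Return (verdict, reason); verdict is 'alert', 'escalate' or 'pass'."""
        for name, rule in SIGNATURES.items():
            if rule(flow):
                return ("alert", name)      # known attack: handled on the node
        seen = min(stat.n for stat in self.stats.values())
        if seen < self.warmup:
            self._learn(flow)               # warm-up traffic is trusted (assumption)
            return ("pass", "warmup")
        scores = {name: abs(stat.zscore(flow[name])) for name, stat in self.stats.items()}
        worst = max(scores, key=scores.get)
        if scores[worst] > self.z_threshold:
            return ("escalate", worst)      # unknown deviation: forward to the cloud tier
        self._learn(flow)                   # only flows judged normal update the baseline
        return ("pass", "")


def benign_flow(i):
    """Constructed benign HTTPS flow with small deterministic jitter."""
    return {"dst_port": 443, "failed_logins": 0, "syn_ratio": 0.1,
            "pkts_per_s": 50 + i % 5, "bytes_per_pkt": 500 + 10 * (i % 7)}


def trained_screen(n_benign=40):
    """Fog-node screen whose baseline was built from constructed benign flows."""
    screen = FogScreen()
    for i in range(n_benign):
        screen.screen(benign_flow(i))
    return screen


if __name__ == "__main__":
    node = trained_screen()
    known = dict(benign_flow(0), dst_port=23, failed_logins=8)
    unknown = dict(benign_flow(0), pkts_per_s=400)
    for label, flow in (("known", known), ("unknown", unknown), ("benign", benign_flow(3))):
        print(label, node.screen(flow))
```

Escalated flows are deliberately kept out of the baseline, so traffic that the node could not classify does not shift what it later treats as normal.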
Machine learning (ML) enables automated pattern recognition in network traffic. Supervised learning algorithms, such as Support Vector Machines, Random Forests, Logistic Regression, and Neural Networks, can be trained on labeled attack data to classify traffic as normal or belonging to specific attack categories. Unsupervised methods, such as clustering and outlier detection, can identify anomalies without labels, which is useful for detecting new attacks. In fog environments, ML models must often be lightweight due to device constraints. Researchers thus explore techniques such as feature selection to reduce input dimensionality or the use of simpler classifiers at the edge. Some works specifically propose “lightweight IDS” based on algorithms such as single-layer perceptrons or small decision trees running on fog nodes [20]. Metaheuristic optimization methods, for instance genetic algorithms and particle swarm optimization, have been used to select the most important features or to optimize model parameters [21]. Another relevant concept is federated learning and distributed training for IDS [22]. Instead of aggregating all data at a central server, federated learning allows fog devices to train local models on their own data and then share only model updates (gradients or parameters) with a central aggregator [23]. The aggregator produces a global model, which is sent back to the devices. This approach, applied in some of the reviewed studies, enhances data privacy (raw data remains on fog nodes) and can reduce bandwidth usage for IDS in heterogeneous fog networks.

3. Methods

The review applied a systematic literature review (SLR) and bibliometric analysis to map recent work on intrusion detection in fog computing, with attention to both advances and challenges. Bibliometric analysis provides a reproducible, statistics-driven account of a field by aggregating evidence from large publication sets [24]. The review was designed around two guiding questions: (i) What advances characterize intrusion detection for fog environments, and (ii) What are the limitations and challenges for the related studies? The study followed the “Preferred Reporting Items for Systematic Reviews and Meta-Analyses” (PRISMA) 2020 statement with four stages: Identification, Screening, Eligibility, and Inclusion [24]. The PRISMA framework shown in Figure 1 provided a structured approach to identify and evaluate all relevant studies for a set of predefined questions, using inclusion and exclusion criteria to determine which to include and which to exclude [25].

3.1. Identification

Databases and query scope: Two multidisciplinary citation indexes, Scopus and the Web of Science, were used. These were selected because they index computer-science and engineering publication venues and provide metadata exports (BibTeX/CSV) suitable for analysis. Search field and strings: To ensure topical precision, searches were restricted to the title field, ensuring that retrieved records explicitly mention intrusion detection in fog computing. However, relevant studies discussing intrusion detection and fog computing were only included if they appeared in the abstract or author keywords. The identified articles should be interpreted as a high-precision representation of the literature rather than an exhaustive capture of all possible fog-IDS studies. The search strings were:
Web of Science (Title): TI = (“intrusion detection” AND “fog computing”)
Scopus (Title): TITLE (“intrusion detection”) AND TITLE (“fog computing”)
The combined searches returned 8560 records: Web of Science = 322 and Scopus = 8238. BibTeX exports (Scopus.bib and WoS.bib) were retained for processing. Table 1 shows the search and screening. Figure 1 presents the PRISMA framework covering the Identification, Screening, Eligibility, and Inclusion stages.

3.2. Screening

Records were restricted to the 2021–2025 publication range to capture contemporary methods aligned with current fog deployments. Retained: 7538 articles (WoS = 232; Scopus = 7306). Excluded (outside 2021–2025): 1022 (WoS = 90; Scopus = 932). No other criteria were applied at this stage.

3.3. Eligibility

Peer-reviewed document types. To ensure scientific quality and comparability, only journal articles and conference papers were retained. After document-type filter: 5883 records (WoS = 232; Scopus = 5651). Excluded (not journal/conference): 1655 (all from Scopus). Language. Non-English publications were then removed. After language filter (English only): 5826 records (WoS = 232; Scopus = 5594). Excluded (non-English): 57 (all from Scopus).

3.4. Inclusion

Access: An open-access check was conducted to ensure that full texts were available for consultation. This filter did not further reduce the set: Open access retained: 5826 (WoS = 232; Scopus = 5594). Excluded (not open access): 0.

3.5. Merging and Deduplication

Web of Science and Scopus exports were merged programmatically. Duplicates were removed with a DOI-first key (normalized DOI); where the DOI was missing, a composite fallback key was used, built from the normalized title, the year, and the first author’s family name. This produced a final corpus of 4905 unique records, implying 921 duplicates were removed.

3.6. Data Extraction and Bibliometric Measures

The analysis was carried out in Python (version 3.11) using pandas, matplotlib, networkx, unidecode, and wordcloud libraries. For each record, the Python script extracted year, title, authors, source venue, affiliation text (country), keywords (title terms), and citation counts. Because citation fields differ across databases, counts were harmonized by taking, per record, the maximum across available fields, and parsing the Web of Science Times Cited and Scopus free-text notes of the form “Cited by: N”. These metrics were derived: (i) publication trends (documents per year) and citations per year; (ii) most-cited documents; (iii) venue- and author-level h-index, g-index, m-index, total citations (TC), and number of publications (NP); (iv) keyword frequencies and a word cloud; and (v) collaboration structures via co-authorship networks and country collaborations.
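The deduplication rule of Section 3.5 and the citation harmonization described above can be reproduced along these lines. This is an added example, not the authors' script: it uses only the standard library instead of pandas and unidecode, assumes lower-cased BibTeX field names (`doi`, `title`, `year`, `author`, `times-cited`, `note`), and runs on constructed records with placeholder DOIs.

```python
import re
import unicodedata

CITED_BY = re.compile(r"cited by:\s*(\d+)", re.IGNORECASE)


def normalize_doi(doi):
    """Lower-case a DOI and strip resolver prefixes so both exports compare equal."""
    doi = (doi or "").strip().lower()
    doi = re.sub(r"^(https?://(dx\.)?doi\.org/|doi:\s*)", "", doi)
    return doi.rstrip(".")


def fold(text):
    """ASCII-fold, lower-case and keep only alphanumeric tokens."""
    ascii_text = unicodedata.normalize("NFKD", text or "").encode("ascii", "ignore").decode()
    return " ".join(re.findall(r"[a-z0-9]+", ascii_text.lower()))


def first_author_family(authors):
    """Family name of the first author in a BibTeX 'Family, Given and ...' field."""
    first = re.split(r"\s+and\s+", authors or "", maxsplit=1)[0]
    family = first.split(",")[0] if "," in first else (first.split() or [""])[-1]
    return fold(family)


def dedup_key(rec):
    """DOI-first key; title + year + first-author family name when the DOI is missing.

    Limitation of the rule as stated: a paper carrying a DOI in one export and
    none in the other gets two different keys and survives as two records.
    """
    doi = normalize_doi(rec.get("doi"))
    if doi:
        return ("doi", doi)
    return ("tya", fold(rec.get("title")), str(rec.get("year", "")).strip(),
            first_author_family(rec.get("author")))


def harmonized_citations(rec):
    """Maximum over the citation fields present in one record."""
    counts = [int(rec[f]) for f in ("times-cited",) if str(rec.get(f, "")).strip().isdigit()]
    match = CITED_BY.search(rec.get("note") or "")
    if match:
        counts.append(int(match.group(1)))
    return max(counts, default=0)


def merge_and_dedup(*exports):
    """Merge exports in order; return (unique_records, duplicates_removed)."""
    unique, removed = {}, 0
    for export in exports:
        for rec in export:
            key, cites = dedup_key(rec), harmonized_citations(rec)
            if key in unique:
                removed += 1
                # Assumption: a duplicate keeps the higher of the two counts.
                unique[key]["citations"] = max(unique[key]["citations"], cites)
            else:
                unique[key] = dict(rec, citations=cites)
    return list(unique.values()), removed


def h_index(citations):
    """Largest h such that h records have at least h citations each."""
    ranked = sorted(citations, reverse=True)
    return sum(1 for rank, count in enumerate(ranked, start=1) if count >= rank)


# Constructed sample records; DOIs are placeholders, not real identifiers.
WOS = [
    {"doi": "10.0000/EXAMPLE.001", "title": "A Lightweight IDS for Fog Nodes",
     "year": "2022", "author": "Okafor, B. and Silva, R.", "times-cited": "12"},
    {"title": "Federated Intrusion Detection at the Edge", "year": "2023",
     "author": "Nuñez, T.", "times-cited": "3"},
]
SCOPUS = [
    {"doi": "https://doi.org/10.0000/example.001", "title": "A lightweight IDS for fog nodes.",
     "year": 2022, "author": "Okafor, Ben and Silva, Rui", "note": "Cited by: 15; All Open Access"},
    {"title": "Federated intrusion detection at the edge", "year": 2023,
     "author": "Nunez, Teresa and Okoro, J.", "note": "Cited by: 2"},
    {"doi": "10.0000/example.002", "title": "Drift-Aware Anomaly Detection",
     "year": 2024, "author": "Silva, R.", "note": "Cited by: 1"},
]

if __name__ == "__main__":
    records, removed = merge_and_dedup(WOS, SCOPUS)
    print(len(records), "unique,", removed, "duplicates removed")
    print("h-index:", h_index([r["citations"] for r in records]))
```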

3.7. Selection of Studies for Detailed Review

The final corpus of 4905 unique records was used for bibliometric analysis. However, the in-depth technical review in Section 4 and the comparative synthesis in Table 2 were not intended as a statistical review of all 4905 papers. Instead, a subset of studies was selected for detailed comparison using the following criteria: (i) explicit relevance to intrusion detection in fog or edge computing, (ii) sufficient methodological detail to identify the detection approach and deployment architecture, (iii) reporting of at least one evaluable outcome, such as accuracy, precision, recall, F1-score, false-positive rate, latency, or computational indicators, and (iv) suitability for representing one of the four analytical categories used in this review (traditional/signature-based, machine learning, deep learning, and hybrid/ensemble). Where multiple studies presented closely related variants, the review prioritized papers that provided clearer methodological descriptions, more complete reporting of evaluation results, or relevance to fog deployment constraints such as latency and privacy.

4. Literature Review of IDS Techniques in Fog Computing

This section reviewed related studies on intrusion detection in fog computing. Related works were categorized based on their approach: (1) traditional or signature-based IDS adapted to fog networks, (2) machine learning-based IDS, (3) deep learning-based IDS, and (4) hybrid or ensemble approaches. Each sub-section highlights individual studies, summarizing their aims, methods, datasets, results, and limitations. All studies surveyed were published between 2021 and 2025 in reputable journals or conferences. Table 2 presents a comparative overview of related studies.

4.1. Traditional and Signature-Based Approaches

Relatively few recent works rely purely on traditional signature-based IDS in fog, since various studies have shifted toward intelligent methods. However, some hybrid proposals include signature components or simpler detection logic for resource-constrained nodes. Study [26] proposed a two-tier IDS for smart home security that combines misuse detection with machine learning. In their system, a rule-based engine first checks for known malicious behavior patterns (user behavior profiles), and then several ML algorithms (Random Forest, XGBoost, Decision Tree, k-Nearest Neighbors) further analyze traffic to detect anomalies. They evaluated this hybrid approach using the CSE-CIC-IDS2018 and NSL-KDD datasets, demonstrating improved detection of both known and unknown attacks in a smart-home fog-node scenario. The inclusion of signature-based checks helped reduce false alarms for known benign behavior. The limitation, however, is that maintaining an up-to-date rule base for misuse detection requires continuous expert input, and the approach was tested only on simulated datasets rather than real-world fog deployment.
Another relevant work is by [27], who developed a network IDS using a classical Random Forest classifier with a manually selected feature set. They focused on minimizing features and computational load to suit a fog implementation. Using the NSL-KDD and KDD’99 datasets, their model achieved reasonable accuracy in classifying attacks from normal traffic. They reported that feature selection based on analysing attack characteristics yielded a smaller model with minimal performance loss. However, the authors acknowledged a limitation: their training data was a synthetically generated network traffic dataset, which might not reflect real-world traffic complexity. This raises concerns about the model’s generalization and the potential for missed variances present in fog networks. Purely signature-based fog IDS approaches in recent literature are rare. Most often, signatures are used in conjunction with learning-based detectors. The above works illustrate that traditional techniques can help reduce false positives or focus detection, but, by themselves, they are insufficient for the dynamic and diverse fog computing context. The emphasis has thus shifted to machine learning and hybrid methods.

4.2. Machine Learning-Based Intrusion Detection

Machine learning approaches have been widely adopted to enhance IDS in fog networks, as they can learn patterns from data. Several studies since 2020 have designed supervised ML models for intrusion detection tailored to fog environments.
One prominent example is the work of [28], which developed an anomaly-based IDS called Auto-IF (Autoencoder Isolation Forest) for fog networks. The autoencoder was trained on benign traffic to learn a compressed representation, and the reconstruction error was used in conjunction with an Isolation Forest to classify incoming packets as normal or malicious. This approach enabled real-time binary classification on fog nodes, with each device independently flagging intrusions in incoming packets without prior knowledge of attack signatures. The authors validated Auto-IF on the NSL-KDD benchmark dataset, achieving high accuracy in distinguishing between attacks and regular traffic. Auto-IF’s strength was that it did not require labeled attack data for training, making it adaptable to new or evolving threats. However, the model was only configured to output a binary decision (intrusion or normal), lacking the capability to classify different attack types. Moreover, its effectiveness in a real-world fog environment wasn’t tested; the NSL-KDD dataset, while common in evaluations, is dated and may not capture modern IoT/fog traffic patterns.
Another study [29] proposed an ensemble learning IDS within a fog-cloud architecture. Their framework consisted of multiple machine learning classifiers to detect cyberattacks in Internet of Medical Things (IoMT) networks, leveraging fog nodes and cloud servers. They employed an ensemble of classifiers to improve detection. The fog layer handled initial data filtering and lightweight analysis, while more computationally intensive detection was performed in the cloud on aggregated data to balance load. Evaluated on the NSL-KDD and a real healthcare traffic dataset, their ensemble achieved over 90% detection accuracy for multiple attack categories and demonstrated scalability in fog-cloud deployment. The ensemble approach benefited from diversity: different algorithms detected distinct attack patterns, leading to a higher overall true-positive rate. The authors noted that, while effective, their approach increased processing time slightly due to ensemble overhead, which could be an issue for time-critical applications. Additionally, reliance on the cloud for final analysis can increase latency if network connections are slow or large volumes of data are offloaded.
Feature selection and optimization have also been applied to improve ML-based fog IDS. The study by [30] introduced an optimized machine learning IDS for fog networks, ESOML-IDS (“Effective Seeker Optimization with ML-based IDS”). They aimed to tackle the “dimensionality curse” in network data by selecting an optimal subset of features that yields high detection accuracy with lower computational cost. They developed a novel Effective Seeker Optimization (ESO) algorithm (a type of metaheuristic search) to pick the best features from raw data. They combined this with a machine learning classifier augmented by a Denoising Autoencoder for fine-tuned intrusion detection. The ESOML-IDS was tested on the UNSW-NB15 dataset and showed improved performance compared to several baseline classifiers. Specifically, after feature selection, their model achieved higher accuracy, precision, recall, and F1-score, ranging from 0.82 to 0.83, whereas traditional classifiers such as SVM and Decision Tree scored much lower (F1 ranging from 0.53 to 0.67). This represented a significant improvement, attributed to removing noisy features and to using the autoencoder to better initialize the detection model. However, the limitation is that the ESO feature selection process itself can be computationally intensive. This raises the question of whether optimization can be done offline or must be repeated for new deployments, since some fog nodes might not handle the heavy computation required by the feature selector.
Concerned about data privacy in fog networks, ref. [31] proposed a fog-edge-enabled IDS based on a Support Vector Machine within a federated learning framework for smart grids. In their approach, each edge device trained an SVM on local intrusion data, and only the model parameters (not raw data) were shared with a fog aggregator, which updated a global model. This collaborative training process preserved privacy by ensuring sensitive user data never leaves the local device and by distributing the computational load. Their experiments on NSL-KDD and CICIDS2017 datasets showed that the federated SVM model slightly outperformed a centrally trained model, achieving about 4–6% higher accuracy and significant improvements in recall and F1-score for certain attack classes. For instance, on NSL-KDD, the FL approach improved accuracy by 4.17% and F1-score by 13.19% compared to a non-FL approach. In CICIDS2017, a more modern and extensive dataset, they also observed gains of around 6–7% in the metrics. These improvements suggest that federated training on distributed fog data can yield a more generalized model by exposing it to diverse scenarios across nodes to detect various attacks. The drawback was that SVM, as a classical ML method, might not capture extremely complex nonlinear attack patterns as well as deep learning could. Yet, deep models are harder to run in FL on resource-limited nodes. Future improvements might explore federated deep learning or knowledge distillation to further boost accuracy without sacrificing privacy or efficiency.
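The parameter-sharing loop described here and in Section 2.3 can be shown as an added example, which is not code from [31]. A nearest-centroid classifier stands in for the SVM because its parameters average exactly under sample-count weighting and the block then needs no libraries; the two features (normalized packet rate, failed-authentication ratio) and all flows are constructed.

```python
def local_update(flows):
    """Train on one node: per-class centroid and sample count. Raw flows stay local."""
    sums = {}
    for features, label in flows:
        total, count = sums.get(label, ([0.0] * len(features), 0))
        sums[label] = ([t + x for t, x in zip(total, features)], count + 1)
    return {label: {"centroid": [t / n for t in total], "n": n}
            for label, (total, n) in sums.items()}


def aggregate(updates):
    """Aggregator: sample-count-weighted average of the nodes' class centroids."""
    merged = {}
    for update in updates:
        for label, part in update.items():
            total, n = merged.get(label, ([0.0] * len(part["centroid"]), 0))
            total = [t + c * part["n"] for t, c in zip(total, part["centroid"])]
            merged[label] = (total, n + part["n"])
    return {label: {"centroid": [t / n for t in total], "n": n}
            for label, (total, n) in merged.items()}


def classify(model, features):
    """Label of the closest class centroid (squared Euclidean distance)."""
    def dist2(label):
        return sum((x - c) ** 2 for x, c in zip(features, model[label]["centroid"]))
    return min(model, key=dist2)


def accuracy(model, flows):
    """Fraction of labelled flows the model classifies correctly."""
    return sum(classify(model, f) == label for f, label in flows) / len(flows)


# Constructed local datasets. Node A has only seen high-rate attacks,
# node B only attacks with a high failed-authentication ratio.
BENIGN = [((0.10, 0.10), "benign"), ((0.15, 0.05), "benign"),
          ((0.05, 0.15), "benign"), ((0.10, 0.10), "benign")]
NODE_A = BENIGN + [((0.90, 0.10), "attack"), ((0.85, 0.15), "attack"),
                   ((0.95, 0.05), "attack"), ((0.90, 0.10), "attack")]
NODE_B = BENIGN + [((0.10, 0.90), "attack"), ((0.15, 0.85), "attack"),
                   ((0.05, 0.95), "attack"), ((0.10, 0.90), "attack")]

# Constructed held-out flows covering both attack kinds.
HELD_OUT = [((0.12, 0.08), "benign"), ((0.08, 0.12), "benign"),
            ((0.88, 0.12), "attack"), ((0.92, 0.08), "attack"),
            ((0.12, 0.88), "attack"), ((0.08, 0.92), "attack")]


def run_round():
    """One federated round: local training, aggregation, broadcast of the global model."""
    update_a, update_b = local_update(NODE_A), local_update(NODE_B)
    global_model = aggregate([update_a, update_b])  # only parameters and counts are sent
    return update_a, global_model


if __name__ == "__main__":
    local_a, global_model = run_round()
    print("node A alone:", accuracy(local_a, HELD_OUT))
    print("federated   :", accuracy(global_model, HELD_OUT))
```

Node A's own model misses the attack kind it never observed, while the aggregated model classifies it correctly without either node having transmitted a flow record.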
Machine learning-based IDS in fog computing has demonstrated high accuracy and the flexibility to detect various attack types. Techniques such as ensemble learning, unsupervised learning, feature selection and optimization, and federated training address some of the unique fog requirements. Nonetheless, common challenges include ML models assuming the availability of high-quality training data and failing to perform well against attack types not represented in their training sets, unless combined with anomaly detection. Furthermore, even with feature reduction, some models might be too heavy for tiny edge/fog devices if not tuned. These considerations have led some researchers to delve into deep learning approaches.

4.3. Deep Learning-Based Approaches

Deep learning (DL) techniques have been increasingly applied in IDS due to their capacity to learn complex patterns and high-dimensional feature interactions. In fog computing, DL-based IDS is explored to improve detection accuracy, especially for novel attacks.
Study [32] adopted deep learning frameworks for fog IDS, focusing on IoT traffic anomaly detection. They proposed a vector-convolutional deep learning approach for a fog environment. Their model used a convolutional neural network (CNN) adapted to handle traffic feature vectors, extracting local feature patterns from network flow data. This CNN-based model was deployed at the fog layer to analyze incoming IoT traffic in real time. They reported improvements in detection accuracy by using vectorized convolutional operations to capture temporal-spatial correlations in network data that simpler ML methods might miss. The approach was evaluated on IoT datasets and achieved high detection rates, reportedly above 90% for anomaly detection. Their findings demonstrated that deep feature learning using CNNs can significantly improve anomaly detection performance on fog nodes, as CNNs can automatically extract relevant features from raw network traffic. A limitation is that CNNs typically require substantial training data to generalize well. If the model is trained on one network’s traffic, it might need retraining or transfer learning to adapt to another environment’s traffic profile.
Recurrent neural network (RNN) variants have also been employed for IDS in fog computing to capture patterns in attack traffic. A study by [33] proposed a bidirectional LSTM (Bi-LSTM)-based IDS to better detect infrequent attack types. Their motivation was that certain attacks, like U2R (User-to-Root) and R2L (Remote-to-Local), which are typically rare and stealthy, are often missed by simpler models. Imrana et al.’s Bi-LSTM model was trained and tested on the NSL-KDD dataset, achieving notably improved recall for the U2R and R2L attack classes compared to baseline methods. The overall accuracy was high (above 95%). Specifically, the detection rates for difficult attack categories increased, demonstrating the model’s strength in detecting subtle patterns that unidirectional or non-recurrent models could not. The study has some limitations; for example, training Bi-LSTM networks is resource-intensive and may not be feasible on fog devices. The evaluation again used NSL-KDD, meaning the model’s performance on modern IoT traffic or in an online environment wasn’t proven.
A related study by [34] proposed the Deep-IFS model, a deep learning framework designed for intrusion detection in Industrial IoT traffic within fog computing environments. The architecture integrated Local GRU networks at individual fog nodes to capture localized traffic patterns and a Multi-Head Attention mechanism at the aggregation stage to extract global patterns, while residual connections mitigated information loss across layers. Several worker fog nodes trained models on data partitions, and a master fog node periodically synchronized their parameters, resembling federated learning but with synchronous updates. Using the Bot-IoT dataset, the authors demonstrated that Deep-IFS scaled effectively to large IIoT traffic volumes and outperformed centralized training across accuracy, precision, F1, and recall. The model’s strength lies in its ability to leverage distributed fog resources to achieve faster, more accurate detection. This came with challenges such as communication overhead and relatively high computational demands of GRU and Attention models. The deployment of Deep-IFS is best suited to fog infrastructures equipped with sufficiently powerful processing capabilities.
Ref. [35] proposed an intrusion detection framework that integrated deep learning with explainable AI (XAI) techniques. Their system consisted of two phases: a deep neural network for detecting intrusions and an XAI module to interpret the model’s outputs. To enhance interpretability, they employed RuleFit, LIME, and SHAP, enabling administrators to understand which features contributed to specific alerts. The framework was evaluated on the NSL-KDD and UNSW-NB15 datasets, achieving detection performance on par with other deep learning-based IDS solutions while providing valuable explanatory insights. This is relevant because one of the criticisms of deep learning models in security is their “black box” nature, and adding XAI improves trust and usability in fog or IoT networks. A limitation, however, is the computational overhead introduced by methods like LIME and SHAP, which may not be feasible for real-time use at the fog layer.
Ref. [36] proposed a fog-assisted Cu-DNNGRU model for intrusion detection. The CUDA-optimized GRU-based deep neural network was trained on the N-BaIoT dataset and achieved 99.39% accuracy with high precision and recall. Compared with others, such as LSTM and BiLSTM, the GRU-based model consistently delivered superior results, highlighting the benefits of both the selected architecture and GPU optimization. The approach demonstrated the advantages of leveraging GPU-accelerated fog nodes, showing that parallel processing can significantly enhance performance for large-scale IoT intrusion detection. While the results are promising, they may also reflect the relatively clean separability of the N-BaIoT dataset, exposing potential overfitting despite the authors’ use of cross-validation. A practical limitation is that many fog nodes may lack GPU support, restricting the deployment of such models to environments equipped with edge accelerators.
Deep learning approaches have consistently achieved very high detection accuracy, often above 95%, while demonstrating strong performance in multi-attack classification. These models incorporate advanced strategies such as distributed training and explainable AI to enhance both effectiveness and trust. However, their challenges include high computational demands and the reliance on large, labeled datasets for training. Most evaluations are conducted on benchmark datasets, meaning that performance in real-world fog environments may decline when facing concept drift or unseen attack types. To address these trade-offs, researchers are increasingly exploring hybrid designs that balance accuracy and adaptability by distributing tasks between fog nodes.

4.4. Hybrid and Ensemble Approaches

Hybrid IDS approaches in fog computing integrate multiple techniques, for instance, combining machine learning and deep learning, or anomaly detection with signature detection to overcome the limitations of any single method. The goal is to improve detection coverage, that is, to intercept more attack types without compromising latency.
To address resource constraints, ref. [37] developed a hybrid intrusion detection framework operating at the fog computing layer. A hybrid DNN-kNN model was applied to distinguish attacks from normal traffic. Tested on the NSL-KDD and CICIDS2017 datasets, their method achieved over 99% accuracy while maintaining low computational overhead. This indicated improvements over traditional machine learning and recent intrusion detection approaches. The study’s limitation is computational complexity.
Ref. [38] proposed an Enhanced Hybrid Intrusion Detection System (EHIDS) designed for IoT–fog networks. They integrated evolutionary optimization with neural networks by using a Genetic Algorithm (GA) to initialize and tune a Backpropagation Neural Network (BPNN), and they deployed the resulting model in the fog layer as a network-based IDS. The framework consists of stages such as feature selection and normalization, GA-based optimization of BPNN parameters, and classification, which allowed the system to achieve faster convergence and higher detection accuracy compared to. The findings showed improved accuracy and reduced execution time, with reported training-time reductions of 37.07% and 16.35% across datasets such as ToN_IoT. The EHIDS’ strength was its efficiency and scalability. The optimized BPNN could be retrained more frequently to adapt to new threats without a high computational cost. However, GA introduced overhead during initial optimization, and BPNNs may lack the representational depth of modern deep learning models.
Ref. [39] proposed a hybrid intrusion detection framework that integrated lightweight edge processing with a deep learning ensemble in the cloud. At the fog layer, stacked autoencoders were used for real-time anomaly detection and feature extraction, reducing the dimensionality of raw traffic data before transmission. The filtered representations were then analyzed in the cloud using a transformer–CNN–LSTM ensemble that combined convolutional and recurrent mechanisms for high-accuracy attack classification. Evaluated on NSL-KDD, UNSW-NB15, and AWID datasets, the framework achieved detection rates above 99%, demonstrating its ability to secure IoT environments. The design balanced latency and bandwidth constraints by offloading computationally intensive tasks to the cloud while retaining essential information at the edge. However, limitations include the complexity of maintaining a multi-component ensemble and the reliance on stable connectivity. If the autoencoders fail to preserve critical features or cloud access is interrupted, detection accuracy would decline.
A deep learning-based Network Intrusion Detection System (NIDS) was deployed on fog nodes by [40] to identify malicious activity. Using the UNSW-NB15 and NSL-KDD datasets for evaluation, the proposed model achieved 91.20% accuracy on UNSW-NB15 and 95.40% accuracy on NSL-KDD, demonstrating strong detection capability. An Ensemble Intrusion Detection Model that integrated deep learning with efficient feature selection using Random Forests was proposed by [41]. The model combined a conventional CNN and an IDS-specific AlexNet into an ensemble framework, Ensemble CNN-IDS. Findings on the UNSW-NB15 dataset, which includes nine attack classes (Fuzzers, Backdoors, Worms, Analysis, Shellcodes, Exploits, DoS, Reconnaissance, and Generic), highlighted that the proposed model achieved superior performance. It achieved 97.5% accuracy, outperforming both traditional classifiers and related IDS approaches.
Ref. [42] proposed a lightweight intrusion detection framework based on ConvNeXt-Sf. They applied max–min normalization and label encoding (LE-MMN) to transform network traffic into a suitable format. The ConvNeXt architecture was adapted by reducing its two-dimensional structure to a one-dimensional sequence and incorporating ShuffleNet V2 design principles to create a lightweight model, ConvNeXt-Sf. Evaluations on the BoT-IoT and the TON-IoT datasets show that ConvNeXt-Sf required only 1.25% of the parameters of ConvNeXt, while reducing training time by 82.63% and prediction time by 56.48% without sacrificing detection accuracy. Compared to traditional models, the proposed system achieved a 6.18% improvement in accuracy and a 4.49% reduction in false alarm rate, outperforming both standard and other lightweight approaches. A limitation, however, is that the method relies on supervised learning, which requires significant labeled data for effective deployment.
Ref. [43] proposed MECNN, a fog-deployed intrusion detection system that evolved a convolutional neural network (CNN) using a modified multi-objective evolutionary algorithm based on decomposition (MOEA/D). MECNN used an encoding scheme that mapped CNN topologies to MOEA/D chromosomes and jointly optimized two competing goals, model complexity and detection performance, to yield IDS models with different accuracy–efficiency trade-offs. This enabled operators to select and deploy the most suitable MECNN variant per fog node, achieving fast, accurate detection under local constraints. Using the AWID and CIC-IDS2017 datasets, the findings revealed improved robustness and accuracy, with results reported at 99.96%.
Ref. [44] proposed a self-learning IDS based on Deep Reinforcement Learning (DRL) deployed in a fog network. A DRL agent performed binary detection of normal and malicious traffic locally, while an ensemble classifier in the cloud layer handled multi-class attack identification. The system was evaluated on the CIC-IDS2018 dataset, where it demonstrated superior performance compared to other methods, achieving 99.99% accuracy for Botnet detection and an F-measure of 0.9959 in binary classification, while reducing prediction latency to 0.52 s. These results confirmed that combining DRL with ensemble learning provides an effective balance of adaptability and accuracy for intrusion detection in fog networks.
Ref. [45] presented a lightweight IDS for IIoT that ran on fog devices and used an online learner ensemble to detect threats in real time while adapting to changing traffic. To build trust, the system integrated SHAP explanations, making clear which factors, such as packet size and device activity patterns, were used to generate the alert. The IDS was evaluated on the ToN_IoT and BoT-IoT benchmarks and deployed on a Raspberry Pi 5 testbed, achieving 96.4% accuracy with a 2.1% false-positive rate and an average inference time of 35 ms, demonstrating low-latency and resource-aware operation. These findings indicated that combining adaptive online learning with XAI yields an interpretable detection suited to fog networks. The study’s limitation is that the validation focused on two benchmark datasets and a single edge platform. Broader trials across diverse attacks could have been considered.
Hybrid approaches clearly dominate the recent landscape of fog computing IDSs. They strive to address the shortcomings identified in purely traditional or machine learning methods alone. The consensus is that no single method is sufficient to meet the diverse requirements of fog networks (accuracy, speed, low false positives, low resource use, and privacy). By combining methods, researchers have achieved systems with high accuracy and often improved coverage.

4.5. Comparative Analysis of Reviewed IDS Approaches

To provide a consolidated view of the literature, Table 2 summarizes the aspects of each reviewed study. The aim, techniques used, dataset(s) evaluated, performance results, and noted limitations or gaps are presented.
As described in Section 3.7, Table 2 is a representative technical comparison drawn from the larger bibliometric corpus, rather than an exhaustive line-by-line summary of all 4905 records.

5. Results

5.1. Word Cloud

Figure 2 shows a word cloud that highlights the dominance of data-driven methods in intrusion detection. The word size indicates the relative frequency of terms; colors were used only for visual distinction and do not represent categories. The largest terms, which are “learning,” “security,” “internet,” “things,” “deep,” and “machine,” indicate a strong emphasis on machine and deep learning techniques applied to IoT contexts. Prominent supporting terms such as “data,” “survey,” and “computing” reflect both empirical, dataset-oriented studies and synthesis work that complements the field. The presence of “federated,” “blockchain,” “cloud,” and “fog computing” shows growing interest in privacy-preserving approaches across fog networks. Security concerns are evident in “attacks,” “anomaly,” “privacy,” “intrusion detection,” and “DDoS,” suggesting the need for anomaly detection strategies. Methodological words such as “optimization,” “ensemble,” “neural,” “classification,” “feature,” and “lightweight” suggest work on model efficiency and feature engineering for resource-constrained edge devices. Terms such as “industrial,” “vehicular,” “healthcare,” and “real-time” indicate applications from latency-sensitive domains that require on-device detection.

5.2. Author Impact by h-Index

Figure 3 ranks authors by h-index on intrusion detection for fog networks. Prabhat Kumar leads with an h-index of 12, followed by Danish Javeed (10) and Najmul K.M. Islam (9). A second cluster follows: Randhir Deepak Kumar and Alireza Jolfaei are tied at 8, with Noshina Tariq at 7, and five others (Muhammad Shahid Saeed, Dezhi Han, Selvakumar Manickam, and Ahamed Aljuhani) clustered at 6. This shows that a small group of researchers accounted for much of the significant citation impact in the area. Overall, the distribution shows that advances in IDS for fog computing are driven by a concentrated set of contributors whose outputs are repeatedly cited across multiple publications, thereby improving architectures and model evaluation in this domain.

5.3. Top Sources by h-Index

Figure 4 reports the venues with the highest h-index in intrusion detection for fog networks. IEEE Access ranks first (h = 45), ahead of Sensors (h = 32). A middle cluster follows, Electronics (Switzerland) and Applied Sciences (Switzerland) (both h = 17), then Sustainability (Switzerland) (h = 13) and ACM Computing Surveys (h = 12). Four venues show similar, sustained impact: Digital Communications and Networks and Scientific Reports (h = 11 each), and Wireless Communications and Mobile Computing together with PeerJ Computer Science (h = 10 each). This indicates that much of the field’s highly cited work is concentrated on open-access, fast-turnaround platforms, notably IEEE Access and several MDPI journals, thereby likely accelerating the dissemination of methods and datasets.

5.4. Co-Authorship Network

Figure 5 shows the Top 10 co-authorship networks in recent studies on fog intrusion detection. A small cluster centered on Jolfaei, Alireza; Javeed, Danish; Saeed, Muhammad Shahid; Najmul K.M.; and Kumar, Randhir Deepak is tightly connected, indicating repeated joint publications. Gadekallu Thippa links to that cluster through a single connection, suggesting occasional collaboration rather than frequent co-authorship. Authors such as Noshina Tariq, Sudeep Tanwar, and Manal Abdullah appear isolated, indicating that they were productive but that their regular co-authors were not among the top 10. The co-authorship network reveals the collaboration patterns in intrusion detection research for fog networks.

5.5. Top 10 Relevant Authors

Figure 6 shows the ten most prolific authors. Prabhat Kumar leads with 20 papers, almost twice as many as the next contributor. A second tier follows: Danish Javeed (12), Noshina Tariq (11), and Alireza Jolfaei (10), indicating sustained activity from several researchers rather than a single dominant researcher. A third cluster, Randhir Deepak Kumar, Najmul K. M. Islam, and Ahamed Aljuhani, contributed 9 papers each. Rounding out the list were Dezhi Han (8), Muhammad Shahid Saeed (7), and Selvakumar Manickam (7). Taken together, the top four names accounted for 53 of 112 papers in the Top 10 set, or 47%. The overlap between these names and the co-authorship cluster suggests that much of the recent output is produced by a small number of collaborating teams. These counts reflect publication volume rather than citation impact, but they point to the origins of methodological developments in fog intrusion detection.

5.6. Publication Sources by Volume

Figure 7 ranks publication venues by volume. IEEE Access leads by a wide margin (195 papers), followed by Sensors (101) and Electronics (Switzerland) (56), with Applied Sciences (36), Computers, Materials and Continua (32), the International Journal of Advanced Computer Science and Applications (31), and Scientific Reports (27) forming the next tier. This reveals that recent work on fog network intrusion detection is concentrated in large, high-throughput, open-access journals, notably IEEE and MDPI, consistent with a field growing rapidly. The remaining Top 20 contribute between 13 and 27 papers each, spanning outlets such as Future Internet, PeerJ Computer Science, Wireless Communications and Mobile Computing, and Information (Switzerland). The IEEE Internet of Things Journal also appears, underscoring the close connection between IoT research and intrusion detection in these journals.

5.7. Country Collaborations

Figure 8 indicates the top ten countries in country collaborations. Nodes represent countries, while gray links indicate collaboration relationships between countries. Thicker links represent stronger collaboration based on a higher number of co-authored papers. The network shows the United States as the main collaboration hub, with strong links to India, China, Australia, Canada, Pakistan, and Saudi Arabia. India serves as a prominent hub, with visible ties to the United States, the Netherlands, and Switzerland. Saudi Arabia formed another prominent node, collaborating with both the United States and Pakistan, and connecting to Europe via Switzerland. This is dominated by a few high-weight bilateral axes, such as the United States–India, rather than a dense multilateral cluster. This indicates that intrusion detection across borders in fog networks is concentrated in a small set of partnerships, with limited interconnections among the remaining countries. Broadening joint projects beyond these dominant hubs could diversify datasets and testbeds, thereby improving the validity of intrusion detection for fog deployments.

5.8. Findings from the Comparative Analysis of Various IDS Techniques

From Table 1, it can be seen that the NSL-KDD, UNSW-NB15, CIC-IDS2017, and KDD99 benchmark datasets, as well as IoT datasets such as BoT-IoT, N-BaIoT, and AWID, have been widely adopted. This indicates the research community’s effort to evaluate on more relevant intrusion data, though older datasets persist for benchmarking. In terms of performance, many studies reported very high accuracies of 95–99% on these datasets, demonstrating the capabilities of Machine Learning/Deep Learning methods. However, these findings have some limitations; for example, they lacked real-world validation. Some datasets were not representative of actual fog network traffic. The limitations column is revealing: almost every approach has drawbacks. Traditional methods, such as anomaly detection and signature-based techniques, lack adaptability in dynamic fog networks. Due to their reliance on labeled network traffic, Machine Learning methods tend to struggle with new attacks or need retraining. Deep Learning methods have resource and explainability limitations. Hybrid methods can be computationally intensive for fog devices, degrading their performance. A common theme is the need to optimize performance without compromising efficiency. For instance, refs. [26,43] prioritized low resource usage and privacy, but were not tested on multiple attacks.
On the other hand, ensembles or deep networks achieved top accuracy at the cost of complexity, which might not be feasible with fog networks. Another challenge is the problem of false positives in intrusion detection. Anomaly-based IDSs were reported to suffer from high false-positive rates. Hybrid approaches that use a preprocessing stage or feature selection reduce false positives. This is crucial because in fog networks, a node or nodes might be overwhelmed by intrusions if the IDS is inaccurate. Techniques such as autoencoders, isolation forest, one-class Support Vector Machine, and clustering were tuned to minimize false positives. Hyperparameter tuning of these models for optimal intrusion detection compromised energy efficiency, which is incompatible with resource-constrained fog devices. Distribution and scalability were considered by [27,32]. This acknowledges that using an IDS in a centralized way is not compatible with large-scale fog deployments. Rather, distributed learning or federated models can be used. This aligns with the fog network architecture, which is distributed and not central. These approaches demonstrate that collaborative detection can improve accuracy while addressing data privacy concerns.
Although various reviewed studies reported high accuracy in the 95–99% range, these values should be interpreted cautiously in the context of intrusion detection for fog networks. Accuracy alone may overestimate practical effectiveness, especially when class distributions are imbalanced or when benign traffic dominates the dataset. In such settings, a model can achieve a high accuracy while performing poorly on minority but operationally important attack classes. Therefore, precision, recall, F1-score (macro-F1 and class-wise F1), false-positive rate, and false-negative rate are often more informative than accuracy alone for evaluating fog-IDS performance.
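The gap between accuracy and class-wise metrics can be seen in a small calculation. The following Python code is an added example, not taken from this review or the studies it covers: the confusion matrix is constructed for illustration (class names follow the NSL-KDD categories, the counts are invented), and the function names are hypothetical.

```python
# Added example: accuracy versus class-wise metrics on an imbalanced IDS test set.
# The confusion matrix is constructed; its counts are not results from any study.

CLASSES = ["normal", "dos", "probe", "r2l", "u2r"]

# Rows are the true class, columns the predicted class (same order as CLASSES).
CONFUSION = [
    [9500, 30, 20, 0, 0],    # true normal
    [40, 3900, 10, 0, 0],    # true dos
    [30, 10, 960, 0, 0],     # true probe
    [160, 0, 5, 35, 0],      # true r2l (rare)
    [45, 0, 0, 3, 2],        # true u2r (very rare)
]


def per_class_metrics(cm, classes):
    """Return {class: precision, recall, f1, support} from a confusion matrix."""
    n = len(cm)
    metrics = {}
    for k, name in enumerate(classes):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                          # true k, predicted otherwise
        fp = sum(cm[i][k] for i in range(n)) - tp     # predicted k, true otherwise
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        f1 = 2 * precision * recall / denom if denom else 0.0
        metrics[name] = {"precision": precision, "recall": recall,
                         "f1": f1, "support": tp + fn}
    return metrics


def summarize(cm, classes, benign="normal"):
    """Overall accuracy, macro-F1, and binary (attack vs. benign) FPR/FNR."""
    n = len(cm)
    total = sum(sum(row) for row in cm)
    per_class = per_class_metrics(cm, classes)
    b = classes.index(benign)
    benign_total = sum(cm[b])
    attack_total = total - benign_total
    false_alarms = benign_total - cm[b][b]                 # benign flagged as any attack
    missed = sum(cm[i][b] for i in range(n) if i != b)     # attacks labelled benign
    return {
        "accuracy": sum(cm[k][k] for k in range(n)) / total,
        "macro_f1": sum(m["f1"] for m in per_class.values()) / n,
        "false_positive_rate": false_alarms / benign_total,
        "false_negative_rate": missed / attack_total,
        "per_class": per_class,
    }


if __name__ == "__main__":
    report = summarize(CONFUSION, CLASSES)
    print(f"accuracy={report['accuracy']:.4f}  macro_f1={report['macro_f1']:.4f}")
    print(f"FPR={report['false_positive_rate']:.4f}  FNR={report['false_negative_rate']:.4f}")
    for name, m in report["per_class"].items():
        print(f"{name:>6}: recall={m['recall']:.3f} f1={m['f1']:.3f} n={m['support']}")
```

On this constructed matrix the accuracy is about 97.6%, while macro-F1 is about 0.66 and U2R recall is 4%.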
Another concern is dataset realism. Several studies rely on benchmark datasets such as NSL-KDD, KDD99, UNSW-NB15, CIC-IDS2017, BoT-IoT, and ToN-IoT, which are useful for comparability but differ in age, labeling quality, traffic composition, and representativeness of dynamic fog/IoT environments. Significant findings on a single benchmark do not necessarily imply robustness under concept drift or unseen attacks in live deployments. Cross-dataset validation, cross-network evaluation, time-based validation, and evaluation under drift-aware settings remain underexplored in the reviewed literature and should be prioritized for future work.
The comparative evidence also shows that deployment-oriented reporting is uneven across the literature. A small number of studies provide significant implementation indicators beyond accuracy. For example, ConvNeXt-Sf [42] reported parameter reduction (1.25% of ConvNeXt), reduced false alarm rate, and prediction time, indicating an efficiency-oriented evaluation. A lightweight online-ensemble IDS with explainable AI (XAI) was validated on a Raspberry Pi 5 testbed and reported 35 ms average inference time with a 2.1% false-positive rate, which is relevant for fog deployment constraints. Other studies discussed distributed or federated gains, but also acknowledged communication and synchronization overhead. However, many papers still provide limited or no quantitative reporting on memory usage, CPU/GPU utilization, energy consumption, or communication cost, making practical comparison difficult. This inconsistency suggests that future fog-IDS studies should report a deployment profile, including hardware platform, latency, memory usage, energy consumption, and communication overhead in addition to detection metrics.
In summary, despite high detection rates reported by many studies, model complexity, evolving threats, deployment feasibility, data privacy, and detection latency remain limitations. Hybrid lightweight deep learning or reinforcement learning IDS models optimized for real-time intrusion detection can be used to detect intrusions in fog networks. Such models would strive to balance accuracy and latency, perhaps by combining efficient feature extraction and on-device anomaly detection. This calls for an overview of the challenges in existing studies and the need for the proposed hybrid lightweight IDS.

6. Discussion on Challenges and Limitations

Despite the substantial progress in fog IDS research, the review has uncovered several limitations and challenges that remain unaddressed:

6.1. Resource Intensity vs. Real-Time Requirements

Many high-accuracy models, such as reinforcement learning and deep learning ensembles, are too resource-intensive for real-time deployment on typical fog nodes. For example, the transformer-CNN-LSTM ensemble by [37] achieved optimal accuracy, but it cannot be used on low-power fog devices and introduces a cloud dependency. In the same vein, the 99% accurate GRU model by [34] relied on GPU acceleration, which may not be available on fog nodes. This gap highlights the need for lightweight models that still maintain high detection performance. An ideal solution may involve model compression or simpler architectures optimized for fog hardware.

6.2. High False Positive Rates in Anomaly Detection

While many reviewed works reported high true-positive rates, the false-positive rate is a concern for anomaly-based IDS. A system that misdetects is likely to be impractical in fog networks. Hybrid systems were proposed by [35,39] to mitigate mis-detection, but tuning anomaly detectors to be both sensitive and specific remains challenging. An ideal IDS can dynamically adjust its threshold based on network traffic context to keep false alarms low while maintaining high attack detection.
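One way to make a threshold follow traffic context is a rolling robust baseline, shown here as an added example that is not the method of any reviewed study. The choice of median plus k times the median absolute deviation (MAD), the parameter values, and the anomaly-score stream are all assumptions; the stream is constructed so that benign scores rise during a busy period.

```python
# Added example: fixed versus context-adaptive alert threshold on anomaly scores.
from collections import deque
from statistics import median


class AdaptiveThreshold:
    """Alert when a score exceeds median + k * MAD of the recent window."""

    def __init__(self, window=50, k=6.0, min_mad=0.05, warmup=20):
        self.scores = deque(maxlen=window)
        self.k = k
        self.min_mad = min_mad   # floor so a flat baseline cannot give a zero margin
        self.warmup = warmup     # no alerts until this many scores have been seen

    def current(self):
        """Current threshold, or None while the baseline is still warming up."""
        if len(self.scores) < self.warmup:
            return None
        med = median(self.scores)
        mad = median(abs(s - med) for s in self.scores)
        return med + self.k * max(mad, self.min_mad)

    def observe(self, score):
        """Decide on one score, then fold it into the rolling baseline."""
        threshold = self.current()
        alert = threshold is not None and score > threshold
        self.scores.append(score)
        return alert


def constructed_stream():
    """Constructed scores: 200 quiet samples, 200 busy samples, two attacks."""
    stream = []
    for i in range(400):
        jitter = ((i * 7) % 11 - 5) / 5.0            # deterministic, in [-1, 1]
        score = 1.0 + 0.1 * jitter if i < 200 else 3.0 + 0.3 * jitter
        is_attack = i in (150, 350)
        if i == 150:
            score = 4.0                               # attack during the quiet period
        elif i == 350:
            score = 9.0                               # attack during the busy period
        stream.append((score, is_attack))
    return stream


def evaluate(stream, decide):
    """Count detections, misses and false positives for a decision function."""
    result = {"detected": 0, "missed": 0, "false_positives": 0}
    for score, is_attack in stream:
        alert = decide(score)
        if is_attack:
            result["detected" if alert else "missed"] += 1
        elif alert:
            result["false_positives"] += 1
    return result


def compare(fixed_threshold=2.0):
    """Run both detectors over the same constructed stream."""
    stream = constructed_stream()
    fixed = evaluate(stream, lambda s: s > fixed_threshold)
    adaptive = evaluate(stream, AdaptiveThreshold().observe)
    return fixed, adaptive


if __name__ == "__main__":
    fixed, adaptive = compare()
    print("fixed   :", fixed)
    print("adaptive:", adaptive)
```

In this constructed stream the fixed threshold alerts on all 199 benign busy-period samples, while the rolling threshold alerts only during the load shift until the window catches up. The same adaptation means that an attack sustained for more than half the window is absorbed into the baseline, so window length and k need tuning per deployment.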

6.3. Generalization to Unknown Attacks

Reviewed studies such as [25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40] still train and test on the same set of known attack categories. In reality, new attacks continually emerge, for instance, in IoT networks, where new device security vulnerabilities can be used for new exploits. Signature-based IDS will miss these, and Machine Learning models might misclassify them if they are unlike anything seen in training. This justifies the need for continuous learning, or online learning, in IDS. A novel IDS model could incorporate online anomaly detection that updates its model incrementally when new patterns are observed, possibly using unsupervised or semi-supervised learning on the fog node itself. The existing federated learning approaches were found beneficial for intrusion detection and privacy, but mostly for known patterns distributed in data. The challenge is detecting a zero-day attack and learning from it quickly.

6.4. Latency and Placement of Detection Components

Some proposed techniques offload much of the processing to the cloud [34], incurring latency, while others run entirely on the fog node, potentially incurring high local computation. Smart partitioning of IDS tasks is still an open issue. For instance, studies envisioned hierarchical intrusion detection systems comprising a one-class model on each IoT device for detecting obvious anomalies, a fog-level model for local network anomalies, and a cloud-level model for global event correlation. Designing such a multi-level IDS is expensive and has not been fully realized. An appropriate trade-off between detection speed and depth of analysis is recommended. This ties into using AI accelerators or efficient algorithms to perform deep analysis with minimal delay.

6.5. Privacy and Data Sharing

Few studies address data privacy explicitly by not sharing raw data [29,32]. In many cases, researchers aggregate all data in a single location for model training, which may not be feasible or legal for sensitive data such as smart grid and healthcare data. Federated deep learning or reinforcement learning and hybrid federated approaches, such as federated anomaly detection integrated with centralized signature updates, can be proposed to protect data. The recommended novel model would ideally ensure that only minimal information, like model updates or anonymized features, is exchanged/gossiped between fog nodes.

6.6. Evaluation in Realistic/Real-World Environments

A significant number of studies validated their approach on simulated datasets. The scarcity of real-world validation is not only a methodological gap but also a deployment problem. Fog environments are heterogeneous, with large differences in hardware capability, operating systems, and communication protocols across nodes, making reproducible implementation and benchmarking difficult. Deploying IDS in operational fog/IoT systems introduces cost and maintenance burdens, including monitoring and retraining. Various application use cases, such as healthcare, smart grids, finance, and industrial IoT, impose privacy and compliance constraints that limit the sharing of raw data. Interoperability challenges with existing edge middleware and IoT gateways can prevent the direct transfer of laboratory IDS prototypes into production environments. These barriers highlight the need for frameworks that are not only theoretically sound but also practically deployable and evaluated in realistic conditions, maybe using tools like iFogSim or actual IoT deployments. A novel IDS design should be lightweight in terms of CPU energy consumption and memory usage.

6.7. Integration of IDS with Explainability

Most researchers focus on detection. Fog computing would benefit from an IDS that can also provide local response and explainability to isolate or mitigate threats autonomously. The literature lacks a detailed discussion of self-learning IDS that provides detailed explainability and recommendations, such as quarantining a compromised node, rerouting traffic, blocking traffic, and alerting neighboring fog nodes. A promising IDS model could be extended to an intrusion detection and prevention system that includes explainability.

6.8. Interoperability and Regulatory Constraints

The limited number of real-world fog IDS deployments is not only a methodological gap but also an implementation and governance challenge. Building realistic fog testbeds is costly because it requires heterogeneous devices, repeatable attack generation, monitoring infrastructure, and safe operational isolation. In addition, interoperability constraints are significant: fog nodes often run mixed hardware, operating systems, and protocols, and IDS components must coexist with legacy IoT/OT services without disrupting latency-sensitive workloads.
Regulatory and organizational requirements further slow deployment. In sectors such as healthcare, smart grids, and industrial systems, data movement and incident handling are governed by privacy, auditability, and compliance obligations, which complicate centralized training and unrestricted traffic capture. This helps explain why many studies remain at the benchmark level despite promising results.
Future fog IDS evaluations should therefore report quantitative feasibility metrics alongside detection scores, including hardware specifications, model size (MB), peak memory usage, CPU utilization, inference latency (for example, p50 and p95), energy use per inference or per time window, and communication overhead for federated or hierarchical designs (such as bytes transferred per round and synchronization frequency). Reporting these measures would make comparisons more practical for resource-limited fog deployments.
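One way to collect such a deployment profile on a fog node, as an added example that is not code from this review or any reviewed study: the toy logistic detector, the sample data, and all function names are hypothetical, and the communication figure assumes each federated round ships the full serialized model once. Energy is left unmeasured because it needs an external power meter.

```python
# Added example: collect a deployment profile for a detector on the local node.
import pickle
import platform
import time
import tracemalloc
from math import exp

# Hypothetical stand-in for a deployed detector: a 6-feature logistic scorer.
TOY_MODEL = {"weights": [0.8, -0.4, 1.2, 0.05, -0.9, 0.3], "bias": -0.5}


def toy_predict(features, model=TOY_MODEL):
    """Return True when the logistic score marks the flow record as an attack."""
    z = model["bias"] + sum(w * x for w, x in zip(model["weights"], features))
    return 1.0 / (1.0 + exp(-z)) > 0.5


def constructed_samples(n=500):
    """Constructed, deterministic feature vectors (not real traffic)."""
    return [[((i * (j + 3)) % 17) / 17.0 for j in range(6)] for i in range(n)]


def percentile(values, pct):
    """Nearest-rank percentile for an integer pct in 1..100."""
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)   # ceiling without floats
    return ordered[rank - 1]


def profile_detector(predict, samples, model, rounds_per_hour=0):
    """Measure latency, CPU share, peak heap, model size and sync traffic."""
    # Pass 1: per-inference latency and CPU share, without memory tracing,
    # because tracemalloc itself slows the code being measured.
    latencies_ms = []
    cpu_start, wall_start = time.process_time(), time.perf_counter()
    for sample in samples:
        t0 = time.perf_counter()
        predict(sample)
        latencies_ms.append((time.perf_counter() - t0) * 1000.0)
    wall = time.perf_counter() - wall_start
    cpu = time.process_time() - cpu_start

    # Pass 2: peak Python heap while running the same inferences.
    tracemalloc.start()
    for sample in samples:
        predict(sample)
    _, peak_bytes = tracemalloc.get_traced_memory()
    tracemalloc.stop()

    # Assumption: one federated round transfers the full serialized model.
    model_bytes = len(pickle.dumps(model))
    return {
        "hardware": {"machine": platform.machine(), "system": platform.system(),
                     "python": platform.python_version()},
        "model_bytes": model_bytes,
        "model_size_mb": model_bytes / 1e6,
        "peak_heap_mb": peak_bytes / 1e6,
        "cpu_utilization": cpu / wall if wall > 0 else 0.0,
        "latency_ms_p50": percentile(latencies_ms, 50),
        "latency_ms_p95": percentile(latencies_ms, 95),
        "rounds_per_hour": rounds_per_hour,
        "comm_bytes_per_hour": rounds_per_hour * model_bytes,
        "energy_per_inference_j": None,   # not measurable without a power meter
    }


if __name__ == "__main__":
    report = profile_detector(toy_predict, constructed_samples(), TOY_MODEL,
                              rounds_per_hour=12)
    for key, value in report.items():
        print(f"{key}: {value}")
```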

7. Study’s Limitations

This study has its limitations. For example, the database search was restricted to Web of Science and Scopus. It did not include additional repositories such as IEEE Xplore, ACM Digital Library, ScienceDirect, Wiley Online Library, or Google Scholar, which may have reduced coverage. The retrieval strategy was intentionally title-restricted to improve topical precision and reproducibility; however, this may have excluded relevant studies that discuss intrusion detection in fog computing in the abstract or keywords but not explicitly in the title. The review period was limited to 2021–2025, which supports a focus on recent developments but may omit earlier foundational work and very recent publications outside the selected window. Future reviews should be improved by broadening repository coverage and conducting searches using abstract or keyword queries.

8. Conclusions and Future Work

Fog networks demand a new generation of IDS that is not only accurate in detecting cyber threats but also optimized for distributed, resource-constrained operations. Various studies on intrusion detection systems in fog networks, encompassing traditional signature-based methods, machine learning classifiers, deep learning models, and hybrid approaches, were surveyed. The review showed that hybrid IDS combining machine-learning and deep-learning methods dominate the fog literature and often report high accuracy on benchmark datasets. Studies increasingly favor tiered designs that keep fast screening on fog nodes and offload heavier analysis upstream, and they explore federated or distributed training to keep data local. Feature selection and dynamic thresholds help reduce false positives, while explainability tools are being added to support operations. Bibliometric analyses highlighted the field’s concentration in fast-turnaround, open-access journals such as IEEE Access and Sensors, as well as a small number of highly collaborative author clusters, alongside dominant terms such as “learning,” “federated,” “ensemble,” “lightweight,” and “explainability.” Several challenges remain unresolved. The latency-energy trade-off still limits real-time use of complex models on fog devices. Detection performance degrades under concept drift and in the presence of unseen attacks, and anomaly-based systems continue to produce high false-positive rates. Evidence is largely drawn from benchmarks rather than diverse, real-world fog deployments, and suitable labeled datasets are scarce. Privacy-preserving learning reduces data movement but adds communication overhead, and explainability methods can introduce extra latency if not designed for the edge. Reporting practices are also inconsistent, with latency and energy budgets often omitted.
Future directions can be grouped by deployment readiness to distinguish near-term priorities from exploratory opportunities. Near-term directions include (i) deployment-oriented evaluation on real or semi-real fog testbeds, (ii) standardized reporting of latency, false-positive rate, hardware platform, and communication overhead, and (iii) lightweight hybrid IDS designs. These directions are immediately actionable because they build on methods already demonstrated in the literature but require stronger evaluation. Emerging directions include federated and distributed learning for privacy-preserving IDS, online/continual learning for concept-drift adaptation, and lightweight explainability for operational trust. These approaches are promising and are increasingly supported by recent studies, but their practical use still depends on safeguards against model drift or poisoning, stable communication, and cost-effective synchronization. Exploratory directions include self-learning cooperative IDS frameworks with autonomous response, multi-agent coordination across fog nodes, and ultra-lightweight adaptive models that jointly optimize detection quality, energy use, and privacy under dynamic workloads. These directions are conceptually important for future fog security architectures, but they currently require stronger real-world validation and interoperability standards.
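The role of dynamic thresholds under concept drift, noted in the conclusions above, can be made concrete with an added example (not code from this article or from any reviewed study). It compares a fog-node screen whose threshold is fixed at calibration time with one that tracks the baseline by exponentially weighted moving averages and escalates only outliers upstream. The traffic series, class names, and parameters (k = 4, alpha = 0.05) are assumptions constructed for the illustration.

```python
import math
import statistics


def constructed_traffic(n=400, attacks=(120, 250, 380)):
    """Constructed sample: benign packet rate drifts from ~100 to ~200 pkt/s
    (concept drift) with small jitter; three labelled bursts are injected."""
    samples = []
    for t in range(n):
        rate = 100 + 0.25 * t + 5 * math.sin(1.7 * t)
        is_attack = t in attacks
        if is_attack:
            rate += 80
        samples.append((rate, is_attack))
    return samples


class StaticScreen:
    """Threshold computed once from a warm-up window and never updated."""

    def __init__(self, warmup, k=4.0):
        self.limit = statistics.fmean(warmup) + k * statistics.pstdev(warmup)

    def flag(self, x):
        return x > self.limit


class DynamicScreen:
    """EWMA mean/variance baseline, so the threshold follows slow drift."""

    def __init__(self, warmup, k=4.0, alpha=0.05):
        self.mean = statistics.fmean(warmup)
        self.var = statistics.pvariance(warmup)
        self.k = k
        self.alpha = alpha

    def flag(self, x):
        diff = x - self.mean
        if diff > self.k * math.sqrt(self.var):
            # Escalate upstream and skip the update, so a flagged burst
            # cannot drag the baseline upward (a simple poisoning safeguard).
            return True
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)
        return False


def evaluate(screen_cls, samples, warmup_len=50):
    """Calibrate on the attack-free warm-up window, then score the rest."""
    screen = screen_cls([x for x, _ in samples[:warmup_len]])
    tp = fp = fn = tn = 0
    for x, is_attack in samples[warmup_len:]:
        flagged = screen.flag(x)
        if is_attack:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    return {
        "fpr": fp / (fp + tn),        # false-positive rate on benign samples
        "recall": tp / (tp + fn),     # share of injected bursts caught
        "escalated": tp + fp,         # samples sent upstream for heavy analysis
    }


if __name__ == "__main__":
    data = constructed_traffic()
    for name, cls in (("static", StaticScreen), ("dynamic", DynamicScreen)):
        print(name, evaluate(cls, data))
```

Both screens catch the injected bursts, but the fixed threshold flags most benign traffic once the baseline has drifted, which is the upstream load and false-positive cost that the tiered designs in the review aim to avoid.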

Author Contributions

N.T.: Analysis and research write-up. T.E.M.: Technical review, idea enhancement, and guidance. T.O.O.: Technical review, idea improvement, and guidance. S.M.: Technical review, idea improvement, and guidance. T.M.: Technical review, idea improvement, and guidance. T.M.T.: Technical review, idea improvement, and guidance. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the Tshwane University of Technology.

Data Availability Statement

Available upon request from the authors.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
| Abbreviation | Definition |
|---|---|
| IDS | Intrusion Detection System |
| ML | Machine Learning |
| DL | Deep Learning |
| CNN | Convolutional Neural Network |
| XAI | Explainable Artificial Intelligence |

References

  1. Ngabo, D.; Wang, D.; Iwendi, C.; Anajemba, J.H.; Ajao, L.A.; Biamba, C. Blockchain-based security mechanism for the medical data at the fog computing architecture of the Internet of Things. Electronics 2021, 10, 2110.
  2. Alzahrani, H.; Sheltami, T.; Barnawi, A.; Imam, M.; Yasar, A. A lightweight intrusion detection system using convolutional neural network and long short-term memory in fog computing. Cmc-Comput. Mater. Contin. 2024, 80, 4703–4728.
  3. Qaddoura, R.; Al-Zoubi, A.M.; Faris, H.; Almomani, I. A multi-layer classification approach for intrusion detection in IoT networks based on deep learning. Sensors 2021, 21, 2987.
  4. Al-Shurbaji, T.; Anbar, M.; Manickam, S.; Hasbullah, I.H.; Alfriehate, N.; Alabsi, B.A.; Alzighaibi, A.R.; Hashim, H. Deep learning-based intrusion detection system for detecting IoT botnet attacks: A review. IEEE Access 2025, 13, 11792–11822.
  5. Gill, S.S.; Golec, M.; Hu, J.; Xu, M.; Du, J.; Wu, H.; Walia, G.K.; Murugesan, S.S.; Ali, B.; Kumar, M.; et al. Edge AI: A taxonomy, systematic review and future directions. Clust. Comput. 2025, 28, 18.
  6. Liu, H.; Zhang, S.; Zhang, P.; Zhou, X.; Shao, X.; Pu, G.; Zhang, Y. Blockchain and federated learning for collaborative intrusion detection in vehicular edge computing. IEEE Trans. Veh. Technol. 2021, 70, 6073–6084.
  7. Xiong, K.; Wu, Z.; Jia, X. Deepcontainer: A deep learning-based framework for real-time anomaly detection in cloud-native container environments. J. Adv. Comput. Syst. 2025, 5, 1–17.
  8. Alkanhel, R.; El-kenawy, E.S.M.; Abdelhamid, A.A.; Ibrahim, A.; Alohali, M.A.; Abotaleb, M.; Khafaga, D.S. Network Intrusion Detection Based on Feature Selection and Hybrid Metaheuristic Optimization. Comput. Mater. Contin. 2023, 74, 2677–2693.
  9. Alnajim, A.M.; Habib, S.; Islam, M.; Thwin, S.M.; Alotaibi, F. A comprehensive survey of cybersecurity threats, attacks, and effective countermeasures in the industrial internet of things. Technologies 2023, 11, 161.
  10. Mohammed, B.A.; Al-Shareeda, M.A.; Homod, R.Z.; Alkhabra, Y.A.; Al-Mekhlafi, Z.G.; Alshammari, G.; Alanazi, A. Taxonomy-Based Lightweight Cryptographic Frameworks for Secure Industrial IoT: A Survey. IEEE Internet Things J. 2025, 12, 43296–43316.
  11. Otoum, Y.; Nayak, A. As-ids: Anomaly and signature-based IDs for the Internet of Things. J. Netw. Syst. Manag. 2021, 29, 23.
  12. Liu, Q.; Hagenmeyer, V.; Keller, H.B. A review of rule learning-based intrusion detection systems and their prospects in smart grids. IEEE Access 2021, 9, 57542–57564.
  13. Ahmed, U.; Nazir, M.; Sarwar, A.; Ali, T.; Aggoune, E.H.M.; Shahzad, T.; Khan, M.A. Signature-based intrusion detection using machine learning and deep learning approaches empowered with fuzzy clustering. Sci. Rep. 2025, 15, 1726.
  14. Ahmad, R.; Alsmadi, I.; Alhamdani, W.; Tawalbeh, L.A. Zero-day attack detection: A systematic literature review. Artif. Intell. Rev. 2023, 56, 10733–10811.
  15. Abdelmoumin, G.; Rawat, D.B.; Rahman, A. On the performance of machine learning models for anomaly-based intelligent intrusion detection systems for the Internet of Things. IEEE Internet Things J. 2021, 9, 4280–4290.
  16. Mohamed, N.; Al-Jaroodi, J.; Lazarova-Molnar, S.; Jawhar, I. Applications of integrated IoT-fog-cloud systems to smart cities: A survey. Electronics 2021, 10, 2918.
  17. Alsadie, D. Artificial intelligence techniques for securing fog computing environments: Trends, challenges, and future directions. IEEE Access 2024, 12, 151598–151648.
  18. Alzahrani, A.I.; Al-Rasheed, A.; Ksibi, A.; Ayadi, M.; Asiri, M.M.; Zakariah, M. Anomaly detection in fog computing architectures using custom tab transformer for internet of things. Electronics 2022, 11, 4017.
  19. Jeyaraj, R.; Balasubramaniam, A.; Ajay Kumara, M.A.; Guizani, N.; Paul, A. Resource management in cloud and cloud-influenced technologies for Internet of Things applications. ACM Comput. Surv. 2023, 55, 1–37.
  20. Abulhassan, A.; Rashid, I.; Imam, M.; Binbeshr, F. DDoS Attack Detection in IoT: A Comparative Resource and Performance Analysis of Deep Learning and Machine Learning Models. IEEE Access 2025, 13, 116529–116547.
  21. Gad, A.G. Particle swarm optimization algorithm and its applications: A systematic review. Arch. Comput. Methods Eng. 2022, 29, 2531–2561.
  22. Khraisat, A.; Alazab, A.; Singh, S.; Jan, T.; Gomez, A., Jr. Survey on federated learning for intrusion detection systems: Concept, architectures, aggregation strategies, challenges, and future directions. ACM Comput. Surv. 2024, 57, 1–38.
  23. Sharma, M.; Kaur, P. Reliable federated learning in a cloud-fog-IoT environment. J. Supercomput. 2023, 79, 15435–15458.
  24. Page, M.J.; McKenzie, J.E.; Bossuyt, P.M.; Boutron, I.; Hoffmann, T.C.; Mulrow, C.D.; Shamseer, L.; Tetzlaff, J.M.; Akl, E.A.; Brennan, S.E.; et al. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, 372, 71.
  25. Selçuk, A.A. A guide for systematic reviews: PRISMA. Turk. Arch. Otorhinolaryngol. 2019, 57, 57.
  26. Alghayadh, F.Y. A Hybrid Intrusion Detection System for Smart Home Security Based on Machine Learning and User Behavior. Doctoral Dissertation, Oakland University, Rochester, MI, USA, 2021.
  27. Rani, D.; Kaushal, N. Supervised Machine Learning Based Network Intrusion Detection System for Internet of Things. In 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT); IEEE: Piscataway, NJ, USA, 2020.
  28. Sadaf, K.; Sultana, J. Intrusion detection based on an autoencoder and an isolation forest in fog computing. IEEE Access 2020, 8, 167059–167068.
  29. Kumar, P.; Gupta, G.P.; Tripathi, R. An ensemble learning and fog-cloud architecture-driven cyber-attack detection framework for IoMT networks. Comput. Commun. 2021, 166, 110–124.
  30. Alzubi, O.A.; Alzubi, J.A.; Alazab, M.; Alrabea, A.; Awajan, A.; Qiqieh, I. Optimized machine learning-based intrusion detection system for fog and edge computing environments. Electronics 2022, 11, 3007.
  31. Tariq, N.; Alsirhani, A.; Humayun, M.; Alserhani, F.; Shaheen, M. A fog-edge-enabled intrusion detection system for smart grids. J. Cloud Comput. 2024, 13, 43.
  32. NG, B.A.; Selvakumar, S. Anomaly detection framework for Internet of things traffic using vector convolutional deep learning approach in fog environment. Future Gener. Comput. Syst. 2020, 113, 255–265.
  33. Imrana, Y.; Xiang, Y.; Ali, L.; Abdul-Rauf, Z. A bidirectional LSTM deep learning approach for intrusion detection. Expert Syst. Appl. 2021, 185, 115524.
  34. Abdel-Basset, M.; Chang, V.; Hawash, H.; Chakrabortty, R.K.; Ryan, M. Deep-IFS: Intrusion Detection Approach for IIoT Traffic in Fog Environment. IEEE Trans. Ind. Inform. 2020, 17, 7704–7715.
  35. El Houda, Z.A.; Brik, B.; Khoukhi, L. “Why should I trust your IDS?”: An Explainable Deep Learning Framework for Intrusion Detection Systems in Internet of Things Networks. IEEE Open J. Commun. Soc. 2022, 3, 1164–1176.
  36. Attique, D.; Wang, H.; Wang, P. Fog-assisted deep-learning-empowered intrusion detection system for RPL-based resource-constrained smart industries. Sensors 2022, 22, 9416.
  37. De Souza, C.A.; Westphall, C.B.; Machado, R.B.; Sobral, J.B.M.; dos Santos Vieira, G. Hybrid approach to intrusion detection in fog-based IoT environments. Comput. Netw. 2020, 180, 107417.
  38. Mohamed, D.; Ismael, O. Enhancement of an IoT hybrid intrusion detection system based on fog-to-cloud computing. J. Cloud Comput. 2023, 12, 41.
  39. Tawfik, M. Optimized intrusion detection in IoT and fog computing using ensemble learning and advanced feature selection. PLoS ONE 2024, 19, e0304082.
  40. Sahar, N.; Mishra, R.; Kalam, S. Deep learning approach-based network intrusion detection system for fog-assisted IoT. In International Conference on Big Data, Machine Learning, and Their Applications; Springer: Berlin/Heidelberg, Germany, 2021; pp. 39–50.
  41. Kaliyaperumal, K.; Murugaiyan, C.; Perumal, D.; Jayaraman, G.; Samikannu, K. Combined ensemble intrusion detection model using deep learning with feature selection for fog computing environments. Acta Scientiarum. Technol. 2023, 45, e60551.
  42. Zhao, G.; Wang, Y.; Wang, J. Lightweight Intrusion Detection Model of the Internet of Things with Hybrid Cloud-Fog Computing. Secur. Commun. Netw. 2023, 2023, 7107663.
  43. Chen, Y.; Lin, Q.; Wei, W.; Ji, J.; Wong, K.C.; Coello, C.A.C. Intrusion detection using multi-objective evolutionary convolutional neural network for Internet of Things in Fog computing. Knowl.-Based Syst. 2022, 244, 108505.
  44. Najafli, S.; Toroghi Haghighat, A.; Karasfi, B. A novel reinforcement learning-based hybrid intrusion detection system on fog-to-cloud computing. J. Supercomput. 2024, 80, 26088–26110.
  45. Al Rawajbeh, M.; Maria Soosai, A.J.; Ramasamy, L.K.; Khan, F. Trustworthy Adaptive AI for Real-Time Intrusion Detection in Industrial IoT Security. IoT 2025, 6, 53.
Figure 1. PRISMA framework.
Figure 2. Intrusion Detection in fog networks word cloud.
Figure 3. Top Authors by h-index.
Figure 4. The publication venues by source index.
Figure 5. Top 10 co-authorship network.
Figure 6. The Top 10 relevant authors.
Figure 7. Publication venues by volume.
Figure 8. Top 10 international country collaborations in intrusion detection for fog computing.
Table 1. Search strategy and screening.

| Stage | Criteria | Web of Science Articles | Scopus Articles |
|---|---|---|---|
| 1 | Titles include “intrusion detection” AND “fog computing.” | 322 | 8238 |
| 2 | Choose the 2021–2025 articles | 232 | 7306 |
| 3 | Choose only the journal and conference articles | 232 | 5651 |
| 4 | Select articles that were written in English | 232 | 5594 |
| 5 | Open access | 232 | 5594 |

Merged and de-duplicated total: 4905 unique articles (921 duplicates were removed).
Table 2. Comparison of Related Intrusion Detection Approaches for Fog Networks.

| Study | Dataset | Techniques | Findings | Limitations |
|---|---|---|---|---|
| Two-tier Smart-Home IDS [26] | CSE-CIC-IDS2018; NSL-KDD | Hybrid: misuse/signature rules and ML (RF, XGBoost, DT, kNN) | Improved detection of known and unknown attacks in smart-home fog nodes; reduced false alarms with signatures. | Rule-based requires continual expert updates; evaluated on simulated datasets, not live fog deployments. |
| Feature-lean RF IDS [27] | NSL-KDD; KDD’99 | Random Forest with manual feature selection for low compute | Reasonable attack vs. normal accuracy with minimized features suited to fog. | Training data synthetic/older; generalization to real fog traffic uncertain. |
| Auto-IF (Autoencoder and Isolation Forest) [28] | NSL-KDD | Unsupervised AE (reconstruction error) and Isolation Forest; anomaly-based | High binary intrusion detection accuracy; no labeled attacks needed for training. | Binary only (no multiple-attack classes); old datasets; not validated in real-world fog networks. |
| Fog-Cloud Ensemble for IoMT [29] | NSL-KDD; real healthcare traffic | Ensemble of ML classifiers; fog prefiltering and cloud aggregation | >90% multi-attack accuracy; scalable across fog-cloud; diversity boosted TPR. | Ensemble adds latency/overhead; reliance on the cloud link can increase delay. |
| ESOML-IDS [30] | UNSW-NB15 | Effective Seeker Optimization (ESO) feature selection and ML with Denoising Autoencoder | F1 = 0.82 to 0.83 after selection vs. 0.53 to 0.67 for baselines; better accuracy/precision/recall with fewer features. | ESO search is compute-intensive; it may need offline optimization for tiny fog nodes. |
| Federated SVM for Smart Grids [31] | NSL-KDD; CICIDS2017 | Federated Learning with SVM at the edge; parameter sharing to fog aggregator | 4–6% accuracy and notable F1/recall gains over centralized; privacy preserved, better generalization. | Classical SVM may miss complex nonlinearities; Federated Learning introduces communication and synchronization overhead. |
| Vector CNN for IoT Traffic [32] | IoT traffic datasets | CNN on vectorized flow features for local pattern extraction at fog | Anomaly detection typically >90%; CNN learns spatial-temporal feature interactions. | Needs large/representative data; porting to new environments may require retraining/transfer. |
| Bi-LSTM IDS [33] | NSL-KDD | Bidirectional LSTM sequence model | Overall accuracy > 95%; markedly higher recall for rare U2R/R2L classes. | Training/inference heavy for fog; dataset dated; no online/drift evaluation. |
| Deep-IFS (Local GRUs and Multi-Head Attention) [34] | BoT-IoT | Distributed GRUs at fog; attention-based aggregation; residual links | Scaled to high IIoT volumes; outperformed centralized training on accuracy/F1/recall. | Non-trivial communications and computational overhead; best for fog with stronger processors. |
| DL with XAI [35] | NSL-KDD; UNSW-NB15 | DNN detector and XAI (RuleFit, LIME, SHAP) | Competitive detection while providing explanations to operators. | Explainable AI methods incur runtime costs; they may be too slow for strict real-time at the fog. |
| Cu-DNNGRU at Fog [36] | N-BaIoT | CUDA-optimized GRU (GPU-accelerated) | Accuracy 99.39% with high precision/recall; GPU parallelism speeds inference. | Possible overfitting to a clean dataset; many fog nodes lack GPUs/edge accelerators. |
| Hybrid DNN-kNN [37] | NSL-KDD; CICIDS2017 | Deep NN for feature learning and kNN classification | >99% accuracy with low latency at the fog layer in experiments. | Computational complexity is higher than simpler Machine Learning; tuning is required. |
| EHIDS (GA-tuned BPNN) [38] | ToN-IoT (and others) | Genetic Algorithm initializes/tunes Backprop NN; FS and normalization pipeline. | Higher accuracy with faster convergence; training time reduced by 37% and 16%. | GA adds initial optimization overhead; BPNN is less expressive than modern Deep Learning. |
| Edge AEs and Cloud Transformer-CNN-LSTM [39] | NSL-KDD; UNSW-NB15; AWID | Stacked autoencoders at fog for real-time anomaly/feature reduction; cloud ensemble for classification | Detection > 99%; balances latency/bandwidth by offloading heavy computational processing. | Complex multi-component system; depends on stable connectivity; AE must retain critical features. |
| DL NIDS on Fog Nodes [40] | UNSW-NB15; NSL-KDD | Deep learning-based network IDS deployed at the fog | Accuracy 91.20% (UNSW-NB15) and 95.40% (NSL-KDD). | Performance varies by dataset; details on resource usage/latency are limited. |
| Ensemble CNN-IDS (CNN and AlexNet) [41] | UNSW-NB15 with 9 attack classes | Random-Forest-based feature selection and CNN/AlexNet ensemble | 97.5% accuracy; outperformed traditional and related IDS baselines. | Supervised training needs labels; ensemble increases training/inference complexity. |
| ConvNeXt-Sf Lightweight IDS [42] | BoT-IoT; ToN-IoT | 1D ConvNeXt with ShuffleNet V2 ideas; LE-MMN preprocessing | 1.25% of ConvNeXt params; training time reduced by 82.63%, prediction time reduced by 56.48%; accuracy increased by 6.18% and false alarm rate reduced by 4.49% vs. baselines. | A supervised model that required substantial labeled data for deployment. |
| MECNN (MOEA/D-evolved CNN) [43] | AWID; CIC-IDS2017 | Multi-objective evolutionary search over CNN topologies (accuracy vs. complexity) | Accuracy reported up to 99.96%; selectable models per fog node, per constraint. | Evolutionary search/training costs are high; offline tuning is likely needed. |
| DRL at Fog and Cloud Ensemble [44] | CIC-IDS2018 | DRL agent for local binary decisions; cloud ensemble for multi-class | Botnet detection 99.99%; binary F-measure 0.9959; prediction latency = 0.52. | System complexity, stability of DRL, and dependence on the cloud for full multi-class labeling. |
| Lightweight Online-Ensemble IDS with explainable AI (XAI) [45] | ToN-IoT; BoT-IoT; Raspberry Pi 5 testbed | Adaptive online learners’ ensemble; real-time detection on fog; SHAP | Accuracy 96.4%; false positives 2.1%; 35 ms inference; interpretable. | Broader multi-platform, multi-attack trials needed. |