In this paper, we proposed a network intrusion detection system that combines a streaming machine learning model in the fog layer and an on-line labeling model in the cloud layer. The streaming learning model is based on the Adaptive XGBoost machine learning algorithm and is aiming to detect anonymous network traffic. The on-line labeling model is a batch-based machine learning model based on the Random Forest algorithm and is also responsible to label unknown traffic and provide updates to the streaming learning model in the fog layer. The proposed solution can effectively detect abnormal traffic in the fog layer that is connected with IoT devices. The streaming learning model can update the model at a lower cost as compared to the batch-based approach. To evaluate the proposed system, modern datasets are used to test the accuracy of the model. The experiment results show that with the cloud layer provides updates to the fog layer, the proposed scheme can effectively achieve better classification accuracy than the baseline method. And the stream learning-based approach can provide higher throughput than the batch-based approach.