Articles published on Moving target defense
348 Search results
- Research Article
- 10.1038/s41598-025-33426-4
- Dec 21, 2025
- Scientific reports
- Usman Wushishi + 5 more
The industrial Internet of Things (IIoT) systems are under mounting cyber threats that take advantage of the resource shortage and operational vulnerability of industrial systems. The current intrusion detection schemes are based on either the static or passive form of defense that is not dynamically adapted to the changing attacks. This paper presents D3O-IIoT, a progressive reinforcement learning model that dynamically coordinates deception techniques, including honeypot deployment, moving target defense, fake telemetry injection, and node isolation on the basis of real-time threat monitoring. The defense problem is formulated as a Markov Decision Process, in which a Dueling Deep Q-Network agent maximizes a multi-objective reward to balance between attack mitigation, deception engagement, false positive control and resource cost. Experiments on three IIoT datasets (CIC-IIoT2025, WUSTL-IIoT2021, TON-IoT) demonstrate that D3O-IIoT has a 13.7% attack mitigation rate with a 0.3% false alarm, which is an improvement of 293-767% (p < 0.0001) over baselines. Generalization is confirmed by cross-dataset validation (97.7% and 77.8% retention on TON-IoT and WUSTL-IIoT, respectively). Ablation results determine that the most critical component of reward is false positive control (51.4% degradation upon removal) and that sensitivity analysis indicates the possibility of 46.1% tunability through risk threshold change. The acquired policy favors isolation (71.2 per cent) on confirmed threats and honeypots (15.4 per cent) on reconnaissance with a 2.07 ms latency that can be deployed in real time. D3O-IIoT builds upon IIoT cybersecurity by substituting fixed set rule-based defenses with dynamic and learning-based deception orchestration, balancing various practical goals under resource-constrained conditions.
- Research Article
- 10.3390/fi17120580
- Dec 16, 2025
- Future Internet
- Yuyang Zhou + 2 more
Cloud-native microservice architectures offer scalability and resilience but introduce complex interdependencies and new attack surfaces, making them vulnerable to resource-exhaustion Distributed Denial-of-Service (DDoS) attacks. These attacks propagate along service call chains, closely mimic legitimate traffic, and evade traditional detection and mitigation techniques, resulting in cascading bottlenecks and degraded Quality of Service (QoS). Existing Moving Target Defense (MTD) approaches lack adaptive, cost-aware policy guidance and are often ineffective against spatiotemporally adaptive adversaries. To address these challenges, this paper proposes ScaleShield, an adaptive MTD framework powered by Deep Reinforcement Learning (DRL) that learns coordinated, attack-aware defense policies for microservices. ScaleShield formulates defense as a Markov Decision Process (MDP) over multi-dimensional discrete actions, leveraging a Multi-Dimensional Double Deep Q-Network (MD3QN) to optimize service availability and minimize operational overhead. Experimental results demonstrate that ScaleShield achieves near 100% defense success rates and reduces compromised nodes to zero within approximately 5 steps, significantly outperforming state-of-the-art baselines. It lowers service latency by up to 72% under dynamic attacks while maintaining over 94% resource efficiency, providing robust and cost-effective protection against resource-exhaustion DDoS attacks in cloud-native environments.
- Research Article
- 10.2478/raft-2025-0063
- Dec 1, 2025
- Land Forces Academy Review
- Răzvan Florea + 1 more
Defensive Deception is an advanced strategy in network security that aims to mislead, confuse, or delay cyber adversaries by introducing uncertainty and manipulating attacker perceptions. Unlike traditional defense mechanisms that focus on detection and prevention, deceptive techniques ‒ such as honeypots, honeytokens, moving target defense, and decoy systems ‒ proactively shape attacker behavior and create a more complex threat landscape. A critical aspect of modern defensive deception is the integration of game-theoretic models, which provide a rigorous mathematical framework for analyzing interactions between attackers and defenders. These models help in designing optimal deception strategies by anticipating adversary actions and balancing the trade-offs between risk, cost, and information gain. By leveraging deception and strategic reasoning, defenders can increase the attacker’s cognitive and operational burden, shift the asymmetry in cyber conflict, and significantly enhance the resilience of network systems.
- Research Article
- 10.1016/j.ins.2025.122488
- Dec 1, 2025
- Information Sciences
- Di Li + 4 more
Towards a moving target defense based on stochastic games and honeypots
- Research Article
- 10.29121/digisecforensics.v2.i2.2025.64
- Nov 28, 2025
- Journal of Digital Security and Forensics
- Paul Okanda + 1 more
Current threat intelligence systems often lack scalable, adaptive AI architectures capable of delivering real-time incident detection and dynamic response, particularly in resource-constrained environments such as judicial institutions. This paper presents a novel AI-driven architectural design for operational threat intelligence, specifically tailored to enhance cybersecurity in the Kenyan judiciary system. The proposed model integrates three foundational frameworks, namely Integrated Adaptive Cyber Defense (IACD), the Cyber Kill Chain, and Moving Target Defense (MTD), into an architecture that supports real-time data ingestion, continuous AI model retraining, and automated response orchestration. Key features include a dynamic feedback loop for adaptive learning, AI-powered multi-stage threat detection aligned with attack lifecycle mapping, and resource-efficient dynamic defense mechanisms suitable for low-resource judicial environments. This design significantly improves incident response capabilities by enabling faster, more accurate threat detection and automated mitigation, reducing mean time to detect and respond. By providing a scalable, transparent, and explainable AI model, the architecture offers a practical blueprint for enhancing cybersecurity resilience in judicial systems worldwide, with applicability to the unique challenges faced by Kenyan courts. This study lays the foundation for future extensions involving federated learning to enable secure, multi-court deployments, further strengthening collective judicial cybersecurity defenses.
- Research Article
- 10.3390/computers14120513
- Nov 24, 2025
- Computers
- Fangbo Hou + 5 more
Moving Target Defense (MTD) has been proposed as a dynamic defense strategy to address the static and isomorphic vulnerabilities of networks. Recent research in MTD has focused on enhancing its effectiveness by combining it with cyber deception techniques. However, there is limited research on evaluating and quantifying this hybrid defence framework. Existing studies on MTD evaluation often overlook the deployment of deception, which can expand the potential attack surface and introduce additional costs. Moreover, a unified model that simultaneously measures security, reliability, and defense cost is lacking. We propose a novel hybrid defense effectiveness evaluation method that integrates queuing and evolutionary game theories to tackle these challenges. The proposed method quantifies the safety, reliability, and defense cost. Additionally, we construct an evolutionary game model of MTD and deception, jointly optimizing triggering and deployment strategies to minimize the attack success rate. Furthermore, we introduce a hybrid strategy selection algorithm to evaluate the impact of various strategy combinations on security, resource consumption, and availability. Simulation and experimental results demonstrate that the proposed approach can accurately evaluate and guide the configuration of hybrid defenses, demonstrating that hybrid defense can effectively reduce the attack success rate and unnecessary overhead while maintaining Quality of Service (QoS).
- Research Article
- 10.1109/tsmc.2025.3605339
- Nov 1, 2025
- IEEE Transactions on Systems, Man, and Cybernetics: Systems
- Lezhong Xu + 4 more
Switching-Based Moving Target Defense Control Against Cyberattacks
- Research Article
- 10.47363/jaicc/2025(4)502
- Oct 31, 2025
- Journal of Artificial Intelligence & Cloud Computing
- Shuvalaxmi Dass
Misconfigurations in software systems are a persistent source of security vulnerabilities, particularly within static architectures that fail to adapt over time. Moving Target Defense (MTD) offers a proactive approach by dynamically altering the system’s attack surface, thereby reducing exposure. This paper builds upon an MTD model, RL-MTD, which leverages Reinforcement Learning (RL) to generate adaptive secure configurations. Although effective, RL-MTD faces limitations due to an unoptimized and sparse search space. To address this, two hybrid models—GA-RL and PSO-RL—are proposed, integrating Genetic Algorithm (GA) and Particle Swarm Optimization (PSO) into the RL-MTD framework. Experiments on four misconfigured SUTs show both models outperform the baseline. Notably, PSO-RL yields the most secure configurations in most scenarios. The authors present a prototype demonstrating how PSO-RL could be applied on a constrained Windows 10 system to defend against an attack. These findings enhance MTD-based adaptive cybersecurity via optimized search.
- Research Article
- 10.3390/app152111432
- Oct 25, 2025
- Applied Sciences
- Dexian Chang + 3 more
Crossfire attacks disrupt network services by targeting critical links of server groups, causing traffic congestion and server failures that prevent legitimate users from accessing services. To counter this threat, this study proposes a novel topology spoofing defense mechanism based on a sequence-based Graph Neural Network–Moving Target Defense (ENRNN-MTD). During the reconnaissance phase, the method employs a GNN to generate multiple random and diverse virtual topologies, which are mapped to various external hosts. This obscures the real internal network structure and complicates the attacker’s ability to accurately identify it. In the attack phase, an IP random-hopping mechanism using a chaotic sequence is introduced to conceal node information and increase the cost of launching attacks, thereby enhancing the protection of critical services. Experimental results demonstrate that, compared to existing defense mechanisms, the proposed approach exhibits significant advantages in terms of deception topology randomness, defensive effectiveness, and system load management.
- Research Article
- 10.54554/jtec.2025.17.03.002
- Sep 30, 2025
- Journal of Telecommunication, Electronic and Computer Engineering (JTEC)
- Abba Hali + 1 more
The research evaluates the effectiveness of shuffle-based Moving Target Defense (MTD) on host and network systems using a temporal graph-based security model, T-HARM. A novel dynamic security metric, the Reward-Based Metric (RBM), is introduced to assess the impact of MTD from the defender’s perspective, capturing changes in system resilience and attacker effort. The study involves implementing shuffle-based MTD techniques, defining and integrating the new metric with existing ones, and conducting simulation-based experiments to analyze security posture over time. The results show that the dynamic metric more accurately reflects real-time security changes, and that shuffle-based MTD significantly increases attack complexity and delays system compromise, thereby enhancing overall network defense.
- Research Article
- 10.33093/jetap.2025.7.2.13
- Sep 15, 2025
- Journal of Engineering Technology and Applied Physics
- Soomal Qureshi + 3 more
The surge of IoT devices has revolutionized the world, but the inherent complexity and vulnerabilities of these devices pose significant security risks. Among security challenges, distributed denial of service (DDoS) attacks stand out as a major cybersecurity issue aimed at interfering with regular systems. This paper conducts a gap analysis of existing research on DDoS attacks in the context of SDN-oriented IoT devices. The research focus is on comparing algorithms and mitigation strategies proposed in different research papers and evaluating their efficiency and cost-effectiveness, as previous research efforts have taken a variety of approaches, some focused on inexpensive but ineffective procedures, while others focused on expensive but effective procedures. However, few studies have investigated both cost and performance effectiveness simultaneously. The main objective of this research paper is to evaluate and compare different strategies proposed in the literature to protect Software Defined Network oriented IoT devices from DDoS attacks through an active approach using MTD (Moving Target Defense) technique. The goal of this strategy is to protect the network from attacks while remaining cost-effective through gap analysis to suggest that the Moving Target Defense technique is less complex than previous approaches to provide better security measures and protection against DDoS attacks on networks.
- Research Article
- 10.3390/app15148032
- Jul 18, 2025
- Applied Sciences
- Yukun Niu + 5 more
Cloud–edge collaboration industrial control systems (ICSs) face critical security and privacy challenges that existing dynamic heterogeneous redundancy (DHR) architectures inadequately address due to two fundamental limitations: event-triggered scheduling approaches that amplify common-mode escape impacts in resource-constrained environments, and insufficient privacy-preserving arbitration mechanisms for sensitive industrial data processing. In contrast to existing work that treats scheduling and privacy as separate concerns, this paper proposes a unified polymorphic heterogeneous security architecture that integrates hybrid event–time triggered scheduling with adaptive privacy-preserving arbitration, specifically designed to address the unique challenges of cloud–edge collaboration ICSs where both security resilience and privacy preservation are paramount requirements. The architecture introduces three key innovations: (1) a hybrid event–time triggered scheduling algorithm with credibility assessment and heterogeneity metrics to mitigate common-mode escape scenarios, (2) an adaptive privacy budget allocation mechanism that balances privacy protection effectiveness with system availability based on attack activity levels, and (3) a unified framework that organically integrates privacy-preserving arbitration with heterogeneous redundancy management. 
Comprehensive evaluations using natural gas pipeline pressure control and smart grid voltage control systems demonstrate superior performance: the proposed method achieves 100% system availability compared to 62.57% for static redundancy and 86.53% for moving target defense, maintains 99.98% availability even under common-mode attacks ($10^{-2}$ probability), and consistently outperforms moving target defense methods integrated with state-of-the-art detection mechanisms (99.7790% and 99.6735% average availability when false data deviations from true values are 5% and 3%, respectively) across different attack detection scenarios, validating its effectiveness in defending against availability attacks and privacy leakage threats in cloud–edge collaboration environments.
- Research Article
- 10.1109/jiot.2025.3560127
- Jul 15, 2025
- IEEE Internet of Things Journal
- Yexiang Chen + 2 more
Moving Target Defense Against Adversarial False Data Injection Attacks in Power Grids
- Research Article
- 10.1109/tsmc.2025.3561037
- Jul 1, 2025
- IEEE Transactions on Systems, Man, and Cybernetics: Systems
- Haiyan Zhao + 3 more
Competition and Cooperation of Multiagent System for Moving Target Defense With Dynamic Task-Switching
- Addendum
- 10.1016/j.ins.2025.122537
- Jul 1, 2025
- Information Sciences
- Di Li + 4 more
Corrigendum to “Towards a moving target defense based on stochastic games and honeypots”. [Inf. Sci. 720 (2025) 122488]
- Research Article
- 10.1007/s43926-025-00161-1
- Jun 4, 2025
- Discover Internet of Things
- Andreas Andreou + 4 more
Network slicing is revolutionizing how networks are built and managed by enabling the flexible and efficient allocation of resources to meet diverse application requirements. Yet this flexibility introduces significant security challenges that must be addressed to maintain system integrity and performance. Therefore, this article presents a novel framework integrating Deep Reinforcement Learning (DRL) with Moving Target Defense (MTD) strategies to create a dynamic, multi-layered security system. By modelling the problem as a Markov Decision Process (MDP), the proposed framework leverages advanced DRL algorithms to learn optimal policies for deploying MTD mechanisms across network slices by continuously adapting defences to counter evolving cyber threats. Simulations, including comparative evaluation with baseline DRL and heuristic methods, demonstrate this integrated approach’s superiority in mitigating cyber-attacks while maintaining high network performance.
- Research Article
- 10.1016/j.cose.2025.104380
- Jun 1, 2025
- Computers & Security
- Mohammed Tanvir Masud + 4 more
Vulnerability defence using hybrid moving target defence in Internet of Things systems
- Research Article
- 10.3390/electronics14112205
- May 29, 2025
- Electronics
- Dilli Prasad Sharma
The Internet of Things (IoT) networks face an increasing number of cyber threats due to their heterogeneous, distributed, and resource-constrained nature. Conventional static defense mechanisms are often inadequate against sophisticated and advanced persistent threats. Moving Target Defense (MTD) is a dynamic proactive security method that increases system resilience by continuously changing the attack surface, thereby increasing uncertainty and complexity for attackers. In this paper, we evaluate the effectiveness of shuffling or diversity-based MTD methods using time-to-compromise and security risk metrics. We develop attack path-based mean time-to-compromise and security risk reduction metrics for assessing the effectiveness of MTD. These metrics provide a quantitative basis for evaluating how well MTD techniques delay successful compromises and lower overall security risk exposure. The performance of the deployed MTD mechanism is evaluated and discussed for different attacker skill levels and shuffling frequencies.
- Research Article
- 10.1080/19393555.2025.2502560
- May 12, 2025
- Information Security Journal: A Global Perspective
- Lalit Kulkarni + 5 more
The increasing use of 5G networks in core sectors necessitates its adequacy in terms of security. This paper presents a new mathematical model that bolsters cybersecurity in critical infrastructures based on 5G technology. This framework incorporates the Moving Target Defence (MTD) method with a dynamic game theory model to respond to the fact that cyber threats are not static when a critical infrastructure has 5G facility. The new game-theoretic concept enhances defense processes against cyber threats targeted on mobile networks in critical infrastructure. It has been developed for a game of incomplete information with two players, an attacker and a defender, where both have resource constraints and MTD. The suggested model is tested via various simulations and benchmarked against traditional static defense methods. Results demonstrate significant improvements across multiple metrics: a 23% boost in the network reliability, a 17.1% drop in the false positives ratios and a 24.1% improvement in resource utilization. This work benefits the field as it provides insight into how game theoretical methods can be applied when addressing the security issues of a 5G-supported utility infrastructure environment to ensure a safer, more secure and much more reliable world in the future.
- Research Article
- 10.1002/ett.70136
- May 1, 2025
- Transactions on Emerging Telecommunications Technologies
- Saravanan Kumarasamy + 1 more
Cloud computing is an innovative technology that provides computing services over the internet and replaces the requirement to own physical hardware or software. Security threats present a wide range of risks to cloud computing, and a security threat defense plays a significant role in cloud computing. Virtual machines (VM) serve as the backbone, providing flexible and scalable resources for running and storing data. Moving Target Defense (MTD) and Blockchain enhance security and privacy by reducing the chances of successful attacks and minimizing the impact of security attacks. To address these issues, we propose integrating MTD and blockchain technologies within the cloud computing environment named Hybrid Secure Onlooker (HSO). The proposed work involves several entities, including Cloud Users (CUs), Centralized Subnet Manager (CSM), Distributed Group Manager (DGM), Consortium Block Module (CBM) and Private Block Module (PBM). Initially, we perform Multi‐Factor Authentication (MFA) to establish secure communication and to avoid malicious traffic. Followed by this, we utilize the Komoda Miliphir optimization (KMO) algorithm to perform CUs' task scheduling based upon the task types, task sensitivity, and task size. Entrenched in the scheduled tasks, the CSM performs classification and grouping of cloud VMs, assigning them to their capacity, security protocols, and availability, utilizing the Residual Flowed Capsule Network (RFC‐Net). The grouped subsets are overseen and managed by the DGM, which handles MTD operations such as virtual switch placement and VM migration within the subsets. Finally, the transactions are stored in the hybrid blockchain layer with CBM and PBM to ensure privacy and security. The is the implementation tool for realizing the proposed HSO model. The proposed model can be examined based on several metrics with state‐of‐the‐art work comparisons. The results show that the proposed HSO model outperforms the state‐of‐the‐art models.