<p>Cyber deception in Industrial Internet of Things (IIoT) environments faces a fundamental challenge, insufficient deception investment fails to trap attackers, while excessive deployment causes rational adversaries to accumulate skepticism, progressively neutralizing deceptive mechanisms. To the best of our knowledge, no existing reinforcement learning (RL) framework has jointly characterized the optimal deception investment level under these dynamics and trained against a co-evolutionary adversary that explicitly models skepticism accumulation. This paper introduces Co-ADAM, a Co-evolutionary Adaptive Deception-Aware Multi-mechanism defense framework that formalizes IIoT cyber deception as a constrained Markov decision process (CMDP) with an embedded signaling game. We establish that the co-evolutionary training will reach some equilibrium of skepticism (Lemma 1, Propositions 1, 2) and characterize the resulting joint policy as an <i>ε</i>-Nash deception equilibrium with exploitability <i>ε</i> = 2.4523 (4.43% normalized). A deep Q-network (DQN) defender is trained against an adaptive attacker pool of size <i>K</i> = 10 across 5000 episodes, with skepticism dynamics, attacker momentum, and budget constraints embedded directly in the environment. Compared to seven baselines over three IIoT datasets, CIC-IIoT 2025, WUSTL-IIoT 2021 and Edge-IIoTset, Co-ADAM attains an Attack Mitigation Rate (AMR) of 0.8363 under random and 0.8033 under adaptive attackers, with cumulative rewards of 147.91 and 102.52 respectively, all differences are statistically significant at <i>p</i> &lt; 0.001. The learned policy transfers across heterogeneous IIoT environments with 99.61% mean AMR retention, scales to 1000 devices with less than 0.26% AMR degradation, and converges empirically at episode 1377. The most significant element of the architecture confirmed in ablation as adversarial skepticism (Cohen’s <i>d</i> = 3.57), forms the foundation of principled skepticism modeling as a critical component of deception-based IIoT defense. Physical validation on a 10-day IIoT testbed comprising a Centerm D660 honeypot, three ESP32 sensors, and a Kali Linux attack machine confirms simulation findings with testbed AMR of 0.9975 exceeding simulation AMR of 0.8363.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Co-ADAM: a co-evolutionary signaling game framework for equilibrium cyber deception in industrial IoT

  • Usman Wushishi,
  • Nasir Hussain,
  • Altaf Hussain,
  • Amal Al-Rasheed,
  • Zahid Ullah

摘要

Cyber deception in Industrial Internet of Things (IIoT) environments faces a fundamental challenge, insufficient deception investment fails to trap attackers, while excessive deployment causes rational adversaries to accumulate skepticism, progressively neutralizing deceptive mechanisms. To the best of our knowledge, no existing reinforcement learning (RL) framework has jointly characterized the optimal deception investment level under these dynamics and trained against a co-evolutionary adversary that explicitly models skepticism accumulation. This paper introduces Co-ADAM, a Co-evolutionary Adaptive Deception-Aware Multi-mechanism defense framework that formalizes IIoT cyber deception as a constrained Markov decision process (CMDP) with an embedded signaling game. We establish that the co-evolutionary training will reach some equilibrium of skepticism (Lemma 1, Propositions 1, 2) and characterize the resulting joint policy as an ε-Nash deception equilibrium with exploitability ε = 2.4523 (4.43% normalized). A deep Q-network (DQN) defender is trained against an adaptive attacker pool of size K = 10 across 5000 episodes, with skepticism dynamics, attacker momentum, and budget constraints embedded directly in the environment. Compared to seven baselines over three IIoT datasets, CIC-IIoT 2025, WUSTL-IIoT 2021 and Edge-IIoTset, Co-ADAM attains an Attack Mitigation Rate (AMR) of 0.8363 under random and 0.8033 under adaptive attackers, with cumulative rewards of 147.91 and 102.52 respectively, all differences are statistically significant at p < 0.001. The learned policy transfers across heterogeneous IIoT environments with 99.61% mean AMR retention, scales to 1000 devices with less than 0.26% AMR degradation, and converges empirically at episode 1377. The most significant element of the architecture confirmed in ablation as adversarial skepticism (Cohen’s d = 3.57), forms the foundation of principled skepticism modeling as a critical component of deception-based IIoT defense. Physical validation on a 10-day IIoT testbed comprising a Centerm D660 honeypot, three ESP32 sensors, and a Kali Linux attack machine confirms simulation findings with testbed AMR of 0.9975 exceeding simulation AMR of 0.8363.