Abstract
Escalating distributed denial of service (DDoS) attacks severely threaten the security of the industrial internet of things (IIoT). This paper introduces moving target defense (MTD) as an adaptive means of fortifying IIoT security against DDoS attacks. Dynamically reconfiguring network elements and service placements makes it difficult for attackers to target specific vulnerabilities. We propose an MTD traffic manager (MTDTM) architecture that enables early detection and mitigation of DDoS attacks within resource-constrained edge clouds. A traffic classifier integrated into the model filters incoming traffic while preserving the real-time responsiveness that IIoT applications demand. Dynamic admission rules and relocation of service replicas distribute the traffic efficiently, keeping services available to legitimate users. Unlike traditional static defenses, the adaptive approach keeps pace with the evolving DDoS threat landscape of IIoT and safeguards critical industrial processes. Simulation results validate the efficiency of the algorithm while maintaining acceptable quality of service: service response times improve by 15% to 20% compared with existing algorithms, and average resource availability during DDoS attacks is significantly higher across the parameter variations studied.
Introduction
The key industries essential to society, including healthcare, transportation, mining, manufacturing, oil and gas, and energy distribution via smart grids, have evolved to enhance service quality. The advent of Industry 4.0 introduced the IIoT, integrating cyber-physical systems (CPS) and centralized engineering to improve operational efficiency. A critical component of Industry 4.0 is Edge Computing (EC), which meets real-time processing demands by handling data locally and thereby reducing latency. By processing data from nearby devices, EC minimizes wide-area data exchange and prevents network congestion1. Despite these advantages, widespread internet connectivity has increased exposure to vulnerabilities, particularly zero-day exploits. Edge servers, which are integral to IIoT architectures, have limited computing and storage capacity, so a single edge server is highly susceptible to DDoS attacks. A successful DDoS attack can trigger a domino effect, compromising interconnected systems and jeopardizing the stability of essential infrastructures2.
In response to these threats, various DDoS mitigation strategies have been proposed, including firewalls, intrusion detection systems (IDS), cloud-based solutions, and fog computing. While these techniques offer some level of protection, they often rely on prior knowledge of attack patterns, making them less effective against evolving threats. Attackers leverage persistent reconnaissance to uncover system weaknesses, and traditional cloud-based defenses are less effective at blocking attacks originating from local networks3. In contrast, network-based mechanisms, especially those deployed at the router level, offer faster and more precise attack responses.
To address these challenges, there is a growing emphasis on adaptive and proactive security solutions. MTD has emerged as a promising paradigm, leveraging dynamic reconfiguration of network elements to increase uncertainty for attackers. By continuously altering network topologies, service placements, and communication paths, MTD strategies disrupt reconnaissance efforts and increase the cost of successful attacks.
The primary motivation of this work is to present a comprehensive solution for mitigating DDoS attacks targeting IIoT systems. The proposed solution is designed to embody three key qualities:
1. Dynamic Security: The system dynamically adapts to evolving attack strategies, ensuring a robust and responsive defense.
2. Adaptive Network Properties: By integrating adaptive mechanisms, the solution adjusts defense strategies in real time to counter varying attack patterns effectively.
3. Guaranteed QoS and Security Goals: The approach balances seamless service delivery with robust security measures, ensuring high resilience against DDoS attacks without compromising Quality of Service (QoS).
This solution aims to proactively address security vulnerabilities while preserving the performance and reliability of critical IIoT services.
Contribution and plan of research article
The main contributions can be summarized as follows:
- An MTD-based proactive defense mechanism is introduced to mitigate DDoS attacks, using a generic approach to internet traffic classification. The classifier leverages time- and size-related information from network flows rather than manually extracted features, and its two-stage design identifies malicious traffic accurately with few false positives.
- Malicious traffic overloads are prevented by rejecting harmful requests early and balancing load across edge nodes for optimal resource utilization. The integration of admission control and service migration mitigates DDoS attacks close to their origin and dynamically confines attackers to a limited scope, preserving the system's available resources.
- A resilient gossip protocol is implemented for service migration, redistributing load across edge clouds efficiently without relying on a central node.
- Edge cloud processing is leveraged to enable horizontal scalability and reduce latency.
The rest of the paper is structured as follows: Section "Related work" reviews related work on DDoS mitigation strategies, MTD techniques, and traffic classifiers. The system model’s background and the underlying assumptions are provided in section "Background and assumptions". Section "Proposed model" presents the proposed MTDTM architecture, detailing dynamic admission control, service migration, and network reconfiguration. Section "Simulation" covers the simulation parameters and experimental setup of the model. Section "Results and discussion" describes the implementation challenges and provides a comparative analysis of MTDTM against baseline DDoS defense methods, highlighting its effectiveness in attack mitigation and resource optimization. Section "Conclusion" concludes the paper by summarizing key findings and discusses open research challenges and future directions.
Related work
In IIoT environments, common DDoS attacks include UDP flooding, which bombards servers with fake datagrams; ICMP flooding, which exhausts bandwidth through excessive error messages; and TCP SYN flooding, which abuses the handshake mechanism to deplete server resources. Additional threats include Ping of Death, which crashes devices with oversized packets; HTTP floods, which exploit GET/POST requests to drain computational capacity; and NTP amplification, which leverages reflection to generate high-volume traffic. Smurf attacks overwhelm victims with ICMP echo replies, while TCP reset attacks sever active connections through forged reset packets4. Many strategies have been proposed and tested for defending IIoT against DDoS attacks. Zhou et al.3 proposed a fog-based mitigation mechanism in which virtual network functions (VNF) on local servers monitor real-time traffic. Their three-layer architecture has a first layer handling firewall-based rule-based traffic filtering, a second layer handling VNF-based specification-based network traffic analysis on local servers, and a third layer coordinating and consolidating data from dispersed fog nodes. Yan et al.5 proposed a multi-level DDoS mitigation framework to address the interoperability problem of IIoT, combining edge, fog and cloud computing levels to mitigate DDoS attacks with Software-Defined Networking (SDN) to manage IIoT devices. However, the static nature of its network configuration limits the efficiency of the countermeasures. In another approach, deep learning was used for feature selection within the ISP domain to detect and mitigate DDoS attacks6; such an approach is computationally expensive for real-time applications.
Our previous study7 introduced a hardware-based network architecture using PUFs, specifically TERO PUF, to combat DDoS attacks. This approach reduced computational overhead and ensured uninterrupted communication with legitimate clients, even in the presence of attackers, as demonstrated in large-scale NS-3 simulations. Scalability and the need for dynamic configuration changes were areas of ongoing concern.
Nevertheless, MTD has become a viable option and has drawn increasing interest in cybersecurity8. It counters common DDoS threats by dynamically modifying system configurations, making it difficult for attackers to pinpoint and exploit vulnerabilities. Dynamic admission control restricts access to isolate malicious traffic, while service migration shifts critical workloads across edge clouds to prevent persistent targeting. By continuously altering network parameters, MTD diminishes the effectiveness of reconnaissance, raises attacker costs, and strengthens IIoT security and resilience9. Cai et al.10 introduced a security model built on MTD principles, highlighting the shift from traditional static defenses to dynamic, adaptive strategies that continuously alter the attack surface to complicate attacks. They classified MTD work into three main areas (MTD theory, MTD strategy, and MTD evaluation), outlined their characteristics and suggested future research directions. Li et al.11 presented a model called A3PF, designed to detect anomalies in network traffic by leveraging prior knowledge of network attacks. It features an adaptive query strategy that selects the most informative data points and an augmented update method that creates pseudo labels for unlabeled data, improving the model's flexibility and accuracy; the adaptive model showed notable performance improvements. In 2016, Venkatesan et al.12 proposed an MTD technique in which the proxies between client and server are reconfigured dynamically, invalidating knowledge accumulated by adversaries. In 2018, Steinberger et al.13 proposed combining MTD with SDN to limit large-scale DDoS attacks. Liu et al.14 proposed combining network function virtualization (NFV) with SDN, using a reverse proxy to relay traffic so that attack traffic cannot reach the target server directly.
These solutions had several drawbacks, such as delayed or slow response, complicated models that lead to less efficient decision-making, and reduced QoS. In 2020, Zhou et al.15 proposed a low-cost MTD solution built on SDN-based cloud infrastructure. To determine the best MTD strategies, some researchers have turned to game theory16,17,18, modeling scenarios in which both the attacker and the defender make strategic choices to achieve their optimal outcome. Other approaches, such as Markov decision process (MDP) and Markov game-based methods, have also been employed for analysis and decision-making19,20,21. However, most of them ignored the cost of defense while improving its effectiveness. Zhou et al.9 suggested an additional approach for enhancing real-time decision-making efficiency in the IIoT context, employing constrained Markov decision processes (CMDP) to model the multi-stage optimization problem. Javadpour et al.22 introduced SCEMA, an SDN-based cost-effective MTD approach that mitigates DDoS attacks by optimizing host shuffling with minimal complexity, validated through mathematical modeling and Mininet simulations. Additionally, Amir et al.23 proposed a dynamic defense strategy integrating MTD with adaptive resource allocation to enhance network resilience against evolving cyber threats.
Another problem with MTD technique is resource allocation. Literature highlights various approaches to improving security, resource allocation, and efficiency in cloud and edge computing environments. Aghazadeh et al.24 conducted a systematic literature review on proactive content caching in edge computing, classifying techniques into model-based, machine-learning-based, and heuristic-based approaches to enhance cache hit rates and reduce energy consumption and network latency. Jazayeri et al.25 proposed a latency-aware and energy-efficient computation offloading method in mobile fog computing using a Hidden Markov Model to optimize energy consumption and execution time. Ghorbian et al.26 reviewed function placement approaches in serverless computing, emphasizing machine learning and optimization-based techniques for efficient function execution. Another study by Ghorbian et al.27 analyzed cold start latency in serverless computing, presenting optimization strategies such as checkpointing and predictive scheduling to mitigate initialization delays. Lastly, Aslani and Ghobaei-Arani28 examined machine learning inference models in serverless environments, classifying them into service-level objective-aware, acceleration-aware, framework-aware, and latency-aware strategies to improve scalability and cost efficiency. While these studies present significant advancements, gaps remain in integrating security-focused dynamic resource allocation with proactive caching and offloading techniques. Moreover, optimizing function placement in serverless computing for real-time applications still faces challenges in balancing cost, latency, and energy efficiency.
Moreover, determining the nature of incoming traffic helps expose anomalous behavior immediately. Internet traffic is classified to determine the type of incoming information and to track user behavior. Classification aids anomaly detection and traffic engineering, but it has become challenging as more internet traffic is encrypted. Classical approaches, such as payload-based traffic classification (also known as deep packet inspection or DPI)29,30 and port-based methods that use TCP/UDP packet header fields, have limitations such as privacy concerns, computational complexity, and decreased effectiveness in the presence of dynamic and non-default ports. Statistical and machine learning-based methods have been studied to address these issues; they manually extract size- and time-related features and apply pattern matching or supervised learning algorithms as classifiers31. Hybrid approaches combining classifiers based on port numbers, packet payload signatures, and other information have also been proposed32.
In recent studies, deep learning techniques have been employed to classify internet traffic. Lopez-Martin et al.33 combined a recurrent neural network (RNN) with a convolutional neural network (CNN) to categorize traffic based on six features for each packet in a session. By incorporating port information they achieved an accuracy above 95%, but only 84% without it, exposing the method's dependence on port numbers. Chen et al.34 transformed flow data into an image of the flow parameter auto-convolution and fed it to a neural network; however, their approach was not described thoroughly enough for comparison, and they also used supplementary information such as the target IP. Zhang et al.35 proposed a self-updating model to handle new applications, while Pacheco et al.36 presented a deep learning-based framework for classifying heterogeneous internet traffic in satellite communications. Iliyasu and Deng37 tackled the difficulty of labeling large encrypted traffic datasets and introduced a semi-supervised method based on DCGAN, producing accurate results with only a few labeled samples. Hassan et al.38 integrated entropy-based alerting with clustering analysis, effectively combining statistical and machine learning techniques, but the approach is not suited to real-time response in the IIoT because of its computational overhead and high false-positive rate. Similarly, Ahmad et al.39 advocated federated learning to detect and prevent DDoS attacks; privacy and scalability improved significantly, but real-time execution remains a concern. Shapira and Shavitt40 recently introduced FlowPic, which transforms packet sizes and inter-arrival times into images and applies standard image-classification deep learning to assign the FlowPic images to traffic categories, achieving high accuracy; they used the same approach to classify applications.
Roy et al.41 introduced a method for rapidly classifying network data that utilizes a combination of ODENet and LSTM. The technique can achieve accurate classification results using only a small number of packets from a unidirectional flow, all while preserving privacy.
The state-of-the-art defense models for DDoS attacks are summarized and compared in Table 1. The table highlights that SDN-based defense, MTD, and scrubbing centers are the most effective options among those listed.
Background and assumptions
This section contains the system model, threat model, and the assumptions used to characterize the attacker’s behavior, the defense mechanism, and the standard user reactions. We considered the two major constraints in the IIoT scenario: limited resources and time-sensitive applications. So, we attempt to reduce the compromised edge clouds while staying within the system’s constraints.
Preliminaries
MTD
Such strategies continually change both the attack surface and the exploration surface, confounding attackers and escalating the difficulty and cost of their efforts. This compels attackers to persistently chase their target, negating any time, information, or cost advantage. MTD strategies fall into spatial and temporal categories: spatial strategies are classified by attributes such as the layer of the network protocol stack they act on, while temporal strategies can be time-driven or event-driven. In the proposed architecture, we employ MTD at the network layer, focusing on switching parameters that affect network routing paths. To handle volumetric DDoS attacks, traffic rerouting and load balancing distribute malicious traffic across multiple nodes, preventing congestion. SDN-based network adaptation allows real-time traffic monitoring and policy adjustments to redirect attack flows dynamically. Furthermore, AI-driven behavioral analysis continuously identifies suspicious activity and fine-tunes security parameters to counter evolving threats.
Gossip protocol
To oversee the condition of nodes and resources within large distributed systems, we have implemented the gossip protocol. A crucial element of gossip-based monitoring is that nodes form a synchronized view of particular nodes. The protocol is used to select peers from the current neighbor set, share status information with those peers, and process the received data to update each node's perception of the others. Data synchronization among replica nodes starts when a seed node publishes its updated state to the network, initiating gossip propagation. Propagation continues from node to randomly selected neighbors until all nodes have the information11. In such a network, nodes can be added or removed without affecting the spread of information, even if some nodes fail. The protocol's benefits include scalability, fault tolerance, decentralization, consistent convergence, and simple implementation, making it a good choice for status updates.
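The propagation just described, as an added example that is not part of the original article: a small Python simulation of push-style gossip among edge-cloud nodes. A seed node publishes a versioned status record, every node holding it forwards it to one randomly chosen live peer per round, and nodes adopt a record only if its version is newer, so all live nodes converge on the same view. The node count, the constructed load values carried in the status, the failed node and the fanout are assumptions made for the demonstration; the final helper shows what the converged view is used for here, choosing the least-loaded live node as a migration target.

```python
"""Gossip-based status propagation among edge-cloud nodes (added example,
not the paper's implementation). All node IDs, load values and the failed
node below are constructed for the demonstration."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Status:
    version: int          # monotonically increasing; newer always wins
    loads: Dict[int, int]  # node id -> reported load (constructed values)


@dataclass
class Node:
    nid: int
    alive: bool = True
    status: Optional[Status] = None


def merge(node: Node, incoming: Status) -> bool:
    """Adopt the incoming record only if it is newer than what the node holds.
    Returns True if the node's view changed."""
    if node.status is None or incoming.version > node.status.version:
        node.status = incoming
        return True
    return False


def gossip(nodes: List[Node], seed_id: int, initial: Status,
           fanout: int = 1, rng: Optional[random.Random] = None,
           max_rounds: int = 1000) -> int:
    """Push gossip: each round, every live node that already holds the new
    version forwards it to `fanout` randomly chosen live peers. Failed nodes
    neither send nor receive. Returns the number of rounds until every live
    node holds the version (max_rounds if it never converged)."""
    rng = rng or random.Random(0)   # seeded for reproducible runs
    by_id = {n.nid: n for n in nodes}
    live = [n for n in nodes if n.alive]
    merge(by_id[seed_id], initial)
    for rnd in range(1, max_rounds + 1):
        informed = [n for n in live
                    if n.status is not None and n.status.version == initial.version]
        if len(informed) == len(live):
            return rnd - 1
        for sender in informed:
            peers = [p for p in live if p is not sender]
            for peer in rng.sample(peers, k=min(fanout, len(peers))):
                merge(peer, sender.status)
    return max_rounds


def converged(nodes: List[Node], version: int) -> bool:
    """True when every live node holds the given status version."""
    return all(n.status is not None and n.status.version == version
               for n in nodes if n.alive)


def least_loaded(nodes: List[Node]) -> int:
    """Migration target chosen from the gossiped view: the live node with the
    lowest reported load (failed nodes are excluded even if the view lists them)."""
    view = next(n.status for n in nodes if n.alive and n.status is not None)
    live_ids = {n.nid for n in nodes if n.alive}
    return min((nid for nid in view.loads if nid in live_ids),
               key=lambda nid: view.loads[nid])


if __name__ == "__main__":
    edge_nodes = [Node(i) for i in range(12)]
    edge_nodes[11].alive = False          # a failed edge node must not block convergence
    report = Status(version=1, loads={i: 100 - 7 * i for i in range(12)})
    rounds = gossip(edge_nodes, seed_id=0, initial=report)
    print("rounds:", rounds, "converged:", converged(edge_nodes, 1),
          "migrate to node", least_loaded(edge_nodes))
```

Because versions are monotonic, a stale record that arrives late (for instance from a node that was partitioned during the update) is discarded by `merge`, which is what keeps the replicas' view consistent without a coordinator.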
System architecture
Our study focuses on an IIoT system that utilizes SDN technology. The use of SDN architecture in this system has improved network scalability, security, and reliability. The SDN controller allows for efficient data flow management and reduced operational costs. In Fig. 1, we present the system architecture and Fig. 2 shows the sequence diagram representing the interaction between components. The perception layer comprises sensors, actuators, and devices that collect data. The application layer processes this data to generate insights and facilitate decision-making. This layer comprises access points and edge clouds. Finally, the control layer, which features an SDN controller, manages and controls the network infrastructure. The controller communicates with switches and routers through the OpenFlow protocol to effectively manage the data flow. Table 2 includes a list of notations and symbols used in the article, along with their meanings and descriptions.
Assumption 1
The number of edge clouds offering computation resources to the IIoT system is N, and T is the time horizon for the defense operations. Dynamic admission control and shuffling or shifting the classified internet traffic are the two MTD mechanisms adopted by the SDN controller in each time step to combat attacks. Each edge cloud offers an S number of services, and each service has an R number of replicas.
Assumption 2
The resource constraint of an edge cloud can vary widely depending on factors such as the hardware specifications of the cloud infrastructure, the network connection capacity, and the demands of other applications running on the cloud. We therefore assume that \(C_i\) denotes the resource constraint of the \(i^{th}\) edge cloud, i = {1,2,..., N}, as determined by its intended use and the underlying hardware and software capabilities.
Threat model
We assume that the attacker has access to large botnets and can launch strategic attacks. We assume the network platform, SDN controller, and service provider are trustworthy, while attackers come from an external network. A clever and strategic adversary may possess multiple network resources for examining and investigating the target before implementing their tactics, but need not use all of them during the attack. We also presume that the defender may employ defensive measures to thwart attempts to compromise the target system. Additionally, ordinary users, who act as third-party observers, are more concerned with the performance of the system service than with the actions and strategies of the other two parties.
Attack model: The cyber kill chain (CKC) concept was developed by Lockheed Martin to help organizations build more effective defenses against sophisticated and persistent threats and to identify an attacker's motivation, strategies, and tools42. We adopt the same framework in this article, as it helps in defending against advanced persistent threats (APTs). APTs are sophisticated and prolonged attacks designed to evade detection and maintain a long-term presence within a network43,44. According to the CKC framework, an attacker's lifecycle can be divided into seven distinct stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Volumetric attacks are the main focus of the present work, as they are the most common DDoS attacks; they aim to consume all network resources by generating massive traffic volumes from botnets.
Attack target: In IIoT all the servers, IoT devices, and network infrastructures are the possible targets for the attacker to overload the network and affect the normal communication.
Attackers' capabilities: An attacker launching DDoS attacks possesses various capabilities, the key ones being:
- Attackers capable of launching DDoS attacks often utilize large botnets, amplification techniques, and sophisticated attack tools.
- They may rent services from DDoS-for-hire platforms, employ multiple attack vectors, and conduct resilience testing.
- The continuous evolution of their tactics allows them to circumvent defenses.
Defense model: Our defense model involves multi-layered defense to protect against a wide range of DDoS attacks and ensure that web servers, applications, and networks remain available to legitimate users. Our key goal is to reduce network congestion and keep the resources accessible to authorized users. Traffic filtering, admission control, load balancing, and rate limiting the incoming traffic are the measures to mitigate DDoS attacks at the earliest.
User behavior: MTD-based shuffling requires regular reconfiguration of the network system. However, this process may incur expensive overhead and create a backlog of service requests. Moreover, during the shuffling process, high service latency may compel users to select other servers, leading to system overload. Therefore, it is crucial to consider user behavior, and we presume that users have the following properties:
- Actions of the attacker and the defender are unknown to the users.
- Users are only concerned about the status of the service and the system's performance.
- If the latency surpasses the expected threshold value, users will choose another server.
Proposed model
Our goal is to enhance IoT device security by reducing attack vulnerabilities through strategic modifications. We plan to achieve this efficiently using SDN, which centralizes network control for precise management45. We propose a hybrid defense strategy involving traffic classification and SDN control to improve security. This approach allows dynamic admission control and service migration on edge clouds, ultimately limiting attacker options and mitigating the impact of DDoS attacks.
Classification models
The prevalence of attacks targeting networks has grown alongside the technology industry's exponential growth, making cybersecurity an increasingly important problem to solve. Before the rise of artificial intelligence, domain specialists handled most cybersecurity concerns: they put defence procedures in place and responded to threats directly. That strategy rapidly became unworkable, because frequent infrastructure and software updates kept raising the risk of introducing new vulnerabilities. The second major driver of this transformation is the accelerating evolution of cyber-attacks, whose growing intelligence and automation make them more complex. Intrusion detection systems (IDS) and similar security defences are in common use, and the industry is moving from human-in-the-loop systems toward autonomous human-on-the-loop operation. Such technologies are in high demand because they can adapt to a constantly changing environment, offering robust answers to future, unforeseen dangers. Several machine learning (ML) based security solutions have been developed, using naive Bayes, neural networks, random forests and SVMs. Historically, however, these methods have required substantial volumes of high-quality data and meticulous fine-tuning to reach satisfactory detection performance, and supervised ML-based IDS need ongoing maintenance to update training datasets as the infrastructure changes and attacks advance. Deep learning approaches have also been applied to this problem, but they face computational problems, some of which are enumerated below:
- Neural networks require significant resources for training because they rely on expensive backpropagation and gradient-based optimization.
- They are highly susceptible to noise in the data, the network, or the underlying hardware.
- Neural networks lack human-like cognitive abilities for long-term memorization and transparency.
- They require exhaustive feature engineering.
The state-of-the-art classification models for SDN DDoS attacks were implemented and tested on the ISCX-IDS-2012 dataset for accuracy. As Fig. 3 shows, models such as LSTM+CNN, XGBoost, KNN, SVM, and sequential CNN reach accuracies above 95%, but they are computationally expensive, which makes them less suitable for real-time applications in an IoT environment. The ODENet+LSTM model has decent accuracy, near 90%, which can be considered reliable, with minimal storage requirements and faster classification, both essential for a real-time application.
Traffic classifier
The traffic classifier plays an important role in early detection of DDoS attacks by analyzing patterns, headers, and behaviors to differentiate legitimate traffic from malicious activity. It enables real-time anomaly detection, isolation of malicious sources, and dynamic policy enforcement to reduce disruptions. When integrated with SDN, it provides detailed traffic information to the controller, allowing adaptive defenses, efficient resource management, and improved threat detection accuracy. Models such as ODENet and LSTM improve classification by modeling temporal patterns and processing sequential data, enabling rapid and precise responses to threats, which strengthens SDN's ability to mitigate evolving cyberattacks while maintaining service availability and low latency. In the MTDTM model, the traffic classifier identifies abnormal traffic and signals possible attacks in real time, which helps to recognize and reduce the impact of DDoS attacks promptly. Furthermore, after training on the usual traffic patterns, the traffic classifier can detect new attacks as they emerge. We have adopted the model introduced by Roy et al.41. Their approach merges ODENet and LSTM to allow speedy classification using just two characteristics of a unidirectional flow. This quick and straightforward model needs only a few packets and does not compromise privacy, so it is well suited to real-time traffic analysis in IIoT applications.
The traffic classifier in the MTDTM architecture distinguishes between legitimate and malicious traffic using a hybrid ODENet+LSTM model that captures dynamic features and temporal patterns of network traffic. ODENet enables adaptive feature extraction, while LSTM analyzes sequential data to detect persistent attack patterns. Each flow is tagged with a status indicator, 0 for legitimate and 1 for malicious, enabling quick mitigation. The model achieves a high true positive rate (TPR) and low false positive rate (FPR), outperforming traditional classifiers. Designed for real-time processing, the classifier ensures minimal service disruption in resource-constrained IIoT environments, maintaining quality of service (QoS) while mitigating DDoS attacks. Once the traffic has been analyzed by the classifier, the status indicator is updated from the auxiliary information: it is set to zero if no anomaly is detected and to one otherwise. Because an attacker could disguise its traffic and get through the classifier stage, the next stage of SDN control is dynamic admission control. The classified internet traffic is forwarded to the SDN controller for dynamic admission, load balancing, and service migration.
Dynamic admission control
Traffic that has passed the classifier proceeds, with its status indicator attached, to the next level of SDN control, dynamic admission. The distributed admission control scheme considers the number of services and their replicas in each edge cloud and the capacity of each replica. Devices are rate limited, and each device is assigned to only one replica. Let \({\mathscr {N}}\) be the number of edge clouds, \({\mathscr {S}}\) the number of services each edge cloud provides, \({\mathscr {R}}\) the number of replicas of each service, and \(C_r\) the capacity of each replica to serve. Let \(D_k\) devices request access, among which \(A_k\) devices are compromised.
When a new device is requested to be admitted to the system, the admission controller needs to consider two things. First, it must ensure that the quality of service (QoS) for existing devices in the system is maintained if a new device is admitted. Second, it must provide the new device with its desired quality of service. To achieve these goals, the controller uses information about the state of the replica where the new device is being requested and information about the recovery time that should be within the tolerable threshold.
Here, admission is granted only if \(C_r\times R \ge D_k\); otherwise, the device is redirected to another edge cloud service. We consider an array of replicas as shown in Fig. 4. In this hexagonal array, a new device seeking admission is admitted to the replica \(R_0\) of service \(S_k\) at time \(t_0\) if the following admission conditions are satisfied:
1. If no device is accessing the service \(S_0\) at time \(t_0\), the device is always admitted.
2. If there are already devices for the service \(S_0\), then the new device can only be admitted if the number of devices in \(S_k\) is less than or equal to a predetermined threshold value, denoted by K.
3. If there is no device in replica \(R_0\), the new device can be admitted if the following conditions are met:
   (a) The number of devices in the neighboring replicas (\(n_L\)) is less than or equal to a predetermined threshold value, denoted by K.
   (b) The number of devices in the replica \(R_0\) and its neighboring replicas (\(n_o + n_L\)) is less than or equal to a predetermined capacity value, denoted by N.
   (c) The probability that a new device is admitted, denoted by P, is greater than or equal to a predetermined threshold value, denoted by \(P_{th}\):
$$\begin{aligned} P &= \min\!\left(1, \frac{N-(n_o+n_L)}{N}\right)(1-p_S) \\ &\quad + \min\!\left(1, \frac{K-n_o}{K}\right)\frac{p_S}{2} \\ &\quad + \min\!\left(1, \frac{K-n_L}{K}\right)\frac{p_m}{6} \end{aligned}$$(1)
where \(p_S\) is the probability that a device stays in the replica of the service, \(p_m\) is the probability that a device transfers to any one of its six neighboring replicas, and the factor 1/2 accounts for the two possible outcomes (stay or transfer) for the device in its current replica.
The admission conditions stated above aim to achieve a balance between the network's capacity and the probability of devices being blocked, considering the mobility of the devices in the network.
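As an added illustration (not the paper's own code), the following Python snippet encodes the three admission conditions and Eq. (1) for one hexagonal cell. The way conditions 2 and 3 are combined (condition 2 gates every request; condition 3 adds the neighbour checks when \(R_0\) is empty), the helper names, and all numeric values (N, K, \(p_S\), \(p_m\), \(P_{th}\), device counts) are assumptions made for this example.

```python
"""Added illustration of the admission rule above (not the paper's own code).

Implements the three admission conditions and Eq. (1).  The way the
conditions combine (condition 2 gates every request; condition 3 adds the
neighbour checks when R_0 is empty) is this example's reading of the text.
All numeric values are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Replica:
    """One replica in the hexagonal array; `neighbors` holds up to six cells."""
    name: str
    devices: int = 0                                  # n_o for this cell
    neighbors: list = field(default_factory=list)

    def neighbor_load(self) -> int:
        """n_L: devices currently served by the neighbouring replicas."""
        return sum(r.devices for r in self.neighbors)


def admission_probability(n_o, n_L, N, K, p_S, p_m):
    """Eq. (1): P = min(1,(N-(n_o+n_L))/N)(1-p_S) + min(1,(K-n_o)/K)p_S/2
    + min(1,(K-n_L)/K)p_m/6."""
    return (min(1.0, (N - (n_o + n_L)) / N) * (1 - p_S)
            + min(1.0, (K - n_o) / K) * p_S / 2
            + min(1.0, (K - n_L) / K) * p_m / 6)


def admit(replica, service_devices, N, K, p_S, p_m, p_th):
    """Decide admission of one new device to `replica` of a service that
    currently serves `service_devices` devices.  Returns (admitted, reason)."""
    if service_devices == 0:                           # condition 1
        return True, "cond-1: idle service, always admitted"
    if service_devices > K:                            # condition 2
        return False, "cond-2: service already above threshold K"
    if replica.devices == 0:                           # condition 3
        n_L = replica.neighbor_load()
        if n_L > K:                                    # (a)
            return False, "cond-3a: neighbours above threshold K"
        if replica.devices + n_L > N:                  # (b)
            return False, "cond-3b: cell plus neighbours above capacity N"
        p = admission_probability(replica.devices, n_L, N, K, p_S, p_m)
        if p < p_th:                                   # (c)
            return False, f"cond-3c: P={p:.3f} below P_th={p_th}"
        return True, f"cond-3: admitted with P={p:.3f}"
    return True, "cond-2: service below threshold K"


def hex_cell(neighbor_devices, center_devices=0):
    """Build R_0 with six neighbours holding the given device counts."""
    if len(neighbor_devices) != 6:
        raise ValueError("a hexagonal cell has exactly six neighbours")
    center = Replica("R_0", center_devices)
    center.neighbors = [Replica(f"R_{i + 1}", d) for i, d in enumerate(neighbor_devices)]
    return center


def run_scenarios(N=20, K=6, p_S=0.6, p_m=0.3, p_th=0.5):
    """Constructed scenarios exercising each branch; returns their outcomes."""
    return {
        "idle_service": admit(hex_cell([0] * 6), 0, N, K, p_S, p_m, p_th),
        "empty_cell_ok": admit(hex_cell([1, 1, 1, 1, 0, 0]), 4, N, K, p_S, p_m, p_th),
        "busy_neighbours": admit(hex_cell([2, 2, 1, 1, 1, 0]), 4, N, K, p_S, p_m, p_th),
        "service_full": admit(hex_cell([0] * 6), 7, N, K, p_S, p_m, p_th),
        # smaller capacity N=10 pushes P below P_th even though (a) and (b) hold
        "low_probability": admit(hex_cell([1] * 6), 5, 10, K, p_S, p_m, p_th),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16s} -> {'ADMIT ' if ok else 'REJECT'} ({why})")
```

The `low_probability` scenario is the one worth studying: every count-based check passes, yet the probabilistic term in Eq. (1) still rejects the device because the cell's neighbourhood is exactly at threshold K, which is what lets the rule account for mobility rather than only for raw occupancy.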
Service migration
Another MTD approach is used to isolate attackers on a small number of physical servers once the monitored traffic has been admitted in accordance with the admission requirements. This is done by deliberately moving services across several edge clouds. Load balancing has been addressed in recent years by approaches ranging from heuristics to machine-learning-centric methods that promise better resource management46. Our focus, however, is on an energy-aware load-balancing algorithm, which is critical for data center operations. In MTDTM, dynamic load balancing is achieved by the weighted load-balancing technique of process migration, which ensures that no single resource is paralyzed by DDoS attack traffic. The complete system is continuously checked for new targets or changes in DDoS attack patterns; if further targets are found, the process migration procedure is repeated to disperse the load and safeguard the targeted services.
Analyzing the system state and establishing communication with other nodes are the two significant challenges in a distributed systems scenario. These problems are addressed using either a centralized system or a peer-to-peer solution to track the system state. The MTDTM model therefore uses a gossip-protocol-based epidemic broadcast algorithm, since this solution is highly scalable, fault-tolerant, and resilient. Gossip protocols handle dynamic changes, achieve various consistency levels, and reduce network congestion by avoiding redundant messages through probabilistic or deterministic techniques. They disseminate information to all nodes as fast as possible by using a fanout parameter that determines how many nodes each node contacts in each round.
The gossip protocol has been divided into several parts for clarity. In Algorithm 1, the parameters are initialized, and in Algorithm 8, the gossip protocol for service migration is executed using various functions. These functions are defined in Algorithm 2 to Algorithm 7. Algorithms 2, 3, 4, and 5 detail the processes for obtaining node load information, exchanging that information, and migrating services. Algorithms 6 and 7 are used to identify the least loaded node and facilitate service migration.
The MTDTM framework employs a structured sequence of algorithms to implement service migration and load balancing, effectively mitigating DDoS attacks in IIoT and edge cloud environments. The process begins with Algorithm 1 (Initialization and Parameters), where critical system parameters are defined. These include GOSSIP_INTERVAL (10 seconds), which sets the communication frequency, LOAD_THRESHOLD (0.8), which determines when a node is overloaded, and MIGRATION_DELAY (5 seconds) to coordinate migration timing.
Once initialized, node loads are evaluated using Algorithm 2 (Get Node Load), where the load \(L_i\) of node i is computed as:
with \(R_{ij}\) as the resource demand of service j and \(C_i\) as the node’s total capacity. This normalized load value identifies nodes that exceed the threshold and require load redistribution.
To share load information across the network, Algorithm 4 (Gossip Protocol) is employed. This decentralized, fault-tolerant mechanism enables nodes to exchange load data probabilistically with neighbors. Each update is represented as:
where \(L_i\) and \(L_j\) are the loads of nodes i and j at time t. This data exchange is implemented in Algorithm 5 (Exchange Load Information), where each node updates its local load information table for informed decision-making. When a node’s load exceeds LOAD_THRESHOLD, Algorithm 6 (Evaluate and Migrate Services) identifies services that can be migrated and determines the least-loaded neighboring node using Algorithm 7 (Find Least-Loaded Neighbor). The target node k is chosen by minimizing:
ensuring the selected neighbor can accommodate the additional load without exceeding its own threshold.
The migration process itself is managed by Algorithm 3 (Migrate Service), which locks the source and target nodes, stops the service on the source, transfers the service data, starts the service on the target node, and updates routing tables to maintain connectivity. The migration overhead is represented by:
which ensures seamless transitions and minimal downtime.
Finally, Algorithm 8 (Main Function and Monitoring) runs the gossip protocol and migration processes across all nodes in parallel, ensuring continuous and adaptive load balancing.
Mathematically, MTDTM integrates energy-aware optimization to minimize the total energy cost:
where \(P_{ij}\) represents the power consumed by node i while processing service j, and \(T_{ij}\) is the processing time. This ensures that load balancing decisions not only mitigate DDoS attacks but also optimize resource utilization and operational costs. By combining these algorithms into a coherent and modular framework, MTDTM achieves scalability, fault tolerance, and resilience, making it a robust solution for dynamic, distributed systems under attack.
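To make the interplay of Algorithms 2 to 8 concrete, here is an added Python model of gossip-based load exchange and threshold-triggered migration. It is not the paper's Algorithms 1 to 8 and not code from the MTDTM project; it follows the text's description (\(L_i = \sum_j R_{ij} / C_i\), gossip with a fanout, migration to the least-loaded neighbour that stays under threshold) using the parameter values named above. The four-node ring, the capacities and service demands, the fanout of 2, the "shed largest service first" order and the push-pull merge of load tables are assumptions of this example.

```python
"""Added illustration of gossip-driven load exchange and service migration.

This is a self-contained reading of the text above, not the paper's
Algorithms 1-8: L_i = sum_j R_ij / C_i, each node gossips its load to
FANOUT random neighbours per round, and a node above LOAD_THRESHOLD moves
services to the least-loaded neighbour that can absorb them without
crossing its own threshold.  FANOUT and the topology, capacities and
demands are constructed sample values.
"""
import random
from dataclasses import dataclass, field

GOSSIP_INTERVAL = 10   # seconds between gossip rounds (value from the text)
LOAD_THRESHOLD = 0.8   # normalised load above which a node is overloaded
MIGRATION_DELAY = 5    # seconds; recorded with each migration
FANOUT = 2             # assumption: neighbours contacted per gossip round


@dataclass
class Node:
    name: str
    capacity: float                                   # C_i
    services: dict = field(default_factory=dict)      # service id -> R_ij
    neighbors: list = field(default_factory=list)     # names of adjacent nodes
    load_table: dict = field(default_factory=dict)    # peer -> (load, cap, round)
    locked: bool = False

    def load(self) -> float:
        """Normalised load L_i = sum_j R_ij / C_i."""
        return sum(self.services.values()) / self.capacity


def exchange_load_information(a, b, rnd):
    """Push-pull exchange: both sides learn each other's current load and
    then merge whichever entries in the other's table are fresher."""
    a.load_table[b.name] = (b.load(), b.capacity, rnd)
    b.load_table[a.name] = (a.load(), a.capacity, rnd)
    for src, dst in ((a, b), (b, a)):
        for peer, entry in src.load_table.items():
            if peer != dst.name and entry[2] > dst.load_table.get(peer, (0, 0, -1))[2]:
                dst.load_table[peer] = entry


def gossip_round(nodes, rnd, rng):
    """Every node contacts up to FANOUT randomly chosen neighbours."""
    for node in nodes.values():
        for peer in rng.sample(node.neighbors, min(FANOUT, len(node.neighbors))):
            exchange_load_information(node, nodes[peer], rnd)


def find_least_loaded_neighbor(node, demand):
    """Neighbour with the lowest known load whose load would stay at or below
    LOAD_THRESHOLD after taking `demand`; None if nobody qualifies."""
    best, best_load = None, None
    for peer in node.neighbors:
        if peer not in node.load_table:
            continue                                  # no gossip data yet
        load, cap, _ = node.load_table[peer]
        if load + demand / cap <= LOAD_THRESHOLD and (best_load is None or load < best_load):
            best, best_load = peer, load
    return best


def migrate_service(src, dst, service_id, routing, log):
    """Lock both nodes, stop on source, transfer, start on target, reroute."""
    src.locked = dst.locked = True
    try:
        demand = src.services.pop(service_id)         # stop on the source
        dst.services[service_id] = demand             # start on the target
        routing[service_id] = dst.name                # clients follow the move
        log.append((service_id, src.name, dst.name, MIGRATION_DELAY))
    finally:
        src.locked = dst.locked = False


def evaluate_and_migrate(node, nodes, routing, log):
    """Shed the largest services first until the node is under threshold."""
    for service_id in sorted(node.services, key=node.services.get, reverse=True):
        if node.load() <= LOAD_THRESHOLD:
            break
        target = find_least_loaded_neighbor(node, node.services[service_id])
        if target is not None and not nodes[target].locked:
            migrate_service(node, nodes[target], service_id, routing, log)
            rnd = node.load_table[target][2]          # refresh our view of the target
            node.load_table[target] = (nodes[target].load(), nodes[target].capacity, rnd)


def run(nodes, rounds, seed=7):
    """Main loop: one gossip round, then every node evaluates migration."""
    rng = random.Random(seed)
    routing = {s: n.name for n in nodes.values() for s in n.services}
    log = []
    for rnd in range(rounds):                         # round index stands in for
        gossip_round(nodes, rnd, rng)                 # GOSSIP_INTERVAL seconds
        for node in nodes.values():
            evaluate_and_migrate(node, nodes, routing, log)
    return routing, log


def sample_topology():
    """Constructed four-node ring; node A starts overloaded (L_A = 1.0)."""
    nodes = {"A": Node("A", 100, {"svc-a1": 50, "svc-a2": 30, "svc-a3": 20}),
             "B": Node("B", 100, {"svc-b1": 20}),
             "C": Node("C", 100, {"svc-c1": 30}),
             "D": Node("D", 100, {"svc-d1": 10})}
    ring = ["A", "B", "C", "D"]
    for i, name in enumerate(ring):
        nodes[name].neighbors = [ring[i - 1], ring[(i + 1) % len(ring)]]
    return nodes


if __name__ == "__main__":
    topo = sample_topology()
    routing, log = run(topo, rounds=3)
    for n in topo.values():
        print(f"{n.name}: L={n.load():.2f} services={sorted(n.services)}")
    print("migrations:", log)    # svc-a1 moves A -> D, A drops to L=0.5
```

Two details matter for the defensive property the text claims. First, the target check uses the target's capacity, not only its load, so a small neighbour is not flooded just because it currently looks idle. Second, the migrating node refreshes its own view of the target immediately after a move, otherwise two services shed in the same round could both be sent to the same neighbour on stale gossip data and push it over LOAD_THRESHOLD.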
Performance overhead
The performance of the proposed framework has been evaluated for its computational overhead and time complexity across different scenarios, focusing on service migration, load balancing, and attack mitigation. This section discusses the complexity of each service migration algorithm and its contribution to the overall framework in order to analyze the feasibility and efficiency of the approach. The time complexity of all eight service migration algorithms is summarized in Table 3.
Algorithm 1 involves setting up network nodes, services, and key parameters like gossip intervals, load thresholds, and migration delays. Since this algorithm primarily performs variable assignments and simple data structure initializations, it has a constant time complexity of O(1), independent of the network size. Algorithm 2 calculates the load of each node by summing the resource demands of all hosted services. The complexity depends on the number of services per node, resulting in a linear time complexity of O(N), where N represents the number of services or resource demands being evaluated.
Algorithm 3 manages the process of service migration, which includes stopping a service, transferring data, restarting the service on the target node, and updating routing tables. Since the migration process involves scanning the active services and corresponding replicas, its complexity is O(N), scaling linearly with the number of services. Algorithm 4 facilitates decentralized load information exchange among nodes. The gossip protocol's probabilistic communication approach ensures quick convergence. Its complexity is O(N log N), where N is the number of network nodes. This logarithmic convergence ensures scalability and efficiency, even in large networks. Algorithm 5, in turn, enables nodes to share their load information with randomly selected neighbors. Each information exchange takes constant time per interaction; considered across all nodes, however, the overall complexity becomes O(N) due to the cumulative exchanges across the network.
Algorithm 6 assesses each hosted service to determine if migration is necessary. In the worst case, where all services require migration, the time complexity is \(O(S \times N)\), with S representing the number of services and N the number of nodes. This complexity arises from iterating through each service for every node to evaluate migration conditions. Algorithm 7 identifies the node with the lowest load for service migration. This involves scanning all neighboring nodes, resulting in a linear time complexity of O(N), where N is the number of neighboring nodes connected to the current node.
Algorithm 8 orchestrates the execution of the gossip protocol and service migration processes. Since the gossip protocol runs in parallel with service evaluation and migration functions, the complexity of this algorithm is primarily driven by the gossip protocol, resulting in O(N log N) time complexity.
Overall, the proposed service migration maintains an efficient and suitable computational overhead for real-time IIoT applications. Initialization tasks are minimal with constant complexity, while load evaluations, service migrations, and neighbor searches scale linearly with network size. The gossip protocol ensures scalability through logarithmic convergence, making the solution adaptable to varying network sizes without significant computational burden. The combination of these complexities provides a balanced approach between performance, resource utilization, and responsiveness under dynamic DDoS attack scenarios.
Simulation
This section describes the SDN topology employed in the simulation. The simulation environment used to evaluate the MTDTM approach was implemented using Mininet, an SDN-based network emulator. The experiments were conducted on a system running Ubuntu 18.04 with 16 GB RAM and a 3.2 GHz Intel i7 processor. The network infrastructure consisted of Open vSwitch instances controlled by a Ryu SDN controller, enabling dynamic network reconfiguration and real-time load balancing. To represent real-world DDoS attack scenarios, the simulations included multiple network topologies, with adversary nodes directly connected to host nodes. This configuration allowed for a comprehensive evaluation of the MTDTM's adaptability under various attack patterns.
To analyze the effectiveness of the MTDTM approach under varying conditions, several parameters were adjusted during the simulations. The number of compromised hosts was varied at 10%, 30%, and 50% to assess system resilience against different scales of DDoS attacks. To evaluate the architecture’s adaptability to diverse adversary strategies, both sequential and uniform random scanning methods were employed. Additionally, service migration intervals were modified to achieve an optimal balance between security enhancement and computational overhead reduction. The simulations also considered attack intensity, with the adversary probing five hosts per scan at 15 second intervals, thereby replicating realistic attack scenarios and ensuring a comprehensive assessment of the MTDTM’s performance under various threat conditions.
Figure 5 depicts the topology, consisting of three Open vSwitch (OVS) v2.9.5 instances and eight hosts. The experiments involve one, two, and three attackers at varying packet rates, ranging from 50 packets/second to 1000 packets/second. The attack traffic is generated using the Python-based tool Scapy. Further setup details can be found in Table 4. We assume that each service's storage requirement is uniformly distributed with an average ranging from 20 to 80 GB, and the computational workload for each service follows a uniform distribution with an average ranging from 10 to 50 gigacycles. Recognizing the variability in storage and computing capacities within the edge cloud, the edge cloud's storage capacity is randomly chosen from 100 to 200 GB, and its computing capacity from 50 to 100 GHz. As for the transmission speed between edge clouds, we assume it falls within the range of 20 to 40 Mbps.
The edge cloud's resources are evenly distributed among the offloaded IIoT devices on that node. It is assumed that the number of devices each replica can handle (\(q_k\)) follows the same distribution as \(r_k\). As mentioned in22, the average recovery time after admission control (\(t_A\)) is 200 ms, and the mean service migration time (\(t_S\)) is 10,000 ms. We compare our algorithm with three baseline strategies: a static strategy, a random strategy, and a deterministic pure strategy. The static strategy maintains the original MTD deployment, the random strategy updates devices and services randomly, and the deterministic pure strategy involves exchanging or migrating compromised services.
The latency analysis of the traffic classifier model was performed by comparing the latency of the SVM and KNN models with that of the proposed traffic classifier on the CTU-13 dataset.
Results and discussion
Implementation challenges and mitigation strategies
Implementing the MTD Traffic Manager within resource-constrained edge clouds posed several challenges, primarily computational overhead, latency constraints, and balancing security with quality of service (QoS). These challenges were addressed through targeted solutions to ensure efficient DDoS mitigation while maintaining system performance.
- Computational Overhead: Edge clouds have limited processing capabilities, making it difficult to execute complex MTD algorithms efficiently. To mitigate this, a lightweight traffic classification model was implemented using ODENet+LSTM, which balances classification accuracy and resource efficiency. Unlike deep learning models that require intensive computation, the chosen model ensures real-time detection with lower latency (50 ms), as validated through simulations.
- Latency Constraints: Many IIoT applications demand low-latency communication. Frequent service migrations or continuous shuffling can degrade system responsiveness. To address this, dynamic admission control was optimized to trigger reconfiguration only when a load threshold (LOAD_THRESHOLD = 0.8) was exceeded, reducing unnecessary migrations. The migration delay was set at 5 seconds, ensuring that the defense mechanisms did not compromise latency-sensitive IIoT applications.
- Balancing Security with QoS: Frequent MTD adaptations can interrupt legitimate traffic, leading to degraded QoS. To maintain a balance, the MTDTM employs a weighted load-balancing mechanism that considers both service capacity and attack status. By using a probabilistic gossip protocol for load information exchange (with a GOSSIP_INTERVAL of 10 seconds), the system achieves adaptive service migration without overburdening network resources. This approach ensures that legitimate users experience minimal service disruption while maintaining strong security.
The challenges of computational overhead, latency, and QoS degradation were addressed through lightweight models, adaptive control mechanisms, and efficient service migration strategies, ensuring that MTDTM remains effective even in resource-constrained edge cloud environments.
- Efficient Load Redistribution: The gossip protocol enables scalable and decentralized load balancing, ensuring that nodes receive updates without relying on a central entity, which reduces the risk of bottlenecks.
- Minimal Service Downtime: The service migration process was optimized to ensure that the migration overhead (\(T_{mig}\)), comprising stopping, transferring, and restarting services, remained within acceptable limits, ensuring smooth transitions.
- QoS Preservation: By integrating dynamic admission control with service migration, malicious traffic is isolated, while legitimate requests are redirected to less-loaded replicas, maintaining high service availability.
The ODENet reduces computation by dynamically adjusting the depth, minimizing unnecessary calculations compared to static deep networks. This combination works adaptively and sequentially, minimizing unnecessary computations and achieving lower overall latency. Table 5 presents the comparative latency analysis of KNN, SVM, LSTM, and ODENet against the hybrid ODENet+LSTM model used here.
The overall performance was evaluated among basic strategy, arbitrary strategy, deterministic strategy and our approach for varying parameters. The basic strategy maintains the initial MTD deployment, but in arbitrary strategy, devices and services are randomly selected for status updates. Lastly, the deterministic strategy includes device exchanges from troubled services and the migration of services to an alternative edge cloud, regardless of past compromises.
The proposed approach was evaluated by examining its effects on the average available resources across varying numbers of compromised devices, average storage capacities, and recovery time thresholds. Additionally, its influence was analyzed on service response time while varying the number of service requests, the edge cloud’s computing capacities, and the edge cloud’s storage capacities. We compared the performance of all four algorithms and presented the results in Figs. 6 and 7.
The graphs in Fig. 6 highlight the effectiveness of the MTDTM algorithm compared to deterministic, basic, and arbitrary strategies in managing resource availability under varying conditions. Figure 6a shows the impact of varying compromised devices. As the number of compromised devices (\(C\), ranging from 50 to 300) increases, the average available resources (\(R\), measured in GB) for MTDTM decrease linearly at a slower rate (\(R = 35 - 0.04C\)) compared to deterministic (\(R = 20 - 0.02C\)) and much better than basic and arbitrary strategies, which show steep declines (dropping below 5 GB when C=300). The slower decrease in MTDTM is attributed to its dynamic load-balancing mechanism, which efficiently redistributes traffic and resources, preventing bottlenecks. In contrast, basic and arbitrary strategies lack adaptability, leading to rapid resource depletion.
In Fig. 6b and c, MTDTM outperforms other strategies under increasing edge cloud storage capacity (\(S\), in MB) and recovery time thresholds (\(T\), in seconds). For storage capacity, MTDTM shows a linear increase in resource availability (\(R = 0.08S + 20\)) as \(S\) increases from 500 MB to 1000 MB, far exceeding deterministic (\(R = 0.04S + 10\)) and basic/arbitrary strategies, which plateau below 15 GB. Here, the higher \(S\) allows MTDTM to leverage additional storage for traffic redistribution and legitimate user support. Similarly, in Fig. 5c, as the recovery time threshold grows from 2 to 10 seconds, MTDTM exhibits a quadratic increase in resources, highlighting its adaptability in restoring resources quickly during prolonged recovery windows. The deterministic strategy increases linearly (\(R = 2T + 5\)), while basic and arbitrary strategies remain almost constant (near 5 GB), showing their inability to recover effectively.
The service availability is measured as the proportion of legitimate traffic that is successfully processed by the classifier. The efficiency of classifier helps in improving service availability by accurate temporal feature extraction and sequential patterns, improving overall true positive rate (TPR). Moreover, ODENet’s adaptive learning minimizes overfitting, and LSTM’s memory reduces false positive rate (FPR).
Overall service availability \(A_s\) for ODENet+LSTM can be mathematically expressed as
The graphs in Fig. 7 illustrate the effectiveness of MTDTM in minimizing service response time (\(T_s\)) compared to deterministic, basic, and arbitrary strategies across varying conditions. In Fig. 7a, as the number of service requests (\(R\)) increases from 10 to 35, MTDTM maintains the lowest response time, increasing only slightly from 0.35 ms to 0.45 ms. In contrast, deterministic strategies rise to 0.55 ms, while basic and arbitrary strategies show steep increases, reaching up to 0.9 ms for arbitrary strategies. This performance is due to MTDTM’s dynamic load-balancing mechanism, which reallocates services efficiently to handle increased traffic, whereas other strategies lack such adaptability, leading to significantly higher delays.
In Fig. 7b and c, MTDTM demonstrates superior scalability with increasing edge cloud computing capacity (\(C_c\)) and storage capacity (\(S_c\)). As \(C_c\) grows from 50 to 100 GB in Fig. 7b, MTDTM reduces response time from 0.45 ms to 0.3 ms, outperforming deterministic strategies, which only drop to 0.4 ms, while basic and arbitrary strategies remain above 0.65 ms. Similarly, in Fig. 7c, MTDTM achieves the lowest response time, decreasing from 0.5 ms to 0.35 ms as \(S_c\) increases from 50 to 250 GB, with deterministic strategies lagging and static strategies showing minimal improvement. An increase in edge cloud storage capacity thus directly lowers service response time. These results highlight MTDTM's ability to efficiently utilize available resources and dynamically adapt to increasing workloads, making it the most effective strategy for reducing response times in resource-constrained edge cloud environments.
The MTDTM architecture ensures minimal disruption to IIoT services while mitigating DDoS attacks through a combination of dynamic traffic management, service migration, and adaptive load balancing. Firstly, dynamic admission control helps in filtering and prioritizing legitimate traffic. The traffic classifier integrated into MTDTM ensures that only verified traffic gains access to the IIoT system, effectively reducing false positives and service disruptions. The classifier uses ODENet and LSTM models, which improve the true positive rate (TPR) and lower false positive rate (FPR), ensuring better accuracy in distinguishing between normal and malicious traffic. Secondly, adaptive service migration enables seamless transitions in case of attack. MTDTM employs a weighted load-balancing mechanism that dynamically redistributes services across edge clouds. This prevents bottlenecks and ensures optimal resource utilization, even during high-traffic attack periods. The migration overhead, defined by Eq. (5) ensures that transitions are efficient and minimally impact ongoing services.
Additionally, MTDTM uses a gossip-based protocol for decentralized information exchange, enabling faster and more resilient adaptation to evolving attack patterns. This protocol prevents single points of failure, ensuring that system-wide updates propagate efficiently without overloading network resources. Lastly, simulation results validate the effectiveness of the proposed architecture in maintaining low response times, even under increasing service requests. As Fig. 7a shows, as requests increase from 10 to 35, MTDTM keeps response time stable between 0.35 ms and 0.45 ms, whereas deterministic approaches rise to 0.55 ms and arbitrary strategies peak at 0.9 ms. These results demonstrate the proposed architecture's capability to minimize service degradation under attack scenarios.
Statistical validation of performance differences in MTDTM
To ensure the scientific rigor of our evaluation and confirm whether the observed improvements in available resources and service response time using MTDTM are statistically significant, we conducted paired t-tests comparing MTDTM against the Deterministic strategy. These tests help determine whether the observed performance differences result from actual improvements or mere chance.
The analysis focused on two key performance metrics: available resources (GB) and service response time (ms). Available resources were measured under different numbers of compromised devices, while service response time was evaluated based on increasing service requests. To assess statistical significance, we applied a paired t-test, a standard method for comparing two related samples. The null hypothesis (\(H_0\)) assumed that there was no significant difference between MTDTM and the Deterministic strategy, while the alternative hypothesis (\(H_A\)) proposed that MTDTM demonstrated a statistically significant improvement. For both metrics, we computed the mean values, standard deviations, and standard errors of the mean (SEM) for each strategy. Using these values, the t-statistic was calculated, followed by the p-value to assess significance. The results of this analysis are summarized in Table 6.
The low p-values (<0.001) indicate that the differences in both available resources and response time are statistically significant, meaning that the improvements observed with MTDTM are unlikely to have occurred by chance. The negative t-statistic for service response time confirms that MTDTM consistently reduces latency compared to the Deterministic strategy, reinforcing its effectiveness in IIoT environments.
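As an added worked example of the test described above (constructed numbers, not the paper's measurements or the contents of Table 6), the following Python computes the per-strategy mean, standard deviation and SEM, the paired t-statistic on the per-pair differences, and a two-sided p-value, with no dependency beyond the standard library. The sample values, the pairing by request count and the significance level of 0.001 are assumptions of this example.

```python
"""Added worked example of the paired t-test used above (constructed data,
not the paper's measurements).  The two samples are response times (ms) of
MTDTM and of the Deterministic strategy observed at the same request counts,
which is what makes the samples paired.  The p-value comes from numerically
integrating the Student-t density, so only the standard library is needed."""
import math

# Constructed paired observations at request counts 10, 15, ..., 35.
MTDTM_MS = [0.35, 0.37, 0.39, 0.41, 0.43, 0.45]
DETERMINISTIC_MS = [0.40, 0.43, 0.46, 0.49, 0.52, 0.55]


def summarize(sample):
    """Mean, sample standard deviation and standard error of the mean."""
    n = len(sample)
    mean = sum(sample) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in sample) / (n - 1))
    return mean, sd, sd / math.sqrt(n)


def paired_t(x, y):
    """Paired t-test statistic on the per-pair differences x_i - y_i.
    Returns (mean_diff, sd_diff, sem_diff, t, df)."""
    if len(x) != len(y) or len(x) < 2:
        raise ValueError("paired samples must have equal length >= 2")
    mean, sd, sem = summarize([a - b for a, b in zip(x, y)])
    if sem == 0:
        raise ValueError("all differences are identical; t is undefined")
    return mean, sd, sem, mean / sem, len(x) - 1


def two_sided_p_value(t, df, steps=20000, far_tail=80.0):
    """P(|T| >= |t|) under Student-t with `df` degrees of freedom, using
    Simpson's rule on [|t|, far_tail]; the mass beyond far_tail is negligible."""
    c = math.gamma((df + 1) / 2) / (math.sqrt(df * math.pi) * math.gamma(df / 2))

    def pdf(v):
        return c * (1 + v * v / df) ** (-(df + 1) / 2)

    a, b = abs(t), max(abs(t) + 1.0, far_tail)
    h = (b - a) / steps
    acc = pdf(a) + pdf(b) + sum((4 if i % 2 else 2) * pdf(a + i * h) for i in range(1, steps))
    return min(1.0, 2 * acc * h / 3)


def compare(x, y, alpha=0.001):
    """H_0: no difference between the strategies; H_A: MTDTM differs.
    A negative t means the first sample (MTDTM) has the lower mean."""
    mean, sd, sem, t, df = paired_t(x, y)
    p = two_sided_p_value(t, df)
    return {"mean_diff": mean, "sd": sd, "sem": sem, "t": t, "df": df,
            "p": p, "reject_H0": p < alpha, "mtdtm_faster": t < 0}


if __name__ == "__main__":
    for label, sample in (("MTDTM", MTDTM_MS), ("Deterministic", DETERMINISTIC_MS)):
        m, s, e = summarize(sample)
        print(f"{label:14s} mean={m:.3f} ms  sd={s:.4f}  sem={e:.4f}")
    print(compare(MTDTM_MS, DETERMINISTIC_MS))
```

The point to notice is that the per-strategy SEMs are not what the test uses: the statistic is built from the standard error of the paired differences, which is much smaller here because both strategies rise together with the request count. That is why pairing by condition gives a far more sensitive test than comparing the two strategies as independent samples would.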
Conclusion
In this paper, we have proposed a novel algorithm to mitigate DDoS attacks in IIoT environments. The algorithm adopts a dynamic approach to address key challenges associated with distributed networks, including latency, resource management, and service migration. The major features of our proposed solution include traffic filtering, admission control, and dynamic load balancing through service migration, all aimed at enhancing resource availability and reducing service response times.
Simulation results validate the effectiveness of the MTDTM algorithm in outperforming deterministic, basic, and arbitrary strategies across various scenarios. For instance, under increasing numbers of compromised devices and service requests, MTDTM demonstrated higher resource availability and significantly lower service response times compared to other methods. Similarly, with increasing edge cloud storage and computing capacities, MTDTM scaled effectively, maintaining optimal performance. These results highlight the scalability, self-organizing nature, and resilience of the proposed model, making it a robust solution for mitigating DDoS attacks in resource-constrained IIoT environments.
Additionally, the use of a gossip protocol facilitated efficient peer-to-peer communication, enabling faster information sharing and preventing single points of failure. This contributed to the adaptive and decentralized nature of the system. The proposed algorithm is readily deployable and well-suited for commercial applications, providing a scalable and efficient mechanism to ensure uninterrupted services. However, in bandwidth-constrained environments where frequent gossip messages may add overhead, a hybrid load-balancing approach could further optimize performance. These findings underscore the potential of MTDTM in safeguarding critical IIoT processes while maintaining acceptable quality of service under evolving threat landscapes.
Data availability
The datasets used and analyzed during the current study are publicly available as follows: ISCX-IDS-2012 is available at https://www.unb.ca/cic/datasets/ids.htmll, and the CTU-13 dataset is available at https://www.stratosphereips.org/datasets-ctu13.
References
Yu, Y., Liu, S., Yeoh, P. L., Vucetic, B. & Li, Y. LayerChain: A hierarchical edge-cloud blockchain for large-scale low-delay industrial internet of things applications. IEEE Trans. Ind. Inf. 17, 5077–5086 (2020).
Ni, J., Lin, X. & Shen, X. S. Toward edge-assisted internet of things: From security and efficiency perspectives. IEEE Netw. 33, 50–57 (2019).
Zhou, L., Guo, H. & Deng, G. A fog computing based approach to DDoS mitigation in IIoT systems. Comput. Secur. 85, 51–62 (2019).
Chaudhary, S. & Mishra, P. K. DDoS attacks in industrial IoT: A survey. Comput. Netw. 236, 110015 (2023).
Yan, Q., Huang, W., Luo, X., Gong, Q. & Yu, F. R. A multi-level DDoS mitigation framework for the industrial internet of things. IEEE Commun. Mag. 56, 30–36 (2018).
Ko, I., Chambers, D. & Barrett, E. Feature dynamic deep learning approach for DDoS mitigation within the ISP domain. Int. J. Inf. Secur. 19, 53–70 (2020).
Swati, Roy, S., Singh, J. & Mathew, J. Design and analysis of DDoS mitigating network architecture. Int. J. Inf. Secur. 22, 333–345 (2023).
Sengupta, S. et al. A survey of moving target defenses for network security. IEEE Commun. Surv. Tutor. 22, 1909–1941 (2020).
Zhou, Y., Cheng, G., Zhao, Y., Chen, Z. & Jiang, S. Toward proactive and efficient DDoS mitigation in IIoT systems: A moving target defense approach. IEEE Trans. Ind. Inf. 18, 2734–2744 (2021).
Cai, G.-L., Wang, B.-S., Hu, W. & Wang, T.-Z. Moving target defense: State of the art and characteristics. Front. Inf. Technol. Electron. Eng. 17, 1122–1153 (2016).
Li, B., Wang, Y. & Cheng, L. Adaptive and augmented active anomaly detection on dynamic network traffic streams. Front. Inf. Technol. Electron. Eng. 25, 446–460 (2024).
Funding
No funding was received for conducting this study.
Author information
Contributions
Swati: Conceptualization, Validation, Data curation, Formal analysis, Investigation, Methodology, Visualization, Validation, Writing - original draft, Writing - review & editing. Sangita Roy: Data curation, Formal analysis, Investigation, Writing - review & editing. Jawar Singh: Conceptualization, Validation, Methodology, Visualization, Writing - review & editing, Supervision. Jimson Mathew: Conceptualization, Investigation, Resources, Validation, Writing - review & editing, Supervision. All authors reviewed the manuscript.
Ethics declarations
Competing interests
The authors have no financial, non-financial, or proprietary interests in any material discussed in this article.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.
About this article
Cite this article
Swati, Roy, S., Singh, J. et al. Securing IIoT systems against DDoS attacks with adaptive moving target defense strategies. Sci Rep 15, 9558 (2025). https://doi.org/10.1038/s41598-025-93138-7