Doctoral thesis defense on July 1^st 2026 at 09H00 AM ,in Amphitheater Ibn Khaldoun, SUP'COM 2.

Thesis conducted within CN&S Lab in collaboration with SAMA PARTNERS under MOBIDOC program

Entitled: Adaptive and Intelligent Deployment of Deception Resources for Cyber Defense 

Presented by: Amal SAYARI

Thesis Committee :

Abstract

Modern cyberattacks are increasingly sophisticated, adaptive, and capable of propagating across heterogeneous technological domains, rendering traditional reactive defenses insufficient. While conventional security mechanisms focus primarily on detecting or preventing known threats, modern adversaries require proactive approaches that can anticipate and disrupt attacker behavior before critical assets are compromised. Cyber deception has emerged as a promising paradigm that shifts the advantage toward defenders by increasing attacker uncertainty, exposing malicious activities, and gathering valuable intelligence. However, existing deception solutions often remain static, fragmented, and poorly integrated with adaptive decision-making and cyber threat intelligence (CTI).  This thesis aims to design and evaluate an integrated cyber deception framework that combines threat modeling, adaptive defense mechanisms, and CTI to enable proactive, intelligence-driven, and attacker-centric security. Our contributions are five-fold.

First, we conduct a cross-domain analysis of cyber deception across cloud environments (CE), wireless networks (WN), cyber-physical systems (CPS), industrial control systems (ICS), smart grids (SG), internet of things (IoT), internet of vehicles (IoV), and unmanned aerial vehicles (UAV) environments. The study reveals significant fragmentation in existing approaches and highlights the need for unified attacker-aware defense frameworks.

Second, we propose a multi-layer attack graph integrating vulnerabilities, software weaknesses, MITRE ATT&CK techniques, and tactical objectives into a unified representation of adversarial behavior. From this model, we derive a directed vulnerability exploitation graph and develop a reinforcement learning (RL) approach for the adaptive deployment of denial and deception mechanisms against opportunistic and strategic attackers.

Third, we extend this approach using deep reinforcement learning (DRL), including deep Q network (DQN), advantage actor-critic (A2C), and proximal policy optimization (PPO), on large-scale attack graphs generated from real-world attack chains involving 28 APT and ransomware groups. Results demonstrate superior defensive performance and more stable policies than static and tabular Q-learning approaches.

Fourth, we extend deception to the quantum domain through a game theory (GT) decoy-qubit defense for the superdense coding protocol. By analyzing Nash equilibria and incorporating RL-based optimization, we show that optimized decoy strategies can mitigate bijection and scrambling attacks while preserving communication efficiency.

Finally, we present DECEPT-CTI, an end-to-end natural language processing (NLP) framework that automatically extracts CTI from unstructured reports and maps it to tailored deception strategies. Using transformer-based models (SecBERT and SecRoBERTa) and BiLSTM–CRF architectures, the framework extracts actionable indicators of compromise (IoCs), maps them to MITRE ATTCK techniques tactics procedures (TTPs), and supports intelligence-driven deception planning through MITRE D3FEND and Engage.