A theory for understanding and quantifying moving target defense

Abstract

The static nature of cyber systems gives attackers a valuable and asymmetric advantage - time. To eliminate this asymmetric advantage, a new approach, called Moving Target Defense (MTD) has emerged as a potential solution. MTD system seeks to proactively change system configurations to invalidate the knowledge learned by the attacker and force them to spend more effort locating and re-locating vulnerabilities. While it sounds promising, the approach is so new that there is no standard definition of what an MTD is, what is meant by diversification and randomization, or what metrics to define the effectiveness of such systems. Moreover, the changing nature of MTD violates two basic assumptions about the conventional attack surface notion. One is that the attack surface remains unchanged during an attack and the second is that it is always reachable. Therefore, a new attack surface definition is needed. To address these issues, I propose that a theoretical framework for MTD be defined. The framework should clarify the most basic questions such as what an MTD system is and its properties such as adaptation, diversification and randomization. The framework should reveal what is meant by gaining and losing knowledge, and what are different attack types. To reason over the interactions between attacker and MTD system, the framework should define key concepts such as attack surface, adaptation surface and engagement surface. Based on that, this framework should allow MTD system designers to decide how to use existing configuration choices and functionality diversification to increase security. It should allow them to analyze the effectiveness of adapting various combinations of different configuration aspects to thwart different types of attacks. To support analysis, the frame- work should include an analytical model that can be used by designers to determine how different parameter settings will impact system security.