Quantification of moving target cyber defenses

Current network and information systems are static, making it simple for attackers to maintain an advantage. Adaptive defenses, such as Moving Target Defenses (MTD) have been developed as potential “game-changers” in an effort to increase the attacker’s workload. With many new methods being developed, it is difficult to accurately quantify and compare their overall costs and effectiveness. This paper compares the tradeoffs between current approaches to the quantification of MTDs. We present results from an expert opinion survey on quantifying the overall effectiveness, upfront and operating costs of a select set of MTD techniques. We find that gathering informed scientific opinions can be advantageous for evaluating such new technologies as it offers a more comprehensive assessment. We end by presenting a coarse ordering of a set of MTD techniques from most to least dominant. We found that seven out of 23 methods rank as the more dominant techniques. Five of which are techniques of either address space layout randomization or instruction set randomization. The remaining two techniques are applicable to software and computer platforms. Among the techniques that performed the worst are those primarily aimed at network randomization.

[1]  Sushil Jajodia,et al.  Moving Target Defense II , 2013, Advances in Information Security.

[2]  Béla Genge,et al.  Cyber-physical testbeds , 2014, CACM.

[3]  M. Kynn The ‘heuristics and biases’ bias in expert elicitation , 2007 .

[4]  Gordon S. Blair,et al.  Models@ run.time , 2009, Computer.

[5]  Daniel J. Ryan,et al.  Quantifying information security risks using expert judgment elicitation , 2012, Comput. Oper. Res..

[6]  J. Charles Kerkering,et al.  Eliciting and Analyzing Expert Judgment, A Practical Guide , 2002, Technometrics.

[7]  Nelly Bencomo,et al.  Models@run.time , 2014, Lecture Notes in Computer Science.

[8]  W. Neil Adger,et al.  Using expert elicitation to define successful adaptation to climate change , 2009 .

[9]  Brett Benyo,et al.  Managed Execution Environment as a Moving-Target Defense Infrastructure , 2014, IEEE Security & Privacy.

[10]  Erik Lebret,et al.  The use of expert elicitation in environmental health impact assessment: a seven step procedure , 2010, Environmental health : a global access science source.

[11]  William W. Streilein,et al.  Finding Focus in the Blur of Moving-Target Techniques , 2014, IEEE Security & Privacy.

[12]  Shouhuai Xu,et al.  Characterizing the power of moving target defense via cyber epidemic dynamics , 2014, HotSoS '14.

[13]  Scott A. DeLoach,et al.  Investigating the application of moving target defenses to network security , 2013, 2013 6th International Symposium on Resilient Control Systems (ISRCS).

[14]  Sushil Jajodia,et al.  Adversarial and Uncertain Reasoning for Adaptive Cyber Defense: Building the Scientific Foundation , 2014, ICISS.

[15]  Sushil Jajodia,et al.  Moving Target Defense - Creating Asymmetric Uncertainty for Cyber Threats , 2011, Moving Target Defense.