A theory for understanding and quantifying moving target defense

The static nature of cyber systems gives attackers a valuable and asymmetric advantage: time. To eliminate this asymmetric advantage, a new approach, called Moving Target Defense (MTD), has emerged as a potential solution. An MTD system seeks to proactively change system configurations to invalidate the knowledge learned by the attacker and force the attacker to spend more effort locating and re-locating vulnerabilities. While it sounds promising, the approach is so new that there is no standard definition of what an MTD is, what is meant by diversification and randomization, or what metrics define the effectiveness of such systems. Moreover, the changing nature of MTD violates two basic assumptions of the conventional attack surface notion: that the attack surface remains unchanged during an attack, and that it is always reachable. Therefore, a new attack surface definition is needed. To address these issues, I propose that a theoretical framework for MTD be defined. The framework should clarify the most basic questions, such as what an MTD system is and what its properties (adaptation, diversification and randomization) mean. The framework should make explicit what is meant by gaining and losing knowledge, and what the different attack types are. To reason over the interactions between attacker and MTD system, the framework should define key concepts such as attack surface, adaptation surface and engagement surface. Based on that, this framework should allow MTD system designers to decide how to use existing configuration choices and functionality diversification to increase security. It should allow them to analyze the effectiveness of adapting various combinations of different configuration aspects to thwart different types of attacks. To support analysis, the framework should include an analytical model that designers can use to determine how different parameter settings will impact system security.