No free lunch in cyber security

Confidentiality, integrity and availability (CIA) are traditionally considered the three core goals of cyber security. By developing probabilistic models of these security goals we show that: the CIA goals are actually specific operating points in a continuum of possible mission security requirements; component diversity (including certain types of Moving Target Defenses) and component hardening can be quantitatively evaluated against each other as security strategies; and approaches to diversity can be formalized into a rigorous taxonomy. Such considerations are particularly relevant for so-called Moving Target Defense (MTD) approaches, which seek to adapt or randomize computer resources so as to delay or defeat attackers. In particular, we explore tradeoffs between confidentiality and availability in such systems which suggest that improvements in one may come at the expense of the other. In other words, there is "No Free Lunch" in cyber security.
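The tradeoff the abstract describes can be made concrete with a small probabilistic model. The following is an added illustration, not the paper's own model or code: it assumes a mission built from n independently attackable components, each compromised with probability p, and treats a mission requirement as a threshold k on how many compromised components the mission can tolerate. With that assumption, confidentiality (one leaked replica exposes the secret) is the operating point k=1 and availability (service survives while one replica is up) is k=n, with the values in between being other points on the same continuum.

```python
from math import comb


def p_at_least_k_compromised(n: int, k: int, p: float) -> float:
    """Probability that at least k of n independent components are compromised
    when each one falls with probability p (binomial upper tail)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    if not 1 <= k <= n:
        raise ValueError("threshold k must satisfy 1 <= k <= n")
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(k, n + 1))


def mission_failure(n: int, k: int, p: float) -> float:
    """Mission fails once the attacker holds at least k of the n components.
    k == 1 models confidentiality: any single compromised replica leaks the data.
    k == n models availability: service is denied only when every replica is down.
    Intermediate k are other mission requirements on the same continuum."""
    return p_at_least_k_compromised(n, k, p)


def diversity_vs_hardening(n: int, p_diverse: float, p_hardened: float) -> dict:
    """Compare n diverse components (each compromised w.p. p_diverse) against a
    single hardened component (compromised w.p. p_hardened) for both goals.
    Returns (diverse_failure, hardened_failure) pairs per goal."""
    return {
        "confidentiality_loss": (mission_failure(n, 1, p_diverse), p_hardened),
        "availability_loss": (mission_failure(n, n, p_diverse), p_hardened),
    }


def continuum(n: int, p: float) -> list[float]:
    """Mission-failure probability for every threshold k = 1..n, showing the
    CIA goals as the two end points of one curve."""
    return [mission_failure(n, k, p) for k in range(1, n + 1)]


if __name__ == "__main__":
    # Constructed parameters: three diverse replicas at p=0.10 versus one
    # hardened component at p=0.05.
    for goal, (diverse, hardened) in diversity_vs_hardening(3, 0.10, 0.05).items():
        better = "diversity" if diverse < hardened else "hardening"
        print(f"{goal:22s} diverse={diverse:.4f} hardened={hardened:.4f} -> {better}")
    print("continuum k=1..3:", [round(x, 4) for x in continuum(3, 0.10)])
```

With these constructed numbers diversity wins on availability (0.001 vs 0.05) but loses on confidentiality (0.271 vs 0.05), which is the "no free lunch" point in miniature.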
