MTD assessment framework with cyber attack modeling

Abstract

Moving Target Defense (MTD) has received significant focus in technical publications. The publications describe MTD approaches that periodically change some attribute of the computer network system. The attribute that is changed, in most cases, is one that an adversary attempts to gain knowledge of through reconnaissance and may use its knowledge of the attribute to exploit the system. The fundamental mechanism an MTD uses to secure the system is to change the system attributes such that the adversary never gains the knowledge and cannot execute an exploit prior to the attribute changing value. Thus, the MTD keeps the adversary from gaining the knowledge of attributes necessary to exploit the system. Most papers conduct theoretical analysis or basic simulations to assess the effectiveness of the MTD approach. More effective assessment of MTD approaches should include behavioral characteristics for both the defensive actor and the adversary; however, limited research exists on running actual attacks against an implemented system with the objective of determining the security benefits and total cost of deploying the MTD approach. This paper explores empirical assessment through experimentation of MTD approaches. The cyber-kill chain is used to characterize the actions of the adversary and identify what classes of attacks were successfully thwarted by the MTD approach and what classes of attacks could not be thwarted In this research paper, we identify the experiment environments and where experiment fidelity should be focused to evaluate the effectiveness of MTD approaches. Additionally, experimentation environments that support contemporary technologies used in MTD approaches, such as software defined networking (SDN), are also identified and discussed.