International Conference on Cyber Warfare and Security (ICCWS 2016) Effectiveness of Migration-based Moving Target Defense in Cyber Systems Noam Ben-Asher 1,2, James Morris-King 2, Brian Thompson 2, and William Glodek

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Moving Target Defense 2

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Platform Migration 3 OS: Windows 10 DBMS: Oracle WS: Microsoft IIS OS: Red Hat Linux DBMS: MySQL WS: Apache Tomcat

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Motivation The need for moving target defense (MTD) in cyber systems is increasingly being recognized, but its security and productivity impacts are not yet clearly understood The effectiveness of MTD is difficult to evaluate, and depends on the type of attack and the capabilities of the attacker 4

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Definitions & Model 5

Effectiveness of Migration-based Moving Target Defense in Cyber Systems OS: Red Hat Linux DBMS: MySQL WS: Apache Tomcat OS: ??????????? DBMS: MySQL WS: ???????????? Attacker Model 6 EXPLOITS RECON ATTACK FAILED

Effectiveness of Migration-based Moving Target Defense in Cyber Systems OS: Windows 10 DBMS: Oracle WS: Microsoft IIS OS: Windows 10 DBMS: Oracle WS: Microsoft IIS Defender Model 7 TIME TO MIGRATE! OS: Red Hat Linux DBMS: MySQL WS: Apache Tomcat PLATFORMS

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Model Parameters 8 Dimensions of Attacker Capabilities Recon Skill Arsenal Size Dimensions of Defender Capabilities Migration Rate Platform Diversity

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Problem Statement 9

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Migration Strategies Maximal Diversity: Select uniformly at random from all available platforms, without replacement Top-k Performers: Select uniformly at random from the k highest-performing platforms, without replacement Maximal Performance: Select the highest-performing platform and never migrate 10 Platform Diversity

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Experimental Setup 11

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Results: Maximal Performance 12 Reconnaissance skill Utility Arsenal size

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Results: Maximal Diversity 13 Reconnaissance skill Utility Arsenal size Migration rate

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Results: Top-k Performers 14 Reconnaissance skill Utility Arsenal size Migration rate

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Summary of Contributions We study the effectiveness of migration-based moving target defense under a more nuanced representation of attacker and defender behaviors and capabilities We develop a model of defender utility that captures the tradeoff between system security and performance when implementing platform migration defense We perform simulation experiments to evaluate the effectiveness of different migration strategies against attackers of varying capabilities 15

Effectiveness of Migration-based Moving Target Defense in Cyber Systems Future Work Consider cross-platform attacks or multi-stage attacks that maintain persistence when the system migrates Model the attacker’s acquisition of new exploits Allow learning from past observations, e.g. the attacker could learn the defender’s migration strategy, or the defender could learn which exploits are in the attacker’s arsenal 16

Effectiveness of Migration-based Moving Target Defense in Cyber Systems 17 Questions? Brian Thompson