A Cost-Based Mechanism for Evaluating the Effectiveness of Moving Target Defenses

  • M. Patrick Collins
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7638)


We propose a means for evaluating the strength of network-based moving target defenses using a general model of tag switching. Tag switching breaks the network into tags (labels for entities on the network) and assets (hosts present on the network) whose relationshps are moderated by lookup protocols, such as DNS, ARP or BGP. Lookup protocols hide the relationship between tags and assets, and are already used to provide dynamic asset allocation for scaling and defense. Our model provides a generalize means for describing tags and assets within tag spaces defined by the defender and then quantifies the attacker’s ability to manipulate a network within a tag space. Defenders manipulate the tag/asset relationship over time using one of a number of moving target defenses. The impact of these defenses is quantifiable and can be used to determine how effective different defensive postures will be.


Defensive Strategy Content Distribution Network Intelligence Gathering Dynamic Asset Allocation DARPA Information Survivability 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Antonatos, S., Akritidis, P., Markatos, E.P.: Defending against hitlist worms using network address space randomization. In: Proceedings of the 3rd ACM Workshop on Rapid Malcode (WORM) (2005)Google Scholar
  2. 2.
    Antonatos, S., Anagnostakis, K.G.: TAO: Protecting against Hitlist Worms Using Transparent Address Obfuscation. In: Leitold, H., Markatos, E.P. (eds.) CMS 2006. LNCS, vol. 4237, pp. 12–21. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Caglayan, A., Toothaker, M., Drapaeau, D., Burke, D., Eaton, G.: Behavioral analysis of fast flux service networks. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies (2009)Google Scholar
  4. 4.
    Cai, J.-Y., Yegneswaran, V., Alfeld, C., Barford, P.: An Attacker-Defender Game for Honeynets. In: Ngo, H.Q. (ed.) COCOON 2009. LNCS, vol. 5609, pp. 7–16. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Cárdenas, A., Baras, J., Seamon, K.: A framework for evaluation of intrusion detection systems. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy (2006)Google Scholar
  6. 6.
    Collins, M.: Payoff based ids evaluation. In: Proceedings of the 2nd Annual CSET Workshop on Computer Security Experimentation and Test (2009)Google Scholar
  7. 7.
    Davis, B.: Leveraging the load balancer to fight DDoS. In: SANS GIAC Gold Certification Report (2009)Google Scholar
  8. 8.
    Gaffney, J., Ulvila, J.: Evaluation of intrusion detectors: A decision theory approach. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy (2001)Google Scholar
  9. 9.
    Kewley, D., Fink, R., Lowry, J., Dean, M.: Dynamic approaches to thwart adversary intelligence gathering. In: DARPA Information Survivability Conference and Exposition, vol. 1 (2001)Google Scholar
  10. 10.
    Krishnamurthy, B., Wills, C., Zhang, Y.: On the use and performance of content distribution networks. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement (2001)Google Scholar
  11. 11.
    Moore, T., Clayton, R.: Examining the impact of website take-down on phishing. In: Proceedings of the Anti-phishing Working Groups 2nd Annual eCrime Researchers Summit (2007)Google Scholar
  12. 12.
    Shin, S., Gu, G.: Conficker and beyond: a large-scale empirical study. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC 2010 (2010)Google Scholar
  13. 13.
    Stolfo, S., Fan, W., Lee, W., Prodromidis, A., Chan, P.: Cost-based modeling for fraud and intrusion detection: Results from the JAM project. In: Proceedings of the 2000 DARPA Information Survivability Conference and Exposition (2000)Google Scholar
  14. 14.
    Tyma, P.: The architecture of mailinatorGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • M. Patrick Collins
    • 1
  1. 1.RedJack LLCSilver SpringUSA

Personalised recommendations