Adaptive Attacker Strategy Development Against Moving Target Cyber Defenses
Authors
Abstract
A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develops strategies specifying the temporal ordering of resource investments that bring targeted zero-day exploits into existence. Attacker responses to two defender temporal platform migration scheduling policies are examined. In the first defender scheduling policy, the defender selects the active platform in each match uniformly at random from a pool of available platforms. In the second policy, the defender schedules each successive platform to maximize the diversity of the source code presented to the attacker. Adaptive attacker response strategies are modeled by finite state machine (FSM) constructs that evolve during simulated play against defender strategies via an evolutionary algorithm. It is demonstrated that the attacker learns to invest heavily in exploit creation for the platform with the least similarity to other platforms when faced with a diversity defense, while avoiding investment in exploits for this least similar platform when facing a randomization defense. Additionally, it is demonstrated that the diversity-maximizing defense is superior for shorter duration attacker-defender engagements, but performs sub-optimally in extended attacker-defender interactions.

ABOUT THE AUTHORS

Dr. Michael L. Winterrose is a researcher in the Cyber Systems and Technology Group at MIT Lincoln Laboratory. He is primarily interested in developing models and techniques to aid in the understanding and shaping of adversarial dynamics observed in the cyber domain. Dr. Winterrose’s research interests include advanced simulation techniques, game theory, complex systems modeling, and artificial intelligence with an emphasis on learning.

Dr. Kevin M. Carter is an Assistant Group Leader in the Cyber Systems and Technology Group at MIT Lincoln Laboratory. He leads efforts focused on developing models and analytics for the purposes of network security, situational awareness, anomaly detection, and decision support. His research interests include statistical signal processing, pattern recognition and machine learning applied to cyber network and system data.

Dr. Neal Wagner is a researcher in the Cyber Systems and Technology Group at MIT Lincoln Laboratory. His focus lies in developing and applying computational intelligence techniques for problems in the cyber domain. Specifically, he is interested in bio-inspired and heuristic algorithms for real-world scale applications of optimization, prediction, and simulation.

Dr. William Streilein is an Assistant Group Leader in the Cyber Systems and Technology Group at MIT Lincoln Laboratory, where he manages research and development efforts focused on delivering capabilities and technologies for cyber reasoning and response. His research interests include machine learning and modeling and simulation, especially as applied to problems in cybersecurity, security metrics, and cyber moving target.

1 This work is sponsored by the Department of Defense under Air Force Contract FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
Similar resources
Moving Target Techniques: Leveraging Uncertainty for Cyber Defense
Securing critical computer systems against cyber attacks is a continual struggle for system managers. Attackers often need only find one vulnerability (a flaw or bug that an attacker can exploit to penetrate or disrupt a system) to successfully compromise systems. Defenders, however, have the technically difficult task of discovering and fixing every vulnerability in a complex system, which usu...
Empirical Game-Theoretic Analysis of an Adaptive Cyber-Defense Scenario (Preliminary Report)
We investigate an adaptive cyber-defense scenario, where an attacker’s ability to compromise a targeted server increases progressively with probing, and the defender can erase attacker progress through a moving-target technique. The environment includes multiple resources, interdependent preferences, and asymmetric stealth. By combining systematic simulation over a strategy space with game-theo...
Effectiveness of Moving Target Defenses
Moving target defenses have been proposed as a way to make it much more difficult for an attacker to exploit a vulnerable system by changing aspects of that system to present attackers with a varying attack surface. The hope is that constructing a successful exploit requires analyzing properties of the system, and that in the time it takes an attacker to learn those properties and construct the...
Symbiotes and defensive Mutualism: Moving Target Defense
If we wish to break the continual cycle of patching and replacing our core monoculture systems to defend against attacker evasion tactics, we must redesign the way systems are deployed so that the attacker can no longer glean the information about one system that allows attacking any other like system. Hence, a new poly-culture architecture that provides complete uniqueness for each distinct de...
Strategic evolution of adversaries against temporal platform diversity active cyber defenses
Adversarial dynamics are a critical facet within the cyber security domain, in which there exists a co-evolution between attackers and defenders in any given threat scenario. While defenders leverage capabilities to minimize the potential impact of an attack, the adversary is simultaneously developing countermeasures to the observed defenses. In this study, we develop a set of tools to model th...
Journal title:
- CoRR
Volume abs/1407.8540 Issue
Pages -
Publication date 2014