Moving-Target-Defense based Security Mechanisms: A System Management Perspective

The term "moving" in Moving-Target-Defense (MTD) mechanisms for enhanced security of networked systems can refer to a variety of things. Often, dynamic changes in the system mechanisms that do not involve a physical and/or logical movement of network assets (e.g., IP addresses) to evade attacks come too under the realm of MTD. In this paper, we characterize MTD mechanisms as orchestrated in three different forms. First, at network algorithm level that involves a dynamic switching from one instance of distributed algorithm to another instance to obfuscate the internal message flows. Second, MTD can be at a functional level where a network service behavior itself dynamically changes, as captured in the application program interfaces and parameter mappings, to deter information flow attacks. Third, MTD can manifest as a physical/logical relocation of computational nodes dynamically in the infrastructure-level topology, to reduce the vulnerability of critical nodes.The paper illustrates these manifestations of MTD from our experiences on realizing adaptive fault-tolerance and security in Content Distribution Networks.