DOI: 10.1145/2663474.2663475
keynote

No free lunch in cyber security

Published: 03 November 2014

Abstract

Confidentiality, integrity and availability (CIA) are traditionally considered to be the three core goals of cyber security. By developing probabilistic models of these security goals we show that:
  • the CIA goals are actually specific operating points in a continuum of possible mission security requirements;
  • component diversity, including certain types of Moving Target Defenses, versus component hardening as security strategies can be quantitatively evaluated;
  • approaches for diversity can be formalized into a rigorous taxonomy.

Such considerations are particularly relevant for so-called Moving Target Defense (MTD) approaches that seek to adapt or randomize computer resources in a way to delay or defeat attackers. In particular, we explore tradeoffs between confidentiality and availability in such systems that suggest improvements in one may come at the expense of the other. In other words, there is "No Free Lunch" in cyber security.

Published In

MTD '14: Proceedings of the First ACM Workshop on Moving Target Defense
November 2014
116 pages
ISBN:9781450331500
DOI:10.1145/2663474

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. availability
  2. confidentiality
  3. diversity
  4. formal models
  5. integrity
  6. moving targets
  7. security metrics

Qualifiers

  • Keynote

Conference

CCS'14

Acceptance Rates

MTD '14 Paper Acceptance Rate 9 of 16 submissions, 56%;
Overall Acceptance Rate 40 of 92 submissions, 43%
