A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develops strategies specifying the temporal ordering of resource investments that bring targeted zero-day exploits into existence. Attacker response to two defender temporal platform migration scheduling policies is examined. In the first defender scheduling policy, the defender selects the active platform in each match uniformly at random from a pool of available platforms. In the second policy, the defender schedules each successive platform to maximize the diversity of the source code presented to the attacker. Adaptive attacker response strategies are modeled by finite state machine (FSM) constructs that evolve during simulated play against defender strategies via an evolutionary algorithm. It is demonstrated that the attacker learns to invest heavily in exploit creation for the platform with the least similarity to other platforms when faced with a diversity defense, while avoiding investment in exploits for this least similar platform when facing a randomization defense. Additionally, it is demonstrated that the diversity-maximizing defense is superior for shorter duration attacker-defender engagements, but performs sub-optimally in extended attacker-defender interactions.
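The two defender scheduling policies can be compared by how often each platform ends up active. The sketch below is an added illustration, not code from the paper. It assumes that "maximize diversity" means greedily picking the platform least similar to the currently active one, and the platform names and similarity values are constructed.

```python
import random
from collections import Counter

# Constructed pairwise source-code similarity (0..1); not taken from the paper.
PLATFORMS = ["A", "B", "C", "D"]
SIM = {
    ("A", "B"): 0.80, ("A", "C"): 0.70, ("A", "D"): 0.10,
    ("B", "C"): 0.75, ("B", "D"): 0.15, ("C", "D"): 0.20,
}

def similarity(p, q):
    """Symmetric lookup into the constructed similarity table."""
    if p == q:
        return 1.0
    return SIM[(p, q)] if (p, q) in SIM else SIM[(q, p)]

def random_schedule(n, rng):
    """Policy 1: active platform drawn uniformly at random each match."""
    return [rng.choice(PLATFORMS) for _ in range(n)]

def diversity_schedule(n, start):
    """Policy 2 (assumed greedy reading): the next platform is the one
    least similar to the platform that is active now."""
    schedule = [start]
    while len(schedule) < n:
        cur = schedule[-1]
        candidates = [p for p in PLATFORMS if p != cur]
        schedule.append(min(candidates, key=lambda p: similarity(cur, p)))
    return schedule

def least_similar_platform():
    """Platform with the lowest mean similarity to all the others."""
    def mean_sim(p):
        others = [q for q in PLATFORMS if q != p]
        return sum(similarity(p, q) for q in others) / len(others)
    return min(PLATFORMS, key=mean_sim)

def exposure(schedule):
    """Fraction of matches in which each platform was the active one."""
    counts = Counter(schedule)
    return {p: counts[p] / len(schedule) for p in PLATFORMS}

if __name__ == "__main__":
    print("least similar platform:", least_similar_platform())
    print("random   :", exposure(random_schedule(10000, random.Random(1))))
    print("diversity:", exposure(diversity_schedule(10000, "B")))
```

With these constructed values the greedy diversity schedule returns to the least similar platform every other match, while the random schedule exposes each platform about a quarter of the time. A defender reviewing a migration schedule can use the same exposure count to see which platform a diversity policy makes most predictable.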