Moving-Target Defense (March/April 2014)
Abstract submissions due to the guest editors: 1 June 2013
Articles due to ScholarOne: 1 July 2013
Hitting a moving target is usually more difficult than hitting a stationary one. In World War II, naval ships zigzagged through the water to make it harder for submarines to torpedo them, and Hedy Lamarr and George Antheil's invention of frequency-hopping eventually made radio communications harder to jam. But some defensive techniques—like zigzagging—are soon negated by effective countermeasures. So how can we embrace a moving-target defense that has promise for long-term effectiveness?
Typically, in a moving-target defense, some aspect of the computing environment on which an attacker depends changes either over time or between systems. Rather than just trying to remove all vulnerabilities, software (or hardware) diversification hopes to make the attacker work harder by forcing them to find the vulnerability anew in each system. For example, techniques such as address space layout randomization (ASLR) can change vulnerabilities' locations in a single system over time.
Moving-target defense in cyberspace has been an announced priority for research programs for several years. An increasing number of techniques have been proposed, and some (such as ASLR) have been widely deployed. This special issue of IEEE Security & Privacy magazine seeks papers that characterize the state of the art and future directions in moving-target defense. Papers should address questions such as:
- How does the technique work? Can it avoid attacks or just delay them? What moves and how often, and how can the added work for the attacker be characterized? What kinds of countermeasures might the attacker take in response to a moving-target defense?
- Are there generalizable, science-based techniques that move beyond heuristics?
- What kinds of costs, resource constraints, and administrative burdens does the technique impose, and on whom?
- Diversification has long been practiced in the reliability and safety communities, where models have been developed and substantial data exists. What can we learn from these practices, and where can they be applied to security and privacy?
- What experience has there been with the deployment of a moving-target technique? In particular, how might the technique be evaluated and its effectiveness compared with alternative techniques?
We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform the next generation.
Submissions will be subject to the IEEE Computer Society's peer-review process. Articles should be at most 6,000 words, with a maximum of 15 references, and should be understandable to a broad audience of people interested in security and privacy. The writing style should be down to earth, practical, and original. Authors should not assume that the audience will have specialized experience in a particular subfield. All accepted articles will be edited according to the IEEE Computer Society style guide. Submit your papers to Manuscript Central at https://mc.manuscriptcentral.com/cs-ieee.
Contact the Guest Editors: