Adaptive Attacker Strategy Development Against Moving Target Cyber Defenses

A model of strategy formulation is used to study how an adaptive attacker learns to overcome a moving target cyber defense. The attacker-defender interaction is modeled as a game in which a defender deploys a temporal platform migration defense. Against this defense, a population of attackers develop strategies specifying the temporal ordering of resource investments that bring targeted zero-day exploits into existence. Attacker response to two defender temporal platform migration scheduling policies are examined. In the first defender scheduling policy, the defender selects the active platform in each match uniformly at random from a pool of available platforms. In the second policy the defender schedules each successive platform to maximize the diversity of the source code presented to the attacker. Adaptive attacker response strategies are modeled by finite state machine (FSM) constructs that evolve during simulated play against defender strategies via an evolutionary algorithm. It is demonstrated that the attacker learns to invest heavily in exploit creation for the platform with the least similarity to other platforms when faced with a diversity defense, while avoiding investment in exploits for this least similar platform when facing a randomization defense. Additionally, it is demonstrated that the diversity-maximizing defense is superior for shorter duration attacker-defender engagements, but performs sub-optimally in extended attacker-defender interactions.

💡 Research Summary

The paper presents a rigorous game‑theoretic and evolutionary‑computing study of how an adaptive attacker learns to defeat a moving‑target cyber‑defense (MTD). The defender employs a temporal platform‑migration strategy, switching the active operating system or service platform at each interaction. Two scheduling policies are examined: (1) Random Migration, where the active platform for each match is drawn uniformly from a pool of available platforms, and (2) Diversity‑Maximizing Migration, where the defender deliberately selects the next platform to minimize source‑code similarity with the previously used one, thereby maximizing the diversity of the attack surface presented to the adversary.

Attackers must invest limited development resources to create zero‑day exploits for the platforms they expect to encounter. To model attacker strategy formation, the authors use finite‑state machines (FSMs) whose states encode the current platform and remaining resource budget, while transitions dictate the ordering of future investments. A population of FSMs evolves through a genetic algorithm: fitness is measured by the number of successful compromises achieved during simulated matches against the defender, and selection, crossover, and mutation generate successive generations.

Simulation experiments span a range of engagement lengths (from 50 to 200 rounds) and platform pool sizes (3–5 distinct platforms). Results reveal distinct adaptive behaviors under the two defender policies. Against Random Migration, attackers concentrate their exploit development on the most frequently appearing platforms, effectively “frequency‑based learning,” and largely ignore rarely selected platforms. In contrast, under Diversity‑Maximizing Migration, the platform with the lowest code similarity appears infrequently, yet over longer engagements attackers evolve FSMs that allocate substantial resources to this “sparse” platform. The rationale is that mastering the rare platform yields a disproportionate payoff because it reduces the defender’s ability to predict the attacker’s focus, thereby increasing overall success rates.

A key finding concerns the impact of engagement duration. For short engagements (≈50 rounds), the diversity‑maximizing policy significantly curtails attacker success—by roughly 30 % compared with random migration—by limiting the time available for the attacker to evolve effective FSMs. However, as the number of rounds grows, the attacker’s evolutionary process catches up: by ≈150–200 rounds the attacker’s fitness under the diversity policy matches or exceeds that under random migration. This demonstrates that a purely diversity‑driven MTD is advantageous only when the defender expects brief, intermittent attacks; it becomes sub‑optimal in prolonged, persistent threat scenarios.

The study also explores resource‑allocation sensitivity. When attackers allocate resources uniformly across platforms, success rates are lower than when they concentrate investment on a subset of platforms—especially under the diversity policy, where focusing on the least similar platform yields the highest payoff. This suggests that attackers adaptively shift from a “spread‑thin” to a “focus‑deep” strategy as they learn the defender’s scheduling pattern.

Overall, the paper contributes three practical insights for MTD design: (1) Policy Choice Matters – the defender’s scheduling algorithm directly shapes attacker learning dynamics; (2) Engagement Length is Critical – short‑term diversity can be a strong deterrent, but long‑term engagements allow attackers to overcome diversity through evolution; (3) Resource‑Allocation Interplay – understanding how attackers allocate development effort can inform the selection of platform pools and migration frequencies.

The authors conclude by recommending that MTD implementations incorporate adaptive timing (e.g., randomizing the duration of each platform’s tenure) and consider hybrid policies that blend randomness with controlled diversity. Future work is outlined to validate the findings with real‑world vulnerability data, extend the model to multi‑defender and multi‑attacker ecosystems, and explore defensive learning mechanisms that anticipate attacker evolution.