Is it available a plain definition/explication of MTD suitable for not-specialists also?

As far as I understand, the concept of Mobile Target Defense is a cornerstone of the work; at the same time, it is not completely cleared (or, possibly, it is referred to a preparatory technical background). The question aims exactly to a clarification of such key-concept.

waiting for moderation
1 Answer
Accepted answer

The abstract definition of MTD is to dynamically change software or system configuration (the attack surface) to add uncertainty, unpredictability, and diversity and increase cost to the attacker.

Let me illustrate MTD first by means of analogy to gain an intuition: The "Scramble Suit" in the movie "A Scanner Darkly" http://www.dailymotion.com/video/xqrvzba-scanner-darkly-clip-scramble-suitshortfilms

A suit composed of a patchwork of images that changes continuously to thwart identification. The "Moving" would be the wearer's appearance, the "Target" the positive identification, and the "Defense" the continuous changing of images.

Let us move to the computer domain: If you have a non-changing makeup of say 4 networked computers at fixed Internet addresses, following attack pattern is very common: First an attacker does reconnaissance of the network and the computers therein by means of a port scan. This gives version & patch level information on the underlying Operating System, other services that accept connection like web servers or databases etc. The attacker then can research public vulnerabilities of these 4 systems and then connect back at those fixed IP addresses and try to hack them.

Now, one way of Moving Target Defending these 4 systems is to not give them fixed IP addresses but move the IP assignments around in the address space available (many times you have 1000's of IP addresses available to do that). If you have thousands of addresses and you move the assignment quickly enough, what the attacker learned from the reconnaissance phase is no longer useful: He/she may try to connect at the IP addresses, but the systems are no longer associated with them. Now you deduce some properties and requirements: If you can change faster than the attacker can learn your new attack surface, you can stay a step ahead - this indeed is the main motivation behind MTDs.

Now image you decide to MTD these systems differently - you do not change the fixed IP addresses, but you change the underlying Operating System - you rotate between Windows, Linux, OS X, BeOS, OpenBSD and other OS types. Now again the attacker's information is not so useful - he/she may have prepared an exploit for a Windows version, but now the OS is OSX so it would not work anymore. This is roughly similar to a thief scoping out the lock on your door and while he/she is out getting a tool for that particular lock, you change the lock type. Many more MTD techniques exist (including deception) across system dimensions and time.

Let me know if this is sufficient for understanding in the context of the manuscript.

waiting for moderation