ε-Indistinguishability In Moving Target Defense: Framework, Algorithms, And Cloud Case Studies

📅 2026-07-15
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the lack of quantitative security guarantees in Moving Target Defense (MTD) regarding the indistinguishability of runtime configurations based on observable features such as latency. It formalizes MTD security as the problem of finding the largest ε-approximate subset within the Cartesian product of component choices. Leveraging an additive utility model, pairwise indistinguishability is transformed into a densest window query over sumsets. The authors propose four scalable algorithms—full enumeration, meet-in-the-middle, FFT-based convolution, and Monte Carlo sampling—capable of handling configuration spaces ranging from 10¹ to 10³⁸. Empirical evaluation in real cloud environments reveals that unmasked rotation among four serverless runtimes achieves only three-way anonymity, whereas a 27-configuration, three-tier architecture, where latency differences are absorbed by database round-trips, attains nine-way effective anonymity, highlighting the critical role of system context in determining anonymity guarantees.
📝 Abstract
Moving Target Defense (MTD) assumes its pool of candidate configurations is safe to cycle among, i.e. latency and other observables do not trivially fingerprint the active choice, but this assumption has not been quantified at the pool level. We formalize this pool-safety problem as finding the largest $\varepsilon$-close subset of the Cartesian product of per-component implementation choices, reducing pairwise indistinguishability under an additive utility model to a densest-window query over a sum-set. We give four algorithms spanning the scalability spectrum -- full enumeration, meet-in-the-middle, FFT convolution, and Monte Carlo sampling -- covering configuration spaces from tens to $10^{38}$. We then measure the anonymity gap end-to-end on two production cloud case studies, and find that a component's latency differences do not survive deployment unchanged: a four-runtime serverless rotation, where nothing else masks the interpreter, collapses from four-way to three-way anonymity against a VPC-adjacent adversary, while a $27$-configuration three-tier stack, where the same interpreter differences are instead absorbed by a shared $8$~ms database round-trip, delivers nine-way effective anonymity. The framework and the two case studies together suggest a diagnostic for MTD design: rotating a component adds anonymity only if the latency differences among its variants are too small for the adversary to identify.
Problem

Research questions and friction points this paper is trying to address.

Moving Target Defense
ε-Indistinguishability
configuration pool safety
latency fingerprinting
anonymity
Innovation

Methods, ideas, or system contributions that make the work stand out.

ε-Indistinguishability
Moving Target Defense
Anonymity Quantification
Latency Fingerprinting
Configuration Space Sampling