IEEE Security & Privacy Magazine
Special Issue on Moving-Target Defense
Call for Papers

(Optional) Abstract submissions due to the guest editors: 1 June 2013
Articles due to ScholarOne: 1 July 2013
Publication date: March/April 2014
Author guidelines:
Submit papers to ScholarOne at
Questions: Contact guest editors Luanne Goldrich (Johns Hopkins
University Applied Physics Laboratory, and
Carl Landwehr (George Washington University,

Hitting a moving target is usually more difficult than hitting a
stationary one. In World War II, naval ships zigzagged through the
water to make it harder for submarines to torpedo them, and Hedy
Lamarr and George Antheil’s invention of frequency-hopping eventually
made radio communications harder to jam. But some defensive
techniques—like zigzagging—are soon negated by effective
countermeasures. So how can we embrace a moving-target defense that
has promise for long-term effectiveness?

Typically, in a moving-target defense, some aspect of the computing
environment on which an attacker depends changes either over time or
between systems. Rather than just trying to remove all
vulnerabilities, software (or hardware) diversification hopes to make
the attacker work harder by needing to find the vulnerability anew in
each system. For example, techniques such as address space layout
randomization (ASLR) can change vulnerabilities’ locations in a single
system over time.

Moving-target defenses in cyberspace have been an announced priority
for research programs for several years, and increasing numbers of
techniques have been proposed and some (such as ASLR) have been widely
deployed. This special issue of IEEE Security & Privacy magazine seeks
papers that characterize the state of the art and future directions in
moving-‐target defense. Papers should address questions such as:

 - How does the technique work? Can it avoid attacks or just delay
them? What moves and how often, and how can the added work for the
attacker be characterized? What kinds of countermeasures might the
attacker take in response to a moving-‐target defense?

 - Are there generalizable, science-based techniques that move beyond

 - What kinds of costs, resource constraints, and administrative
burdens does the technique impose, and on whom?

 - Diversification has long been practiced in the reliability and
safety communities, where models have been developed and substantial
data exists. What can we learn from these practices, and where can
they be applied to security and privacy?

 - What experience has there been with the deployment of a
moving-target technique? In particular, how might the technique be
evaluated and its effectiveness compared with alternative techniques?

We welcome case studies, experience reports, practices, research
results, and standards reports. Our readers are eager to hear about
industry experiences, especially resulting from empirical studies that
help us learn how past successes and failures should inform the next

Submission Guidelines

Submissions will be subject to the IEEE Computer Society's
peer-review process. Articles should be at most 6,000 words, with a
maximum of 15 references, and should be understandable to a broad
audience of people interested in security, privacy, and dependability.
The writing style should be down to earth, practical, and original.
Authors shouldn’t assume that the audience will have specialized
experience in a particular subfield. All accepted articles will be
edited by a staff editor according to the IEEE Computer Society style