Thus, EA aims to find a server configuration having the least number of security vulnerabilities (according to ZAP). I do not see where the connection between EA and MTD is? Is it necessary to describe MTD in your paper? I wonder if you could write that you are looking only for the best server configuration parameters? If so, the section "state of the art" should discuss existing approaches to the problem of server configuration optimization rather than moving target defense techniques.