Toward an Evidence-based Design for Reactive Security Policies and Mechanisms

Omer Katz, Ben Livshits

CS-2016-04 |

As malware, exploits, and cyber-attacks advance over time, so does the mitigation techniques available to the user. However, while attackers often abandon one form of exploitation in favor of a more lucrative one, mitigation techniques are rarely abandoned. Mitigations are rarely retired or disabled since proving they have outlived their usefulness is often impossible. As a result, performance overheads, maintenance costs, and false positive rates induced by the different mitigations accumulate, culminating in an outdated, inefficient, and costly security solution.

We advocate for a new kind of tunable framework on which to base security mechanisms. This new framework enables a more reactive approach to security allowing us to optimize the deployment of security mechanisms based on the current state of attacks. Based on actual evidence of exploitation collected from the field, our framework can choose which mechanisms to enable/disable so that we can minimize the overall costs and false positive rates while maintaining a satisfactory level of security in the system.

We use real-world Snort signatures to simulate the benefits of reactively disabling signatures when no evidence of exploitation is observed and compare them to the costs of the current state of deployment. Additionally, we evaluate the responsiveness of our framework and show that in case disabling a security mechanism triggers a reappearance of an attack we can respond in time to prevent mass exploitation.

Through a series of large-scale simulations that use integer linear and Bayesian solvers, we discover that our responsive strategy is both computationally affordable and results in significant reductions in false positives, at the cost of introducing a moderate number of false negatives. Through measurements performed in the context of large-scale simulations we find that the time to find the optimal sampling strategy is mere seconds for the nonoverlap case and under 2.5 minutes in 98% of overlap cases. The reduction in the number of false positives is significant (about 9.2 million removed over traces that are about 9 years long). The reduction is false positive rates in about 20%.