Security: Doing Whatever is Needed... and Not a Thing More!

TL;DR

This paper proposes a reactive, tunable security framework that dynamically enables or disables mitigation mechanisms based on real-time attack evidence, reducing false positives and costs while maintaining security.

Contribution

It introduces a novel adaptive security framework that optimizes mitigation deployment using real-world attack evidence and large-scale simulations.

Findings

Reduces false positives by approximately 20%.

Responds effectively to attack reappearances in real-time.

Computationally efficient with quick sampling strategy optimization.

Abstract

As malware, exploits, and cyber-attacks advance over time, so do the mitigation techniques available to the user. However, while attackers often abandon one form of exploitation in favor of a more lucrative one, mitigation techniques are rarely abandoned. Mitigations are rarely retired or disabled since proving they have outlived their usefulness is often impossible. As a result, performance overheads, maintenance costs, and false positive rates induced by the different mitigations accumulate, culminating in an outdated, inefficient, and costly security solution. We advocate for a new kind of tunable framework on which to base security mechanisms. This new framework enables a more reactive approach to security allowing us to optimize the deployment of security mechanisms based on the current state of attacks. Based on actual evidence of exploitation collected from the field, our framework can choose which mechanisms to enable/disable so that we can minimize the overall costs and false positive rates while maintaining a satisfactory level of security in the system. We use real-world Snort signatures to simulate the benefits of reactively disabling signatures when no evidence of exploitation is observed and compare them to the costs of the current state of deployment. Additionally, we evaluate the responsiveness of our framework and show that in case disabling a security mechanism triggers a reappearance of an attack we can respond in time to prevent mass exploitation. Through large-scale simulations that use integer linear and Bayesian solvers, we discover that our responsive strategy is both computationally affordable and results in significant reductions in false positives (~20% over traces that are about 9 years long), at the cost of introducing a moderate number of false negatives. Finding the optimal sampling strategy takes less than 2.5 minutes in the vast majority of cases.