Learning When to Say Goodbye: What Should be the Shelf Life of an Indicator of Compromise?
Breno Tostes, Leonardo Ventura, Enrico Lovat, Matheus Martins, Daniel Sadoc Menasché

TL;DR
This paper evaluates real-world data to determine optimal time-to-live thresholds for Indicators of Compromise, balancing detection efficacy and resource costs, thus informing better IOC management strategies.
Contribution
It introduces the first real-world evaluation of IOC aging thresholds using extensive traffic data, enhancing the realism of IOC decay models.
Findings
Identified thresholds for IOC TTL based on miss and monitoring costs
Demonstrated benefits of finite IOC lifespan for cybersecurity systems
Provided empirical data to inform IOC decay modeling
Abstract
Indicators of Compromise (IOCs), such as IP addresses, file hashes, and domain names associated with known malware or attacks, are cornerstones of cybersecurity, serving to identify malicious activity on a network. In this work, we leverage real data to compare different parameterizations of IOC aging models. Our dataset comprises more than one year of traffic from a real environment. Among our trace-driven findings, we determine thresholds for the ratio of miss cost to monitoring cost above or below which the system benefits from storing IOCs for a finite time-to-live (TTL) before eviction. To the best of our knowledge, this is the first real-world evaluation of thresholds related to IOC aging, paving the way towards realistic IOC decay models.
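As an added illustration of the trade-off the abstract describes (this is not the paper's model, data or code): a toy cost accounting over a constructed sighting trace, where every stored IOC-day costs monitor_cost and every sighting of an already-evicted IOC costs miss_cost, so the cheapest TTL moves from short to infinite as the miss/monitor cost ratio grows. The eviction policy (refresh on hit, evict ttl days after the last hit, re-insert on a miss), the sample sightings and the 90-day horizon are all assumptions.

```python
# Constructed sample trace: the days on which each IOC was seen in traffic
# over a 90-day window (made-up data, not the paper's dataset).
SIGHTINGS = {
    "ioc-A": [0, 1, 2, 3, 40],          # burst of hits, then a late return
    "ioc-B": [5, 6],                    # short-lived
    "ioc-C": [10, 20, 30, 40, 50, 60],  # periodic activity
    "ioc-D": [15],                      # seen once
}
HORIZON = 90

def total_cost(sightings, ttl, miss_cost, monitor_cost, horizon=HORIZON):
    """Cost of keeping each IOC for `ttl` days after its last sighting.
    Assumed model: an IOC enters the watchlist at its first sighting, is
    refreshed by every sighting that arrives while it is stored, and is
    evicted `ttl` days after the last refresh (ttl=None: never evict).
    A sighting that arrives after eviction is a miss (charged miss_cost)
    and re-inserts the IOC. Each stored IOC-day costs monitor_cost.
    Returns (cost, misses, stored_days).
    """
    misses = stored_days = 0
    for days in sightings.values():
        start = expires = None  # current storage window [start, expires)
        for d in sorted(days):
            if expires is not None and d >= expires:  # evicted before hit
                stored_days += expires - start
                misses += 1
                start = None
            if start is None:
                start = d
            expires = None if ttl is None else d + ttl
        end = horizon if expires is None else min(expires, horizon)
        stored_days += end - start
    return misses * miss_cost + stored_days * monitor_cost, misses, stored_days

def best_ttl(sightings, candidates, miss_cost, monitor_cost):
    """TTL (None = keep forever) with the lowest total cost on this trace."""
    return min(candidates,
               key=lambda t: total_cost(sightings, t, miss_cost, monitor_cost)[0])

def breakeven_ratio(sightings, ttl, horizon=HORIZON):
    """Miss/monitor cost ratio above which never evicting beats `ttl`.
    Below it the finite TTL is cheaper; above it the misses it causes cost
    more than the monitoring it saves. Requires `ttl` to cause >= 1 miss.
    """
    _, m_fin, d_fin = total_cost(sightings, ttl, 1, 1, horizon)
    _, m_inf, d_inf = total_cost(sightings, None, 1, 1, horizon)
    return (d_inf - d_fin) / (m_fin - m_inf)
```

Sweeping `best_ttl(SIGHTINGS, [7, 14, 30, None], ratio, 1)` over ratios 1, 20 and 300 picks 7, 14 and None respectively, and `breakeven_ratio(SIGHTINGS, 14)` gives the ratio (206 here) at which a 14-day TTL and an infinite TTL cost the same on this trace.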
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Network Packet Processing and Optimization
