Technical Report CS-2016-04

Title: Toward an Evidence-based Design for Reactive Security Policies and Mechanisms
Authors: Omer Katz, Benjamin Livshits
PDFNot Available
Abstract: As malware, exploits, and cyber-attacks advance over time, so does the mitigation techniques available to the user. However, while attackers often abandon one form of exploitation in favor of a more lucrative one, mitigation techniques are rarely abandoned. Mitigations are rarely retired or disabled since proving they have outlived their usefulness is often impossible. As a result, performance overheads, maintenance costs, and false positive rates induced by the different mitigations accumulate, culminating in an outdated, inefficient, and costly security solution. We advocate for a new kind of tunable framework on which to base security mechanisms. This new framework enables a more reactive approach to security allowing us to optimize the deployment of security mechanisms based on the current state of attacks. Based on actual evidence of exploitation collected from the field, our framework can choose which mechanisms to enable/disable so that we can minimize the overall costs and false positive rates while maintaining a satisfactory level of security in the system. We use real-world Snort signatures to simulate the benefits of reactively disabling signatures when no evidence of exploitation is observed and compare them to the costs of the current state of deployment. Additionally, we evaluate the responsiveness of our framework and show that in case disabling a security mechanism triggers a reappearance of an attack we can respond in time to prevent mass exploitation. Through a series of large-scale simulations that use integer linear and Bayesian solvers, we discover that our responsive strategy is both computationally affordable and results in significant reductions in false positives, at the cost of introducing a moderate number of false negatives. Through measurements performed in the context of large-scale simulations we find that the time to find the optimal sampling strategy is mere seconds for the non-overlap case and under 2.5 minutes in 98% of overlap cases. The reduction in the number of false positives is significant (about 9.2 million removed over traces that are about 9 years long). The reduction in false positive rates in about 20%.
CopyrightThe above paper is copyright by the Technion, Author(s), or others. Please contact the author(s) for more information

Remark: Any link to this technical report should be to this page (, rather than to the URL of the PDF files directly. The latter URLs may change without notice.

To the list of the CS technical reports of 2016
To the main CS technical reports page

Computer science department, Technion