Compromise
Leverage (statistics)
Malware
Computer science
Tracking (psycholinguistics)
Computer security
False positive paradox
Hash function
Machine learning
Social science
Linguistics
Philosophy
Sociology
Authors
Breno Tostes, Leonardo Ventura, Enrico Lovat, Matheus Martins, Daniel Sadoc Menasché
Source
Journal: Cornell University - arXiv
Date: 2023-01-01
Identifier
DOI: 10.48550/arxiv.2307.16852
Abstract
Indicators of Compromise (IOCs), such as IP addresses, file hashes, and domain names associated with known malware or attacks, are cornerstones of cybersecurity, serving to identify malicious activity on a network. In this work, we leverage real data to compare different parameterizations of IOC aging models. Our dataset comprises traffic captured in a real environment over more than 1 year. Among our trace-driven findings, we determine thresholds for the ratio of miss costs to monitoring costs such that the system benefits from storing IOCs for a finite time-to-live (TTL) before eviction. To the best of our knowledge, this is the first real-world evaluation of thresholds related to IOC aging, paving the way towards realistic IOC decay models.