Indicators of Compromise (IOCs), such as IP addresses, file hashes, and domain names associated with known malware or attacks, are cornerstones of cybersecurity, serving to identify malicious activity on a network. In this work, we leverage real data to compare different parameterizations of IOC aging models. Our dataset comprises traffic from a real environment collected over more than 1 year. Among our trace-driven findings, we determine thresholds for the ratio of miss cost to monitoring cost above which the system benefits from storing IOCs for a finite time-to-live (TTL) before eviction. To the best of our knowledge, this is the first real-world evaluation of thresholds related to IOC aging, paving the way towards realistic IOC decaying models.
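As an added illustration, not the paper's model, code or data, the following replays a constructed IOC sighting trace under fixed-TTL aging policies and sweeps the miss-to-monitoring cost ratio to locate the threshold at which a finite TTL beats immediate eviction, and the higher threshold at which storing forever wins. The cost model (one unit per IOC-hour monitored, `ratio` units per sighting of an IOC that was not on the watch list), the sample trace, the observation horizon and the candidate TTLs are all assumptions made for the example.

```python
import math

# Constructed sample trace (hours): indicator -> sorted sighting times. Not real data.
TRACE = {
    "ip-A": [0, 2, 5, 30, 31, 200],
    "hash-B": [10, 12, 14, 16],
    "domain-C": [50, 400],
}
HORIZON = 500  # end of the observation window, in hours (assumed)


def simulate(trace, ttl, horizon=HORIZON):
    """Replay the trace under a fixed-TTL aging policy.

    Each sighting (re)starts a TTL timer and the IOC is monitored while it runs.
    A sighting that arrives after the timer expired (or the first sighting ever)
    is a miss: the IOC was not on the watch list at that moment.
    Returns (ioc_hours_monitored, misses)."""
    monitored, misses = 0.0, 0
    for times in trace.values():
        stored_until = -math.inf
        for t in times:
            if t >= stored_until:
                misses += 1
            new_until = min(t + ttl, horizon)          # clip to the window
            monitored += max(0.0, new_until - max(t, stored_until))
            stored_until = max(stored_until, new_until)
    return monitored, misses


def cost(trace, ttl, ratio, horizon=HORIZON):
    """Total cost: monitoring normalised to 1 per IOC-hour, a miss costs `ratio`."""
    monitored, misses = simulate(trace, ttl, horizon)
    return monitored + ratio * misses


def best_ttl(trace, ratio, candidates, horizon=HORIZON):
    """Cheapest candidate TTL for this cost ratio; ties go to the shorter TTL."""
    return min(candidates, key=lambda ttl: (cost(trace, ttl, ratio, horizon), ttl))


def ttl_thresholds(trace, candidates, ratios, horizon=HORIZON):
    """Smallest ratio at which a finite positive TTL beats immediate eviction, and
    smallest ratio at which storing forever beats every finite TTL (None if never)."""
    finite_from = forever_from = None
    for r in ratios:
        b = best_ttl(trace, r, candidates, horizon)
        if finite_from is None and 0 < b < math.inf:
            finite_from = r
        if forever_from is None and b == math.inf:
            forever_from = r
    return finite_from, forever_from


if __name__ == "__main__":
    print(ttl_thresholds(TRACE, [0, 4, 24, 48, math.inf], range(1, 1001)))  # (7, 582)
```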