Valkyrie: A Response Framework to Augment Runtime Detection of Time-Progressive Attacks
Abstract
A popular approach to detect cyberattacks is to monitor systems in real-time to identify malicious activities as they occur. While these solutions aim to detect threats early, minimizing damage, they suffer from a significant challenge due to the presence of false positives. False positives have a detrimental impact on computer systems, which can lead to interruptions of legitimate operations and reduced productivity. Most contemporary works tend to use advanced Machine Learning and AI solutions to address this challenge. Unfortunately, false positives can, at best, be reduced but not eliminated. In this paper, we propose an alternate approach that focuses on reducing the impact of false positives rather than eliminating them. We introduce Valkyrie, a framework that can enhance any existing runtime detector with a post-detection response. Valkyrie is designed for time-progressive attacks, such as micro-architectural attacks, rowhammer, ransomware, and cryptominers, that achieve their objectives incrementally using system resources. As soon as an attack is detected, Valkyrie limits the allocated computing resources, throttling the attack, until the detector's confidence is sufficiently high to warrant a more decisive action. For a false positive, limiting the system resources only results in a small increase in execution time. On average, the slowdown incurred due to false positives is less than 1% for single-threaded programs and 6.7% for multi-threaded programs. On the other hand, attacks like rowhammer are prevented, while the potency of micro-architectural attacks, ransomware, and cryptominers is greatly reduced.