Valkyrie: A Response Framework to Augment Runtime Detection of Time-Progressive Attacks

📅 2025-04-21
📈 Citations: 0
Influential: 0
🤖 AI Summary
Runtime attack detectors that monitor a system as activity occurs suffer from false positives, which interrupt legitimate operations and reduce productivity. Most recent work tries to drive the false-positive rate down with machine learning, but it can be reduced, not eliminated. This paper takes a different approach: minimize the impact of a false positive instead of its frequency. Valkyrie adds a post-detection response to any existing runtime detector, treated as a black box. It targets time-progressive attacks (micro-architectural side channels, rowhammer, ransomware, cryptominers) that reach their goal incrementally by consuming system resources. When a detector flags a process, Valkyrie restricts the computing resources allocated to it, slowing the attack, until the detector's confidence is high enough to justify a decisive action. A wrongly flagged program only runs somewhat longer: the reported slowdown from false positives is under 1% for single-threaded programs and 6.7% for multi-threaded ones, while rowhammer is prevented and the potency of micro-architectural attacks, ransomware, and cryptominers is greatly reduced.

📝 Abstract
A popular approach to detect cyberattacks is to monitor systems in real-time to identify malicious activities as they occur. While these solutions aim to detect threats early, minimizing damage, they suffer from a significant challenge due to the presence of false positives. False positives have a detrimental impact on computer systems, which can lead to interruptions of legitimate operations and reduced productivity. Most contemporary works tend to use advanced Machine Learning and AI solutions to address this challenge. Unfortunately, false positives can, at best, be reduced but not eliminated. In this paper, we propose an alternate approach that focuses on reducing the impact of false positives rather than eliminating them. We introduce Valkyrie, a framework that can enhance any existing runtime detector with a post-detection response. Valkyrie is designed for time-progressive attacks, such as micro-architectural attacks, rowhammer, ransomware, and cryptominers, that achieve their objectives incrementally using system resources. As soon as an attack is detected, Valkyrie limits the allocated computing resources, throttling the attack, until the detector's confidence is sufficiently high to warrant a more decisive action. For a false positive, limiting the system resources only results in a small increase in execution time. On average, the slowdown incurred due to false positives is less than 1% for single-threaded programs and 6.7% for multi-threaded programs. On the other hand, attacks like rowhammer are prevented, while the potency of micro-architectural attacks, ransomware, and cryptominers is greatly reduced.
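The response loop the abstract describes (throttle on first detection, restore the process if confidence decays, act decisively only once confidence is high) can be made concrete with a small simulation. The code below is an added example, not Valkyrie's implementation or any code from the paper: the thresholds, the inverse-to-confidence share rule, the two detector confidence traces, and the cgroup v2 `cpu.max` helper are all assumptions chosen to illustrate the mechanism. It runs a benign program that triggers a transient false positive and a process whose detector confidence keeps climbing, and reports the slowdown paid by the former and the progress denied to the latter before it is stopped.

```python
"""Simulation of a Valkyrie-style post-detection response: throttle a suspicious
process in proportion to detector confidence, restore it if confidence decays,
and take the decisive action only once confidence is high.

Constructed example; thresholds, traces and the cgroup helper are assumptions,
not the paper's implementation."""
from dataclasses import dataclass
from pathlib import Path

CGROUP_PERIOD_US = 100_000   # cgroup v2 cpu.max period (kernel default)
PERMILLE = 1000              # CPU share is tracked as an integer in 1/1000


@dataclass
class ResponsePolicy:
    throttle_at: float = 0.5     # assumed: start throttling at this confidence
    clear_at: float = 0.2        # assumed: restore full share below this (hysteresis)
    kill_at: float = 0.95        # assumed: decisive action (here: stop) at this level
    min_permille: int = 50       # floor so a throttled process still makes progress

    def share(self, confidence: float, throttled: bool) -> int:
        """CPU share in permille for one tick; 0 means the process is stopped."""
        if confidence >= self.kill_at:
            return 0
        if throttled:
            # share shrinks as confidence grows: 0.7 confidence -> 30% of the CPU
            return max(self.min_permille, PERMILLE - round(confidence * PERMILLE))
        return PERMILLE


def cpu_max_value(permille: int) -> str:
    """Render a share as a cgroup v2 `cpu.max` value, e.g. 300 -> '30000 100000'."""
    quota = max(1, min(permille, PERMILLE)) * CGROUP_PERIOD_US // PERMILLE
    return f"{quota} {CGROUP_PERIOD_US}"


def apply_cpu_max(cgroup_dir: Path, permille: int) -> None:
    """Write the quota to a cgroup (needs cgroup v2 and write access; not run here)."""
    (cgroup_dir / "cpu.max").write_text(cpu_max_value(permille))


def simulate(policy: ResponsePolicy, confidences: list[float], work_units: int,
             max_ticks: int = 10_000) -> dict:
    """Run a process needing `work_units` ticks of full CPU against a confidence trace.

    After the trace ends its last value persists: a cleared false positive stays
    cleared, a confirmed attack stays confirmed."""
    needed = work_units * PERMILLE
    done = 0
    throttled = False
    for tick in range(max_ticks):
        c = confidences[min(tick, len(confidences) - 1)]
        if not throttled and c >= policy.throttle_at:
            throttled = True
        elif throttled and c < policy.clear_at:
            throttled = False
        share = policy.share(c, throttled)
        if share == 0:
            return {"finished": False, "killed_at_tick": tick, "progress_permille": done}
        done += share
        if done >= needed:
            return {"finished": True, "ticks": tick + 1, "progress_permille": done}
    return {"finished": False, "killed_at_tick": None, "progress_permille": done}


def slowdown_percent(result: dict, work_units: int) -> float:
    """Extra execution time relative to an unthrottled run, in percent."""
    return 100.0 * (result["ticks"] - work_units) / work_units


# Constructed tick-by-tick detector confidence traces, not measured data.
BENIGN_TRACE = [0.7, 0.7, 0.7, 0.3, 0.1]                 # transient false positive
ATTACK_TRACE = [0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.97]  # confidence keeps growing


if __name__ == "__main__":
    policy = ResponsePolicy()
    benign = simulate(policy, BENIGN_TRACE, work_units=100)
    attack = simulate(policy, ATTACK_TRACE, work_units=100)
    print(f"false positive: finished in {benign['ticks']} ticks, "
          f"slowdown {slowdown_percent(benign, 100):.1f}%")
    print(f"attack: stopped at tick {attack['killed_at_tick']} with "
          f"{attack['progress_permille'] / PERMILLE:.1f} of 100 units done "
          f"(an unthrottled process would have done {attack['killed_at_tick']})")
```

With these assumed thresholds the falsely flagged program finishes 3% late, while the climbing-confidence process completes 3.5 units of its work before being stopped instead of the 7 it would have completed unthrottled over the same ticks. The hysteresis between `throttle_at` and `clear_at` matters in practice: without it a detector score oscillating around the threshold would flap the quota every tick. The `apply_cpu_max` helper shows how the computed share maps onto a real enforcement knob, but any per-process limiter (cgroups, scheduler priority, memory bandwidth controls) could stand in for it.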
Problem

Research questions and friction points this paper is trying to address.

Reducing the impact of false positives in runtime attack detection instead of trying to eliminate them
Responding to time-progressive attacks (micro-architectural attacks, rowhammer, ransomware, cryptominers) before a detector is confident enough to act decisively
Keeping the cost of a wrong response small for legitimate programs
Innovation

Methods, ideas, or system contributions that make the work stand out.

Augments any existing runtime detector with a post-detection response, without changing the detector itself
Throttles the computing resources of a flagged process until the detector's confidence warrants a decisive action
Keeps the slowdown of falsely flagged programs small (under 1% single-threaded, 6.7% multi-threaded) while preventing rowhammer and greatly reducing the potency of micro-architectural attacks, ransomware, and cryptominers