- Super Types
Data structure to hold prevalence information. The data includes a reference to another object (which is an xpath
expression pointing to an object inside the 'ref' element), together with a time period (startDate -> endDate),
an origin - where the object came from, and various location tags. This allows rich information on prevalence to be recorded.
By convention, time periods should be wherever possible standard time periods, e.g. minute, hour, 24 hours, week, month, quarter, year. This
will facilitate combination of data from multiple sources.
To represent a single entry, make startDate == endDate.
Commonality is calculated from the sightings of malware objects (and so such calculation is easier to automate).
Importance is reserved for cases when “commonality” is not available or if there is a need to communicate the
importance when commonality is low.
We define the commonality on a scale 0 to 100 (0 means “never found in the field” and 100 means “found very frequently”). Scaling commonality to 0..100 range instead of using actual sample counts is to avoid the effect of the user base size on the commonality. We derive commonality from the number of affected computers – not from the number of samples (for example, a hundred parasitic infections of the same virus on a single computer are to be counted as one).
To calculate the commonality we use two-stage approach and logarithmic scale:
- If the number of affected users exceeds 0.1% of your user base (more frequent than 1 in a 1000) set commonality to “100”
- Otherwise, calculate the ratio of infected computers amongst your user base by dividing the real number of affected computers ‘n’ by the total number ‘N’
- Apply the following formula to get the commonality –( log2(1+n*1000/N) ) * 100
- Round to the closest integer
Obviously, the calculation above can only be applied to counting of malware sightings on desktops.
If telemetry is collected from a fraction of such desktops then an appropriate correction should be used.
For all other cases (e.g. sighting on gateways, in some network security appliance, on an ISP level, etc.)
please exercise your best judgment and apply provided desktop guideline as an example to make sure
the commonality factor is as comparable as possible.
For a URL object the commonality could reflect, for example, how widely it was spammed.
“Importance” should not be used together with “commonality” (unless commonality=“0”) to avoid possible confusion. High “importance”, for example, can be assigned to samples that are over-hyped by media when their commonality is still “0”.
Use the following guidelines for “importance” which is also defined on a scale 0..100:
100 – you’d expect your CEO and/or media to call you any second about this object
80 – you might get a call from your CEO and/or media
60 – you’d expect your boss to call you any second
40 – you might get a call from your boss
20 – someone is very likely to contact you about this object
10 – you might get contacted about this object
0 – you’d be surprised if anyone would ever contact you about this object
- This component is not nillable.
(references, startDate, endDate, firstSeenDate?, origin, commonality?, volume, importance?, location )
<xs:complexType name="fieldDataEntry"> <xs:sequence></xs:complexType> <xs:element name="references"> <xs:complexType> </xs:element> <xs:sequence> </xs:complexType> <xs:element maxOccurs="unbounded" minOccurs="1" name="ref" type="reference"/> </xs:sequence>
<xs:element name="startDate" type="xs:dateTime">
<xs:element name="endDate" type="xs:dateTime">
<xs:element minOccurs="0" name="firstSeenDate" type="xs:dateTime">
<xs:element maxOccurs="unbounded" minOccurs="0" name="volume"> <xs:complexType> </xs:element> <xs:simpleContent> </xs:complexType> <xs:extension base="xs:int"> </xs:extension> </xs:simpleContent> <xs:element minOccurs="0" name="location"> </xs:sequence> <xs:complexType> </xs:element> <xs:simpleContent> </xs:complexType> <xs:extension base="xs:string"> </xs:extension> </xs:simpleContent>
Submit a bug or a feature.
Created by xsddoc, a sub project of xframe, hosted at http://xframe.sourceforge.net.