http://xml/metadataSharing.xsd
complexType fieldDataEntry

Super Types
{http://www.w3.org/2001/XMLSchema}anyType
|
+--{http://xml/metadataSharing.xsd}fieldDataEntry (restriction)

Documentation
     Data structure to hold prevalence information. The data includes a reference to another object (which is an xpath 
     expression pointing to an object inside the 'ref' element), together with a time period (startDate -> endDate), 
     an origin - where the object came from, and various location tags. This allows rich information on prevalence to be recorded.
     
     By convention, time periods should be wherever possible standard time periods, e.g. minute, hour, 24 hours, week, month, quarter, year. This
     will facilitate combination of data from multiple sources.
     
     To represent a single entry, make startDate == endDate.
     
     Commonality is calculated from the sightings of malware objects (and so such calculation is easier to automate).
     Importance is reserved for cases when “commonality” is not available or if there is a need to communicate the 
     importance when commonality is low. 
     
     We define the commonality on a scale 0 to 100 (0 means “never found in the field” and 100 means “found very frequently”). Scaling commonality to 0..100 range instead of using actual sample counts is to avoid the effect of the user base size on the commonality. We derive commonality from the number of affected computers – not from the number of samples (for example, a hundred parasitic infections of the same virus on a single computer are to be counted as one).  
     
     To calculate the commonality we use two-stage approach and logarithmic scale:
     -	If the number of affected users exceeds 0.1% of your user base (more frequent than 1 in a 1000) set commonality to “100”
     -	Otherwise, calculate the ratio of infected computers amongst your user base by dividing the real number of affected computers ‘n’ by the total number ‘N’ 
     -	Apply the following formula to get the commonality –( log2(1+n*1000/N) ) * 100
     -	Round to the closest integer
    
     
     Obviously, the calculation above can only be applied to counting of malware sightings on desktops.
     If telemetry is collected from a fraction of such desktops then an appropriate correction should be used. 
     For all other cases (e.g. sighting on gateways, in some network security appliance, on an ISP level, etc.) 
     please exercise your best judgment and apply provided desktop guideline as an example to make sure
     the commonality factor is as comparable as possible.
     
     For a URL object the commonality could reflect, for example, how widely it was spammed.
     
     “Importance” should not be used together with “commonality” (unless commonality=“0”) to avoid possible confusion. High “importance”, for example, can be assigned to samples that are over-hyped by media when their commonality is still “0”. 
     
     Use the following guidelines for “importance” which is also defined on a scale 0..100:
     100 – you’d  expect your CEO and/or media to call you any second about this object
     80 – you might get a call from your CEO and/or media
     60 –  you’d  expect your boss to call you any second
     40 – you might get a call from your boss
     20 – someone is very likely to contact you about this object
     10 – you might get contacted about this object
     0 – you’d be surprised if anyone would ever contact you about this object
    
    
Properties
This component is not nillable.

Model
<...>
(references, startDate, endDate, firstSeenDate?, origin, commonality?, volume, importance?, location )
</...>


Nested Element Summary
intBetween0and100commonality
          
xs:dateTimeendDate
           The end date for this field data entry - the end date of the period over which the prevalence (commonality) and importance is measured  
xs:dateTimefirstSeenDate
           The date that the object was first seen by the reporting entity.  
intBetween0and100importance
          
 location
          
OriginTypeEnumorigin
          
 references
          
xs:dateTimestartDate
           The start date for this field data entry - the start date of the period over which the prevalence (commonality) and importance is measured  
 volume
          
Source
<xs:complexType name="fieldDataEntry">
<xs:sequence>
<xs:element name="references">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1" name="ref" type="reference"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="startDate" type="xs:dateTime">
</xs:element>
<xs:element name="endDate" type="xs:dateTime">
</xs:element>
<xs:element minOccurs="0" name="firstSeenDate" type="xs:dateTime">
</xs:element>
<xs:element name="origin" type="OriginTypeEnum"/>
<xs:element minOccurs="0" name="commonality" type="intBetween0and100"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="volume">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:int">
<xs:attribute name="units" type="VolumeUnitsEnum" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element minOccurs="0" name="importance" type="intBetween0and100"/>
<xs:element minOccurs="0" name="location">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" type="LocationTypeEnum"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>


Submit a bug or a feature.
Created by xsddoc, a sub project of xframe, hosted at http://xframe.sourceforge.net.