How Do We Define Our "Risk" score

Risk is usually defined as the probability of something bad happening. In our case, we try to quantify the risk emanating from a particular source IP address. In other words: what are the chances that this IP address will cause damage to my network? Of course, we do not know what your network looks like. The number we calculate is based only on the risk we "see" in our data.

We define risk on a scale of 0 through 10. A 0 usually means that we have little or no data, or that there are other circumstances that make us believe our data is likely to consist of false positives.

Components of Our Risk Number

Number of Targets: This is the number of different targets that reported a particular IP address. We use twice the log10 of that number and cap it at 10. On a typical day, we have about 200,000 targets reporting, so it would require everybody reporting the same IP address for it to reach 10.

Forum Spammer: If the IP was seen to post forum spam, we add 3 to the risk score. Why three? It looked like the right number, and the forum spammer feed has a rather low false positive rate.

SSH Scanning: Since SSH scanning requires a full connection and sending data, we multiply the log10 of the number of attempts by 3.

Top Domain Rank: We reduce the risk for high-ranking sites. For ranks 1-10 we subtract 10, essentially forcing the score to 0. Then we decrease it again by the log10 of the domain's popularity rank. We use data from tranco-list.eu for domain ranking.

TLD Name Servers: We get a lot of false positives for top level domain DNS servers. The risk is set to 0 for them. Blocking a TLD NS will also affect your network quite badly.

External Threat Feeds: The risk is increased by 1 for each external threat feed the IP shows up in.
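The components above, combined into a single score and clamped to the 0 through 10 scale. This is an added illustration written for this page, not the code that produces the published numbers; the field names and the reading of the domain-rank rule (a flat 10 for ranks 1-10, plus log10 of the rank for any ranked domain) are assumptions.

```python
from dataclasses import dataclass
from math import log10
from typing import Optional


@dataclass
class IpEvidence:
    """Constructed per-IP observations; field names are assumptions for this example."""
    targets: int = 0                    # distinct targets that reported the IP
    forum_spammer: bool = False         # seen posting forum spam
    ssh_attempts: int = 0               # SSH scanning attempts observed
    domain_rank: Optional[int] = None   # Tranco rank of a domain on this IP, if any
    tld_nameserver: bool = False        # IP is a TLD name server
    threat_feeds: int = 0               # external threat feeds listing the IP


def targets_component(n: int) -> float:
    # twice the log10 of the number of reporting targets, capped at 10
    if n <= 0:
        return 0.0                      # no reports: nothing to score
    return min(10.0, 2 * log10(n))


def ssh_component(attempts: int) -> float:
    # a full connection plus data sent, so each log10 step weighs 3
    if attempts <= 0:
        return 0.0
    return 3 * log10(attempts)


def domain_rank_component(rank: Optional[int]) -> float:
    # Ranks 1-10 lose a flat 10; every ranked domain also loses log10(rank).
    # This two-step reading of the rule is an assumption of this example.
    if rank is None or rank < 1:
        return 0.0
    penalty = log10(rank) + (10 if rank <= 10 else 0)
    return -penalty


def risk_score(ev: IpEvidence) -> float:
    """Sum the components and clamp the result to the 0..10 scale."""
    if ev.tld_nameserver:
        return 0.0                      # TLD name servers are forced to 0
    total = (targets_component(ev.targets)
             + (3.0 if ev.forum_spammer else 0.0)
             + ssh_component(ev.ssh_attempts)
             + domain_rank_component(ev.domain_rank)
             + max(0, ev.threat_feeds))
    return max(0.0, min(10.0, total))
```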

This is, of course, subject to change. We will tweak the algorithm, in particular as we add more data feeds.