
Reputation score

Václav Bartoš edited this page Apr 20, 2022 · 1 revision

Each IP address is assigned a reputation score, a single number summarizing the level of threat the address poses, based on the number of events and the number of distinct sources which reported it within the last 14 days. The score takes values between 0.0 (no events) and 1.0 (worst case).

Note: Currently, only alerts from Warden are used for computing the reputation score. All alerts are treated the same, regardless of their category/type.

The score is computed as follows:

  • For each of the last 14 days, compute:
    • n_events(d) - Number of events reported to Warden within the day which have the evaluated IP address listed as the source.
    • n_nodes(d) - Number of distinct nodes (detectors) that reported those alerts.
    • Daily reputation score rep(d) = (1 - 1/2^n_events(d)) * (1 - 1/2^n_nodes(d))
  • The final reputation score is the weighted average of the 14 daily scores with linearly decreasing weight (the most recent day has the highest weight):
    • rep = SUM[d=0..13](rep(d) * (14-d)/14) / 7.5 (where d is the number of days before today; 7.5 is just the sum of the weights, (14 + 13 + ... + 1)/14)

For reference, the function used to transform the number of events/nodes to the interval 0..1 looks like this:

For example, the daily reputation of an IP address with just one event in a day is 0.25. Even if the same IP is reported many times, but just by one detector, it can never exceed 0.5. Higher values are only possible if the IP is reported by multiple detectors (and therefore there is a lower chance of a false positive). If the events were reported in just one or a few of the last 14 days, the final score is in fact much smaller due to the averaging.
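The computation described above, carried through in Python as an added example (this is not NERD's own code). The alert records, the field names `date`, `src_ip` and `node`, and the detector names are constructed assumptions standing in for whatever Warden actually delivers; the formulas are the ones on this page.

```python
"""Reputation score as described on this page (added example, not NERD's own code).

The alert records below are constructed; the field names ``date``, ``src_ip``
and ``node`` are assumptions, not Warden's real schema.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

DAYS = 14                                                # length of the evaluation window
WEIGHT_SUM = sum(DAYS - d for d in range(DAYS)) / DAYS   # (14 + 13 + ... + 1) / 14 == 7.5


def saturate(n: int) -> float:
    """Map a non-negative count onto [0, 1): 1 - 1/2**n (0 -> 0, 1 -> 0.5, 2 -> 0.75, ...)."""
    if n < 0:
        raise ValueError("count must be non-negative")
    return 1.0 - 1.0 / (2 ** n)


def daily_reputation(n_events: int, n_nodes: int) -> float:
    """rep(d) = (1 - 1/2^n_events(d)) * (1 - 1/2^n_nodes(d))."""
    # Every reporting node contributes at least one event, so n_nodes <= n_events.
    if n_nodes > n_events:
        raise ValueError("n_nodes cannot exceed n_events")
    return saturate(n_events) * saturate(n_nodes)


def reputation(daily_counts: List[Tuple[int, int]]) -> float:
    """Weighted average of the 14 daily scores.

    daily_counts[d] is (n_events, n_nodes) for d days before today, so index 0
    is today and carries the largest weight (14/14); index 13 carries 1/14.
    """
    if len(daily_counts) != DAYS:
        raise ValueError(f"expected {DAYS} daily counts, got {len(daily_counts)}")
    total = 0.0
    for d, (n_events, n_nodes) in enumerate(daily_counts):
        total += daily_reputation(n_events, n_nodes) * (DAYS - d) / DAYS
    return total / WEIGHT_SUM


def count_per_day(alerts: Iterable[dict], ip: str, today: date) -> List[Tuple[int, int]]:
    """Aggregate alerts into (n_events, n_nodes) per day for one source IP.

    Alerts naming another source, or older than the 14-day window, are ignored.
    """
    events: Dict[int, int] = defaultdict(int)
    nodes: Dict[int, Set[str]] = defaultdict(set)
    for a in alerts:
        if a["src_ip"] != ip:
            continue
        d = (today - a["date"]).days
        if 0 <= d < DAYS:
            events[d] += 1
            nodes[d].add(a["node"])
    return [(events[d], len(nodes[d])) for d in range(DAYS)]


# Constructed sample data: three alerts today (from two detectors), one yesterday,
# one outside the window, and one about a different address. Detector names and
# addresses (TEST-NET ranges) are made up for the example.
TODAY = date(2022, 4, 20)
SAMPLE_ALERTS = [
    {"date": date(2022, 4, 20), "src_ip": "192.0.2.1", "node": "cz.example.detector1"},
    {"date": date(2022, 4, 20), "src_ip": "192.0.2.1", "node": "cz.example.detector2"},
    {"date": date(2022, 4, 20), "src_ip": "192.0.2.1", "node": "cz.example.detector1"},
    {"date": date(2022, 4, 19), "src_ip": "192.0.2.1", "node": "cz.example.detector1"},
    {"date": date(2022, 4, 1),  "src_ip": "192.0.2.1", "node": "cz.example.detector1"},
    {"date": date(2022, 4, 20), "src_ip": "198.51.100.7", "node": "cz.example.detector3"},
]


def example_score() -> float:
    """Score of 192.0.2.1 over the constructed sample: rep(0) = 0.875 * 0.75, rep(1) = 0.25."""
    return reputation(count_per_day(SAMPLE_ALERTS, "192.0.2.1", TODAY))


if __name__ == "__main__":
    for d, (ne, nn) in enumerate(count_per_day(SAMPLE_ALERTS, "192.0.2.1", TODAY)[:3]):
        print(f"d={d}: n_events={ne} n_nodes={nn} rep(d)={daily_reputation(ne, nn):.5f}")
    print(f"final reputation of 192.0.2.1: {example_score():.5f}")
```

Note how the sample bears out the text above: today's three events from two detectors give rep(0) = 0.65625, yesterday's single event gives 0.25, and after the weighted average over 14 mostly empty days the final score drops to about 0.118. An address seen once by one detector on one day scores only 0.25/7.5, roughly 0.033.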
