Cyber Attacks Global Incident Report Statistics

We are now generating weekly Global Incident Reports that provide statistics of the invariants present in our global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of institutions ranging from small commercial enterprises to very large multinational corporations.

The statistics below are from three main detection components.

The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:

  • The true positive rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are true positives or not). The true positive rate implicitly also measures the false positive rate (1-tpr). For clarity, the tpr is called detection rate in the Network Anti-virus tables.
  • Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The severity is scaled down by the tpr and is calculated by multiplying the average priority (0-100) of the invariant by its tpr (which is always less than 1). A low severity score (0-10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example, detecting an adware plug-in in your browser). Higher severity scores imply that the cyber threat becomes increasingly important.
  • Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
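The three measures can be computed per invariant from a stream of triaged events. The following is an added example, not MetaFlows code: the event tuple layout, the invariant names and the sample data are constructed, and the prevalence formula (distinct networks reporting the invariant, multiplied by tpr) is an assumption, since the text only says that prevalence is weighted against the tpr.

```python
from collections import defaultdict

# Constructed sample events:
# (invariant, reporting network, priority 0-100, confirmed true positive?)
EVENTS = [
    ("ids:rule-A", "net1", 80, True),
    ("ids:rule-A", "net2", 80, True),
    ("ids:rule-A", "net3", 80, False),
    ("ids:rule-A", "net3", 80, True),
    ("av:adware-B", "net1", 10, True),
    ("av:adware-B", "net1", 10, False),
    ("ids:rule-C", "net2", 60, False),
]


def score_invariants(events):
    """Return {invariant: {"tpr", "severity", "prevalence"}}."""
    acc = defaultdict(lambda: {"hits": 0, "tp": 0, "prio": 0, "nets": set()})
    for invariant, network, priority, is_tp in events:
        if not 0 <= priority <= 100:
            raise ValueError(f"priority out of range for {invariant}: {priority}")
        a = acc[invariant]
        a["hits"] += 1          # every occurrence, true positive or not
        a["tp"] += bool(is_tp)  # confirmed true positives only
        a["prio"] += priority
        a["nets"].add(network)

    scores = {}
    for invariant, a in acc.items():
        tpr = a["tp"] / a["hits"]
        scores[invariant] = {
            "tpr": tpr,
            # average priority scaled down by the true positive rate
            "severity": (a["prio"] / a["hits"]) * tpr,
            # Assumption: distinct networks weighted by tpr; no upper limit
            "prevalence": len(a["nets"]) * tpr,
        }
    return scores


def rank(scores, measure):
    """Invariant names ordered from highest to lowest on one measure."""
    return sorted(scores, key=lambda inv: scores[inv][measure], reverse=True)


if __name__ == "__main__":
    result = score_invariants(EVENTS)
    for name in rank(result, "severity"):
        print(name, result[name])
```

An invariant that fires often but is never confirmed (ids:rule-C here) scores zero on severity and prevalence, which is how noisy rules drop out of the ranking.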

Here is an example bubble graph which visually represents the statistics of the top IDS rules which triggered a true positive.

Mousing over the bubbles reveals the actual invariant and its associated statistics.

How to access the statistics

  • The anonymized global report across all of our networks is at From this report there are some hyperlinks that query your own database (if you are a MetaFlows customer) to see if any of the invariants are present in your event data.
  • If you are a MetaFlows customer, you can also access a specific report for your own domain which has both (1) links to the invariants found on your own domain and (2) links to the incident reports used to derive the invariants.

Note that both types of reports compare the invariants to the global counts, so they both should help you understand how widespread and how serious the associated cyber-threats are.