How We Calculate These Statistics
This page reports global statistics about several invariants present in MetaFlows' global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of institutions ranging from small commercial enterprises to very large multinational corporations.
The statistics below are from three main detection components:
The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:
- The True Positive Rate (
tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are a true positives or not). The True Positive Rate implicitly also measures the false positive rate (1 - tpr). For clarity the tpr is called detection rate in the Network Antivirus tables.
- Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The Severity is scaled down by the
tpr and is calculated by multiplying the average priority (0 - 100) of the invariant times its tpr (which is always less than 1). A low Severity score (0 - 10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example: detecting an Adware plugin in your browser). Higher Severity scores imply that the cyber threat becomes increasingly important.
- Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the
tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
In the individual reports, you will see a bubble graph. You can click on each bubble to view the specific events represented by the bubble. The X and Y axes are the Severity and Prevalence of a given invariant, respectively. The bubble sizes represent the number of different networks in which the invariant caused a true positive. Finally, the color of the bubble represents the tpr. Hovering over the bubble shows some of its metrics and clicking on the bubble shows which table row(s) it represent. Clicking outside any bubble shows all rows. The X axis and the tpr range can be adjusted using the sliders.
Large red bubbles are significant invariants because they are common to more than one network and are good cyber-threat predictors.
Bubbles positioned toward the top-right of the graphs are significant because they represent invariants predicted to pose a high cyber security threat.
The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles, shows the raw data represented by the bubble(s) selected. This selection is sticky so that you can go to the table and inspect/sort the data or click on the links within the table. To see all rows in the table, click outside any bubble. The last report is a list of sandboxing reports for zero-day malicious content previously unknown. These reports detail the full behavior of this malicious code and the signatures and anomalies that were detected by the MetaFlows Sandbox.
