Global Incident Report Statistics (12/04/2020 12:48am to 12/11/2020 12:48am UTC)

URLs delivering files which contained malware.
Table columns: URL, Prevalence

Worst MIME Types
MIME types associated with malware detected by MetaFlows.
Table columns: MIME Type, Prevalence

Malware Names
Virus names.
Table columns: Malware Name, Prevalence

Dropped Files
Files dropped by malware during analysis in the MetaFlows Cuckoo sandbox.
Table columns: File Dropped, Prevalence

Content MD5 Hash
MD5 hashes of files which contained malware.
Table columns: Content MD5 Hash, Description, Prevalence

High Priority IDS Rules
Multi-session incident reports which were likely involved in cyber attacks.
Table columns: IDS ID, Description, Prevalence

Sandbox Anomalies
Anomalies detected by the MetaFlows Cuckoo sandbox.
Table columns: Sandbox Anomaly, Prevalence

Yara Signatures
Yara signatures triggered during analysis in the MetaFlows Cuckoo sandbox.
Table columns: Yara Signature, Prevalence

Hosts Contacted
Hosts contacted by malware during analysis in the MetaFlows Cuckoo sandbox.
Table columns: Host, Prevalence

Processes Started
Processes started by malware during analysis in the MetaFlows Cuckoo sandbox.
Table columns: Process Name, Prevalence

Zero-Day Reports
Zero-day threats discovered by the MetaFlows Cuckoo sandbox.

How We Calculate These Statistics

This page reports global statistics about several invariants present in MetaFlows' global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of institutions ranging from small commercial enterprises to very large multinational corporations.

The statistics below are from three main detection components:

The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:

  • The True Positive Rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the total number of occurrences of the same invariant (whether they are true positives or not). The True Positive Rate implicitly also gives the false positive rate (1 - tpr). For clarity the tpr is called detection rate in the Network Antivirus tables.
  • Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The Severity is scaled down by the tpr and is calculated by multiplying the average priority (0 - 100) of the invariant times its tpr (which is always less than 1). A low Severity score (0 - 10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example: detecting an Adware plugin in your browser). Higher Severity scores imply that the cyber threat becomes increasingly important.
  • Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
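The three definitions above, worked through on constructed event data. This is an added example, not MetaFlows' own code or data: the event tuples, the invariant names and the `is_strong_predictor` thresholds are assumptions made for illustration. It computes the tpr, the derived false positive rate, the Severity (average priority scaled by tpr) and the number of distinct networks with a true positive (the bubble size described further down). Prevalence is left out because the page states it is weighted by tpr but does not give its exact formula.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (not real MetaFlows data). Each tuple is one
# occurrence of an invariant (an IDS rule id, a file MD5, a Yara name, ...)
# seen on one customer network, with the confirmed verdict and the event's
# priority on the page's 0-100 scale.
EVENTS = [
    # (invariant,         network, confirmed_true_positive, priority)
    ("ids-rule-1001",     "net-a", True,  90),
    ("ids-rule-1001",     "net-b", True,  90),
    ("ids-rule-1001",     "net-c", False, 90),
    ("ids-rule-1001",     "net-a", True,  80),
    ("adware-plugin-sig", "net-a", True,  10),
    ("adware-plugin-sig", "net-a", True,  10),
    ("adware-plugin-sig", "net-d", False, 10),
    ("policy-rule-2002",  "net-b", False, 50),
    ("policy-rule-2002",  "net-c", False, 50),
]


@dataclass
class InvariantStats:
    invariant: str
    occurrences: int       # all hits of the invariant, true positive or not
    true_positives: int    # confirmed true-positive hits
    avg_priority: float    # mean priority of the hits, 0-100
    networks_with_tp: int  # distinct networks with a true positive (bubble size)

    @property
    def tpr(self) -> float:
        # True Positive Rate: confirmed hits divided by all occurrences.
        return self.true_positives / self.occurrences

    @property
    def false_positive_rate(self) -> float:
        # Implicit in the tpr, as the page states: 1 - tpr.
        return 1.0 - self.tpr

    @property
    def severity(self) -> float:
        # Severity: average priority (0-100) scaled down by the tpr.
        return self.avg_priority * self.tpr


def compute_stats(events):
    """Group raw events by invariant and return {invariant: InvariantStats}."""
    occurrences = defaultdict(int)
    true_positives = defaultdict(int)
    priority_sum = defaultdict(float)
    tp_networks = defaultdict(set)
    for invariant, network, is_tp, priority in events:
        occurrences[invariant] += 1
        priority_sum[invariant] += priority
        if is_tp:
            true_positives[invariant] += 1
            tp_networks[invariant].add(network)
    return {
        inv: InvariantStats(
            invariant=inv,
            occurrences=occurrences[inv],
            true_positives=true_positives[inv],
            avg_priority=priority_sum[inv] / occurrences[inv],
            networks_with_tp=len(tp_networks[inv]),
        )
        for inv in occurrences
    }


def rank_by_severity(stats):
    """Invariants ordered along the graph's Severity axis, highest first."""
    return sorted(stats.values(), key=lambda s: s.severity, reverse=True)


def is_strong_predictor(s, min_networks=2, min_tpr=0.5):
    """Assumed cut-offs for a 'large red bubble': true positives on more than
    one network and a high tpr. The page gives no numeric threshold."""
    return s.networks_with_tp >= min_networks and s.tpr >= min_tpr


if __name__ == "__main__":
    for s in rank_by_severity(compute_stats(EVENTS)):
        print(f"{s.invariant:18} occ={s.occurrences} tpr={s.tpr:.2f} "
              f"fpr={s.false_positive_rate:.2f} severity={s.severity:6.2f} "
              f"networks={s.networks_with_tp} predictor={is_strong_predictor(s)}")
```

Note how a low-priority adware signature keeps a low Severity even with a good tpr, while a rule that never produced a confirmed hit drops to zero on both axes regardless of its priority.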

In the individual reports, you will see a bubble graph. You can click on each bubble to view the specific events represented by the bubble. The X and Y axes are the Severity and Prevalence of a given invariant, respectively. The bubble sizes represent the number of different networks in which the invariant caused a true positive. Finally, the color of the bubble represents the tpr. Hovering over a bubble shows some of its metrics and clicking on the bubble shows which table row(s) it represents. Clicking outside any bubble shows all rows. The X axis and the tpr range can be adjusted using the sliders.

Large red bubbles are significant invariants because they are common to more than one network and are good cyber-threat predictors.

Bubbles positioned toward the top-right of the graphs are significant because they represent invariants predicted to pose a high cyber security threat.

The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected them. The other columns should be self-explanatory. Hovering over a bubble or set of overlapping bubbles shows the raw data represented by the selected bubble(s). This selection is sticky so that you can go to the table and inspect/sort the data or click on the links within the table. To see all rows in the table, click outside any bubble. The last report is a list of sandboxing reports for previously unknown zero-day malicious content. These reports detail the full behavior of this malicious code and the signatures and anomalies that were detected by the MetaFlows Sandbox.