Global Incident Report Statistics (12/04/2020 12:48am to 12/11/2020 12:48am UTC)
Measured Antivirus Performance
The bar graph estimates the severity of the malware that was detected by the individual vendors in this period. Some vendors have a good detection rate, but they do not detect the really important malware; some may have low detection rates, but catch the most important malware. You can hover over the bars to see the severity for each Antivirus solution.
The detection rate of endpoint antivirus solutions ranges from 10% to 50% (the average is 20%). The table below shows the best 15 antivirus detection rates for this period.

| Antivirus Vendor | Detection Rate |
|---|---|
Worst MIME Types

| MIME Type | Prevalence |
|---|---|

Malware Names

| Malware Name | Prevalence |
|---|---|

Dropped Files

| File Dropped | Prevalence |
|---|---|

Content MD5 Hash

| Content MD5 Hash | Description | Prevalence |
|---|---|---|

High Priority IDS Rules

| IDS ID | Description | Prevalence |
|---|---|---|

Sandbox Anomalies

| Sandbox Anomaly | Prevalence |
|---|---|

Yara Signatures

| Yara Signature | Prevalence |
|---|---|

Hosts Contacted

| Host | Prevalence |
|---|---|

Processes Started

| Process Name | Prevalence |
|---|---|

Zero-Day Reports

How We Calculate These Statistics
This page reports global statistics about several invariants present in MetaFlows' global detection infrastructure. The detection infrastructure receives approximately 8 million events per day from a variety of institutions ranging from small commercial enterprises to very large multinational corporations.
The statistics below are from three main detection components:
- MetaFlows' Multisession IDS Analysis
- MetaFlows' Network Antivirus leveraging VirusTotal
- MetaFlows' Cloud-based Sand-boxing leveraging Cuckoo
The invariants from the events reported by these detection components are extracted and their relative contribution is compared. The contribution of the invariants is measured in three different dimensions:
- The True Positive Rate (tpr) of an invariant is measured by dividing the number of confirmed true positive hits by the number of occurrences of the same invariant (whether they are true positives or not). The True Positive Rate implicitly also measures the false positive rate (1 - tpr). For clarity, the tpr is called detection rate in the Network Antivirus tables.
- Severity ranges from 0 to 100 and measures the likelihood that an invariant in a cyber attack compromises the integrity or confidentiality of a system. The Severity is scaled down by the tpr: it is calculated by multiplying the average priority (0 - 100) of the invariant by its tpr (which is always less than 1). A low Severity score (0 - 10) typically implies that the cyber attack may reduce security but the loss of security is minimal (for example: detecting an Adware plugin in your browser). Higher Severity scores imply that the cyber threat becomes increasingly important.
- Prevalence measures how widespread a given cyber attack is across multiple networks. Prevalence is also weighted against the tpr of a given invariant. Prevalence does not have an upper limit because it depends on how many cyber attacks we find in a given time period.
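To make the three dimensions concrete, here is an added example (not MetaFlows' own code) that computes tpr, Severity and Prevalence for each invariant from a handful of constructed events. The tpr and Severity formulas follow the definitions above; the exact Prevalence weighting is an assumption, since the page only says it is weighted against the tpr.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    invariant: str   # e.g. an IDS rule id, a content MD5 hash or a contacted host
    network: str     # the monitored network that reported the event
    priority: int    # analyst priority of the event, 0 - 100
    confirmed: bool  # True if the event was confirmed as a true positive


# Constructed sample events for illustration only (not real MetaFlows data).
EVENTS = [
    Event("md5:aaaa", "netA", 90, True),
    Event("md5:aaaa", "netB", 80, True),
    Event("md5:aaaa", "netB", 70, False),
    Event("md5:aaaa", "netC", 60, True),
    Event("host:adware.example", "netA", 10, True),
    Event("host:adware.example", "netA", 10, False),
    Event("host:adware.example", "netB", 10, False),
    Event("host:adware.example", "netC", 10, False),
]


def score(events):
    """Return {invariant: {"tpr", "severity", "prevalence", "networks"}}."""
    groups = defaultdict(list)
    for e in events:
        groups[e.invariant].append(e)
    result = {}
    for inv, evs in groups.items():
        hits = [e for e in evs if e.confirmed]
        tpr = len(hits) / len(evs)                      # confirmed hits / all occurrences
        avg_priority = sum(e.priority for e in evs) / len(evs)
        severity = avg_priority * tpr                   # average priority scaled down by tpr
        networks = len({e.network for e in hits})       # distinct networks with a true positive
        prevalence = len(hits) * tpr                    # ASSUMED weighting: hit count times tpr
        result[inv] = {"tpr": tpr, "severity": severity,
                       "prevalence": prevalence, "networks": networks}
    return result


def top_by(scores, metric, n):
    """Invariant names ranked by one metric, highest first (as in the report tables)."""
    return sorted(scores, key=lambda inv: scores[inv][metric], reverse=True)[:n]
```

The high-priority hash ends up with a Severity of 56.25 seen in three networks, while the adware host scores 2.5, matching the "low Severity, minimal loss" case described above.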
In the individual reports, you will see a bubble graph. You can click on each bubble to view the specific events represented by the bubble. The X and Y axes are the Severity and Prevalence of a given invariant, respectively. The bubble sizes represent the number of different networks in which the invariant caused a true positive. Finally, the color of the bubble represents the tpr. Hovering over the bubble shows some of its metrics and clicking on the bubble shows which table row(s) it represents. Clicking outside any bubble shows all rows. The X axis and the tpr range can be adjusted using the sliders.
Large red bubbles are significant invariants because they are common to more than one network and are good cyber-threat predictors.
Bubbles positioned toward the top-right of the graphs are significant because they represent invariants predicted to pose a high cyber security threat.
The table below the bubble graph shows the sortable raw data. The first column is the invariant extracted from the events. If you have an account with MetaFlows, you can click on certain invariants to see if your sensors have detected it. The other columns should be self-explanatory. Hovering over a bubble or a set of overlapping bubbles shows the raw data represented by the selected bubble(s). This selection is sticky so that you can go to the table and inspect/sort the data or click on the links within the table. To see all rows in the table, click outside any bubble. The last report is a list of sandboxing reports for previously unknown, zero-day malicious content. These reports detail the full behavior of this malicious code and the signatures and anomalies that were detected by the MetaFlows Sandbox.