Data structure to hold prevalence information. The data includes a
reference to another object (an XPath expression pointing to an object
inside the 'ref' element), together with a time period (startDate ->
endDate), an origin (where the object came from), and various location
tags. This allows rich information on prevalence to be recorded.

By convention, time periods should wherever possible be standard time
periods, e.g. minute, hour, 24 hours, week, month, quarter, year. This
facilitates combining data from multiple sources. To represent a single
entry, make startDate == endDate.

Commonality is calculated from the sightings of malware objects (and so
such calculation is easier to automate). Importance is reserved for cases
when “commonality” is not available, or when there is a need to
communicate the importance while commonality is low.

We define commonality on a scale of 0 to 100 (0 means “never found in the
field” and 100 means “found very frequently”). Commonality is scaled to
the 0..100 range instead of using actual sample counts to avoid the effect
of the user base size on the commonality. We derive commonality from the
number of affected computers, not from the number of samples (for
example, a hundred parasitic infections of the same virus on a single
computer are counted as one).

To calculate the commonality we use a two-stage approach and a
logarithmic scale:

- If the number of affected users exceeds 0.1% of your user base (more
  frequent than 1 in 1000), set commonality to “100”.
- Otherwise, calculate the ratio of infected computers amongst your user
  base by dividing the real number of affected computers ‘n’ by the total
  number ‘N’.
- Apply the following formula to get the commonality:
  ( log2(1+n*1000/N) ) * 100
- Round to the closest integer.

Obviously, the calculation above can only be applied to counting malware
sightings on desktops. If telemetry is collected from only a fraction of
such desktops then an appropriate correction should be used. For all
other cases (e.g. sightings on gateways, in a network security appliance,
at the ISP level, etc.) please exercise your best judgment and apply the
desktop guideline above as an example, to make sure the commonality
factor is as comparable as possible. For a URL object the commonality
could reflect, for example, how widely it was spammed.

“Importance” should not be used together with “commonality” (unless
commonality=“0”) to avoid possible confusion. High “importance”, for
example, can be assigned to samples that are over-hyped by the media
while their commonality is still “0”. Use the following guidelines for
“importance”, which is also defined on a scale of 0..100:

- 100: you’d expect your CEO and/or the media to call you any second
  about this object
- 80: you might get a call from your CEO and/or the media
- 60: you’d expect your boss to call you any second
- 40: you might get a call from your boss
- 20: someone is very likely to contact you about this object
- 10: you might get contacted about this object
- 0: you’d be surprised if anyone would ever contact you about this object
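The commonality calculation and the importance/commonality conventions above, as an added worked example (this is not code from the MAEC Python binding itself). It implements the two-stage logarithmic formula, counts a computer once however many sightings it produced, and checks an entry against the stated conventions. Two things are assumptions rather than page content: the telemetry correction (scaling the observed host count up by 1/coverage, one reasonable reading of "an appropriate correction") and the use of a plain dict keyed by the constructor's keyword names in place of a real fieldDataEntry object.

```python
"""Worked example of the fieldDataEntry prevalence conventions (added
example, not part of the MAEC binding)."""
import math
from typing import Iterable, List


def commonality(affected: int, user_base: int) -> int:
    """Two-stage, log-scaled commonality on 0..100.

    affected  -- number of distinct affected computers (n)
    user_base -- total number of computers (N)
    """
    if user_base <= 0:
        raise ValueError("user_base must be positive")
    if not 0 <= affected <= user_base:
        raise ValueError("affected must lie in 0..user_base")
    # Stage 1: more than 1 in 1000 affected -> saturate at 100.
    if affected * 1000 > user_base:
        return 100
    # Stage 2: ( log2(1 + n*1000/N) ) * 100, rounded to the closest integer.
    ratio = affected * 1000 / user_base
    return int(round(math.log2(1 + ratio) * 100))


def commonality_from_sightings(sighted_hosts: Iterable[str], user_base: int,
                               telemetry_coverage: float = 1.0) -> int:
    """Derive commonality from raw sighting records.

    Each element of sighted_hosts is the host identifier of one sighting;
    repeated sightings on the same host count as one affected computer.
    telemetry_coverage is the fraction of the user base that reports
    telemetry. The correction used here (dividing the observed host count
    by the coverage fraction) is an assumption about what an "appropriate
    correction" looks like.
    """
    if not 0 < telemetry_coverage <= 1:
        raise ValueError("telemetry_coverage must be in (0, 1]")
    distinct_hosts = len(set(sighted_hosts))
    estimated = min(user_base, int(round(distinct_hosts / telemetry_coverage)))
    return commonality(estimated, user_base)


def check_prevalence_entry(entry: dict) -> List[str]:
    """Return the convention violations in a prevalence entry (empty if clean).

    entry is a dict using the fieldDataEntry constructor's keyword names
    (startDate, endDate, commonality, importance); dates are ISO strings
    so that ordering them compares correctly.
    """
    problems = []
    c = entry.get("commonality")
    i = entry.get("importance")
    for name, value in (("commonality", c), ("importance", i)):
        if value is not None and not 0 <= value <= 100:
            problems.append(f"{name} {value} is outside 0..100")
    # Importance only alongside an absent or zero commonality.
    if i is not None and c not in (None, 0):
        problems.append("importance must not be set with a non-zero commonality")
    start, end = entry.get("startDate"), entry.get("endDate")
    if start is not None and end is not None and start > end:
        problems.append("startDate is after endDate")
    return problems


if __name__ == "__main__":
    # Constructed sample: four sightings on two hosts, a 10,000-seat base.
    sightings = ["host-a", "host-a", "host-a", "host-b"]
    entry = {
        "references": "//ref/object[1]",     # constructed XPath placeholder
        "startDate": "2020-01-01",
        "endDate": "2020-01-01",             # single entry: start == end
        "commonality": commonality_from_sightings(sightings, 10_000),
    }
    print("commonality:", entry["commonality"])          # 26
    print("violations:", check_prevalence_entry(entry))   # []
```

A report that sets importance together with a non-zero commonality, or whose period runs backwards, is flagged rather than silently exported; the constructor itself accepts any values, so such a check is best run before calling export().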
__init__(self, references=None, startDate=None, endDate=None,
         firstSeenDate=None, origin=None, commonality=None, volume=None,
         importance=None, location=None)
    x.__init__(...) initializes x; see help(type(x)) for signature
export(self, outfile, level, namespace_='maec:', name_='fieldDataEntry',
       namespacedef_='')

exportAttributes(self, outfile, level, already_processed,
                 namespace_='maec:', name_='fieldDataEntry')

exportChildren(self, outfile, level, namespace_='maec:',
               name_='fieldDataEntry', fromsubclass_=False)

exportLiteral(self, outfile, level, name_='fieldDataEntry')

exportLiteralAttributes(self, outfile, level, already_processed, name_)

exportLiteralChildren(self, outfile, level, name_)

buildAttributes(self, node, attrs, already_processed)

buildChildren(self, child_, node, nodeName_, fromsubclass_=False)
Inherited from GeneratedsSuper: gds_build_any, gds_format_boolean,
gds_format_boolean_list, gds_format_double, gds_format_double_list,
gds_format_float, gds_format_float_list, gds_format_integer,
gds_format_integer_list, gds_format_string, gds_str_lower,
gds_validate_boolean, gds_validate_boolean_list, gds_validate_double,
gds_validate_double_list, gds_validate_float, gds_validate_float_list,
gds_validate_integer, gds_validate_integer_list, gds_validate_string,
get_class_obj_, get_path_, get_path_list_

Inherited from object: __delattr__, __format__, __getattribute__,
__hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__,
__sizeof__, __str__, __subclasshook__