#######
Scoring
#######

***************************************
Details about scores in Silent Push API
***************************************

A brief overview of the different scores available in API responses.

Domain related scores
=====================

*age_score*

* based on the age of the domain as seen in DNS zone files
* a more recently created domain scores higher

*is_new_score*

* the is_new_score is 100 if the domain has been created within the last 24 hours
* newly created domains represent a higher risk when observed in network traffic

*dga_probability_score*

* indicates the likelihood that the domain name is the result of a Domain Generating Algorithm

*url_shortener_score*

* 100 if the domain is a known URL shortener service
* scored alternative to the is_url_shortener flag

*listing_score*

* shows if the domain has previously been seen on any of a selection of highly trusted threat intelligence feeds
* the score is graded based on recency and frequency of prior listings

*ns_reputation_score*

* reputation score for the name servers currently associated with this domain
* name server reputation is based on the number of domains hosted on the name server versus the number of those domains listed in threat intelligence feeds

*ns_entropy_score*

* an indication of the frequency and recency of historic name server changes for this domain
* more frequent and/or more recent name server changes may raise the level of suspicion about the domain

*sp_risk_score*

* the Silent Push Risk Score provides an at-a-glance assessment of the risk associated with this domain
* the sp_risk_score is equal to the highest of the following scores, but will be reduced to 0 if any of these flags is true: is_expired, is_parked, is_sinkholed
* ns_entropy_score, ns_reputation_score, is_new_score, age_score, listing_score

IPv4 related scores
===================

*asn_rank_score*

* a weighted measure of the type of feed where IPv4 addresses in this ASN have been listed
* listings on malware feeds are counted with a higher weight than listings on phishing feeds, for example
* all ASNs with listings are ranked against each other

*asn_reputation_score*

* a measure of IPv4 addresses in this ASN that have been listed on certain feeds
* the score reflects volume rather than severity
* the reputation score is calculated as a logarithmic ratio of listed vs active IPv4 addresses in the ASN, where an active IPv4 address is any IP with a current A record in Silent Push Passive DNS

*asn_takedown_reputation_score*

* a measure of how long it takes for malicious URLs to be taken down by the ISP abuse desk
* we only count URLs that have a minimum age of X days, and the aggregation is the number of items/URLs listed
* the total count of items listed is then compared to the total number of IPs in the ASN using a specific formula
* all ASNs with listings are ranked against each other

*ip_is_dsl_dynamic_score*

* 100 if the IPv4 address is part of dynamically allocated/residential IP space
* scored alternative to the ip_is_dsl_dynamic flag

*listing_score*

* shows if the IPv4 address has previously been seen on any of a selection of highly trusted threat intelligence feeds
* the score is graded based on recency and frequency of prior listings

*subnet_reputation_score*

* a measure of IPv4 addresses in this subnet that have been listed on certain feeds
* the score reflects volume rather than severity
* the reputation score is calculated as a logarithmic ratio of listed vs active IPv4 addresses in the subnet, where an active IPv4 address is any IP with a current A record in Silent Push Passive DNS

*ip_reputation_score*

* a measure of the number of DNS A record names resolving to this IPv4 address that have been listed on certain feeds
* the score reflects volume rather than severity
* the reputation score is calculated as a logarithmic ratio of listed names (A records) vs all active A records resolving to this IPv4 address, where an active A record is any current A record in Silent Push Passive DNS

*sp_risk_score*

* the Silent Push Risk Score provides an at-a-glance assessment of the risk associated with this IPv4 address
* the sp_risk_score is equal to the highest of the following scores, but will be reduced to 0 if any of these flags is true: known_benign, known_sinkhole_ip
* ip_reputation, subnet_reputation, asn_reputation, asn_takedown_reputation, asn_rank, listing_score
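The sp_risk_score rule for both domains and IPv4 addresses (highest component score, forced to 0 when a suppressing flag is set) is simple enough to recompute on the consumer side, which is a useful sanity check when ingesting API results into a detection pipeline. The following is an added example, not Silent Push code; it assumes records are flat JSON objects keyed by the score and flag names documented above (using the full ``*_score`` field names for the IPv4 components), and the sample records are constructed.

```python
import json

# Component scores and "reduce to 0" flags, per the documented rule.
DOMAIN_COMPONENTS = ("ns_entropy_score", "ns_reputation_score",
                     "is_new_score", "age_score", "listing_score")
DOMAIN_ZERO_FLAGS = ("is_expired", "is_parked", "is_sinkholed")
IPV4_COMPONENTS = ("ip_reputation_score", "subnet_reputation_score",
                   "asn_reputation_score", "asn_takedown_reputation_score",
                   "asn_rank_score", "listing_score")
IPV4_ZERO_FLAGS = ("known_benign", "known_sinkhole_ip")


def expected_risk_score(record, components, zero_flags):
    """sp_risk_score = highest component score, forced to 0 if any flag is true.
    Assumption: a component absent from the record counts as 0."""
    if any(record.get(flag) for flag in zero_flags):
        return 0
    return max(int(record.get(name, 0)) for name in components)


def check_record(record, kind):
    """Return (expected sp_risk_score, True if the record's own value agrees)."""
    comps, flags = ((DOMAIN_COMPONENTS, DOMAIN_ZERO_FLAGS) if kind == "domain"
                    else (IPV4_COMPONENTS, IPV4_ZERO_FLAGS))
    expected = expected_risk_score(record, comps, flags)
    return expected, expected == record.get("sp_risk_score")


# Constructed sample records (not real API output); the third one is
# deliberately inconsistent so the check has something to flag.
SAMPLE = json.loads("""[
 {"kind": "domain", "domain": "fresh-example.test", "is_new_score": 100,
  "age_score": 97, "listing_score": 0, "ns_reputation_score": 12,
  "ns_entropy_score": 5, "is_parked": false, "sp_risk_score": 100},
 {"kind": "domain", "domain": "parked-example.test", "age_score": 80,
  "listing_score": 60, "is_parked": true, "sp_risk_score": 0},
 {"kind": "ipv4", "ip": "192.0.2.10", "ip_reputation_score": 40,
  "subnet_reputation_score": 55, "asn_rank_score": 30,
  "listing_score": 70, "known_benign": false, "sp_risk_score": 55}
]""")

if __name__ == "__main__":
    for rec in SAMPLE:
        exp, ok = check_record(rec, rec["kind"])
        print(rec.get("domain") or rec.get("ip"), "expected", exp,
              "consistent" if ok else "MISMATCH")
```

A mismatch usually means a field was renamed or dropped upstream, or that your pipeline is comparing scores from different lookups; treat it as an ingestion bug rather than as a verdict on the indicator.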