Confidence Factor and IP Address Reputation
IP address reputation data is evaluated based on when an IP address is seen and the volume of messages or data that it sends. X-Force categorizes IP address reputation data and assigns a confidence factor value from 0 to 100, where 0 represents no confidence and 100 represents certainty. For example, X-Force might categorize a source IP address as a scanning IP with a confidence factor of 75, which is a moderately high level of confidence.
Determining a Threshold
As an example, a spam IP address reputation entry of 0 indicates that the source IP traffic is not spam, whereas an entry of 100 indicates definite spam traffic. Values less than 50 therefore indicate a lower probability that the message is spam, and values greater than 50 indicate a higher probability that the message is spam. A value of 50 or higher is the threshold at which you might consider acting on a triggered rule.
These probabilities are based on web-based data that Juniper X-Force Threat Intelligence continuously collects and analyzes from around the world in X-Force data centers. As data is collected, the system evaluates how much spam is received from a particular IP address, or how frequently the flagged IP address appears in the IP address reputation category. The more often this occurs, the higher the system scores the confidence factor.
Tuning False Positives with the Confidence Factor Setting
Use the confidence factor to limit the number of offenses that are created by triggered rules. Depending on the level of protection that you want, adjust the confidence values to the level that best matches your network environment.
When you tune rules, consider a scale where 50 is the tipping point. On assets of lower importance, you might weight an X-Force rule to trigger at a higher confidence factor for specific categories, like spam. For example, tuning a rule to a confidence factor of 75 means that the rule triggers only when X-Force sees an IP address at or above a confidence factor of 75. This tuning reduces the number of offenses that are generated on lower priority systems and non-critical assets. By contrast, a confidence factor of 50 on an important system or critical business asset triggers an offense at a lower level of confidence and brings attention to an issue more quickly.
For your DMZ, choose a higher confidence value, such as 95% or higher. You do not need to investigate many offenses in this area. With a high confidence level, the IP addresses are more likely to match the category that is listed. If it is 95% certain that a host is serving malware, then you need to know about it.
For more secure areas of the network, like a server pool, lower the confidence value. More potential threats are identified, and you spend less effort investigating because each threat pertains to a specific network segment.
For optimum false positive tuning, manage your rule triggers by segment. Look at your network infrastructure and decide which assets need a high level of protection and which do not. You can apply different confidence values to different network segments. Use building blocks to group commonly used tests so that they can be reused in rules.
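The per-segment thresholds described above, as an added worked example that is not part of the original documentation and not X-Force or QRadar code: the local asset's segment decides the minimum confidence factor, and the remote IP's reputation entry is compared against it. The segment networks, thresholds, and reputation entries are constructed stand-in values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Segment:
    name: str
    network: ipaddress.IPv4Network
    threshold: int  # lowest X-Force confidence factor that should raise an offense


# Hypothetical network segments (constructed addresses, not from the page).
# Thresholds follow the guidance above: DMZ at 95, critical server pool at the
# 50 tipping point, lower-priority workstations at 75.
SEGMENTS = [
    Segment("dmz", ipaddress.ip_network("203.0.113.0/24"), 95),
    Segment("server-pool", ipaddress.ip_network("10.10.0.0/16"), 50),
    Segment("workstations", ipaddress.ip_network("10.20.0.0/16"), 75),
]
DEFAULT_THRESHOLD = 75  # applied to local assets outside any listed segment

# Constructed stand-in for X-Force reputation lookups: remote IP -> (category, confidence).
REPUTATION = {
    "198.51.100.7": ("Scanning IPs", 75),
    "198.51.100.9": ("Malware", 97),
    "198.51.100.20": ("Spam", 30),
}


def segment_for(local_host: str) -> Optional[Segment]:
    """Longest-prefix match, so a more specific nested segment wins."""
    addr = ipaddress.ip_address(local_host)
    hits = [s for s in SEGMENTS if addr in s.network]
    return max(hits, key=lambda s: s.network.prefixlen, default=None)


def evaluate(local_host: str, remote_host: str) -> dict:
    """Decide whether a flow between a local asset and a remote IP should
    raise an offense, using the threshold of the local asset's segment."""
    category, confidence = REPUTATION.get(remote_host, (None, 0))
    seg = segment_for(local_host)
    threshold = seg.threshold if seg else DEFAULT_THRESHOLD
    return {
        "segment": seg.name if seg else "default",
        "category": category,
        "confidence": confidence,
        "threshold": threshold,
        "offense": category is not None and confidence >= threshold,
    }
```

With these values, the same scanning IP at confidence 75 is ignored when it touches a DMZ host but raises an offense against a server-pool host.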
- Click the Log Activity tab.
- On the toolbar, click Rules > Rules.
- Double-click a rule to start the Rule wizard.
- In the filter box, type the following text:
  when this host property is categorized by X-Force as this category with confidence value equal to this amount
- Click the Add test to rule (+) icon.
- In the Rule section, click the this amount link.
- Enter a confidence value.
- Click Submit.
- Click Finish to exit the Rule wizard.