Fusion Source Technologies

AntiVirus Research Center
Threat Severity Assessment

The SARC Threat Severity Assessment evaluates computer threats and classifies them into clearly defined categories of risk for computer users. There are three major threat components that are analyzed to determine the severity rating:

  • The extent to which a malicious program is "in-the-wild".
  • The damage that a malicious program causes if encountered.
  • The rate at which a malicious program spreads.

Based on an evaluation of its sub-components, each category is rated as High, Medium, or Low risk. The overall severity measure, which is drawn from various combinations of risks, falls into one of 5 categories, with Category 5 (or CAT 5) being the most severe, and Category 1 (or CAT 1) the least severe. Section 1 describes each threat component. Section 2 lists the combinations of components that result in the overall risk assessment measure.

Section 1: Threat Metrics

1.1 Wild

The wild component measures the extent to which a virus is already spreading among computer users. Information in this metric includes:

  • Number of independent sites infected
  • Number of computers infected
  • Geographic distribution of infection
  • Ability of current technology to combat threat
  • Virus complexity

Classification guidelines:

  • High: 1,000 machines or 10 infected sites or 5 countries
  • Medium: 50-999 machines or 2 infected sites/countries (i.e., WildList)
  • Low: Anything else

1.2 Damage

The damage component measures the amount of damage that a given infection could inflict. Information in this metric includes:

  • Triggered events
  • Clogged email servers
  • Deleted/modified files
  • Release of confidential information
  • Performance degradation
  • Buggy routines that cause unintended loss of productivity
  • Compromised security settings
  • Ease of fixing damage

Classification guidelines:

  • High: File destruction/modification, very high server traffic, large-scale non-repairable damage, large security breaches, destructive triggers
  • Medium: Non-critical settings altered, buggy routines, easily repairable damage, non-destructive triggers
  • Low: No intentionally destructive behavior

1.3 Distribution

The distribution component measures how quickly a program spreads itself. Information in this metric includes:

  • Large-scale email attack (worm)
  • Executable code attack (virus)
  • Spreads only through download or copy (Trojan horse)
  • Network drive infection capability
  • Difficulty to remove/repair

Classification guidelines:

  • High: Worms, network-aware executables, uncontainable threats (due to high virus complexity or low AV ability to combat)
  • Medium: Most viruses
  • Low: Most Trojan horses

Section 2: Overall severity measure

The overall severity measure unifies the three components above into a measure of risk to computer users. There are five severity threat categories.

Category 5 (Very Severe):   Level 5

Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. Recent example: Melissa.A (when it first came out). All three threat metrics must be High.

1) Wild: High

and

2) Damage: High

and

3) Distribution: High

Category 4 (Severe):   Level 4

Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed. Recent example: CIH.

1) Wild: High

and

2) Damage or Distribution: High

Category 3 (Moderate):   Level 3

Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild. Recent example: Melissa.A (now).

1) Wild: High

or

2) Damage: High and Distribution: High

Category 2 (Small):   Level 2

Threat type characterized either as low or moderate wild threat (but reasonably harmless and containable) or non-wild threat characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news. Recent example: Bubbleboy.

1) Damage: High

or

2) Distribution: High

or

3) Wild: Low or Medium

Category 1 (Minimal):   Level 1

Poses little threat to users. Rarely even makes headlines. No reports in the wild.

1) Wild: Low

and

2) Damage or Distribution: Low
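The scheme above is mechanical enough to encode, and doing so makes it easy to check that the five categories are ordered and that every combination of ratings lands somewhere. The Python below is an added worked example, not code from the original page or from SARC. It applies the Section 1.1 wild thresholds (read as "at least" values, an assumption the page does not state) and the Section 2 rules, evaluated from Category 5 down so that the first matching rule wins. Two further assumptions: "Moderate" in the Category 2 rule is read as the Medium rating used elsewhere on the page, and a threat matching no rule falls to Category 1. Damage and Distribution ratings are supplied by the analyst, since their guidelines are qualitative. All function names and sample reports are constructed for this example.

```python
from dataclasses import dataclass
from itertools import product

RATINGS = ("High", "Medium", "Low")

# Category number -> label, from Section 2 of the page.
CATEGORY_LABELS = {5: "Very Severe", 4: "Severe", 3: "Moderate", 2: "Small", 1: "Minimal"}


def rate_wild(machines: int, sites: int, countries: int) -> str:
    """Section 1.1 classification guidelines.

    Thresholds are read as 'at least' (assumption; the page gives bare numbers).
    """
    if machines >= 1000 or sites >= 10 or countries >= 5:
        return "High"
    # Medium: 50-999 machines, or 2 infected sites/countries (WildList).
    if machines >= 50 or sites >= 2 or countries >= 2:
        return "Medium"
    return "Low"


def overall_category(wild: str, damage: str, distribution: str) -> int:
    """Section 2 rules, most severe first; the first match wins."""
    for r in (wild, damage, distribution):
        if r not in RATINGS:
            raise ValueError(f"unknown rating {r!r}; expected one of {RATINGS}")
    # CAT 5: all three metrics High.
    if wild == "High" and damage == "High" and distribution == "High":
        return 5
    # CAT 4: Wild High, and Damage or Distribution High.
    if wild == "High" and (damage == "High" or distribution == "High"):
        return 4
    # CAT 3: Wild High, or Damage High and Distribution High.
    if wild == "High" or (damage == "High" and distribution == "High"):
        return 3
    # CAT 2: Damage High, or Distribution High, or Wild Medium.
    # The page's "Moderate" is read as Medium (assumption). Wild Low alone
    # is left to CAT 1; otherwise CAT 1 could never be reached.
    if damage == "High" or distribution == "High" or wild == "Medium":
        return 2
    # CAT 1: Wild Low with nothing High. This covers the page's rule
    # (Wild Low and Damage or Distribution Low) and, by assumption, the
    # Medium/Medium case the page does not mention.
    return 1


@dataclass(frozen=True)
class Assessment:
    wild: str
    damage: str
    distribution: str
    category: int
    label: str


def assess(machines: int, sites: int, countries: int,
           damage: str, distribution: str) -> Assessment:
    """Derive the Wild rating from counts, then the overall category."""
    wild = rate_wild(machines, sites, countries)
    cat = overall_category(wild, damage, distribution)
    return Assessment(wild, damage, distribution, cat, CATEGORY_LABELS[cat])


def severity_table() -> dict:
    """Every (wild, damage, distribution) combination and its category.

    Useful for checking that the rules are total (27 entries) and that all
    five categories are reachable.
    """
    return {combo: overall_category(*combo) for combo in product(RATINGS, repeat=3)}


if __name__ == "__main__":
    # Constructed sample reports; not real incident data.
    samples = [
        ("mass-mailing worm, widespread", 1500, 12, 6, "High", "High"),
        ("destructive virus, widespread", 1200, 11, 3, "High", "Medium"),
        ("lab-only worm", 1, 1, 1, "High", "High"),
        ("proof-of-concept Trojan", 3, 1, 1, "Low", "Low"),
    ]
    for name, *args in samples:
        a = assess(*args)
        print(f"{name:32s} wild={a.wild:6s} -> CAT {a.category} ({a.label})")
    for combo, cat in sorted(severity_table().items(), key=lambda kv: -kv[1]):
        print(combo, "->", cat)
```

Running the script prints the four sample assessments followed by the full 27-row table, which is the quickest way to confirm that a change to one rule does not make a lower category unreachable.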

Copyright ©2001 Fusion Source Technologies. All Rights Reserved.

 Knowledge Center managed by the Knowledge & Resource Group - last updated 11.10.2001 @ 04:28 PM -0500