GreyNoise

Tag Trends - Trending

Suggest Edits

Tag Trends - Trending

What are trending tags? - GreyNoise classifies a tag as trending when our sensors observe a significant increase in the average number of IPs transmitting traffic within a 3-day period. The list is sorted in descending order of the Percent Change value and displays the top ten tags.

Each tag card in the list contains:

  • Tag Name
  • Tag Category
  • Tag Intent (Benign, Unknown, or Malicious)
  • Associated CVEs
  • Percent Change - a calculated change in average IP activity
1238

How Trending Detection Works

Detecting trends and anomalies is about finding deviation from previous behavior, particularly in a positive direction. Both tasks start with finding the average over a long period, at least ten days. The Trends tab looks at slower increases in traffic for a specific tag, comparing the long-term average to a short-term, more recent average, and doing the classic percent-change formula, thus:

(recent avg. - long term avg.)/long term avg. = % change

This produces a value we can use to rank which tags are seeing the most significant increase in average traffic. Below is an example of "trending" behavior.

619

Trend Detection with Kendall’s Tau

Trend detection can also be done statistically using a tool known as Kendall’s Tau. Ordinarily, this compares the correlation between two rankings, with no ties. Because our data is timestamped, one “ranking” is just in chronological order. The other “ranking” has to be the value, the number of IPs seen emitting a tag per hour. The value is more complicated since many tags will stay at a given value while even staying at 0 in quiet periods. Therefore, we used a formulation based on Kendall’s Tau-b, which accepts dissimilar cardinalities in ranking and accounts for ties (since values are not unique, while time stamps generally are).

Our Tau formulation basically tallies up values that are in an increasing pattern and discounts values that are decreasing over time. This leads to the calculation of a ratio in the range -1 to 1, inclusive, where 1 indicates consistent increases over time, and -1 indicates consistent decreases over time.

This could be considered a rough percentage of how much of the signal is part of the given trend, i.e. a 0.8 result suggests about 80% of the signal is increasing/trending upward, whereas a -.6 suggests about 60% of the signal is decreasing.

What do I do with Trending Tags?

  • Verify cybersecurity news or content about a rise in particular scanning or exploitation activity over the last three days.
  • Potentially detect scanning that is not hyped yet.
  • Verify a rising wave of activity on the internet at scale on new or old threats.

Updated 8 months ago