Every IoC in the Maltiverse data model has a field labeled ‘classification’ that assigns the IoC one of four possible values. Every IoC must have a specific classification value at each point in time. That value is the result of evaluating the Maltiverse Score Algorithm, which takes hundreds of conditions into consideration to provide a precise classification for an IoC at a specific point in time. The classification is recalculated periodically (every hour), so an IoC can be downgraded, for example from malicious to suspicious, if the malicious activities have ceased for a specific period of time (IoC Expiration).
The four different values for the ‘classification’ field are:

| Classification Value | Description |
|---|---|
| malicious | The IoC is currently involved in malicious activities and is considered to be harmful. |
| suspicious | The IoC has been involved in malicious activities in the past and there are chances it has not ceased. |
| neutral | There is no information related to the IoC that could determine if it is good or bad. |
| whitelist | The IoC is considered to be safe and will remain so even if new malicious classifications come in. |
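
Because the classification is recalculated every hour and can be downgraded, a consumer that caches it should re-check old copies and lift blocks that no longer apply. The following is an added example, not Maltiverse code: the `fetched_at` field, the action mapping in `POLICY`, and the sample addresses are assumptions made for illustration; only the `classification` field and its four values come from the page.

```python
from datetime import datetime, timedelta, timezone

# From the page: the classification is recalculated every hour.
RECALC_INTERVAL = timedelta(hours=1)

# Assumed local policy, not defined by Maltiverse: action per classification.
POLICY = {"malicious": "block", "suspicious": "alert",
          "neutral": "allow", "whitelist": "allow"}

def decide(record, now):
    """Return (action, needs_refresh) for one cached IoC record."""
    cls = record.get("classification")
    if cls not in POLICY:
        # Missing or unknown value: alert and re-query rather than guess.
        return "alert", True
    # A copy older than one recalculation cycle may no longer match the
    # current classification (for example after IoC Expiration).
    stale = now - record["fetched_at"] >= RECALC_INTERVAL
    return POLICY[cls], stale

def reconcile(blocked, cache, now):
    """Compare the currently blocked set against cached classifications."""
    plan = {"block": [], "unblock": [], "alert": [], "refresh": []}
    for ioc, record in sorted(cache.items()):
        action, stale = decide(record, now)
        if stale:
            plan["refresh"].append(ioc)
        if action == "block" and ioc not in blocked:
            plan["block"].append(ioc)
        elif action != "block" and ioc in blocked and not stale:
            # Downgraded or whitelisted since it was blocked: lift the block.
            plan["unblock"].append(ioc)
        if action == "alert":
            plan["alert"].append(ioc)
    return plan

# Constructed sample data; "fetched_at" is a hypothetical local cache field.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CACHE = {
    "192.0.2.10": {"classification": "malicious", "fetched_at": NOW - timedelta(minutes=5)},
    "192.0.2.20": {"classification": "suspicious", "fetched_at": NOW - timedelta(minutes=10)},
    "198.51.100.7": {"classification": "whitelist", "fetched_at": NOW - timedelta(minutes=30)},
    "203.0.113.5": {"classification": "malicious", "fetched_at": NOW - timedelta(hours=3)},
    "203.0.113.9": {"classification": "neutral", "fetched_at": NOW - timedelta(hours=2)},
}
BLOCKED = {"192.0.2.20", "198.51.100.7", "203.0.113.5", "203.0.113.9"}

if __name__ == "__main__":
    print(reconcile(BLOCKED, CACHE, NOW))
```

Stale entries keep their current enforcement state until they are re-queried, so an outdated cached value never silently lifts a block.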