OneFirewall Crime Score (OFA Score)
The OneFirewall Crime Score (OFA Score) is a quantitative risk metric assigned to an asset (IPv4 address, domain, URL, or file hash) based on intelligence collected and validated within the OneFirewall Alliance ecosystem. The score ranges from 0 to 1000, representing the probabilistic confidence and severity that an asset is malicious or has been involved in cybercriminal activity. Higher values indicate higher risk and stronger correlation with confirmed malicious behavior.
Score Semantics
Score = 0
The asset has never been observed, submitted, or correlated within the OneFirewall Threat Intelligence ecosystem.
Score = 1
The asset has been observed at least once in relation to suspicious or malicious activity.
Score > 1
Represents progressive risk elevation derived from multi-factor correlation, validation, and scoring algorithms.
Scoring Model – Contributing Factors
The Crime Score is a weighted, time-aware, trust-aware correlation engine built on multiple intelligence dimensions.
1. Alliance Member Frequency
Number of independent Alliance Members reporting the same asset in malicious contexts. Higher independent confirmations increase the score non-linearly.
2. Source Trust Weight
Each Alliance Member is assigned a dynamic trust score based on:
- Historical submission accuracy
- False positive rate
- Validation consistency
- Participation longevity
- Correlation agreement with other members
3. Confidence Metadata
Submissions may include a confidence level indicating the reporting entity’s internal validation depth. Examples:
- Observed exploitation attempt
- Confirmed compromise
- Sinkhole validation
- Sandbox execution
- Heuristic suspicion
4. Temporal Oscillation (Time Decay Model)
The Crime Score incorporates a time-based decay function. If no new malicious activity is observed, the score gradually decreases according to a proprietary decay algorithm designed to model:
- Infrastructure churn
- Botnet IP reassignment
- Compromised host remediation
- Natural IPv4 reallocation
5. Structured CTI Enrichment (STIX 2.x)
If a submission includes structured CTI (e.g., STIX 2 objects), additional contextual enrichment increases scoring precision:
- Associated threat actor
- Malware family
- Campaign reference
- MITRE ATT&CK mapping
- Kill chain phase
- Infrastructure pivot correlation
6. Cross-Member Temporal Correlation
If multiple independent Alliance Members report the same asset within correlated time windows, the score increases significantly due to:
- Distributed attack validation
- Campaign propagation detection
- Multi-tenant exposure confirmation
Dynamic Score Behavior
The Crime Score is dynamic. It may:
- Increase with new validated submissions
- Increase through correlation enrichment
- Decrease via negative submissions (false-positive correction)
- Decrease through time-based decay (IPv4 only)
Operational Usage – Enforcement Thresholds
Using the Crime Score for automated perimeter enforcement requires selecting a blocking threshold aligned with organizational risk tolerance. OneFirewall does not enforce a fixed threshold, but operational guidance based on Alliance usage patterns is as follows.
Recommended Calibration Process
- Start enforcement at Score ≥ 400
- Reduce threshold by 50 points per week
- During each phase, review:
  - Inbound blocked traffic
  - Outbound blocked traffic
  - False positives
  - Business impact
- Continue reduction until operational equilibrium is reached.
Alliance-Validated Enforcement Baseline
Across the majority of Alliance Members, a threshold of Score ≥ 190 has demonstrated an effective balance between prevention efficiency and low false-positive impact. This value is derived from empirical operational validation across multi-sector deployments.
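The contributing factors, the dynamic score behavior and the enforcement baseline described above, combined into a small illustrative scoring engine. This is an added example, not OneFirewall's proprietary algorithm: the confidence weights, the 30-day half-life, the logarithmic per-member boost, the 7-day correlation window and the 1.5 correlation multiplier are all assumptions; the 0/1 score semantics, the IPv4-only decay and the 190 baseline are taken from the page.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative weights and constants: assumptions for this example,
# not OneFirewall's proprietary values.
CONFIDENCE_WEIGHT = {
    "confirmed_compromise": 1.0,
    "sinkhole_validation": 0.9,
    "sandbox_execution": 0.8,
    "observed_exploitation": 0.7,
    "heuristic_suspicion": 0.3,
}
DECAY_HALF_LIFE_DAYS = 30        # assumed half-life for IPv4 decay
CORRELATION_WINDOW = timedelta(days=7)
MAX_SCORE = 1000
BASELINE_THRESHOLD = 190         # Alliance-validated enforcement baseline

@dataclass
class Submission:
    member: str              # reporting Alliance Member
    trust: float             # member's dynamic trust weight in [0, 1]
    confidence: str          # key into CONFIDENCE_WEIGHT
    observed: datetime
    negative: bool = False   # false-positive correction

def crime_score(subs, now, asset_type="ipv4"):
    if not subs:
        return 0             # never observed, submitted or correlated
    positive = [s for s in subs if not s.negative]
    evidence = 0.0
    for s in positive:
        w = s.trust * CONFIDENCE_WEIGHT[s.confidence]
        if asset_type == "ipv4":   # time decay applies to IPv4 only
            age_days = (now - s.observed).total_seconds() / 86400
            w *= 0.5 ** (age_days / DECAY_HALF_LIFE_DAYS)
        evidence += w
    # negative submissions from trusted members pull the score down
    evidence -= sum(s.trust for s in subs if s.negative)
    members = {s.member for s in positive}
    evidence *= 1 + math.log(len(members) or 1)  # non-linear boost per member
    if any(a.member != b.member and abs(a.observed - b.observed) <= CORRELATION_WINDOW
           for a in positive for b in positive):
        evidence *= 1.5      # cross-member temporal correlation
    score = MAX_SCORE * (1 - math.exp(-evidence))
    return max(1, min(MAX_SCORE, round(score)))   # observed => at least 1

def should_block(score, threshold=BASELINE_THRESHOLD):
    return score >= threshold
```

A single stale heuristic report on an IPv4 address decays back to 1, while the same report on a domain keeps its full weight; three members reporting within a week saturate the score well above the 190 baseline.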
Strategic Value
The OFA Crime Score transforms distributed threat detection into a standardized enforcement metric. Instead of manually evaluating raw IoCs, security controls can:
- Consume numeric risk thresholds
- Automate firewall and IPS decisions
- Apply dynamic blocking policies
- Adjust risk appetite programmatically