# OneFirewall Crime Score (OFA Score)

The **OneFirewall Crime Score (OFA Score)** is a quantitative risk metric assigned to an asset (IPv4 address, domain, URL, or file hash) based on intelligence collected and validated within the OneFirewall Alliance ecosystem.

The score ranges from **0 to 1000**, representing the probabilistic confidence and severity that an asset is malicious or has been involved in cybercriminal activity.

Higher values indicate higher risk and stronger correlation with confirmed malicious behavior.

***

## Score Semantics

**Score = 0**\
The asset has never been observed, submitted, or correlated within the OneFirewall Threat Intelligence ecosystem.

**Score = 1**\
The asset has been observed at least once in relation to suspicious or malicious activity.

**Score > 1**\
Represents progressive risk elevation derived from multi-factor correlation, validation, and scoring algorithms.

***

## Scoring Model – Contributing Factors

The Crime Score is a weighted, time-aware, trust-aware correlation engine built on multiple intelligence dimensions.

### 1. Alliance Member Frequency

Number of independent Alliance Members reporting the same asset in malicious contexts.

Higher independent confirmations increase score non-linearly.

***

### 2. Source Trust Weight

Each Alliance Member is assigned a dynamic **trust score** based on:

* Historical submission accuracy
* False positive rate
* Validation consistency
* Participation longevity
* Correlation agreement with other members

Submissions from higher-trust members carry greater influence in score computation.

***

### 3. Confidence Metadata

Submissions may include a **confidence level** indicating the reporting entity’s internal validation depth.

Examples:

* Observed exploitation attempt
* Confirmed compromise
* Sinkhole validation
* Sandbox execution
* Heuristic suspicion

Confidence metadata directly affects score weighting.

***

### 4. Temporal Oscillation (Time Decay Model)

The Crime Score incorporates a time-based decay function.

If no new malicious activity is observed, the score gradually decreases according to a proprietary decay algorithm designed to model:

* Infrastructure churn
* Botnet IP reassignment
* Compromised host remediation
* Natural IPv4 reallocation

Currently, **only IPv4 indicators** are subject to time-based decay.

Domains, URLs, and file hashes are not automatically decayed because those indicator types persist rather than churn.

***

### 5. Structured CTI Enrichment (STIX 2.x)

If a submission includes structured CTI (e.g., STIX 2 objects), additional contextual enrichment increases scoring precision:

* Associated threat actor
* Malware family
* Campaign reference
* MITRE ATT&CK mapping
* Kill chain phase
* Infrastructure pivot correlation

Structured CTI improves confidence granularity and cross-asset correlation.

***

### 6. Cross-Member Temporal Correlation

If multiple independent Alliance Members report the same asset within correlated time windows, the score increases significantly due to:

* Distributed attack validation
* Campaign propagation detection
* Multi-tenant exposure confirmation

This mechanism reduces false positives and strengthens consensus-based elevation.

***

## Dynamic Score Behavior

The Crime Score is dynamic.

It may:

* **Increase** with new validated submissions
* **Increase** through correlation enrichment
* **Decrease** via negative submissions (false-positive correction)
* **Decrease** through time-based decay (IPv4 only)

This ensures the score reflects current threat posture rather than historical bias.
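The toy aggregator below is an added illustration, not OneFirewall's code: the real weights and decay curve are proprietary and not on this page. It reproduces in working Python only the documented properties of the score: 0 for an asset never seen, a floor of 1 once it has been observed, super-linear growth with the number of independent members, trust and confidence weighting, a bonus for structured CTI and for cross-member reports inside a time window, negative submissions that lower the score, and decay that applies to IPv4 only. Every numeric constant, the `Submission` fields, `crime_score`, and the sample reports are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from math import sqrt
from typing import Iterable

# ASSUMPTION: every constant and formula here is invented for illustration.
# OneFirewall's real weights and decay algorithm are proprietary; only the
# qualitative behaviour described in the documentation is reproduced.
MAX_SCORE = 1000
SCALE = 120.0              # points per unit of weighted evidence (assumed)
STIX_BONUS = 1.25          # multiplier when structured CTI is attached (assumed)
CORRELATION_BONUS = 1.5    # multiplier for cross-member temporal correlation (assumed)

# Confidence levels named on the page, mapped to assumed weights in 0..1.
CONFIDENCE_WEIGHT = {
    "heuristic_suspicion": 0.3,
    "sandbox_execution": 0.6,
    "sinkhole_validation": 0.8,
    "observed_exploitation": 0.9,
    "confirmed_compromise": 1.0,
}


@dataclass(frozen=True)
class Submission:
    member: str             # reporting Alliance Member
    member_trust: float     # that member's dynamic trust score, 0..1
    confidence: str         # key of CONFIDENCE_WEIGHT
    observed: datetime      # when the member observed the activity
    negative: bool = False  # True for a false-positive correction
    has_stix: bool = False  # structured CTI (STIX 2.x) attached


def crime_score(asset_type: str, submissions: Iterable[Submission], now: datetime,
                half_life_days: float = 30.0,
                window: timedelta = timedelta(hours=48)) -> int:
    """Toy OFA-style score (0..1000) for one asset of type ipv4/domain/url/hash."""
    subs = list(submissions)
    positives = [s for s in subs if not s.negative]
    if not positives:
        return 0  # never observed in a malicious context
    # Source trust x confidence metadata x STIX enrichment, per submission.
    evidence = sum(
        s.member_trust * CONFIDENCE_WEIGHT[s.confidence]
        * (STIX_BONUS if s.has_stix else 1.0)
        for s in positives
    )
    # Alliance member frequency: independent confirmations count super-linearly.
    members = {s.member for s in positives}
    elevation = SCALE * evidence * sqrt(len(members))
    # Cross-member temporal correlation: two different members within `window`.
    if any(a.member != b.member and abs(a.observed - b.observed) <= window
           for a in positives for b in positives):
        elevation *= CORRELATION_BONUS
    # Negative submissions (false-positive corrections) pull the score down.
    elevation -= sum(SCALE * s.member_trust for s in subs if s.negative)
    # Time decay applies to IPv4 only; domains, URLs and hashes are not decayed.
    if asset_type == "ipv4":
        age_days = (now - max(s.observed for s in positives)).total_seconds() / 86400
        elevation *= 0.5 ** (age_days / half_life_days)
    # Floor of 1: the asset has been observed at least once; cap at 1000.
    return int(min(MAX_SCORE, max(1, round(1 + elevation))))


NOW = datetime(2024, 6, 1)  # constructed reference time


def sample_reports(base: datetime) -> list[Submission]:
    """Constructed sample: three independent members reporting within 48 hours."""
    return [
        Submission("member-a", 1.0, "confirmed_compromise", base, has_stix=True),
        Submission("member-b", 0.8, "sinkhole_validation", base - timedelta(hours=10)),
        Submission("member-c", 0.5, "sandbox_execution", base - timedelta(hours=30)),
    ]


def demo_scores() -> dict[str, int]:
    """Score the constructed scenarios; returns scenario name -> score."""
    fresh = sample_reports(NOW)
    stale = sample_reports(NOW - timedelta(days=60))
    corrected = fresh + [Submission("member-d", 1.0, "confirmed_compromise", NOW, negative=True)]
    lone = [Submission("member-z", 0.5, "heuristic_suspicion", NOW)]
    lone_old = [Submission("member-z", 0.5, "heuristic_suspicion", NOW - timedelta(days=3650))]
    flood = [Submission(f"member-{i}", 1.0, "confirmed_compromise",
                        NOW - timedelta(hours=i), has_stix=True) for i in range(6)]
    return {
        "never_seen": crime_score("ipv4", [], NOW),
        "domain_fresh": crime_score("domain", fresh, NOW),
        "domain_60d_old": crime_score("domain", stale, NOW),
        "ipv4_60d_old": crime_score("ipv4", stale, NOW),
        "domain_with_correction": crime_score("domain", corrected, NOW),
        "ipv4_lone_heuristic": crime_score("ipv4", lone, NOW),
        "ipv4_lone_heuristic_10y_old": crime_score("ipv4", lone_old, NOW),
        "hash_six_members": crime_score("hash", flood, NOW),
    }


if __name__ == "__main__":
    for name, score in demo_scores().items():
        print(f"{name:30s} {score:4d}")
```

Running `demo_scores()` shows the documented asymmetry directly: the same three-member report keeps its full score on a domain after 60 days but decays to roughly a quarter of its elevation on an IPv4 address, a single fully trusted false-positive correction pulls the domain score down, and a lone low-trust heuristic report on an IPv4 address sinks back to the floor of 1 once it is years old.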

***

## Operational Usage – Enforcement Thresholds

Using the Crime Score for automated perimeter enforcement requires selecting a blocking threshold aligned with organizational risk tolerance.

OneFirewall does not mandate a fixed threshold; the operational guidance below is based on Alliance usage patterns.

### Recommended Calibration Process

1. Start enforcement at **Score ≥ 400**
2. Reduce threshold by **50 points per week**
3. During each phase, review:
   * Inbound blocked traffic
   * Outbound blocked traffic
   * False positives
   * Business impact
4. Continue reduction until operational equilibrium is reached.

***

## Alliance-Validated Enforcement Baseline

Across the majority of Alliance Members, a threshold of:

> **Score ≥ 190**

has demonstrated an effective balance between prevention efficiency and low false-positive impact.

This value is derived from empirical operational validation across multi-sector deployments.
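To make the calibration process and the 190 baseline concrete, the following Python walks the weekly schedule against a constructed traffic sample. It is an added example, not OneFirewall's tooling: the `Flow` records, the analyst labels, and the equilibrium rule (stop at the first phase that exceeds the false-positive tolerance and keep the previous threshold) are assumptions for illustration. Only the 400 start, the 50-point weekly step, and the 190 baseline come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass

START_THRESHOLD = 400     # page: start enforcement at score >= 400
WEEKLY_STEP = 50          # page: lower the threshold by 50 points per week
ALLIANCE_BASELINE = 190   # page: value most Alliance Members have settled on


@dataclass(frozen=True)
class Flow:
    direction: str          # "inbound" or "outbound"
    peer_score: int         # OFA score of the remote asset, 0..1000
    confirmed_legit: bool   # analyst-verified legitimate peer (constructed label)


# Constructed review sample: one week of connections, each tagged with the
# peer's score. The 240-point outbound peer is a legitimate partner that was
# wrongly reported, so blocking it is a false positive with business impact.
SAMPLE_FLOWS = [
    Flow("inbound", 950, False),
    Flow("inbound", 610, False),
    Flow("outbound", 430, False),
    Flow("inbound", 330, False),
    Flow("outbound", 240, True),
    Flow("inbound", 210, False),
    Flow("inbound", 120, False),
    Flow("outbound", 0, False),
]


def should_block(score: int, threshold: int) -> bool:
    """Enforcement rule: block when the peer's score meets the threshold."""
    return score >= threshold


def evaluate_phase(flows: list[Flow], threshold: int) -> dict[str, int]:
    """Figures to review for one weekly phase at the given threshold."""
    blocked = [f for f in flows if should_block(f.peer_score, threshold)]
    return {
        "threshold": threshold,
        "blocked_inbound": sum(1 for f in blocked if f.direction == "inbound"),
        "blocked_outbound": sum(1 for f in blocked if f.direction == "outbound"),
        "false_positives": sum(1 for f in blocked if f.confirmed_legit),
    }


def calibrate(flows: list[Flow], start: int = START_THRESHOLD, step: int = WEEKLY_STEP,
              max_false_positives: int = 0, floor: int = 1) -> tuple[int | None, list[dict[str, int]]]:
    """Walk the weekly schedule downward until the false-positive tolerance is exceeded.

    Returns the last threshold still within tolerance (the operational
    equilibrium, or None if even `start` was too aggressive) and the per-phase
    review reports. `floor` stops the walk before 0, since score 0 means the
    asset was never observed and must not be blocked.
    """
    accepted = None
    history = []
    threshold = start
    while threshold >= floor:
        report = evaluate_phase(flows, threshold)
        history.append(report)
        if report["false_positives"] > max_false_positives:
            break  # roll back: the previous phase is the equilibrium
        accepted = threshold
        threshold -= step
    return accepted, history


if __name__ == "__main__":
    equilibrium, history = calibrate(SAMPLE_FLOWS)
    for report in history:
        print(report)
    print("equilibrium threshold:", equilibrium)
    print("at Alliance baseline:", evaluate_phase(SAMPLE_FLOWS, ALLIANCE_BASELINE))
```

In this constructed sample the walk settles at 250 because the 200-point phase would block the legitimate partner scored 240; `evaluate_phase(SAMPLE_FLOWS, ALLIANCE_BASELINE)` then shows what the Alliance baseline would do to the same traffic, which is the comparison an operator wants before moving below their own equilibrium.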

***

## Strategic Value

The OFA Crime Score transforms distributed threat detection into a standardized enforcement metric.

Instead of manually evaluating raw IoCs, security controls can:

* Consume numeric risk thresholds
* Automate firewall and IPS decisions
* Apply dynamic blocking policies
* Adjust risk appetite programmatically

This enables SOC teams to shift from reactive triage to algorithmic perimeter enforcement.
