All IP reputation systems must "forget" what they know from time to time. IPs go out of service or change hands; infected systems are cleaned and clean systems become infected.

GBUdb statistics degrade over time through "condensation". Condensation is when the good and bad counts of a GBUdb record are both divided by 2. More precisely, they are usually right-shifted by one bit. The result is that the Confidence figure degrades while the Probability figure remains the same (or at least very close to it).

For example, consider an IP that has 100 bad encounters and 50 good encounters. The resulting probability figure can be calculated as (100 - 50) / (100 + 50) giving us a probability figure of .33333. After condensation the bad count would be 50 and the good count would be 25. Now the probability figure can be calculated as (50 - 25) / (50 + 25) giving the result .33333.

For all Ugly IPs, once both the good and bad counts have reached zero the record is removed from the database. IPs with other flags must remain because the flags carry important information.

Condensation can be triggered by a number of factors. Most commonly (by default) a condensation cycle is triggered once per day. The result is that if a particular IP is not seen for 15 days then information about that IP will be "forgotten". In most cases information about an IP is lost much more quickly, since it is unlikely there would have been enough encounters to generate 15 bits' worth of data. More commonly, IPs from defunct bot-net addresses tend to disappear in 3-5 days.

These numbers are only guesses based on observations during testing. They are intended to show the basic concepts involved and not to predict day-to-day activity. It is very likely that you will experience different results.
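
The condensation cycle described above, as an added Python example that is not GBUdb's own code: it right-shifts both counts once per simulated day with no new encounters, removes Ugly records once both counts reach zero, and keeps records with any other flag. The record layout, flag strings, IP addresses and counts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Record:
    flag: str   # "ugly" or any other flag (flag strings are illustrative)
    good: int
    bad: int

def probability(rec):
    """(bad - good) / (bad + good), as in the worked example; None with no data."""
    total = rec.good + rec.bad
    return None if total == 0 else (rec.bad - rec.good) / total

def condense(db):
    """One condensation cycle: right-shift both counts by one bit, then
    drop Ugly records whose good and bad counts have both reached zero."""
    for ip in list(db):
        rec = db[ip]
        rec.good >>= 1
        rec.bad >>= 1
        if rec.flag == "ugly" and rec.good == 0 and rec.bad == 0:
            del db[ip]

def days_until_forgotten(rec):
    """Cycles needed to zero both counts: the bit length of the larger count."""
    return max(rec.good, rec.bad).bit_length()

def simulate(db, days):
    """Run one cycle per day with no new encounters; return {ip: day removed}."""
    removed = {}
    for day in range(1, days + 1):
        before = set(db)
        condense(db)
        for ip in before - set(db):
            removed[ip] = day
    return removed

def sample_db():
    # Constructed sample data: documentation-range IPs, made-up counts.
    return {
        "192.0.2.10": Record("ugly", good=50, bad=100),   # counts from the example
        "192.0.2.20": Record("ugly", good=0, bad=20),     # short-lived source
        "192.0.2.30": Record("ugly", good=3, bad=32767),  # 15 bits of data
        "192.0.2.40": Record("other", good=4, bad=1),     # flagged: never removed
    }

if __name__ == "__main__":
    db = sample_db()
    print(simulate(db, 20), db)
```

Because the shift discards the low bit, odd counts make the Probability figure drift slightly between cycles, which is the "very close to it" case noted above.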
