Hello sg jr,
While the details of the Global Correlation and Reputation algorithm are proprietary and not shareable, you're assumptions are correct. A significant amount of legitimately and verifiably malicious traffic would need to be repetitively generated and targeted to cause an IP to obtain a negative reputation.
Please let me know if I can help you with anything further within the context of this thread. If your question has been Answered, please mark the thread as such so that it will be helpful to other users. Also, please feel free to Rate this thread to reflect your experience.
Thank you,
Blayne Dreier
Cisco TAC Escalation Team
**Please check out our Podcasts**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast
TAC IPS Media Series: