
Draft Proposal: Add Support for Characterizing Interesting Data

Ivan Kirillov edited this page Sep 9, 2015 · 1 revision

DRAFT

Status:
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/8

Background Information

While analyzing malware, an analyst may find something interesting but may not yet know how it fits into the larger analysis picture. We need to let analysts simply tag such "interesting" data.

Related Proposals

This proposal assumes the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-Use-of-QNames-for-IDs

Proposal

We propose to capture "interesting" data in MAEC through an Observation field of type ObservationType. The ObservationType would have the fields:

| Field     | Type                | Multiplicity | Description                                                                                            |
|-----------|---------------------|--------------|--------------------------------------------------------------------------------------------------------|
| type      | ObservationTypeEnum | 0-1          | The type field specifies the type of observation.                                                      |
| target_id | xs:anyURI           | 0-1          | The target_id field specifies the MAEC Entity (e.g., Action, Behavior) that is being tagged as interesting. |

As stated in the Requested Feedback section, it is not clear whether the Observation should be captured as part of a Malware Subject or as part of a particular Analysis. Analyst comments are currently captured as part of an Analysis (Comments field of type CommentListType), which suggests that Observations should also be captured as part of an Analysis.

Also, the values for the ObservationTypeEnum enumeration, representing the default set of "observations" specified in MAEC, will need to be specified.

Example

<Analysis id="analysis-1">
  <Observation type="malformed header" target_id="pe-object-1"/>
</Analysis>
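As an added illustration, not part of the proposal, the check below resolves each Observation's target_id against the ids present in a MAEC document and validates the type attribute against a default enumeration. The sample document, the Object and Action ids, and the ObservationTypeEnum values are constructed assumptions; the proposal leaves the real enumeration open.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the proposal's example. The enclosing
# elements, the "pe-object-1" Object and the "action-*" ids are assumptions
# for illustration, not structure defined by the MAEC schema.
SAMPLE = """
<MAEC_Package>
  <Malware_Subject id="subject-1">
    <Object id="pe-object-1"/>
    <Action id="action-1"/>
    <Analysis id="analysis-1">
      <Observation type="malformed header" target_id="pe-object-1"/>
      <Observation type="malformed header" target_id="action-99"/>
      <Observation type="not an enum value" target_id="action-1"/>
    </Analysis>
  </Malware_Subject>
</MAEC_Package>
"""

# Hypothetical default values for ObservationTypeEnum; the proposal asks
# reviewers what the real list should contain.
OBSERVATION_TYPE_ENUM = {"malformed header", "packed", "anti-analysis"}


def check_observations(xml_text):
    """Return a list of (observation_index, message) problems.

    Checks that every Observation's target_id resolves to an id declared
    somewhere in the document (a dangling reference tags nothing) and that
    its type is a member of OBSERVATION_TYPE_ENUM.
    """
    root = ET.fromstring(xml_text)
    known_ids = {el.get("id") for el in root.iter() if el.get("id")}
    problems = []
    for idx, obs in enumerate(root.iter("Observation")):
        target = obs.get("target_id")
        if target is None:
            problems.append((idx, "missing target_id"))
        elif target not in known_ids:
            problems.append((idx, f"dangling target_id {target!r}"))
        obs_type = obs.get("type")
        if obs_type is not None and obs_type not in OBSERVATION_TYPE_ENUM:
            problems.append((idx, f"unknown observation type {obs_type!r}"))
    return problems
```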

Impact

This change will not be backward compatible and is one of several revisions planned for the new major version.

Requested Feedback

  1. Is it necessary to capture "interesting" data?
    1. If so, should Observations be associated with Malware Subjects or Analyses?
  2. Is it feasible to define a default set of "interesting" observations?
    1. If so, what should be the values of ObservationTypeEnum?
  3. Should an ObservationListType be defined? Or should the multiplicity of the Observation field be 0..*?