
MAEC v5.0 in a Nutshell

Ivan Kirillov edited this page Sep 9, 2015 · 40 revisions

Given the current slate of (extensive) proposals around changes in MAEC 5.0, it may be difficult to grasp what the full proposed set of changes entails, especially in comparison to previous versions of MAEC. As such, this document is intended to provide an overview of these changes, based on their rationale for being included.

Rationale: Simplification & Reduction of Complexity

The vast majority of major, non-backwards-compatible changes in MAEC 5.0 revolve around simplifying the data model for both content producers and consumers. In terms of statistics, part of this change involves the deprecation of:

  • 1 schema (MAEC Container)
  • 2 output formats (MAEC Bundle, MAEC Container)
  • ~45 schema types (final count still ongoing)

Highlighted below are the most critical changes in this regard.

MAEC Bundle & Container Deprecation

The MAEC Bundle is a separate MAEC output format for malware data that was largely an artifact of early versions of MAEC. With the addition of the MAEC Package and Malware Subject constructs, it has been rendered unnecessary. Similarly, the MAEC Container was added to support potential use cases around MAEC Package management, but it has not been widely used. Thus, deprecating both the MAEC Bundle and MAEC Container allows us to simplify the data model (including removing unnecessary layers of abstraction) and focus on supporting only a single output format, the MAEC Package.

Related Proposals

First-class Relationships

Relationships in previous versions of MAEC were defined on their respective entity (e.g., a Malware Subject), making them awkward to construct and parse. MAEC 5.0 proposes to fix this by making one-to-one relationships distinct objects that can be defined at the top level of a MAEC document. This simplifies their construction and use, as both target and source IDs are captured in one place, and also makes them more flexible as it permits relating any identifiable MAEC entities with a single object (instead of needing a special relationship construct for each type of MAEC entity as before).

Related Proposals

Making ALL Entities Top-level Objects

In previous versions of MAEC, entities such as CybOX Objects, MAEC Actions, and the like could be either defined inside or referenced from their respective elements. While this lent a great deal of flexibility, it also meant that content could be quite variable from producer to producer, making it more difficult to parse (and necessitating multiple code paths). With MAEC 5.0, we propose making ALL identifiable MAEC entities top-level objects; that is, they can be defined only at the top level of a MAEC document, and must be referenced everywhere else (e.g., from Malware Subjects). This serves to simplify content production as well as parsing, as it guarantees a consistent form of MAEC content.

Accordingly, the following entities will be made top-level Objects:

  • CybOX Objects
  • Actions
  • Behaviors
  • Capabilities
  • Tools
  • Collections
  • Relationships

Related Proposals

Generalized Collections

In the past, MAEC Collections have had separate implementations for each respective MAEC entity (e.g., Actions, Behaviors, etc.), making their implementation overly heavyweight and also inflexible due to its inability to support mixed collections of entities such as Actions and CybOX Objects. MAEC 5.0 proposes to resolve this by having a single Collection implementation that can group any arbitrary set of MAEC entities. This also permits the Collection to serve as a mechanism for specifying many-to-many relationships (i.e. between all entities in the Collection).

Related Proposals

Simplified Actions

Malware Actions in previous versions of MAEC have been derived from their respective generalized implementation in CybOX. While this has ensured compatibility with CybOX in this regard, it also meant that MAEC had to carry and support CybOX-defined fields intended for a more general implementation of Actions than needed, increasing the complexity of Actions. Moreover, this dependency has meant that any necessary modification to core Action properties must be made in CybOX first and then propagated to MAEC. Thus, MAEC 5.0 proposes a refactored, MAEC-defined implementation of Malware Actions to both simplify their representation and make them more flexible for future updates in MAEC.

Related Proposals

Refactored Capabilities and Behaviors

Owing to the significant overlap in functionality between Capability Objectives (Strategic and Tactical) and Behaviors, we have proposed to deprecate Objectives entirely and recast them as more granular Capabilities or Behaviors, as appropriate, leading to the simplification of the Capability data model and its implementation. Accordingly, we have proposed to refactor Behaviors in order to align their implementation with this change and also for the sake of further simplification.

Related Proposals

Rationale: New Feature Additions

The remaining changes in MAEC 5.0 are around additions of new, useful features previously requested by the MAEC community or noted as candidates for inclusion by the MAEC team. Highlighted below are some of the most relevant new features that are proposed for inclusion.

Capture of Malware Instance/Family Names

The ability to capture names (e.g., as reported by an AV tool) for a malware instance, including that of the malware family that it may belong to, can be a useful tool for the rapid identification and correlation of malware. Thus, we propose supporting this capture on the Malware Subject as one of the changes in MAEC 5.0.

Related Proposals

Discrete Capture of Static Malware Features

Previous versions of MAEC had a relatively roundabout way of capturing static malware features via the MAEC Bundle. With the deprecation of the MAEC Bundle in 5.0 and the associated layers it removes, we can now directly support the capture of static malware features (represented as one or more CybOX Objects) that are associated with a Malware Subject.

Related Proposals

Capture of AV Classifications for ANY CybOX Object

MAEC 3.x and 4.x supported the capture of AV classifications only on a Malware Subject, which meant that they could not be captured on other CybOX Objects defined in a MAEC document. Having the flexibility to capture an AV classification for any CybOX Object is useful for a number of applications, including the triage of files that may be suspicious but are not known with any certainty to be malware (and thus are not composed as Malware Subjects). Thus, we propose deprecating the existing AV classification implementation in favor of a CybOX Object-centered approach.

Related Proposals

Example

Illustrating the nature of these changes is best done through an example, so below we show what an existing MAEC Package looked like (as of MAEC 4.1), and the same MAEC Package incorporating the changes that we've proposed for MAEC 5.0.

Before - MAEC 4.1

<maecPackage:MAEC_Package id="example:package-1" schema_version="2.1">
 <maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="example:malware_subject-1">
   <maecPackage:Malware_Instance_Object_Attributes>
     <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
      <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name>
      <FileObj:Size_In_Bytes>196608</FileObj:Size_In_Bytes>
      <FileObj:Hashes>
       <cyboxCommon:Hash>
        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
        <cyboxCommon:Simple_Hash_Value>4EC0027BEF4D7E1786A04D021FA8A67F</cyboxCommon:Simple_Hash_Value>
       </cyboxCommon:Hash>
      </FileObj:Hashes>
     </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">dropper file</maecPackage:Label>
   
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">drops</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-2">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>msvcr.dll</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">downloader</maecPackage:Label>
   
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">dropped by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-1"/>
    </maecPackage:Relationship>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-3"/>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-4"/>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-5"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-3">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>fvcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="example:bundle-1" defined_subject="False">
     <maecBundle:Actions>
      <maecBundle:Action id="example:action-1"  action_status="Success">
       <cybox:Name xsi:type="maecVocabs:FileActionNameVocab-1.0">create file</cybox:Name>
       <cybox:Associated_Objects>
        <cybox:Associated_Object id="example:object-6">
         <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
          <FileObj:File_Name>system.dll</FileObj:File_Name>
          <FileObj:Full_Path>C:\WINDOWS\Debug\Data</FileObj:Full_Path>
         </cybox:Properties>
         <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
        </cybox:Associated_Object>
       </cybox:Associated_Objects>
      </maecBundle:Action>
     </maecBundle:Actions>
    </maecPackage:Bundle>
   </maecPackage:Findings_Bundles>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-4">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>acvcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="example:bundle-2" defined_subject="False">
     <maecBundle:Capabilities>
       <maecBundle:Capability id="example:capability-1" name="persistence">
         <maecBundle:Strategic_Objective id="example:objective-1">
           <maecBundle:Name xsi:type="maecVocabs:PersistenceStrategicObjectivesVocab-1.0">persist to continuously execute on system</maecBundle:Name>
        </maecBundle:Strategic_Objective>
       </maecBundle:Capability>
     </maecBundle:Capabilities>
     <maecBundle:Behaviors>
       <maecBundle:Behavior id="example:behavior-1" status="Success">
         <maecBundle:Description>System reboot persistence.</maecBundle:Description>
         <maecBundle:Action_Composition>
           <maecBundle:Action_Reference action_id="example:action-2"/>
         </maecBundle:Action_Composition>
       </maecBundle:Behavior>
     </maecBundle:Behaviors>
     <maecBundle:Actions>
      <maecBundle:Action id="example:action-2" action_status="Success" >
       <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key</cybox:Name>
       <cybox:Associated_Objects>
        <cybox:Associated_Object id="example:object-7">
         <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
          <WinRegistryKeyObj:Key>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}</WinRegistryKeyObj:Key>
          <WinRegistryKeyObj:Hive>HKEY_USERS</WinRegistryKeyObj:Hive>
         </cybox:Properties>
         <cybox:Association_Type xsi:type="maecVocabs:ActionObjectAssociationTypeVocab-1.0">output</cybox:Association_Type>
        </cybox:Associated_Object>
       </cybox:Associated_Objects>
      </maecBundle:Action>
     </maecBundle:Actions>
    </maecPackage:Bundle>
   </maecPackage:Findings_Bundles>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-5">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>avcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
 </maecPackage:Malware_Subjects>
 
 <maecPackage:Grouping_Relationships>
  <maecPackage:Grouping_Relationship>
   <maecPackage:Type xsi:type="maecVocabs:GroupingRelationshipTypeVocab-1.0">observed together</maecPackage:Type>
  </maecPackage:Grouping_Relationship>
 </maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>

After - MAEC 5.0

The notional MAEC 5.0 example below demonstrates the following changes:

  • MAEC Bundle Deprecation
  • Top-level Relationships
  • Generalized Collections
  • Refactored Malware Actions
  • Refactored Capabilities
  • Refactored Behaviors

<maecPackage:MAEC_Package id="example:package-1" schema_version="5.0">
 <maecPackage:Objects>
  <cybox:Object id="example:object-1">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name>
    <FileObj:Size_In_Bytes>196608</FileObj:Size_In_Bytes>
    <FileObj:Hashes>
     <cyboxCommon:Hash>
      <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>4EC0027BEF4D7E1786A04D021FA8A67F</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash>
    </FileObj:Hashes>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-2">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>msvcr.dll</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-3">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>fvcwin32.exe</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-4">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>acvcwin32.exe</FileObj:File_Name>
   </cybox:Properties>  
  </cybox:Object>
  <cybox:Object id="example:object-5">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>avcwin32.exe</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-6">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>system.dll</FileObj:File_Name>
    <FileObj:Full_Path>C:\WINDOWS\Debug\Data</FileObj:Full_Path>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-7">
   <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
    <WinRegistryKeyObj:Key>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}</WinRegistryKeyObj:Key>
    <WinRegistryKeyObj:Hive>HKEY_USERS</WinRegistryKeyObj:Hive>
   </cybox:Properties>
  </cybox:Object>
 </maecPackage:Objects>
 
 <maecPackage:Actions>
  <maecPackage:Action id="example:action-1" action_status="success">
   <maecCore:Name xsi:type="maecVocabs:FileActionNameVocab-1.1">create file</maecCore:Name>
   <maecCore:Associated_Object_Reference object_idref="example:object-6" association_type="output"/>
  </maecPackage:Action>
  <maecPackage:Action id="example:action-2" action_status="success">
   <maecCore:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key</maecCore:Name>
   <maecCore:Associated_Object_Reference object_idref="example:object-7" association_type="output"/>
  </maecPackage:Action>
 </maecPackage:Actions>

 <maecPackage:Behaviors>
   <maecCore:Behavior id="example:behavior-1" status="Success">
     <maecCore:Name xsi:type="maecVocabs:BehaviorNameVocab-1.0">persist after system reboot</maecCore:Name>
     <maecCore:Action_Reference action_id="example:action-2"/>
   </maecCore:Behavior>
 </maecPackage:Behaviors>

 <maecPackage:Capabilities>
   <maecCore:Capability id="example:capability-1">
     <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</maecCore:Name>
   </maecCore:Capability>
   <maecCore:Capability id="example:capability-2">
     <maecCore:Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">continuous execution</maecCore:Name>
   </maecCore:Capability>
 </maecPackage:Capabilities>
 
 <maecPackage:Relationships>
  <maecPackage:Relationship id="example:relationship-1" source_idref="example:malware_subject-1" target_idref="example:malware_subject-2">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">drops</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-2" source_idref="example:malware_subject-2" target_idref="example:malware_subject-3">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-3" source_idref="example:malware_subject-2" target_idref="example:malware_subject-4">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-4" source_idref="example:malware_subject-2" target_idref="example:malware_subject-5">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
 </maecPackage:Relationships>
 
 <maecPackage:Collections>
  <maecPackage:Collection id="example:collection-1" maec_entity_type="malware subjects" association_type="observed together">
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-1"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-3"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-4"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-5"/>
  </maecPackage:Collection>
 </maecPackage:Collections>
 
 <maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="example:malware_subject-1">
   <maecPackage:Instance_Properties object_idref="example:object-1"/>
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">dropper file</maecPackage:Label>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-2">
   <maecPackage:Instance_Properties object_idref="example:object-2"/>
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">downloader</maecPackage:Label>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-3">
   <maecPackage:Instance_Properties object_idref="example:object-3"/>
   <maecPackage:Actions>
    <maecPackage:Action_Reference action_idref="example:action-1"/>
   </maecPackage:Actions>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-4">
   <maecPackage:Instance_Properties object_idref="example:object-4"/>
   <maecPackage:Capabilities>
     <maecPackage:Capability_Reference capability_idref="example:capability-1"/>
     <maecPackage:Capability_Reference capability_idref="example:capability-2"/>
   </maecPackage:Capabilities>
   <maecPackage:Behaviors>
     <maecPackage:Behavior_Reference behavior_idref="example:behavior-1"/>
   </maecPackage:Behaviors>
   <maecPackage:Actions>
    <maecPackage:Action_Reference action_idref="example:action-2"/>
   </maecPackage:Actions>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-5">
   <maecPackage:Instance_Properties object_idref="example:object-5"/>
  </maecPackage:Malware_Subject>
 </maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
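An added example (not code from the original page or from the MAEC project) showing what the top-level-only layout above buys a consumer: one pass over the root's sections indexes every entity, one check finds every dangling idref, and a Malware Subject's references are followed back to its Object, Actions and Relationships. It parses a trimmed copy of the notional 5.0 package; the xmlns URIs are placeholders and the xsi:type attributes are omitted, both assumptions since the page's example declares neither.

```python
import xml.etree.ElementTree as ET

# Namespace URIs are placeholders (assumption): the page's example declares no xmlns.
NS = {"maecPackage": "urn:x-maec:package", "maecCore": "urn:x-maec:core",
      "cybox": "urn:x-cybox:core", "FileObj": "urn:x-cybox:file"}

# Constructed sample: a trimmed copy of the page's notional 5.0 package (xsi:type omitted).
SAMPLE = """<maecPackage:MAEC_Package id="example:package-1" schema_version="5.0"
  xmlns:maecPackage="urn:x-maec:package" xmlns:maecCore="urn:x-maec:core"
  xmlns:cybox="urn:x-cybox:core" xmlns:FileObj="urn:x-cybox:file">
 <maecPackage:Objects>
  <cybox:Object id="example:object-1"><cybox:Properties>
   <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name></cybox:Properties></cybox:Object>
  <cybox:Object id="example:object-2"><cybox:Properties>
   <FileObj:File_Name>msvcr.dll</FileObj:File_Name></cybox:Properties></cybox:Object>
  <cybox:Object id="example:object-7"><cybox:Properties/></cybox:Object>
 </maecPackage:Objects>
 <maecPackage:Actions>
  <maecPackage:Action id="example:action-2" action_status="success">
   <maecCore:Name>create registry key</maecCore:Name>
   <maecCore:Associated_Object_Reference object_idref="example:object-7" association_type="output"/>
  </maecPackage:Action>
 </maecPackage:Actions>
 <maecPackage:Relationships>
  <maecPackage:Relationship id="example:relationship-1" source_idref="example:malware_subject-1"
     target_idref="example:malware_subject-2"><maecPackage:Type>drops</maecPackage:Type>
  </maecPackage:Relationship>
 </maecPackage:Relationships>
 <maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="example:malware_subject-1">
   <maecPackage:Instance_Properties object_idref="example:object-1"/>
  </maecPackage:Malware_Subject>
  <maecPackage:Malware_Subject id="example:malware_subject-2">
   <maecPackage:Instance_Properties object_idref="example:object-2"/>
   <maecPackage:Actions><maecPackage:Action_Reference action_idref="example:action-2"/></maecPackage:Actions>
  </maecPackage:Malware_Subject>
 </maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>"""

def load_package(xml_text):
    """Parse a package and index every identifiable entity by id. Because 5.0 defines
    entities only at the top level, one loop over the root's sections is the whole index."""
    root = ET.fromstring(xml_text)
    index = {e.get("id"): e for section in root for e in section if e.get("id")}
    return root, index

def dangling_refs(root, index):
    """Return (element, attribute, value) for every *_idref that resolves to no entity."""
    return [(el.tag.rsplit("}", 1)[-1], attr, val)
            for el in root.iter() for attr, val in el.attrib.items()
            if attr.endswith("idref") and val not in index]

def subject_summary(root, index, subject_id):
    """Follow a Malware Subject's references back to the top-level entities."""
    subj = index[subject_id]
    obj = index[subj.find("maecPackage:Instance_Properties", NS).get("object_idref")]
    actions = [index[r.get("action_idref")].findtext("maecCore:Name", namespaces=NS)
               for r in subj.findall("maecPackage:Actions/maecPackage:Action_Reference", NS)]
    rels = [(r.findtext("maecPackage:Type", namespaces=NS), r.get("target_idref"))
            for r in root.findall("maecPackage:Relationships/maecPackage:Relationship", NS)
            if r.get("source_idref") == subject_id]
    return {"file_name": obj.findtext(".//FileObj:File_Name", namespaces=NS),
            "actions": actions, "relationships": rels}
```

Running dangling_refs before consuming a package is the cheap way to reject content whose references were broken in transit or by a producer that still emits inline definitions.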