Proposal: Deprecate MAEC Bundle (as a concept and output format)

Status: CLOSED
Comment Period Closes: August 20th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/104

Background Information

The MAEC Bundle was the earliest MAEC output format and still exists in MAEC v4.1 as a container for data obtained from the analysis of a single malware instance. However, given that the MAEC Package is used almost exclusively today as the de-facto container for MAEC data, it's worth considering deprecating the MAEC Bundle as an independent output format. In conjunction with the deprecation of the MAEC Container, this would simplify the usage of the MAEC Language by making the MAEC Package the sole output format.

Accordingly, the second aspect of this proposal is to likewise deprecate the concept of the MAEC Bundle at the MAEC Package level (i.e. as a "Findings_Bundle" on a Malware Subject). Based on comments we've received and our own consensus, we feel that the concept of the Bundle may be an unnecessary layer of abstraction on top of the analysis-derived data that a Bundle contains. Instead, for the sake of simplicity and ease-of-use, it would be useful to elevate the data currently contained in a Bundle to the Malware Subject level.

Note that these changes do not mean that the core MAEC datatypes (e.g., the MalwareActionType, CapabilityType, etc.) currently defined in the MAEC Bundle schema would be deprecated; rather, it simply means that the Bundle would no longer exist as a concept relative to a MAEC Package or as a MAEC output format.

Associated Proposals

This proposal is associated with the following proposed changes to the schema:

• https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Container
• https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Objects-Top-Level-Entities
• https://github.com/MAECProject/schemas/wiki/Proposal:-Rename-Malware_Instance_Object_Attributes-Field
• https://github.com/MAECProject/schemas/wiki/Proposal:-Refactor-Malware-Actions

Proposal

There are two key components to this proposal - the deprecation of the MAEC Bundle as an output format and the deprecation of the concept of the MAEC Bundle relative to a MAEC Package.

MAEC Bundle as Output Format

Because there is no strong use case for the MAEC Bundle as a separate output format, we propose simplifying MAEC by deprecating the MAEC Bundle (we've also proposed that the MAEC Container be similarly deprecated) as an output format. As a result, the MAEC Package would be the only MAEC output format available.

This deprecation would simply involve removing the MAEC_Bundle top-level element from the MAEC Bundle schema.

MAEC Bundle as Concept Relative to a MAEC Package

The deprecation of the concept of the MAEC Bundle is more involved and would require a number of changes to both the MAEC Package and MAEC Bundle schemas.

The changes to the MAEC Bundle schema would be the following:

• The MAEC Bundle schema would be renamed to "MAEC Core" and accordingly its filename would be changed to maec_core_schema.xsd.
• The namespace used by the MAEC Core schema would become http://maec.mitre.org/XMLSchema/maec-core-1.
• The version number used by the MAEC Core would become 1.0, because this would be the first release of the MAEC Core schema.
• All Bundle-related types in the MAEC Bundle schema would be deprecated, including the following: BundleType, BundleReferenceType, BundleContentTypeEnum.
• The following MAEC Bundle schema types would be associated with the MAEC Core schema:
  1. The type maecBundle:CapabilityListType would become maecCore:CapabilityListType.
  2. The type maecBundle:BehaviorListType would become maecCore:BehaviorListType.
  3. The type maecBundle:ActionListType would become maecCore:ActionListType.
  4. The type maecBundle:ObjectReferenceListType would become maecCore:ObjectReferenceListType.
• A new type, maecCore:ProcessTreeListType, would be defined:

Field	Type	Multiplicity	Description
Process_Tree	maecCore:ProcessTreeType	0-*	The Process_Tree field specifies a single process tree of execution, as recorded during an execution of the Malware Subject.

---

The changes to the MAEC Package schema would be the following:

• The FindingsBundleListType would be deprecated.
• The corresponding changes would be made to the AnalysisType:
  1. The Findings_Bundle_Reference field would be replaced with an Discovered_Entities field of EntityReferenceListType. This will permit the Analysis to more granularly reference the MAEC Entities (e.g., Objects, Actions, etc.) that it discovered, via their IDs.

Field	Type	Multiplicity	Description
Discovered_Entities	EntityReferenceListType	0-1	The Discovered_Entities field specifies a set of one more Entities that represent the findings of the Analysis.

• The corresponding changes would be made to the MalwareSubjectType:
  1. The Findings_Bundles field would be deprecated. Instead, the Entities previously captured in Bundles (e.g., Actions) will be directly attached to the MalwareSubjectType, as described below.
  2. A new field, Capabilities, of type maecCore:CapabilityListType, would be added. This field permits the capture of the Capabilities associated with the Malware Subject more directly, at its root-level.
  3. A new field, Behaviors, of type maecCore:BehaviorListType, would be added. This field permits the capture of Behaviors associated with the Malware Subject more directly, at its root-level.
  4. A new field, Actions, of type maecCore:ActionListType, would be added. This field permits the capture of Actions associated with the Malware Subject more directly, at its root-level.
  5. A new field, Process_Trees, of type maecCore:ProcessTreeListType, would be added. This field permits the capture of the Process Trees associated with the Malware Subject more directly, at its root-level.
  6. A new field, Static_Features, of type maecCore:ObjectReferenceListType, would be added. This field permits the capture of the static features associated with the Malware Subject more directly, at its root-level.

Field	Type	Multiplicity	Description
Capabilities	maecCore:CapabilityListType	0-1	The Capabilities field specifies a set of one or more Capabilities possessed by the Malware Subject.
Behaviors	maecCore:BehaviorListType	0-1	The Behaviors field specifies a set of one or more Behaviors exhibited by the Malware Subject.
Actions	maecCore:ActionListType	0-1	The Actions field specifies a set of one or more Actions discovered for the Malware Subject.
Process_Trees	maecCore:ProcessTreeListType	0-1	The Process_Trees field specifies a set of one or more Process Trees observed during one or more executions of the Malware Subject.
Static_Features	maecCore:ObjectReferenceListType	0-1	The Static_Features field specifies a set of one or more Static Features, represented as CybOX Objects, associated with the Malware Subject.

• A new type, maecPackage:EntityReferenceListType, would be defined:

Field	Type	Multiplicity	Description
Entity_Reference	EntityReferenceType	1-*	The Entity_Reference field specifies a reference to an existing MAEC Entity in the document, via its ID.

• A new type, maecPackage:EntityReferenceType, would be defined:

Field	Type	Multiplicity	Description
@entity_idref	xs:QName	1	The required entity_idref field provides a reference to an existing Entity in the MAEC document, via its ID. For example, if an Action has an ID value of "action-1", setting the entity_idref field to this value would serve as a reference to this Action.

Example

Before - MAEC v4.1

The following represents an example of a typical Malware Subject with an Analysis and Findings Bundle before this set of proposed changes and related proposals (i.e., as of MAEC v4.1).

<maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="maec-test-sub-1">
    <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
      </cybox:Properties>
    </maecPackage:Malware_Instance_Object_Attributes>
    
    <maecPackage:Analysis id="maec-tst-ana-1" method="static" type="in-depth">
      <maecPackage:Findings_Bundle_Reference bundle_idref="maec-tst-bnd-1"/>
    </maecPackage:Analysis>

    <maecPackage:Findings_Bundles>
      <maecPackage:Bundle id="maec-tst-bnd-1" defined_subject="false" schema_version="4.1">
        <maecBundle:Capabilities>
          <maecBundle:Capability id="maec-tst-cpb-1" name="persistence"/>
        </maecBundle:Capabilities>

        <maecBundle:Behaviors>
          <maecBundle:Behavior id="maec-tst-bhv-1">
            <maecBundle:Description>System Reboot Persistence via Registry Startup</maecBundle:Description>
            <maecBundle:Action_Composition>
              <maecBundle:Action_Reference action_id="maec-tst-act-1"/>
            </maecBundle:Action_Composition>
          </maecBundle:Behavior>
        </maecBundle:Behaviors>

        <maecBundle:Actions>
          <maecBundle:Action id="maec-tst-act-1">
            <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key value</cybox:Name>
              <cybox:Associated_Objects>
                <cybox:Associated_Object id="maec-tst-obj-2">
                  <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
                    <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
                    <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
                    <WinRegistryKeyObj:Values>
                      <WinRegistryKeyObj:Value>
                        <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
                        <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
                      </WinRegistryKeyObj:Value>
                    </WinRegistryKeyObj:Values>
                  </cybox:Properties>
                </cybox:Associated_Object>
              </cybox:Associated_Objects>
          </maecBundle:Action>
        </maecBundle:Actions>
      </maecPackage:Bundle>
    </maecPackage:Findings_Bundles>
  </maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>

After - MAEC v5.0

The following represents an example of the same Malware Subject as above, assuming that this set of proposed changes and related proposals is implemented (i.e., as of MAEC v5.0).

<maecPackage:Objects>
  <maecPackage:Object id="maec-tst-obj-1">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
    </cybox:Properties>
  </maecPackage:Object>
  <maecPackage:Object id="maec-tst-obj-2">
    <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
      <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
      <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
      <WinRegistryKeyObj:Values>
        <WinRegistryKeyObj:Value>
          <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
          <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
        </WinRegistryKeyObj:Value>
      </WinRegistryKeyObj:Values>
    </cybox:Properties>
  </maecPackage:Object> 
</maecPackage:Objects>

<maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="maec-test-sub-1">
    <maecPackage:Instance_Object object_idref="maec-tst-obj-1"/>

    <maecPackage:Analysis id="maec-tst-ana-1" method="static" type="in-depth">
      <maecPackage:Discovered_Entities>
        <maecPackage:Entity_Reference entity_idref="maec-tst-cpb-1"/>
        <maecPackage:Entity_Reference entity_idref="maec-tst-bhv-1"/>
        <maecPackage:Entity_Reference entity_idref="maec-tst-act-1"/>  
      </maecPackage:Discovered_Entities>
    </maecPackage:Analysis>

    <maecCore:Capabilities>
      <maecCore:Capability id="maec-tst-cpb-1" name="persistence"/>
    </maecCore:Capabilities>

  <maecCore:Behaviors>
    <maecCore:Behavior id="maec-tst-bhv-1">
      <maecCore:Description>System Reboot Persistence via Registry Startup</maecCore:Description>
      <maecCore:Action_Composition>
        <maecCore:Action_Reference action_id="maec-tst-act-1"/>
      </maecCore:Action_Composition>
    </maecCore:Behavior>
  </maecCore:Behaviors>

    <maecCore:Actions>
      <maecCore:Action id="maec-tst-act-1" name="create registry key value">
        <maecCore:Associated_Object_Reference object_idref="maec-tst-obj-2"/>
      </maecCore:Action>
    </maecCore:Actions>
  </maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

1. Does it make sense to deprecate the MAEC Bundle as an output format? Are there any use cases that we're missing that would require the use of the Bundle?
2. Does it make sense to deprecate the concept of the MAEC Bundle, and accordingly rename the MAEC Bundle schema to "MAEC Core"?
3. Do the corresponding schema changes associated with 1. and 2. make sense?