
Proposal: Rename Malware_Instance_Object_Attributes Field

Ivan Kirillov edited this page Jul 29, 2015 · 17 revisions

Status: CLOSED
Comment Period Closes: July 28th, 2015
Affects Backwards Compatibility: Yes
Relevant Issue: https://github.com/MAECProject/schemas/issues/73

Proposal

We propose to rename the Malware_Instance_Object_Attributes field to Instance_Object. This new name seems appropriate both because it refers to a malware "instance" and because it provides additional context that this field is intended to refer to a CybOX Object whose properties identify the malware instance being characterized.

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Instance_Object | cybox:ObjectType | 0-1 | The Instance_Object field characterizes the properties of the CybOX Object (most commonly a File Object) that represents the malware instance whose Capabilities, Behaviors, Actions, Objects, and Process Tree are characterized in a Malware Subject of a MAEC Package. |

Example

<maecPackage:Malware_Subject>
  <maecPackage:Instance_Object>
    <cybox:Description>Red October Downloader</cybox:Description>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>c3b0d1403ba35c3aba8f4529f43fb300</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </maecPackage:Instance_Object>
...
</maecPackage:Malware_Subject>

Impact

This change will not be backward compatible and is one of several revisions planned in a new major version.
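
A migration step for documents written with the old field name, as an added example that is not part of the original proposal or the MAEC project's code. The helper names and the placeholder namespace URIs in the sample are assumptions; the code matches on local element names and enforces the 0-1 multiplicity given in the field table.

```python
import xml.etree.ElementTree as ET

OLD_NAME = "Malware_Instance_Object_Attributes"  # field name before the rename
NEW_NAME = "Instance_Object"                     # field name proposed on this page

# Constructed sample; the namespace URIs are placeholders, not the real MAEC/CybOX ones.
SAMPLE = """\
<maecPackage:Malware_Subject xmlns:maecPackage="urn:example:maec-package"
                             xmlns:cybox="urn:example:cybox">
  <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Description>Red October Downloader</cybox:Description>
  </maecPackage:Malware_Instance_Object_Attributes>
</maecPackage:Malware_Subject>
"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def migrate(root):
    """Rename the old field in place under every Malware_Subject; return the count."""
    renamed = 0
    for subject in root.iter():
        ns, local = split_tag(subject.tag)
        if local != "Malware_Subject":
            continue
        children = [(c, split_tag(c.tag)) for c in subject]
        old = [c for c, (cns, cl) in children if cns == ns and cl == OLD_NAME]
        new = [c for c, (cns, cl) in children if cns == ns and cl == NEW_NAME]
        # The field has multiplicity 0-1, so refuse to create a second one.
        if len(old) + len(new) > 1:
            raise ValueError("Malware_Subject would hold more than one instance object")
        for child in old:
            child.tag = "{%s}%s" % (ns, NEW_NAME) if ns else NEW_NAME
            renamed += 1
    return renamed


def migrate_xml(text):
    """Parse a document, migrate it, and return (serialized XML, rename count)."""
    root = ET.fromstring(text)
    count = migrate(root)
    return ET.tostring(root, encoding="unicode"), count
```

ElementTree rewrites prefixes on output and only declares namespaces used in element or attribute names, so a prefix that appears solely inside an `xsi:type` value (as `WinExecutableFileObj` does in the example above) loses its declaration. For real packages, apply `migrate` to the parsed tree and serialize with a tool that preserves the original namespace declarations.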

Requested Feedback

  1. Does it make sense to make this field name change in MAEC?
  2. Does the proposed name make sense? Are there preferable alternatives?