
Add "Static_Features" field to Malware Subject for capturing static features of a malware instance #110

Closed
ikiril01 opened this issue Apr 8, 2015 · 4 comments

Comments

@ikiril01
Member

ikiril01 commented Apr 8, 2015

Capturing static features of a malware instance has always been rather awkward and indirect via the Bundle/Objects approach. As such, given the changes proposed in #104 and #108, we should consider adding a "Static_Features" field directly on the Malware_Subject, used for capturing any PE header information, strings, etc. that were found for the malware instance, through the use of Object_References.

Thus, it would look something like:

<Objects>
    <Object id="object_1">
       <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
          ...
       </Properties>
    </Object>
</Objects>
<Malware_Subjects>
    <Malware_Subject>
        <Static_Features>
           <Object_Reference object_id="object_1"/>
        </Static_Features>
    </Malware_Subject>
</Malware_Subjects>
@gtback
Contributor

gtback commented Apr 8, 2015

How is this different than:

<Objects>
  <Object id="object_1">
    <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      ...
    </Properties>
  </Object>
</Objects>
<Malware_Subjects>
  <Malware_Subject>
    <Malware_Instance_Object_Attributes idref="object_1"/>
  </Malware_Subject>
</Malware_Subjects>

@ikiril01
Member Author

ikiril01 commented Apr 9, 2015

@gtback the main difference is that it allows you to granularly link the results of a particular static analysis to its output. E.g., for a PEFile dump you could just create a single Object, same for a strings analysis, etc. It also allows you to continuously add this data as further static analyses are performed. Having all of it live under the Malware_Instance_Object_Attributes, while cleaner and less verbose, makes this much more difficult to do.

@gtback
Contributor

gtback commented Apr 13, 2015

Are you saying there could be more than one Object_Reference inside Static_Features (or more than one Static_Features)? If so, then this makes more sense.

@ikiril01
Member Author

@gtback yup (to the former)! My thought was that multiple Object_Reference fields can exist inside of the Static_Features, each referencing some particular static finding:

        <Static_Features>
           <Object_Reference object_id="object_1"/>
           <Object_Reference object_id="object_2"/>
            ...
        </Static_Features>
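A consumer of the structure proposed in this thread has to resolve each Object_Reference under Static_Features back to its Object and notice when an id is dangling or ambiguous. The following is an added example, not MAEC project code: the sample document is constructed to match the layout above, and the package root element, the second object's xsi:type and the "object_missing" id are assumptions.

```python
"""Resolve Static_Features Object_References in a MAEC-style document."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample (not from the issue): two static-analysis results, each
# its own Object, plus one reference to an id that does not exist so the
# dangling-reference path is exercised. Root element name is assumed.
SAMPLE = """<MAEC_Package xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Objects>
    <Object id="object_1">
      <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType"/>
    </Object>
    <Object id="object_2">
      <Properties xsi:type="FileObj:FileObjectType"/>
    </Object>
  </Objects>
  <Malware_Subjects>
    <Malware_Subject>
      <Static_Features>
        <Object_Reference object_id="object_1"/>
        <Object_Reference object_id="object_2"/>
        <Object_Reference object_id="object_missing"/>
      </Static_Features>
    </Malware_Subject>
  </Malware_Subjects>
</MAEC_Package>"""


def resolve_static_features(xml_text):
    """Return (resolved, dangling).

    resolved maps each referenced object_id to the xsi:type of its Properties;
    dangling lists object_ids with no matching Object. A duplicate Object id
    raises, because an idref lookup against it would be ambiguous.
    """
    root = ET.fromstring(xml_text)
    index = {}
    for obj in root.iter("Object"):
        oid = obj.get("id")
        if oid in index:
            raise ValueError("duplicate Object id: %s" % oid)
        index[oid] = obj
    resolved, dangling = {}, []
    for features in root.iter("Static_Features"):
        for ref in features.findall("Object_Reference"):
            oid = ref.get("object_id")
            obj = index.get(oid)
            if obj is None:
                dangling.append(oid)
                continue
            props = obj.find("Properties")
            resolved[oid] = props.get(XSI_TYPE) if props is not None else None
    return resolved, dangling
```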
