-
Notifications
You must be signed in to change notification settings - Fork 16
Proposal: Add Ability to Capture Common Malware Family Names
Status: CLOSED
Comment Period Closes: July 28th, 2015
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/88
The ability to capture the name and associated family of a malware instance can be useful for correlation, attribution, as well as providing a sense of what the purpose of the malware is. As such, we believe that MAEC should support the ability to capture this information.
We propose the expansion of the existing MalwareSubjectType in the MAEC Package schema with the following fields, for the capture of malware instance and family names:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Malware_Name | MalwareNameType |
0-1 | The Malware_Name field captures the name of the malware instance characterized by the Malware Subject and also the malware family that it belongs to. These names are assigned by the producer of the MAEC document, and may come from various sources, including from an analyst or as reported by a tool (e.g., an AV classification tool). |
| Malware_Aliases | MalwareAliasesType |
0-1 | The Malware_Aliases field captures any aliases for the malware instance name or malware family name associated with the Malware Subject, as reported by sources other than the producer of the MAEC document. |
We propose that the new MalwareNameType, defined in the MAEC Package schema, will have the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Malware_Instance_Name | NameConfidenceType |
0-1 | The Malware_Instance_Name field captures the name of the malware instance that is characterized by the Malware Subject. |
| Malware_Family_Name | NameConfidenceType |
0-1 | The Malware_Family_Name field captures the name of the malware family to which the malware instance characterized by the Malware Subject belongs to. |
| Source | maecPackage:SourceType |
0-1 | The Source field specifies the source of the malware instance and family names captured, respectively, in the Malware_Instance_Name and Malware_Family_Name fields. |
Accordingly, we propose that the new NameConfidenceType, defined in the MAEC Package schema and used in the MalwareNameType will extend the xs:string base type with the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| confidence | ConfidenceMeasureEnum |
0-1 | The confidence field specifies the relative confidence in the accuracy of the assigned malware instance or malware family name. |
Accordingly, the ConfidenceMeasureEnum represents an enumeration of relative confidence measures, and aligns with the values in the HighMediumLow Vocabulary from STIX:
| Value | Description |
|---|---|
| Low | A low relative measure of confidence. |
| Medium | A medium relative measure of confidence. |
| High | A high relative measure of confidence. |
| None | No measure of confidence. |
| Unknown | An unknown measure of confidence. |
Finally, the new MalwareAliasesType, defined in the MAEC Package schema, will serve to capture any aliases for the malware instance name or malware family name provided by the MAEC document producer, and thus be a useful means of correlating between different names. For compatibility with the existing name structure found in the Malware_Name field and efficient use of types, it will also make use of the new MalwareNameType. Accordingly, it will have the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Malware_Alias | MalwareNameType |
0-N | The Malware_Alias field captures a single alias for the malware instance name or malware family name (captured in the Malware_Name field) provided by the MAEC document producer. |
<Malware_Subject>
<Malware_Name>
<Malware_Instance_Name confidence=”Medium”>CryptoLocker.B</Malware_Instance_Name>
<Malware_Family_Name confidence=”High”>CryptoLocker</Malware_Family_Name>
</Malware_Name>
<Malware Aliases>
<Malware_Alias>
<Malware_Instance_Name>WORM_CRILOCK.A</Malware_Instance_Name>
<Source>Trend Micro</Source>
</Malware_Alias>
</Malware_Aliases>
</Malware_Subject>There is no expected compatibility impact.
- Does it make sense to add such a capability to MAEC?
- Do the defined types, their child properties, their datatypes, and their annotations makes sense? Should they be changed in any way?
- Does it make sense to capture malware aliases in this way, as a single field?
- Does it make sense to assign a relative measure of confidence to malware instance and malware family names? Accordingly, do the values in the
ConfidenceMeasureEnummake sense?