Proposal: Add Ability to Capture Common Malware Family Names
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/88
The ability to capture the name and associated family of a malware instance is useful for correlation and attribution, and it gives a sense of what the malware's purpose is. As such, MAEC should support capturing this information.
We propose the expansion of the existing MalwareSubjectType with the following fields, for the capture of malware instance and family names:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Malware_Instance_Name | NameType | 0-N | The Malware_Instance_Name field captures the name of the malware instance that is characterized by the Malware Subject. This can be one that is assigned by an analyst or reported from a tool (e.g., an AV classification tool). Multiple such names can be captured through the use of multiple instances of this field. |
| Malware_Family_Name | NameType | 0-N | The Malware_Family_Name field captures the name of the malware family to which the malware instance characterized by the Malware Subject belongs. This can be one that is assigned by an analyst or reported from a tool (e.g., an AV classification tool). Multiple such names can be captured through the use of multiple instances of this field. |
We propose that the new NameType will extend the xs:string base type with the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| confidence | ConfidenceMeasureEnum | 0-1 | The confidence field specifies the relative confidence in the accuracy of the assigned malware instance or malware family name. |
Accordingly, the ConfidenceMeasureEnum represents an enumeration of relative confidence measures:
| Value | Description |
|---|---|
| low | A low relative measure of confidence. |
| medium | A medium relative measure of confidence. |
| high | A high relative measure of confidence. |
There is no expected compatibility impact.
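As an added example (not code from the proposal or from the MAEC project), the following Python shows how a consumer would read the proposed fields from a Malware_Subject fragment: every Malware_Instance_Name and Malware_Family_Name occurrence is collected (multiplicity 0-N), the optional confidence attribute is checked against ConfidenceMeasureEnum, and the highest-confidence name is selected for correlation. The namespace URI, the maecPackage prefix, and the sample names are assumptions constructed for this example; only the element names, the attribute name, and the enum values come from the proposal above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Namespace URI and prefix are assumed for this example (MAEC 4.x package
# namespace); only the element/attribute names come from the proposal.
MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"
NS = {"maecPackage": MAEC_NS}

# ConfidenceMeasureEnum values from the proposal, ranked for comparison.
# A name with no confidence attribute is treated as rank 0 (unstated).
CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}

Name = Tuple[str, Optional[str]]  # (name text, confidence or None)

# Constructed sample Malware_Subject; the names are made up, not real detections.
SAMPLE_XML = f"""<maecPackage:Malware_Subject xmlns:maecPackage="{MAEC_NS}">
  <maecPackage:Malware_Instance_Name confidence="medium">Sample.Example.A</maecPackage:Malware_Instance_Name>
  <maecPackage:Malware_Instance_Name>Win32.Example.B</maecPackage:Malware_Instance_Name>
  <maecPackage:Malware_Family_Name confidence="low">OtherFamily</maecPackage:Malware_Family_Name>
  <maecPackage:Malware_Family_Name confidence="high">ExampleFamily</maecPackage:Malware_Family_Name>
</maecPackage:Malware_Subject>"""

# Constructed sample whose confidence value is outside ConfidenceMeasureEnum.
BAD_XML = f"""<maecPackage:Malware_Subject xmlns:maecPackage="{MAEC_NS}">
  <maecPackage:Malware_Family_Name confidence="certain">ExampleFamily</maecPackage:Malware_Family_Name>
</maecPackage:Malware_Subject>"""


def _read_names(subject: ET.Element, tag: str) -> List[Name]:
    """Collect every occurrence of a NameType element (multiplicity 0-N)."""
    names: List[Name] = []
    for el in subject.findall(f"maecPackage:{tag}", NS):
        text = (el.text or "").strip()
        if not text:
            raise ValueError(f"{tag} must carry a non-empty name")
        confidence = el.get("confidence")  # optional, multiplicity 0-1
        if confidence is not None and confidence not in CONFIDENCE_RANK:
            raise ValueError(
                f"{tag} confidence {confidence!r} is not a ConfidenceMeasureEnum value"
            )
        names.append((text, confidence))
    return names


def parse_names(xml_text: str) -> Dict[str, List[Name]]:
    """Parse a Malware_Subject fragment into its instance and family names."""
    root = ET.fromstring(xml_text)
    return {
        "instance": _read_names(root, "Malware_Instance_Name"),
        "family": _read_names(root, "Malware_Family_Name"),
    }


def best_name(names: List[Name]) -> Optional[str]:
    """Pick the name with the highest stated confidence; first wins on ties."""
    if not names:
        return None
    return max(names, key=lambda n: CONFIDENCE_RANK.get(n[1] or "", 0))[0]


if __name__ == "__main__":
    parsed = parse_names(SAMPLE_XML)
    print("instance names:", parsed["instance"])
    print("family names:  ", parsed["family"])
    print("best family:   ", best_name(parsed["family"]))
```

Treating a missing confidence as lower than an explicit "low" is a design choice of this example, not something the proposal specifies; a consumer that wants analyst-assigned names to outrank tool output would need a source field the proposal does not currently define.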
- Does it make sense to add such a capability to MAEC?
- Do the defined types, their child properties, and their datatypes makes sense? Should they be changed in any way?
- Does it make sense to have a multiplicity of 0-N (unbounded) for malware instance and malware family names, or should it be bounded to 1?
- Does it make sense to assign a relative measure of confidence to malware instance and malware family names? Accordingly, do the values in the ConfidenceMeasureEnum make sense?