Proposal: Add Ability to Capture Common Malware Family Names

Status: Open
Comment Period Closes: July 28th, 2015
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/88

Background Information

The ability to capture the name and associated family of a malware instance can be useful for correlation, attribution, as well as providing a sense of what the purpose of the malware is. As such, we believe that MAEC should support the ability to capture this information.

Proposal

We propose the expansion of the existing MalwareSubjectType in the MAEC Package schema with the following fields, for the capture of malware instance and family names:

Field	Type	Multiplicity	Description
Malware_Instance_Name	`NameType`	0-1	The Malware_Instance_Name field captures the name of the malware instance that is characterized by the Malware Subject. This name is assigned by the producer of the document, and may come from various sources, including from an analyst or as reported by a tool (e.g., an AV classification tool).
Malware_Family_Name	`NameType`	0-1	The Malware_Family_Name field captures the name of the malware family to which the malware instance characterized by the Malware Subject belongs to. This name is assigned by the producer of the document, and may come from various sources, including from an analyst or as reported by a tool (e.g., an AV classification tool).
Malware_Aliases	`MalwareAliasesType`	0-1	The Malware_Aliases field captures any aliases for the malware instance name or malware family name associated with the Malware Subject, as reported by sources other than the producer of the MAEC document.

We propose that the new NameType will extend the xs:string base type with the following fields:

Field	Type	Multiplicity	Description
confidence	`ConfidenceMeasureEnum`	0-1	The confidence field specifies the relative confidence in the accuracy of the assigned malware instance or malware family name.

Accordingly, the ConfidenceMeasureEnum represents an enumeration of relative confidence measures, and aligns with the values in the HighMediumLow Vocabulary from STIX:

Value	Description
Low	A low relative measure of confidence.
Medium	A medium relative measure of confidence.
High	A high relative measure of confidence.
None	No measure of confidence.
Unknown	An unknown measure of confidence.

Finally, the new MalwareAliasesType will serve to capture any aliases for the malware instance name or malware family name provided by the MAEC document producer, and thus be a useful means of correlating between different names. Accordingly, it will have the following fields:

Field	Type	Multiplicity	Description
Malware_Alias	`AliasNameType`	0-N	The Malware_Alias field captures a single alias for the malware instance name or malware family name provided by the MAEC document producer.

Similar to the NameType, the new AliasNameType will extend the xs:string base type with the following fields:

Field	Type	Multiplicity	Description
@source	`xs:string`	0-1	The source field captures the source of the malware alias, if known. It can be used to refer to the name of organization or entity from which the alias originates.

Example

<Malware_Subject>
    <Malware_Instance_Name confidence="Medium">CryptoLocker.B</Malware_Instance_Name>
    <Malware_Family_Name confidence="High">CryptoLocker</Malware_Instance_Name>
    <Malware_Aliases>
      <Malware_Alias @source="Trend Micro">WORM_CRILOCK.A</Malware_Alias>
    </Malware_Aliases>
</Malware_Subject>

Impact

There is no expected compatibility impact.

Requested Feedback

Does it make sense to add such a capability to MAEC?
Do the defined types, their child properties, their datatypes, and their annotations makes sense? Should they be changed in any way?
Does it make sense to capture malware aliases in this way, as a single field?
Does it make sense to assign a relative measure of confidence to malware instance and malware family names? Accordingly, do the values in the ConfidenceMeasureEnum make sense?

Proposal: Add Ability to Capture Common Malware Family Names

Background Information

Proposal

Example

Impact

Requested Feedback

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!