
Proposal: Add Field to MalwareSubjectType to Capture Static Features

Ivan Kirillov edited this page Sep 30, 2015 · 13 revisions

Status: CLOSED
Comment Period Closes: September 24th, 2015
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/110

Background Information

Currently, static features of a malware instance are captured by defining Objects in a MAEC Bundle. This method has proven to be awkward and indirect.

Related Proposals

This proposal is related to the following proposed changes to the schema:

https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle

https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Objects-Top-level-Entities

Proposal

To tie static features more directly to a malware instance, we propose the addition of a Static_Features field to MalwareSubjectType:

Field: Static_Features
Type: ObjectReferenceListType
Multiplicity: 0-1
Description: The Static_Features field specifies a set of one or more Object references related to the malware instance characterized by the Malware Subject.

The Static_Features field will allow multiple, specific static analysis results to be linked to a single Malware Subject. For example, when a malware instance is analyzed, one Object could be created for the output of the PEFile tool, and a second Object could be created for the output of a string-dumping tool. Then both Objects could be referenced as static features of the malware instance (which is characterized by the Malware Subject).

Example

<Objects>
    <Object id="object_1">
        <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
            <Headers>
                <Optional_Header>
                    <Major_Linker_Version>06</Major_Linker_Version>
                    <Minor_Linker_Version>00</Minor_Linker_Version>
                    <Base_Of_Code>036418</Base_Of_Code>
                    <Subsystem>Windows_GUI</Subsystem>
                </Optional_Header>
            </Headers>
            <Type>Executable</Type>
        </Properties>
    </Object>
    <Object id="object_2">
        <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
            <Size_In_Bytes>24840</Size_In_Bytes>
            <Hashes>
                <Hash>
                    <Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</Type>
                    <Simple_Hash_Value>3d23ec8b55840b95ea75197ce9446b6d</Simple_Hash_Value>
                </Hash>
                <Hash>
                    <Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</Type>
                    <Simple_Hash_Value>272ce73adebba81983abbbf112155e463951d046</Simple_Hash_Value>
                </Hash>
            </Hashes>
        </Properties>
    </Object>
</Objects>
<Malware_Subjects>
    <Malware_Subject>
        <Static_Features>
            <Object_Reference object_id="object_1"/>
            <Object_Reference object_id="object_2"/>
        </Static_Features>
    </Malware_Subject>
</Malware_Subjects>
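Because Static_Features is a list of references rather than inline content, a consumer has to resolve each object_id back to an Object and should notice when a reference points at nothing. The following Python script is an added example, not code from the MAEC project or this proposal: it parses a document shaped like the example above, resolves every Object_Reference under Static_Features, and reports dangling ids. The sample XML is constructed here (wrapped in a hypothetical Package root element, with an extra reference to a non-existent object_3 added deliberately to show the failure case); only the xsi namespace URI is declared, since the other prefixes appear solely in attribute values.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample modelled on the proposal's example. "Package" is a
# hypothetical wrapper; object_3 is a deliberately dangling reference.
SAMPLE_XML = f"""<Package xmlns:xsi="{XSI}">
<Objects>
  <Object id="object_1">
    <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <Headers><Optional_Header>
        <Major_Linker_Version>06</Major_Linker_Version>
        <Subsystem>Windows_GUI</Subsystem>
      </Optional_Header></Headers>
      <Type>Executable</Type>
    </Properties>
  </Object>
  <Object id="object_2">
    <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <Size_In_Bytes>24840</Size_In_Bytes>
      <Hashes>
        <Hash><Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</Type>
          <Simple_Hash_Value>3d23ec8b55840b95ea75197ce9446b6d</Simple_Hash_Value></Hash>
        <Hash><Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</Type>
          <Simple_Hash_Value>272ce73adebba81983abbbf112155e463951d046</Simple_Hash_Value></Hash>
      </Hashes>
    </Properties>
  </Object>
</Objects>
<Malware_Subjects>
  <Malware_Subject>
    <Static_Features>
      <Object_Reference object_id="object_1"/>
      <Object_Reference object_id="object_2"/>
      <Object_Reference object_id="object_3"/>
    </Static_Features>
  </Malware_Subject>
</Malware_Subjects>
</Package>"""


def index_objects(root):
    """Map every Object id in the document to its element."""
    return {obj.get("id"): obj for obj in root.iter("Object") if obj.get("id")}


def resolve_static_features(root):
    """Resolve Static_Features references for each Malware_Subject.

    Returns (resolved, dangling): resolved is one list of Object elements per
    Malware_Subject; dangling lists object_ids with no matching Object.
    """
    objects = index_objects(root)
    resolved, dangling = [], []
    for subject in root.iter("Malware_Subject"):
        feats = []
        for ref in subject.iterfind("./Static_Features/Object_Reference"):
            oid = ref.get("object_id")
            if oid in objects:
                feats.append(objects[oid])
            else:
                dangling.append(oid)
        resolved.append(feats)
    return resolved, dangling


def summarize_object(obj):
    """Extract the analyst-relevant parts of an Object: xsi:type, size, hashes."""
    props = obj.find("Properties")
    summary = {"id": obj.get("id"), "type": None, "hashes": {}}
    if props is None:
        return summary
    summary["type"] = props.get(f"{{{XSI}}}type")
    size = props.findtext("Size_In_Bytes")
    if size is not None:
        summary["size"] = int(size)
    for h in props.iterfind("./Hashes/Hash"):
        htype, hval = h.findtext("Type"), h.findtext("Simple_Hash_Value")
        if htype and hval:
            summary["hashes"][htype] = hval
    return summary


def analyze(xml_text):
    """Parse a document and return per-subject summaries plus dangling ids."""
    root = ET.fromstring(xml_text)
    resolved, dangling = resolve_static_features(root)
    return {"subjects": [[summarize_object(o) for o in feats] for feats in resolved],
            "dangling": dangling}


if __name__ == "__main__":
    result = analyze(SAMPLE_XML)
    for i, feats in enumerate(result["subjects"]):
        print(f"Malware_Subject #{i}: {len(feats)} static feature object(s)")
        for s in feats:
            print("  ", s)
    if result["dangling"]:
        print("Dangling Object_Reference ids:", result["dangling"])
```

Run as a script, it lists the two resolved feature Objects (the second carrying the MD5 and SHA1 values) and flags object_3 as unresolved; a producer-side validator would treat any non-empty dangling list as a schema-consistency error before publishing the package.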

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

  1. Should static features of a malware instance be captured in a Malware Subject field?
  2. Are there preferable ways to easily capture static features?