Proposal: Add Field to MalwareSubjectType to Capture Static Features
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/109
Currently, static features of a malware instance are captured by defining Objects in a MAEC Bundle. This method has proven to be awkward and indirect.
This proposal is related to the following proposed changes to the schema:
- https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle
- https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Objects-Top-level-Entities
We propose the addition of a Static_Features field to MalwareSubjectType:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Static_Features | Boolean | 0-1 | The Detected field specifies whether or not the AV tool specified in AVClassificationType has detected the malware instance that is characterized by the Malware Subject. |
While the presence of the Classification_Name field already implies that the AV tool has detected the malware instance, the Detected field makes that fact explicit. In addition, the field aligns well with the VirusTotal API output, which includes a detected flag.
```xml
<Objects>
    <Object id="object_1">
        <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
            <Headers>
                <Optional_Header>
                    <Major_Linker_Version>06</Major_Linker_Version>
                    <Minor_Linker_Version>00</Minor_Linker_Version>
                    <Base_Of_Code>036418</Base_Of_Code>
                    <Subsystem>Windows_GUI</Subsystem>
                </Optional_Header>
            </Headers>
            <Type>Executable</Type>
        </Properties>
    </Object>
    <Object id="object_2">
        <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
            <Size_In_Bytes>24840</Size_In_Bytes>
            <Hashes>
                <Hash>
                    <Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</Type>
                    <Simple_Hash_Value>3d23ec8b55840b95ea75197ce9446b6d</Simple_Hash_Value>
                </Hash>
                <Hash>
                    <Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</Type>
                    <Simple_Hash_Value>272ce73adebba81983abbbf112155e463951d046</Simple_Hash_Value>
                </Hash>
            </Hashes>
        </Properties>
    </Object>
</Objects>
<Malware_Subjects>
    <Malware_Subject>
        <Static_Features>
            <Object_Reference object_id="object_1"/>
            <Object_Reference object_id="object_2"/>
        </Static_Features>
    </Malware_Subject>
</Malware_Subjects>
```

The field is optional, so there is no expected compatibility impact.
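To show what a consumer of the proposed field has to do, here is an added Python example (it is not part of this proposal and not code from the python-maec library) that resolves the Object_Reference entries under Static_Features against the top-level Objects, reports references that point to no Object, and checks each hash value against the digest length its declared type implies. The sample document is the fragment above wrapped in a hypothetical Proposal_Sample root, constructed only so that it parses as one document, plus one deliberately dangling reference (object_missing) to exercise the error path.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Hex digest length per hash name (standard digest sizes; the table is ours).
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# Constructed sample: the proposal's fragment under a hypothetical root element
# (Proposal_Sample) so it parses as one document; the xsi prefix is declared so
# the xsi:type attributes are legal. object_missing is a deliberate bad reference.
SAMPLE = """<Proposal_Sample xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Objects>
  <Object id="object_1">
    <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <Headers><Optional_Header>
        <Major_Linker_Version>06</Major_Linker_Version>
        <Minor_Linker_Version>00</Minor_Linker_Version>
        <Base_Of_Code>036418</Base_Of_Code>
        <Subsystem>Windows_GUI</Subsystem>
      </Optional_Header></Headers>
      <Type>Executable</Type>
    </Properties>
  </Object>
  <Object id="object_2">
    <Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <Size_In_Bytes>24840</Size_In_Bytes>
      <Hashes>
        <Hash><Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</Type>
          <Simple_Hash_Value>3d23ec8b55840b95ea75197ce9446b6d</Simple_Hash_Value></Hash>
        <Hash><Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</Type>
          <Simple_Hash_Value>272ce73adebba81983abbbf112155e463951d046</Simple_Hash_Value></Hash>
      </Hashes>
    </Properties>
  </Object>
</Objects>
<Malware_Subjects>
  <Malware_Subject>
    <Static_Features>
      <Object_Reference object_id="object_1"/>
      <Object_Reference object_id="object_2"/>
      <Object_Reference object_id="object_missing"/>
    </Static_Features>
  </Malware_Subject>
</Malware_Subjects>
</Proposal_Sample>"""


def _object_index(root):
    """Map every Object id in the document to its element."""
    return {o.get("id"): o for o in root.iter("Object") if o.get("id")}


def _summarise(obj):
    """Pull the static features an analyst usually wants out of one Object."""
    props = obj.find("Properties")
    summary = {"id": obj.get("id"),
               "xsi_type": props.get(XSI_TYPE) if props is not None else None,
               "hashes": {}}
    for h in obj.iter("Hash"):          # only Hash elements, not Properties/Type
        name, value = h.findtext("Type"), h.findtext("Simple_Hash_Value")
        if name and value:
            summary["hashes"][name.strip()] = value.strip().lower()
    size = obj.findtext(".//Size_In_Bytes")
    if size:
        summary["size"] = int(size)
    subsystem = obj.findtext(".//Subsystem")
    if subsystem:
        summary["subsystem"] = subsystem
    return summary


def resolve_static_features(xml_text):
    """Resolve every Static_Features/Object_Reference of every Malware_Subject.

    Returns (resolved, dangling): resolved lists object summaries in reference
    order; dangling lists object_id values that match no Object in the document.
    """
    root = ET.fromstring(xml_text)
    objects = _object_index(root)
    resolved, dangling = [], []
    for subject in root.iter("Malware_Subject"):
        features = subject.find("Static_Features")
        if features is None:
            continue                    # the field is optional; absence is fine
        for ref in features.findall("Object_Reference"):
            oid = ref.get("object_id")
            obj = objects.get(oid)
            if obj is None:
                dangling.append(oid)
            else:
                resolved.append(_summarise(obj))
    return resolved, dangling


def hash_format_problems(summaries):
    """Report hash values whose length or alphabet contradicts their declared type."""
    problems = []
    for s in summaries:
        for name, value in s["hashes"].items():
            expected = HASH_HEX_LEN.get(name)
            if expected is None:
                continue                # unknown hash name: nothing to check against
            if len(value) != expected or not re.fullmatch(r"[0-9a-f]+", value):
                problems.append((s["id"], name, value))
    return problems


if __name__ == "__main__":
    found, missing = resolve_static_features(SAMPLE)
    for s in found:
        print(s)
    print("dangling references:", missing)
    print("hash format problems:", hash_format_problems(found))
```

Two points carry over to a real consumer: a dangling Object_Reference must be surfaced rather than silently skipped, because a subject whose static features cannot be resolved is indistinguishable from one that has none; and MAEC documents received from outside the organization should be parsed with defusedxml (its defusedxml.ElementTree.fromstring is a drop-in for the call used above) rather than the bare standard-library parser.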
- Does it make sense to add an explicit detected field?