Proposal: Add Field to MalwareSubjectType to Capture Static Features

Desiree Beck edited this page May 2, 2015 · 13 revisions

Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/MAECProject/schemas/issues/109

Background Information

Currently, static features of a malware instance are captured by defining Objects in a MAEC Bundle. This method has proven to be awkward and indirect.

Related Proposals

This proposal is related to the following proposed changes to the schema:

https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle

https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Objects-Top-level-Entities

Proposal

We propose the addition of a Static_Features field to MalwareSubjectType:

Field: Static_Features
Type: Boolean
Multiplicity: 0-1
Description: The Detected field specifies whether or not the AV tool specified in AVClassificationType has detected the malware instance that is characterized by the Malware Subject.

While the presence of the Classification_Name field implies that the AV tool has detected the malware instance, the Detected field makes that fact explicit. In addition, the field aligns well with the VirusTotal API output, which includes a detected flag.

Example

<Objects>
    <Object id="object_1">
       <Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
         <WinExecFileObj:Headers>
           <WinExecFileObj:Optional_Header>
             <WinExecFileObj:Major_Linker_Version>06</WinExecFileObj:Major_Linker_Version>
             <WinExecFileObj:Minor_Linker_Version>00</WinExecFileObj:Minor_Linker_Version>
             <WinExecFileObj:Base_Of_Code>036418</WinExecFileObj:Base_Of_Code>
             <WinExecFileObj:Subsystem>Windows_GUI</WinExecFileObj:Subsystem>
           </WinExecFileObj:Optional_Header>
         </WinExecFileObj:Headers>
         <WinExecFileObj:Type>Executable</WinExecFileObj:Type>
       </Properties>
    </Object>
    <Object id="object_2">
       <Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
          ...
       </Properties>
    </Object>
</Objects>
<Malware_Subjects>
    <Malware_Subject>
        <Static_Features>
           <Object_Reference object_id="object_1"/>
           <Object_Reference object_id="object_2"/>
        </Static_Features>
    </Malware_Subject>
</Malware_Subjects>
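A consumer of the proposed structure has to resolve each Object_Reference in Static_Features back to an Object declared elsewhere, and a reference that points at no declared Object is a document error rather than a static feature. The following added example (not part of the proposal or the MAEC project code) does that resolution and reports dangling references; the Package wrapper, the second reference id and the namespace URIs are constructed stand-ins so the fragment parses offline.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the proposal's example. The <Package> wrapper,
# the unresolved "object_99" reference and the namespace URIs are placeholders
# (assumptions), not the real MAEC/CybOX namespaces.
WINEXEC_NS = "urn:example:WinExecFileObj"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SAMPLE = f"""<Package xmlns:WinExecFileObj="{WINEXEC_NS}" xmlns:xsi="{XSI_NS}">
  <Objects>
    <Object id="object_1">
      <Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
        <WinExecFileObj:Headers>
          <WinExecFileObj:Optional_Header>
            <WinExecFileObj:Major_Linker_Version>06</WinExecFileObj:Major_Linker_Version>
            <WinExecFileObj:Subsystem>Windows_GUI</WinExecFileObj:Subsystem>
          </WinExecFileObj:Optional_Header>
        </WinExecFileObj:Headers>
        <WinExecFileObj:Type>Executable</WinExecFileObj:Type>
      </Properties>
    </Object>
  </Objects>
  <Malware_Subjects>
    <Malware_Subject>
      <Static_Features>
        <Object_Reference object_id="object_1"/>
        <Object_Reference object_id="object_99"/>
      </Static_Features>
    </Malware_Subject>
  </Malware_Subjects>
</Package>"""


def resolve_static_features(xml_text):
    """Return (features, dangling). features maps each referenced Object id to a
    {local element name: text} dict of its leaf properties; dangling lists ids
    referenced from Static_Features that no <Object> in the document declares."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o for o in root.iter("Object") if o.get("id")}
    features, dangling = {}, []
    for block in root.iter("Static_Features"):
        for ref in block.findall("Object_Reference"):
            oid = ref.get("object_id")
            obj = objects.get(oid)
            if obj is None:
                dangling.append(oid)  # reference to an undeclared Object
                continue
            props = obj.find("Properties")
            # Flatten leaf elements under Properties, stripping the namespace URI.
            features[oid] = {el.tag.split("}")[-1]: el.text.strip()
                             for el in props.iter()
                             if el is not props and len(el) == 0 and el.text}
    return features, dangling
```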

Impact

The flag is optional, so there is no expected compatibility impact.

Requested Feedback

  1. Does it make sense to add an explicit detected field?
