Proposal: Deprecate MAEC Bundle (as a concept and output format)
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/104
The MAEC Bundle was the original MAEC output format, and still exists as of v4.1 as a container for purely analysis-derived results relating to the analysis of a malware instance. However, given that the MAEC Package is used almost exclusively today as the de-facto container for MAEC data, it's probably worth considering deprecating the MAEC Bundle as a separate output format. This would simplify the MAEC Bundle by removing certain fields intended for use only when the Bundle was used by itself, and also generally simplify the usage of MAEC by having only a single supported output format.
Accordingly, the second aspect of this proposal is to likewise deprecate the concept of the MAEC Bundle (i.e. as a "Findings_Bundle" on a Malware Subject). Based on comments we've received and our own consensus, we feel that the concept of the Bundle may be an unnecessary layer of abstraction on top of the analysis-derived data that a Bundle contains. Instead, for the sake of simplicity and ease-of-use, it would be useful to promote the data currently contained in a Bundle directly to the Malware Subject level.
Note that these changes do not mean that the core MAEC datatypes (e.g., the MalwareActionType and CapabilityType) currently defined in the MAEC Bundle would be deprecated; rather, it simply means that the Bundle would no longer exist as a concept and corresponding MAEC output format.
This proposal is related to the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Container
There are two key components to this proposal - the deprecation of the MAEC Bundle as an output format, and the deprecation of the concept of the MAEC Bundle.
Because there is no strong use case for the MAEC Bundle as a separate output format, we propose simplifying MAEC by deprecating it as an output format (we have also proposed that the MAEC Container be deprecated in the same way). As a result, the MAEC Package would be the only MAEC output format.
This deprecation would simply involve removing the MAEC_Bundle top-level element from the MAEC Bundle schema.
The deprecation of the concept of the MAEC Bundle is more involved and revolves around a number of changes to both the MAEC Package and MAEC Bundle schemas.
The changes to the MAEC Bundle schema would be the following:
- The MAEC Bundle schema would be renamed to "MAEC Core" and accordingly its filename would be changed to "maec_core_schema.xsd".
- The namespace used by the MAEC Core schema would become http://maec.mitre.org/XMLSchema/maec-core-1.
- The version number used by the MAEC Core schema would become 1.0, since this would be the first release of this schema.
- All Bundle-related types in the schema would be deprecated, including the following: BundleType, BundleReferenceType, BundleContentTypeEnum.
The changes to the MAEC Package schema would be the following:
- The FindingsBundleListType would be deprecated.
- The corresponding changes would be made to the AnalysisType:
  - The Findings_Bundle_Reference field would be replaced with an Entity_References field of EntityReferenceListType (defined below), each entry of which is an Entity_Reference of EntityReferenceType. This will permit the Analysis to reference, more granularly and via their IDs, the MAEC entities (e.g., Objects, Actions) that it discovered.
- The corresponding changes would be made to the MalwareSubjectType:
  - The Findings_Bundles field would be deprecated. Instead, the entities previously captured in Bundles (e.g., Actions) would be attached directly to the MalwareSubjectType, as described below.
  - A new field, Capabilities, of type maecCore:CapabilityListType (equivalent to the existing maecPackage:CapabilityListType), would be added. This field permits the capture of the Capabilities associated with the Malware Subject directly at its root level.
  - A new field, Behaviors, of type maecCore:BehaviorListType (equivalent to the existing maecPackage:BehaviorListType), would be added. This field permits the capture of the Behaviors associated with the Malware Subject directly at its root level.
  - A new field, Actions, of type maecCore:ActionListType (equivalent to the existing maecPackage:ActionListType), would be added. This field permits the capture of the Actions associated with the Malware Subject directly at its root level.
  - A new field, Process_Trees, of new type maecCore:ProcessTreeListType, would be added. This field permits the capture of the Process Trees associated with the Malware Subject directly at its root level.
  - A new field, Static_Features, of new type maecCore:ObjectReferenceListType, would be added. This field permits the capture of the static features associated with the Malware Subject directly at its root level.
The new fields on the AnalysisType would be the following:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Entity_References | EntityReferenceListType | 0-1 | The Entity_References field specifies a reference to one or more existing MAEC entities in the document that represent the findings of the Analysis. |
The new fields on the MalwareSubjectType would be the following:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Capabilities | maecCore:CapabilityListType | 0-1 | The Capabilities field captures a list of Capabilities possessed by the Malware Subject. |
| Behaviors | maecCore:BehaviorListType | 0-1 | The Behaviors field captures a list of Behaviors exhibited by the Malware Subject. |
| Actions | maecCore:ActionListType | 0-1 | The Actions field captures a list of Actions observed during one or more executions of the Malware Subject. |
| Process_Trees | maecCore:ProcessTreeListType | 0-1 | The Process_Trees field captures a list of Process Trees observed during one or more executions of the Malware Subject. |
| Static_Features | maecCore:ObjectReferenceListType | 0-1 | The Static_Features field captures one or more Static Features associated with the Malware Subject. |
Accordingly, the new types in the MAEC Core schema (formerly MAEC Bundle schema) would be:
ProcessTreeListType
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Process_Tree | maecCore:ProcessTreeType | 0-1 | The Process_Tree field specifies a single process tree of execution, as recorded during an execution of the Malware Subject. |
EntityReferenceListType
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Entity_Reference | EntityReferenceType | 1-N | The Entity_Reference field specifies a reference to an existing MAEC entity in the document, via its ID. |
EntityReferenceType
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| entity_idref | xs:anyURI | 1-1 | The required entity_idref field provides a reference to an existing entity in the MAEC document, via its ID. For example, if an Action has an ID value of "action-1", setting the entity_idref field to this value would serve as a reference to this Action. |
The following represents an example of a typical Malware Subject with a Findings Bundle before this set of proposed changes (i.e., as of MAEC v4.1).

```xml
<maecPackage:Malware_Subject id="maec-test-sub-1">
  <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
    </cybox:Properties>
  </maecPackage:Malware_Instance_Object_Attributes>
  <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="maec-tst-bnd-1" defined_subject="false" schema_version="4.1">
      <maecBundle:Capabilities>
        <maecBundle:Capability id="maec-tst-cpb-1" name="persistence"/>
      </maecBundle:Capabilities>
      <maecBundle:Behaviors>
        <maecBundle:Behavior id="maec-tst-bhv-1">
          <maecBundle:Description>System Reboot Persistence via Registry Startup</maecBundle:Description>
          <maecBundle:Action_Composition>
            <maecBundle:Action_Reference action_id="maec-tst-act-1"/>
          </maecBundle:Action_Composition>
        </maecBundle:Behavior>
      </maecBundle:Behaviors>
      <maecBundle:Actions>
        <maecBundle:Action id="maec-tst-act-1">
          <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key value</cybox:Name>
          <cybox:Associated_Objects>
            <cybox:Associated_Object id="maec-tst-obj-2">
              <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
                <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
                <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
                <WinRegistryKeyObj:Values>
                  <WinRegistryKeyObj:Value>
                    <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
                    <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
                  </WinRegistryKeyObj:Value>
                </WinRegistryKeyObj:Values>
              </cybox:Properties>
            </cybox:Associated_Object>
          </cybox:Associated_Objects>
        </maecBundle:Action>
      </maecBundle:Actions>
    </maecPackage:Bundle>
  </maecPackage:Findings_Bundles>
</maecPackage:Malware_Subject>
```

The following represents an example of the same Malware Subject as above, assuming that this set of proposed changes is incorporated (i.e., as of MAEC v5.0).
```xml
<maecPackage:Malware_Subject id="maec-test-sub-1">
  <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
    </cybox:Properties>
  </maecPackage:Malware_Instance_Object_Attributes>
  <maecCore:Capabilities>
    <maecCore:Capability id="maec-tst-cpb-1" name="persistence"/>
  </maecCore:Capabilities>
  <maecCore:Behaviors>
    <maecCore:Behavior id="maec-tst-bhv-1">
      <maecCore:Description>System Reboot Persistence via Registry Startup</maecCore:Description>
      <maecCore:Action_Composition>
        <maecCore:Action_Reference action_id="maec-tst-act-1"/>
      </maecCore:Action_Composition>
    </maecCore:Behavior>
  </maecCore:Behaviors>
  <maecCore:Actions>
    <maecCore:Action id="maec-tst-act-1">
      <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key value</cybox:Name>
      <cybox:Associated_Objects>
        <cybox:Associated_Object id="maec-tst-obj-2">
          <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
            <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
            <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
            <WinRegistryKeyObj:Values>
              <WinRegistryKeyObj:Value>
                <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
                <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
              </WinRegistryKeyObj:Value>
            </WinRegistryKeyObj:Values>
          </cybox:Properties>
        </cybox:Associated_Object>
      </cybox:Associated_Objects>
    </maecCore:Action>
  </maecCore:Actions>
</maecPackage:Malware_Subject>
```

This change will not be backward compatible and is one of several revisions planned in the new major version.
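Because the change is not backward compatible, existing 4.1 documents will need to be rewritten. The Python script below is an added example, not part of this proposal or of the MAEC project's tooling: it performs the "before" to "after" transformation illustrated above (removing Findings_Bundles, hoisting each Bundle's Capabilities, Behaviors, Actions and Process_Tree to the Malware Subject under the maec-core-1 namespace, merging entries from multiple Bundles) and then checks that every action_id, and every entity_idref as defined for EntityReferenceType, resolves to an id declared in the document. The maec-core-1 namespace URI is the one given in this proposal; the MAEC 4.1 Package/Bundle and CybOX 2.1 URIs, the two-Bundle sample document, and the Root_Process element inside the sample Process_Tree are assumptions made for this example.

```python
"""Added example (not MAEC project code): hoist a MAEC 4.1 Findings_Bundles
layout to the flat Malware_Subject layout this proposal describes for 5.0,
then check that every ID reference in the result still resolves."""
import xml.etree.ElementTree as ET

# maec-core-1 is the URI the proposal gives; the 4.1 Package/Bundle and
# CybOX 2.1 URIs are assumed here so the constructed sample is self-contained.
PACKAGE_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"
BUNDLE_NS = "http://maec.mitre.org/XMLSchema/maec-bundle-4"
CORE_NS = "http://maec.mitre.org/XMLSchema/maec-core-1"
NS = {"maecPackage": PACKAGE_NS, "maecBundle": BUNDLE_NS,
      "maecCore": CORE_NS, "cybox": "http://cybox.mitre.org/cybox-2"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Root-level fields the proposal adds to MalwareSubjectType, in schema order.
HOISTED_FIELDS = ["Capabilities", "Behaviors", "Actions", "Process_Trees", "Static_Features"]

# Constructed sample modelled on the page's "before" example, cut down and given
# two Bundles so that merging is exercised. The 4.1 single-valued Process_Tree
# (with an illustrative Root_Process) is assumed; instance attributes are elided.
SAMPLE_V41 = """<maecPackage:Malware_Subject id="maec-test-sub-1" %s>
  <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1"/>
  <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="maec-tst-bnd-1" defined_subject="false" schema_version="4.1">
      <maecBundle:Capabilities><maecBundle:Capability id="maec-tst-cpb-1" name="persistence"/></maecBundle:Capabilities>
      <maecBundle:Behaviors><maecBundle:Behavior id="maec-tst-bhv-1"><maecBundle:Action_Composition>
        <maecBundle:Action_Reference action_id="maec-tst-act-1"/>
      </maecBundle:Action_Composition></maecBundle:Behavior></maecBundle:Behaviors>
      <maecBundle:Actions><maecBundle:Action id="maec-tst-act-1">
        <cybox:Name>create registry key value</cybox:Name>
      </maecBundle:Action></maecBundle:Actions>
    </maecPackage:Bundle>
    <maecPackage:Bundle id="maec-tst-bnd-2" defined_subject="false" schema_version="4.1">
      <maecBundle:Actions><maecBundle:Action id="maec-tst-act-2"><cybox:Name>create file</cybox:Name></maecBundle:Action></maecBundle:Actions>
      <maecBundle:Process_Tree><maecBundle:Root_Process id="maec-tst-proc-1"/></maecBundle:Process_Tree>
    </maecPackage:Bundle>
  </maecPackage:Findings_Bundles>
</maecPackage:Malware_Subject>""" % " ".join('xmlns:%s="%s"' % kv for kv in NS.items())


def local_name(tag):
    """Strip the {namespace} part from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _retag(elem, old_ns, new_ns):
    """Move elem and its descendants from old_ns to new_ns; other namespaces stay."""
    for e in elem.iter():
        if e.tag.startswith("{" + old_ns + "}"):
            e.tag = "{%s}%s" % (new_ns, local_name(e.tag))


def flatten_subject(subject):
    """Rewrite one Malware_Subject in place: drop Findings_Bundles and attach the
    Bundles' findings to the subject in the maecCore namespace, pooled across
    Bundles. Returns Bundle children the proposal does not cover, untouched."""
    findings = subject.find("maecPackage:Findings_Bundles", NS)
    if findings is None:
        return []
    merged, leftovers = {}, []
    for bundle in findings.findall("maecPackage:Bundle", NS):
        for child in list(bundle):
            name = local_name(child.tag)
            if name == "Process_Tree":          # 4.1 single field -> one Process_Trees entry
                _retag(child, BUNDLE_NS, CORE_NS)
                merged.setdefault("Process_Trees", []).append(child)
            elif name in HOISTED_FIELDS:         # list container: pool its entries
                _retag(child, BUNDLE_NS, CORE_NS)
                merged.setdefault(name, []).extend(list(child))
            else:
                leftovers.append(child)
    pos = list(subject).index(findings)          # keep the fields where the Bundles were
    subject.remove(findings)
    for name in HOISTED_FIELDS:                  # emit in the proposal's field order
        if name in merged:
            container = ET.Element("{%s}%s" % (CORE_NS, name))
            container.extend(merged[name])
            subject.insert(pos, container)
            pos += 1
    return leftovers


def dangling_references(root):
    """ID references (action_id today, entity_idref under the proposed
    EntityReferenceType) that no element in the document declares."""
    declared = {e.get("id") for e in root.iter() if e.get("id")}
    return [(attr, e.get(attr)) for e in root.iter()
            for attr in ("action_id", "entity_idref")
            if e.get(attr) and e.get(attr) not in declared]


def migrate(xml_text):
    """Parse, flatten every Malware_Subject, return (root, leftovers, dangling)."""
    root = ET.fromstring(xml_text)
    subjects = ([root] if local_name(root.tag) == "Malware_Subject"
                else root.findall(".//maecPackage:Malware_Subject", NS))
    leftovers = []
    for subject in subjects:
        leftovers += flatten_subject(subject)
    return root, leftovers, dangling_references(root)


if __name__ == "__main__":
    root, leftovers, dangling = migrate(SAMPLE_V41)
    print(ET.tostring(root, encoding="unicode"))
    print("not migrated:", [local_name(e.tag) for e in leftovers], "dangling:", dangling)
```

The script reports rather than silently drops Bundle content it has no target for, and the reference check is worth running after any such rewrite: IDs are document-wide in MAEC, so hoisting does not break them, but a Behavior whose Action_Reference points at an Action that was never migrated (or at a typo) shows up as a dangling reference instead of a valid-looking document.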