Proposal: Rename Malware_Instance_Object_Attributes Field

Status: Open
Comment Period Closes: 5/5/2015
Affects Backwards Compatibility: Yes
Relevant Issue: https://github.com/MAECProject/schemas/issues/73

Background Information

The field named Malware_Instance_Object_Attributes is cumbersome and lengthy. A less verbose name might be preferable.

Related Issues

This proposal assumes the following issues...

Proposal

We propose to rename the Malware_Instance_Object_Attributes field to "Instance_Properties." This new name seems appropriate both because it refers to a malware "instance" and because the word "properties" is more generic in data representations than the word "attributes" (which has a specific meaning in UML).

Field	Type	Multiplicity	Description
Instance_Properties	`cybox:ObjectType`	0-1	The Instance_Properties field characterizes the properties of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in this Bundle. This is equivalent to the Instance_Properties inside of a Malware_Subject in the MAEC Package, and is therefore only required if this Bundle is to be used in a stand-alone fashion, i.e., without an accompanying MAEC Package and with the defined_subject field set to 'True'.

Example

<maecBundle:MAEC_Bundle>
  <maecBundle:Instance_Properties>
    <cybox:Description>Red October Downloader</cybox:Description>
    <cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
      <FileObj:Hashes>
        <cyboxCommon:Hash>
          <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>c3b0d1403ba35c3aba8f4529f43fb300</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash>
      </FileObj:Hashes>
    </cybox:Properties>
  </maecBundle:Instance_Properties>
...
</maecBundle:MAEC_Bundle>

Impact

This change will not be backward compatible and is one of several revisions planned in new major version.

Requested Feedback

Does it make sense to make this field name change in MAEC?
Does the proposed name make sense? Are there preferable alternatives?

Proposal: Rename Malware_Instance_Object_Attributes Field

Background Information

Related Issues

Proposal

Example

Impact

Requested Feedback

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!