-
Notifications
You must be signed in to change notification settings - Fork 16
Proposal: Rename Malware_Instance_Object_Attributes Field
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issue: https://github.com/MAECProject/schemas/issues/73
The field named Malware_Instance_Object_Attributes is cumbersome and lengthy. A less verbose name might be preferable.
This proposal assumes the following changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)
We propose to rename the Malware_Instance_Object_Attributes field to Instance_Properties. This new name seems appropriate both because it refers to a malware "instance" and because the word "properties" is more generic in data representations than the word "attributes" (which has a specific meaning in UML).
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Instance_Properties | cybox:ObjectType |
0-1 | The Instance_Properties field characterizes the properties of the object (most typically a file) that represents the malware instance whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in a Malware Subject of a MAEC Package. |
<maecBundle:MAEC_Bundle>
<maecBundle:Instance_Properties>
<cybox:Description>Red October Downloader</cybox:Description>
<cybox:Properties xsi:type="WinExecutableFileObj:WindowsExecutableFileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>c3b0d1403ba35c3aba8f4529f43fb300</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</maecBundle:Instance_Properties>
...
</maecBundle:MAEC_Bundle>This change will not be backward compatible and is one of several revisions planned in new major version.
- Does it make sense to make this field name change in MAEC?
- Does the proposed name make sense? Are there preferable alternatives?