Documents

General

MAEC Language Overview, Version 4.1

Provides a detailed introduction to the Malware Attribute Enumeration and Characterization (MAEC™) Language, an overview of the MAEC data models, a discussion of high-level use cases, requirements for the MAEC Language, and a discussion of open issues and challenges. June 12, 2014.

PDF (1.64 MB)

Characterizing Malware with MAEC and STIX

Describes the use of the Malware Attribute Enumeration and Characterization (MAEC™) and Structured Threat Information eXpression (STIX™) languages in the context of malware characterization and malware metadata exchange. By describing the relationships between the languages and by providing details on each language's ability to capture malware-related information, this document answers the "When should I use MAEC, when should I use STIX, and when should I use both?" questions. April 21, 2014.

PDF (1.12 MB)

MAEC Detailed Use Cases

Provides comprehensive guidance on the creation of Malware Attribute Enumeration and Characterization (MAEC™) Package and Bundle documents in the context of static triage, dynamic triage, and manual analysis. Also provided is a detailed walk-through and description of a notional MAEC document for each such use case. Currently, this document is written against MAEC Version 4.0.1, though the concepts are almost completely compatible with MAEC Version 4.1.

PDF (2 MB)

MAEC Introductory Brochure

A brief one-page introduction to the MAEC effort. February 2013.

PDF (191 KB)

Specifications

MAEC Bundle Specification, Version 4.1

Provides an overview and detailed description of the MAEC Bundle Data Model used in the MAEC Language. The "MAEC Bundle" provides the ability to capture and share data obtained from the analysis of a single malware instance; its underlying structure is formed by actions, behaviors, and capabilities. June 12, 2014.

PDF (875 KB)

MAEC Package Specification, Version 4.1

Provides an overview and detailed description of the MAEC Package Data Model used in the MAEC Language. The "MAEC Package" enables a user to capture and share MAEC characterized data for one or more malware subjects (a "malware subject" is MAEC's representation of a malware instance and all of the known data associated with it, including data derived from analysis and metadata); in most such cases, the malware subjects are related. June 12, 2014.

PDF (729 KB)

MAEC Container Specification, Version 4.1

Provides an overview and detailed description of the MAEC Container Data Model used in the MAEC Language. The MAEC Container enables a user to share any collection of MAEC characterized data, including one or more MAEC Packages. June 12, 2014.

PDF (387 KB)

MAEC Default Vocabularies Specification, Version 4.1

Provides an overview and detailed description of the MAEC Default Vocabularies Data Model used in the MAEC Language. The "MAEC Vocabularies" represent a set of default controlled vocabularies for use in MAEC content and were created to take advantage of the extension mechanisms provided by the Cyber Observable eXpression (CybOX™) Version 2.1 controlled vocabulary implementation; these vocabularies are broken out from the MAEC Bundle, Package, and Container schemas to support customized extension and replacement. June 12, 2014.

PDF (1.02 MB)

Presentations

MAEC Version 4.0 Overview Briefing Slides

An introduction to Version 4.0 of the MAEC Language. June 2013.

PDF (1332 KB)

MAEC Conficker Case Study Presentation

MAEC Conficker Case Study slides presented at the DHS/DoD Software Assurance Forum Malware Working Group. December 2009.

PDF (487 KB)

"Top Botnets and How MAEC Can Help Keep You Out of Their Clutches" Briefing Slides

Presented at SC World Congress 2010. November 2010.

PDF (6144 KB)

Archive

MAEC Overview Briefing Slides

Presented at 2010 Malware and Bot Technology Reverse Engineering Technical Exchange Meeting. July 2010.

PDF (4096 KB)

Malware Attribute Enumeration and Characterization (MAEC™) White Paper

Provides a detailed introduction to the Malware Attribute Enumeration and Characterization (MAEC™) initiative to provide a standardized language for attribute-based characterization of malware. The paper discusses project history; a high-level overview of the MAEC concept; eight use cases for MAEC; and a discussion of the challenges and issues facing the development of MAEC. February 2010.

PDF (1508 KB)

Malware Attribute Enumeration and Characterization SCAP Presentation

Slides from the introduction of MAEC at the 5th Annual IT Security Content Automation Conference. October 2009.

PDF (2412 KB)

Malware Attribute Enumeration and Characterization Concept Document

Provides an introduction to the Malware Attribute Enumeration and Characterization (MAEC™) initiative. Includes project history, a high-level overview of the MAEC Language, and several use cases. October 2009.

PDF (1119 KB)

Page Last Updated: October 28, 2014