Terminology

General

Artifact:
an entity remaining on a system after the execution of malware that is the result of the behaviors performed by its insertion, infection and payload. In terms of dynamic malware analysis, this can be thought of as the difference in system state before and after malware execution. Examples: file system objects (e.g., files, directories), registry keys, network ports, etc.
Attribute:
a characteristic of malware that can be used as a descriptor. For MAEC, attributes can include low-level Actions, mid-level Behaviors, the categories of the high-level Mechanisms, and metadata.
Attack Pattern:
a description of a common method for exploiting software, which can include the attacker’s perspective and guidance on ways to mitigate their effect. Example: Exploiting incorrectly configured SSL security levels.
AV Classification:
a single classification of a malware instance by an anti-virus (AV) tool.
Dynamic Analysis:
analysis of malware that is performed by executing the malware, typically in a sandbox environment.
Malware Instance:
a specific copy of malware; in MAEC, it refers to the object whose Behaviors, Actions, Objects, Process Tree, and Candidate Indicators are characterized in the MAEC Bundle. Likewise, it is the object whose total set of attributes, including analytical findings and metadata, is characterized in the Malware Subject.
Malware Pattern:
an abstraction of some attributes common to a set of malware instances, families, or classes. A single malware pattern may potentially have many varying malware instances, families, or classes associable with it.
Metadata:
a set of data that describes and gives information about other data. Example: relationships between malware samples.
Payload:
the specific malware attributes unrelated to insertion, infection, armoring, obfuscation, and self-defense. Therefore, a malware's payload can be thought of as the actions taken after the successful infection of a system, and is directly tied into the purpose behind the malware. This is potentially one of the categories in MAEC's high-level Mechanisms.
Propagation:
the mechanism and vector used by malware for the purpose of spreading to other machines. Considered a MAEC Mechanism and potentially a sub-category of payload.
Static Analysis:
analysis of malware that is performed without executing the code. Static analysis tools include disassemblers and string extractors.
Taxonomy:
a classification of malware or aspects of malware according to type or function. Examples: network reconnaissance, propagation, insertion method.
Tool:
a software application or device that analyzes or detects malware through various methods. Examples: a static analysis tool, dynamic analysis tool, signature-based scanner, or heuristic-based scanner.
Type:
any of the anti-virus (AV)/security community’s commonly used monikers for groupings of malware that share some common characteristic. Examples: virus, Trojan, worm, backdoor, key logger, rootkit, bot, etc.
Vector:
the specific method that malware uses to propagate itself. Examples: software vulnerability exploitation or social engineering.

MAEC-Specific Terminology

Action:
a Cyber Observable eXpression (CybOX™) entity extended by MAEC for capturing a system state change or a similar operation that represents the fundamental low-level operation of malware. Some examples include the creation of a file, deletion of a registry key, and the sending of some data on a socket.
Behavior:
a MAEC entity for capturing the end result of the execution of a specific set of instructions by malware. In this sense, a Behavior can be thought of as the consequence of one or more Actions. Example: the consequence of inserting a registry key (Action) is allowing malware to become resident at system start-up (Behavior).
Candidate Indicator:
a MAEC entity that specifies the particular components that may signify the presence of the malware instance on a host system or network. For instance, the existence of a particular Registry Key Object, or observation of a particular 'send http get request' Action.
Collection:
a MAEC entity that serves as a container for the abstract grouping of MAEC Bundle-level entities, i.e., Behaviors, Actions, Objects, and Candidate Indicators. Used in some of the dynamic analysis tool translators for binning Actions that operate on the same type of Object.
Document:
some instance of MAEC output, whether it be a MAEC Bundle, MAEC Package, or MAEC Container. A document may characterize one or more malware instances.
Grouping Relationship:
a MAEC entity that serves as a relationship for defining the grouping between the Malware Subjects captured in a MAEC Package. Examples: 'same malware family' and 'part of intrusion set'.
Malware Subject:
a MAEC entity for capturing the total set of attributes pertaining to a single malware instance object, including any corresponding analyses, field data, findings via MAEC Bundles, and relationships to other Malware Subjects.
Mechanism:
a high-level MAEC entity for capturing a particular goal of the author(s) of a malware instance and used to organize groups of Behaviors. Example: ensuring that malware is executed at start-up is a Behavior that is typically part of a "Persistence" mechanism. Note that the Mechanism element is not yet included in the MAEC XML schemas as of v4.0.1.
Object:
a Cyber Observable eXpression (CybOX™) entity for capturing the characteristics of a specific cyber-relevant object, including its particular properties and relationships to other Objects. Examples: file, registry key, or process (which are typically captured in MAEC using further defined object models).
Process Tree:
a MAEC entity for capturing the process tree of execution for a malware instance, including the parent process and any processes spawned or injected by it, along with any Actions initiated by each.

Page Last Updated: January 02, 2014