Terminology
- Artifact: an entity remaining on a system after the execution of malware, produced by the behaviors performed during its insertion, infection and payload. In terms of dynamic malware analysis, this can be thought of as the difference in system state before and after malware execution. Examples: file system objects (e.g. files, directories), registry keys, network ports, etc.
- Attribute: a characteristic of malware that can be used as a descriptor. For MAEC, attributes can include low-level observables, mid-level behaviors, the categories of the high-level taxonomy, and metadata.
- Attack Pattern: a description of a common method for exploiting software, which can include the attacker's perspective and guidance on mitigating its effects. Example: exploiting incorrectly configured SSL security levels.
- Behavior: the end result of the execution of a specific set of instructions by malware. In this manner, a behavior can be thought of as the consequence of an action. Example: the consequence of inserting a registry key (action) is allowing malware to become resident at system start-up (behavior).
- Observable: any data that can be obtained by observing the host-level execution of malware on a system through some form of instrumentation. It is typically obtained through dynamic analysis methods and is dependent on the host operating system. This is the overarching category under which artifacts fall, but it also includes dynamic entities such as the processes spawned and network connections initiated by malware. Examples (broad): file system changes, GUI events, etc.
- Payload: the specific malware attributes unrelated to insertion, infection, armoring, obfuscation, and self-defense. Therefore, the payload of a malware sample can be thought of as the actions taken after the successful infection of a system, and is directly tied to the purpose behind the malware. This is potentially one of the categories in MAEC's high-level taxonomy.
- Propagation (mechanism): the mechanism and vector utilized by malware for the purpose of spreading to other machines. This is potentially a sub-category of payload.
- Type: any of the AV/security community's commonly used monikers for groupings of malware that share some common characteristic. Examples: virus, trojan, worm, backdoor, keylogger, rootkit, bot, etc.
- Vector: the specific method that malware uses to propagate itself. Examples: software vulnerability exploitation, social engineering, etc.
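The following is an added worked example, not code from the MAEC project, showing how the Artifact, Observable and Behavior definitions above relate in a dynamic-analysis workflow: artifacts are computed as the difference between a "before" and an "after" system-state snapshot, every change is an observable, and a few illustrative rules map artifacts (the results of actions) to the behaviors they imply, as in the registry-key-to-start-up example. The snapshots, file names, registry keys and IP address are constructed sample data, and the category names and rule labels are assumptions made for this example.

```python
"""Artifacts as a system-state diff (added example; constructed sample data)."""

# Persistent categories whose additions remain on the system after execution
# count as artifacts; processes and outbound connections are transient and
# are therefore observables but not artifacts (assumed split for this example).
ARTIFACT_CATEGORIES = {"files", "registry_keys", "listening_ports"}

# Constructed "before" snapshot of a clean analysis VM.
BEFORE = {
    "files": {r"C:\Windows\explorer.exe", r"C:\Users\lab\Desktop\sample.exe"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    "listening_ports": {"tcp/135", "tcp/445"},
    "processes": {"explorer.exe", "svchost.exe"},
    "connections": set(),
}

# Constructed "after" snapshot taken once sample.exe has finished running.
AFTER = {
    "files": {r"C:\Windows\explorer.exe", r"C:\Users\lab\Desktop\sample.exe",
              r"C:\Users\lab\AppData\Roaming\svchots.exe"},
    "registry_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                      r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchots"},
    "listening_ports": {"tcp/135", "tcp/445", "tcp/4444"},
    "processes": {"explorer.exe", "svchost.exe", "svchots.exe"},
    "connections": {"198.51.100.23:443"},   # TEST-NET-2 documentation address
}


def diff_state(before, after):
    """Return {category: (added, removed)} over every category in either snapshot."""
    result = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, set()), after.get(cat, set())
        result[cat] = (a - b, b - a)
    return result


def extract_observables(before, after):
    """Every addition, persistent or transient, is an observable."""
    return {cat: added for cat, (added, _) in diff_state(before, after).items() if added}


def extract_artifacts(before, after):
    """Artifacts are the additions that remain on the system: the persistent subset."""
    return {cat: added for cat, added in extract_observables(before, after).items()
            if cat in ARTIFACT_CATEGORIES}


def infer_behaviors(artifacts):
    """Map artifacts to the behaviors they imply. Rules are illustrative assumptions."""
    behaviors = set()
    for key in artifacts.get("registry_keys", ()):
        # A value under a Run key is executed at logon: start-up persistence.
        if "\\CurrentVersion\\Run\\" in key:
            behaviors.add("persistence:registry-run-key")
    for path in artifacts.get("files", ()):
        # A new executable dropped into the user profile.
        if "\\AppData\\" in path and path.lower().endswith(".exe"):
            behaviors.add("dropped-executable:user-profile")
    if artifacts.get("listening_ports"):
        behaviors.add("network:opened-listening-port")
    return behaviors


if __name__ == "__main__":
    arts = extract_artifacts(BEFORE, AFTER)
    for cat, items in arts.items():
        print(f"[artifact:{cat}]", *sorted(items), sep="\n  ")
    obs = extract_observables(BEFORE, AFTER)
    print("[transient observables]", *sorted(set(obs) - set(arts)), sep="\n  ")
    print("[behaviors]", *sorted(infer_behaviors(arts)), sep="\n  ")
```

Run as a script to print the artifact set, the transient-only observable categories (processes, connections) and the inferred behaviors for the constructed snapshots; in practice the snapshots would come from the sandbox's file-system, registry and socket enumeration before and after the sample runs, and the behavior rules would be far more numerous than the three shown.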
Page Last Updated: December 16, 2009

