MAEC Enumerations

Introduction

The MAEC Language will include enumerations of malware attributes and behavior that provide a common vocabulary. These enumerations will sit at different levels of abstraction: low-level observables, mid-level behaviors and high-level taxonomies. The initial phase of MAEC development will focus on creating the enumeration of low-level malware attributes. A draft will be created by leveraging the few instances of similar work already done in this area, such as the Common Malware Enumeration (CME) profile.

The initial enumeration of low-level malware actions can be found in the 1.01 release of the MAEC Schema. All future releases of the enumerations will be posted here and announced on the News and Events page, in the MAEC Announce e-newsletter, on the MAEC Development Group on Handshake, and on the MAEC Discussion List.

MAEC’s Enumerated Elements

MAEC will consist of a finite number of enumerations of malware attributes. As malware is a form of software, and software can only perform the actions that can be achieved through execution of the instructions provided by the underlying system’s instruction set architecture (ISA), it follows that these attributes are finite and enumerable. Therefore, these enumerated attributes will include the detailed observables and behaviors performed by the software, as well as various metadata regarding the actions and the software in general.

MAEC’s ability to communicate high-fidelity information about malware will be directly tied into its ability to accurately characterize the numerous types of malware in existence, as well as those created in the future. Therefore, at a minimum, MAEC must be able to describe any low-level actions performed by malware. However, its utility would be significantly degraded if it did not also have the ability to group such information into higher-level representations of malware behavior.

Low-Level Actions

At the lowest level, MAEC will describe attributes tied to the basic functionality and low-level operation of malware. This includes observable entities such as system state changes (e.g., the insertion of a registry key, the creation of a file). Likely sources of such data include static analysis, automated dynamic analysis of malware binaries in sandboxes, host-based IDS, and IPS.

Mid-Level Behaviors

At the middle level, MAEC’s language will organize the aforementioned low-level observables into groups for the purpose of defining mid-level behaviors. This is to allow for the construction of a higher-level representation of malware behavior, thereby giving insight into the consequences of the actions performed by the low-level observables.

For instance, the description of a registry entry created or modified by malware can be useful for establishing its presence on a system. However, it does not give any insight into why the malware created or manipulated the registry entry. Such a registry entry inserted or modified by malware could have many possible uses, including being used to ensure that the malware gets executed at system start-up, or as a simple flag to indicate that the system has been infected. Including the necessary components for characterizing such mid-level behaviors in the MAEC Language will allow for the accurate description of the possible intent or goal that is behind the low-level actions being performed by malware.

High-Level Mechanisms

At the most conceptual level, MAEC’s vocabulary will allow for the construction of mechanisms that abstract clusters of mid-level malware behaviors into a higher-order classification. We envision that such a taxonomy will have views (i.e., unique layouts) intended for different target audiences. For example, forensic analysts may only be interested in looking at malware payload behaviors.

To expound upon the example given for the mid-level behaviors, ensuring that malware is executed at start-up is a behavior that is typically part of a persistence mechanism. This behavior is often accompanied by the creation of a binary copy of the malware somewhere on the local hard disk. Therefore, in MAEC’s high-level mechanisms, these two mid-level behaviors would be defined as belonging to the class of persistence mechanism.

Once MAEC’s mid-level behaviors have been defined, the MAEC community will be in a position to begin the process of creating the high-level taxonomy and constructing the appropriate and necessary behavioral linkages.

Metadata

In order to include all pertinent information regarding malware and to fully describe the common actions of malware and the rationale behind them, MAEC will characterize malware-appropriate metadata. This can range from metadata associated with malware behaviors, like the transparency of the insertion mechanism used, to the more common types of metadata that are associated with malware artifacts, such as file hashes. However, the exact nature of malware metadata is an open question and one that should be discussed in the larger security community.
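The three levels described above (low-level actions, mid-level behaviors, high-level mechanisms) together with artifact metadata can be modelled as a small pipeline. The following is an added illustration, not MAEC's own schema or code: the class names, action kinds, behavior names and grouping rules are assumptions chosen to mirror the page's own example, in which an autostart registry entry and a copy of the binary on disk are both classed under a persistence mechanism. The sandbox trace is constructed. The file hash metadata is what lets the "binary copy of the malware" be recognised among created files, and the same low-level registry write is read as either an autostart entry or an infection marker depending on where it landed.

```python
"""Illustration of MAEC's layered characterization (added example, not MAEC code).
All names and grouping rules below are assumptions mirroring the page's example."""
from dataclasses import dataclass, field
import hashlib

# Constructed stand-in for the analysed sample; its hash is the metadata that
# lets us recognise a "binary copy of the malware" among created files.
SAMPLE_BYTES = b"MZ\x90\x00constructed-fake-malware-body"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


@dataclass
class Action:
    """Low-level observable: one system state change seen by a sandbox or HIDS."""
    kind: str                                     # "registry_set" or "file_create"
    target: str                                   # registry value path or file path
    data: bytes = b""                             # value written / file content
    metadata: dict = field(default_factory=dict)  # e.g. sha256 of created files


@dataclass
class Behavior:
    """Mid-level behavior: actions grouped with the intent they serve."""
    name: str
    rationale: str
    actions: list


# Assumed autostart locations: a registry write here is read as "run at start-up";
# anywhere else the same low-level action is read as a plain infection marker.
AUTOSTART_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Assumed behavior -> mechanism mapping; anything absent stays "unclassified",
# which is the honest answer while the taxonomy is still being built.
BEHAVIOR_TO_MECHANISM = {
    "autostart_registry_entry": "persistence",
    "binary_self_copy": "persistence",
}


def attach_metadata(action: Action) -> Action:
    """Artifact-level metadata (file hash), one of the common metadata types the page names."""
    if action.kind == "file_create":
        action.metadata["sha256"] = hashlib.sha256(action.data).hexdigest()
    return action


def derive_behaviors(actions, sample_sha256: str):
    """Low-level actions -> mid-level behaviors (the 'why' behind each action)."""
    behaviors = []
    for a in map(attach_metadata, actions):
        if a.kind == "registry_set":
            if any(frag in a.target.lower() for frag in AUTOSTART_KEY_FRAGMENTS):
                behaviors.append(Behavior("autostart_registry_entry",
                                          "ensures execution at system start-up", [a]))
            else:
                behaviors.append(Behavior("infection_marker",
                                          "flag indicating the system has been infected", [a]))
        elif a.kind == "file_create":
            if a.metadata["sha256"] == sample_sha256:
                behaviors.append(Behavior("binary_self_copy",
                                          "copy of the malware placed on local disk", [a]))
            else:
                behaviors.append(Behavior("file_write",
                                          "no higher-level meaning assigned", [a]))
    return behaviors


def characterize(actions, sample_sha256: str):
    """Mid-level behaviors -> high-level mechanisms (sorted behavior names per mechanism)."""
    mechanisms = {}
    for b in derive_behaviors(actions, sample_sha256):
        mechanism = BEHAVIOR_TO_MECHANISM.get(b.name, "unclassified")
        mechanisms.setdefault(mechanism, []).append(b.name)
    return {m: sorted(names) for m, names in mechanisms.items()}


# Constructed sandbox trace: the page's example (Run key + self-copy) plus a
# marker key and an unrelated file, so both branches of each rule are exercised.
TRACE = [
    Action("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
           rb"C:\Users\Public\updater.exe"),
    Action("file_create", r"C:\Users\Public\updater.exe", SAMPLE_BYTES),
    Action("registry_set", r"HKCU\Software\ExampleVendor\Installed", b"1"),
    Action("file_create", r"C:\Users\Public\notes.txt", b"constructed unrelated content"),
]

if __name__ == "__main__":
    for b in derive_behaviors(TRACE, SAMPLE_SHA256):
        print(f"{b.name:26} <- {b.actions[0].kind} {b.actions[0].target}")
    print(characterize(TRACE, SAMPLE_SHA256))
```

Running the block yields two persistence behaviors and two unclassified ones; the unclassified bucket is deliberate, since the page leaves the higher-level placement of an infection marker (and of file writes in general) to the taxonomy the community has yet to build.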

Feedback Requested

We encourage members of the security community to participate in the development of MAEC on the MAEC Development Group on Handshake and the MAEC Email Discussion List.

Page Last Updated: January 19, 2011