Language Overview

Malware Attribute Enumeration and Characterization (MAEC™) is a structured language for encoding and communicating high fidelity information about any type of malware based upon attributes such as behaviors, artifacts, and attack patterns. As a language, MAEC offers a grammar and vocabulary that provide a standard means of communicating information about malware attributes.

MAEC Framework

MAEC’s core components include a vocabulary, grammar, and form of standardized output.


Core Components image


Learn more by following the links below:

MAEC Vocabularies — MAEC vocabularies represent a set of default controlled vocabularies for use in the description of various malware attributes when captured in MAEC. As MAEC matures, more enumerations will be captured as controlled vocabularies.

MAEC Schemas — The MAEC Language is defined by three data models, each of which is implemented in its own XML schema. Each schema provides a grammar that defines the structure of the enumerated elements and the relationships between them. There is also a default vocabulary schema, which defines the controlled vocabularies used within MAEC.

  • MAEC Bundle Schema — captures all of the analysis derived characteristics for a single malware instance, including any observed MAEC Behaviors or MAEC Actions, and any related MAEC Objects.
  • MAEC Package Schema — characterizes all known data for one or more malware instances, including their analysis derived characteristics (via MAEC Bundles) and any associated analysis or other metadata.
  • MAEC Container Schema — serves as a transport mechanism for one or more MAEC Packages
  • MAEC Default Vocabularies Schema — defines default controlled vocabularies currently used within MAEC.

Feedback Requested

We encourage you to help build this growing, open-source industry effort by joining the MAEC Community and participating in the next version of the MAEC Language.

Back to top

Page Last Updated: April 23, 2014