MAEC Schemas

The MAEC Language is defined by three data models, each of which is implemented in its own XML schema.

As shown in the illustration, "MAEC Bundle" is the level one data model; "MAEC Package" is the level two data model; and "MAEC Container" is the level three data model. All three data models offer a stand-alone output format, so each of the lower two models can optionally be used without the higher level data model (although each requires the lower level). This three-tiered structure provides flexibility in the type and amount of information that can be shared.

There is also a Default Vocabularies schema that defines default controlled vocabularies used within MAEC.

Each of these schemas, including the Default Vocabularies schema, is briefly described below.

MAEC Bundle

The MAEC Bundle schema captures all of the analysis-derived characteristics for a single malware instance, including any observed MAEC Behaviors, MAEC Actions, and any related MAEC Objects. It is intended to be used as a stand-alone container for capturing and exchanging solely the analysis output data for a malware instance, but it can also be used inside of a MAEC Package to relate the output of a particular analysis for a malware instance, as noted below.

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.

MAEC Package

The MAEC Package schema captures one or more Malware Subjects along with the grouping relationship that groups them, if applicable. A Malware Subject encompasses any analysis information and metadata related to a particular malware instance, including the analyses that were performed, their resulting output (captured as unique MAEC Bundles), and relationships to other Malware Subjects. For cases where there is more than one Malware Subject in a Package, the specific relationship that groups the Malware Subjects (if known) can be specified.

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.

MAEC Container

The MAEC Container schema is a high-level container for all forms of MAEC data, that is, any collection of MAEC entities. It is intended to serve as a transport mechanism for one or more MAEC Packages.

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.
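
The nesting described in the Bundle, Package and Container sections above, as an added Python example (not part of the MAEC release or of this page): it reports which of the three tiers a document's root element belongs to and lists every package/subject/bundle path it holds. The element names are assumed from the MAEC 4.x schemas and matched by local name only; the namespace URIs and ids in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are assumed from the MAEC 4.x schemas;
# the namespace URIs and ids are placeholders, not values from a real report.
SAMPLE = """\
<c:MAEC_Container xmlns:c="urn:example:maec-container"
                  xmlns:p="urn:example:maec-package" id="example:container-1">
  <c:Packages>
    <c:Package id="example:package-1">
      <p:Malware_Subjects>
        <p:Malware_Subject id="example:subject-1">
          <p:Findings_Bundles>
            <p:Bundle id="example:bundle-1"/>
            <p:Bundle id="example:bundle-2"/>
          </p:Findings_Bundles>
        </p:Malware_Subject>
        <p:Malware_Subject id="example:subject-2"/>
      </p:Malware_Subjects>
    </c:Package>
  </c:Packages>
</c:MAEC_Container>
"""

ROOT_TIERS = {"MAEC_Bundle": "bundle", "MAEC_Package": "package",
              "MAEC_Container": "container"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def children(elem, wrapper, item):
    """Yield <item> elements inside the direct <wrapper> children of elem."""
    for w in elem:
        if local(w.tag) == wrapper:
            yield from (i for i in w if local(i.tag) == item)

def summarize(xml_text):
    """Return (tier, [(package_id, subject_id, bundle_id), ...])."""
    # Reports received from other parties should go through a hardened parser.
    root = ET.fromstring(xml_text)
    tier = ROOT_TIERS.get(local(root.tag))
    if tier is None:
        raise ValueError("not a MAEC root element: " + local(root.tag))
    if tier == "bundle":  # stand-alone Bundle: no Package or Subject around it
        return tier, [(None, None, root.get("id"))]
    packages = [root] if tier == "package" else children(root, "Packages", "Package")
    rows = []
    for pkg in packages:
        for subj in children(pkg, "Malware_Subjects", "Malware_Subject"):
            ids = [b.get("id") for b in children(subj, "Findings_Bundles", "Bundle")]
            rows += [(pkg.get("id"), subj.get("id"), b) for b in ids or [None]]
    return tier, rows
```

A Malware Subject with no analysis output still appears in the result, with `None` in the bundle position.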

MAEC Default Vocabularies

The MAEC Default Vocabularies schema defines the set of default controlled vocabularies for use in MAEC content and was created to take advantage of the extension mechanisms provided by the Cyber Observables eXpression (CybOX™) controlled vocabulary implementation. These vocabularies are broken out from the other MAEC schemas to support customized extension and replacement of the content of these vocabularies.

Please see the MAEC Language Specification, schema annotations, and/or examples included in the current release of the MAEC Language for additional information.

Feedback Requested

We encourage you to help build this growing, open-source industry effort by joining the MAEC Community and participating in the next version of the MAEC Language.

Page Last Updated: April 23, 2014