MAEC Schema

Introduction

The MAEC Language includes a schema to provide both a syntax for the common vocabulary of attributes and behaviors, and an interchange format for structured information about these elements. The initial phase of development for MAEC is focused on the creation of the XML MAEC Schema. Future development efforts will leverage semantic Web technologies such as Resource Description Framework (RDF) and Web Ontology Language (OWL) in order to further help refine the specifics of the language and to allow for the establishment of initial namespaces and common relationships for use in the schema.

For re-use of components already being utilized in the sharing of malware-oriented information, the MAEC Schema imports certain elements from version 1.1 of the IEEE Industry Connections Security Group’s Malware Metadata Exchange Schema. Future schema revisions may import additional components from this and other schemas.

The initial draft of the MAEC Schema has been released. All future releases of the MAEC Schema will be posted here and announced on the News and Events page, in the MAEC Announce e-newsletter, on the MAEC Development Group on Handshake, and on the MAEC Discussion List.

MAEC’s Schema

MAEC’s enumerations of behaviors and other attributes are necessary for the establishment of a vocabulary for characterizing malware. Therefore, the primary intent of the MAEC Schema is to define a syntax for the discrete MAEC Language elements. The schema also serves as an interchange format for the MAEC Language, and can be utilized as a baseline for the creation of malware repositories or as an intermediate format for the sharing of information between repositories.

Key MAEC Schema Components

The current revision of the schema has four key types: analyses, actions, objects, and behaviors. For more detailed information on these and other types, please refer to the MAEC Schema itself or its associated HTML documentation.

AnalysisType

The AnalysisType is intended to provide a way of characterizing typical malware analysis-related metadata. Among others, it includes elements for capturing attributes such as the analysts who performed the analysis, the source of the analysis, and any tools used in the analysis.

ActionType

The ActionType is intended to provide a way of characterizing any actions found or observed in malware. Among others, it includes elements for capturing attributes such as how the action was implemented, any objects associated with the action, and its effects.

ObjectType

The ObjectType is intended to provide a way of characterizing any entities that actions and behaviors operate on or are associated with. Among others, it includes elements for capturing general attributes such as object type, as well as attributes that are valid only for specific types of objects, such as file creation date/time.

BehaviorType

The BehaviorType is intended to serve as a method for the characterization of malicious behaviors found or observed in malware. Among others, it includes elements for capturing the actions that constitute the behavior, along with its effects.
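As an added illustration (not the MAEC project's own code or schema), the following Python builds a constructed bundle whose element and attribute names are hypothetical stand-ins for the four types described above, then shows two operations a repository built on such a schema needs: flattening a behavior into the actions and objects it is composed of, and catching references between the types that do not resolve.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not a real MAEC 1.1 document; the element and attribute
# names are hypothetical stand-ins mirroring the four key types described above.
SAMPLE = """<Bundle>
  <Analysis id="an-1" analyst="alice" source="sandbox run" tool="example-sandbox 0.1"/>
  <Objects>
    <Object id="obj-1" type="File" path="C:\\temp\\dropper.tmp" created="2012-02-03T10:00:00Z"/>
    <Object id="obj-2" type="RegistryKey" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"/>
  </Objects>
  <Actions>
    <Action id="act-1" implementation="API: CreateFileW" object_ref="obj-1" effect="file written"/>
    <Action id="act-2" implementation="API: RegSetValueExW" object_ref="obj-2" effect="value added"/>
    <Action id="act-3" implementation="API: DeleteFileW" object_ref="obj-9" effect="file removed"/>
  </Actions>
  <Behaviors>
    <Behavior id="beh-1" effect="persistence across reboot">
      <Action_Ref ref="act-1"/>
      <Action_Ref ref="act-2"/>
      <Action_Ref ref="act-3"/>
    </Behavior>
  </Behaviors>
</Bundle>"""

def index_bundle(xml_text):
    """Index Objects, Actions and Behaviors by id (iter() matches tags exactly)."""
    root = ET.fromstring(xml_text)
    return ({o.get("id"): o for o in root.iter("Object")},
            {a.get("id"): a for a in root.iter("Action")},
            {b.get("id"): b for b in root.iter("Behavior")})

def dangling_references(xml_text):
    """Import-time integrity check: return (referring id, unresolved ref) pairs."""
    objects, actions, behaviors = index_bundle(xml_text)
    problems = [(aid, a.get("object_ref")) for aid, a in actions.items()
                if a.get("object_ref") not in objects]
    for bid, b in behaviors.items():
        problems += [(bid, r.get("ref")) for r in b.findall("Action_Ref")
                     if r.get("ref") not in actions]
    return problems

def expand_behavior(xml_text, behavior_id):
    """Flatten a Behavior into (implementation, object type, effect) per Action."""
    objects, actions, behaviors = index_bundle(xml_text)
    rows = []
    for ref in behaviors[behavior_id].findall("Action_Ref"):
        act = actions[ref.get("ref")]
        obj = objects.get(act.get("object_ref"))  # None when the ref dangles
        rows.append((act.get("implementation"),
                     None if obj is None else obj.get("type"), act.get("effect")))
    return rows
```

Running dangling_references on the sample flags act-3, whose object_ref names an object the bundle never declares; expand_behavior still resolves the behavior but reports None for that action's object type.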

Feedback Requested

We encourage members of the security community to participate in the development of MAEC on the MAEC Development Group on Handshake and the MAEC Email Discussion List.

Page Last Updated: February 03, 2012