Elements
Main schema maec_package_schema.xsd
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The following is a description of the elements, types, and attributes that compose the Malware Attribute Enumeration and Characterization (MAEC) package schema.
The MAEC Package Schema is maintained by The Mitre Corporation. For more information, including how to get involved in the project, please visit the MAEC website at http://maec.mitre.org.
The imported MMDEF v1.2 schema is copyright 2013 IEEE-SA.
Element maecPackage:MAEC_Package
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The root element of the MAEC Package schema is the MAEC_Package, which captures a single MAEC Package that encompasses one or more Malware Subjects and all of their associated MAEC entities.
Type maecPackage:PackageType
Instance
<maecPackage:MAEC_Package id="" schema_version="2.0.1" timestamp="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Malware_Subjects>{1,1}</maecPackage:Malware_Subjects>
  <maecPackage:Grouping_Relationships>{0,1}</maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>
Attributes
QName Type Fixed Use Annotation
id maecPackage:PackageIDPattern required
The required id field specifies a unique ID for this Package. The ID must follow the pattern defined in the PackageIDPattern simple type.
schema_version xs:string 2.0.1 required
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the Package was generated.
Element maecPackage:PackageType / maecPackage:Malware_Subjects
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Subjects field captures each of the Malware Subjects contained in the Package.
Type maecPackage:MalwareSubjectListType
Instance
<maecPackage:Malware_Subjects xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Malware_Subject id="">{1,unbounded}</maecPackage:Malware_Subject>
</maecPackage:Malware_Subjects>
Element maecPackage:MalwareSubjectListType / maecPackage:Malware_Subject
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Subject field represents a single Malware Subject (most commonly a file) and its associated metadata, such as Analyses, Bundles, relationships to other Malware Subjects, etc.
Type maecPackage:MalwareSubjectType
Instance
<maecPackage:Malware_Subject id="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Malware_Instance_Object_Attributes>{1,1}</maecPackage:Malware_Instance_Object_Attributes>
  <maecPackage:Minor_Variants>{0,1}</maecPackage:Minor_Variants>
  <maecPackage:Field_Data>{0,1}</maecPackage:Field_Data>
  <maecPackage:Analyses>{0,1}</maecPackage:Analyses>
  <maecPackage:Findings_Bundles>{0,1}</maecPackage:Findings_Bundles>
  <maecPackage:Relationships>{0,1}</maecPackage:Relationships>
</maecPackage:Malware_Subject>
Attributes
QName Type Use Annotation
id maecPackage:MalwareSubjectIDPattern required
The required id field specifies a unique ID for this Malware Subject. The ID must follow the pattern defined in the MalwareSubjectIDPattern simple type.
Element maecPackage:MalwareSubjectType / maecPackage:Malware_Instance_Object_Attributes
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Instance_Object_Attributes field captures the attributes of the malware instance object (most commonly a file) that is encompassed in the Malware Subject, via its corresponding CybOX Object. For example, a File Object would be represented via a CybOX File_Object and may have a file name, MD5 hash, etc.
Type ObjectType
Element maecPackage:MalwareSubjectType / maecPackage:Minor_Variants
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Minor_Variants field captures any minor variants of the malware instance object, such as the same file but with different filenames.
Type maecPackage:MinorVariantListType
Instance
<maecPackage:Minor_Variants xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Minor_Variant>{1,unbounded}</maecPackage:Minor_Variant>
</maecPackage:Minor_Variants>
Element maecPackage:MinorVariantListType / maecPackage:Minor_Variant
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Minor_Variant field captures a single minor variant of the malware instance object.
Type ObjectType
Element maecPackage:MalwareSubjectType / maecPackage:Field_Data
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Field_Data field captures field data and prevalence information relating to the Malware Subject. It imports and uses the fieldDataEntry type from the MMDEF v1.2 schema.
Type fieldDataEntry
Instance
<maecPackage:Field_Data xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2" xmlns:metadata="http://xml/metadataSharing.xsd">
  <metadata:references>{1,1}</metadata:references>
  <metadata:startDate>{1,1}</metadata:startDate>
  <metadata:endDate>{1,1}</metadata:endDate>
  <metadata:firstSeenDate>{0,1}</metadata:firstSeenDate>
  <metadata:origin>{1,1}</metadata:origin>
  <metadata:commonality>{0,1}</metadata:commonality>
  <metadata:volume units="">{0,unbounded}</metadata:volume>
  <metadata:importance>{0,1}</metadata:importance>
  <metadata:location type="">{0,1}</metadata:location>
</maecPackage:Field_Data>
Element maecPackage:MalwareSubjectType / maecPackage:Analyses
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analyses field captures any Analyses (including their associated metadata such as tools used, etc.) that were performed on the Malware Subject.
Type maecPackage:AnalysisListType
Instance
<maecPackage:Analyses xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Analysis complete_datetime="" id="" lastupdate_datetime="" method="" ordinal_position="" start_datetime="" type="">{1,unbounded}</maecPackage:Analysis>
</maecPackage:Analyses>
Element maecPackage:AnalysisListType / maecPackage:Analysis
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysis field represents the metadata regarding a single analysis that was performed on a Malware Subject.
Type maecPackage:AnalysisType
Instance
<maecPackage:Analysis complete_datetime="" id="" lastupdate_datetime="" method="" ordinal_position="" start_datetime="" type="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Source>{0,1}</maecPackage:Source>
  <maecPackage:Analysts>{0,1}</maecPackage:Analysts>
  <maecPackage:Summary>{0,1}</maecPackage:Summary>
  <maecPackage:Comments>{0,1}</maecPackage:Comments>
  <maecPackage:Findings_Bundle_Reference>{0,1}</maecPackage:Findings_Bundle_Reference>
  <maecPackage:Tools>{0,1}</maecPackage:Tools>
  <maecPackage:Dynamic_Analysis_Metadata>{0,1}</maecPackage:Dynamic_Analysis_Metadata>
  <maecPackage:Analysis_Environment>{0,1}</maecPackage:Analysis_Environment>
  <maecPackage:Report>{0,1}</maecPackage:Report>
</maecPackage:Analysis>
Attributes
QName Type Use Annotation
complete_datetime xs:dateTime optional
The complete_datetime field specifies the date/time the analysis was completed.
id maecPackage:AnalysisIDPattern required
The required id field specifies a unique ID for this Analysis. The ID must follow the pattern defined in the AnalysisIDPattern simple type.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the date/time the analysis was last updated.
method maecPackage:AnalysisMethodEnum optional
The method field specifies the analysis method used in the analysis.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.
start_datetime xs:dateTime optional
The start_datetime field specifies the date/time the analysis was started.
type maecPackage:AnalysisTypeEnum optional
The type field specifies the type of malware analysis being performed.
Element maecPackage:AnalysisType / maecPackage:Source
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Source field specifies information about the internal or external source of the analysis, if applicable.
Type maecPackage:SourceType
Instance
<maecPackage:Source xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Name>{0,1}</maecPackage:Name>
  <maecPackage:Method>{0,1}</maecPackage:Method>
  <maecPackage:Reference>{0,1}</maecPackage:Reference>
  <maecPackage:Organization>{0,1}</maecPackage:Organization>
  <maecPackage:URL>{0,1}</maecPackage:URL>
</maecPackage:Source>
Element maecPackage:SourceType / maecPackage:Name
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Name field refers to the name of the person linked to the source.
Type xs:string
Element maecPackage:SourceType / maecPackage:Method
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Method field provides an abstract way of specifying the method used to obtain the data that the Source element refers to.
Type xs:string
Element maecPackage:SourceType / maecPackage:Reference
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Reference field provides an abstract way of specifying a reference name or ID for the source.
Type xs:string
Element maecPackage:SourceType / maecPackage:Organization
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Organization field specifies the name of the organization from which the source originated.
Type xs:string
Element maecPackage:SourceType / maecPackage:URL
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The URL field specifies the URL of the external source, if applicable.
Type xs:anyURI
Element maecPackage:AnalysisType / maecPackage:Analysts
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysts field specifies the analyst(s) who performed the analysis.
Type PersonnelType
Element maecPackage:AnalysisType / maecPackage:Summary
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Summary field specifies a summary of the analysis that was performed.
Type StructuredTextType
Element maecPackage:AnalysisType / maecPackage:Comments
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Comments field specifies any comments regarding the analysis that was performed.
Type maecPackage:CommentListType
Instance
<maecPackage:Comments xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Comment>{1,unbounded}</maecPackage:Comment>
</maecPackage:Comments>
Element maecPackage:CommentListType / maecPackage:Comment
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Comment field specifies a single comment pertaining to a particular MAEC entity.
Type maecPackage:CommentType
Element maecPackage:AnalysisType / maecPackage:Findings_Bundle_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Findings_Bundle_Reference field specifies a reference to the Bundle which encompasses the results and output of the Analysis in terms of its corresponding MAEC entities, such as Behaviors and Actions.
Type BundleReferenceType
Element maecPackage:AnalysisType / maecPackage:Tools
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Tools field specifies information about the tool(s) used in the analysis, via the CybOX ToolInformationType. If only a single Tool is specified, then this implies that this tool was responsible for all of the findings contained in the Bundle referenced by the Findings_Bundle_Reference element.
Type maecPackage:ToolListType
Instance
<maecPackage:Tools xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Tool>{1,unbounded}</maecPackage:Tool>
</maecPackage:Tools>
Element maecPackage:ToolListType / maecPackage:Tool
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Tool field specifies a single tool in the list.
Type ToolInformationType
Element maecPackage:AnalysisType / maecPackage:Dynamic_Analysis_Metadata
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Dynamic_Analysis_Metadata field specifies metadata pertaining to the dynamic analysis of the subject binary, such as the command line used, the duration of the analysis, etc.
Type maecPackage:DynamicAnalysisMetadataType
Instance
<maecPackage:Dynamic_Analysis_Metadata xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Command_Line>{0,1}</maecPackage:Command_Line>
  <maecPackage:Analysis_Duration>{0,1}</maecPackage:Analysis_Duration>
  <maecPackage:Exit_Code>{0,1}</maecPackage:Exit_Code>
</maecPackage:Dynamic_Analysis_Metadata>
Element maecPackage:DynamicAnalysisMetadataType / maecPackage:Command_Line
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Command_Line field specifies the command line used to launch the subject binary.
Type xs:string
Element maecPackage:DynamicAnalysisMetadataType / maecPackage:Analysis_Duration
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysis_Duration field specifies the duration of the overall dynamic analysis process, in seconds.
Type xs:float
Element maecPackage:DynamicAnalysisMetadataType / maecPackage:Exit_Code
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Exit_Code field specifies the exit code with which the subject binary exited.
Type xs:integer
Element maecPackage:AnalysisType / maecPackage:Analysis_Environment
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysis_Environment field specifies attributes for characterizing the analysis environment in which the analysis was performed.
Type maecPackage:AnalysisEnvironmentType
Instance
<maecPackage:Analysis_Environment xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Hypervisor_Host_System>{0,1}</maecPackage:Hypervisor_Host_System>
  <maecPackage:Analysis_Systems>{0,1}</maecPackage:Analysis_Systems>
  <maecPackage:Network_Infrastructure>{0,1}</maecPackage:Network_Infrastructure>
</maecPackage:Analysis_Environment>
Element maecPackage:AnalysisEnvironmentType / maecPackage:Hypervisor_Host_System
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Hypervisor_Host_System field characterizes the (physical) host system used in the analysis on which the VM Hypervisor runs. This element imports and extends the CybOX System Object.
Type maecPackage:HypervisorHostSystemType
Instance
<maecPackage:Hypervisor_Host_System xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:VM_Hypervisor>{0,1}</maecPackage:VM_Hypervisor>
</maecPackage:Hypervisor_Host_System>
Element maecPackage:HypervisorHostSystemType / maecPackage:VM_Hypervisor
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The VM_Hypervisor field refers to the name of the VM Hypervisor that hosts the operating system(s) on which the analysis was performed, if applicable, via a Common Platform Enumeration (CPE) identifier. See http://cpe.mitre.org for more information on CPE.
Type PlatformSpecificationType
Element maecPackage:AnalysisEnvironmentType / maecPackage:Analysis_Systems
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysis_Systems field characterizes the system(s) (real or virtual) on which the actual analysis was performed, including information about both the hardware and software, such as the properties of its BIOS, processor architecture, and operating system. This element imports and extends the CybOX System Object.
Type maecPackage:AnalysisSystemListType
Instance
<maecPackage:Analysis_Systems xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Analysis_System>{1,unbounded}</maecPackage:Analysis_System>
</maecPackage:Analysis_Systems>
Element maecPackage:AnalysisSystemListType / maecPackage:Analysis_System
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Analysis_System field captures a single analysis system.
Type maecPackage:AnalysisSystemType
Instance
<maecPackage:Analysis_System xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Installed_Programs>{0,1}</maecPackage:Installed_Programs>
</maecPackage:Analysis_System>
Element maecPackage:AnalysisSystemType / maecPackage:Installed_Programs
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Installed_Programs field specifies the programs installed on the OS that was used to perform the analysis. This can be useful for clarifying the nature of the analysis environment, for instance for determining whether an exploited piece of software was present, as well as for specifying any tools that may have been installed.
Type maecPackage:InstalledProgramsType
Instance
<maecPackage:Installed_Programs xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Program>{1,unbounded}</maecPackage:Program>
</maecPackage:Installed_Programs>
Element maecPackage:InstalledProgramsType / maecPackage:Program
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Program field specifies a single program that is installed on the system. It is captured as a CybOX PlatformSpecificationType (the Type shown below), so a program is typically identified via a Common Platform Enumeration (CPE) identifier, in the same way as the VM_Hypervisor field; the annotation's reference to the CPESpecificationType from the CybOX v1.0 Common Types draft predates that type.
Type PlatformSpecificationType
Element maecPackage:AnalysisEnvironmentType / maecPackage:Network_Infrastructure
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Network_Infrastructure field captures details of the network infrastructure used in the analysis environment, such as any network protocols that are captured or manipulated.
Type maecPackage:NetworkInfrastructureType
Instance
<maecPackage:Network_Infrastructure xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Captured_Protocols>{1,1}</maecPackage:Captured_Protocols>
</maecPackage:Network_Infrastructure>
Element maecPackage:NetworkInfrastructureType / maecPackage:Captured_Protocols
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Captured_Protocols field specifies a list of network protocols, along with the particular level of interaction, that the malware analysis environment captures or interacts with in some fashion.
Type maecPackage:CapturedProtocolListType
Instance
<maecPackage:Captured_Protocols xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Protocol interaction_level="" layer4_protocol="" layer7_protocol="" port_number="">{1,unbounded}</maecPackage:Protocol>
</maecPackage:Captured_Protocols>
Element maecPackage:CapturedProtocolListType / maecPackage:Protocol
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Protocol field specifies a single layer 4 or layer 7 network protocol captured or interacted with by the analysis environment.
Type maecPackage:CapturedProtocolType
Attributes
QName Type Use Annotation
interaction_level maecPackage:InteractionLevelEnum optional
The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.
layer4_protocol maecPackage:Layer4ProtocolEnum optional
The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.
layer7_protocol maecPackage:Layer7ProtocolEnum optional
The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.
port_number xs:positiveInteger optional
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Element maecPackage:AnalysisType / maecPackage:Report
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Report field specifies the textual report regarding the analysis performed on the malware.
Type StructuredTextType
Element maecPackage:MalwareSubjectType / maecPackage:Findings_Bundles
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Findings_Bundles field specifies any MAEC Bundles pertaining to the Malware Subject, thus capturing any observed or discovered Behaviors, Actions, or Objects. These Bundles can either be abstract, or referenced as the result of an analysis that was performed on the malware.
Type maecPackage:FindingsBundleListType
Instance
<maecPackage:Findings_Bundles xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Meta_Analysis>{0,1}</maecPackage:Meta_Analysis>
  <maecPackage:Bundle>{0,unbounded}</maecPackage:Bundle>
  <maecPackage:Bundle_External_Reference>{0,unbounded}</maecPackage:Bundle_External_Reference>
</maecPackage:Findings_Bundles>
Element maecPackage:FindingsBundleListType / maecPackage:Meta_Analysis
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Meta_Analysis field captures any meta-analysis related entities for the Bundles captured for a Malware Subject, such as equivalencies.
Type maecPackage:MetaAnalysisType
Instance
<maecPackage:Meta_Analysis xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Action_Equivalences>{0,1}</maecPackage:Action_Equivalences>
  <maecPackage:Object_Equivalences>{0,1}</maecPackage:Object_Equivalences>
</maecPackage:Meta_Analysis>
Element maecPackage:MetaAnalysisType / maecPackage:Action_Equivalences
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Action_Equivalences field captures any equivalences between Actions contained in one or more Bundles.
Type maecPackage:ActionEquivalenceListType
Instance
<maecPackage:Action_Equivalences xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Action_Equivalence id="">{1,unbounded}</maecPackage:Action_Equivalence>
</maecPackage:Action_Equivalences>
Element maecPackage:ActionEquivalenceListType / maecPackage:Action_Equivalence
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Action_Equivalence field captures a single Action Equivalence in the list.
Type maecPackage:ActionEquivalenceType
Instance
<maecPackage:Action_Equivalence id="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Action_Reference>{1,unbounded}</maecPackage:Action_Reference>
</maecPackage:Action_Equivalence>
Attributes
QName Type Use Annotation
id maecPackage:ActionEquivalenceIDPattern required
The required id field specifies the ID for the Action Equivalence, and must be of the format specified by the ActionEquivalenceIDPattern type.
Element maecPackage:ActionEquivalenceType / maecPackage:Action_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Action_Reference field specifies a reference to a single Action that is part of the Action Equivalency.
Type ActionReferenceType
Element maecPackage:MetaAnalysisType / maecPackage:Object_Equivalences
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Object_Equivalences field captures any equivalences between Objects contained in one or more Bundles.
Type maecPackage:ObjectEquivalenceListType
Instance
<maecPackage:Object_Equivalences xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Object_Equivalence>{1,unbounded}</maecPackage:Object_Equivalence>
</maecPackage:Object_Equivalences>
Element maecPackage:ObjectEquivalenceListType / maecPackage:Object_Equivalence
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Object_Equivalence field specifies a single Object Equivalence in the list.
Type maecPackage:ObjectEquivalenceType
Element maecPackage:FindingsBundleListType / maecPackage:Bundle
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Bundle field captures a single MAEC Bundle, representing some set of characterized entities resulting from analysis of the Malware Subject.
Type BundleType
Element maecPackage:FindingsBundleListType / maecPackage:Bundle_External_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Bundle_External_Reference field specifies a single externally located MAEC Bundle (such as a file or URL) via a URI, representing some set of results from analysis of the Malware Subject.
Type xs:anyURI
Element maecPackage:MalwareSubjectType / maecPackage:Relationships
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Relationships field captures any relationships between the Malware Subject and other Malware Subjects.
Type maecPackage:MalwareSubjectRelationshipListType
Instance
<maecPackage:Relationships xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Relationship>{1,unbounded}</maecPackage:Relationship>
</maecPackage:Relationships>
Element maecPackage:MalwareSubjectRelationshipListType / maecPackage:Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Relationship field specifies a relationship that relates the Malware Subject to one or more other Malware Subjects contained in the Package.
Type maecPackage:MalwareSubjectRelationshipType
Instance
<maecPackage:Relationship xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Type>{1,1}</maecPackage:Type>
  <maecPackage:Malware_Subject_Reference malware_subject_idref="">{1,unbounded}</maecPackage:Malware_Subject_Reference>
</maecPackage:Relationship>
Element maecPackage:MalwareSubjectRelationshipType / maecPackage:Type
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Type field specifies the type of relationship being captured.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is MalwareSubjectRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type ControlledVocabularyStringType
Element maecPackage:MalwareSubjectRelationshipType / maecPackage:Malware_Subject_Reference
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Subject_Reference field provides a reference to a single Malware Subject that this relationship pertains to.
Diagram: MalwareSubjectReferenceType (malware_subject_idref)
Type maecPackage:MalwareSubjectReferenceType
Attributes
QName Type Use Annotation
malware_subject_idref maecPackage:MalwareSubjectIDREFPattern required
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Element maecPackage:PackageType / maecPackage:Grouping_Relationships
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Grouping_Relationships field specifies the particular relationships that serve to group the Malware Subjects encompassed in this Package. This is solely for cases where more than one Malware Subject is contained within the Package.
Diagram: GroupingRelationshipListType (Grouping_Relationship)
Type maecPackage:GroupingRelationshipListType
Instance
<maecPackage:Grouping_Relationships xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Grouping_Relationship>{1,unbounded}</maecPackage:Grouping_Relationship>
</maecPackage:Grouping_Relationships>
Element maecPackage:GroupingRelationshipListType / maecPackage:Grouping_Relationship
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Grouping_Relationship field specifies a single grouping relationship in the list.
Diagram: GroupingRelationshipType (Type, Malware_Family_Name, Malware_Toolkit_Name, Clustering_Metadata)
Type maecPackage:GroupingRelationshipType
Instance
<maecPackage:Grouping_Relationship xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Type>{0,1}</maecPackage:Type>
  <maecPackage:Malware_Family_Name>{0,1}</maecPackage:Malware_Family_Name>
  <maecPackage:Malware_Toolkit_Name>{0,1}</maecPackage:Malware_Toolkit_Name>
  <maecPackage:Clustering_Metadata>{0,1}</maecPackage:Clustering_Metadata>
</maecPackage:Grouping_Relationship>
Element maecPackage:GroupingRelationshipType / maecPackage:Type
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Type field specifies the type of relationship that groups the Malware Subjects in the Package.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is GroupingRelationshipTypeVocab-1.0 in the http://maec.mitre.org/default_vocabularies-1 namespace. This type is defined in the maec_default_vocabularies.xsd file or at the URL http://maec.mitre.org/XMLSchema/default_vocabularies/1.0.0/maec_default_vocabularies.xsd.
Type ControlledVocabularyStringType
Element maecPackage:GroupingRelationshipType / maecPackage:Malware_Family_Name
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Family_Name field specifies the name of the malware family referred to by the 'same_malware_family' relationship type.
Type xs:string
Element maecPackage:GroupingRelationshipType / maecPackage:Malware_Toolkit_Name
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Toolkit_Name field specifies the name of the malware toolkit referred to by the 'same_malware_toolkit' relationship type.
Type xs:string
Element maecPackage:GroupingRelationshipType / maecPackage:Clustering_Metadata
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Clustering_Metadata field specifies any metadata regarding the algorithm and/or methods used to cluster the Malware Subjects in this Package.
Diagram: ClusteringMetadataType (Algorithm_Name, Algorithm_Version, Algorithm_Parameters, Cluster_Size, Cluster_Description, Cluster_Composition)
Type maecPackage:ClusteringMetadataType
Instance
<maecPackage:Clustering_Metadata xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Algorithm_Name>{0,1}</maecPackage:Algorithm_Name>
  <maecPackage:Algorithm_Version>{0,1}</maecPackage:Algorithm_Version>
  <maecPackage:Algorithm_Parameters>{0,1}</maecPackage:Algorithm_Parameters>
  <maecPackage:Cluster_Size>{0,1}</maecPackage:Cluster_Size>
  <maecPackage:Cluster_Description>{0,1}</maecPackage:Cluster_Description>
  <maecPackage:Cluster_Composition score_type="">{0,1}</maecPackage:Cluster_Composition>
</maecPackage:Clustering_Metadata>
Element maecPackage:ClusteringMetadataType / maecPackage:Algorithm_Name
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Algorithm_Name field specifies the name of the clustering algorithm used to cluster the malware.
Type xs:string
Element maecPackage:ClusteringMetadataType / maecPackage:Algorithm_Version
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Algorithm_Version field specifies the version of the algorithm used to cluster the malware.
Type xs:string
Element maecPackage:ClusteringMetadataType / maecPackage:Algorithm_Parameters
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Algorithm_Parameters field specifies any parameters that may have been used in the clustering algorithm.
Diagram: ClusteringAlgorithmParametersType (Distance_Threshold, Number_of_Iterations)
Type maecPackage:ClusteringAlgorithmParametersType
Instance
<maecPackage:Algorithm_Parameters xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Distance_Threshold>{0,1}</maecPackage:Distance_Threshold>
  <maecPackage:Number_of_Iterations>{0,1}</maecPackage:Number_of_Iterations>
</maecPackage:Algorithm_Parameters>
Element maecPackage:ClusteringAlgorithmParametersType / maecPackage:Distance_Threshold
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Distance_Threshold field specifies the minimum distance threshold for the cluster, or the minimum distance between nodes in order for them to belong to the same cluster.
Type xs:decimal
Element maecPackage:ClusteringAlgorithmParametersType / maecPackage:Number_of_Iterations
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Number_of_Iterations field specifies the number of times that the algorithm was executed in order to produce the cluster.
Type xs:positiveInteger
Element maecPackage:ClusteringMetadataType / maecPackage:Cluster_Size
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Cluster_Size field specifies the size of the malware cluster.
Type xs:positiveInteger
Element maecPackage:ClusteringMetadataType / maecPackage:Cluster_Description
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Cluster_Description field provides a textual description of the malware cluster, such as information about its composition, etc.
Type xs:string
Element maecPackage:ClusteringMetadataType / maecPackage:Cluster_Composition
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Cluster_Composition field captures the composition of the malware cluster, including the similarity indices between its members, as a collection of edges and their corresponding nodes.
Diagram: ClusterCompositionType (score_type, Edge_Node_Pair)
Type maecPackage:ClusterCompositionType
Instance
<maecPackage:Cluster_Composition score_type="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Edge_Node_Pair similarity_distance="" similarity_index="">{1,unbounded}</maecPackage:Edge_Node_Pair>
</maecPackage:Cluster_Composition>
Attributes
QName Type Use Annotation
score_type xs:string optional
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Element maecPackage:ClusterCompositionType / maecPackage:Edge_Node_Pair
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Edge_Node_Pair field specifies a single edge and its connected nodes in the malware cluster, representing the similarity index between two Malware Subjects.
Diagram: ClusterEdgeNodePairType (similarity_index, similarity_distance, Malware_Subject_Node_A, Malware_Subject_Node_B)
Type maecPackage:ClusterEdgeNodePairType
Instance
<maecPackage:Edge_Node_Pair similarity_distance="" similarity_index="" xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2">
  <maecPackage:Malware_Subject_Node_A malware_subject_idref="">{1,1}</maecPackage:Malware_Subject_Node_A>
  <maecPackage:Malware_Subject_Node_B malware_subject_idref="">{1,1}</maecPackage:Malware_Subject_Node_B>
</maecPackage:Edge_Node_Pair>
Attributes
QName Type Use Annotation
similarity_distance xs:decimal optional
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
similarity_index xs:decimal optional
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Element maecPackage:ClusterEdgeNodePairType / maecPackage:Malware_Subject_Node_A
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Subject_Node_A field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.
Diagram: MalwareSubjectReferenceType (malware_subject_idref)
Type maecPackage:MalwareSubjectReferenceType
Attributes
QName Type Use Annotation
malware_subject_idref maecPackage:MalwareSubjectIDREFPattern required
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Element maecPackage:ClusterEdgeNodePairType / maecPackage:Malware_Subject_Node_B
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Malware_Subject_Node_B field represents a node connected to the edge via a reference to a Malware Subject that is part of a malware cluster.
Diagram: MalwareSubjectReferenceType (malware_subject_idref)
Type maecPackage:MalwareSubjectReferenceType
Attributes
QName Type Use Annotation
malware_subject_idref maecPackage:MalwareSubjectIDREFPattern required
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Complex Type maecPackage:PackageType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The PackageType is the namesake type of the MAEC Package schema, and captures either a single Malware Subject, or a collection of Malware Subjects that are related in some way (even if exact details of the relationship are unknown). Unlike the MAEC Bundle, which captures only the MAEC-characterized analysis results for a malware instance, the Package permits the capture of additional metadata relating to the analysis, relationships between Malware Subjects, and similar types of entities.
Diagram: PackageType (id, schema_version, timestamp, Malware_Subjects, Grouping_Relationships)
Attributes
QName Type Fixed Use Annotation
id maecPackage:PackageIDPattern required
The required id field specifies a unique ID for this Package. The ID must follow the pattern defined in the PackageIDPattern simple type.
schema_version xs:string 2.0.1 required
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
timestamp xs:dateTime optional
The timestamp field specifies the date/time that the Package was generated.
Complex Type maecPackage:MalwareSubjectListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectListType captures a list of Malware Subjects.
Diagram: MalwareSubjectListType (Malware_Subject)
Complex Type maecPackage:MalwareSubjectType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectType captures all of the details pertaining to a single malware instance, including any corresponding Analyses, Field Data, Findings Bundles, and relationships to other Malware Subjects.
Diagram: MalwareSubjectType (id, Malware_Instance_Object_Attributes, Minor_Variants, Field_Data, Analyses, Findings_Bundles, Relationships)
Attributes
QName Type Use Annotation
id maecPackage:MalwareSubjectIDPattern required
The required id field specifies a unique ID for this Malware Subject. The ID must follow the pattern defined in the MalwareSubjectIDPattern simple type.
Complex Type maecPackage:MinorVariantListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MinorVariantListType captures a list of minor variants of a Malware Subject's malware instance object, for example the same binary but with different filenames.
Diagram: MinorVariantListType (Minor_Variant)
Complex Type maecPackage:AnalysisListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisListType captures a list of analyses that were performed on a Malware Subject.
Diagram: AnalysisListType (Analysis)
Complex Type maecPackage:AnalysisType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisType provides a way of capturing the information associated with the analysis of a malware instance, such as the subject, authors, start datetime, and other relevant data.
Diagram: AnalysisType (id, type, method, ordinal_position, start_datetime, complete_datetime, lastupdate_datetime, Source, Analysts, Summary, Comments, Findings_Bundle_Reference, Tools, Dynamic_Analysis_Metadata, Analysis_Environment, Report)
Attributes
QName Type Use Annotation
complete_datetime xs:dateTime optional
The complete_datetime field specifies the date/time the analysis was completed.
id maecPackage:AnalysisIDPattern required
The required id field specifies a unique ID for this Analysis. The ID must follow the pattern defined in the AnalysisIDPattern simple type.
lastupdate_datetime xs:dateTime optional
The lastupdate_datetime field specifies the date/time the analysis was last updated.
method maecPackage:AnalysisMethodEnum optional
The method field specifies the analysis method used in the analysis.
ordinal_position xs:positiveInteger optional
The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.
start_datetime xs:dateTime optional
The start_datetime field specifies the date/time the analysis was started.
type maecPackage:AnalysisTypeEnum optional
The type field specifies the type of malware analysis being performed.
Complex Type maecPackage:SourceType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The SourceType provides a way of characterizing the external source of a relevant MAEC entity, such as an Analysis.
Diagram: SourceType (Name, Method, Reference, Organization, URL)
Complex Type maecPackage:CommentListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CommentListType provides a simple way of capturing any comments relating to MAEC entities, such as Analyses.
Diagram: CommentListType (Comment)
Complex Type maecPackage:CommentType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CommentType captures a comment relating to some MAEC entity.
Diagram: CommentType (author, timestamp)
Type extension of StructuredTextType
Complex Type maecPackage:ToolListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ToolListType characterizes one or more tools, such as those used in the analysis of a Malware Subject.
Diagram: ToolListType (Tool)
Complex Type maecPackage:DynamicAnalysisMetadataType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The DynamicAnalysisMetadataType captures any metadata specific to the dynamic analysis of a malware instance.
Diagram: DynamicAnalysisMetadataType (Command_Line, Analysis_Duration, Exit_Code)
Complex Type maecPackage:AnalysisEnvironmentType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisEnvironmentType provides mechanisms for characterizing the particular hardware/software environment used in the analysis of a Malware Subject.
Diagram: AnalysisEnvironmentType (Hypervisor_Host_System, Analysis_Systems, Network_Infrastructure)
Complex Type maecPackage:HypervisorHostSystemType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The HypervisorHostSystemType characterizes the VM Hypervisor host system used in the malware analysis environment.
Diagram: HypervisorHostSystemType (VM_Hypervisor)
Type extension of SystemObjectType
Complex Type maecPackage:AnalysisSystemListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemListType captures a list of the systems, physical or virtual, used in the analysis of a Malware Subject.
Diagram: AnalysisSystemListType (Analysis_System)
Complex Type maecPackage:AnalysisSystemType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisSystemType is intended to characterize any systems on which malware analysis is performed. It imports and extends version 1.3 of the CybOX System Object.
Diagram: AnalysisSystemType (Installed_Programs)
Type extension of SystemObjectType
Complex Type maecPackage:InstalledProgramsType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InstalledProgramsType captures the programs installed on a particular operating system image, via a list of CPE identifiers.
Diagram: InstalledProgramsType (Program)
Complex Type maecPackage:NetworkInfrastructureType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The NetworkInfrastructureType captures specific details about the network infrastructure used in the malware analysis environment.
Diagram: NetworkInfrastructureType (Captured_Protocols)
Complex Type maecPackage:CapturedProtocolListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolListType specifies a list of network protocols that a malware analysis environment may capture or interact with.
Diagram: CapturedProtocolListType (Protocol)
Complex Type maecPackage:CapturedProtocolType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The CapturedProtocolType specifies the details of a network protocol that may be captured or otherwise manipulated in the malware analysis environment.
Diagram: CapturedProtocolType (layer7_protocol, layer4_protocol, port_number, interaction_level)
Attributes
QName Type Use Annotation
interaction_level maecPackage:InteractionLevelEnum optional
The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.
layer4_protocol maecPackage:Layer4ProtocolEnum optional
The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.
layer7_protocol maecPackage:Layer7ProtocolEnum optional
The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.
port_number xs:positiveInteger optional
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Simple Type maecPackage:Layer7ProtocolEnum
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer7ProtocolEnum is a non-exhaustive enumeration of Layer 7 (OSI model) network protocols.
Type restriction of xs:string
Facets
enumeration http
The http value specifies the Hypertext Transfer Protocol (HTTP).
enumeration https
The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
enumeration ftp
The ftp value specifies the File Transfer Protocol (FTP).
enumeration ftps
The ftps value specifies the File Transfer Protocol Secure (FTPS).
enumeration smtp
The smtp value specifies the Simple Mail Transfer Protocol (SMTP).
enumeration smtps
The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).
enumeration pop3
The pop3 value specifies the Post Office Protocol version 3 (POP3).
enumeration pop3s
The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).
enumeration irc
The irc value specifies the Internet Relay Chat (IRC) protocol.
enumeration dns
The dns value specifies the Domain Name System (DNS) protocol.
enumeration rdp
The rdp value specifies the Remote Desktop Protocol (RDP).
enumeration rpc
The rpc value specifies some Remote Procedure Call (RPC) protocol, such as MSRPC.
enumeration ssh
The ssh value specifies the Secure Shell (SSH) protocol.
enumeration telnet
The telnet value specifies the Telnet protocol.
Simple Type maecPackage:Layer4ProtocolEnum
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The Layer4ProtocolEnum is a non-exhaustive enumeration of Layer 4 (OSI model) network protocols.
Type restriction of xs:string
Facets
enumeration tcp
The tcp value specifies the Transmission Control Protocol (TCP).
enumeration udp
The udp value specifies the User Datagram Protocol (UDP).
Simple Type maecPackage:InteractionLevelEnum
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The InteractionLevelEnum is a non-exhaustive enumeration of interaction levels for network protocols in a malware analysis environment.
Type restriction of xs:string
Facets
enumeration high
The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
enumeration low
The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
enumeration honeytrap
The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
enumeration live
The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
enumeration none
The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
Simple Type maecPackage:AnalysisIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisIDPattern defines the format for acceptable MAEC Analysis ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'ana', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-ana-[1-9][0-9]*)
Simple Type maecPackage:AnalysisTypeEnum
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisTypeEnum is an enumeration of types of malware analyses.
Type restriction of xs:string
Facets
enumeration triage
The triage value specifies a cursory, or triage, type of malware analysis, commonly automated in conjunction with one or more tools.
enumeration manual
The manual value specifies an in-depth, or manual, type of malware analysis that is typically performed by a human analyst.
Simple Type maecPackage:AnalysisMethodEnum
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The AnalysisMethodEnum is an enumeration of malware analysis methods.
Type restriction of xs:string
Facets
enumeration static
The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
enumeration dynamic
The dynamic value specifies a dynamic malware analysis method, which is achieved by executing but not inspecting the malware instance.
enumeration combination
The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
Complex Type maecPackage:FindingsBundleListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The FindingsBundleListType captures a list of Bundles or external references to Bundles, along with any related meta-analysis entities.
Diagram: FindingsBundleListType (Meta_Analysis, Bundle, Bundle_External_Reference)
Complex Type maecPackage:MetaAnalysisType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MetaAnalysisType captures meta-analysis entities associated with the Bundles that were captured for a Malware Subject, such as Action Equivalencies.
Diagram: MetaAnalysisType (Action_Equivalences, Object_Equivalences)
Complex Type maecPackage:ActionEquivalenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceListType captures a list of Action Equivalences.
Diagram: ActionEquivalenceListType (Action_Equivalence)
Complex Type maecPackage:ActionEquivalenceType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceType relates any Actions that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools. It can be used as a way of referencing equivalent actions as a single unit, such as for specifying the Action composition of a Behavior.
Diagram: ActionEquivalenceType (id, Action_Reference)
Attributes
QName Type Use Annotation
id maecPackage:ActionEquivalenceIDPattern required
The required id field specifies the ID for the Action Equivalence, and must be of the format specified by the ActionEquivalenceIDPattern type.
Simple Type maecPackage:ActionEquivalenceIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ActionEquivalenceIDPattern defines the format for acceptable MAEC Action Equivalence ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the five letter code 'acteq', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-acteq-[1-9][0-9]*)
Complex Type maecPackage:ObjectEquivalenceListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceListType captures a list of Object Equivalences.
Diagram: ObjectEquivalenceListType (Object_Equivalence)
Complex Type maecPackage:ObjectEquivalenceType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceType relates the Objects that are equivalent to each other, e.g., those that were found for the same Malware Subject when using different analysis tools.
Diagram: id
Type extension of ObjectReferenceListType
Simple Type maecPackage:ObjectEquivalenceIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ObjectEquivalenceIDPattern defines the format for acceptable MAEC Object Equivalence ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the five letter code 'objeq', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-objeq-[1-9][0-9]*)
Complex Type maecPackage:MalwareSubjectRelationshipListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipListType captures a list of relationships between a Malware Subject and other Malware Subjects.
Diagram: Relationship
Complex Type maecPackage:MalwareSubjectRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectRelationshipType provides a mechanism for capturing the relationships between a Malware Subject and one or more other Malware Subjects.
Diagram: Type, Malware_Subject_Reference
Complex Type maecPackage:MalwareSubjectReferenceType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectReferenceType provides a mechanism for specifying a reference to a Malware Subject contained in the Package.
Diagram: malware_subject_idref
Attributes
QName Type Use Annotation
malware_subject_idref maecPackage:MalwareSubjectIDREFPattern required
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Simple Type maecPackage:MalwareSubjectIDREFPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectIDREFPattern defines the format for acceptable MAEC Malware Subject idrefs. A dash-delimited format is used, with the idref starting with the word maec, followed by a unique string, followed by the three letter code 'sub', and ending with an integer. An idref is only meaningful if it matches the id of a Malware Subject contained in the same Package.
Type restriction of xs:IDREF
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-sub-[1-9][0-9]*)
Simple Type maecPackage:MalwareSubjectIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The MalwareSubjectIDPattern defines the format for acceptable MAEC Malware Subject ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'sub', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-sub-[1-9][0-9]*)
Complex Type maecPackage:GroupingRelationshipListType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipListType captures a list of grouping relationships relating the Malware Subjects in a Package.
Diagram: Grouping_Relationship
Complex Type maecPackage:GroupingRelationshipType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The GroupingRelationshipType provides a mechanism for specifying the relationship that groups together the Malware Subjects in a Package.
Diagram: Type, Malware_Family_Name, Malware_Toolkit_Name, Clustering_Metadata
Complex Type maecPackage:ClusteringMetadataType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringMetadataType specifies the metadata regarding a particular method used to cluster malware.
Diagram: Algorithm_Name, Algorithm_Version, Algorithm_Parameters, Cluster_Size, Cluster_Description, Cluster_Composition
Complex Type maecPackage:ClusteringAlgorithmParametersType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusteringAlgorithmParametersType captures any parameters that may have been used in a malware clustering algorithm.
Diagram: Distance_Threshold, Number_of_Iterations
Complex Type maecPackage:ClusterCompositionType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterCompositionType captures the composition of a malware cluster via its edges and their respective connected nodes, as in an undirected graph.
Diagram: score_type, Edge_Node_Pair
Attributes
QName Type Use Annotation
score_type xs:string optional
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Complex Type maecPackage:ClusterEdgeNodePairType
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The ClusterEdgeNodePairType captures a single edge-node pair in a malware cluster, which is composed of the two Malware Subjects that correspond to the nodes connected to the edge (via references), and represents the similarity index between the two Malware Subjects.
Diagram: similarity_index, similarity_distance, Malware_Subject_Node_A, Malware_Subject_Node_B
Attributes
QName Type Use Annotation
similarity_distance xs:decimal optional
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
similarity_index xs:decimal optional
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Simple Type maecPackage:PackageIDPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The PackageIDPattern defines the format for acceptable MAEC Package ids. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'pkg', and ending with an integer.
Type restriction of xs:ID
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-pkg-[1-9][0-9]*)
Simple Type maecPackage:PackageIDREFPattern
Namespace http://maec.mitre.org/XMLSchema/maec-package-2
Annotations
The PackageIDREFPattern defines the format for acceptable MAEC Package idrefs. A dash-delimited format is used with the id starting with the word maec followed by a unique string, followed by the three letter code 'pkg', and ending with an integer.
Type restriction of xs:IDREF
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-pkg-[1-9][0-9]*)
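The ID patterns documented above (Package, Malware Subject, Analysis, Action Equivalence and Object Equivalence ids and idrefs) and the ClusterEdgeNodePairType rules (similarity_index and similarity_distance should sum to 1; a Cluster_Composition is an undirected graph whose nodes are Malware Subject references) are constraints that a consumer reading MAEC with a non-validating parser gets no help with, and even a validating XSD parser does not check the index/distance arithmetic. The script below is an added example, not code from the MAEC project or from the python-maec library; it uses only the Python standard library. The regexes are the MAEC-specific alternatives of the xs:ID/xs:IDREF patterns on this page. The sample package is constructed for the example and deliberately flawed; its element nesting follows the diagrams on this page (Grouping_Relationship, Clustering_Metadata, Cluster_Composition, Edge_Node_Pair, Malware_Subject_Node_A/B) but it is not claimed to be XSD-valid, since it omits child elements the full schema may require.

```python
"""Referential checks for a MAEC 2.0.1 Package (added example, stdlib only).

The ID regexes are the MAEC-specific alternatives of the xs:ID/xs:IDREF patterns on
this page; the index + distance == 1 rule and the undirected-graph reading of
Cluster_Composition are from the page too. The sample is constructed, deliberately
flawed, and not validated against the XSD here (that is a separate step).
"""
import re
import xml.etree.ElementTree as ET  # parse documents from untrusted sources with defusedxml
from decimal import Decimal

MAEC_NS = "http://maec.mitre.org/XMLSchema/maec-package-2"
NS = {"maecPackage": MAEC_NS}
ID_PATTERNS = {k: re.compile(r"maec-[A-Za-z0-9_\-.]+-%s-[1-9][0-9]*" % k)
               for k in ("pkg", "sub", "ana", "acteq", "objeq")}


def check_id(value, kind):
    # XSD patterns are implicitly anchored to the whole value, so use fullmatch;
    # re.match would accept trailing junk such as "maec-x-sub-1 ".
    return ID_PATTERNS[kind].fullmatch(value or "") is not None


def connected_components(edges):
    """Components of the undirected graph formed by the edge-node pairs."""
    comps = []
    for a, b in edges:
        hits = [c for c in comps if a in c or b in c]
        comps = [c for c in comps if c not in hits] + [{a, b}.union(*hits)]
    return sorted(sorted(c) for c in comps)


def check_package(xml_text):
    """Return {'findings': [...], 'subjects': set(), 'components': [...]}."""
    root = ET.fromstring(xml_text)
    findings, subjects, components = [], set(), []
    if not check_id(root.get("id"), "pkg"):
        findings.append("bad package id %r" % root.get("id"))
    for subj in root.iter("{%s}Malware_Subject" % MAEC_NS):
        sid = subj.get("id")
        if not check_id(sid, "sub"):
            findings.append("bad malware subject id %r" % sid)
        elif sid in subjects:  # ElementTree does not enforce xs:ID uniqueness
            findings.append("duplicate malware subject id %r" % sid)
        subjects.add(sid)
    # Every malware_subject_idref in the package (cluster nodes, subject
    # relationships, ...) must resolve to a subject declared in it.
    for el in root.iter():
        ref = el.get("malware_subject_idref")
        if ref is not None and ref not in subjects:
            findings.append("%s references unknown subject %r"
                            % (el.tag.rsplit("}", 1)[-1], ref))
    for composition in root.iter("{%s}Cluster_Composition" % MAEC_NS):
        edges = []
        for pair in composition.iter("{%s}Edge_Node_Pair" % MAEC_NS):
            nodes = [pair.find("maecPackage:Malware_Subject_Node_" + s, NS) for s in "AB"]
            if None in nodes:
                findings.append("Edge_Node_Pair is missing a node reference")
                continue
            a, b = [n.get("malware_subject_idref") for n in nodes]
            idx, dist = pair.get("similarity_index"), pair.get("similarity_distance")
            # xs:decimal attributes: compare exactly, not as binary floats
            if idx is not None and dist is not None and Decimal(idx) + Decimal(dist) != 1:
                findings.append("pair %s/%s: similarity_index %s + similarity_distance %s != 1"
                                % (a, b, idx, dist))
            if a in subjects and b in subjects:  # dangling references were reported above
                edges.append((a, b))
        components.extend(connected_components(edges))
    return {"findings": findings, "subjects": subjects, "components": components}


# Constructed sample: a malformed subject id, a dangling node reference, an inconsistent pair.
SAMPLE_PACKAGE = """
<maecPackage:MAEC_Package xmlns:maecPackage="%s"
    id="maec-example-pkg-1" schema_version="2.0.1" timestamp="2013-06-01T12:00:00Z">
  <maecPackage:Malware_Subjects>
    <maecPackage:Malware_Subject id="maec-example-sub-1"/>
    <maecPackage:Malware_Subject id="maec-example-sub-2"/>
    <maecPackage:Malware_Subject id="maec-example-sub-03"/>
  </maecPackage:Malware_Subjects>
  <maecPackage:Grouping_Relationships>
    <maecPackage:Grouping_Relationship>
      <maecPackage:Clustering_Metadata>
        <maecPackage:Cluster_Composition score_type="similarity">
          <maecPackage:Edge_Node_Pair similarity_index="0.85" similarity_distance="0.15">
            <maecPackage:Malware_Subject_Node_A malware_subject_idref="maec-example-sub-1"/>
            <maecPackage:Malware_Subject_Node_B malware_subject_idref="maec-example-sub-2"/>
          </maecPackage:Edge_Node_Pair>
          <maecPackage:Edge_Node_Pair similarity_index="0.70" similarity_distance="0.40">
            <maecPackage:Malware_Subject_Node_A malware_subject_idref="maec-example-sub-2"/>
            <maecPackage:Malware_Subject_Node_B malware_subject_idref="maec-example-sub-9"/>
          </maecPackage:Edge_Node_Pair>
        </maecPackage:Cluster_Composition>
      </maecPackage:Clustering_Metadata>
    </maecPackage:Grouping_Relationship>
  </maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>
""" % MAEC_NS
```

Running check_package(SAMPLE_PACKAGE) reports three findings: the subject id maec-example-sub-03 violates the [1-9][0-9]* tail, Malware_Subject_Node_B points at a subject that is not in the package, and the second pair's 0.70 + 0.40 does not equal 1. Two points carry over to real consumers: check_id uses fullmatch because XSD patterns match the whole value, whereas re.match would accept an id with trailing characters, and the similarity attributes are xs:decimal, so they are compared with Decimal rather than float. MAEC packages are exchanged between organizations, so a document from an untrusted source should be parsed with defusedxml rather than xml.etree, which does not protect against entity-expansion attacks.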
Attribute maecPackage:CommentType / @author
Namespace No namespace
Annotations
The author field specifies the name of the author that added the comment.
Type xs:string
Attribute maecPackage:CommentType / @timestamp
Namespace No namespace
Annotations
The timestamp field specifies the date/time that the comment was added.
Type xs:dateTime
Attribute maecPackage:CapturedProtocolType / @layer7_protocol
Namespace No namespace
Annotations
The layer7_protocol field specifies the name of the Layer 7 network protocol (OSI model) captured or manipulated by the analysis environment.
Type maecPackage:Layer7ProtocolEnum
Facets
enumeration http
The http value specifies the Hypertext Transfer Protocol (HTTP).
enumeration https
The https value specifies the Hypertext Transfer Protocol Secure (HTTPS).
enumeration ftp
The ftp value specifies the File Transfer Protocol (FTP).
enumeration ftps
The ftps value specifies the File Transfer Protocol Secure (FTPS).
enumeration smtp
The smtp value specifies the Simple Mail Transfer Protocol (SMTP).
enumeration smtps
The smtps value specifies the Simple Mail Transfer Protocol Secure (SMTPS).
enumeration pop3
The pop3 value specifies the Post Office Protocol version 3 (POP3).
enumeration pop3s
The pop3s value specifies the Post Office Protocol version 3 Secure (POP3S).
enumeration irc
The irc value specifies the Internet Relay Chat (IRC) protocol.
enumeration dns
The dns value specifies the Domain Name System (DNS) protocol.
enumeration rdp
The rdp value specifies the Remote Desktop Protocol (RDP).
enumeration rpc
The rpc value specifies a Remote Procedure Call (RPC) protocol, such as MSRPC.
enumeration ssh
The ssh value specifies the Secure Shell (SSH) protocol.
enumeration telnet
The telnet value specifies the Telnet protocol.
Attribute maecPackage:CapturedProtocolType / @layer4_protocol
Namespace No namespace
Annotations
The layer4_protocol field specifies the name of the Layer 4 network protocol (OSI model) captured or manipulated by the analysis environment.
Type maecPackage:Layer4ProtocolEnum
Facets
enumeration tcp
The tcp value specifies the Transmission Control Protocol (TCP).
enumeration udp
The udp value specifies the User Datagram Protocol (UDP).
Attribute maecPackage:CapturedProtocolType / @port_number
Namespace No namespace
Annotations
The port_number field specifies the port number for this network protocol that is captured or manipulated by the analysis environment.
Type xs:positiveInteger
Attribute maecPackage:CapturedProtocolType / @interaction_level
Namespace No namespace
Annotations
The interaction_level field specifies the relative level of interaction that the analysis environment has with the specified network protocol.
Type maecPackage:InteractionLevelEnum
Facets
enumeration high
The high value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to decode/identify any common protocols used by the malware. The level of decode/protocol support can be subjective and dependent on the particular environment.
enumeration low
The low value specifies that, for the specified protocol, the analysis environment will accept the packets and will identify the initial connection request. No further interaction is performed.
enumeration honeytrap
The honeytrap value specifies that, for the specified protocol, the analysis environment will establish the connection and attempt to interact with outgoing requests. The level of interaction can be subjective and dependent on the particular environment.
enumeration live
The live value specifies that, for the specified protocol, the analysis environment allows the malware to connect out to the real (unemulated) IP.
enumeration none
The none value specifies that, for the specified protocol, the analysis environment does not support or perform any level of interaction.
Attribute maecPackage:AnalysisType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Analysis. The ID must follow the pattern defined in the AnalysisIDPattern simple type.
Type maecPackage:AnalysisIDPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-ana-[1-9][0-9]*)
Attribute maecPackage:AnalysisType / @type
Namespace No namespace
Annotations
The type field specifies the type of malware analysis being performed.
Type maecPackage:AnalysisTypeEnum
Facets
enumeration triage
The triage value specifies a cursory, triage-type malware analysis, commonly automated and performed with one or more tools.
enumeration manual
The manual value specifies an in-depth, manual malware analysis, typically performed by a human analyst.
Attribute maecPackage:AnalysisType / @method
Namespace No namespace
Annotations
The method field specifies the analysis method used in the analysis.
Type maecPackage:AnalysisMethodEnum
Facets
enumeration static
The static value specifies a static malware analysis method, which is achieved by inspecting but not executing the malware instance.
enumeration dynamic
The dynamic value specifies a dynamic malware analysis method, which is achieved by executing the malware instance and observing its behavior, without inspecting its code.
enumeration combination
The combination value specifies a combination of dynamic and static malware analysis, achieved by both inspecting and executing the malware instance.
Attribute maecPackage:AnalysisType / @ordinal_position
Namespace No namespace
Annotations
The ordinal_position field specifies the ordering of the analysis with respect to the other analyses performed on the Malware Subject.
Type xs:positiveInteger
Attribute maecPackage:AnalysisType / @start_datetime
Namespace No namespace
Annotations
The start_datetime field specifies the date/time the analysis was started.
Type xs:dateTime
Attribute maecPackage:AnalysisType / @complete_datetime
Namespace No namespace
Annotations
The complete_datetime field specifies the date/time the analysis was completed.
Type xs:dateTime
Attribute maecPackage:AnalysisType / @lastupdate_datetime
Namespace No namespace
Annotations
The lastupdate_datetime field specifies the date/time the analysis was last updated.
Type xs:dateTime
Attribute maecPackage:ActionEquivalenceType / @id
Namespace No namespace
Annotations
The required id field specifies the ID for the Action Equivalence, and must be of the format specified by the ActionEquivalenceIDPattern type.
Type maecPackage:ActionEquivalenceIDPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-acteq-[1-9][0-9]*)
Attribute maecPackage:ObjectEquivalenceType / @id
Namespace No namespace
Annotations
The required id field specifies the ID for the Object Equivalence, and must be of the format specified by the ObjectEquivalenceIDPattern type.
Type maecPackage:ObjectEquivalenceIDPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-objeq-[1-9][0-9]*)
Attribute maecPackage:MalwareSubjectReferenceType / @malware_subject_idref
Namespace No namespace
Annotations
The malware_subject_idref field provides a reference to a Malware Subject contained in the Package, via its ID.
Type maecPackage:MalwareSubjectIDREFPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-sub-[1-9][0-9]*)
Attribute maecPackage:MalwareSubjectType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Malware Subject. The ID must follow the pattern defined in the MalwareSubjectIDPattern simple type.
Type maecPackage:MalwareSubjectIDPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-sub-[1-9][0-9]*)
Attribute maecPackage:ClusterEdgeNodePairType / @similarity_index
Namespace No namespace
Annotations
The similarity_index field specifies the similarity index between the two Malware Subjects being referenced (indicating how similar they are), as a decimal value. This value should be equivalent to 1 minus the similarity distance value (if included).
Type xs:decimal
Attribute maecPackage:ClusterEdgeNodePairType / @similarity_distance
Namespace No namespace
Annotations
The similarity_distance field specifies the similarity distance between the two Malware Subjects being referenced (indicating how dissimilar they are), as a decimal value. This value should be equivalent to 1 minus the similarity index value (if included).
Type xs:decimal
Attribute maecPackage:ClusterCompositionType / @score_type
Namespace No namespace
Annotations
For clustering algorithms that may capture different types of scores, the score_type attribute specifies the type of score used to define the composition of this malware cluster.
Type xs:string
Attribute maecPackage:PackageType / @id
Namespace No namespace
Annotations
The required id field specifies a unique ID for this Package. The ID must follow the pattern defined in the PackageIDPattern simple type.
Type maecPackage:PackageIDPattern
Facets
pattern (\i\c*) & ([\i-[:]][\c-[:]]*) & (maec-[A-Za-z0-9_\-\.]+-pkg-[1-9][0-9]*)
Attribute maecPackage:PackageType / @schema_version
Namespace No namespace
Annotations
The required schema_version field specifies the version of the MAEC Package schema that the document has been written in and that should be used for validation.
Type xs:string
Attribute maecPackage:PackageType / @timestamp
Namespace No namespace
Annotations
The timestamp field specifies the date/time that the Package was generated.
Type xs:dateTime