Version 2.0 (Archive)

This page provides information on the current release of the MAEC Language. All information about the current release is included in this centralized location.

All items in this release remain open for discussion, and any comments or feedback are greatly appreciated on MITRE’s Handshake collaboration Web site and/or the MAEC Discussion List. Please see the schema or schema documentation below for more information.

Version 2.0 of the MAEC core schema represents a significant set of changes to improve the expressiveness of the schema, particularly in terms of profiling actions performed by malware and the objects that are associated with these actions, and as such is not backwards compatible with MAEC 1.x. MAEC 2.0 imports and utilizes components of version 0.7 of the Cyber Observables Expression (CybOX™) Schema, where appropriate. Please see the summary changes below for more information.

Downloads

Includes downloads for the Version 2.0 Schemas, Version 2.0 Example Files, and related documentation.

KEY

  • Complete Schema — has all documentation embedded.
  • Documentation html — element dictionaries, which users can elect to view in a browser or save.
  • All files zip — all the files in a section zipped together to allow for one simple download.
  • xsd/xml — a user can either right click to download the file or left click to open the file in their default viewer.

MAEC Schema Downloads

File Name     Complete Schema     Documentation
MAEC Core     xsd                 html

MAEC Example Content Downloads

File Name                    XML
All Files                    zip
Static Malware Triage        xml
Dynamic Malware Triage       xml
Manual Malware Analysis      xml

Previous Version Differences Report

  • The MAEC Object Type has been extensively reworked. It now extends the CybOX Object Type, which permits object compatibility across multiple efforts, as well as much improved object typing and granularity through the use of the CybOX defined objects. For the currently available set of CybOX defined objects, please see the CybOX 0.7 objects schemas at http://cybox.mitre.org/XMLSchema/CybOX_v0.7_Objects.zip. For examples of the instantiation of these new MAEC objects, please refer to the MAEC example content above.
  • The MAEC Action Type has been significantly revised, and now extends the CybOX Action Type. One of the main changes in this regard has been vastly improved expressiveness, allowing for the unambiguous characterization of complex actions upon objects, such as actions that operate upon some specific object attribute. For examples of these revised actions, please refer to the dynamic analysis triage or manual malware analysis examples in the MAEC example content above.
  • A new type, the Indicator Type, has been implemented. This type is used for defining MAEC Object-based indicators for malware and related entities, such as Actions and Behaviors, along with any additional context behind the indicator. An indicator in this context can be defined as the particular set of objects that can be used to identify the presence of malware on a system.
  • All MAEC entity IDs have had their pattern redefined to use a dash (‘-’) as a separator instead of a colon, in order to ensure compatibility with xs:id and xs:idref types.
  • A new type associated with the Indicator Type, the Target Type, has been implemented. This type provides a mechanism for characterizing the particular entity being targeted by an indicator or signature, whether it is a particular malware instance, object, action, behavior, family, or class.
  • All attributes, elements, and types have been annotated.
  • All ID attributes are now optional.
  • The schema now imports and uses the latest version, v1.2, of the IEEE ICSG Malware Metadata Exchange Format (MMDEF) Schema.
  • All Reference Types (e.g., ActionReferenceType) have been deprecated, and in their place the corresponding MAEC entities have been modified to include an IDREF attribute, serving as a reference to a unique ID for that entity type.
  • As part of the consolidation/redefinition of the Action Type, the Effect Type and associated elements have been deprecated. Effects upon objects are now implicit in the MAEC Action context, and can be abstracted from the actions that make up a MAEC Behavior in this context.
  • The MAEC Bundle Type has been revised, and now includes elements for storing Objects and Indicators at the root level, along with an attribute for specifying the date/time of generation. Similarly, the Pools element has been deprecated and replaced with a Collections element for storing the various collection types.
  • The MAEC Analysis Type has been revised, and now includes attributes for specifying the type of analysis performed and the method used. Also added were elements for specifying the findings of the analysis in terms of observed MAEC Actions and Behaviors, along with elements for specifying comments, summary information about the analysis, and the report generated as part of the analysis. The anonymous typed Subject element was also changed to use the new Analysis Subject Type (described below) as its base type.
  • A new type, the Analysis Subject Type, was added. The AnalysisSubjectType complex type provides a method for characterizing the particular subject of a malware analysis, and incorporates several of the elements included in the old Subject anonymous type from the Analysis Type, along with new ones for characterizing the command line used to launch the malware binary, the duration of the analysis, and the exit code returned after the subject binary exited.
  • A new type, the Related Object Type, has been implemented. This type provides a method for the characterization of relationships among MAEC Objects, and is intended to redefine the CybOX Related Object Type, for the purpose of using MAEC Objects in this context.
  • A new type, the Associated Object Type, has been implemented. This type represents the characterization of a malware Object associated with a given malware Action, and is intended to redefine the CybOX Associated Object Type, for the purpose of using MAEC Objects in this context.
  • A new type, the Stateful Measure Type, has been implemented. This type represents a cyber observable property that is statically stateful in nature (e.g., a registry key holding a certain value, a specific mutex existing or a file having a specific MD5 hash), and is intended to redefine the CybOX Stateful Measure Type, for the purpose of using MAEC Objects in this context.
  • A new type, the Observable Type, has been implemented. This type represents a description of a single cyber observable, and is intended to redefine the CybOX Stateful Measure Type, for the purpose of using MAEC Objects in this context.
  • A new type, the Comments Type, has been implemented. This type provides a simple way of capturing any comments related to malware-associated entities, such as analyses and indicators.
  • A new type, the Source Type, has been implemented. This type provides a way of characterizing the external source of a relevant MAEC entity, such as an analysis or indicator.
  • A new type, the Indicator Collection Type, has been implemented. This type provides a mechanism for characterizing collections of indicators.
  • A new type, the Base Collection Type, has been implemented. All other MAEC collection types now extend this type.
  • All uses of the ToolType have been replaced with the CybOX ToolInformationType. Subsequently, the ToolType and its associated entities have been deprecated.
  • The Language Enum type has been renamed to Programming Language Enum for clarity.
  • The following types have been deprecated as a result of the CybOX Object Type and Action Type integration: DataType, HashType, PEDataDirectoryStruct, PEExportType, PEImportType, PEResourceType, PESectionHeaderStruct, PESectionType, PEStringType, StructuredTextType, ActionTypeEnum, FileTypeEnum, HashTypeEnum, ObjectTypeEnum, and PackerTypeEnum.
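Two of the changes above (IDs now use a dash separator so they are valid xs:ID values, and Reference Types are replaced by IDREF attributes) share one practical consequence: a consumer of MAEC content can rely on ordinary XML ID/IDREF semantics to validate and resolve cross-references. The following Python is an added example, not MAEC project code. It assumes a simplified, constructed document (the element names Bundle, Object, Action and Associated_Object and the attribute names id/idref are stand-ins, and the sample IDs are invented); it checks only the xs:ID constraint the page cites as the motivation, namely that an ID or IDREF must be an NCName, and does not encode the actual MAEC 2.0 ID pattern, which this page does not give.

```python
import re
import xml.etree.ElementTree as ET

# xs:ID and xs:IDREF values must be NCNames: an XML Name containing no colon and
# starting with a letter or underscore. A colon-separated ID such as "a:b:1"
# therefore fails, which is why the release moved to dashes. This regex covers
# the ASCII subset, which is all the constructed samples below require.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed sample (not real MAEC content): dash-separated IDs, every idref
# resolves to exactly one id.
SAMPLE_DASH_IDS = """<Bundle>
  <Objects>
    <Object id="maec-obj-1"/>
    <Object id="maec-obj-2"/>
  </Objects>
  <Actions>
    <Action id="maec-act-1">
      <Associated_Object idref="maec-obj-1"/>
      <Associated_Object idref="maec-obj-2"/>
    </Action>
  </Actions>
</Bundle>"""

# Constructed sample with three defects an xs:ID-aware validator would reject:
# a colon-separated ID (not an NCName), a duplicated ID, and a dangling idref.
SAMPLE_COLON_IDS = """<Bundle>
  <Objects>
    <Object id="maec:obj:1"/>
    <Object id="maec-obj-2"/>
    <Object id="maec-obj-2"/>
  </Objects>
  <Actions>
    <Action id="maec-act-1">
      <Associated_Object idref="maec:obj:1"/>
      <Associated_Object idref="maec-obj-99"/>
    </Action>
  </Actions>
</Bundle>"""


def is_valid_ncname(value):
    """True if value is usable as an xs:ID or xs:IDREF (ASCII NCName check)."""
    return bool(NCNAME_RE.match(value))


def check_references(xml_text):
    """Report IDs that are not NCNames, duplicated IDs, and idrefs with no target.

    xs:ID uniqueness is document-wide, so ids are collected across every element
    regardless of its type before any idref is resolved.
    """
    root = ET.fromstring(xml_text)
    seen, invalid, duplicates, dangling = set(), [], [], []
    for elem in root.iter():
        for attr in ("id", "idref"):
            value = elem.get(attr)
            if value is not None and not is_valid_ncname(value):
                invalid.append(value)
        ident = elem.get("id")
        if ident is not None:
            if ident in seen:
                duplicates.append(ident)
            seen.add(ident)
    for elem in root.iter():
        ref = elem.get("idref")
        if ref is not None and ref not in seen:
            dangling.append(ref)
    return {
        "ids": sorted(seen),
        "invalid": invalid,
        "duplicates": duplicates,
        "dangling": dangling,
    }


def resolve_idref(root, ref):
    """Return the element whose id matches ref, or None (the IDREF-style lookup
    that replaces the deprecated *ReferenceType wrappers)."""
    return next((e for e in root.iter() if e.get("id") == ref), None)


if __name__ == "__main__":
    for name, doc in (("dash", SAMPLE_DASH_IDS), ("colon", SAMPLE_COLON_IDS)):
        print(name, check_references(doc))
```

Running the module prints an empty defect list for the dash-separated sample and flags "maec:obj:1", the duplicated "maec-obj-2" and the dangling "maec-obj-99" in the second. A schema-aware validator enforces the same three conditions automatically once the attributes are typed xs:ID and xs:IDREF, which is the compatibility the dash separator buys.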

Page Last Updated: April 25, 2013