Version 3.0 (Archive)

This page provides information on the version 3.0 release of the MAEC Language. All information about the new version is included in this centralized location. Join the MAEC Community to participate in the next version of MAEC.

Downloads

Includes downloads for the Version 3.0 Schemas, Version 3.0 Example Files, Version 3.0 Schematron Rules, and related documentation.

KEY

  • Complete Schema — has all documentation embedded.
  • Documentation html — element dictionaries, which users can elect to view in a browser or save.
  • All files zip — all the files in a section zipped together to allow for one simple download.
  • xsd/xml/sch — a user can either right click to download the file or left click to open the file in their default viewer.

MAEC Schema Downloads

File Name Schema Version Complete Schema Documentation Schematron
All Files n/a zip n/a n/a
MAEC Bundle 3.0 xsd html sch | xsl
MAEC Package 1.0 xsd html n/a
MAEC Container 1.0 xsd html n/a
Back to top

Release Notes

The major highlights of Version 3.0 are listed below:

MAEC v3.0 represents a major version of the MAEC Language, and consists of three schemas:

  • Version 3.0 of the MAEC Bundle schema, a revised version of the v2.1 MAEC core schema, which also defined the Bundle. A MAEC Bundle is intended to capture all of the analysis derived characteristics for a single malware instance, including any observed MAEC Behaviors or Actions, and any related MAEC Objects.
  • Version 1.0 of the new MAEC Package schema. A MAEC Package is intended to characterize all known data for one or more malware instances, including their analysis derived characteristics (via MAEC Bundles) and any associated analysis or other metadata.
  • Version 1.0 of the new MAEC Container schema. A MAEC Container is intended to serve as a transport mechanism for one or more MAEC Packages.

Some of the new features in MAEC 3.0 include:

  • A significant structural re-organization of functionality and scope through the multiple MAEC schemas, thus permitting the use of only the particular schema(s) that are relevant to the individual end-user.
  • The ability to capture equivalences between identical Actions and Objects, for use as a single units as well as analytical observations, through the new MAEC Package.
  • The ability to explicitly capture the process tree for an executed malware instance, through the revised MAEC Bundle.
  • Many revisions to existing types, for the purpose of streamlining and clarifying their intent and use.
  • The import and usage of the Cyber Observable eXpression (CybOX™) Version 1.0 final.

For more information please see the detailed Release Notes or schema annotations linked to above.

Back to top

Samples

Sample content for MAEC 3.0 is included below.

MAEC Example Content

File Name XML
All Files zip
Bundle Artifact xml
Bundle Candidate Indicator xml
Bundle Dynamic Triage Tool Output xml
Bundle Malicious Webpage xml
Bundle Object Re-use xml
Container Multiple Package xml
Package Action Equivalency xml
Package Clustering xml
Package Dynamic Triage xml
Package Manual Analysis xml
Package Multi-Partite Malware xml
Package Multiple Analysis xml
Package Static Triage xml
Back to top

Timeline

PLANNING DRAFT(S) RELEASE CANDIDATE OFFICIAL
05 December 2012

Status Reports

Status updates are included below. You may also review the MAEC Community Discussion Archive for discussions about Version 3.0.

[2012-12-05]
Version 3.0 has been officially released. Many thanks to all in the MAEC Community who helped with this update release.
Back to top

Page Last Updated: September 25, 2013