MAEC v4.0 Release Notes
April 26, 2013

MAEC v4.0 consists of four schemas:

- Version 4.0 of the MAEC Bundle schema
- Version 2.0 of the MAEC Package schema
- Version 2.0 of the MAEC Container schema
- Version 1.0.0 of the MAEC Default Vocabularies schema, which defines the default controlled vocabularies used within MAEC v4.0

While the changes in this release are not numerous, they are significant enough to break backwards compatibility with MAEC 3.0 and thus necessitate a new major version of MAEC. The new feature highlights and changes for this release are provided below.

New Feature Highlights

- The import and usage of the Cyber Observable eXpression (CybOX) v2.0
- The addition of the MAEC Default Vocabularies schema
- Better support for AV scanner results
- Support for characterizing minor variants of a malware subject

High-Level Changes

- The MAEC Bundle, Package, and Container schemas were updated to incorporate CybOX v2.0. This update was the primary driving force behind creating a new major version of MAEC, because CybOX v2.0 is not compatible with CybOX v1.0.
- The MAEC Default Vocabularies schema was created to take advantage of the extension mechanisms of the controlled vocabularies newly defined in CybOX 2.0. The default vocabularies were added as a separate schema to define the default controlled vocabularies used within MAEC v4.0. Version 1.0.0 of the Default Vocabularies schema defines default vocabularies for Package Grouping Relationships, Malware Subject Relationships, Action Names, Action/Object Association Types, Candidate Indicator Importance Measures, and Malware Entity Types.
- MAEC offers a more standard method of capturing AV scanner results in a Bundle. By combining one or more Analyses in a Malware Subject with their corresponding Bundles, MAEC can capture the historical context of AV runs, which is useful for recording information such as the different classifications assigned to a malware sample over time.
- MAEC is able to capture observed simple variations of a Malware Subject (e.g., the same file with a different filename).

MAEC Bundle Changes

- In BundleType, updated the schema_version attribute to a fixed value of 4.0.
- Renamed the Bundle schema file to use underscores rather than dashes as separators.
- In order to provide better support for AV scanner results:
  o Defined a new complex type, AVClassificationType, which extends cyboxCommon:ToolInformationType with three new elements: Engine_Version, Definition_Version, and Classification_Name.
  o Added the AV_Classifications element, of type AVClassificationsType, to the root level of the BundleType. The AV_Classifications element contains 1-n AVClassificationType objects, which capture any Anti-Virus scanner tool classifications of the malware instance object.
- Changed all uses of "element" and "attribute" to "field" in the annotations.
- In MalwareEntityType, removed the type attribute and created an element named Type of type cyboxCommon:ControlledVocabularyStringType. Moved MalwareEntityTypeEnum to the controlled vocabularies schema.
- In CandidateIndicatorType, removed the importance attribute and created an element named Importance of type cyboxCommon:ControlledVocabularyStringType. Removed the numeric_importance attribute and created an element named Numeric_Importance of type xs:positiveInteger. Moved ImportanceTypeEnum to the controlled vocabularies schema.
- Changed enumeration definitions to conform to a lowercase, whitespace-delimited convention.
- Moved all enumerations, except for BundleContentTypeEnum and ActionImplementationTypeEnum, into the MAEC Default Vocabularies schema.
- Refactored all remaining enumerations to conform to the lowercase, whitespace-delimited convention.
- Fixed the annotation for ActionImplementationTypeEnum.
- Changed the minOccurs value of the Composition element in CandidateIndicatorType from 0 to 1.
MAEC Package Changes

- In PackageType, updated the schema_version attribute to a fixed value of 2.0.
- Renamed the Package schema file to use underscores rather than dashes as separators.
- In order to provide support for characterizing minor variants of a malware subject:
  o Defined the MinorVariantListType type to capture a list of minor variants of a Malware Subject's malware instance object. Each embedded Minor_Variant element, of type cybox:ObjectType, captures a single minor variant of the Malware Subject.
  o Added the Minor_Variants element, of type MinorVariantListType, to the root level of the MalwareSubjectType.
- Changed all uses of "element" and "attribute" to "field" in the annotations.
- In GroupingRelationshipType, removed the type attribute and created an element named Type of type cyboxCommon:ControlledVocabularyStringType. Removed the other_type attribute. Moved GroupingRelationshipTypeEnum to the vocabularies schema.
- In MalwareSubjectRelationshipType, removed the type attribute and created an element named Type of type cyboxCommon:ControlledVocabularyStringType. Moved MalwareSubjectRelationshipTypeEnum to the vocabularies schema.
- Refactored all remaining enumerations to conform to the lowercase, whitespace-delimited convention.
- In AnalysisType, changed the type of the Summary element from xs:string to cyboxCommon:StructuredTextType.
- Changed the base type of CommentType from xs:string to cyboxCommon:StructuredTextType.
- Added an annotation to the id attribute of the AnalysisType type.
- Updated imports to use the newly renamed Bundle schema.

MAEC Container Changes

- Updated the schema_version attribute to a fixed value of 2.0.
- Renamed the Container schema file to use underscores rather than dashes as separators.
- Updated imports to use the newly renamed Bundle and Package schemas.

MAEC Default Vocabularies

The MAEC Default Vocabularies schema was added to define the default controlled vocabularies used within MAEC v4.0.
MAEC default vocabularies can be referenced from the appropriate MAEC elements by using the xsi:type attribute to indicate the expected default vocabulary. The enumerations associated with the default vocabularies resulted primarily from splitting the CybOX Action Names enumeration into separate enumerations for each class of objects used in MAEC (e.g., FileActionNameEnum, NetworkActionNameEnum). The enumerations taken from CybOX were supplemented as needed (e.g., layer 7 protocol enumerations were added).

An individual vocabulary may be revised at any time. Revisions to a vocabulary result in the creation of new types with the new version number embedded in the type name (e.g., FileActionNameVocab-1.0 might be updated to FileActionNameVocab-1.1 or FileActionNameVocab-2.0), so a document that references a vocabulary by xsi:type pins the exact vocabulary version it was written against.
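As an added example (not part of these release notes and not code from the MAEC project), the following Python script shows what the Bundle 4.0 AV_Classifications structure and the versioned xsi:type vocabulary references described above look like when consumed: it parses a constructed MAEC v4.0 Bundle fragment, extracts each AV scanner classification, checks that every xsi:type reference names a versioned vocabulary type whose prefix resolves to the default vocabularies namespace, and checks the Numeric_Importance element against its xs:positiveInteger type. The namespace URIs, the AV_Classification child element name, and the ImportanceTypeVocab-1.0 type name are assumptions made for the illustration; the sample XML is constructed, is not schema-complete (it omits the now-required Composition element), and the second Candidate_Indicator carries deliberate mistakes so the checks have something to report.

```python
# Added example, not from the MAEC release notes or schemas; see lead-in for assumptions.
import io
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Namespace URIs are assumptions; check them against the MAEC v4.0 schema files.
NS = {
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "maecVocabs": "http://maec.mitre.org/default_vocabularies-1",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}
# Versioned vocabulary type name: <prefix>:<Name>Vocab-<major>.<minor>, e.g. FileActionNameVocab-1.0
VOCAB_RE = re.compile(r"^(?P<prefix>[\w.-]+):(?P<name>[A-Za-z]\w*Vocab)-(?P<major>\d+)\.(?P<minor>\d+)$")

# Constructed sample Bundle (not schema-complete): two AV classifications plus two
# candidate indicators, the second with deliberate mistakes. The AV_Classification
# element name and the ImportanceTypeVocab-1.0 type name are assumptions.
SAMPLE_BUNDLE = """<maecBundle:MAEC_Bundle id="example-bnd-1" schema_version="4.0"
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4"
    xmlns:maecVocabs="http://maec.mitre.org/default_vocabularies-1"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <maecBundle:AV_Classifications>
    <maecBundle:AV_Classification>
      <cyboxCommon:Name>ExampleAV</cyboxCommon:Name>
      <cyboxCommon:Vendor>Example Vendor</cyboxCommon:Vendor>
      <maecBundle:Engine_Version>7.1.0</maecBundle:Engine_Version>
      <maecBundle:Definition_Version>20130426</maecBundle:Definition_Version>
      <maecBundle:Classification_Name>Trojan.Generic</maecBundle:Classification_Name>
    </maecBundle:AV_Classification>
    <maecBundle:AV_Classification>
      <cyboxCommon:Name>OtherScanner</cyboxCommon:Name>
      <maecBundle:Engine_Version>3.2</maecBundle:Engine_Version>
      <maecBundle:Definition_Version>2013-04-25</maecBundle:Definition_Version>
      <maecBundle:Classification_Name>W32/Dropper.A</maecBundle:Classification_Name>
    </maecBundle:AV_Classification>
  </maecBundle:AV_Classifications>
  <maecBundle:Candidate_Indicators>
    <maecBundle:Candidate_Indicator id="example-ci-1">
      <maecBundle:Importance xsi:type="maecVocabs:ImportanceTypeVocab-1.0">high</maecBundle:Importance>
      <maecBundle:Numeric_Importance>75</maecBundle:Numeric_Importance>
    </maecBundle:Candidate_Indicator>
    <maecBundle:Candidate_Indicator id="example-ci-2">
      <maecBundle:Importance xsi:type="maecVocabs:ImportanceTypeVocab">low</maecBundle:Importance>
      <maecBundle:Numeric_Importance>0</maecBundle:Numeric_Importance>
    </maecBundle:Candidate_Indicator>
  </maecBundle:Candidate_Indicators>
</maecBundle:MAEC_Bundle>"""


def prefix_map(xml_text):
    # ElementTree drops prefixes, but an xsi:type QName can only be resolved via its prefix.
    source = io.BytesIO(xml_text.encode("utf-8"))
    return {prefix: uri for _, (prefix, uri) in ET.iterparse(source, events=("start-ns",))}


def extract_av_classifications(xml_text):
    """One dict per AV_Classification: ToolInformationType base fields plus the three
    fields added in Bundle 4.0 (Engine_Version, Definition_Version, Classification_Name)."""
    root = ET.fromstring(xml_text)
    fields = {"scanner": "cyboxCommon:Name", "vendor": "cyboxCommon:Vendor",
              "engine_version": "maecBundle:Engine_Version",
              "definition_version": "maecBundle:Definition_Version",
              "classification": "maecBundle:Classification_Name"}
    return [{key: av.findtext(path, default="", namespaces=NS) for key, path in fields.items()}
            for av in root.iterfind("maecBundle:AV_Classifications/maecBundle:AV_Classification", NS)]


def check_vocab_references(xml_text):
    """(element local name, xsi:type, problem or None) for every xsi:type in the document:
    the type name must carry a version and its prefix must map to the default vocabularies."""
    nsmap = prefix_map(xml_text)
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        xsi_type = elem.get(XSI_TYPE)
        if xsi_type is None:
            continue
        local = elem.tag.rsplit("}", 1)[-1]
        match = VOCAB_RE.match(xsi_type)
        if match is None:
            findings.append((local, xsi_type, "missing version suffix or not a vocabulary type"))
        elif nsmap.get(match["prefix"]) != NS["maecVocabs"]:
            findings.append((local, xsi_type, "prefix is not the MAEC default vocabularies namespace"))
        else:
            findings.append((local, xsi_type, None))
    return findings


def check_numeric_importance(xml_text):
    """Numeric_Importance is an xs:positiveInteger element in Bundle 4.0; return
    (indicator id, value) for each one that is not a positive integer."""
    bad = []
    for ci in ET.fromstring(xml_text).iterfind(".//maecBundle:Candidate_Indicator", NS):
        ni = ci.find("maecBundle:Numeric_Importance", NS)
        value = (ni.text or "").strip() if ni is not None else None
        if value is not None and not (value.isdigit() and int(value) > 0):
            bad.append((ci.get("id"), value))
    return bad


if __name__ == "__main__":
    print(extract_av_classifications(SAMPLE_BUNDLE))
    print(check_vocab_references(SAMPLE_BUNDLE))
    print(check_numeric_importance(SAMPLE_BUNDLE))
```

Running the script prints the two scanner verdicts (scanner name, engine version, definition version, and classification name, with the missing Vendor reported as an empty string), flags the second indicator's unversioned ImportanceTypeVocab reference, and reports its Numeric_Importance of 0. The version check matters in practice because a consumer that maps vocabulary terms to its own taxonomy needs to know which revision of the vocabulary (e.g., FileActionNameVocab-1.0 versus 1.1) the producer was using; an unversioned reference leaves that ambiguous.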