-
Notifications
You must be signed in to change notification settings - Fork 16
Proposal: Allow AV Classifications to be captured for any CybOX Object
Status: Open
Comment Period Closes:
Affects Backwards Compatibility: No
Relevant Issues: https://github.com/MAECProject/schemas/issues/99
Currently, AV Classifications can only be captured for a malware instance characterized by a Malware Subject or Bundle (via the Malware_Instance_Object_Attributes field). Unfortunately this means that AV Classifications cannot be captured for other CybOX Objects, such as those that result from Actions.
This proposal is related to the following proposed changes to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Bundle-(as-output-format)
We propose to make the AVClassificationType an extension of the CybOX DomainSpecificAttributesType, so that it can be used in the Domain_Specific_Object_Properties field on a CybOX Object.
The maecBundle:AVClassificationsType and the maecBundle:AVClassificationType (which extended cyboxCommon:ToolInformationType) will be deprecated.
We propose a new AVClassificationsType, defined in the Package schema, to capture a set of one or more AV Classifications of CybOX Objects:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| AV_Classification | AVClassificationType |
1-* | The AV_Classification field captures a single AV classification of a CybOX Object. |
A new AVClassificationType, defined in the Package schema, would characterize AV-classification related data and extend the cybox:DomainSpecificAttributesType base type with the following fields:
| Field | Type | Multiplicity | Description |
|---|---|---|---|
| @id | QName |
0-1 | The id field specifies a unique identifier for the AV Classification. It can be used to reference an AV classification from an Analysis. |
| @scan_date | xs:dateTime |
0-1 | The scan_date field specifies the date and time of the scan. This field can be used to capture how a scan changes over time. |
| Name | xs:string |
0-1 | The Name field specifies the name of the AV scanner tool. |
| Vendor | xs:string |
0-1 | The Vendor field specifies the vendor organization for the AV scanner tool. |
| Engine_Version | xs:string |
0-1 | The Engine_Version field captures the version of the AV engine used by the AV scanner tool. |
| Definition_Version | xs:string |
0-1 | The Definition_Version field captures the version of the AV definitions used by the AV scanner tool. |
| Classification_Name | xs:string |
0-1 | The Classification_Name field captures the classification assigned to the CybOX Object by the AV scanner tool. |
Note that maecPackage:AVClassificationType duplicates the Name and Vendor fields from the cyboxCommon:ToolInformationType.
<Object>
<Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
<AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44">
<Name>Security Essentials</Name>
<Vendor>Microsoft</Vendor>
<Engine_Version>4.2.3</Engine_Version>
<Definition_Version>032415-0011</Definition_Version>
<Classification_Name>Zeus.A.D</Classification_Name>
</AV_Classification>
<AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14">
<Name>Security Essentials</Name>
<Vendor>Microsoft</Vendor>
<Engine_Version>5.1.0</Engine_Version>
<Definition_Version>053514-0062</Definition_Version>
<Classification_Name>Zeus.D.C</Classification_Name>
</AV_Classification>
</Domain_Specific_Object_Properties>
<Properties xsi:type="FileObj:FileObjectType">
<File_Name>kernal32.dll</File_Name>
</Properties>
</Object>This change will not be backward compatible and is one of several revisions planned in new major version.
- Is it important to capture AV classifications of CybOX Objects (and not just malware instances)?
- Would it be preferable to define AV Classifications as top level objects in a MAEC Package?
- Is there any issue with
AVClassificationTypeduplicating the Name and Vendor fields in thecyboxCommon:ToolInformationType? - Is the scan_date field sufficient for capturing changes in scans over time?
- Would it work well for an Analysis to reference an AV classification by its id field?