MAEC v3.0 is a major version of the MAEC language and consists of three XML schemas:
Version 3.0 of the MAEC Bundle schema, a revised version of the v2.1 MAEC core schema (which also defined the Bundle). A MAEC Bundle is intended to capture all of the analysis-derived characteristics of a single malware instance, including any observed MAEC Behaviors or Actions and any related MAEC Objects.
Version 1.0 of the new MAEC Package schema. A MAEC Package is intended to characterize all known data for one or more malware instances, including their analysis-derived characteristics (via MAEC Bundles) and any associated analysis or other metadata.
Version 1.0 of the new MAEC Container schema. A MAEC Container is intended to serve as a transport mechanism for one or more MAEC Packages.
Some of the new features in MAEC 3.0 include:
A significant structural re-organization of functionality and scope across the multiple MAEC schemas, permitting the use of only the particular schema(s) that are relevant to an individual end user.
The ability to capture equivalences between identical Actions and Objects, both for use as single units and as analytical observations, through the new MAEC Package.
The ability to explicitly capture the process tree for an executed malware instance, through the revised MAEC Bundle.
Many revisions to existing types, for the purpose of streamlining and clarifying their intent and use.
The import and use of Cyber Observable eXpression (CybOX) v1.0 (final).
For more information, please see the detailed release notes or the schema annotations linked to on the release page; also included are many more examples intended to highlight the new structures and features in MAEC v3.0. We welcome your comments, feedback, and questions.