[MAEC] Capturing information about the analysis process itself


[MAEC] Capturing information about the analysis process itself

Paul Patrick-2

I was looking through the current specification and the JSON schemas and realized that it appears that we’ve lost the ability to capture what type of analysis was performed and information about its performance.  I’m wondering if someone could explain why it was removed, as this data can be useful in characterizing the analysis process and giving the consumer the context that gives them confidence in the results.  One possible consideration I came up with for not having this data was whether the information would be useful to another party if shared.

I’d like to suggest that we consider adding the “analyses” property back to the MalwareInstanceType but redesign what is in the Analysis.json schema file to limit it to something like the example below.  If there is no need for anything to reference an analysis object, then remove the type and id properties.  The alternative I also considered was to put this type of information inside the InstanceMetadata type.

One additional benefit of adding such a section is that it would provide a natural extension point for people to include other analysis process information they may want to convey.

 

{
    "type": "package",
    "id": "package--<uuid>",
    "schema_version": "5.0",
    "malware_instances": [
        {
            "instance_object_refs": [
                "<observable-type>--<uuid>"
            ],
            "analyses": [
                {
                    "type": "analysis",
                    "id": "analysis--<uuid>",
                    "analysis_type": "analysis-type-cv value",
                    "analysis_method": "analysis-method-cv value",
                    "ordinal_position": "number",
                    "start_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "complete_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "last_update_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "tool_refs": [
                        "software--<uuid>"
                    ]
                }
            ]
        }
    ]
}


Thoughts?

Paul Patrick


This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.

Re: [MAEC] Capturing information about the analysis process itself

Kirillov, Ivan A.

Hi Paul,

 

The MAEC team recently tackled the refactoring of the existing AnalysisType and I see you’ve noticed the changes we’ve made. Our primary concern was exactly as you stated, namely that this data would not be useful to another party if shared. We were also concerned that much of the content of the AnalysisType focused on capturing the content of a textual report, something which would likely be a large burden on malware analysts to reproduce in a structured format.

 

> I’d like to suggest that we consider adding the “analyses” property back to the MalwareInstanceType but redesign what is in the Analysis.json schema file to limit it to something like below.  If there is no need for anything to reference an analysis object, then remove the type and id properties. 

 

We discussed this and it seems like quite a reasonable suggestion. Since Analyses are specific to a particular Malware Instance and will not be re-used/referenced elsewhere, I think we can indeed remove the type and id properties. Therefore, it would look like:

 

{
    "type": "package",
    "id": "package--<uuid>",
    "schema_version": "5.0",
    "malware_instances": [
        {
            "instance_object_refs": [
                "<observable-type>--<uuid>"
            ],
            "analyses": [
                {
                    "analysis_type": "analysis-type-cv value",
                    "analysis_method": "analysis-method-cv value",
                    "ordinal_position": "number",
                    "start_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "complete_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "last_update_datetime": "YYYY-MM-DDTHH:mm:ss[.s+]Z",
                    "tool_refs": [
                        "software--<uuid>"
                    ]
                }
            ]
        }
    ]
}

 

We’ve already made these initial changes to the MAEC 5.0 specification (apart from adding some of the missing properties), so please feel free to comment and add any additional thoughts there [1].

 

[1] https://docs.google.com/document/d/1cnjjZAPHITFjo_8xGVBo1mX9Qvo7pN-YJ4pRZwdsuL0/edit#heading=h.fefbalm476rp

 

Regards,

Ivan

 

 

From: Paul Patrick <[hidden email]>
Reply-To: Paul Patrick <[hidden email]>
Date: Wednesday, January 4, 2017 at 4:33 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion <[hidden email]>
Subject: [MAEC] Capturing information about the analysis process itself
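As an added illustration of the consumer-side value Paul describes (checking the analysis metadata before trusting the results), here is example code, not MAEC project code, that runs structural checks over the "analyses" entries of a package in the shape agreed above. It assumes which keys are required, that ordinal_position is a non-negative integer, and uses made-up vocabulary values and UUIDs in its sample.

```python
import re
from datetime import datetime, timezone

# Added example, not MAEC project code. Assumptions: the REQUIRED keys, ordinal_position as a non-negative int.
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
TOOL_REF_RE = re.compile(f"^software--{UUID}$")  # tool_refs point at software objects
REQUIRED = ("analysis_type", "analysis_method", "start_datetime")
ORDERED = ("start_datetime", "complete_datetime", "last_update_datetime")  # expected chronological order

def parse_ts(value):
    """Parse the thread's YYYY-MM-DDTHH:mm:ss[.s+]Z form as UTC; None if malformed."""
    m = TS_RE.match(value) if isinstance(value, str) else None
    if not m:
        return None
    try:
        dt = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:  # pattern matched but the date is impossible, e.g. month 13
        return None
    frac = (m.group(1) or ".")[1:7].ljust(6, "0")  # fraction truncated to microseconds
    return dt.replace(microsecond=int(frac), tzinfo=timezone.utc)

def validate_analysis(a):
    """Return the list of problems in one analysis object (empty list means OK)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in a]
    pos = a.get("ordinal_position")
    if pos is not None and (type(pos) is not int or pos < 0):
        problems.append("ordinal_position must be a non-negative integer")
    times = [(k, parse_ts(a[k])) for k in ORDERED if k in a]
    problems += [f"bad timestamp in {k}" for k, t in times if t is None]
    good = [(k, t) for k, t in times if t is not None]
    problems += [f"{k1} is later than {k2}" for (k1, t1), (k2, t2) in zip(good, good[1:]) if t1 > t2]
    for ref in a.get("tool_refs", []):
        if not (isinstance(ref, str) and TOOL_REF_RE.match(ref)):
            problems.append(f"bad tool ref {ref!r}")
    return problems

def validate_package(pkg):
    """Map (instance index, analysis index) to its problems; clean entries are omitted."""
    return {(i, j): p for i, inst in enumerate(pkg.get("malware_instances", []))
            for j, a in enumerate(inst.get("analyses", [])) if (p := validate_analysis(a))}

# Constructed sample in the thread's shape; UUIDs and vocabulary values are made up.
SAMPLE = {"type": "package", "id": "package--0b8fb4d6-1111-4aaa-8bbb-000000000001", "schema_version": "5.0",
    "malware_instances": [{"instance_object_refs": ["file--0b8fb4d6-1111-4aaa-8bbb-000000000002"], "analyses": [
        {"analysis_type": "dynamic", "analysis_method": "sandbox", "ordinal_position": 0,
         "start_datetime": "2017-01-04T16:33:00Z", "complete_datetime": "2017-01-04T16:40:12.5Z",
         "tool_refs": ["software--0b8fb4d6-1111-4aaa-8bbb-000000000003"]},
        {"analysis_type": "static", "ordinal_position": -1, "start_datetime": "2017-01-04T17:00:00Z",
         "complete_datetime": "2017-01-04T16:59:00Z", "tool_refs": ["tool--1"]}]}]}
```

Running `validate_package(SAMPLE)` reports nothing for the first analysis and four problems for the second (missing method, negative position, completion before start, malformed tool reference).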