
Consider Malware Family Object #123

Open
ikiril01 opened this issue Apr 1, 2016 · 3 comments

Comments

@ikiril01
Member

ikiril01 commented Apr 1, 2016

Right now we have the Malware_Subject, which is really a characterization of a malware instance. Perhaps we should consider adding a Malware_Family Object, which can serve as a meta class that can reference the Malware_Subjects that are part of a malware family?

@ikiril01
Member Author

ikiril01 commented Apr 5, 2016

Notionally, the structure could be something like:

  • Malware Family
    • Names
    • Malware Subjects
    • Common Actions
    • Common Behaviors
    • Common Capabilities
    • etc.

@ikiril01
Member Author

A few open questions:

  • How should Malware Instances/Subjects be associated with a Malware Family object?
    • Referenced directly from the Malware Family?
    • Using a top-level Relationship object?
  • How should common Actions/Behaviors/etc. be captured?
    • What if certain Actions/etc. are common to a subset of a malware family, but not the entire family?

@dzbeck
Contributor

dzbeck commented Jun 15, 2016

  • In MalwareFamilyType, should the field capture Malware Subjects (maecPackage:MalwareSubjectReferenceType) or Objects (maecCore:ObjectReferenceType)?
    • For now, we’ve chosen Malware Subjects.
    • There may be some objects, which are not malware subjects, which we would want to associate with a particular malware family.
  • So that there is only one way to associate Malware Subjects with a Malware Family, we have NOT defined a Malware_Family field in MalwareSubjectType.
    • This prevents defining relationships in two directions, which we’re trying to get away from in 5.0.
    • With Relationships being pairwise, it would be cumbersome to link multiple Malware Subjects (or Objects) to a Malware Family because multiple Relationships would need to be defined (i.e., capturing through the Malware Family is more efficient).
    • We could remove the Malware_Subject field from MalwareFamilyType and associate malware subjects (and/or objects) and malware families using a Collection.
      • We shouldn’t use both the Malware Subject field in MalwareFamilyType and Collections (there shouldn't be two ways to specify family members).
      • If we don’t use Collections, we should remove “same malware family” from maecPackage:CollectionAssociateTypeEnum.
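As an added illustration (not MAEC's own code or schema), a minimal Python model of the design dzbeck describes above: a Malware Family lists its member subjects by reference, subjects carry no back-reference, and a check flags the two things the comment warns about, dangling subject references and a Collection that duplicates family membership. All class names, field names and the "same malware family" string are constructed assumptions that only echo the thread's wording.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model of the package design discussed in this thread;
# the class names echo the thread's terms and are NOT the real MAEC schema types.

@dataclass
class MalwareSubject:
    id: str

@dataclass
class MalwareFamily:
    id: str
    names: list = field(default_factory=list)
    malware_subject_refs: list = field(default_factory=list)  # ids of member subjects

@dataclass
class Collection:
    id: str
    association_type: str  # constructed value; "same malware family" mirrors the enum item
    member_refs: list = field(default_factory=list)

@dataclass
class Package:
    subjects: list = field(default_factory=list)
    families: list = field(default_factory=list)
    collections: list = field(default_factory=list)

def check_family_membership(pkg: Package) -> list:
    """Flag dangling subject references and a second membership path via a Collection."""
    problems = []
    subject_ids = {s.id for s in pkg.subjects}
    linked = {}  # subject id -> set of family ids that list it
    for fam in pkg.families:
        for ref in fam.malware_subject_refs:
            if ref not in subject_ids:
                problems.append(f"{fam.id}: dangling Malware_Subject reference {ref}")
            linked.setdefault(ref, set()).add(fam.id)
    for coll in pkg.collections:
        if coll.association_type == "same malware family":
            dup = sorted(m for m in coll.member_refs if m in linked)
            if dup:
                problems.append(f"{coll.id}: members {dup} already linked through a Malware Family")
    return problems

def example_package() -> Package:
    # Constructed sample: one family of two subjects, one dangling ref, one redundant Collection.
    subjects = [MalwareSubject("subject-1"), MalwareSubject("subject-2")]
    fam = MalwareFamily("family-1", ["ExampleFam"], ["subject-1", "subject-2", "subject-9"])
    coll = Collection("collection-1", "same malware family", ["subject-1", "subject-2"])
    return Package(subjects, [fam], [coll])
```

Running `check_family_membership(example_package())` reports the dangling `subject-9` reference and the Collection that restates the family's membership; a package that links subjects through the family field alone returns no problems.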
