Allow AV Classifications to be captured for any CybOX Object

[ikiril01]

Currently, AV Classifications can only be captured for a malware instance characterized by a Malware Subject or Bundle (i.e. via the Malware_Instance_Object_Attributes). Unfortunately this means that they cannot be captured for other CybOX Objects, such as those that result from Actions. Thus, we should add support for capturing AV Classifications for any CybOX Object - perhaps as a new type of relationship?

[ikiril01]

Some possibilities:

• Add a "Has AV Classification" relationship that relates an Object to its AV Classification(s)
  • This would require adding an extensible element where the AV Classification can be plugged in
• Make the AVClassificationType an extension of the CybOX DomainSpecificAttributesType, so that it can be plugged into the Domain_Specific_Object_Properties field on a CybOX Object
  • This would be problematic as the AVClassificationType already extends the CybOX ToolInformationType, so doing this would mean it would lose the current fields that it uses for capturing Tool Vendor, Version, etc.

[ikiril01]

After some team discussion, it appears that the second approach (via Domain_Specific_Object_Properties) is the more favorable one, even though it would require "duplicating" a few fields from the ToolInformationType.

Thus, the resulting XML would look something like:

<Object>
    <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationType">
       <Name>Security Essentials</Name>
       <Vendor>Microsoft</Vendor>
       <Engine_Version>4.2.3</Engine_Version>
       <Definition_Version>032415-0011</Definition_Version>
       <Classification_Name>Zeus.A.D</Classification_Name>
    </Domain_Specific_Object_Properties>
    <Properties xsi:type="FileObj:FileObjectType">
       <File_Name>kernal32.dll</File_Name>
    </Properties>
</Object>

[ikiril01]

One open question is how to capture AV classifications that change over time. Perhaps it may be enough to simply embed a timestamp that specifies when the scan was performed (similar to what the VirusTotal JSON output captures), e.g.:

<Object>
    <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
      <AV_Classification scan_date="2010-05-15T03:38:44">
          <Name>Security Essentials</Name>
          <Vendor>Microsoft</Vendor>
          <Engine_Version>4.2.3</Engine_Version>
           <Definition_Version>032415-0011</Definition_Version>
           <Classification_Name>Zeus.A.D</Classification_Name>
      </AV_Classification>
      <AV_Classification scan_date="2012-02-11T08:36:14">
          <Name>Security Essentials</Name>
          <Vendor>Microsoft</Vendor>
          <Engine_Version>5.1.0</Engine_Version>
           <Definition_Version>053514-0062</Definition_Version>
           <Classification_Name>Zeus.D.C</Classification_Name>
      </AV_Classification>
    </Domain_Specific_Object_Properties>
    <Properties xsi:type="FileObj:FileObjectType">
       <File_Name>kernal32.dll</File_Name>
    </Properties>
</Object>

[gtback]

I've always thought of this as the job of the Definition_Version. But I can see why this might be useful. If we make it part of the <Object>, it's harder to say "scanned as X during analysis performed on date Y." using existing timestamps found in MAEC.

[ikiril01]

@gtback yeah, I think the primary intent is for historical AV analysis, especially in cases where something wasn't detected on date X and then detected on date Y. I agree that making it part of the Object does make it more difficult to update/add new AV Classifications, and also reference them from an Analysis - I suppose the only other alternative would be to make it a top-level object (that references the Object that it's classifying):

<Package>
    <AV_Classifications>
        <AV_Classification id="avclass-1" scan_date="2012-02-11T08:36:14">
            <Object_Reference object_id="object-1"/>
            <Name>Security Essentials</Name>
            <Vendor>Microsoft</Vendor>
            <Engine_Version>5.1.0</Engine_Version>
             <Definition_Version>053514-0062</Definition_Version>
             <Classification_Name>Zeus.D.C</Classification_Name>
        </AV_Classification>
    </AV_Classification>
</Package>

[ikiril01]

Or we could keep the AV classifications at the Object level, and just have IDs on them as in the previous example (for referencing from an Analysis):

<Object>
    <Domain_Specific_Object_Properties xsi:type="maec:AVClassificationsType">
      <AV_Classification id="avclass-1" scan_date="2010-05-15T03:38:44">
          <Name>Security Essentials</Name>
          <Vendor>Microsoft</Vendor>
          <Engine_Version>4.2.3</Engine_Version>
           <Definition_Version>032415-0011</Definition_Version>
           <Classification_Name>Zeus.A.D</Classification_Name>
      </AV_Classification>
      <AV_Classification id="avclass-2" scan_date="2012-02-11T08:36:14">
          <Name>Security Essentials</Name>
          <Vendor>Microsoft</Vendor>
          <Engine_Version>5.1.0</Engine_Version>
           <Definition_Version>053514-0062</Definition_Version>
           <Classification_Name>Zeus.D.C</Classification_Name>
      </AV_Classification>
    </Domain_Specific_Object_Properties>
    <Properties xsi:type="FileObj:FileObjectType">
       <File_Name>kernal32.dll</File_Name>
    </Properties>
</Object>

[gtback]

I'm all for more high-level objects and less nesting, but I think either of these approaches would work well.