MAEC schema can benefit malware researchers

Focusing on the attributes and behavior of malicious code, not necessarily which malware family it comes from, can help researchers communicate better and respond quicker to threats, an SC World Congress speaker said Wednesday.

Bob Martin, principal engineer at the nonprofit MITRE Corp., discussed his group's Malware Attribute Enumerization and Characterization initiative (MAEC).

Pronounced "Mike", the MAEC schema identifies which registry keys the malware is affecting, what file actions it is making and which vulnerability it is going after, Martin explained. Using this information, a researcher can equate the findings to the behavior and motivation of the attack.

Many times, security professionals will find that seemingly disparate pieces of malware will have the same level of threat and mitigation and should be treated similarly.

"Focusing on the attributes and behaviors of malware facilitates detection and analysis of emerging, sophisticated malware threats that circumvent the traditional signature-based and heuristic approaches," according to the MAEC site. "Characterizing malware in a standard way supports collaboration across organizations, identifying common behavior and functionality across instances of malware, and establishing malware families.

One audience member questioned whether MAEC can help identify and defend against the zero-day threat, for which there is no security patch available. Martin said nothing can, but the initiative can help researchers build a "fabric" around the detection process.

He invited audience members to participate in the effort at, a social networking and collaborative environment.

The schema is expanding to study botnets, he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.