As part of expanding MAEC's "predictive" capability, we should consider developing a patterning language/implementation for the purpose of describing (and subsequently detecting) malware behaviors. Such patterns will operate on observed malware Actions, and must support Boolean logic, temporal logic, sequencing, and data flows, among other constructs.
E.g., as a very rough strawman, the following would represent an instance of such a pattern for a specific registry autorun persistence behavior:
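The strawman pattern itself is not reproduced on this page. As an added example (not the author's strawman and not MAEC code), the following Python sketch shows what such a language could look like: an evaluator over a trace of observed Actions that supports sequencing, Boolean OR/AND and a data-flow variable, applied to the registry autorun persistence behavior named above. The action names, the `$var` binding syntax and the sample trace are assumptions.

```python
import re
from collections import namedtuple
Action = namedtuple("Action", "t name args")  # observation order, action name, argument dict

# Pattern mini-language (hypothetical, not MAEC's).  A step constraint is a literal (must
# equal), a callable (predicate) or "$var" (data-flow variable: bound on first use).
def step(name, **constraints): return ("step", name, constraints)
def seq(*nodes): return ("seq",) + nodes      # temporal order, strictly increasing t
def any_of(*nodes): return ("or",) + nodes    # Boolean OR
def all_of(*nodes): return ("and",) + nodes   # Boolean AND, any order

def _satisfies(want, have, b):
    if callable(want): return bool(want(have))
    if isinstance(want, str) and want.startswith("$"): return b.setdefault(want, have) == have
    return have == want

def _leaf(name, constraints, actions, bindings, after):
    hits = []
    for a in (a for a in actions if a.name == name and a.t > after):
        b = dict(bindings)  # candidate bindings; discarded if any constraint fails
        if all(_satisfies(w, a.args.get(k), b) for k, w in constraints.items()):
            hits.append((b, a.t))
    return hits

def match(node, actions, bindings=None, after=-1):
    """Every (bindings, last_t) pair under which node matches the Action trace."""
    kind, rest, b0 = node[0], node[1:], dict(bindings or {})
    if kind == "step":
        return _leaf(rest[0], rest[1], actions, b0, after)
    if kind == "or":
        return [r for n in rest for r in match(n, actions, b0, after)]
    results = [(b0, after)]  # "seq": each step after the previous; "and": any order
    for n in rest:
        results = [(b2, max(t1, t2)) for b1, t1 in results
                   for b2, t2 in match(n, actions, b1, t1 if kind == "seq" else after)]
    return results
def under(rx): return lambda k: bool(k and rx.search(k))
RUN, RUN_ONCE = (re.compile(r"\\CurrentVersion\\" + n + "$", re.I) for n in ("Run", "RunOnce"))
# Registry autorun persistence: a file is dropped, then that same path ($dropped) is
# written as the data of a value under a Run or RunOnce key.
AUTORUN = seq(step("create file", path="$dropped"),
              any_of(step("set registry value", key=under(RUN), data="$dropped"),
                     step("set registry value", key=under(RUN_ONCE), data="$dropped")))
# Constructed sample trace (not real telemetry): drop, then register under HKCU Run.
TRACE = [Action(1, "create file", {"path": r"C:\Users\u\AppData\Roaming\svc.exe"}),
         Action(2, "set registry value", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                          "name": "svc", "data": r"C:\Users\u\AppData\Roaming\svc.exe"})]
def detect(trace):
    """Variable bindings for each occurrence of AUTORUN in trace ([] = no match)."""
    return [b for b, _ in match(AUTORUN, sorted(trace, key=lambda a: a.t))]
```

`detect(TRACE)` returns the bound `$dropped` path; swapping the two timestamps (registry write before the drop) or pointing the Run value at a different file yields no match.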