MAECProject / schemas

MAEC Schemas and Schema Development

Behavioral (Action-based) Patterning #111

Open ikiril01 opened 9 years ago

ikiril01 commented 9 years ago

As part of expanding MAEC's "predictive" capability, we should consider developing a patterning language/implementation for the purpose of describing (and subsequently detecting) malware behaviors. Such patterns will operate on observed malware Actions, and must support Boolean logic, temporal logic, sequencing, data flows, among others.

E.g., as a very rough strawman, the following would represent an instance of such a pattern for a specific registry autorun persistence behavior:

<Objects>
  <Object id="object-1">
    <Properties xsi:type="FileObjectType">
      <File_Path id="val-1"/>
    </Properties>
  </Object>
  <Object id="object-2">
    <Properties xsi:type="WindowsRegistryKeyObjectType">
      <Hive id="val-2">HKEY_LOCAL_MACHINE</Hive>
      <Key id="val-3">Software\Microsoft\Windows\CurrentVersion\Run\</Key>
      <Values>
        <Value>
          <Data id="val-5"/>
        </Value>
      </Values>
    </Properties>
  </Object>
</Objects>

<Actions>
  <Action id="action-1" name="create file">
    <Associated_Object_Reference object_id="object-1"/>
  </Action>
  <Action id="action-2" name="create registry key value">
    <Associated_Object_Reference object_id="object-2"/>
  </Action>
</Actions>

<Behavioral_Pattern>
  <Name>registry autorun persistence</Name>
  <Action_Composition operator="AND">
    <Action_Reference action_id="action-1"/>
    <Action_Reference action_id="action-2"/>
  </Action_Composition>
  <Conditions>
    <Condition type="equals" pattern_type="regex" source_id="val-1" value=".*"/>
    <Condition type="contains value" source_id="val-5" target_id="val-1"/>
  </Conditions>
</Behavioral_Pattern>
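As an added example (not MAEC project code), the following toy Python evaluator runs the strawman above over a constructed action trace: the XML ids and element names are mirrored as dict keys, `match` implements the AND composition plus the two condition types, and the `ordered` flag is an assumed extension that shows the sequencing requirement the comment mentions.

```python
import re
from itertools import product

# Constructed sandbox-style action trace: drop a file, write an unrelated document, then register the dropped file to autorun.
TRACE = [
    {"name": "create file", "File_Path": "C:\\Users\\v\\AppData\\Roaming\\upd.exe"},
    {"name": "create file", "File_Path": "C:\\Users\\v\\Documents\\report.docx"},
    {"name": "create registry key value", "Hive": "HKEY_LOCAL_MACHINE",
     "Key": "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "Data": "C:\\Users\\v\\AppData\\Roaming\\upd.exe"},
]

# The strawman as data. "values" maps each val-N id to (owning action, object field);
# "ordered" is an added sequencing constraint (action-1 must precede action-2).
PATTERN = {
    "name": "registry autorun persistence",
    "operator": "AND",
    "ordered": True,
    "actions": {"action-1": "create file", "action-2": "create registry key value"},
    "values": {"val-1": ("action-1", "File_Path"), "val-5": ("action-2", "Data")},
    "conditions": [
        {"type": "equals", "pattern_type": "regex", "source_id": "val-1", "value": ".*"},
        {"type": "contains value", "source_id": "val-5", "target_id": "val-1"},
    ],
}

def _holds(cond, binding):
    """Evaluate one Condition against the val-N values bound for a candidate match."""
    src = binding[cond["source_id"]]
    if cond["type"] == "equals" and cond.get("pattern_type") == "regex":
        return re.fullmatch(cond["value"], src) is not None
    if cond["type"] == "contains value":  # data flow: target value appears inside source
        return binding[cond["target_id"]] in src
    raise ValueError(f"unsupported condition type {cond['type']!r}")

def match(pattern, trace):
    """Return every tuple of trace indices (one per pattern action, in pattern order)
    for which all referenced actions occur and every condition holds."""
    assert pattern["operator"] == "AND", "only AND composition is implemented here"
    ids = list(pattern["actions"])
    candidates = [[i for i, a in enumerate(trace) if a["name"] == pattern["actions"][aid]] for aid in ids]
    matches = []
    for combo in product(*candidates):
        if pattern.get("ordered") and list(combo) != sorted(combo):
            continue  # sequencing: actions must appear in the trace in pattern order
        chosen = dict(zip(ids, combo))
        binding = {vid: trace[chosen[aid]].get(field) for vid, (aid, field) in pattern["values"].items()}
        if None not in binding.values() and all(_holds(c, binding) for c in pattern["conditions"]):
            matches.append(combo)
    return matches
```

Against `TRACE` only the dropped-file/Run-key pair matches; the unrelated document is rejected by the `contains value` data-flow condition, and reversing the trace fails the ordering check.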

ikiril01 commented 9 years ago

Besides those relating to the actual implementation of these patterns, there are a number of other open questions: