The BehaviorType is one of the foundational MAEC types, and serves as a method for the characterization of malicious behaviors found or observed in malware. Behaviors can be thought of as representing the purpose behind groups of MAEC Actions, and are therefore representative of distinct portions of higher-level malware functionality. Thus, while a malware instance may perform a multitude of Actions, it is likely that these Actions represent only a few distinct behaviors. Some examples include vulnerability exploitation, email address harvesting, the disabling of a security service, etc.
The required id field specifies a unique ID for this Behavior.
The ordinal_position field specifies the ordinal position of the Behavior with respect to the execution of the malware.
The status field specifies the execution status of the Behavior being characterized.
The duration field specifies the duration of the Behavior. One way to derive such a value may be to calculate the difference between the timestamps of the first and last actions that compose the behavior.
The Purpose field specifies the intended purpose of the Behavior. Since a Behavior is not always successful, and may not be fully observed, this is meant as a way to state the nature of the Behavior apart from its constituent actions.
The Description field specifies a prose textual description of the Behavior.
The Discovery_Method field specifies the method used to discover the Behavior.
The Action_Composition field captures the Actions that compose the Behavior.
The Associated_Code field specifies any code snippets that may be associated with the Behavior.
The Relationships field specifies any relationships between this Behavior and any other Behaviors.
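The following is an added example, not code from the MAEC specification or the python-maec library: a simplified Python model that mirrors the BehaviorType fields listed above (id, ordinal_position, status, duration, Purpose, Description, Discovery_Method, Action_Composition, Associated_Code, Relationships), derives duration from the first and last constituent Action timestamps as described for the duration field, and assigns ordinal_position by ordering Behaviors on their earliest Action. The Action class, the sample actions, their names and timestamps, and the field naming in to_dict() are all constructed for this illustration and are not the schema's own binding.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional


@dataclass
class Action:
    """One observed malware Action (simplified, constructed for this example)."""
    id: str
    name: str
    timestamp: datetime


@dataclass
class Behavior:
    """Simplified model of the MAEC BehaviorType fields (illustration only,
    not the MAEC schema binding)."""
    id: str                                   # required unique ID
    purpose: str                              # Purpose: intent, independent of success
    description: str = ""                     # Description: prose text
    status: str = "Success"                   # status: execution status
    discovery_method: str = ""                # Discovery_Method
    ordinal_position: Optional[int] = None    # ordinal_position in execution order
    actions: List[Action] = field(default_factory=list)         # Action_Composition
    associated_code: List[str] = field(default_factory=list)    # Associated_Code
    relationships: List[Dict[str, str]] = field(default_factory=list)  # Relationships

    def duration(self) -> Optional[timedelta]:
        """Derive duration as last-action timestamp minus first-action timestamp.
        A Behavior with no composed Actions has no derivable duration."""
        if not self.actions:
            return None
        stamps = [a.timestamp for a in self.actions]
        return max(stamps) - min(stamps)

    def start_time(self) -> datetime:
        """Earliest Action timestamp; unordered behaviors sort last."""
        return min((a.timestamp for a in self.actions), default=datetime.max)

    def to_dict(self) -> Dict[str, Any]:
        """Flatten to a dict whose keys follow the field names used on this page."""
        d = self.duration()
        return {
            "id": self.id,
            "ordinal_position": self.ordinal_position,
            "status": self.status,
            "duration": d.total_seconds() if d is not None else None,
            "Purpose": self.purpose,
            "Description": self.description,
            "Discovery_Method": self.discovery_method,
            "Action_Composition": [a.id for a in self.actions],
            "Associated_Code": list(self.associated_code),
            "Relationships": list(self.relationships),
        }


def assign_ordinal_positions(behaviors: List[Behavior]) -> List[Behavior]:
    """Number Behaviors 1..n in the order their first Action was observed."""
    ordered = sorted(behaviors, key=Behavior.start_time)
    for pos, b in enumerate(ordered, start=1):
        b.ordinal_position = pos
    return ordered


def build_sample_behaviors() -> List[Behavior]:
    """Constructed sample: three actions grouped into one 'disable security service'
    behavior, plus a later behavior with a single action."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    disable = Behavior(
        id="behavior-1",
        purpose="Disable a security service",
        description="Stops an endpoint protection service so it no longer runs.",
        discovery_method="Dynamic analysis in a sandbox (constructed)",
        actions=[
            Action("action-1", "open service control manager", t0),
            Action("action-2", "stop security service", t0 + timedelta(seconds=2.5)),
            Action("action-3", "change service start type", t0 + timedelta(seconds=4)),
        ],
    )
    harvest = Behavior(
        id="behavior-2",
        purpose="Harvest email addresses",
        actions=[Action("action-4", "read address book file", t0 + timedelta(seconds=30))],
        relationships=[{"type": "Dependent On", "behavior_idref": "behavior-1"}],
    )
    # Pass them in reverse to show ordering is derived from timestamps, not input order.
    return assign_ordinal_positions([harvest, disable])


if __name__ == "__main__":
    for b in build_sample_behaviors():
        print(b.to_dict())
```

The sample deliberately feeds the behaviors in the wrong order so that assign_ordinal_positions() has to recover execution order from the Action timestamps; a Behavior whose Actions were never observed (empty Action_Composition) keeps a duration of None rather than a misleading zero.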