MAEC Use Cases

At its highest level, MAEC is a domain-specific language for non-signature-based malware characterization. Because MAEC provides a common vocabulary and grammar for the malware domain, the majority of its use cases are motivated by the unambiguous and accurate communication of malware attributes that MAEC enables.

Malware Analysis

Malware analysis-related use cases demonstrate how MAEC can be used to effectively capture the data obtained from malware analysis. As the first use case illustrates, a malware instance is analyzed automatically or manually using either dynamic or static methods. The results are then captured using the MAEC schema, in either a single MAEC Package (containing one or more MAEC Bundles) or one or more standalone MAEC Bundles.

Static and Dynamic Malware Analysis

MAEC Packages and MAEC Bundles can also be used to help with visualization, to capture data for storage in analysis-oriented repositories, and as a means for standardizing tool output.

Malware Visualization

Analysis-Oriented Malware Repositories

Standardized Tool Output

Intrusion Detection

The intrusion detection use case demonstrates how MAEC can be used to characterize malware based on its attributes to provide actionable information for malware intrusion detection and assessment.

Intrusion Detection

Cyber Threat Analysis

Cyber threat analysis-related use cases demonstrate how capturing cyber threat analysis information in MAEC makes a threat more readily understood and evaluated, because the information is consistent across analysts and incidents. Furthermore, MAEC's standardized encoding of the Capabilities exhibited by a malware instance allows for accurate discernment of the threat that the malware poses to an organization and its infrastructure.

Attribution

Malware Threat Scoring System

Incident Management

Incident management-related use cases describe how a uniform malware reporting format, standardized malware repositories, and the ability to verify remediation procedures, all based on the MAEC data model, greatly enhance malware-related incident management efforts.

Uniform Malware Reporting Format

Malware Repositories

Remediation