Intrusion Detection

Effective intrusion detection is central to keeping networks safe from malicious actors. Characterizing malware with MAEC, based on its attributes, provides actionable information for malware detection and assessment at three levels: low-level Objects and Actions, mid-level Behaviors, and high-level Capabilities can each serve as the basis for detecting malware.

Unlike a physical signature, which identifies one specific file (a hash or byte pattern), a single MAEC characterization, represented as a MAEC Bundle or MAEC Package, provides data that can be used to detect multiple malware instances. Because there are a finite number of ways to implement a particular software behavior (keylogging, for instance), particularly at the assembly level, the attributes of different malware instances are likely to intersect. The MAEC characterization of a single malware instance, including behavior-based indicators for detecting its presence, can therefore let an intrusion detection system detect other members of the same malware family, and even otherwise unrelated malware that shares certain attributes with the characterized instance.
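The following is an added example, not code from the MAEC project, showing how the characterization of one sample can match other samples at the Behavior and Capability level where a file hash cannot. The Action/Behavior classes are a simplified, assumed model of MAEC's Action, Behavior and Capability hierarchy, not the MAEC schema; the keylogger characterization and the three sandbox traces it is matched against are constructed for this example.

```python
"""Behavior-level detection from one MAEC-style characterization.

Added example, not MAEC project code. The Action/Behavior structure below is
a simplified, assumed model of MAEC's low-level Actions, mid-level Behaviors
and high-level Capabilities; it is not the MAEC schema.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """A low-level action: what was done, via which API, to which object."""
    kind: str            # e.g. "registry_key.create"
    api: str             # API the action was implemented with
    target: str = "*"    # object acted on; "*" in a characterization matches any object


@dataclass(frozen=True)
class Behavior:
    """A mid-level behavior: the set of actions that together realize a capability."""
    name: str
    capability: str
    actions: tuple       # every action must be present in an observed trace


# Characterization of ONE keylogger sample (constructed). File-path targets are
# wildcarded because the log file name varies per build; the hook type and the
# Run key do not, so they are kept exact.
KEYLOGGER = (
    Behavior("keylogging", "spying", (
        Action("hook.install", "SetWindowsHookExW", "WH_KEYBOARD_LL"),
        Action("file.write", "WriteFile"),
    )),
    Behavior("run-key persistence", "persistence", (
        Action("registry_key.create", "RegCreateKeyExW",
               r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
        Action("registry_value.set", "RegSetValueExW"),
    )),
)


def action_matches(expected: Action, observed: Action) -> bool:
    """Same action kind and API; the target must match unless wildcarded.
    Registry and file paths are compared case-insensitively, as Windows does."""
    if expected.kind != observed.kind or expected.api != observed.api:
        return False
    return expected.target == "*" or expected.target.lower() == observed.target.lower()


def matched_behaviors(characterization, trace) -> set:
    """Names of behaviors whose every action appears somewhere in the trace."""
    hits = set()
    for behavior in characterization:
        if all(any(action_matches(exp, obs) for obs in trace) for exp in behavior.actions):
            hits.add(behavior.name)
    return hits


def matched_capabilities(characterization, trace) -> set:
    """High-level capabilities implied by the matched behaviors."""
    names = matched_behaviors(characterization, trace)
    return {b.capability for b in characterization if b.name in names}


def file_hash(data: bytes) -> str:
    """The physical signature the text contrasts with: a hash of one specific file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sandbox traces of three other samples.
VARIANT = (  # recompiled build of the same family: new log path, same behaviors
    Action("hook.install", "SetWindowsHookExW", "WH_KEYBOARD_LL"),
    Action("file.write", "WriteFile", r"C:\Users\Public\keys.txt"),
    Action("registry_key.create", "RegCreateKeyExW",
           r"hkcu\software\microsoft\windows\currentversion\run"),
    Action("registry_value.set", "RegSetValueExW", "Updater"),
)
UNRELATED = (  # different malware that only shares the persistence behavior
    Action("registry_key.create", "RegCreateKeyExW",
           r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    Action("registry_value.set", "RegSetValueExW", "svc"),
    Action("network.connect", "connect", "203.0.113.7:443"),
)
BENIGN = (  # installs a mouse hook only; never persists or writes a keystroke log
    Action("hook.install", "SetWindowsHookExW", "WH_MOUSE_LL"),
)

if __name__ == "__main__":
    build1 = b"MZ...keylogger build 1"   # constructed stand-ins for two binaries
    build2 = b"MZ...keylogger build 2"
    print("hash match between builds:", file_hash(build1) == file_hash(build2))
    for label, trace in (("variant", VARIANT), ("unrelated", UNRELATED), ("benign", BENIGN)):
        print(label, matched_behaviors(KEYLOGGER, trace), matched_capabilities(KEYLOGGER, trace))
```

The hash of the two builds differs, so a physical signature for build 1 misses build 2, while the behavior match flags the variant on both behaviors and the unrelated sample on the persistence behavior it shares. The benign trace shows the check a practitioner wants here: a behavior is matched only when all of its actions are present, so a lone keyboard or mouse hook (which accessibility tools also install) does not by itself trigger the keylogging behavior.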