Effective intrusion detection is central to keeping networks safe from malicious actors. Using MAEC to characterize malware based on its attributes provides actionable information for malware detection and assessment: more specifically, each layer of a MAEC characterization, the low-level Objects and Actions, the mid-level Behaviors, and the high-level Capabilities, supplies attributes on which detection can be based.
Unlike a physical signature, a single MAEC characterization, represented by a MAEC Bundle or MAEC Package, can provide data that can be used to detect multiple malware instances. Because there are a finite number of ways of implementing a particular software behavior (for instance, keylogging), particularly at the assembly level, there is likely to be an intersection of such attributes between multiple malware instances. Therefore, the MAEC characterization of a single malware instance - including behavior-based indicators that reveal the presence of the malware - can permit an intrusion detection system to detect malware families and even otherwise unrelated malware that have certain attributes in common with the malware instance.