Malware repositories oriented toward analysis often have very specific requirements, and it is common for security organizations to use their own custom schemas for storing data in repositories. From a malware analysis standpoint at a local level, custom repositories can serve their purpose. However, sharing or exporting data from custom repositories can be difficult and time-consuming due to the need to translate between multiple proprietary schemas, and the usefulness of a custom repository as a long-term analysis resource can be limited if the schema is not suitably expressive.
MAEC is well-suited for use as a common intermediate format for mapping between dissimilar malware repository schemas so that analysis information stored in disparate repositories can be shared, allowing teams or organizations to quickly leverage each other’s analysis results. Furthermore, for appropriate database architectures, using the MAEC data model in malware repositories would not only enable information sharing but would also permit improved data-mining due to MAEC’s structuring and labeling of malware attributes (MAEC can serve as a physical or logical data model, depending upon the architecture). For example, an analyst could query a MAEC-based repository for malware instances that exhibit a particular MAEC-defined Action, Behavior, or Capability.