Analysis-oriented malware repositories often have very specific requirements, and it is common for security organizations to use custom schemas for data storage. From a malware analysis standpoint at a local level, custom repositories can serve a purpose. However, sharing or exporting data from custom repositories can be difficult and time-consuming due to the need to translate between multiple proprietary schemas, and the usefulness of a custom repository as a long-term analysis resource can be limited if the schema is not suitably expressive.
MAEC is well-suited for use as a common intermediate format for mapping between dissimilar malware repository schemas so that analysis information stored in disparate repositories can be shared, allowing teams or organizations to quickly leverage each other’s analysis results. Furthermore, for appropriate database architectures, using the MAEC data model in malware repositories would not only enable information sharing but would also permit improved data-mining due to MAEC’s structuring and labeling of malware attributes (MAEC can serve as a physical or logical data model, depending upon the architecture). For example, an analyst could query a MAEC-based repository for malware instances that exhibit a particular MAEC-defined Malware Action, Behavior, or Capability.