Understanding and tracking the source and evolution of malware families over time, as well as trying to understand the characteristics of a malware instance that might be useful in identifying its provenance, are important parts of the anti-malware lifecycle.
MAEC is useful in both cases.
Malware family evolution can be tracked via MAEC’s graph-based data model, while the lineage of malware instances can be modeled by leveraging top-level relationships between MAEC entities. With respect to the latter, MAEC defines a standard set of malware properties, such as strings, for both malware instances and families, which can serve as artifacts that are directly associated with provenance.