This Recommendation on malware attribute enumeration and classification (MAEC) is an XML/XSD based specification for characterizing malware based on its behaviors, artifacts, and attack patterns. This will allow for the description and identification of malware based on distinct patterns of attributes rather than a single metadata entity (which is the method commonly employed in signature-based detection). MAEC's focus on structured, attribute-based characterization provides several capabilities that the aforementioned methods do not possess. These capabilities stem from MAEC's existence as a domain-specific language, with an encompassing and unambiguous vocabulary and grammar.
MAEC aims to: 1) improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware, 2) reduce potential duplication of malware analysis efforts by researchers, and 3) allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. Threat analysis, intrusion detection, and incident management are processes that deal with all manners of cyber threats. MAEC, through its uniform encoding of malware attributes, provides a standardized format for the incorporation of actionable information regarding malware in these processes.