ITU-T X 1546-2014 Malware attribute enumeration and characterization (Study Group 17)《恶意软件属性枚举和特性》.pdf

1、 International Telecommunication Union ITU-T X.1546TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (01/2014) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Cybersecurity information exchange Event/incident/heuristics exchange Malware attribute enumeration and characterization Recom

2、mendation ITU-T X.1546 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYST

3、EM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SEC

4、URE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY

5、 Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERSECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/sta

6、te exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601

7、 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For further details, please refer to the list of ITU-T Recommendations. Rec. ITU-T X.1546

8、 (01/2014) i Recommendation ITU-T X.1546 Malware attribute enumeration and characterization Summary The malware attribute enumeration and characterization (MAEC) language includes enumerations of malware attributes and behaviour that provide a common vocabulary. These enumerations are at different l

9、evels of abstraction: low-level observables, mid-level behaviours and high-level taxonomies. Recommendation ITU-T X.1546, which is the initial version of MAEC, focuses on the creation of the enumeration of low-level malware attributes, and leverages the few instances of similar work already done in

10、this area. Thus it will initially be capable of characterizing the most common malware types, including Trojans, worms and rootkits, but it will ultimately be applicable to more esoteric malware types. History Edition Recommendation Approval Study Group Unique ID*1.0 ITU-T X.1546 2014-01-24 17 11.10

11、02/1000/12038 _ *To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii Rec. ITU-T X.1546 (01/2014) FOREWORD The International Telecommunication

12、Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff question

13、s and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on

14、 these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the

15、expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or appl

16、icability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with

17、the Recommendation is required of any party. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applica

18、bility of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to impleme

19、nt this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any mean

20、s whatsoever, without the prior written permission of ITU. Rec. ITU-T X.1546 (01/2014) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Recommendation . 1 4 Abbreviations and acronyms 2 5 Conventions 3 6 High-level requireme

21、nts . 3 7 Correctness . 4 8 Documentation 4 9 Validity . 4 10 Specific capability requirements. 5 11 Review authority requirements . 7 12 Revocation 8 Bibliography. 9 iv Rec. ITU-T X.1546 (01/2014) Introduction Recommendation ITU-T X.1546 on the use of malware attribute enumeration and characteristi

22、cs (MAEC) is an international, information security, community standard to promote open and publicly available security content about malware and malware behaviours. This Recommendation also aims to standardize the transfer of this information across the entire spectrum of security tools and service

23、s that can be used to monitor and manage defences against malware. MAEC is a language used to encode malware relevant details. The MAEC language aims to: 1) improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware, 2) reduce potential duplication of malware

24、analysis efforts by researchers, and 3) allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. Threat analysis, intrusion detection, and incident management are processes that deal with all manners of cyberthreats.

25、MAEC, through its uniform encoding of malware attributes, provides a standardized format for the incorporation of actionable information regarding malware in these processes. Malicious software also called “malware“ has existed in one form or another since the advent of the first PC virus in 1971. I

26、t is presently responsible for a host of malicious activities, ranging from the vast majority of spam email distribution through botnets, to the theft of sensitive information via targeted social engineering attacks. Effectively an autonomous agent operating on behalf of the attacker, malware has th

27、e ability to perform any action that is capable of being expressed in code, and as such it represents a prodigious threat to cybersecurity. The protection of computer systems from malware is therefore currently one of the most important information security concerns for organizations and individuals

28、 because even a single instance of uncaught malware can result in damaged systems and compromised data. Being disconnected from a computer network does not completely mitigate this risk of infection, as exemplified by malware that makes use of USB as its insertion vector. As such, the main focus of

29、the majority of anti-malware efforts to date has been on preventing damaging effects through early detection. There are currently several common methods used for malware detection, based mainly on physical signatures and heuristics. These methods are effective in terms of their narrow scope, althoug

30、h they have their own individual drawbacks, such as the fact that signatures are unsuitable for dealing with zero-day, targeted, polymorphic and other forms of emerging malware. Similarly, heuristic detection may be able to generically detect certain types of malware while missing those that it does

31、 not have patterns for, such as kernel-level rootkits. Therefore, it would be safe to say that these methods, while still useful, cannot be exclusively relied upon to deal with the current influx of malware. Malware attribute enumeration and characterization (MAEC, pronounced “mike“) aims to elimina

32、te the ambiguity and inaccuracy that currently exists in malware descriptions and to reduce reliance on signatures. In this way, MAEC seeks to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts

33、by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. As will be illustrated, the MAEC language enables correlation, integration and automation for sharing structured information about malware b

34、ased upon attributes such as behaviours, artefacts and attack patterns. As shown in Figure 1, MAEC is composed of a data model that spans several interconnected schemas, thus representing the grammar that defines the language. These schemas permit different forms of MAEC output to be generated, whic

35、h can be considered as specific uses of the aforementioned grammar. Rec. ITU-T X.1546 (01/2014) v Figure 1 High-level MAEC overview The MAEC container, MAEC package and MAEC bundle schemas are targeted at different use cases and thus capture different types of malware-related information. The MAEC l

36、anguage is related to both the cyber-observable expression (CybOX) language and to the IEEE ICSGs malware metadata exchange format (MMDEF). CybOX is a standardized language for the specification, capture, characterization and communication of events or stateful properties that are observable in the

37、operational domain. Cyber-observables apply to numerous domains: threat assessment and characterization (detailed attack patterns), malware characterization, operational event management, logging, cyber situational awareness, incident response, digital forensics, and cyberthreat information sharing,

38、 among others. Almost every field in CybOX is optional, so one can use whatever is appropriate and ignore the rest. CybOX can be used to specify and characterize a wide range of cyber objects and can be used to define relational and logical compositions of multiple objects, actions, events, and/or o

39、bservables. Malware characterization with MAEC relies on the common mechanism (structure and content) that CybOX provides for addressing cyber-observables across and among MAECs full range of use cases. Whereas MAEC provides analysis context, indicators, behaviours, and mechanisms, CybOX provides ge

40、neral actions and objects used in the operational cyber domain. A cyber-observable is a measurable event or stateful property in the cyber domain. Examples of measurable events include registry key creation, file deletion, and the reception of an HTTP GET request; examples of stateful properties inc

41、lude the MD5 hash of a file, the value of a registry key, and the existence of a mutex. MAEC imports and extends the CybOX object and action. An extremely simplified overview of the CybOX schema is shown in Figure 2; the CybOX components that MAEC uses are shown in green. vi Rec. ITU-T X.1546 (01/20

42、14) .X.1546(14)_F02ObservableEventObjectActionTypeNameAssociatedobjectAssociation typeFileProcessMemoryGUIPropertiesAddressLibrarySystemFigure 2 Cyber-observable expression (CybOX) schema: simple overview The CybOX properties construct is an abstract placeholder for various predefined Object type sc

43、hemas (e.g., file, process, memory) that can be instantiated in its place. Properties schemas, shown in light blue, are maintained independently of the core CybOX schema. MMDEF is being developed by the Institute of Electrical and Electronics Engineers (IEEE) Industry Connections Security Group (ICS

44、G). The development of the original schema was led primarily by a group of antivirus (AV) product vendors for the purpose of having some way to augment shared malware samples with additional metadata. As such, it permits the characterization of some static features like hashes and file names, along

45、with some very basic behavioural features. The information security community contributes to the development of MAEC by participating in the creation of the MAEC language on the MAEC developers discussion lists and collaboration portal and by integrating the MAEC language into their tools and reposi

46、tory capabilities. The MAEC community includes representatives from a broad spectrum of industry, academia and government organizations from around the world that oversees and collaborates on the MAEC language and the MAEC utilities and tools through the MAEC publicly available repository. This mean

47、s that MAEC reflects the insights and combined expertise of the broadest possible collection of malware analysis and prevention professionals worldwide. This Recommendation has been developed on a collaborative basis with The MITRE Corporation bearing in mind the importance of maintaining, to the ex

48、tent possible, technical compatibility between this Recommendation and the “Requirements and Recommendation for MAEC Compatibility“, version 1.1, 7 July 2013 https:/maec.mitre.org/compatible/Requirements_for_MAEC_Compatibility_V1.1.pdf. Rec. ITU-T X.1546 (01/2014) 1 Recommendation ITU-T X.1546 Malwa

49、re attribute enumeration and characterization 1 Scope This Recommendation provides a structured means to promote open and publicly available security content about malware and malware behaviours, and to standardize the transfer of this information across the entire spectrum of security tools and services that can be used to monitor and manage defences against malware. 2 References The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute