-
Notifications
You must be signed in to change notification settings - Fork 16
/
dynamic-features.json
32 lines (32 loc) · 2.18 KB
/
dynamic-features.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{
"$schema": "http://json-schema.org/draft-04/schema#",
"definitions": {
"dynamic-features": {
"title": "DynamicFeatures",
"type": "object",
"description": "Captures the dynamic features, i.e., those that are associated with the semantics of the executed code, of a malware instance. At least one of the \"behavior_refs\" or \"action_refs\" or \"process_trees\" MUST be inlcuded when using this type.",
"properties": {
"behavior_refs": {
"type": "array",
"items": {"type": "string"},
"description": "Captures the IDs of Behaviors exhibited by the Malware Instance."
},
"action_refs": {
"type": "array",
"items": {"type": "string"},
"description": "Captures the IDs of Actions discovered for the Malware Instance. This property is intended for capturing Actions that are discovered through static analysis, reverse engineering, or other methods and therefore MUST NOT be used to reference any of the Actions that are included in the process_tree property. As such, the Actions referenced by this property are mutually exclusive with respect to the Actions referenced by the process_tree property."
},
"process_tree":{
"type": "array",
"items": {"$ref": "process-tree-node.json#/definitions/process-tree-node"},
"description": "Captures the Process Tree observed during the execution of the Malware Instance. This property may also capture Actions that are executed by a process and captured by dynamic analysis/sandboxing and therefore MUST NOT be used to reference any of the Actions that are included in the action_refs property. That is to say, the Actions referenced by this property are mutually exclusive with respect to the Actions referenced by the action_refs property."
}
},
"anyOf": [
{"required": ["behavior_refs"]},
{"required": ["action_refs"]},
{"required": ["process_tree"]}
]
}
}
}