ICSG Malware Metadata Exchange Format Working Group

About the ICSG Malware Metadata Exchange Format Working Group

The Malware Metadata Exchange Format (MMDEF) Working Group is working on expanding the breadth of information able to be captured and shared about malware in a standardized fashion. The initial phases of this effort are focused on adding new capabilities to the MMDEF schema, which is currently in use by AV vendors for the purpose of augmenting shared malware samples with additional metadata.

3D virtual handshake

These capabilities include the following:

  • Attributes and metadata specific to the characterization of clean (benign) files, thus supporting the exchange of information on such files and datasets. Such exchange will allow for improved whitelisting and reduction in AV detection false positives. This portion of the effort was completed as an extension of version 1.1 of the MMDEF XSD schema, which now stands at version 1.2. The main changes were the addition of several new object types, such as a digital signature object for characterizing digitally signed binaries, as well as a software package object for the linking of files with the software packages that they may belong to. Along with these new types, many tool-extractable elements, such as the version and internal name, were added to the existing file object for their utility in whitelisting.
  • Blackbox behavioral metadata, such as the type of information captured by dynamic malware analysis tools. This will allow for the creation of a standardized format for such data, permitting correlation and clustering based on shared behavioral functionality, as well as facilitating the exchange of such information across various entities. This portion of the effort was completed as a new, behaviorally focused version of MMDEF called “MMDEF-B,” which stands at version 1.0.

The latter phase of this effort will be focused on conducting a feasibility study on the creation of a standardized system for white-box malware behavioral metadata profiling. Such a system would provide for a standard way of representing and exchanging information on malware behavior derived from instruction execution.

Working Group Participation

To participate in the Malware Metadata Exchange Format Working Group, the entity with which you are associated (company, organization, etc.) must become a member of ICSG.

Only entity members of the ICSG can have voting rights in the Working Group. Additionally, some individual subject experts may be invited to participate in the Working Group (without voting rights).


Sign up for our monthly newsletter to learn about new developments, including resources, insights and more.