
arxiv: 2605.31199 · v1 · pith:ZK6G2VDRnew · submitted 2026-05-29 · 💻 cs.CR · cs.AI

MAECO-Lite: Modular Ontology for Dynamic Malware Analysis

Pith reviewed 2026-06-28 21:53 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords: malware ontology · dynamic malware analysis · MAEC · STIX · execution traces · description logic · cyber threat intelligence · ontological analysis

The pith

MAECO-Lite separates enduring malware entities from runtime events in a modular ontology to improve reasoning over execution traces.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper performs a UFO-based ontological analysis of MAEC and STIX and identifies mismatches that conflate artifacts, dispositions, and events. It introduces MAECO-Lite, a lightweight modular ontology built around samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques while enforcing a clear split between enduring entities and runtime events. Evaluation with description logic concept learning algorithms shows that this simplified structure yields significantly better learning performance than the original standards.

Core claim

Ontological mismatches in MAEC and STIX arise from conflating enduring malware artifacts with runtime events and dispositions, which limits coherent representation and reasoning about execution traces; MAECO-Lite corrects this through a modular design that maintains separation between enduring entities and runtime events, and an initial evaluation confirms that the resulting ontology produces markedly higher performance in description logic concept learning algorithms.

What carries the argument

MAECO-Lite, a lightweight modular ontology centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques that enforces separation between enduring entities and runtime events.

If this is right

  • Clearer representation of dynamic malware behavior through explicit separation of enduring entities and events.
  • Enhanced ability to reason coherently about execution traces.
  • Improved performance when applying description logic concept learning algorithms to malware data.
  • Operational data processing for dynamic malware analysis enabled by the modular structure.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The modular design could be extended to incorporate additional threat intelligence vocabularies beyond MAEC and STIX.
  • Similar foundational analyses might reveal comparable mismatches in other cyber threat intelligence standards.
  • Real-world integration tests with existing malware sandbox outputs would provide further evidence of practical gains.

Load-bearing premise

The assumption that the identified ontological mismatches are the primary cause of limited reasoning in MAEC and STIX, and that gains in description logic concept learning performance indicate practical usability gains for dynamic malware analysis.

What would settle it

A direct comparison on the same set of malware execution traces in which MAECO-Lite produces no improvement, or a decline, in description logic concept learning performance relative to MAEC or STIX would falsify the usability claim.

Figures

Figures reproduced from arXiv: 2605.31199 by Ján Kľuka, Martin Homola, Monday Onoja, Peter Švec, Roderik Ploszek, Štefan Balogh, Zekeri Adams.

Figure 1. Overview of MAEC-STIX [15] techniques, static and dynamic features, capabilities, process tree nodes, analysis and signature metadata, field data, names, and development environment information. Together, these constructs allow MAEC to describe malware from multiple analytical perspectives, ranging from low-level program artifacts to higher-level behavioral and contextual information. For instance, MAEC …

Figure 2. MAEC's Structure and UFO Representation. MAEC's Malware Instance type is intended to denote a file under analysis; however, this is a misnomer, as both malicious and benign files may be analyzed. More precisely, it refers to a file whose malicious nature is determined through the analysis process. From a UFO perspective, Malware Instance is more appropriately understood as a role. In this view, a File assum…

Figure 3. MAECO-Lite Ontology. … challenges. Modularization also facilitates focusing on ontologically coherent subsets of features or comparing the efficacy of malware detection based on different feature sets. We call the resulting ontology MAECO-Lite. We view it as a first step towards a possibly larger ontology representing more features available in MAEC (including static features, further observable objects, deta…
Original abstract

Capturing dynamic malware behavior in a practical but still semantically precise manner remains a significant challenge in cyber threat intelligence. While standards such as MAEC and STIX provide widely adopted vocabularies for describing malware artifacts and observations, they represent data with considerable complexity in structures that often obscure important ontological distinctions. In particular, they tend to conflate enduring malware artifacts with the events generated during execution, thereby flattening distinctions that are central in foundational standards for ontology design. In this paper, we conduct a foundational ontological analysis of core MAEC and STIX constructs relevant to dynamic malware analysis relying on Unified Foundational Ontology (UFO) as a theoretical lens. Our analysis reveals some ontological mismatches arising from the conflation of artifacts, dispositions, and runtime events in MAEC and STIX that complicate coherent representation of dynamic malware behavior and, from a practical perspective, limit the ability to reason about execution traces. Based on these insights, we propose MAECO-Lite, a lightweight ontology designed to represent data and operationalize their processing for dynamic malware analysis. The ontology adopts a modular structure centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques, while maintaining a clear separation between enduring entities and runtime events. An initial evaluation using description logic concept learning algorithms shows that the simplified ontology significantly improves learning performance, demonstrating that ontologically grounded modelling can enhance both semantic clarity and computational usability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper performs a UFO-based foundational ontological analysis of core MAEC and STIX constructs for dynamic malware analysis, identifies mismatches arising from conflation of artifacts, dispositions, and runtime events, proposes the modular MAECO-Lite ontology (centered on samples, processes, actions, system artifacts, and ATT&CK techniques with explicit separation of enduring entities from events), and reports that an initial evaluation with description-logic concept learning algorithms shows significantly improved learning performance.

Significance. If the performance claim is substantiated with concrete metrics, tasks, and controls, the work would provide evidence that ontologically grounded modular modeling can simultaneously improve semantic clarity and computational usability for reasoning over execution traces in cyber threat intelligence.

major comments (2)
  1. [Abstract] Abstract: the central claim that MAECO-Lite 'significantly improves learning performance' is unsupported by any quantitative results, metrics, datasets, target concepts, or baselines; without these the improvement cannot be assessed or attributed to the ontological distinctions rather than reduced axiom count.
  2. [Evaluation section] Evaluation (presumed § on DL concept learning): no details are supplied on the learning tasks, target concepts, trace dataset, metrics, or control conditions that would isolate the effect of the UFO-derived separations from mere simplification, leaving the proxy link to practical usability in dynamic malware analysis unsecured.
minor comments (1)
  1. The abstract refers to 'an initial evaluation' without specifying the DL algorithms or comparison ontologies, which hinders immediate verification of the reported gain.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback. The comments correctly identify that the evaluation lacks the quantitative details needed to support the performance claims. We will revise the manuscript to expand both the abstract and the evaluation section with the requested information on metrics, datasets, tasks, and controls.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the central claim that MAECO-Lite 'significantly improves learning performance' is unsupported by any quantitative results, metrics, datasets, target concepts, or baselines; without these the improvement cannot be assessed or attributed to the ontological distinctions rather than reduced axiom count.

    Authors: We accept the point. The abstract currently asserts improved performance without supporting data. In the revision we will update the abstract to include concrete metrics (e.g., learning time and accuracy deltas), the trace dataset, target concepts, and the baselines used, so that the claim can be evaluated directly and the contribution of the UFO-derived distinctions can be assessed. revision: yes

  2. Referee: [Evaluation section] Evaluation (presumed § on DL concept learning): no details are supplied on the learning tasks, target concepts, trace dataset, metrics, or control conditions that would isolate the effect of the UFO-derived separations from mere simplification, leaving the proxy link to practical usability in dynamic malware analysis unsecured.

    Authors: We agree that the current evaluation section is insufficiently detailed. We will expand it to specify the learning tasks, the exact target concepts, the malware trace dataset, the evaluation metrics, and the control conditions (including direct comparison against the original MAEC/STIX ontologies). This will allow readers to determine whether the observed gains stem from the ontological separations rather than from axiom reduction alone. revision: yes

Circularity Check

0 steps flagged

No significant circularity; the derivation relies on external UFO and a separate empirical evaluation.

full rationale

The paper's chain begins with UFO (external foundational ontology) analysis of MAEC/STIX to identify mismatches, proposes MAECO-Lite modular structure from those insights, and reports an empirical DL concept-learning evaluation showing performance gain. No step matches self-definitional, fitted-input-called-prediction, self-citation load-bearing, uniqueness-imported-from-authors, ansatz-smuggled, or renaming patterns. The evaluation is presented as an independent check rather than a quantity forced by construction from the ontology design itself. The central claim remains non-circular because UFO is independent and the performance result is not shown to be definitionally equivalent to the input distinctions.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on the assumption that UFO provides a sound lens for identifying mismatches in MAEC and STIX and that DL concept learning performance reliably indicates practical usability; no free parameters are mentioned.

axioms (1)
  • domain assumption: Unified Foundational Ontology (UFO) supplies the correct theoretical categories for distinguishing enduring entities from runtime events in malware data.
    The paper explicitly relies on UFO as the lens for the foundational analysis of MAEC and STIX.
invented entities (1)
  • MAECO-Lite ontology (no independent evidence)
    purpose: To provide a modular, lightweight representation of dynamic malware data with clear separation between enduring entities and events.
    The ontology is newly proposed in the paper.

pith-pipeline@v0.9.1-grok · 5809 in / 1450 out tokens · 31391 ms · 2026-06-28T21:53:08.724289+00:00 · methodology


Reference graph

Works this paper leans on

34 extracted references · 7 canonical work pages

  1. [1]

    A general definition of malware

    Kramer S, Bradfield JC. A general definition of malware. Journal of Computer Virology and Hacking Techniques. 2010;6:105-14

  2. [2]

    Exploring the Effectiveness and Efficiency of LightGBM Algorithm for Windows Malware Detection

    Onoja M, Jegede A, Mazadu J, Aimufua G, Oyedele A, Olibodum K. Exploring the Effectiveness and Efficiency of LightGBM Algorithm for Windows Malware Detection. In: 2022 5th Information Technology for Education and Development (ITED); 2022. p. 1-6

  3. [3]

    Patsakis C, Arroyo D, Casino F. In: Gritzalis D, Choo KKR, Patsakis C, editors. The Malware as a Service Ecosystem. Cham: Springer Nature Switzerland; 2025. p. 371-94

  4. [4]

    EEMDS: efficient and effective malware detection system with hybrid model based on xceptioncnn and lightgbm algorithm

    Onoja M, Jegede A, Blamah NV, Olawale AV, Omotehinwa TO. EEMDS: efficient and effective malware detection system with hybrid model based on xceptioncnn and lightgbm algorithm. Journal of Computing and Social Informatics. 2022;1:42-57

  5. [5]

    Ontology-based mobile malware behavioral analysis

    Chiang HS, Tsaur WJ, et al. Ontology-based mobile malware behavioral analysis. In: IEEE Second International Conference on Social Computing (SocialCOM 2010). vol. 10; 2010

  6. [6]

    Semantic Data Representation for Explainable Windows Malware Detection Models

    Švec P, Balogh Š, Homola M, Kľuka J, Bisták T. Semantic Data Representation for Explainable Windows Malware Detection Models. CoRR. 2024;abs/2403.11669. Available from: https://doi.org/10.48550/arXiv.2403.11669

  7. [7]

    Integration of Results from Static and Dynamic Code Analysis into an Ontological Model

    Balogh Š, Galko T. Integration of Results from Static and Dynamic Code Analysis into an Ontological Model. In: 12th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, IDAACS 2023, Dortmund, Germany, September 7-9, 2023. IEEE; 2023. p. 680-5. Available from: https://doi.org/10.1...

  8. [8]

    Investigating Sharing of Cyber Threat Intelligence and Proposing A New Data Model for Enabling Automation in Knowledge Representation and Exchange

    Bromander S, Swimmer M, Muller LP, Jøsang A, Eian M, Skjøtskift G, et al. Investigating Sharing of Cyber Threat Intelligence and Proposing A New Data Model for Enabling Automation in Knowledge Representation and Exchange. Digital Threats. 2021 Oct;3(1). Available from: https://doi.org/10.1145/3458027

  9. [9]

    A taxonomy for cybersecurity standards

    Kalogeraki EM, Polemi N. A taxonomy for cybersecurity standards. Journal of Surveillance, Security and Safety. 2024;5(2). Available from: https://www.oaepublish.com/articles/jsss.2023.50

  10. [10]

    An Ontology-Based Cybersecurity Framework for AI-Enabled Systems and Applications

    Preuveneers D, Joosen W. An Ontology-Based Cybersecurity Framework for AI-Enabled Systems and Applications. Future Internet. 2024;16(3). Available from: https://www.mdpi.com/1999-5903/16/3/69

  11. [11]

    Light up that Droid! On the effectiveness of static analysis features against app obfuscation for Android malware detection

    Molina-Coronado B, Ruggia A, Mori U, Merlo A, Mendiburu A, Miguel-Alonso J. Light up that Droid! On the effectiveness of static analysis features against app obfuscation for Android malware detection. Journal of Network and Computer Applications. 2025;235:104094

  12. [12]

    A survey of strategy-driven evasion methods for PE malware: Transformation, concealment, and attack

    Geng J, Wang J, Fang Z, Zhou Y, Wu D, Ge W. A survey of strategy-driven evasion methods for PE malware: Transformation, concealment, and attack. Computers & Security. 2024;137:103595

  13. [13]

    Malware Detection Based on Static and Dynamic Features Analysis

    Xu B, Li Y, Yu X. Malware Detection Based on Static and Dynamic Features Analysis. In: Chen X, Yan H, Yan Q, Zhang X, editors. Machine Learning for Cyber Security; 2020

  14. [14]

    Capturing Malware Behaviour with Ontology-based Knowledge Graphs

    Chowdhury IR, Bhowmik D. Capturing Malware Behaviour with Ontology-based Knowledge Graphs. In: IEEE Conference on Dependable and Secure Computing, DSC 2022, Edinburgh, UK, June 22-24, 2022. IEEE; 2022. p. 1-7. Available from: https://doi.org/10.1109/DSC54232.2022.9888860

  16. [16]

    MAEC™ 5.0 Specification: Core Concepts

    MAEC Project. MAEC™ 5.0 Specification: Core Concepts. MITRE Corporation; 2017. Accessed: 2026-03-24. Available from: https://maecproject.github.io/releases/5.0/MAEC_Core_Specification.pdf

  17. [17]

    MAEC™ 5.0 Specification: Vocabularies

    MAEC Project. MAEC™ 5.0 Specification: Vocabularies. MITRE Corporation; 2017. Accessed: 2026-03-24. Available from: https://maecproject.github.io/releases/5.0/MAEC_Vocabularies_Specification.pdf

  18. [18]

    Towards Ontological Foundations for the Conceptual Modeling of Events

    Guizzardi G, Wagner G, Almeida JPA. Towards Ontological Foundations for the Conceptual Modeling of Events. In: Conceptual Modeling – 32nd International Conference (ER 2013). Lecture Notes in Computer Science. Springer; 2013. p. 327-41

  19. [19]

    Ontological foundations for structural conceptual models

    Guizzardi G. Ontological foundations for structural conceptual models [PhD thesis]. University of Twente; 2005

  20. [20]

    STIX™ Version 2.1

    Jordan B, Piazza R, Darley T. STIX™ Version 2.1. OASIS Cyber Threat Intelligence (CTI) Technical Committee; 2021. Approved 25 January 2021. Available from: https://docs.oasis-open.org/cti/stix/v2.1/cs02/stix-v2.1-cs02.html

  21. [21]

    MITRE ATT&CK; 2025

    MITRE Corporation. MITRE ATT&CK; 2025. Accessed: 2026-02-18. Available from: https://attack.mitre.org/

  22. [22]

    Reporting Results — Cuckoo Sandbox v0.3.2 Book; 2025

    Cuckoo Sandbox. Reporting Results — Cuckoo Sandbox v0.3.2 Book; 2025. Accessed: May 12, 2025. Available from: https://cuckoo.readthedocs.io/en/0.3.2/customization/reporting/

  23. [23]

    UFO: Unified Foundational Ontology

    Guizzardi G, Benevides AB, Fonseca CM, Porello D, Almeida JPA. UFO: Unified Foundational Ontology. Applied Ontology. 2022;17(1):1-44

  24. [24]

    Ontological Analysis and Design for Engineering Information Systems

    Guizzardi G, Almeida JPA, Guizzardi RSS. Ontological Analysis and Design for Engineering Information Systems. Berlin, Germany: Springer; 2015

  25. [25]

    Representing a Reference Foundational Ontology of Events in SROIQ

    Benevides AB, Guizzardi G, Braga BF, Almeida JPA. Representing a Reference Foundational Ontology of Events in SROIQ. Applied Ontology. 2019;14(3):293-334

  26. [26]

    Understanding and Modeling Prevention

    Baratella R, Guizzardi G, Almeida JPA. Understanding and Modeling Prevention. In: Research Challenges in Information Science (RCIS 2022). Springer; 2022. p. 389-405

  27. [27]

    Experimental Evaluation of Description Logic Concept Learning Algorithms for Static Malware Detection

    Švec P, Balogh Š, Homola M. Experimental Evaluation of Description Logic Concept Learning Algorithms for Static Malware Detection. In: International Conference on Information Systems Security and Privacy; 2021. Available from: https://api.semanticscholar.org/CorpusID:232106435

  28. [28]

    Dynamic Features for Robust Malware Detection: A Systematic Review, Taxonomy, and Practical Analysis Framework

    Onoja M, Anthony P, Adams Z, Galadima KR, Homola M, Balogh S, et al. Dynamic Features for Robust Malware Detection: A Systematic Review, Taxonomy, and Practical Analysis Framework. SSRN Electronic Journal. 2026. Available from:https://ssrn.com/abstract=6202682

  29. [29]

    Windows Malware Detection using Machine Learning and TF-IDF Enriched API Calls Information

    Namita, Prachi, Sharma P. Windows Malware Detection using Machine Learning and TF-IDF Enriched API Calls Information. In: 2022 Second International Conference on Computer Science, Engineering and Applications (ICCSEA); 2022. p. 1-6

  30. [30]

    User Profiling Attack Using Windows Registry Data

    Amoruso EL, Zou C, Leinecker R. User Profiling Attack Using Windows Registry Data. 2023 IEEE 14th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON). 2023:171-81

  31. [31]

    Techniques of Modern Attacks

    Shim A. Techniques of Modern Attacks. ArXiv. 2026;abs/2601.13427

  32. [32]

    DL-Learner: learning concepts in description logics

    Lehmann J. DL-Learner: learning concepts in description logics. The Journal of Machine Learning Research. 2009;10:2639-42

  33. [33]

    Ontology-based knowledge representation for malware individuals and families

    Ding Y, Wu R, Zhang X. Ontology-based knowledge representation for malware individuals and families. Comput Secur. 2019;87. Available from: https://doi.org/10.1016/j.cose.2019.101574

  34. [34]

    Ontology for Malware Behavior: A Core Model Proposal

    de Geus AGRBONVMAPL, Jino M. Ontology for Malware Behavior: A Core Model Proposal. In: 2014 IEEE 23rd International WETICE Conference, WETICE 2014, Parma, Italy, 23-25 June, 2014. IEEE Computer Society; 2014. p. 453-8. Available from: https://doi.org/10.1109/WETICE.2014.72