MAECO-Lite: Modular Ontology for Dynamic Malware Analysis
Pith reviewed 2026-06-28 21:53 UTC · model grok-4.3
The pith
MAECO-Lite separates enduring malware entities from runtime events in a modular ontology to improve reasoning over execution traces.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Ontological mismatches in MAEC and STIX arise from conflating enduring malware artifacts with runtime events and dispositions, which limits coherent representation and reasoning about execution traces; MAECO-Lite corrects this through a modular design that maintains separation between enduring entities and runtime events, and an initial evaluation confirms that the resulting ontology produces markedly higher performance in description logic concept learning algorithms.
What carries the argument
MAECO-Lite, a lightweight modular ontology centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques that enforces separation between enduring entities and runtime events.
If this is right
- Clearer representation of dynamic malware behavior through explicit separation of enduring entities and events.
- Enhanced ability to reason coherently about execution traces.
- Improved performance when applying description logic concept learning algorithms to malware data.
- Operational processing of dynamic malware analysis data, enabled by the modular structure.
Where Pith is reading between the lines
- The modular design could be extended to incorporate additional threat intelligence vocabularies beyond MAEC and STIX.
- Similar foundational analyses might reveal comparable mismatches in other cyber threat intelligence standards.
- Real-world integration tests with existing malware sandbox outputs would provide further evidence of practical gains.
Load-bearing premise
The assumption that the identified ontological mismatches are the primary cause of limited reasoning in MAEC and STIX, and that gains in description logic concept learning performance indicate practical usability gains for dynamic malware analysis.
What would settle it
A direct comparison on the same set of malware execution traces in which MAECO-Lite produces no improvement, or a decline, in description logic concept learning performance relative to MAEC or STIX would falsify the usability claim.
Original abstract
Capturing dynamic malware behavior in a practical but still semantically precise manner remains a significant challenge in cyber threat intelligence. While standards such as MAEC and STIX provide widely adopted vocabularies for describing malware artifacts and observations, they represent data with considerable complexity in structures that often obscure important ontological distinctions. In particular, they tend to conflate enduring malware artifacts with the events generated during execution, thereby flattening distinctions that are central in foundational standards for ontology design. In this paper, we conduct a foundational ontological analysis of core MAEC and STIX constructs relevant to dynamic malware analysis relying on Unified Foundational Ontology (UFO) as a theoretical lens. Our analysis reveals some ontological mismatches arising from the conflation of artifacts, dispositions, and runtime events in MAEC and STIX that complicate coherent representation of dynamic malware behavior and, from a practical perspective, limit the ability to reason about execution traces. Based on these insights, we propose MAECO-Lite, a lightweight ontology designed to represent data and operationalize their processing for dynamic malware analysis. The ontology adopts a modular structure centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques, while maintaining a clear separation between enduring entities and runtime events. An initial evaluation using description logic concept learning algorithms shows that the simplified ontology significantly improves learning performance, demonstrating that ontologically grounded modelling can enhance both semantic clarity and computational usability.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper performs a UFO-based foundational ontological analysis of core MAEC and STIX constructs for dynamic malware analysis, identifies mismatches arising from conflation of artifacts, dispositions, and runtime events, proposes the modular MAECO-Lite ontology (centered on samples, processes, actions, system artifacts, and ATT&CK techniques with explicit separation of enduring entities from events), and reports that an initial evaluation with description-logic concept learning algorithms shows significantly improved learning performance.
Significance. If the performance claim is substantiated with concrete metrics, tasks, and controls, the work would provide evidence that ontologically grounded modular modeling can simultaneously improve semantic clarity and computational usability for reasoning over execution traces in cyber threat intelligence.
major comments (2)
- [Abstract] The central claim that MAECO-Lite 'significantly improves learning performance' is unsupported by any quantitative results, metrics, datasets, target concepts, or baselines; without these the improvement cannot be assessed or attributed to the ontological distinctions rather than reduced axiom count.
- [Evaluation section] Evaluation (presumed § on DL concept learning): no details are supplied on the learning tasks, target concepts, trace dataset, metrics, or control conditions that would isolate the effect of the UFO-derived separations from mere simplification, leaving the proxy link to practical usability in dynamic malware analysis unsecured.
minor comments (1)
- The abstract refers to 'an initial evaluation' without specifying the DL algorithms or comparison ontologies, which hinders immediate verification of the reported gain.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. The comments correctly identify that the evaluation lacks the quantitative details needed to support the performance claims. We will revise the manuscript to expand both the abstract and the evaluation section with the requested information on metrics, datasets, tasks, and controls.
Point-by-point responses
- Referee: [Abstract] The central claim that MAECO-Lite 'significantly improves learning performance' is unsupported by any quantitative results, metrics, datasets, target concepts, or baselines; without these the improvement cannot be assessed or attributed to the ontological distinctions rather than reduced axiom count.
  Authors: We accept the point. The abstract currently asserts improved performance without supporting data. In the revision we will update the abstract to include concrete metrics (e.g., learning time and accuracy deltas), the trace dataset, target concepts, and the baselines used, so that the claim can be evaluated directly and the contribution of the UFO-derived distinctions can be assessed.
  Revision: yes
- Referee: [Evaluation section] Evaluation (presumed § on DL concept learning): no details are supplied on the learning tasks, target concepts, trace dataset, metrics, or control conditions that would isolate the effect of the UFO-derived separations from mere simplification, leaving the proxy link to practical usability in dynamic malware analysis unsecured.
  Authors: We agree that the current evaluation section is insufficiently detailed. We will expand it to specify the learning tasks, the exact target concepts, the malware trace dataset, the evaluation metrics, and the control conditions (including direct comparison against the original MAEC/STIX ontologies). This will allow readers to determine whether the observed gains stem from the ontological separations rather than from axiom reduction alone.
  Revision: yes
Circularity Check
No significant circularity; the derivation relies on the external UFO and a separate empirical evaluation.
full rationale
The paper's chain begins with UFO (external foundational ontology) analysis of MAEC/STIX to identify mismatches, proposes MAECO-Lite modular structure from those insights, and reports an empirical DL concept-learning evaluation showing performance gain. No step matches self-definitional, fitted-input-called-prediction, self-citation load-bearing, uniqueness-imported-from-authors, ansatz-smuggled, or renaming patterns. The evaluation is presented as an independent check rather than a quantity forced by construction from the ontology design itself. The central claim remains non-circular because UFO is independent and the performance result is not shown to be definitionally equivalent to the input distinctions.
Axiom & Free-Parameter Ledger
axioms (1)
- Domain assumption: Unified Foundational Ontology (UFO) supplies the correct theoretical categories for distinguishing enduring entities from runtime events in malware data.
invented entities (1)
- MAECO-Lite ontology (no independent evidence)