Capturing dynamic malware behavior in a practical but still semantically precise manner remains a significant challenge in cyber threat intelligence. While standards such as MAEC and STIX provide widely adopted vocabularies for describing malware artifacts and observations, they represent data in structures of considerable complexity that often obscure important ontological distinctions. In particular, they tend to conflate enduring malware artifacts with the events generated during execution, thereby flattening distinctions that are central to foundational standards for ontology design. In this paper, we conduct a foundational ontological analysis of the core MAEC and STIX constructs relevant to dynamic malware analysis, using the Unified Foundational Ontology (UFO) as a theoretical lens. Our analysis reveals ontological mismatches arising from the conflation of artifacts, dispositions, and runtime events in MAEC and STIX; these mismatches complicate the coherent representation of dynamic malware behavior and, from a practical perspective, limit the ability to reason about execution traces. Based on these insights, we propose MAECO-Lite, a lightweight ontology designed to represent data for dynamic malware analysis and to operationalize its processing. The ontology adopts a modular structure centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques, while maintaining a clear separation between enduring entities and runtime events. An initial evaluation using description logic concept learning algorithms shows that the simplified ontology significantly improves learning performance, demonstrating that ontologically grounded modelling can enhance both semantic clarity and computational usability.
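As an added illustration (not the paper's MAECO-Lite ontology or its code), the following Python model keeps endurants (processes, system artifacts) separate from timestamped actions, parses a constructed sandbox trace, and answers a trace-level question that depends on that separation: which artifact was written by one process in the sample's tree and later read by another. The type names, log format and ATT&CK labels on the sample lines are assumptions of this example.

```python
from collections import namedtuple

# Endurants: identity persists across the run (hypothetical model, not the paper's classes).
Process = namedtuple("Process", "pid ppid image")
SystemArtifact = namedtuple("SystemArtifact", "kind name")   # kind: file | registry | network
# Runtime event: occurs once, at time t, by one Process, on one artifact; technique = ATT&CK ID or None.
Action = namedtuple("Action", "t actor verb target technique")

# Constructed sandbox log lines (not real sample data): t|pid|ppid|image|verb|kind|name|technique
TRACE = [
    "1|100|1|sample.exe|write|file|C:\\Users\\Public\\run.vbs|T1059.005",
    "2|100|1|sample.exe|write|registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd|T1547.001",
    "3|200|100|wscript.exe|read|file|C:\\Users\\Public\\run.vbs|",
    "4|200|100|wscript.exe|connect|network|203.0.113.10:443|T1071.001",
    "5|300|1|explorer.exe|read|file|C:\\Users\\Public\\notes.txt|",
]

def parse_trace(lines):
    """Deduplicate endurants by identity; keep every event as its own Action."""
    procs, artifacts, actions = {}, {}, []
    for line in lines:
        t, pid, ppid, image, verb, kind, name, tech = line.split("|")
        proc = procs.setdefault(int(pid), Process(int(pid), int(ppid), image))
        art = artifacts.setdefault((kind, name), SystemArtifact(kind, name))
        actions.append(Action(int(t), proc, verb, art, tech or None))
    return procs, sorted(actions, key=lambda a: a.t)

def process_tree(procs, root_pid):
    """PIDs of the sample's process and all of its descendants."""
    tree, frontier = {root_pid}, [root_pid]
    while frontier:
        pid = frontier.pop()
        for p in procs.values():
            if p.ppid == pid and p.pid not in tree:
                tree.add(p.pid)
                frontier.append(p.pid)
    return tree

def techniques(actions, tree):
    """ATT&CK techniques evidenced anywhere in the sample's process tree."""
    return sorted({a.technique for a in actions if a.actor.pid in tree and a.technique})

def dropped_then_used(actions, tree):
    """One enduring artifact referenced by two events: written by one tree process, read later by another."""
    written, hits = {}, []
    for a in actions:   # actions are in time order
        if a.actor.pid not in tree:
            continue
        if a.verb == "write":
            written.setdefault(a.target, a.actor.pid)
        elif a.verb == "read" and written.get(a.target, a.actor.pid) != a.actor.pid:
            hits.append(a.target.name)
    return hits
```

Because the artifact is a single endurant rather than a field copied into each event, the write and the read resolve to the same object and the query is a dictionary lookup instead of a string comparison across flattened records.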