The Security Content Automation Protocol (SCAP) federates a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. There are a number of SCAP components such as Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Common Remediation Enumeration (CRE), Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL). Malware Attribute Enumeration and Characterization (MAEC) is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviours, artefacts, and attack patterns. These standards render data in the form of XML.
Although these standards are linked to each other, their XML schema definitions have little in common. A single common metadata schema is needed to represent the aspects that matter for designing an efficient search mechanism. This common metadata supports distribution of data across the various repositories that render SCAP content. A unique identifier and a short description are common to all security content databases.
In addition, this model makes building relations between multiple SCAP components intuitive. The distinguishing attributes of security content can be represented as a list of properties, each property being a key-value pair. For example, in the case of CVE, (CVSS, 9.4) represents the key CVSS with a score of 9.4, where CVSS is Common Vulnerability Severity Score. In this model, modifications to the schema of SCAP components can be accommodated simply by adding or deleting a property key-value pair, without changing the model. Searching on this metadata enables fast responses to queries and helps interlace the various SCAP components; e.g., OVAL references CVE, and each CVE depends on various platforms and products denoted by CPEs. The model enables Natural Language Processing (NLP) and renders meaningful responses to queries such as the most vulnerable applications, OVAL definitions, vulnerabilities in Adobe Reader in 2014, recent threats, etc. 90% of malware attacks make use of an existing vulnerability in the system. This archetype helps resolve vulnerabilities before an attack happens. Where system events are continuously monitored, the model also helps understand an incident on a machine and analyse it to determine whether it is a malware attack. It additionally helps to scrutinize which vulnerability was exploited by the malware and, most importantly, to fix that vulnerability to prevent further attacks.
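As an added illustration of the common metadata model described in the two paragraphs above (example code written for this page, not from the authors or from any SCAP toolkit), the following Python builds an in-memory index in which every record carries a unique identifier, a short description, a free-form list of key-value properties, and references to other records. All record identifiers and values are constructed placeholders, not real CVE, CPE or OVAL entries. The index shows how a schema change is absorbed by adding or removing a property without touching the model, and how the CPE -> CVE -> OVAL links answer queries such as "vulnerabilities in a given product in 2014" or "most vulnerable products".

```python
# Added example, not part of the original text: a minimal in-memory
# implementation of the common SCAP metadata model. All identifiers below
# (CVE-2014-SAMPLE1, cpe:/a:examplevendor:..., oval:example:def:1) are
# constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class SecurityContent:
    """One record: unique id, short description, key-value properties and
    references to other records (OVAL -> CVE, CVE -> CPE)."""
    content_id: str
    kind: str                       # "CVE", "CPE", "OVAL", "CCE", ...
    description: str
    properties: dict = field(default_factory=dict)
    references: set = field(default_factory=set)


class MetadataIndex:
    def __init__(self):
        self.records = {}       # id -> SecurityContent
        self.by_property = {}   # (key, value) -> set of ids
        self.incoming = {}      # id -> set of ids that reference it

    def add(self, rec):
        self.records[rec.content_id] = rec
        for kv in rec.properties.items():
            self.by_property.setdefault(kv, set()).add(rec.content_id)
        for target in rec.references:
            self.incoming.setdefault(target, set()).add(rec.content_id)

    def set_property(self, content_id, key, value):
        """A new attribute in a component's schema becomes one more property;
        the model itself does not change."""
        rec = self.records[content_id]
        old = rec.properties.get(key)
        if old is not None:
            self.by_property[(key, old)].discard(content_id)
        rec.properties[key] = value
        self.by_property.setdefault((key, value), set()).add(content_id)

    def remove_property(self, content_id, key):
        rec = self.records[content_id]
        old = rec.properties.pop(key, None)
        if old is not None:
            self.by_property[(key, old)].discard(content_id)

    def find(self, kind=None, **props):
        """Exact-match search on any combination of property key-value pairs."""
        ids = set(self.records)
        for kv in props.items():
            ids &= self.by_property.get(kv, set())
        if kind:
            ids = {i for i in ids if self.records[i].kind == kind}
        return sorted(ids)

    def referencing(self, content_id, kind=None):
        """Records that point at content_id (e.g. the CVEs affecting a CPE,
        or the OVAL definitions that check a CVE)."""
        ids = self.incoming.get(content_id, set())
        if kind:
            ids = {i for i in ids if self.records[i].kind == kind}
        return sorted(ids)

    def vulnerabilities_for_product(self, vendor, product, year=None):
        """Query of the form 'vulnerabilities in <product> in <year>':
        CPE records for the product -> CVEs referencing them -> year filter."""
        cves = set()
        for cpe in self.find(kind="CPE", vendor=vendor, product=product):
            cves |= set(self.referencing(cpe, kind="CVE"))
        if year is not None:
            cves = {c for c in cves if self.records[c].properties.get("year") == year}
        return sorted(cves)

    def most_vulnerable_products(self, top=3):
        """Query 'most vulnerable applications': CPEs ranked by CVE count."""
        counts = {cpe: len(self.referencing(cpe, kind="CVE"))
                  for cpe in self.find(kind="CPE")}
        return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def build_sample_index():
    """Constructed sample data; every identifier is a placeholder."""
    idx = MetadataIndex()
    reader, browser = "cpe:/a:examplevendor:reader:11", "cpe:/a:examplevendor:browser:30"
    idx.add(SecurityContent(reader, "CPE", "Example Reader 11",
                            {"vendor": "examplevendor", "product": "reader", "version": "11"}))
    idx.add(SecurityContent(browser, "CPE", "Example Browser 30",
                            {"vendor": "examplevendor", "product": "browser", "version": "30"}))
    idx.add(SecurityContent("CVE-2014-SAMPLE1", "CVE", "Sample flaw in Example Reader",
                            {"CVSS": 9.4, "year": 2014}, {reader}))
    idx.add(SecurityContent("CVE-2013-SAMPLE2", "CVE", "Older flaw in Example Reader",
                            {"CVSS": 6.8, "year": 2013}, {reader}))
    idx.add(SecurityContent("CVE-2014-SAMPLE3", "CVE", "Sample flaw in Example Browser",
                            {"CVSS": 7.5, "year": 2014}, {browser}))
    idx.add(SecurityContent("oval:example:def:1", "OVAL", "Checks for CVE-2014-SAMPLE1",
                            {"class": "vulnerability"}, {"CVE-2014-SAMPLE1"}))
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    print(idx.vulnerabilities_for_product("examplevendor", "reader", 2014))
    print(idx.referencing("CVE-2014-SAMPLE1", kind="OVAL"))
    print(idx.most_vulnerable_products(top=1))
```

The property index is keyed on (key, value) pairs, so a query over any attribute costs a set intersection rather than a scan of every record, and the `incoming` map is what turns the one-directional XML references (OVAL names a CVE, a CVE names CPEs) into the reverse lookups the queries in the text require.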