
Schema Documentation - Schema Version 3.5

Document version: 3.5    Date: 2023-01-24

This is a draft document. It is intended to support maintenance of CAPEC, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2023, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.

Author: CAPEC Team
URL: http://capec.mitre.org/documents/schema/index.html


AbstractionEnumeration

Schema path: AbstractionEnumeration

The AbstractionEnumeration simple type defines the different abstraction levels that apply to an attack pattern. A Meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A Meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A Meta level attack pattern is a generalization of a related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.

A Standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A Standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A Standard level attack pattern is a specific type of a more abstract meta level attack pattern.

A Detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A Detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.


AlternateTermsType

Schema path: AlternateTermsType

The AlternateTermsType complex type indicates one or more other names used to describe this attack pattern. The required Term element contains the actual alternate term. The required Description element provides context for each alternate term by which this attack pattern may be known.


AttackPatternType

Schema path: AttackPatternType

An attack pattern is an abstraction mechanism for helping describe how an attack is executed. Each pattern defines a challenge that an attacker may face, provides a description of the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns help categorize attacks in a meaningful way in an effort to provide a coherent way of teaching designers and developers how their systems may be attacked and how they can effectively defend them.

The required Description element represents a high level description of the attack pattern. The description should be no longer than a few sentences and should include how malicious input is initially supplied, the weakness being exploited, and the resulting negative technical impact. A full step by step description does not belong as part of the description, but rather in the optional Execution_Flow element. The optional Extended_Description element provides a place for additional details important to this attack pattern, but that are not necessary to convey the fundamental concept behind the attack pattern. The optional Typical_Severity element is used to capture an overall average severity value for attacks that leverage this attack pattern with the understanding that it will not be completely accurate for all attacks. The optional Likelihood_Of_Attack element is used to capture an average likelihood that an attack that leverages this attack pattern will succeed with the understanding that it will not be completely accurate for all attacks. A number of other optional elements are available, each of which is described in more detail within the corresponding complexType that it references.

The required ID attribute provides a unique identifier for the attack pattern. It is considered static for the lifetime of the entry. If this entry becomes deprecated, the identifier should not be reused and a placeholder for the deprecated attack pattern should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what the attack pattern represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Abstraction attribute defines the abstraction level for this attack pattern. The required Status attribute defines the status level for this view. Please refer to the related simple types for a more detailed description of what information these attributes provide and a list of valid values and their meanings.


Attack Pattern Catalog

Schema path: Attack Pattern Catalog

The Attack_Pattern_Catalog root element is used to hold an enumerated catalog of common attack patterns. Each catalog can be organized by optional Views and Categories. The catalog also contains a list of all External_References that may be shared throughout the individual attack patterns. The required Name and Version attributes are used to uniquely identify the catalog. The required Date attribute identifies the date when this catalog was created or last updated.


AudienceType

Schema path: AudienceType

The AudienceType complex type provides a reference to the target stakeholders or groups for a view. For each stakeholder, the required Type element specifies the type of members that might be interested in the view. The required Description element provides some text describing what properties of the view this particular stakeholder might find useful.


CategoryType

Schema path: CategoryType

A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms; such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.

The required Summary element should be short and limited to the key points that define the category. The optional Relationships element is used to define relationships with attack patterns, categories, and views. The optional Taxonomy_Mappings element is used to relate this category to similar categories in taxonomies outside of CAPEC. The optional References element is used to provide further reading and insight into this category. This should be used when the category is based on external sources or projects. The optional Notes element is used to provide any additional comments that cannot be captured using the other elements of the category. The optional Content_History element is used to keep track of the original author of the category and any subsequent modifications to the content. This provides a means of contacting the authors and modifiers for clarifying ambiguities, merging overlapping contributions, etc.

The required ID attribute provides a unique identifier for the category. It is meant to be static for the lifetime of the category. In the event that the category becomes deprecated, the identifier should not be reused and a placeholder for the deprecated category should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what characteristic this category represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Status attribute defines the status level for this category. Please refer to the StatusEnumeration simple type for a list of valid values and their meanings.


ConsequencesType

Schema path: ConsequencesType

The ConsequencesType complex type is used to specify individual consequences associated with an attack pattern. The required Scope element identifies the security property that is violated. The optional Impact element describes the technical impact that arises if an adversary succeeds in their attack. The optional Likelihood element identifies how likely the specific consequence is expected to be seen relative to the other consequences. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be used to achieve a different impact. The optional Note element provides additional commentary about a consequence.

The optional Consequence_ID attribute is used by the internal CAPEC team to uniquely identify consequences that are repeated across any number of individual patterns. To help make sure that the details of these common consequences stay synchronized, the Consequence_ID is used to quickly identify those examples across CAPEC that should be identical. The identifier is a string and should match the following format: CC-1.


ContentHistoryType

Schema path: ContentHistoryType

The ContentHistoryType complex type provides elements to keep track of the original author of an entry and any subsequent modifications to the content. The optional Submission element is used to identify the submitter, their organization, the date, and any comments related to an entry. The optional Modification element is used to identify a modifier's name, organization, the date, and any related comments. A new Modification element should exist for each change made to the content. Modifications that change the meaning of the entry, or how it might be interpreted, should be marked with an importance of critical to bring it to the attention of anyone previously dependent on the attack pattern. The optional Contribution element is used to identify a contributor's name, organization, the date, and any related comments. This element has a single Type attribute, which indicates whether the contribution was part of general feedback given or actual content that was donated. The optional Previous_Entry_Name element is used to describe a previous name that was used for the entry. This should be filled out whenever a substantive name change occurs. The required Date attribute lists the date on which this name change was made. A Previous_Entry_Name element should align with a corresponding Modification element.


ExampleInstancesType

Schema path: ExampleInstancesType

The ExampleInstancesType complex type is used to describe one or more example instances of the attack pattern. An example helps the reader understand the nature, context and variability of the attack in more practical and concrete terms.


ExcludeRelatedType

Schema path: ExcludeRelatedType

Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this relationship is not applicable.


ExecutionFlowType

Schema path: ExecutionFlowType

The ExecutionFlowType complex type is used to provide a detailed step by step flow of an attack pattern. It lists the steps typically performed by an adversary when leveraging the given technique. This element is usually only applicable to attack patterns with an abstraction level of detailed.


ExternalReferenceType

Schema path: ExternalReferenceType

The ExternalReferenceType complex type defines a collection of elements that provide a pointer to where more information and deeper insight can be obtained. Examples would be a research paper or an excerpt from a publication.

Not all of the elements need to be used, since some are designed for web references and others are designed for book references. The Author and Title elements should be filled out for all references if possible; Author is optional, but Title is required. The optional Edition element identifies the edition of the material being referenced in the event that multiple editions of the material exist. If the reference is part of a magazine or journal, the Publication element should be used to identify the name of the publisher. The optional Publication_Year, Publication_Month, Publication_Day, and Publisher elements should be used to more specifically identify the publication via its date and publisher. The year must follow the YYYY format while the month must follow the --MM format and the day must follow the ----DD format. The URL and URL_Date elements are used to capture a URL for the material being referenced, if one exists, and the date when the URL was validated to exist.

The required Reference_ID attribute exists to provide a globally unique identifier for the reference (e.g., REF-1). The ID is used by other entities to link to this external reference.


ImportanceEnumeration

Schema path: ImportanceEnumeration

The ImportanceEnumeration simple type lists different values for importance.


IndicatorsType

Schema path: IndicatorsType

The IndicatorsType complex type is used to describe activities, events, conditions or behaviors that may indicate that an attack leveraging this attack pattern is imminent, in progress, or has occurred. Each individual Indicator element provides a textual description of the indicator.


LikelihoodEnumeration

Schema path: LikelihoodEnumeration

The LikelihoodEnumeration simple type contains a list of values corresponding to different likelihoods. The value "Unknown" should be used when the actual likelihood of something occurring is not known.


MitigationsType

Schema path: MitigationsType

The MitigationsType complex type is used to describe actions or approaches to prevent or mitigate the risk of an attack that leverages this attack pattern. The approaches described in each individual mitigation child element should help improve the resiliency of the target system, reduce its attack surface, or reduce the impact of the attack if it is successful.


NoteTypeEnumeration

Schema path: NoteTypeEnumeration

The NoteTypeEnumeration simple type defines the different types of notes that can be associated with an attack pattern. A "Maintenance" note contains significant maintenance tasks within this entry that still need to be addressed, such as clarifying the concepts involved or improving relationships. A "Relationship" note provides clarifying details regarding the relationships between entities. A "Research Gap" note identifies potential opportunities for the research community to conduct further exploration of issues related to this attack pattern. A "Terminology" note contains a discussion of terminology issues related to this attack pattern, or clarifications when there is no established terminology, or if there are multiple uses of the same key term.


NotesType

Schema path: NotesType

The NotesType complex type contains one or more note elements, each of which is used to provide any additional comments about an entry that cannot be captured using other elements.


PrerequisitesType

Schema path: PrerequisitesType

The PrerequisitesType complex type indicates one or more prerequisites for an attack and is used to provide a description of the conditions that must exist in order for an attack of this type to succeed.


ReferencesType

Schema path: ReferencesType

The ReferencesType complex type contains one or more reference elements, each of which is used to link to an external reference defined within the catalog. The required External_Reference_ID attribute represents the external reference entry being linked to (e.g., REF-1). Text or quotes within the same entity can cite this External_Reference_ID similar to how a footnote is used, and should use the format [REF-1]. The optional Section attribute holds any section title or page number that is specific to this use of the reference.
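The linkage described under ExternalReferenceType and ReferencesType can be checked mechanically before a catalog is consumed by other tooling. The following is an added example, not part of the CAPEC documentation or MITRE's tooling: it assumes the elements are named External_Reference and Reference (the page names only the External_References list and the Reference_ID, External_Reference_ID and Section attributes), and it runs on a constructed catalog fragment.

```python
import re
import xml.etree.ElementTree as ET

CITE = re.compile(r"\[(REF-\d+)\]")            # inline citation such as [REF-1]
ENTRY_TAGS = {"Attack_Pattern", "Category", "View"}

# Constructed catalog fragment: IDs, names and titles are made up.
# Assumed element names: External_Reference (catalog level), Reference (per entry).
SAMPLE = """\
<Attack_Pattern_Catalog Name="Constructed" Version="0.0" Date="2023-01-24">
 <Attack_Patterns>
  <Attack_Pattern ID="1" Name="Pattern A" Abstraction="Meta" Status="Draft">
   <Description>Summary citing a source [REF-1] and another [REF-3].</Description>
   <References>
    <Reference External_Reference_ID="REF-1" Section="Chapter 2"/>
    <Reference External_Reference_ID="REF-9"/>
   </References>
  </Attack_Pattern>
 </Attack_Patterns>
 <External_References>
  <External_Reference Reference_ID="REF-1"><Title>Constructed Title One</Title></External_Reference>
  <External_Reference Reference_ID="REF-2"><Title>Constructed Title Two</Title></External_Reference>
  <External_Reference Reference_ID="REF-2"><Author>Constructed Author</Author></External_Reference>
 </External_References>
</Attack_Pattern_Catalog>"""


def local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without any XML namespace


def check_references(xml_text):
    """Return sorted (where, ref_id, problem) findings about reference linkage."""
    root = ET.fromstring(xml_text)
    findings, defined, used = [], set(), set()
    for ext in root.iter():
        if local(ext) != "External_Reference":
            continue
        rid = ext.get("Reference_ID")
        if rid in defined:  # Reference_ID is meant to be globally unique
            findings.append(("catalog", rid, "Reference_ID is not unique"))
        defined.add(rid)
        if not any(local(c) == "Title" and (c.text or "").strip() for c in ext):
            findings.append(("catalog", rid, "required Title is missing"))
    for entry in root.iter():
        if local(entry) not in ENTRY_TAGS:
            continue
        where = f"{local(entry)} {entry.get('ID')}"
        linked = {r.get("External_Reference_ID")
                  for r in entry.iter() if local(r) == "Reference"}
        cited = set(CITE.findall("".join(entry.itertext())))
        used |= linked
        findings += [(where, r, "linked reference is not defined") for r in linked - defined]
        findings += [(where, r, "cited in text but not linked") for r in cited - linked]
    findings += [("catalog", r, "defined but never linked") for r in defined - used]
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_references(SAMPLE):
        print(*finding, sep=" | ")
```

The standard-library parser is not hardened against maliciously constructed XML, so a catalog obtained from an untrusted source is better parsed with a hardened parser such as defusedxml.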


RelatedAttackPatternType

Schema path: RelatedAttackPatternType

The RelatedAttackPatternType complex type is used to refer to other attack patterns and give insight to similar items that may exist at higher and lower levels of abstraction. It contains one or more Related_Attack_Pattern elements, each of which is used to link to the CAPEC identifier of the other attack pattern. The nature of the relation is also captured by the Nature attribute. Please see the RelatedNatureEnumeration simple type definition for details about the valid values and meanings. Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this Related_Attack_Pattern relationship is not applicable.


RelatedNatureEnumeration

Schema path: RelatedNatureEnumeration

The RelatedNatureEnumeration simple type defines the different values that can be used to define the nature of a related attack pattern. A ChildOf nature denotes a related attack pattern as a higher level of abstraction. A ParentOf nature denotes a related attack pattern as a lower level of abstraction. The CanPrecede and CanFollow relationships are used to denote attack patterns that are part of a chaining structure. The CanAlsoBe relationship denotes an attack pattern that, in the proper environment and context, can also be perceived as the target attack pattern. Note that the CanAlsoBe relationship is not necessarily reciprocal. The PeerOf relationship is used to show some similarity with the target attack pattern which does not fit any of the other types of relationships.
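For threat-modeling tooling that rolls Detailed patterns up to their Standard and Meta ancestors, the ChildOf and Exclude_Related semantics above determine what the roll-up returns. The following is an added example, not part of the CAPEC documentation or MITRE's tooling: it walks ChildOf edges on a constructed catalog fragment and lints the relationships. It assumes the attribute names CAPEC_ID (on Related_Attack_Pattern) and Exclude_ID (on Exclude_Related), and it interprets an Exclude_Related as pruning the named ancestor from everything reached through that one edge.

```python
import xml.etree.ElementTree as ET

NATURES = {"ChildOf", "ParentOf", "CanPrecede", "CanFollow", "CanAlsoBe", "PeerOf"}
RANK = {"Meta": 0, "Standard": 1, "Detailed": 2}  # smaller number = more abstract

# Constructed catalog fragment: IDs and names are made up, not real CAPEC entries.
# Assumed names: CAPEC_ID on Related_Attack_Pattern, Exclude_ID on Exclude_Related.
SAMPLE = """\
<Attack_Pattern_Catalog Name="Constructed" Version="0.0" Date="2023-01-24">
 <Attack_Patterns>
  <Attack_Pattern ID="1" Name="Meta A" Abstraction="Meta" Status="Draft"/>
  <Attack_Pattern ID="2" Name="Meta B" Abstraction="Meta" Status="Draft"/>
  <Attack_Pattern ID="3" Name="Meta C" Abstraction="Meta" Status="Draft">
   <Related_Attack_Patterns><Related_Attack_Pattern CAPEC_ID="101" Nature="ChildOf"/></Related_Attack_Patterns>
  </Attack_Pattern>
  <Attack_Pattern ID="10" Name="Standard A" Abstraction="Standard" Status="Draft">
   <Related_Attack_Patterns>
    <Related_Attack_Pattern CAPEC_ID="1" Nature="ChildOf"/>
    <Related_Attack_Pattern CAPEC_ID="2" Nature="ChildOf"/>
   </Related_Attack_Patterns>
  </Attack_Pattern>
  <Attack_Pattern ID="100" Name="Detailed A" Abstraction="Detailed" Status="Draft">
   <Related_Attack_Patterns>
    <Related_Attack_Pattern CAPEC_ID="10" Nature="ChildOf">
     <Exclude_Related Exclude_ID="2"/>
    </Related_Attack_Pattern>
    <Related_Attack_Pattern CAPEC_ID="101" Nature="CanPrecede"/>
   </Related_Attack_Patterns>
  </Attack_Pattern>
  <Attack_Pattern ID="101" Name="Detailed B" Abstraction="Detailed" Status="Draft">
   <Related_Attack_Patterns><Related_Attack_Pattern CAPEC_ID="999" Nature="ChildOf"/></Related_Attack_Patterns>
  </Attack_Pattern>
 </Attack_Patterns>
</Attack_Pattern_Catalog>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without any XML namespace

def load_patterns(xml_text):
    """Map pattern ID -> {"abstraction", "edges": [(nature, target_id, excluded_ids)]}."""
    patterns = {}
    for ap in (e for e in ET.fromstring(xml_text).iter() if local(e) == "Attack_Pattern"):
        edges = [(rel.get("Nature"), rel.get("CAPEC_ID"),
                  frozenset(x.get("Exclude_ID") for x in rel if local(x) == "Exclude_Related"))
                 for rel in ap.iter() if local(rel) == "Related_Attack_Pattern"]
        patterns[ap.get("ID")] = {"abstraction": ap.get("Abstraction"), "edges": edges}
    return patterns

def ancestors(patterns, pid):
    """IDs reachable from pid over ChildOf edges, honoring Exclude_Related on each edge."""
    seen, stack = set(), [(pid, frozenset())]
    while stack:
        cur, excluded = stack.pop()
        for nature, target, excl in patterns.get(cur, {}).get("edges", ()):
            state = (target, excluded | excl)  # exclusions accumulate along the path
            if nature != "ChildOf" or target not in patterns or target in state[1] or state in seen:
                continue
            seen.add(state)  # also guards against ChildOf cycles
            stack.append(state)
    return {target for target, _ in seen}

def lint(patterns):
    """Return (source_id, target_id, problem) for edges that break the documented rules."""
    findings = []
    for pid, p in sorted(patterns.items()):
        for nature, target, _ in p["edges"]:
            if nature not in NATURES:
                findings.append((pid, target, "unknown Nature"))
            elif target not in patterns:
                findings.append((pid, target, "dangling CAPEC_ID"))
            elif (nature == "ChildOf" and RANK.get(patterns[target]["abstraction"], 0)
                  > RANK.get(p["abstraction"], 2)):
                findings.append((pid, target, "ChildOf target is less abstract"))
    return findings
```

On the sample, `ancestors(load_patterns(SAMPLE), "100")` omits pattern 2 because the edge to pattern 10 excludes it, while pattern 10 on its own still reports both Meta parents.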


RelatedWeaknessesType

Schema path: RelatedWeaknessesType

The RelatedWeaknessesType complex type contains references to weaknesses associated with this attack pattern. The association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.


RelationshipsType

Schema path: RelationshipsType

The RelationshipsType complex type provides elements to show the relationships associated with categories. The Member_Of element is used to show memberOf relationship with a given view or category. The Has_Member element is used to show a hasMember relationship with a given attack pattern or category. In both cases, the required CAPEC_ID attribute specifies the unique CAPEC ID that is the target entry of the relationship. Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this relationship is not applicable.


RequiredResourcesType

Schema path: RequiredResourcesType

The RequiredResourcesType complex type is used to describe the resources (e.g., CPU cycles, IP addresses, tools) required by an adversary to effectively execute this type of attack.


ScopeEnumeration

Schema path: ScopeEnumeration

The ScopeEnumeration simple type defines the different areas of software security that can be affected by exploiting a weakness.


SeverityEnumeration

Schema path: SeverityEnumeration

The SeverityEnumeration simple type contains a list of values corresponding to different severities.


SkillLevelEnumeration

Schema path: SkillLevelEnumeration

The SkillLevelEnumeration simple type contains a list of values corresponding to different knowledge levels required to perform an attack. The value "Unknown" should be used when the actual skill level is not known.


SkillsType

Schema path: SkillsType

The SkillsType complex type is used to describe the level of skills or specific knowledge needed by an adversary to execute this type of attack.


StakeholderEnumeration

Schema path: StakeholderEnumeration

The StakeholderEnumeration simple type defines the different types of users within the CAPEC community.


StatusEnumeration

Schema path: StatusEnumeration

The StatusEnumeration simple type defines the different status values that an entity (view, category, attack pattern) can have.


StructuredTextType

Schema path: StructuredTextType

The StructuredTextType complex type is used to allow XHTML content embedded within standard string data. Some common elements are: <BR/> to insert a line break, <UL><LI/></UL> to create a bulleted list, <OL><LI/></OL> to create a numbered list, and <DIV style="margin-left: 40px"></DIV> to create a new indented section.


TaxonomyMappingFitEnumeration

Schema path: TaxonomyMappingFitEnumeration

The TaxonomyMappingFitEnumeration simple type defines the different values used to describe how close a certain mapping to CAPEC is.


TaxonomyMappingsType

Schema path: TaxonomyMappingsType

The TaxonomyMappingsType complex type is used to provide a mapping from an entry (Attack Pattern or Category) in CAPEC to an equivalent entry in a different taxonomy. The required Taxonomy_Name attribute identifies the taxonomy to which the mapping is being made. The Entry_ID and Entry_Name elements identify the ID and name of the entry which is being mapped. The Mapping_Fit element identifies how close the CAPEC is to the entry in the taxonomy.


TaxonomyNameEnumeration

Schema path: TaxonomyNameEnumeration

The TaxonomyNameEnumeration simple type lists the different known taxonomies that can be mapped to CAPEC.


TechnicalImpactEnumeration

Schema path: TechnicalImpactEnumeration

The ImpactEnumeration simple type defines the different negative technical impacts that can result from an attack leveraging a given attack pattern. A negative technical impact is the specific effect of successfully violating a reasonable security policy for the system or network.


ViewType

Schema path: ViewType

A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views as defined by the Type attribute: graphs, explicit slices, and implicit slices.

The required Objective element describes the perspective from which the view has been constructed. The optional Audience element provides a reference to the target stakeholders or groups for whom the view is most relevant. The members of a view are either defined externally through memberOf relationships (in the case of a graph or an explicit slice, see the relationships elements of categories) or by the optional Filter element (in the case of an implicit slice). The Filter element holds an XSL query for identifying which attack patterns are members of an implicit slice. The optional References element is used to provide further reading and insight into this view. This should be used when the view is based on external sources or projects. The optional Notes element is used to provide any additional comments that cannot be captured using the other elements of the view. The optional Content_History element is used to keep track of the original author of the view and any subsequent modifications to the content. This provides a means of contacting the authors and modifiers for clarifying ambiguities, merging overlapping contributions, etc.

The required ID attribute provides a unique identifier for the view. It is meant to be static for the lifetime of the view. In the event that the view becomes deprecated, the identifier should not be reused and a placeholder for the deprecated view should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what perspective this view represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Type attribute describes how this view is being constructed. Please refer to the ViewTypeEnumeration simple type for a list of valid values and their meanings. The required Status attribute defines the status level for this view. Please refer to the StatusEnumeration simple type for a list of valid values and their meanings.


ViewTypeEnumeration

Schema path: ViewTypeEnumeration

The ViewTypeEnumeration simple type defines the different types of views that can be found within CAPEC. A graph is a hierarchical representation of attack patterns based on a specific vantage point that a user may take. The hierarchy often starts with a category, followed by a meta/standard attack pattern, and ends with a detailed attack pattern. An explicit slice is a subset of attack patterns that are related through some external factor. For example, a view may be used to represent mappings to external groupings like a Top-N list. An implicit slice is a subset of attack patterns that are related through a specific attribute. For example, a slice may refer to all attack patterns in draft status, or all existing meta attack patterns.

Page Last Updated or Reviewed: October 28, 2016