Common Attack Pattern Enumeration and Classification
A Community Resource for Identifying and Understanding Attacks
Schema Documentation - Schema Version 3.2
Document version: 3.2 Date: 2019-09-30
This is a draft document. It is intended to support maintenance of CAPEC, and to educate and solicit feedback from a specific technical audience. This document does not reflect any official position of the MITRE Corporation or its sponsors. Copyright © 2019, The MITRE Corporation. All rights reserved. Permission is granted to redistribute this document if this paragraph is not removed. This document is subject to change without notice.
Author: CAPEC Team
Table of Selected Content
Schema path: AbstractionEnumeration
The AbstractionEnumeration simple type defines the different abstraction levels that apply to an attack pattern. A Meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A Meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A Meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.
A Standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A Standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A Standard level attack pattern is a specific type of a more abstract meta level attack pattern.
A Detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A Detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.
Schema path: AlternateTermsType
The AlternateTermsType complex type indicates one or more other names used to describe this attack pattern. The required Term element contains the actual alternate term. The required Description element provides context for each alternate term by which this attack pattern may be known.
Schema path: AttackPatternType
An attack pattern is an abstraction mechanism for helping describe how an attack is executed. Each pattern defines a challenge that an attacker may face, provides a description of the common technique(s) used to meet the challenge, and presents recommended methods for mitigating an actual attack. Attack patterns help categorize attacks in a meaningful way in an effort to provide a coherent way of teaching designers and developers how their systems may be attacked and how they can effectively defend them.
The required Description element represents a high level description of the attack pattern. The description should be no longer than a few sentences and should include how malicious input is initially supplied, the weakness being exploited, and the resulting negative technical impact. A full step by step description does not belong as part of the description, but rather in the optional Execution_Flow element. The optional Typical_Severity element is used to capture an overall average severity value for attacks that leverage this attack pattern with the understanding that it will not be completely accurate for all attacks. The optional Likelihood_Of_Attack element is used to capture an average likelihood that an attack that leverages this attack pattern will succeed with the understanding that it will not be completely accurate for all attacks. A number of other optional elements are available, each of which is described in more detail within the corresponding complexType that it references.
The required ID attribute provides a unique identifier for the attack pattern. It is considered static for the lifetime of the entry. If this entry becomes deprecated, the identifier should not be reused and a placeholder for the deprecated attack pattern should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what the attack pattern represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Abstraction attribute defines the abstraction level for this attack pattern. The required Status attribute defines the status level for this view. Please refer to the related simple types for a more detailed description of what information these attributes provide and a list of valid values and their meanings.
Schema path: Attack Pattern Catalog
The Attack_Pattern_Catalog root element is used to hold an enumerated catalog of common attack patterns. Each catalog can be organized by optional Views and Categories. The catalog also contains a list of all External_References that may be shared throughout the individual attack patterns. The required Name and Version attributes are used to uniquely identify the catalog. The required Date attribute identifies the date when this catalog was created or last updated.
Schema path: AudienceType
The AudienceType complex type provides a reference to the target stakeholders or groups for a view. For each stakeholder, the required Type element specifies the type of members that might be interested in the view. The required Description element provides some text describing what properties of the view this particular stakeholder might find useful.
Schema path: CategoryType
A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent. (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern) An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.
The required Summary element should be short and limited to the key points that define the category. The optional Relationships element is used to define relationships with attack patterns, categories, and views. The optional Taxonomy_Mappings element is used to relate this category to similar categories in taxomomies outside of CAPEC. The optional References element is used to provide further reading and insight into this category. This should be used when the category is based on external sources or projects. The optional Notes element is used to provide any additional comments that cannot be captured using the other elements of the category. The optional Content_History element is used to keep track of the original author of the category and any subsequent modifications to the content. This provides a means of contacting the authors and modifiers for clarifying ambiguities, merging overlapping contributions, etc.
The required ID attribute provides a unique identifier for the category. It is meant to be static for the lifetime of the category. In the event that the category becomes deprecated, the identifier should not be reused and a placeholder for the deprecated category should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what characteristic this category represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Status attribute defines the status level for this category. Please refer to the StatusEnumeration simple type for a list of valid values and their meanings.
Schema path: ConsequencesType
The ConsequencesType complex type is used to specify individual consequences associated with an attack pattern. The required Scope element identifies the security property that is violated. The optional Impact element describes the technical impact that arises if an adversary succeeds in their attack. The optional Likelihood element identifies how likely the specific consequence is expected to be seen relative to the other consequences. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be used to achieve a different impact. The optional Note element provides additional commentary about a consequence.
The optional Consequence_ID attribute is used by the internal CAPEC team to uniquely identify consequences that are repeated across any number of individual patterns. To help make sure that the details of these common consequences stay synchronized, the Consequence_ID is used to quickly identify those examples across CAPEC that should be identical. The identifier is a string and should match the following format: CC-1.
Schema path: ContentHistoryType
The ContentHistoryType complex type provides elements to keep track of the original author of an entry and any subsequent modifications to the content. The optional Submission element is used to identify the submitter, their organization, the date, and any comments related to an entry. The optional Modification element is used to identify a modifier's name, organization, the date, and any related comments. A new Modification element should exist for each change made to the content. Modifications that change the meaning of the entry, or how it might be interpreted, should be marked with an importance of critical to bring it to the attention of anyone previously dependent on the attack pattern. The optional Contribution element is used to identify a contributor's name, organization, the date, and any related comments. This element has a single Type attribute, which indicates whether the contribution was part of general feedback given or actual content that was donated. The optional Previous_Entry_Name element is used to describe a previous name that was used for the entry. This should be filled out whenever a substantive name change occurs. The required Date attribute lists the date on which this name change was made. A Previous_Entry_Name element should align with a corresponding Modification element.
Schema path: ExampleInstancesType
The ExampleInstancesType complex type is used to describe one or more example instances of the attack pattern. An example helps the reader understand the nature, context and variability of the attack in more practical and concrete terms.
Schema path: ExcludeRelatedType
Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this relationship is not applicable.
Schema path: ExecutionFlowType
The ExecutionFlowType complex type is used to provide a detailed step by step flow of an attack pattern. It lists the steps typically performed by an adversary when leveraging the given technique. This element is usually only applicable to attack patterns with an abstraction level of detailed.
Schema path: ExternalReferenceType
The ExternalReferenceType complex type defines a collection of elements that provide a pointer to where more information and deeper insight can be obtained. Examples would be a research paper or an excerpt from a publication.
Not all of the elements need to be used, since some are designed for web references and others are designed for book references. The Author and Title elements should be filled out for all references if possible; Author is optional, but Title is required. The optional Edition element identifies the edition of the material being referenced in the event that multiple editions of the material exist. If the reference is part of a magazine or journal, the Publication element should be used to identify the name of the publisher. The optional Publication_Year, Publication_Month, Publication_Day, and Publisher elements should be used to more specifically identify the publication via its date and publisher. The year must follow the YYYY format while the month must follow the --MM format and the day must follow the ----DD format. The URL and URL_Date elements are used to capture a URL for the material being referenced, if one exists, and the date when the URL was validated to exist.
The required Reference_ID attribute exists to provide a globally unique identifier for the reference (e.g., REF-1). The ID is used by other entities to link to this external reference.
Schema path: ImportanceEnumeration
The ImportanceEnumeration simple type lists different values for importance.
Schema path: IndicatorsType
The IndicatorsType complex type is used to describe activities, events, conditions or behaviors that may indicate that an attack of leveraging this attack pattern is imminent, in progress, or has occurred. Each individual Indicator element provides a textual description of the indicator.
Schema path: LikelihoodEnumeration
The LikelihoodEnumeration simple type contains a list of values corresponding to different likelihoods. The value "Unknown" should be used when the actual likelihood of something occurring is not known.
Schema path: MitigationsType
The MitigationsType complex type is used to describe actions or approaches to prevent or mitigate the risk of an attack that leverages this attack pattern. The approaches described in each individual mitigation child element should help improve the resiliency of the target system, reduce its attack surface, or reduce the impact of the attack if it is successful.
Schema path: NoteTypeEnumeration
The NoteTypeEnumeration simple type defines the different types of notes that can be associated with an attack pattern. A "Maintenance" note contains significant maintenance tasks within this entry that still need to be addressed, such as clarifying the concepts involved or improving relationships. A "Relationship" note provides clarifying details regarding the relationships between entities. A "Research Gap" note identifies potential opportunities for the research community to conduct further exploration of issues related to this attack pattern. A "Terminology" note contains a discussion of terminology issues related to this attack pattern, or clarifications when there is no established terminology, or if there are multiple uses of the same key term.
Schema path: NotesType
The NotesType complex type contains one or more note elements, each of which is used to provide any additional comments about an entry that cannot be captured using other elements.
Schema path: PrerequisitesType
The PrerequisitesType complex type indicates one or more prerequisites for an attack and is used to provide a description of the conditions that must exist in order for an attack of this type to succeed.
Schema path: ReferencesType
The ReferencesType complex type contains one or more reference elements, each of which is used to link to an external reference defined within the catalog. The required External_Reference_ID attribute represents the external reference entry being linked to (e.g., REF-1). Text or quotes within the same entity can cite this External_Reference_ID similar to how a footnote is used, and should use the format [REF-1]. The optional Section attribute holds any section title or page number that is specific to this use of the reference.
Schema path: RelatedAttackPatternType
The RelatedAttackPatternType complex type is used to refer to other attack patterns and give insight to similar items that may exist at higher and lower levels of abstraction. It contains one or more Related_Attack_Pattern elements, each of which is used to link to the CAPEC identifier of the other attack pattern. The nature of the relation is also capture by the Nature attribute. Please see the RelatedNatureEnumeration simple type definition for details about the valid values and meanings. Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this Related_Attack_Pattern relationship is not applicable.
Schema path: RelatedNatureEnumeration
The RelatedNatureEnumeration simple type defines the different values that can be used to define the nature of a related attack pattern. A ChildOf nature denotes a related attack pattern as a higher level of abstraction. A ParentOf nature denotes a related attack pattern as a lower level of abstraction. The CanPrecede and CanFollow relationships are used to denote attack patterns that are part of a chaining structure. The CanAlsoBe relationship denotes a attack pattern that, in the proper environment and context, can also be perceived as the target attack pattern. Note that the CanAlsoBe relationship is not necessarily reciprocal. The PeerOf relationship is used to show some similarity with the target attack pattern which does not fit any of the other types of relationships.
Schema path: RelatedWeaknessesType
The RelatedWeaknessesType complex type contains references to weaknesses associated with this attack pattern. The association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.
Schema path: RelationshipsType
The RelationshipsType complex type provides elements to show the relationships associated with categories. The Member_Of element is used to show memberOf relationship with a given view or category. The Has_Member element is used to show a hasMember relationship with a given attack pattern or category. In both cases, the required CAPEC_ID attribute specifies the unique CAPEC ID that is the target entry of the relationship. Special cases may require any number of Exclude_Related elements to capture the CAPEC identifier of an ancestor for which this relationship is not applicable.
Schema path: RequiredResourcesType
The RequiredResourcesType complex type is used to describe the resources (e.g., CPU cycles, IP addresses, tools) required by an adversary to effectively execute this type of attack.
Schema path: ScopeEnumeration
The ScopeEnumeration simple type defines the different areas of software security that can be affected by exploiting a weakness.
Schema path: SeverityEnumeration
The SeverityEnumeration simple type contains a list of values corresponding to different severities.
Schema path: SkillLevelEnumeration
The SkillLevelEnumeration simple type contains a list of values corresponding to different knowledge levels required to perform an attack. The value "Unknown" should be used when the actual skill level is not known.
Schema path: SkillsType
The SkillsType complex type is used to describe the level of skills or specific knowledge needed by an adversary to execute this type of attack.
Schema path: StakeholderEnumeration
The StakeholderEnumeration simple type defines the different types of users within the CAPEC community.
Schema path: StatusEnumeration
The StatusEnumeration simple type defines the different status values that an entity (view, category, attack pattern) can have.
Schema path: StructuredTextType
The StructuredTextType complex type is used to allow XHTML content embedded within standard string data. Some common elements are: <BR/> to insert a line break, <UL><LI/></UL> to create a bulleted list, <OL><LI/></OL> to create a numbered list, and <DIV style="margin-left: 40px"></DIV> to create a new indented section.
Schema path: TaxonomyMappingFitEnumeration
The TaxonomyMappingFitEnumeration simple type defines the different values used to describe how close a certain mapping to CAPEC is.
Schema path: TaxonomyMappingsType
The TaxonomyMappingsType complex type is used to provide a mapping from an entry (Attack Pattern or Category) in CAPEC to an equivalent entry in a different taxonomy. The required Taxonomy_Name attribute identifies the taxonomy to which the mapping is being made. The Entry_ID and Entry_Name elements identify the ID and name of the entry which is being mapped. The Mapping_Fit element identifies how close the CAPEC is to the entry in the taxonomy.
Schema path: TaxonomyNameEnumeration
The TaxonomyNameEnumeration simple type lists the different known taxomomies that can be mapped to CAPEC.
Schema path: TechnicalImpactEnumeration
The ImpactEnumeration simple type defines the different negative technical impacts that can results from an attack leveraging a given attack pattern. A negative technical impact is the specific effect of successfully violating a reasonable security policy for the system or network.
Schema path: ViewType
A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views as defined by the Type attribute: graphs, explicit slices, and implicit slices.
The required Objective element describes the perspective from which the view has been constructed. The optional Audience element provides a reference to the target stakeholders or groups for whom the view is most relevant. The members of a view are either defined externally through memberOf relationships (in the case of a graph or an explict slice, see the relationships elements of categories) or by the optional Filter element (in the case of an implict slice). The Filter element holds an XSL query for identifying which attack patterns are members of an implicit slice. The optional References element is used to provide further reading and insight into this view. This should be used when the view is based on external sources or projects. The optional Notes element is used to provide any additional comments that cannot be captured using the other elements of the view. The optional Content_History element is used to keep track of the original author of the view and any subsequent modifications to the content. This provides a means of contacting the authors and modifiers for clarifying ambiguities, merging overlapping contributions, etc.
The required ID attribute provides a unique identifier for the view. It is meant to be static for the lifetime of the view. In the event that the view becomes deprecated, the identifier should not be reused and a placeholder for the deprecated view should be left in the catalog. The required Name attribute provides a descriptive title used to give the reader an idea of what perspective this view represents. All words in the name should be capitalized except for articles and prepositions unless they begin or end the name. The required Type attribute describes how this view is being constructed. Please refer to the ViewTypeEnumeration simple type for a list of valid values and their meanings. The required Status attribute defines the status level for this view. Please refer to the StatusEnumeration simple type for a list of valid values and their meanings.
Schema path: ViewTypeEnumeration
The ViewTypeEnumeration simple type defines the different types of views that can be found within CAPEC. A graph is a hierarchical representation of attack patterns based on a specific vantage point that a user my take. The hierarchy often starts with a category, followed by a meta/standard attack pattern, and ends with a detailed attack pattern. An explicit slice is a subset of attack patterns that are related through some external factor. For example, a view may be used to represent mappings to external groupings like a Top-N list. An implicit slice is a subset of attack patterns that are related through a specific attribute. For example, a slice may refer to all attack patterns in draft status, or all existing meta attack patterns.
More information is available — Please select a different filter.