Inconsistency in Object Relationship Expression

[ikiril01]

One of the biggest existing issues with CybOX that leads to multiple ways of producing semantically identical content is with regards to the inconsistent design around how CybOX Objects are related. What this boils down to that there are two different ways that CybOX Objects can be related - directly inside of another Object, or via an explicit Object Relationship.

To help illustrate, here are examples of existing implementations of each approach:

• Direct embedding: For characterizing the partitions that exist on a disk, the Disk Object imports and uses the Disk Partition Object in its Partition_List field.
• Object relationships: Using the Process Object to characterize processes that were spawned by or parents of an existing process, one must use an Object Relationship with values of Child_Of and Parent_Of, respectively. There is no field with an embedded Object for this purpose.

Accordingly, given that CybOX and STIX appear to be moving towards a top-level relationship driven structure, it may make sense to support only Object Relationships in the future.

[johnwunder]

Another thing to consider is the distinction between Observable (Observation) relationships and Object relationships.