This study addresses the semantic ambiguity and reasoning challenges in existing dynamic malware analysis standards—such as MAEC and STIX—stemming from their conflation of persistent artifacts with runtime events. To resolve this, the work introduces the Unified Foundational Ontology (UFO) into the domain for the first time and proposes MAECO-Lite, a lightweight, modular ontology that clearly delineates core concepts including malware samples, processes, actions, system artifacts, and MITRE ATT&CK techniques. Crucially, MAECO-Lite enforces a strict ontological separation between persistent entities and runtime events. Empirical validation using description logic-based concept learning algorithms demonstrates that MAECO-Lite significantly enhances reasoning performance while preserving semantic rigor, thereby achieving an effective balance between computational tractability and ontological clarity.

Capturing dynamic malware behavior in a practical but still semantically precise manner remains a significant challenge in cyber threat intelligence. While standards such as MAEC and STIX provide widely adopted vocabularies for describing malware artifacts and observations, they represent data with considerable complexity in structures that often obscure important ontological distinctions. In particular, they tend to conflate enduring malware artifacts with the events generated during execution, thereby flattening distinctions that are central in foundational standards for ontology design. In this paper, we conduct a foundational ontological analysis of core MAEC and STIX constructs relevant to dynamic malware analysis relying on Unified Foundational Ontology (UFO) as a theoretical lens. Our analysis reveals some ontological mismatches arising from the conflation of artifacts, dispositions, and runtime events in MAEC and STIX that complicate coherent representation of dynamic malware behavior and, from a practical perspective, limit the ability to reason about execution traces. Based on these insights, we propose MAECO-Lite, a lightweight ontology designed to represent data and operationalize their processing for dynamic malware analysis. The ontology adopts a modular structure centered on samples, processes, actions, system artifacts, and MITRE ATT&CK Techniques, while maintaining a clear separation between enduring entities and runtime events. An initial evaluation using description logic concept learning algorithms shows that the simplified ontology significantly improves learning performance, demonstrating that ontologically grounded modelling can enhance both semantic clarity and computational usability.