{
  "feature_names": [
    "source_port",
    "dest_port",
    "flow_duration_ms",
    "total_fwd_packets",
    "total_bwd_packets",
    "total_bytes_fwd",
    "total_bytes_bwd",
    "fwd_packet_len_mean",
    "fwd_packet_len_std",
    "bwd_packet_len_mean",
    "bwd_packet_len_std",
    "flow_bytes_per_sec",
    "flow_packets_per_sec",
    "inter_arrival_time_mean",
    "inter_arrival_time_std",
    "tcp_flag_syn_count",
    "tcp_flag_ack_count",
    "tcp_flag_fin_count",
    "tcp_flag_rst_count",
    "tcp_flag_psh_count",
    "tcp_flag_urg_count",
    "retransmission_flag",
    "fragmentation_flag",
    "protocol_violation_flag",
    "payload_entropy_mean",
    "retransmission_rate",
    "protocol_violation_count",
    "c2_beacon_flag",
    "session_risk_score",
    "trust_level",
    "avg_concurrent_flows",
    "bandwidth_mbps",
    "nat_enabled",
    "ids_coverage",
    "diurnal_peak_factor",
    "feature_space_dim",
    "alert_threshold",
    "retraining_cadence_days",
    "ensemble_size",
    "device_count",
    "iat_cv",
    "fwd_bwd_byte_ratio",
    "bytes_per_packet_fwd",
    "tcp_flag_anomaly_score",
    "payload_density",
    "hour_of_day",
    "is_off_hours",
    "is_well_known_dest_port",
    "is_ephemeral_src_port",
    "protocol_DNS",
    "protocol_FTP",
    "protocol_HTTPS",
    "protocol_NTP",
    "protocol_SMTP",
    "protocol_SSH",
    "protocol_TCP",
    "protocol_UDP",
    "flow_lifecycle_phase_connection_initiation",
    "flow_lifecycle_phase_connection_teardown",
    "flow_lifecycle_phase_data_transfer",
    "flow_lifecycle_phase_protocol_handshake",
    "flow_lifecycle_phase_session_maintenance",
    "source_device_type_cloud_service",
    "source_device_type_iot_device",
    "source_device_type_mobile_endpoint",
    "source_device_type_ot_controller",
    "source_device_type_server",
    "source_device_type_workstation",
    "dest_device_type_cloud_service",
    "dest_device_type_iot_device",
    "dest_device_type_mobile_endpoint",
    "dest_device_type_ot_controller",
    "dest_device_type_server",
    "dest_device_type_workstation",
    "segment_type_cloud_workload",
    "segment_type_corporate_lan",
    "segment_type_data_centre_spine",
    "segment_type_dmz_perimeter",
    "segment_type_endpoint_fleet",
    "segment_type_guest_wifi",
    "segment_type_ot_ics_control_network",
    "segment_type_soc_management_plane",
    "segment_type_zero_trust_segment",
    "firewall_policy_default_deny",
    "firewall_policy_open_permissive",
    "firewall_policy_stateful_inspection",
    "firewall_policy_strict_allowlist",
    "firewall_policy_zone_based",
    "qos_policy_best_effort",
    "qos_policy_dscp_expedited",
    "qos_policy_none",
    "qos_policy_priority_queue",
    "qos_policy_weighted_fair_queue",
    "defender_architecture_autoencoder_anomaly",
    "defender_architecture_ensemble_stacked",
    "defender_architecture_gradient_boosted_tree",
    "defender_architecture_isolation_forest",
    "defender_architecture_lstm_behavioural",
    "defender_architecture_neural_network_dense",
    "defender_architecture_rule_based_threshold",
    "defender_architecture_transformer_sequence"
  ],
  "numeric_features": [
    "source_port",
    "dest_port",
    "flow_duration_ms",
    "total_fwd_packets",
    "total_bwd_packets",
    "total_bytes_fwd",
    "total_bytes_bwd",
    "fwd_packet_len_mean",
    "fwd_packet_len_std",
    "bwd_packet_len_mean",
    "bwd_packet_len_std",
    "flow_bytes_per_sec",
    "flow_packets_per_sec",
    "inter_arrival_time_mean",
    "inter_arrival_time_std",
    "tcp_flag_syn_count",
    "tcp_flag_ack_count",
    "tcp_flag_fin_count",
    "tcp_flag_rst_count",
    "tcp_flag_psh_count",
    "tcp_flag_urg_count",
    "retransmission_flag",
    "fragmentation_flag",
    "protocol_violation_flag",
    "payload_entropy_mean",
    "retransmission_rate",
    "protocol_violation_count",
    "c2_beacon_flag",
    "session_risk_score",
    "trust_level",
    "avg_concurrent_flows",
    "bandwidth_mbps",
    "nat_enabled",
    "ids_coverage",
    "diurnal_peak_factor",
    "feature_space_dim",
    "alert_threshold",
    "retraining_cadence_days",
    "ensemble_size",
    "device_count",
    "iat_cv",
    "fwd_bwd_byte_ratio",
    "bytes_per_packet_fwd",
    "tcp_flag_anomaly_score",
    "payload_density",
    "hour_of_day",
    "is_off_hours",
    "is_well_known_dest_port",
    "is_ephemeral_src_port"
  ],
  "categorical_levels": {
    "protocol": [
      "DNS",
      "FTP",
      "HTTPS",
      "NTP",
      "SMTP",
      "SSH",
      "TCP",
      "UDP"
    ],
    "flow_lifecycle_phase": [
      "connection_initiation",
      "connection_teardown",
      "data_transfer",
      "protocol_handshake",
      "session_maintenance"
    ],
    "source_device_type": [
      "cloud_service",
      "iot_device",
      "mobile_endpoint",
      "ot_controller",
      "server",
      "workstation"
    ],
    "dest_device_type": [
      "cloud_service",
      "iot_device",
      "mobile_endpoint",
      "ot_controller",
      "server",
      "workstation"
    ],
    "segment_type": [
      "cloud_workload",
      "corporate_lan",
      "data_centre_spine",
      "dmz_perimeter",
      "endpoint_fleet",
      "guest_wifi",
      "ot_ics_control_network",
      "soc_management_plane",
      "zero_trust_segment"
    ],
    "firewall_policy": [
      "default_deny",
      "open_permissive",
      "stateful_inspection",
      "strict_allowlist",
      "zone_based"
    ],
    "qos_policy": [
      "best_effort",
      "dscp_expedited",
      "none",
      "priority_queue",
      "weighted_fair_queue"
    ],
    "defender_architecture": [
      "autoencoder_anomaly",
      "ensemble_stacked",
      "gradient_boosted_tree",
      "isolation_forest",
      "lstm_behavioural",
      "neural_network_dense",
      "rule_based_threshold",
      "transformer_sequence"
    ]
  },
  "label_to_int": {
    "BENIGN": 0,
    "MALICIOUS": 1,
    "AMBIGUOUS": 2
  },
  "int_to_label": {
    "0": "BENIGN",
    "1": "MALICIOUS",
    "2": "AMBIGUOUS"
  }
}