Initial release: XGBoost + MLP for ATT&CK phase classification

146a3a4 verified 3 days ago

16.9 kB

	---
	license: cc-by-nc-4.0
	library_name: pytorch
	tags:
	- cybersecurity
	- mitre-attack
	- kill-chain
	- apt
	- tabular-classification
	- synthetic-data
	- xgboost
	- baseline
	pipeline_tag: tabular-classification
	base_model: []
	datasets:
	- xpertsystems/cyb002-sample
	metrics:
	- accuracy
	- f1
	- roc_auc
	model-index:
	- name: cyb002-baseline-classifier
	results:
	- task:
	type: tabular-classification
	name: 10-class MITRE ATT&CK kill-chain phase classification
	dataset:
	type: xpertsystems/cyb002-sample
	name: CYB002 Synthetic Cyber Attack Dataset (Sample)
	metrics:
	- type: roc_auc
	value: 0.8599
	name: Test macro ROC-AUC OvR (XGBoost)
	- type: f1
	value: 0.4255
	name: Test macro-F1 (XGBoost)
	- type: accuracy
	value: 0.4683
	name: Test accuracy (XGBoost)
	- type: roc_auc
	value: 0.8496
	name: Test macro ROC-AUC OvR (MLP)
	- type: f1
	value: 0.3911
	name: Test macro-F1 (MLP)
	- type: accuracy
	value: 0.4449
	name: Test accuracy (MLP)
	---

	# CYB002 Baseline Classifier

	**MITRE ATT&CK kill-chain phase classifier trained on the CYB002
	synthetic cyber attack sample. Predicts which of 10 kill-chain phases
	an attack event belongs to, from observable event + segment features.**

	> Baseline reference, not for production use. This model demonstrates
	> that the [CYB002 sample dataset](https://huggingface.co/datasets/xpertsystems/cyb002-sample)
	> is learnable end-to-end and gives prospective buyers a working starting
	> point. It is not a production threat detector or SOC tool. See
	> [Limitations](#limitations).

	## Model overview

	\| Property \| Value \|
	\|---\|---\|
	\| Task \| 10-class kill-chain phase classification \|
	\| Training data \| `xpertsystems/cyb002-sample` (4,353 attack events across 100 campaigns) \|
	\| Models \| XGBoost + PyTorch MLP \|
	\| Input features \| 90 (after one-hot encoding) \|
	\| Split \| Group-aware by campaign_id (disjoint train/val/test campaigns) \|
	\| License \| CC-BY-NC-4.0 (matches dataset) \|
	\| Status \| Reference baseline \|

	Two model artifacts are published. They are designed to be used together — disagreement is a useful triage signal:

	- `model_xgb.json` — gradient-boosted trees, primary recommendation
	- `model_mlp.safetensors` — PyTorch MLP in SafeTensors format

	## Quick start

	```bash
	pip install xgboost torch safetensors pandas huggingface_hub
	```

	```python
	from huggingface_hub import hf_hub_download
	import json, numpy as np, torch, xgboost as xgb
	from safetensors.torch import load_file

	REPO = "xpertsystems/cyb002-baseline-classifier"

	paths = {n: hf_hub_download(REPO, n) for n in [
	"model_xgb.json", "model_mlp.safetensors",
	"feature_engineering.py", "feature_meta.json", "feature_scaler.json",
	]}

	import sys, os
	sys.path.insert(0, os.path.dirname(paths["feature_engineering.py"]))
	from feature_engineering import (
	transform_single, load_meta, INT_TO_LABEL, build_segment_lookup
	)

	meta = load_meta(paths["feature_meta.json"])
	xgb_model = xgb.XGBClassifier(); xgb_model.load_model(paths["model_xgb.json"])

	# Build the segment-aggregate lookup from the dataset's topology CSV
	seg_lookup = build_segment_lookup("path/to/network_topology.csv")

	# Predict (see inference_example.ipynb for the full pattern)
	seg_agg = seg_lookup.get(my_event["target_segment_id"], {})
	X = transform_single(my_event, meta, segment_aggregates=seg_agg)
	proba = xgb_model.predict_proba(X)[0]
	print(INT_TO_LABEL[int(np.argmax(proba))])
	```

	See [`inference_example.ipynb`](./inference_example.ipynb) for an
	end-to-end copy-paste demo including segment-aggregate setup and
	batch prediction.

	## Training data

	Trained on the public sample of CYB002, 4,353 attack events from 100
	distinct campaigns:

	\| Phase \| Train (n=2,822) \| Test (n=726) \| Test share \|
	\|---\|---:\|---:\|---:\|
	\| `dwell_idle` \| 581 \| 141 \| 19.4% \|
	\| `reconnaissance` \| 411 \| 112 \| 15.4% \|
	\| `initial_access` \| 358 \| 106 \| 14.6% \|
	\| `execution` \| 324 \| 74 \| 10.2% \|
	\| `persistence` \| 287 \| 79 \| 10.9% \|
	\| `privilege_escalation` \| 249 \| 68 \| 9.4% \|
	\| `lateral_movement` \| 201 \| 54 \| 7.4% \|
	\| `collection` \| 162 \| 40 \| 5.5% \|
	\| `exfiltration` \| 113 \| 31 \| 4.3% \|
	\| `impact` \| 105 \| 21 \| 2.9% \|

	### Group-aware split

	A single campaign generates ~40 highly-correlated events. Random row-level
	splitting would put events from the same campaign in both train and test,
	inflating metrics in a way that does not generalize to new campaigns.

	This release uses GroupShuffleSplit by `campaign_id`:

	\| Fold \| Campaigns \| Events \|
	\|---\|---:\|---:\|
	\| Train \| 69 \| 2,822 \|
	\| Validation \| 16 \| 805 \|
	\| Test \| 15 \| 726 \|

	All test campaigns are completely unseen during training. Class imbalance
	is addressed with `class_weight='balanced'` (XGBoost `sample_weight`) and
	weighted cross-entropy (MLP).

	## Feature pipeline

	The bundled `feature_engineering.py` is the canonical feature recipe.

	Three columns are deliberately excluded because they leak the target:

	- `technique_id` — 62 of 63 ATT&CK techniques map 1:1 to a single phase.
	Including it gives perfect-looking metrics that mean nothing.
	- `technique_name` — 1:1 alias of `technique_id` (63 unique values each).
	- `tactic_category` — direct alias of `kill_chain_phase`.

	90 features survive after encoding, drawn from:

	- Event-level numeric (10): `timestep`, `dest_port`, `bytes_transferred`, `connection_duration_s`, `auth_failure_count`, `process_injection_flag`, `lateral_hop_count`, `c2_beacon_interval_s`, `edr_blocked_flag`, `siem_rule_triggered`
	- Event-level categorical (7, one-hot encoded): `target_asset_type`, `source_ip_class`, `protocol`, `attacker_capability_tier`, `defender_maturity_level`, `alert_severity`, `detection_outcome`
	- Segment-level topology aggregates (13): mean `patch_lag_days`, mean `exposure_score`, max `vulnerability_count`, fraction with EDR/SIEM/NDR/MFA coverage, mean MTTD / MTTR baselines, plus segment_type and defender_maturity_level (segment-constant)
	- Engineered (6): `byte_volume_log`, `has_c2_beacon`, `is_brute_forcing`, `attacker_defender_advantage`, `is_high_volume`, `is_privileged_port`

	None of the engineered features is derived from phase or technique —
	that would re-introduce the leakage we just excluded.

	### Note on detection-outcome features

	`detection_outcome`, `alert_severity`, `edr_blocked_flag`, and
	`siem_rule_triggered` are post-hoc observables from the SOC's perspective.
	They are kept as features for the realistic use case where a SOC analyst
	has just seen an action and its initial detection signal and is reasoning
	about which phase the campaign is in. Buyers who want a strictly
	pre-detection model can drop these four columns and retrain — the ablation
	results below show this does not hurt accuracy (the model doesn't
	lean on them for phase prediction).

	## Evaluation

	### Test-set metrics (n = 726 events from 15 disjoint campaigns)

	XGBoost

	\| Metric \| Value \|
	\|---\|---:\|
	\| Macro ROC-AUC (OvR) \| 0.8599 \|
	\| Accuracy \| 0.4683 \|
	\| Macro-F1 \| 0.4255 \|
	\| Weighted-F1 \| 0.4604 \|

	MLP

	\| Metric \| Value \|
	\|---\|---:\|
	\| Macro ROC-AUC (OvR) \| 0.8496 \|
	\| Accuracy \| 0.4449 \|
	\| Macro-F1 \| 0.3911 \|
	\| Weighted-F1 \| 0.4350 \|

	### Headline interpretation

	Accuracy of 47% looks low at first glance, but the right comparison is:

	\| Baseline \| Accuracy \| Macro-F1 \|
	\|---\|---:\|---:\|
	\| Random uniform guess (1/10 classes) \| 0.10 \| ~0.10 \|
	\| Always predict majority (`dwell_idle`) \| 0.19 \| n/a \|
	\| XGBoost (this model) \| 0.47 \| 0.43 \|

	The macro ROC-AUC of 0.86 tells the cleaner story: the model
	distinguishes the 10 phases meaningfully well even though the
	argmax-prediction sometimes lands on an adjacent phase.

	### Per-class F1 — where the signal is and isn't

	\| Phase \| XGBoost F1 \| MLP F1 \| Note \|
	\|---\|---:\|---:\|---\|
	\| `reconnaissance` \| 0.753 \| 0.725 \| Strong: early timestep, distinct protocols/targets \|
	\| `lateral_movement` \| 0.742 \| 0.783 \| Strong: lateral-hop count, post-privesc pattern \|
	\| `initial_access` \| 0.647 \| 0.648 \| Strong: perimeter targets, specific protocols \|
	\| `privilege_escalation` \| 0.500 \| 0.488 \| Moderate \|
	\| `execution` \| 0.441 \| 0.510 \| Moderate \|
	\| `persistence` \| 0.413 \| 0.301 \| Moderate, easily confused with execution \|
	\| `exfiltration` \| 0.273 \| 0.119 \| Weak: late-phase, similar to collection/impact \|
	\| `impact` \| 0.226 \| 0.132 \| Weak: late-phase clustering \|
	\| `collection` \| 0.220 \| 0.191 \| Weak: late-phase clustering \|
	\| `dwell_idle` \| 0.040 \| 0.013 \| Very weak: no-op steps lack distinguishing features \|

	The model has solid signal on early and mid-campaign phases and
	genuinely struggles to disambiguate **late-stage objective-completion
	phases** (collection / exfiltration / impact), which arrive close in
	time and look similar at the event level. This is an honest limitation
	of flat-tabular classification — sequence models would help here.

	### Ablation: which feature groups matter

	\| Configuration \| Accuracy \| Macro-F1 \| Δ accuracy vs full \|
	\|---\|---:\|---:\|---:\|
	\| Full feature set (published) \| 0.4683 \| 0.4255 \| — \|
	\| No `timestep` \| 0.3264 \| 0.3102 \| −0.1419 \|
	\| No topology aggregates \| 0.4601 \| 0.4093 \| −0.0083 \|
	\| No engineered features \| 0.4642 \| 0.4240 \| −0.0041 \|
	\| No detection-signal features \| 0.4725 \| 0.4284 \| +0.0041 \|

	Two clear findings:

	1. `timestep` is by far the most important feature (drops 14 pp when
	removed). The honest reading: kill chains progress in time, and where
	you are in the campaign timeline carries most of the phase signal.
	2. **Detection-signal features (`detection_outcome`, `alert_severity`,
	`edr_blocked_flag`, `siem_rule_triggered`) do not help phase prediction.**
	Removing them actually improves the score marginally. A buyer who wants
	a pre-detection model can drop these four columns with no loss.

	Topology and engineered features each contribute roughly 1 pp.

	### Architecture

	XGBoost: multi-class gradient boosting (`multi:softprob`, 10 classes),
	`hist` tree method, class-balanced sample weights, early stopping on
	validation mlogloss.

	MLP: `90 → 128 → 64 → 10`, each hidden layer followed by `BatchNorm1d`
	→ `ReLU` → `Dropout(0.3)`, weighted cross-entropy loss, AdamW optimizer,
	early stopping on validation macro-F1.

	Training hyperparameters (learning rate, batch size, n_estimators,
	early-stopping patience, weight decay, class-weighting strategy) are
	held internally by XpertSystems and are not part of this release.

	## Limitations

	This is a baseline reference, not a production threat detection system.

	1. Late-phase confusion. Per-class F1 for `collection`, `exfiltration`,
	and `impact` is 0.22–0.27. These phases arrive near campaign-end with
	similar feature signatures, and a flat-tabular event-level model can't
	easily disambiguate them. Sequence models (LSTM / transformer over the
	per-campaign event sequence) would substantially improve this.

	2. `dwell_idle` is essentially unlearnable in this framing. The
	class-balanced weights amplify rare classes; `dwell_idle` is common
	but featureless ("no action this timestep"), so the model trades
	`dwell_idle` recall for late-phase recall. F1 = 0.04. A real SOC
	pipeline would handle idle steps with a separate gating rule, not a
	classifier head.

	3. Sample-size constraints. 100 campaigns / 4,353 events with a
	group-aware split leaves 69 training campaigns. The full 380k-event
	CYB002 product supports much more reliable per-class estimation,
	especially on the rare late-phase classes.

	4. Synthetic-vs-real transfer. The dataset is synthetic and
	calibrated to threat-intelligence benchmark targets (Mandiant
	M-Trends, IBM CODB, Verizon DBIR, MITRE ATT&CK Evaluations). Real
	attack telemetry has different noise characteristics, adversary
	adaptation, and gaps in coverage. Do not assume metrics transfer.

	5. Adversarial robustness not evaluated. The dataset is not
	adversarially generated; the model has not been red-teamed.

	6. MLP brittleness on OOD inputs. With ~2.8k training events, the
	MLP can produce confidently-wrong predictions on hand-crafted
	records far from the training manifold. XGBoost is more robust.
	Use both; treat disagreement as a signal for human review.

	## Notes on dataset schema

	The CYB002 sample dataset README describes some fields differently from
	the actual schema. The model was trained on the actual schema; this note
	is to help buyers reconcile what they read with what they receive.

	\| What the README says \| What the data actually contains \|
	\|---\|---\|
	\| "9 ATT&CK phases" \| 10 phases including `dwell_idle` (idle/no-op steps) \|
	\| 4 attacker tiers: `opportunistic`, `organized_crime`, `apt`, `nation_state` \| 4 tiers: `opportunistic`, `script_kiddie`, `apt`, `nation_state` \|
	\| 5 defender maturity levels: CMMI names (`ad_hoc`, `defined`, `managed`, `quantitatively_managed`, `optimizing`) \| 5 levels: `minimal`, `baseline`, `managed`, `advanced`, `zero_trust` \|
	\| Field name `phase` \| Actual column: `kill_chain_phase` \|
	\| Field name `tactic` \| Actual column: `tactic_category` \|
	\| Field name `segment_id` \| Actual column: `target_segment_id` \|
	\| Field name `attacker_tier` \| Actual column: `attacker_capability_tier` \|
	\| Field name `defender_maturity` \| Actual column: `defender_maturity_level` \|
	\| Field name `detected`, `blocked`, `stealth_score` \| Actual: `detection_outcome`, `edr_blocked_flag`, `siem_rule_triggered`; no `stealth_score` on events \|

	None of this affects model correctness — `feature_engineering.py` uses the
	actual column names. If you build your own pipeline against the dataset,
	use the actual columns, not the README descriptions.

	## Intended use

	- Evaluating fit of the CYB002 dataset for your ATT&CK / kill-chain
	research
	- Baseline reference for new model architectures (especially sequence
	models, which should beat this baseline on the late-phase classes)
	- Teaching and demo for tabular classification on attack-event data
	- Feature engineering reference for MITRE ATT&CK-aligned datasets

	## Out-of-scope use

	- Production threat detection on real network telemetry
	- SOC alert triage on real systems
	- Forensic attribution of real attacks
	- Adversarial-evasion evaluation (dataset not adversarially generated)
	- Any safety-critical or operational security decision

	## Reproducibility

	Outputs above were produced with `seed = 42`, group-aware nested
	`GroupShuffleSplit` (70/15/15 by campaign_id), on the published sample
	(`xpertsystems/cyb002-sample`, version 1.0.0, generated 2026-05-16).
	The feature pipeline in `feature_engineering.py` is deterministic and
	the trained weights in this repo correspond exactly to the metrics above.

	The training script itself is private to XpertSystems. The published
	artifacts contain the feature pipeline, model weights, scaler, metadata,
	and validation results — sufficient to reproduce inference but not
	training.

	## Files in this repo

	\| File \| Purpose \|
	\|---\|---\|
	\| `model_xgb.json` \| XGBoost weights \|
	\| `model_mlp.safetensors` \| PyTorch MLP weights \|
	\| `feature_engineering.py` \| Feature pipeline (load → aggregate topology → engineer → encode) \|
	\| `feature_meta.json` \| Feature column order + categorical levels \|
	\| `feature_scaler.json` \| MLP input mean/std (XGBoost ignores) \|
	\| `validation_results.json` \| Per-class metrics, confusion matrix, architecture \|
	\| `ablation_results.json` \| Per-feature-group ablation (timestep, topology, engineered, detection-signals) \|
	\| `inference_example.ipynb` \| End-to-end inference demo notebook \|
	\| `README.md` \| This file \|

	## Contact and full product

	The full CYB002 dataset contains ~454,000 rows across four files,
	with calibrated benchmark validation against 12 metrics drawn from
	authoritative threat intelligence sources (Mandiant, IBM, Verizon,
	CrowdStrike, MITRE, SANS, ENISA). The full XpertSystems.ai synthetic data
	catalogue spans 41 SKUs across Cybersecurity, Healthcare, Insurance &
	Risk, Oil & Gas, and Materials & Energy.

	- 📧 pradeep@xpertsystems.ai
	- 🌐 https://xpertsystems.ai
	- 🗂 Dataset: https://huggingface.co/datasets/xpertsystems/cyb002-sample
	- 🤖 Companion model (network traffic): https://huggingface.co/xpertsystems/cyb001-baseline-classifier

	## Citation

	```bibtex
	@misc{xpertsystems_cyb002_baseline_2026,
	title = {CYB002 Baseline Classifier: XGBoost and MLP for MITRE ATT&CK Kill-Chain Phase Classification},
	author = {XpertSystems.ai},
	year = {2026},
	url = {https://huggingface.co/xpertsystems/cyb002-baseline-classifier},
	note = {Baseline reference model trained on xpertsystems/cyb002-sample}
	}
	```