Initial release: XGBoost + MLP for ATT&CK phase classification
146a3a4 verified
{
"feature_names": [
"timestep",
"dest_port",
"bytes_transferred",
"connection_duration_s",
"auth_failure_count",
"process_injection_flag",
"lateral_hop_count",
"c2_beacon_interval_s",
"edr_blocked_flag",
"siem_rule_triggered",
"seg_patch_lag_days_mean",
"seg_exposure_score_mean",
"seg_vulnerability_count_max",
"seg_inter_segment_trust_level_mean",
"seg_alert_threshold_sensitivity_mean",
"seg_mttd_baseline_hours_mean",
"seg_mttr_baseline_hours_mean",
"seg_siem_coverage_flag_mean",
"seg_edr_deployed_flag_mean",
"seg_ndr_coverage_flag_mean",
"seg_mfa_enforced_flag_mean",
"byte_volume_log",
"has_c2_beacon",
"is_brute_forcing",
"attacker_defender_advantage",
"is_high_volume",
"is_privileged_port",
"target_asset_type_backup_system",
"target_asset_type_cloud_vm",
"target_asset_type_container",
"target_asset_type_database_server",
"target_asset_type_domain_controller",
"target_asset_type_ehr_system",
"target_asset_type_email_server",
"target_asset_type_firewall",
"target_asset_type_iot_device",
"target_asset_type_router",
"target_asset_type_scada_plc",
"target_asset_type_server",
"target_asset_type_vpn_gateway",
"target_asset_type_web_server",
"target_asset_type_workstation",
"source_ip_class_cloud_egress",
"source_ip_class_external_internet",
"source_ip_class_internal_lan",
"source_ip_class_tor_exit",
"source_ip_class_vpn_tunnel",
"protocol_dns",
"protocol_ftp",
"protocol_http",
"protocol_https",
"protocol_icmp",
"protocol_rdp",
"protocol_smb",
"protocol_ssh",
"protocol_tcp",
"protocol_udp",
"attacker_capability_tier_apt",
"attacker_capability_tier_nation_state",
"attacker_capability_tier_opportunistic",
"attacker_capability_tier_script_kiddie",
"defender_maturity_level_advanced",
"defender_maturity_level_baseline",
"defender_maturity_level_managed",
"defender_maturity_level_minimal",
"defender_maturity_level_zero_trust",
"alert_severity_critical",
"alert_severity_high",
"alert_severity_informational",
"alert_severity_low",
"alert_severity_medium",
"detection_outcome_blind_spot",
"detection_outcome_edr_blocked",
"detection_outcome_evasion_success",
"detection_outcome_high_confidence_alert",
"detection_outcome_ir_escalated",
"detection_outcome_marginal_alert",
"detection_outcome_suppressed_alert",
"seg_segment_type_cloud_workload",
"seg_segment_type_corporate_lan",
"seg_segment_type_data_exfiltration_target",
"seg_segment_type_endpoint_fleet",
"seg_segment_type_soc_management_plane",
"seg_segment_type_supply_chain_interface",
"seg_segment_type_zero_trust_segment",
"seg_defender_maturity_level_advanced",
"seg_defender_maturity_level_baseline",
"seg_defender_maturity_level_managed",
"seg_defender_maturity_level_minimal",
"seg_defender_maturity_level_zero_trust"
],
"numeric_features": [
"timestep",
"dest_port",
"bytes_transferred",
"connection_duration_s",
"auth_failure_count",
"process_injection_flag",
"lateral_hop_count",
"c2_beacon_interval_s",
"edr_blocked_flag",
"siem_rule_triggered",
"seg_patch_lag_days_mean",
"seg_exposure_score_mean",
"seg_vulnerability_count_max",
"seg_inter_segment_trust_level_mean",
"seg_alert_threshold_sensitivity_mean",
"seg_mttd_baseline_hours_mean",
"seg_mttr_baseline_hours_mean",
"seg_siem_coverage_flag_mean",
"seg_edr_deployed_flag_mean",
"seg_ndr_coverage_flag_mean",
"seg_mfa_enforced_flag_mean",
"byte_volume_log",
"has_c2_beacon",
"is_brute_forcing",
"attacker_defender_advantage",
"is_high_volume",
"is_privileged_port"
],
"categorical_levels": {
"target_asset_type": [
"backup_system",
"cloud_vm",
"container",
"database_server",
"domain_controller",
"ehr_system",
"email_server",
"firewall",
"iot_device",
"router",
"scada_plc",
"server",
"vpn_gateway",
"web_server",
"workstation"
],
"source_ip_class": [
"cloud_egress",
"external_internet",
"internal_lan",
"tor_exit",
"vpn_tunnel"
],
"protocol": [
"dns",
"ftp",
"http",
"https",
"icmp",
"rdp",
"smb",
"ssh",
"tcp",
"udp"
],
"attacker_capability_tier": [
"apt",
"nation_state",
"opportunistic",
"script_kiddie"
],
"defender_maturity_level": [
"advanced",
"baseline",
"managed",
"minimal",
"zero_trust"
],
"alert_severity": [
"critical",
"high",
"informational",
"low",
"medium"
],
"detection_outcome": [
"blind_spot",
"edr_blocked",
"evasion_success",
"high_confidence_alert",
"ir_escalated",
"marginal_alert",
"suppressed_alert"
],
"seg_segment_type": [
"cloud_workload",
"corporate_lan",
"data_exfiltration_target",
"endpoint_fleet",
"soc_management_plane",
"supply_chain_interface",
"zero_trust_segment"
],
"seg_defender_maturity_level": [
"advanced",
"baseline",
"managed",
"minimal",
"zero_trust"
]
},
"label_to_int": {
"dwell_idle": 0,
"reconnaissance": 1,
"initial_access": 2,
"execution": 3,
"persistence": 4,
"privilege_escalation": 5,
"lateral_movement": 6,
"collection": 7,
"exfiltration": 8,
"impact": 9
},
"int_to_label": {
"0": "dwell_idle",
"1": "reconnaissance",
"2": "initial_access",
"3": "execution",
"4": "persistence",
"5": "privilege_escalation",
"6": "lateral_movement",
"7": "collection",
"8": "exfiltration",
"9": "impact"
},
"topology_aggregation": {
"segment_constant": [
"segment_type",
"defender_maturity_level"
],
"segment_numeric_aggregates": {
"patch_lag_days": "mean",
"exposure_score": "mean",
"vulnerability_count": "max",
"inter_segment_trust_level": "mean",
"alert_threshold_sensitivity": "mean",
"mttd_baseline_hours": "mean",
"mttr_baseline_hours": "mean",
"siem_coverage_flag": "mean",
"edr_deployed_flag": "mean",
"ndr_coverage_flag": "mean",
"mfa_enforced_flag": "mean"
}
}
}