{ "feature_names": [ "timestep", "dest_port", "bytes_transferred", "connection_duration_s", "auth_failure_count", "process_injection_flag", "lateral_hop_count", "c2_beacon_interval_s", "edr_blocked_flag", "siem_rule_triggered", "seg_patch_lag_days_mean", "seg_exposure_score_mean", "seg_vulnerability_count_max", "seg_inter_segment_trust_level_mean", "seg_alert_threshold_sensitivity_mean", "seg_mttd_baseline_hours_mean", "seg_mttr_baseline_hours_mean", "seg_siem_coverage_flag_mean", "seg_edr_deployed_flag_mean", "seg_ndr_coverage_flag_mean", "seg_mfa_enforced_flag_mean", "byte_volume_log", "has_c2_beacon", "is_brute_forcing", "attacker_defender_advantage", "is_high_volume", "is_privileged_port", "target_asset_type_backup_system", "target_asset_type_cloud_vm", "target_asset_type_container", "target_asset_type_database_server", "target_asset_type_domain_controller", "target_asset_type_ehr_system", "target_asset_type_email_server", "target_asset_type_firewall", "target_asset_type_iot_device", "target_asset_type_router", "target_asset_type_scada_plc", "target_asset_type_server", "target_asset_type_vpn_gateway", "target_asset_type_web_server", "target_asset_type_workstation", "source_ip_class_cloud_egress", "source_ip_class_external_internet", "source_ip_class_internal_lan", "source_ip_class_tor_exit", "source_ip_class_vpn_tunnel", "protocol_dns", "protocol_ftp", "protocol_http", "protocol_https", "protocol_icmp", "protocol_rdp", "protocol_smb", "protocol_ssh", "protocol_tcp", "protocol_udp", "attacker_capability_tier_apt", "attacker_capability_tier_nation_state", "attacker_capability_tier_opportunistic", "attacker_capability_tier_script_kiddie", "defender_maturity_level_advanced", "defender_maturity_level_baseline", "defender_maturity_level_managed", "defender_maturity_level_minimal", "defender_maturity_level_zero_trust", "alert_severity_critical", "alert_severity_high", "alert_severity_informational", "alert_severity_low", "alert_severity_medium", "detection_outcome_blind_spot", "detection_outcome_edr_blocked", "detection_outcome_evasion_success", "detection_outcome_high_confidence_alert", "detection_outcome_ir_escalated", "detection_outcome_marginal_alert", "detection_outcome_suppressed_alert", "seg_segment_type_cloud_workload", "seg_segment_type_corporate_lan", "seg_segment_type_data_exfiltration_target", "seg_segment_type_endpoint_fleet", "seg_segment_type_soc_management_plane", "seg_segment_type_supply_chain_interface", "seg_segment_type_zero_trust_segment", "seg_defender_maturity_level_advanced", "seg_defender_maturity_level_baseline", "seg_defender_maturity_level_managed", "seg_defender_maturity_level_minimal", "seg_defender_maturity_level_zero_trust" ], "numeric_features": [ "timestep", "dest_port", "bytes_transferred", "connection_duration_s", "auth_failure_count", "process_injection_flag", "lateral_hop_count", "c2_beacon_interval_s", "edr_blocked_flag", "siem_rule_triggered", "seg_patch_lag_days_mean", "seg_exposure_score_mean", "seg_vulnerability_count_max", "seg_inter_segment_trust_level_mean", "seg_alert_threshold_sensitivity_mean", "seg_mttd_baseline_hours_mean", "seg_mttr_baseline_hours_mean", "seg_siem_coverage_flag_mean", "seg_edr_deployed_flag_mean", "seg_ndr_coverage_flag_mean", "seg_mfa_enforced_flag_mean", "byte_volume_log", "has_c2_beacon", "is_brute_forcing", "attacker_defender_advantage", "is_high_volume", "is_privileged_port" ], "categorical_levels": { "target_asset_type": [ "backup_system", "cloud_vm", "container", "database_server", "domain_controller", "ehr_system", "email_server", "firewall", "iot_device", "router", "scada_plc", "server", "vpn_gateway", "web_server", "workstation" ], "source_ip_class": [ "cloud_egress", "external_internet", "internal_lan", "tor_exit", "vpn_tunnel" ], "protocol": [ "dns", "ftp", "http", "https", "icmp", "rdp", "smb", "ssh", "tcp", "udp" ], "attacker_capability_tier": [ "apt", "nation_state", "opportunistic", "script_kiddie" ], "defender_maturity_level": [ "advanced", "baseline", "managed", "minimal", "zero_trust" ], "alert_severity": [ "critical", "high", "informational", "low", "medium" ], "detection_outcome": [ "blind_spot", "edr_blocked", "evasion_success", "high_confidence_alert", "ir_escalated", "marginal_alert", "suppressed_alert" ], "seg_segment_type": [ "cloud_workload", "corporate_lan", "data_exfiltration_target", "endpoint_fleet", "soc_management_plane", "supply_chain_interface", "zero_trust_segment" ], "seg_defender_maturity_level": [ "advanced", "baseline", "managed", "minimal", "zero_trust" ] }, "label_to_int": { "dwell_idle": 0, "reconnaissance": 1, "initial_access": 2, "execution": 3, "persistence": 4, "privilege_escalation": 5, "lateral_movement": 6, "collection": 7, "exfiltration": 8, "impact": 9 }, "int_to_label": { "0": "dwell_idle", "1": "reconnaissance", "2": "initial_access", "3": "execution", "4": "persistence", "5": "privilege_escalation", "6": "lateral_movement", "7": "collection", "8": "exfiltration", "9": "impact" }, "topology_aggregation": { "segment_constant": [ "segment_type", "defender_maturity_level" ], "segment_numeric_aggregates": { "patch_lag_days": "mean", "exposure_score": "mean", "vulnerability_count": "max", "inter_segment_trust_level": "mean", "alert_threshold_sensitivity": "mean", "mttd_baseline_hours": "mean", "mttr_baseline_hours": "mean", "siem_coverage_flag": "mean", "edr_deployed_flag": "mean", "ndr_coverage_flag": "mean", "mfa_enforced_flag": "mean" } } }