| { |
| "feature_names": [ |
| "timestep", |
| "api_call_rate", |
| "registry_write_count", |
| "network_connection_count", |
| "process_injection_flag", |
| "c2_beacon_interval_sec", |
| "av_signature_hit_flag", |
| "sandbox_evasion_flag", |
| "lateral_propagation_count", |
| "privilege_escalation_flag", |
| "pe_entropy_mean", |
| "pe_entropy_std", |
| "import_hash_cluster", |
| "section_count", |
| "packed_section_ratio", |
| "string_entropy_mean", |
| "byte_histogram_chi2", |
| "code_section_rx_ratio", |
| "resource_section_entropy", |
| "suspicious_import_count", |
| "packer_detected_flag", |
| "api_burst_score", |
| "is_c2_active", |
| "is_high_net_volume", |
| "is_stealth_step", |
| "is_destructive_step", |
| "lateral_activity_score", |
| "malware_family_apt_implant", |
| "malware_family_botnet_agent", |
| "malware_family_cryptominer", |
| "malware_family_dropper", |
| "malware_family_fileless_malware", |
| "malware_family_ransomware", |
| "malware_family_rootkit", |
| "malware_family_spyware", |
| "malware_family_trojan", |
| "malware_family_worm", |
| "threat_actor_tier_apt", |
| "threat_actor_tier_commodity", |
| "threat_actor_tier_crimeware", |
| "threat_actor_tier_nation_state", |
| "target_platform_android_13", |
| "target_platform_embedded_ot_firmware", |
| "target_platform_linux_rhel_9", |
| "target_platform_linux_ubuntu_22", |
| "target_platform_macos_ventura", |
| "target_platform_windows_10_enterprise", |
| "target_platform_windows_11_pro", |
| "target_platform_windows_server_2022", |
| "obfuscation_technique_anti_analysis_stall", |
| "obfuscation_technique_code_signing_abuse", |
| "obfuscation_technique_lotl_binary", |
| "obfuscation_technique_packing", |
| "obfuscation_technique_polymorphic_mutation", |
| "obfuscation_technique_sandbox_evasion", |
| "obfuscation_technique_string_encryption", |
| "detection_outcome_behavioural_flag", |
| "detection_outcome_definitive_detection", |
| "detection_outcome_heuristic_alert", |
| "detection_outcome_sandbox_evasion_confirmed", |
| "detection_outcome_signature_miss", |
| "ep_stack_av_plus_firewall", |
| "ep_stack_deception_honeypot", |
| "ep_stack_edr_endpoint_detect", |
| "ep_stack_legacy_av_only", |
| "ep_stack_managed_detection_response", |
| "ep_stack_ngav_ml_based", |
| "ep_stack_no_protection", |
| "ep_stack_xdr_extended_detect" |
| ], |
| "numeric_features": [ |
| "timestep", |
| "api_call_rate", |
| "registry_write_count", |
| "network_connection_count", |
| "process_injection_flag", |
| "c2_beacon_interval_sec", |
| "av_signature_hit_flag", |
| "sandbox_evasion_flag", |
| "lateral_propagation_count", |
| "privilege_escalation_flag", |
| "pe_entropy_mean", |
| "pe_entropy_std", |
| "import_hash_cluster", |
| "section_count", |
| "packed_section_ratio", |
| "string_entropy_mean", |
| "byte_histogram_chi2", |
| "code_section_rx_ratio", |
| "resource_section_entropy", |
| "suspicious_import_count", |
| "packer_detected_flag", |
| "api_burst_score", |
| "is_c2_active", |
| "is_high_net_volume", |
| "is_stealth_step", |
| "is_destructive_step", |
| "lateral_activity_score" |
| ], |
| "categorical_levels": { |
| "malware_family": [ |
| "apt_implant", |
| "botnet_agent", |
| "cryptominer", |
| "dropper", |
| "fileless_malware", |
| "ransomware", |
| "rootkit", |
| "spyware", |
| "trojan", |
| "worm" |
| ], |
| "threat_actor_tier": [ |
| "apt", |
| "commodity", |
| "crimeware", |
| "nation_state" |
| ], |
| "target_platform": [ |
| "android_13", |
| "embedded_ot_firmware", |
| "linux_rhel_9", |
| "linux_ubuntu_22", |
| "macos_ventura", |
| "windows_10_enterprise", |
| "windows_11_pro", |
| "windows_server_2022" |
| ], |
| "obfuscation_technique": [ |
| "anti_analysis_stall", |
| "code_signing_abuse", |
| "lotl_binary", |
| "packing", |
| "polymorphic_mutation", |
| "sandbox_evasion", |
| "string_encryption" |
| ], |
| "detection_outcome": [ |
| "behavioural_flag", |
| "definitive_detection", |
| "heuristic_alert", |
| "sandbox_evasion_confirmed", |
| "signature_miss" |
| ], |
| "ep_stack": [ |
| "av_plus_firewall", |
| "deception_honeypot", |
| "edr_endpoint_detect", |
| "legacy_av_only", |
| "managed_detection_response", |
| "ngav_ml_based", |
| "no_protection", |
| "xdr_extended_detect" |
| ] |
| }, |
| "label_to_int": { |
| "c2_communication": 0, |
| "data_exfiltration": 1, |
| "dormancy_dwell": 2, |
| "initial_drop": 3, |
| "lateral_movement": 4, |
| "payload_execution": 5, |
| "persistence_establishment": 6, |
| "privilege_escalation": 7, |
| "sandbox_evasion_stall": 8, |
| "self_destruct_cleanup": 9 |
| }, |
| "int_to_label": { |
| "0": "c2_communication", |
| "1": "data_exfiltration", |
| "2": "dormancy_dwell", |
| "3": "initial_drop", |
| "4": "lateral_movement", |
| "5": "payload_execution", |
| "6": "persistence_establishment", |
| "7": "privilege_escalation", |
| "8": "sandbox_evasion_stall", |
| "9": "self_destruct_cleanup" |
| } |
| } |
