| { |
| "version": "1.0.0", |
| "dataset": "xpertsystems/cyb003-sample", |
| "task": "10-class execution_phase classification", |
| "baselines": { |
| "always_predict_majority_accuracy": 0.13666666666666666, |
| "majority_class": "initial_drop", |
| "random_guess_accuracy": 0.1 |
| }, |
| "split": { |
| "strategy": "group_aware (GroupShuffleSplit by sample_id, nested)", |
| "rationale": "100 unique malware samples generate 6,000 timesteps (60 per sample). Random row-split would leak per-sample correlations into the test fold. Group-aware split keeps train/val/test samples disjoint.", |
| "samples_train": 69, |
| "samples_val": 16, |
| "samples_test": 15, |
| "timesteps_train": 4140, |
| "timesteps_val": 960, |
| "timesteps_test": 900, |
| "seed": 42 |
| }, |
| "n_features": 69, |
| "label_classes": [ |
| "c2_communication", |
| "data_exfiltration", |
| "dormancy_dwell", |
| "initial_drop", |
| "lateral_movement", |
| "payload_execution", |
| "persistence_establishment", |
| "privilege_escalation", |
| "sandbox_evasion_stall", |
| "self_destruct_cleanup" |
| ], |
| "class_distribution_train": { |
| "lateral_movement": 550, |
| "initial_drop": 549, |
| "data_exfiltration": 543, |
| "persistence_establishment": 541, |
| "c2_communication": 492, |
| "privilege_escalation": 489, |
| "payload_execution": 487, |
| "dormancy_dwell": 168, |
| "sandbox_evasion_stall": 166, |
| "self_destruct_cleanup": 155 |
| }, |
| "class_distribution_test": { |
| "initial_drop": 123, |
| "persistence_establishment": 122, |
| "lateral_movement": 121, |
| "data_exfiltration": 113, |
| "c2_communication": 108, |
| "privilege_escalation": 107, |
| "payload_execution": 106, |
| "dormancy_dwell": 40, |
| "sandbox_evasion_stall": 32, |
| "self_destruct_cleanup": 28 |
| }, |
| "models": { |
| "xgboost": { |
| "architecture": "Gradient-boosted decision trees, multi:softprob, 10 classes", |
| "framework": "xgboost", |
| "test_metrics": { |
| "model": "xgboost", |
| "accuracy": 0.9177777777777778, |
| "macro_f1": 0.7780699645112974, |
| "weighted_f1": 0.9064879129227142, |
| "per_class_f1": { |
| "c2_communication": 1.0, |
| "data_exfiltration": 0.9699570815450643, |
| "dormancy_dwell": 0.5301204819277109, |
| "initial_drop": 0.9453125, |
| "lateral_movement": 0.9917355371900827, |
| "payload_execution": 0.963302752293578, |
| "persistence_establishment": 0.9918032786885246, |
| "privilege_escalation": 0.9907407407407407, |
| "sandbox_evasion_stall": 0.125, |
| "self_destruct_cleanup": 0.2727272727272727 |
| }, |
| "confusion_matrix": { |
| "labels": [ |
| "c2_communication", |
| "data_exfiltration", |
| "dormancy_dwell", |
| "initial_drop", |
| "lateral_movement", |
| "payload_execution", |
| "persistence_establishment", |
| "privilege_escalation", |
| "sandbox_evasion_stall", |
| "self_destruct_cleanup" |
| ], |
| "matrix": [ |
| [ |
| 108, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 113, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 4, |
| 22, |
| 7, |
| 0, |
| 1, |
| 0, |
| 0, |
| 2, |
| 4 |
| ], |
| [ |
| 0, |
| 0, |
| 2, |
| 121, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 0, |
| 0, |
| 0, |
| 120, |
| 0, |
| 0, |
| 0, |
| 0, |
| 1 |
| ], |
| [ |
| 0, |
| 0, |
| 1, |
| 0, |
| 0, |
| 105, |
| 0, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 0, |
| 1, |
| 0, |
| 0, |
| 0, |
| 121, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 107, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 0, |
| 17, |
| 3, |
| 0, |
| 1, |
| 1, |
| 2, |
| 3, |
| 5 |
| ], |
| [ |
| 0, |
| 3, |
| 0, |
| 2, |
| 1, |
| 5, |
| 0, |
| 0, |
| 11, |
| 6 |
| ] |
| ] |
| }, |
| "macro_roc_auc_ovr": 0.979171667321058 |
| } |
| }, |
| "mlp": { |
| "architecture": "PyTorch MLP, 69 -> 128 -> 64 -> 10, BatchNorm1d + ReLU + Dropout, weighted cross-entropy loss", |
| "framework": "pytorch", |
| "test_metrics": { |
| "model": "mlp", |
| "accuracy": 0.8222222222222222, |
| "macro_f1": 0.7071652710164154, |
| "weighted_f1": 0.8217291149270296, |
| "per_class_f1": { |
| "c2_communication": 1.0, |
| "data_exfiltration": 0.9181818181818182, |
| "dormancy_dwell": 0.5194805194805194, |
| "initial_drop": 0.8854961832061069, |
| "lateral_movement": 0.9067796610169492, |
| "payload_execution": 0.6981132075471698, |
| "persistence_establishment": 0.8695652173913043, |
| "privilege_escalation": 0.9154228855721394, |
| "sandbox_evasion_stall": 0.07692307692307693, |
| "self_destruct_cleanup": 0.28169014084507044 |
| }, |
| "confusion_matrix": { |
| "labels": [ |
| "c2_communication", |
| "data_exfiltration", |
| "dormancy_dwell", |
| "initial_drop", |
| "lateral_movement", |
| "payload_execution", |
| "persistence_establishment", |
| "privilege_escalation", |
| "sandbox_evasion_stall", |
| "self_destruct_cleanup" |
| ], |
| "matrix": [ |
| [ |
| 108, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 101, |
| 0, |
| 0, |
| 6, |
| 3, |
| 0, |
| 0, |
| 0, |
| 3 |
| ], |
| [ |
| 0, |
| 1, |
| 20, |
| 5, |
| 0, |
| 7, |
| 0, |
| 0, |
| 4, |
| 3 |
| ], |
| [ |
| 0, |
| 0, |
| 3, |
| 116, |
| 0, |
| 0, |
| 4, |
| 0, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 2, |
| 0, |
| 0, |
| 107, |
| 7, |
| 0, |
| 0, |
| 3, |
| 2 |
| ], |
| [ |
| 0, |
| 1, |
| 0, |
| 0, |
| 2, |
| 74, |
| 1, |
| 0, |
| 9, |
| 19 |
| ], |
| [ |
| 0, |
| 0, |
| 2, |
| 7, |
| 0, |
| 0, |
| 110, |
| 2, |
| 1, |
| 0 |
| ], |
| [ |
| 0, |
| 0, |
| 0, |
| 0, |
| 0, |
| 2, |
| 13, |
| 92, |
| 0, |
| 0 |
| ], |
| [ |
| 0, |
| 1, |
| 12, |
| 7, |
| 0, |
| 3, |
| 1, |
| 0, |
| 2, |
| 6 |
| ], |
| [ |
| 0, |
| 1, |
| 0, |
| 4, |
| 0, |
| 10, |
| 2, |
| 0, |
| 1, |
| 10 |
| ] |
| ] |
| }, |
| "macro_roc_auc_ovr": 0.9680976851704761 |
| } |
| } |
| } |
| } |
