{
  "feature_names": [
    "timestep",
    "api_call_rate",
    "registry_write_count",
    "network_connection_count",
    "process_injection_flag",
    "c2_beacon_interval_sec",
    "av_signature_hit_flag",
    "sandbox_evasion_flag",
    "lateral_propagation_count",
    "privilege_escalation_flag",
    "pe_entropy_mean",
    "pe_entropy_std",
    "import_hash_cluster",
    "section_count",
    "packed_section_ratio",
    "string_entropy_mean",
    "byte_histogram_chi2",
    "code_section_rx_ratio",
    "resource_section_entropy",
    "suspicious_import_count",
    "packer_detected_flag",
    "api_burst_score",
    "is_c2_active",
    "is_high_net_volume",
    "is_stealth_step",
    "is_destructive_step",
    "lateral_activity_score",
    "malware_family_apt_implant",
    "malware_family_botnet_agent",
    "malware_family_cryptominer",
    "malware_family_dropper",
    "malware_family_fileless_malware",
    "malware_family_ransomware",
    "malware_family_rootkit",
    "malware_family_spyware",
    "malware_family_trojan",
    "malware_family_worm",
    "threat_actor_tier_apt",
    "threat_actor_tier_commodity",
    "threat_actor_tier_crimeware",
    "threat_actor_tier_nation_state",
    "target_platform_android_13",
    "target_platform_embedded_ot_firmware",
    "target_platform_linux_rhel_9",
    "target_platform_linux_ubuntu_22",
    "target_platform_macos_ventura",
    "target_platform_windows_10_enterprise",
    "target_platform_windows_11_pro",
    "target_platform_windows_server_2022",
    "obfuscation_technique_anti_analysis_stall",
    "obfuscation_technique_code_signing_abuse",
    "obfuscation_technique_lotl_binary",
    "obfuscation_technique_packing",
    "obfuscation_technique_polymorphic_mutation",
    "obfuscation_technique_sandbox_evasion",
    "obfuscation_technique_string_encryption",
    "detection_outcome_behavioural_flag",
    "detection_outcome_definitive_detection",
    "detection_outcome_heuristic_alert",
    "detection_outcome_sandbox_evasion_confirmed",
    "detection_outcome_signature_miss",
    "ep_stack_av_plus_firewall",
    "ep_stack_deception_honeypot",
    "ep_stack_edr_endpoint_detect",
    "ep_stack_legacy_av_only",
    "ep_stack_managed_detection_response",
    "ep_stack_ngav_ml_based",
    "ep_stack_no_protection",
    "ep_stack_xdr_extended_detect"
  ],
  "numeric_features": [
    "timestep",
    "api_call_rate",
    "registry_write_count",
    "network_connection_count",
    "process_injection_flag",
    "c2_beacon_interval_sec",
    "av_signature_hit_flag",
    "sandbox_evasion_flag",
    "lateral_propagation_count",
    "privilege_escalation_flag",
    "pe_entropy_mean",
    "pe_entropy_std",
    "import_hash_cluster",
    "section_count",
    "packed_section_ratio",
    "string_entropy_mean",
    "byte_histogram_chi2",
    "code_section_rx_ratio",
    "resource_section_entropy",
    "suspicious_import_count",
    "packer_detected_flag",
    "api_burst_score",
    "is_c2_active",
    "is_high_net_volume",
    "is_stealth_step",
    "is_destructive_step",
    "lateral_activity_score"
  ],
  "categorical_levels": {
    "malware_family": [
      "apt_implant",
      "botnet_agent",
      "cryptominer",
      "dropper",
      "fileless_malware",
      "ransomware",
      "rootkit",
      "spyware",
      "trojan",
      "worm"
    ],
    "threat_actor_tier": [
      "apt",
      "commodity",
      "crimeware",
      "nation_state"
    ],
    "target_platform": [
      "android_13",
      "embedded_ot_firmware",
      "linux_rhel_9",
      "linux_ubuntu_22",
      "macos_ventura",
      "windows_10_enterprise",
      "windows_11_pro",
      "windows_server_2022"
    ],
    "obfuscation_technique": [
      "anti_analysis_stall",
      "code_signing_abuse",
      "lotl_binary",
      "packing",
      "polymorphic_mutation",
      "sandbox_evasion",
      "string_encryption"
    ],
    "detection_outcome": [
      "behavioural_flag",
      "definitive_detection",
      "heuristic_alert",
      "sandbox_evasion_confirmed",
      "signature_miss"
    ],
    "ep_stack": [
      "av_plus_firewall",
      "deception_honeypot",
      "edr_endpoint_detect",
      "legacy_av_only",
      "managed_detection_response",
      "ngav_ml_based",
      "no_protection",
      "xdr_extended_detect"
    ]
  },
  "label_to_int": {
    "c2_communication": 0,
    "data_exfiltration": 1,
    "dormancy_dwell": 2,
    "initial_drop": 3,
    "lateral_movement": 4,
    "payload_execution": 5,
    "persistence_establishment": 6,
    "privilege_escalation": 7,
    "sandbox_evasion_stall": 8,
    "self_destruct_cleanup": 9
  },
  "int_to_label": {
    "0": "c2_communication",
    "1": "data_exfiltration",
    "2": "dormancy_dwell",
    "3": "initial_drop",
    "4": "lateral_movement",
    "5": "payload_execution",
    "6": "persistence_establishment",
    "7": "privilege_escalation",
    "8": "sandbox_evasion_stall",
    "9": "self_destruct_cleanup"
  }
}