cyb005-baseline-classifier / feature_meta.json
Initial release: XGBoost + MLP for ransomware actor-tier attribution
e8aa6ac verified
{
"feature_names": [
"timestep",
"files_encrypted_cumulative",
"encryption_throughput_mbps",
"endpoints_compromised",
"lateral_move_count",
"credential_harvest_count",
"c2_bytes_exfiltrated",
"defender_alert_score",
"blast_radius_pct",
"living_off_land_score",
"attribution_risk_score",
"data_exfiltrated_gb",
"wiper_flag",
"double_extortion_flag",
"ir_activated",
"edr_coverage_rate",
"network_segmentation_quality",
"patch_posture_score",
"ir_activation_latency_hrs",
"endpoint_count",
"ad_domain_complexity",
"soc_maturity_score",
"backup_recovery_prob",
"backup_recovery_hrs_mean",
"siem_rule_refresh_cadence_days",
"segment_id_hash",
"c2_intensity_score",
"escalation_velocity",
"is_destructive",
"dwell_efficiency",
"is_post_detonation",
"lotl_intensity_bin",
"attack_phase_encryption_detonation",
"attack_phase_exfiltration_staging",
"attack_phase_initial_access",
"attack_phase_internal_recon",
"attack_phase_lateral_movement",
"attack_phase_privilege_escalation",
"attack_phase_ransom_negotiation",
"attack_phase_recovery_in_progress",
"detection_outcome_alert_generated",
"detection_outcome_delayed_detection",
"detection_outcome_no_detection",
"detection_outcome_partial_containment",
"detection_outcome_recovery_in_progress",
"segment_type_active_directory_domain",
"segment_type_backup_infrastructure",
"segment_type_cloud_workload_tier",
"segment_type_corporate_workstation_fleet",
"segment_type_dmz_perimeter",
"segment_type_executive_endpoint_zone",
"segment_type_file_server_cluster",
"segment_type_ot_ics_control_network",
"soc_maturity_tier_none",
"soc_maturity_tier_tier1",
"soc_maturity_tier_tier2",
"soc_maturity_tier_tier3_mdr",
"backup_maturity_tier_air_gapped_gold_standard",
"backup_maturity_tier_local_only",
"backup_maturity_tier_network_attached",
"backup_maturity_tier_no_backup",
"backup_maturity_tier_offsite_unverified",
"backup_maturity_tier_offsite_verified_immutable"
],
"numeric_features": [
"timestep",
"files_encrypted_cumulative",
"encryption_throughput_mbps",
"endpoints_compromised",
"lateral_move_count",
"credential_harvest_count",
"c2_bytes_exfiltrated",
"defender_alert_score",
"blast_radius_pct",
"living_off_land_score",
"attribution_risk_score",
"data_exfiltrated_gb",
"wiper_flag",
"double_extortion_flag",
"ir_activated",
"edr_coverage_rate",
"network_segmentation_quality",
"patch_posture_score",
"ir_activation_latency_hrs",
"endpoint_count",
"ad_domain_complexity",
"soc_maturity_score",
"backup_recovery_prob",
"backup_recovery_hrs_mean",
"siem_rule_refresh_cadence_days",
"segment_id_hash",
"c2_intensity_score",
"escalation_velocity",
"is_destructive",
"dwell_efficiency",
"is_post_detonation",
"lotl_intensity_bin"
],
"categorical_levels": {
"attack_phase": [
"encryption_detonation",
"exfiltration_staging",
"initial_access",
"internal_recon",
"lateral_movement",
"privilege_escalation",
"ransom_negotiation",
"recovery_in_progress"
],
"detection_outcome": [
"alert_generated",
"delayed_detection",
"no_detection",
"partial_containment",
"recovery_in_progress"
],
"segment_type": [
"active_directory_domain",
"backup_infrastructure",
"cloud_workload_tier",
"corporate_workstation_fleet",
"dmz_perimeter",
"executive_endpoint_zone",
"file_server_cluster",
"ot_ics_control_network"
],
"soc_maturity_tier": [
"none",
"tier1",
"tier2",
"tier3_mdr"
],
"backup_maturity_tier": [
"air_gapped_gold_standard",
"local_only",
"network_attached",
"no_backup",
"offsite_unverified",
"offsite_verified_immutable"
]
},
"label_to_int": {
"lone_actor": 0,
"organised_syndicate": 1,
"raas_affiliate": 2,
"nation_state_nexus": 3
},
"int_to_label": {
"0": "lone_actor",
"1": "organised_syndicate",
"2": "raas_affiliate",
"3": "nation_state_nexus"
},
"leakage_excluded": []
}