feature_meta.json

{
  "feature_names": [
    "timestep",
    "data_access_volume_mb",
    "privilege_event_count",
    "communication_anomaly_score",
    "dlp_confidence_score",
    "exfiltration_volume_mb_cumulative",
    "behavioural_risk_score",
    "log_data_volume",
    "log_cumulative_exfil",
    "exfil_velocity",
    "is_privileged_event",
    "risk_x_dlp_composite",
    "is_late_stage",
    "incident_phase_access_escalation",
    "incident_phase_cover_tracks",
    "incident_phase_data_staging",
    "incident_phase_exfiltration_attempt",
    "incident_phase_idle_dwell",
    "incident_phase_incident_resolution",
    "incident_phase_lateral_access",
    "incident_phase_reconnaissance",
    "detection_outcome_exfil_success",
    "detection_outcome_high_risk_alert",
    "detection_outcome_moderate_risk_alert",
    "detection_outcome_suppressed",
    "target_data_sensitivity_tier_confidential",
    "target_data_sensitivity_tier_internal",
    "target_data_sensitivity_tier_restricted"
  ],
  "numeric_features": [
    "timestep",
    "data_access_volume_mb",
    "privilege_event_count",
    "communication_anomaly_score",
    "dlp_confidence_score",
    "exfiltration_volume_mb_cumulative",
    "behavioural_risk_score",
    "log_data_volume",
    "log_cumulative_exfil",
    "exfil_velocity",
    "is_privileged_event",
    "risk_x_dlp_composite",
    "is_late_stage"
  ],
  "categorical_levels": {
    "incident_phase": [
      "access_escalation",
      "cover_tracks",
      "data_staging",
      "exfiltration_attempt",
      "idle_dwell",
      "incident_resolution",
      "lateral_access",
      "reconnaissance"
    ],
    "detection_outcome": [
      "exfil_success",
      "high_risk_alert",
      "moderate_risk_alert",
      "suppressed"
    ],
    "target_data_sensitivity_tier": [
      "confidential",
      "internal",
      "restricted"
    ]
  },
  "label_to_int": {
    "negligent_user": 0,
    "malicious_employee": 1,
    "privileged_insider": 2
  },
  "int_to_label": {
    "0": "negligent_user",
    "1": "malicious_employee",
    "2": "privileged_insider"
  },
  "leakage_excluded": []
}