File size: 3,982 Bytes
ed9d6a1 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 | {
"version": "1.0.0",
"dataset": "xpertsystems/cyb007-sample",
"task": "3-class actor_threat_type classification",
"baselines": {
"always_predict_majority_accuracy": 0.4266666666666667,
"majority_class": "negligent_user",
"random_guess_accuracy": 0.3333333333333333
},
"split": {
"strategy": "group_aware (GroupShuffleSplit by incident_id, nested)",
"rationale": "500 insider threat incidents generate 32,500 timesteps (65 per incident). Random row-split would leak per-incident correlations into the test fold. Group-aware split keeps train/val/test incidents disjoint.",
"incidents_train": 350,
"incidents_val": 75,
"incidents_test": 75,
"timesteps_train": 22750,
"timesteps_val": 4875,
"timesteps_test": 4875,
"seed": 42
},
"n_features": 28,
"label_classes": [
"negligent_user",
"malicious_employee",
"privileged_insider"
],
"class_distribution_train": {
"negligent_user": 11895,
"malicious_employee": 6370,
"privileged_insider": 4485
},
"class_distribution_test": {
"negligent_user": 2080,
"malicious_employee": 1755,
"privileged_insider": 1040
},
"leakage_excluded_features": [],
"leakage_audit_notes": "Two features were audited as potential tier oracles: data_access_volume_mb (privileged 0-2541 MB, malicious 0-328, negligent 0-88; overlap [0, 88] covers most timesteps with median ~9 MB each) and exfiltration_volume_mb_cumulative (similar shape). Both have substantial distributional overlap across tiers and represent legitimate observables. Removing both features drops accuracy from 0.85 to 0.47 (below majority), confirming they are real signal rather than oracle leakage. detection_outcome is a near-oracle for INCIDENT_PHASE (purity 0.79, max 1.00 for reconnaissance) but has uniform purity vs tier (~0.50) and is kept as a feature for tier prediction. No features dropped.",
"models": {
"xgboost": {
"architecture": "Gradient-boosted decision trees, multi:softprob, 3 classes",
"framework": "xgboost",
"test_metrics": {
"model": "xgboost",
"accuracy": 0.8529230769230769,
"macro_f1": 0.8495931102241494,
"weighted_f1": 0.8518585237469937,
"per_class_f1": {
"negligent_user": 0.8762557077625571,
"malicious_employee": 0.8262571514604035,
"privileged_insider": 0.8462664714494875
},
"confusion_matrix": {
"labels": [
"negligent_user",
"malicious_employee",
"privileged_insider"
],
"matrix": [
[
1919,
111,
50
],
[
291,
1372,
92
],
[
90,
83,
867
]
]
},
"macro_roc_auc_ovr": 0.9627526877302969
}
},
"mlp": {
"architecture": "PyTorch MLP, 28 -> 128 -> 64 -> 3, BatchNorm1d + ReLU + Dropout, weighted cross-entropy loss",
"framework": "pytorch",
"test_metrics": {
"model": "mlp",
"accuracy": 0.8685128205128205,
"macro_f1": 0.8636019696274673,
"weighted_f1": 0.866725739844854,
"per_class_f1": {
"negligent_user": 0.8934753661784287,
"malicious_employee": 0.8414481897627965,
"privileged_insider": 0.8558823529411764
},
"confusion_matrix": {
"labels": [
"negligent_user",
"malicious_employee",
"privileged_insider"
],
"matrix": [
[
2013,
22,
45
],
[
325,
1348,
82
],
[
88,
79,
873
]
]
},
"macro_roc_auc_ovr": 0.9660800234091633
}
}
}
} |