Initial release: attack_lifecycle_phase 5-class baseline + 11-oracle-path leakage diagnostic
e2c4702 verified | { | |
| "version": "1.0.0", | |
| "dataset": "xpertsystems/cyb010-sample", | |
| "task": "5-class attack_lifecycle_phase classification", | |
| "baselines": { | |
| "always_predict_majority_accuracy": 0.5593129361245304, | |
| "majority_class": "benign_background", | |
| "random_guess_accuracy": 0.2 | |
| }, | |
| "split": { | |
| "strategy": "group-aware (GroupShuffleSplit on incident_id, nested 70/15/15)", | |
| "rationale": "500 incidents x ~44 events each. Events from the same incident share host, threat actor, and phase trajectory. Group-aware splitting prevents train/test leakage. ~75 test incidents per fold.", | |
| "events_train": 14697, | |
| "events_val": 3473, | |
| "events_test": 3726, | |
| "n_incidents_train": 350, | |
| "seed": 42 | |
| }, | |
| "n_features": 87, | |
| "label_classes": [ | |
| "benign_background", | |
| "initial_access", | |
| "lateral_movement", | |
| "persistence_establishment", | |
| "exfiltration_or_impact" | |
| ], | |
| "class_distribution_train": { | |
| "benign_background": 8547, | |
| "exfiltration_or_impact": 3898, | |
| "initial_access": 1187, | |
| "lateral_movement": 670, | |
| "persistence_establishment": 395 | |
| }, | |
| "class_distribution_test": { | |
| "benign_background": 2084, | |
| "exfiltration_or_impact": 1186, | |
| "initial_access": 247, | |
| "lateral_movement": 118, | |
| "persistence_establishment": 91 | |
| }, | |
| "oracle_excluded_features": [ | |
| "mitre_tactic (benign value -> benign_background phase, perfect oracle)", | |
| "mitre_technique_id (ATT&CK-by-design perfect oracle for mitre_tactic)", | |
| "label_malicious (False -> benign_background, perfect oracle)", | |
| "threat_actor_id (NONE -> benign, perfect oracle)", | |
| "threat_actor_profile (benign_user -> benign_background, perfect oracle)", | |
| "event_type (many values phase-specific; e.g. c2_beacon_outbound -> 100% exfil)" | |
| ], | |
| "leakage_audit_note": "See leakage_diagnostic.json for the full audit. 11 oracle paths documented (4 phase oracles, 1 ATT&CK indirect, 6 event_type near-oracles, 7 alert-task oracles), and 2 unlearnable README-suggested targets after honest leakage removal.", | |
| "models": { | |
| "xgboost": { | |
| "architecture": "Gradient-boosted decision trees, multi:softprob, 5 classes", | |
| "framework": "xgboost", | |
| "test_metrics": { | |
| "model": "xgboost", | |
| "accuracy": 0.9492753623188406, | |
| "macro_f1": 0.7780594102481514, | |
| "weighted_f1": 0.9522470071864876, | |
| "per_class_f1": { | |
| "benign_background": 0.9975996159385502, | |
| "initial_access": 0.7196652719665272, | |
| "lateral_movement": 0.48322147651006714, | |
| "persistence_establishment": 0.703030303030303, | |
| "exfiltration_or_impact": 0.9867803837953092 | |
| }, | |
| "confusion_matrix": { | |
| "labels": [ | |
| "benign_background", | |
| "initial_access", | |
| "lateral_movement", | |
| "persistence_establishment", | |
| "exfiltration_or_impact" | |
| ], | |
| "matrix": [ | |
| [ | |
| 2078, | |
| 6, | |
| 0, | |
| 0, | |
| 0 | |
| ], | |
| [ | |
| 4, | |
| 172, | |
| 65, | |
| 6, | |
| 0 | |
| ], | |
| [ | |
| 0, | |
| 38, | |
| 72, | |
| 6, | |
| 2 | |
| ], | |
| [ | |
| 0, | |
| 11, | |
| 22, | |
| 58, | |
| 0 | |
| ], | |
| [ | |
| 0, | |
| 4, | |
| 21, | |
| 4, | |
| 1157 | |
| ] | |
| ] | |
| }, | |
| "macro_roc_auc_ovr": 0.9904125505537232 | |
| } | |
| }, | |
| "mlp": { | |
| "architecture": "PyTorch MLP, 87 -> 128 -> 64 -> 5, BatchNorm1d + ReLU + Dropout, weighted cross-entropy loss", | |
| "framework": "pytorch", | |
| "test_metrics": { | |
| "model": "mlp", | |
| "accuracy": 0.9412238325281803, | |
| "macro_f1": 0.7533989932595785, | |
| "weighted_f1": 0.9423850278932477, | |
| "per_class_f1": { | |
| "benign_background": 0.9937679769894535, | |
| "initial_access": 0.6511627906976745, | |
| "lateral_movement": 0.4507042253521127, | |
| "persistence_establishment": 0.6903553299492385, | |
| "exfiltration_or_impact": 0.9810046433094133 | |
| }, | |
| "confusion_matrix": { | |
| "labels": [ | |
| "benign_background", | |
| "initial_access", | |
| "lateral_movement", | |
| "persistence_establishment", | |
| "exfiltration_or_impact" | |
| ], | |
| "matrix": [ | |
| [ | |
| 2073, | |
| 11, | |
| 0, | |
| 0, | |
| 0 | |
| ], | |
| [ | |
| 10, | |
| 140, | |
| 72, | |
| 17, | |
| 8 | |
| ], | |
| [ | |
| 2, | |
| 27, | |
| 64, | |
| 12, | |
| 13 | |
| ], | |
| [ | |
| 2, | |
| 4, | |
| 17, | |
| 68, | |
| 0 | |
| ], | |
| [ | |
| 1, | |
| 1, | |
| 13, | |
| 9, | |
| 1162 | |
| ] | |
| ] | |
| }, | |
| "macro_roc_auc_ovr": 0.986126094475466 | |
| } | |
| } | |
| } | |
| } |