Missing Label Mapping for Behavior/Multi-label Benchmark Models
Hi EMBER2024 Team, especially @joyce8,
I am currently utilizing the EMBER2024 benchmark models (specifically the behavior.model) as a core component of my Master’s research. My work focuses on model interpretability, and I am specifically trying to apply SHAP to these models to understand which of the 2,568 EMBER v3 features trigger specific behavioral detections.
The Blocker: The behavior model loads as a collection of 92 independent LightGBM Boosters. While I can successfully generate SHAP values for each of these 92 outputs, I am unable to map them to actual human-readable labels (e.g., ransomware, worm, downloader).
Currently, the repository lacks a label_map.json or equivalent metadata file that defines the order of these 92 binary classifiers. My analysis of the ember_dataset_stats.txt shows 99 behavior tags with frequency >= 10 and 76 behavior tags with frequency >= 100, but the model's 92-dimension output suggests an inclusion of additional tags (likely common Packers or Threat Groups) that aren't explicitly mapped.
Urgency: I am currently facing tight thesis deadlines and am unable to proceed with the comparative analysis or interpret my SHAP results without this mapping.
Request: Could you please provide the ordered list of labels (0–91) used for the EMBER2024_behavior.model? Having this mapping would allow me (and the wider community) to finally interpret what these baseline models are actually detecting.
Thank you for your incredible work on this dataset—it is a game-changer for the field, and I would appreciate any help to get this research back on track!