cyber_threat_intent_classifier

Overview

The cyber_threat_intent_classifier is a fine-tuned BERT model designed to analyze system logs, network traffic descriptions, and security alerts to determine the underlying intent of an observed activity. It categorizes events into five distinct stages of the cyber-attack lifecycle.

Model Architecture

  • Base Model: BERT-base-uncased
  • Task: Multi-class Sequence Classification
  • Layers: 12-layer, 768-hidden, 12-heads, 110M parameters
  • Fine-tuning: Trained on a synthetic dataset of 50,000 security incident reports and MITRE ATT&CK framework descriptions.

Intended Use

  • SOC Automation: Automatically triaging security alerts.
  • Threat Hunting: Identifying patterns of reconnaissance or lateral movement in historical logs.
  • Incident Response: Providing immediate context to responders regarding the severity and stage of an active threat.

Limitations

  • Log Format Sensitivity: Performs best on descriptive text; raw hexadecimal logs may require pre-processing.
  • Adversarial Evasion: Sophisticated attackers may obfuscate their actions to mimic "Informational" traffic.
  • Context Window: Limited to 512 tokens, which may exclude relevant details in very long log chains.
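
The 512-token limit above means a long log chain has to be split before classification. The following is an added example, not part of the model card or the model's own code, that groups consecutive log lines into overlapping windows under that limit. The whitespace token counter, the function names and the sample lines are assumptions made for illustration.

```python
from typing import Callable, List

MAX_TOKENS = 512     # context limit stated in the Limitations list
SPECIAL_TOKENS = 2   # BERT adds [CLS] and [SEP] around every input

def approx_token_count(line: str) -> int:
    # Assumption: whitespace words as a stand-in. WordPiece usually yields more
    # tokens, so pass a counter built on the bert-base-uncased tokenizer instead.
    return len(line.split())

def window_log_chain(lines: List[str],
                     count_tokens: Callable[[str], int] = approx_token_count,
                     budget: int = MAX_TOKENS - SPECIAL_TOKENS,
                     overlap: int = 1) -> List[List[int]]:
    """Group consecutive log lines into windows (lists of line indices) that
    fit the budget. Each window repeats up to `overlap` trailing lines of the
    previous one so multi-step activity is not cut at a boundary. A line that
    alone exceeds the budget gets its own window instead of being dropped."""
    windows: List[List[int]] = []
    current: List[int] = []
    used = 0
    for i, line in enumerate(lines):
        cost = count_tokens(line)
        if current and used + cost > budget:
            windows.append(current)
            carried = current[-overlap:] if overlap > 0 else []
            # Drop the oldest carried lines until the new line fits.
            while carried and sum(count_tokens(lines[j]) for j in carried) + cost > budget:
                carried = carried[1:]
            current = list(carried)
            used = sum(count_tokens(lines[j]) for j in current)
        current.append(i)
        used += cost
    if current:
        windows.append(current)
    return windows

# Constructed sample log chain (not real data).
SAMPLE = [
    "host-a repeated failed ssh logins from 203.0.113.7",
    "host-a successful ssh login for svc-backup from 203.0.113.7",
    "host-a svc-backup enumerated domain admin group members",
    "host-a svc-backup opened smb session to host-b admin share",
]

if __name__ == "__main__":
    # Small budget so the four sample lines split into several windows.
    for w in window_log_chain(SAMPLE, budget=20):
        print(w, " | ".join(SAMPLE[i] for i in w))
```

Each window is classified separately, and a line that lands in its own oversized window is still truncated by the model at 512 tokens.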