Research Portfolio

Genos Research

Command Intelligence for Behavioral Threat Detection and MITRE ATT&CK Attribution

Genos is a cybersecurity research prototype for analyzing command-line activity. It combines deobfuscation, classification, and MITRE ATT&CK attribution across three research prototypes and two IEEE-accepted papers.

What is Genos?

Genos converts command-line telemetry into structured security outputs: verdicts, behavioral signals, and MITRE ATT&CK mappings.

The research addresses a core detection challenge: obfuscated and encoded commands often evade signature-based methods. The v1.1 prototype first applies recursive deobfuscation and then a two-stage CodeBERT pipeline: a binary Gatekeeper for the initial benign-versus-malicious verdict and a Specialist model for ATT&CK technique attribution. Paper [2] evaluated 141-class attribution; the current prototype uses a smaller active technique set.

Research span: 2023 – 2026
Research prototypes: 3
IEEE-accepted papers: 2
ATT&CK attribution: multi-class
Model pipeline latency: ~6–10 ms (GPU)
Conference: IEEE AIIoT 2026, Seattle

Development Timeline

2023
Initial Research Concept
  • Explored kernel-level packet filtering in Linux
2024
Open-Source EDR Prototype
v1.0
  • Detected three MITRE ATT&CK attack classes in total, for the MSc Cybersecurity thesis.
  • Built a Windows Event Log ingestion pipeline without kernel drivers.
  • Detected and mitigated RDP brute-force attempts with a kernel-free (user-mode) sensor.
2025
Two-Stage Pipeline and MITRE Attribution
v1.1
  • Introduced a CodeBERT-based binary Gatekeeper and 141-class MITRE Specialist classifier.
  • Added recursive deobfuscation before model inference.
  • Evaluated Top-1, Top-3, macro-F1, and model pipeline latency. IEEE AIIoT 2026 Paper [2].
2026
Deployable Prototype and LLM Benchmark
v1.2
  • Packaged the v1.1 inference pipeline as a REST API.
  • Benchmarked command classification against LLM-based approaches.
  • A TF-IDF classifier replaced the Tier 2 Specialist and outperformed both CodeBERT and frontier LLMs in a controlled benchmark.
  • Both IEEE papers accepted at IEEE AIIoT 2026.

Version History

Each version is a distinct research prototype — not a commercial release. Whitepapers document the system design, methodology, and evaluation results for each prototype.

v1.0
2024 Research prototype
Open-Source Endpoint Detection and Response
IEEE AIIoT 2026 · Paper [1]

An open-source EDR research prototype built around Windows Security Event Log telemetry and machine-learning-based classification for benign activity plus three attack classes.

Key contributions
  • Windows Event Log ingestion without kernel drivers
  • LoRA fine-tuned RoBERTa classifier
  • Benign plus three attack-class classification
  • Selected Windows Security Event IDs: 4688, 4950, 4946, 4947, 4948
  • 99.5% accuracy on a controlled 1,200-case evaluation set
v1.1
2025 Research prototype
Two-Stage Transformer Framework for Command-Line Classification and ATT&CK Technique Mapping
IEEE AIIoT 2026 · Paper [2]

Evaluates a cascaded CodeBERT pipeline for command-line classification and MITRE ATT&CK technique attribution, with deobfuscation-aware preprocessing.

Key contributions
  • Binary Gatekeeper using CodeBERT
  • 141-class MITRE Specialist classifier
  • Recursive deobfuscation preprocessing
  • Accuracy, Top-k, macro-F1, and latency evaluation
v1.2
2026 Research prototype
Command Intelligence Engine — REST API and LLM Benchmark
Current prototype · deployment build

Packages the v1.1 inference pipeline as a deployable prototype and conducts a formal benchmark comparison against LLM-based classification approaches.

Key contributions
  • Deployable REST API prototype with key-based access control
  • Formal LLM benchmark comparison
  • Matched or exceeded LLM accuracy at lower latency and with no per-query cost

Benchmark Highlights

Results are from controlled research datasets. They should be interpreted within the evaluation methodology described in the associated IEEE publications.

  • Tier 1 Binary AUC: 0.9999 (Paper [2] · CodeBERT Gatekeeper · binary benign vs. malicious)
  • Tier 1 Binary F1: 99.96% (Paper [2] · CodeBERT Gatekeeper · held-out test set)
  • Tier 2 Top-1 Accuracy: 95.53% (Paper [2] · 141-class ATT&CK attribution · held-out test set)
  • Tier 2 Top-3 Accuracy: 97.94% (Paper [2] · 141-class ATT&CK attribution · ground truth within the top-3 candidates)
  • Model Pipeline Latency: 6.57 ms (Paper [2] · deobfuscation + Tier 1 + Tier 2 · GPU · 99% benign distribution)
  • v1.0 Event Classifier Accuracy: 99.5% (Paper [1] · 1,200-case controlled evaluation · RoBERTa classifier)

IEEE-Accepted Papers

Both papers were accepted to the IEEE World AI IoT Congress (AIIoT 2026), Seattle, USA. PDFs will be linked upon publication in the IEEE digital library.

Paper [1]  ·  Genos v1.0  ·  IEEE AIIoT 2026 Accepted
Open-Source Next Gen Endpoint Detection & Response
IEEE World AI IoT Congress (AIIoT 2026)  ·  Seattle, USA  ·  Ahmed Khan

Presents an open-source endpoint detection research prototype built around Windows Security Event Log telemetry and machine-learning-based classification. The evaluation covers benign activity plus three attack classes, and the paper discusses a user-mode detection architecture that requires no kernel drivers.

Paper [2]  ·  Genos v1.1  ·  IEEE AIIoT 2026 Accepted
A Two-Stage Transformer-Based Framework for Command-Line Classification and MITRE ATT&CK Technique Mapping
IEEE World AI IoT Congress (AIIoT 2026)  ·  Seattle, USA  ·  Ahmed Khan

Presents a two-stage CodeBERT-based framework for command-line classification and MITRE ATT&CK technique attribution. The system combines recursive deobfuscation, binary Gatekeeper classification, and 141-class Specialist attribution, with evaluation across accuracy, Top-k attribution, macro-F1, and latency.

Future Work

Planned research directions for subsequent prototypes and publications.