Multi-Source Cybersecurity Logs: An ATT&CK-Labeled Dataset and SLM Evaluation

📅 2026-06-16
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the scarcity of publicly available datasets that simultaneously encompass system, network, and browser logs annotated with fine-grained MITRE ATT&CK technique labels—hindering research on cross-source, multi-stage attack detection. To bridge this gap, we construct and release the first such dataset, comprising 870 sessions and approximately 2.3 million synchronously collected log events, labeled with 53 distinct ATT&CK techniques based on real-world attack tools, including remote access trojans (RATs), C2 tunneling, and cloud exfiltration. We further demonstrate the efficacy of small language models—Qwen2.5-1.5B, Llama-3.2-3B, and Phi-4-Mini—efficiently fine-tuned via LoRA for log chunk classification, achieving accuracy improvements from 8% to 90–97%. The best exact-match accuracy for ATT&CK technique identification reaches 42%, with even stronger performance under partial matching, confirming the learnability and practical utility of compact models in complex cybersecurity tasks.
📝 Abstract
Multi-stage cyberattacks span system, network, and browser logs. Detecting them requires correlating events across all three sources. Machine learning methods can learn these cross-source patterns, but they need labeled multi-source data. Existing public datasets fall short. Network-only datasets such as CICIDS and UNSW-NB15 miss host and browser activity. Host-focused datasets such as LMDG and CICAPT-IIoT lack browser telemetry. ATLAS includes all three sources but labels events only as malicious or benign, without MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) technique granularity. No public dataset combines all three sources with per-entry ATT&CK technique labels. We close the gap by building a multi-source log dataset of 870 sessions (70 attack, 800 benign) and approximately 2.3 million events. We captured system, network, and browser activity simultaneously on Windows endpoints. We labeled malicious events with ATT&CK technique IDs, covering 12 tactics and 53 techniques. We generated all attack data using real tools, including Remote Access Trojan (RAT), Command and Control (C2) tunnels, and cloud exfiltration. To demonstrate learnability, we fine-tuned three Small Language Models (SLMs) (Qwen2.5-1.5B, Llama-3.2-3B, Phi-4-Mini) using Low-Rank Adaptation (LoRA). We compared each against its base variant across ten metrics on two tasks: chunk classification and ATT&CK technique identification. Fine-tuning improved every model on every metric. Chunk classification accuracy rose from approximately 8% in the base variants to between 90% and 97% after fine-tuning. Technique identification remained challenging, with the best exact-match accuracy at 42%, although high partial-match scores show the models captured most of the underlying reasoning.
Problem

Research questions and friction points this paper is trying to address.

multi-source logs
cybersecurity
ATT&CK labeling
dataset
multi-stage attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

multi-source cybersecurity logs
ATT&CK-labeled dataset
Small Language Models (SLMs)
Low-Rank Adaptation (LoRA)
cross-source correlation
🔎 Similar Papers
No similar papers found.