Add new SentenceTransformer model.

Browse files

Files changed (11) hide show

1_Pooling/config.json +10 -0
README.md +577 -0
config.json +25 -0
config_sentence_transformers.json +10 -0
model.safetensors +3 -0
modules.json +20 -0
sentence_bert_config.json +4 -0
special_tokens_map.json +37 -0
tokenizer.json +0 -0
tokenizer_config.json +64 -0
vocab.txt +0 -0

1_Pooling/config.json ADDED Viewed

	@@ -0,0 +1,10 @@

+{
+  "word_embedding_dimension": 384,
+  "pooling_mode_cls_token": false,
+  "pooling_mode_mean_tokens": true,
+  "pooling_mode_max_tokens": false,
+  "pooling_mode_mean_sqrt_len_tokens": false,
+  "pooling_mode_weightedmean_tokens": false,
+  "pooling_mode_lasttoken": false,
+  "include_prompt": true
+}

README.md ADDED Viewed

	@@ -0,0 +1,577 @@

+---
+base_model: thenlper/gte-small
+datasets: []
+language: []
+library_name: sentence-transformers
+pipeline_tag: sentence-similarity
+tags:
+- sentence-transformers
+- sentence-similarity
+- feature-extraction
+- generated_from_trainer
+- dataset_size:29440
+- loss:MultipleNegativesRankingLoss
+widget:
+- source_sentence: Olympic Destroyer uses PsExec to interact with the ADMIN$ network
+    share to execute commands on remote systems.
+  sentences:
+  - 'Adversaries may target user email to collect sensitive information. Emails may
+    contain sensitive data, including trade secrets or personal information, that
+    can prove valuable to adversaries. Adversaries can collect or forward email from
+    mail servers or clients. '
+  - 'Adversaries can hide a program''s true filetype by changing the extension of
+    a file. With certain file types (specifically this does not work with .app extensions),
+    appending a space to the end of a filename will change how the file is processed
+    by the operating system.For example, if there is a Mach-O executable file called
+    <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app
+    and execute. If this file is renamed to <code>evil.txt</code>, then when double
+    clicked by a user, it will launch with the default text editing application (not
+    executing the binary). However, if the file is renamed to <code>evil.txt </code>
+    (note the space at the end), then when double clicked by a user, the true file
+    type is determined by the OS and handled appropriately and the binary will be
+    executed (Citation: Mac Backdoors are back).Adversaries can use this feature to
+    trick users into double clicking benign-looking files of any format and ultimately
+    executing something malicious.'
+  - 'Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078)
+    to log into a service that accepts remote connections, such as telnet, SSH, and
+    VNC. The adversary may then perform actions as the logged-on user.In an enterprise
+    environment, servers and workstations can be organized into domains. Domains provide
+    centralized identity management, allowing users to login using one set of credentials
+    across the entire network. If an adversary is able to obtain a set of valid domain
+    credentials, they could login to many different machines using remote access protocols
+    such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure
+    Shell)(Citation: TechNet Remote Desktop Services) They could also login to accessible
+    SaaS or IaaS services, such as those that federate their identities to the domain.
+    Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072)
+    and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021)
+    to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native
+    software used for remote management. ARD leverages a blend of protocols, including
+    [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control
+    buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file
+    transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote
+    Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries
+    can abuse applications such as ARD to gain remote code execution and perform lateral
+    movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH
+    session to an ARD session which enables an adversary to accept TCC (Transparency,
+    Consent, and Control) prompts without user interaction and gain access to data.(Citation:
+    FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart
+    Apple Remote Desktop commands)'
+- source_sentence: Network intrusion prevention systems and systems designed to scan
+    and remove malicious email attachments or links can be used to block activity.
+  sentences:
+  - 'Adversaries may abuse task scheduling functionality to facilitate initial or
+    recurring execution of malicious code. Utilities exist within all major operating
+    systems to schedule programs or scripts to be executed at a specified date and
+    time. A task can also be scheduled on a remote system, provided the proper authentication
+    is met (ex: RPC and file and printer sharing in Windows environments). Scheduling
+    a task on a remote system typically may require being a member of an admin or
+    otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler
+    Security)Adversaries may use task scheduling to execute programs at system startup
+    or on a scheduled basis for persistence. These mechanisms can also be abused to
+    run a process under the context of a specified account (such as one with elevated
+    permissions/privileges). Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218),
+    adversaries have also abused task scheduling to potentially mask one-time execution
+    under a trusted system process.(Citation: ProofPoint Serpent)'
+  - 'Adversaries may attempt to make an executable or file difficult to discover or
+    analyze by encrypting, encoding, or otherwise obfuscating its contents on the
+    system or in transit. This is common behavior that can be used across different
+    platforms and the network to evade defenses. Payloads may be compressed, archived,
+    or encrypted in order to avoid detection. These payloads may be used during Initial
+    Access or later to mitigate detection. Sometimes a user''s action may be required
+    to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)
+    for [User Execution](https://attack.mitre.org/techniques/T1204). The user may
+    also be required to input a password to open a password protected compressed/encrypted
+    file that was provided by the adversary. (Citation: Volexity PowerDuke November
+    2016) Adversaries may also use compressed or archived scripts, such as JavaScript.
+    Portions of files can also be encoded to hide the plain-text strings that would
+    otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security
+    Analysis) Payloads may also be split into separate, seemingly benign files that
+    only reveal malicious functionality when reassembled. (Citation: Carbon Black
+    Obfuscation Sept 2016)Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010)
+    to obscure commands executed from payloads or directly via [Command and Scripting
+    Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables,
+    aliases, characters, and other platform/language specific semantics can be used
+    to evade signature based detections and application control mechanisms. (Citation:
+    FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation:
+    PaloAlto EncodedCommand March 2017) '
+  - 'Adversaries may send phishing messages to gain access to victim systems. All
+    forms of phishing are electronically delivered social engineering. Phishing can
+    be targeted, known as spearphishing. In spearphishing, a specific individual,
+    company, or industry will be targeted by the adversary. More generally, adversaries
+    can conduct non-targeted phishing, such as in mass malware spam campaigns.Adversaries
+    may send victims emails containing malicious attachments or links, typically to
+    execute malicious code on victim systems. Phishing may also be conducted via third-party
+    services, like social media platforms. Phishing may also involve social engineering
+    techniques, such as posing as a trusted source, as well as evasive techniques
+    such as removing or manipulating emails or metadata/headers from compromised accounts
+    being abused to send messages (e.g., [Email Hiding Rules](https://attack.mitre.org/techniques/T1564/008)).(Citation:
+    Microsoft OAuth Spam 2022)(Citation: Palo Alto Unit 42 VBA Infostealer 2014) Another
+    way to accomplish this is by forging or spoofing(Citation: Proofpoint-spoof) the
+    identity of the sender which can be used to fool both the human recipient as well
+    as automated security tools.(Citation: cyberproof-double-bounce) Victims may also
+    receive phishing messages that instruct them to call a phone number where they
+    are directed to visit a malicious URL, download malware,(Citation: sygnia Luna
+    Month)(Citation: CISA Remote Monitoring and Management Software) or install adversary-accessible
+    remote management tools onto their computer (i.e., [User Execution](https://attack.mitre.org/techniques/T1204)).(Citation:
+    Unit42 Luna Moth)'
+- source_sentence: MoonWind obtains the number of removable drives from the victim.
+  sentences:
+  - 'Adversaries may attempt to gather information about attached peripheral devices
+    and components connected to a computer system.(Citation: Peripheral Discovery
+    Linux)(Citation: Peripheral Discovery macOS) Peripheral devices could include
+    auxiliary resources that support a variety of functionalities such as keyboards,
+    printers, cameras, smart card readers, or removable storage. The information may
+    be used to enhance their awareness of the system and network environment or may
+    be used for further actions.'
+  - 'Adversaries can steal application access tokens as a means of acquiring credentials
+    to access remote systems and resources.Application access tokens are used to make
+    authorized API requests on behalf of a user or service and are commonly used as
+    a way to access resources in cloud and container-based applications and software-as-a-service
+    (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs
+    Sept 2019) OAuth is one commonly implemented framework that issues tokens to users
+    for access to systems. Adversaries who steal account API tokens in cloud and containerized
+    environments may be able to access data and perform actions with the permissions
+    of these accounts, which can lead to privilege escalation and further compromise
+    of the environment.In Kubernetes environments, processes running inside a container
+    communicate with the Kubernetes API server using service account tokens. If a
+    container is compromised, an attacker may be able to steal the container’s token
+    and thereby gain access to Kubernetes API commands.(Citation: Kubernetes Service
+    Accounts)Token theft can also occur through social engineering, in which case
+    user action may be required to grant access. An application desiring access to
+    cloud-based services or protected APIs can gain entry using OAuth 2.0 through
+    a variety of authorization protocols. An example commonly-used sequence is Microsoft''s
+    Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols
+    May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An
+    OAuth access token enables a third-party application to interact with resources
+    containing user data in the ways requested by the application without obtaining
+    user credentials.  Adversaries can leverage OAuth authorization by constructing
+    a malicious application designed to be granted access to resources with the target
+    user''s OAuth token.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation:
+    Trend Micro Pawn Storm OAuth 2017) The adversary will need to complete registration
+    of their application with the authorization server, for example Microsoft Identity
+    Platform using Azure Portal, the Visual Studio IDE, the command-line interface,
+    PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration
+    - May 2019) Then, they can send a [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)
+    to the target user to entice them to grant access to the application. Once the
+    OAuth access token is granted, the application can gain potentially long-term
+    access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation:
+    Microsoft - Azure AD Identity Tokens - Aug 2019)Application access tokens may
+    function within a limited lifetime, limiting how long an adversary can utilize
+    the stolen token. However, in some cases, adversaries can also steal application
+    refresh tokens(Citation: Auth0 Understanding Refresh Tokens), allowing them to
+    obtain new access tokens without prompting the user.  '
+  - Adversaries may modify component firmware to persist on systems. Some adversaries
+    may employ sophisticated means to compromise computer components and install malicious
+    firmware that will execute adversary code outside of the operating system and
+    main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001)
+    but conducted upon other system components/devices that may not have the same
+    capability or level of integrity checking.Malicious component firmware could provide
+    both a persistent level of access to systems despite potential typical failures
+    to maintain access and hard disk re-images, as well as a way to evade host software-based
+    defenses and integrity checks.
+- source_sentence: InvisiMole can launch a remote shell to execute commands.
+  sentences:
+  - 'Adversaries may abuse the Windows command shell for execution. The Windows command
+    shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command
+    prompt on Windows systems. The Windows command prompt can be used to control almost
+    any aspect of a system, with various permission levels required for different
+    subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021)
+    such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in
+    Windows)Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential
+    commands to run, as well as normal scripting operations such as conditionals and
+    loops. Common uses of batch files include long or repetitive tasks, or the need
+    to run the same set of commands on multiple systems.Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106)
+    to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106)
+    to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106)
+    interactively with input and output forwarded over a command and control channel.'
+  - 'Adversaries may abuse command and script interpreters to execute commands, scripts,
+    or binaries. These interfaces and languages provide ways of interacting with computer
+    systems and are a common feature across many different platforms. Most systems
+    come with some built-in command-line interface and scripting capabilities, for
+    example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004)
+    while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003)
+    and [PowerShell](https://attack.mitre.org/techniques/T1059/001).There are also
+    cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006),
+    as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007)
+    and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).Adversaries
+    may abuse these technologies in various ways as a means of executing arbitrary
+    commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001)
+    payloads delivered to victims as lure documents or as secondary payloads downloaded
+    from an existing C2. Adversaries may also execute commands through interactive
+    terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021)
+    in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation:
+    Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell
+    Execution in Python)'
+  - 'Adversaries may communicate using application layer protocols associated with
+    electronic mail delivery to avoid detection/network filtering by blending in with
+    existing traffic. Commands to the remote system, and often the results of those
+    commands, will be embedded within the protocol traffic between the client and
+    server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail
+    may be very common in environments.  Packets produced from these protocols may
+    have many fields and headers in which data can be concealed. Data could also be
+    concealed within the email messages themselves. An adversary may abuse these protocols
+    to communicate with systems under their control within a victim network while
+    also mimicking normal, expected traffic. '
+- source_sentence: BackdoorDiplomacy has dropped legitimate software onto a compromised
+    host and used it to execute malicious DLLs.
+  sentences:
+  - 'Adversaries may transfer tools or other files from an external system into a
+    compromised environment. Tools or files may be copied from an external adversary-controlled
+    system to the victim network through the command and control channel or through
+    alternate protocols such as [ftp](https://attack.mitre.org/software/S0095). Once
+    present, adversaries may also transfer/spread tools between victim devices within
+    a compromised environment (i.e. [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570)).
+    On Windows, adversaries may use various utilities to download tools, such as `copy`,
+    `finger`, [certutil](https://attack.mitre.org/software/S0160), and [PowerShell](https://attack.mitre.org/techniques/T1059/001)
+    commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and
+    <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities
+    also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation:
+    t1105_lolbas)Adversaries may also abuse installers and package managers, such
+    as `yum` or `winget`, to download tools to victim hosts.Files can also be transferred
+    using various [Web Service](https://attack.mitre.org/techniques/T1102)s as well
+    as native or otherwise present tools on the victim system.(Citation: PTSecurity
+    Cobalt Dec 2016) In some cases, adversaries may be able to leverage services that
+    sync between a web-based and an on-premises client, such as Dropbox or OneDrive,
+    to transfer files onto victim systems. For example, by compromising a cloud account
+    and logging into the service''s web portal, an adversary may be able to trigger
+    an automatic syncing process that transfers the file onto the victim''s machine.(Citation:
+    Dropbox Malware Sync)'
+  - 'Adversaries may communicate using application layer protocols associated with
+    web traffic to avoid detection/network filtering by blending in with existing
+    traffic. Commands to the remote system, and often the results of those commands,
+    will be embedded within the protocol traffic between the client and server. Protocols
+    such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets)
+    that carry web traffic may be very common in environments. HTTP/S packets have
+    many fields and headers in which data can be concealed. An adversary may abuse
+    these protocols to communicate with systems under their control within a victim
+    network while also mimicking normal, expected traffic. '
+  - 'Adversaries may inject code into processes in order to evade process-based defenses
+    as well as possibly elevate privileges. Process injection is a method of executing
+    arbitrary code in the address space of a separate live process. Running code in
+    the context of another process may allow access to the process''s memory, system/network
+    resources, and possibly elevated privileges. Execution via process injection may
+    also evade detection from security products since the execution is masked under
+    a legitimate process. There are many different ways to inject code into a process,
+    many of which abuse legitimate functionalities. These implementations exist for
+    every major OS but are typically platform specific. More sophisticated samples
+    may perform multiple process injections to segment modules and further evade detection,
+    utilizing named pipes or other inter-process communication (IPC) mechanisms as
+    a communication channel. '
+---
+# SentenceTransformer based on thenlper/gte-small
+This is a [sentence-transformers](https://www.SBERT.net) model finetuned from [thenlper/gte-small](https://huggingface.co/thenlper/gte-small). It maps sentences & paragraphs to a 384-dimensional dense vector space and can be used for semantic textual similarity, semantic search, paraphrase mining, text classification, clustering, and more.
+## Model Details
+### Model Description
+- **Model Type:** Sentence Transformer
+- **Base model:** [thenlper/gte-small](https://huggingface.co/thenlper/gte-small) <!-- at revision 50c7dd33df1027ef560fd504d95e277948c3c886 -->
+- **Maximum Sequence Length:** 512 tokens
+- **Output Dimensionality:** 384 tokens
+- **Similarity Function:** Cosine Similarity
+<!-- - **Training Dataset:** Unknown -->
+<!-- - **Language:** Unknown -->
+<!-- - **License:** Unknown -->
+### Model Sources
+- **Documentation:** [Sentence Transformers Documentation](https://sbert.net)
+- **Repository:** [Sentence Transformers on GitHub](https://github.com/UKPLab/sentence-transformers)
+- **Hugging Face:** [Sentence Transformers on Hugging Face](https://huggingface.co/models?library=sentence-transformers)
+### Full Model Architecture
+```
+SentenceTransformer(
+  (0): Transformer({'max_seq_length': 512, 'do_lower_case': False}) with Transformer model: BertModel
+  (1): Pooling({'word_embedding_dimension': 384, 'pooling_mode_cls_token': False, 'pooling_mode_mean_tokens': True, 'pooling_mode_max_tokens': False, 'pooling_mode_mean_sqrt_len_tokens': False, 'pooling_mode_weightedmean_tokens': False, 'pooling_mode_lasttoken': False, 'include_prompt': True})
+  (2): Normalize()
+)
+```
+## Usage
+### Direct Usage (Sentence Transformers)
+First install the Sentence Transformers library:
+```bash
+pip install -U sentence-transformers
+```
+Then you can load this model and run inference.
+```python
+from sentence_transformers import SentenceTransformer
+# Download from the 🤗 Hub
+model = SentenceTransformer("acedev003/gte-small-mitre")
+# Run inference
+sentences = [
+    'BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.',
+    "Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. ",
+    'Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ',
+]
+embeddings = model.encode(sentences)
+print(embeddings.shape)
+# [3, 384]
+# Get the similarity scores for the embeddings
+similarities = model.similarity(embeddings, embeddings)
+print(similarities.shape)
+# [3, 3]
+```
+<!--
+### Direct Usage (Transformers)
+<details><summary>Click to see the direct usage in Transformers</summary>
+</details>
+-->
+<!--
+### Downstream Usage (Sentence Transformers)
+You can finetune this model on your own dataset.
+<details><summary>Click to expand</summary>
+</details>
+-->
+<!--
+### Out-of-Scope Use
+*List how the model may foreseeably be misused and address what users ought not to do with the model.*
+-->
+<!--
+## Bias, Risks and Limitations
+*What are the known or foreseeable issues stemming from this model? You could also flag here known failure cases or weaknesses of the model.*
+-->
+<!--
+### Recommendations
+*What are recommendations with respect to the foreseeable issues? For example, filtering explicit content.*
+-->
+## Training Details
+### Training Dataset
+#### Unnamed Dataset
+* Size: 29,440 training samples
+* Columns: <code>sentence_0</code> and <code>sentence_1</code>
+* Approximate statistics based on the first 1000 samples:
+  |         | sentence_0                                                                         | sentence_1                                                                           |
+  |:--------|:-----------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------|
+  | type    | string                                                                             | string                                                                               |
+  | details | <ul><li>min: 4 tokens</li><li>mean: 25.63 tokens</li><li>max: 101 tokens</li></ul> | <ul><li>min: 37 tokens</li><li>mean: 283.48 tokens</li><li>max: 512 tokens</li></ul> |
+* Samples:
+  | sentence_0                                                                                                                                                                                         | sentence_1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+  |:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+  | <code>Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration.</code>                                                            | <code>Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device.  A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design.  In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device.  In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.  Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities</code> |
+  | <code>When documents, applications, or programs are downloaded an extended attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the download.</code> | <code>Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) </code>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
+  | <code>FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.</code>                                                                                        | <code>Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.</code>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
+* Loss: [<code>MultipleNegativesRankingLoss</code>](https://sbert.net/docs/package_reference/sentence_transformer/losses.html#multiplenegativesrankingloss) with these parameters:
+  ```json
+  {
+      "scale": 20.0,
+      "similarity_fct": "cos_sim"
+  }
+  ```
+### Training Hyperparameters
+#### Non-Default Hyperparameters
+- `per_device_train_batch_size`: 16
+- `per_device_eval_batch_size`: 16
+- `num_train_epochs`: 1
+- `multi_dataset_batch_sampler`: round_robin
+#### All Hyperparameters
+<details><summary>Click to expand</summary>
+- `overwrite_output_dir`: False
+- `do_predict`: False
+- `eval_strategy`: no
+- `prediction_loss_only`: True
+- `per_device_train_batch_size`: 16
+- `per_device_eval_batch_size`: 16
+- `per_gpu_train_batch_size`: None
+- `per_gpu_eval_batch_size`: None
+- `gradient_accumulation_steps`: 1
+- `eval_accumulation_steps`: None
+- `torch_empty_cache_steps`: None
+- `learning_rate`: 5e-05
+- `weight_decay`: 0.0
+- `adam_beta1`: 0.9
+- `adam_beta2`: 0.999
+- `adam_epsilon`: 1e-08
+- `max_grad_norm`: 1
+- `num_train_epochs`: 1
+- `max_steps`: -1
+- `lr_scheduler_type`: linear
+- `lr_scheduler_kwargs`: {}
+- `warmup_ratio`: 0.0
+- `warmup_steps`: 0
+- `log_level`: passive
+- `log_level_replica`: warning
+- `log_on_each_node`: True
+- `logging_nan_inf_filter`: True
+- `save_safetensors`: True
+- `save_on_each_node`: False
+- `save_only_model`: False
+- `restore_callback_states_from_checkpoint`: False
+- `no_cuda`: False
+- `use_cpu`: False
+- `use_mps_device`: False
+- `seed`: 42
+- `data_seed`: None
+- `jit_mode_eval`: False
+- `use_ipex`: False
+- `bf16`: False
+- `fp16`: False
+- `fp16_opt_level`: O1
+- `half_precision_backend`: auto
+- `bf16_full_eval`: False
+- `fp16_full_eval`: False
+- `tf32`: None
+- `local_rank`: 0
+- `ddp_backend`: None
+- `tpu_num_cores`: None
+- `tpu_metrics_debug`: False
+- `debug`: []
+- `dataloader_drop_last`: False
+- `dataloader_num_workers`: 0
+- `dataloader_prefetch_factor`: None
+- `past_index`: -1
+- `disable_tqdm`: False
+- `remove_unused_columns`: True
+- `label_names`: None
+- `load_best_model_at_end`: False
+- `ignore_data_skip`: False
+- `fsdp`: []
+- `fsdp_min_num_params`: 0
+- `fsdp_config`: {'min_num_params': 0, 'xla': False, 'xla_fsdp_v2': False, 'xla_fsdp_grad_ckpt': False}
+- `fsdp_transformer_layer_cls_to_wrap`: None
+- `accelerator_config`: {'split_batches': False, 'dispatch_batches': None, 'even_batches': True, 'use_seedable_sampler': True, 'non_blocking': False, 'gradient_accumulation_kwargs': None}
+- `deepspeed`: None
+- `label_smoothing_factor`: 0.0
+- `optim`: adamw_torch
+- `optim_args`: None
+- `adafactor`: False
+- `group_by_length`: False
+- `length_column_name`: length
+- `ddp_find_unused_parameters`: None
+- `ddp_bucket_cap_mb`: None
+- `ddp_broadcast_buffers`: False
+- `dataloader_pin_memory`: True
+- `dataloader_persistent_workers`: False
+- `skip_memory_metrics`: True
+- `use_legacy_prediction_loop`: False
+- `push_to_hub`: False
+- `resume_from_checkpoint`: None
+- `hub_model_id`: None
+- `hub_strategy`: every_save
+- `hub_private_repo`: False
+- `hub_always_push`: False
+- `gradient_checkpointing`: False
+- `gradient_checkpointing_kwargs`: None
+- `include_inputs_for_metrics`: False
+- `eval_do_concat_batches`: True
+- `fp16_backend`: auto
+- `push_to_hub_model_id`: None
+- `push_to_hub_organization`: None
+- `mp_parameters`:
+- `auto_find_batch_size`: False
+- `full_determinism`: False
+- `torchdynamo`: None
+- `ray_scope`: last
+- `ddp_timeout`: 1800
+- `torch_compile`: False
+- `torch_compile_backend`: None
+- `torch_compile_mode`: None
+- `dispatch_batches`: None
+- `split_batches`: None
+- `include_tokens_per_second`: False
+- `include_num_input_tokens_seen`: False
+- `neftune_noise_alpha`: None
+- `optim_target_modules`: None
+- `batch_eval_metrics`: False
+- `eval_on_start`: False
+- `eval_use_gather_object`: False
+- `batch_sampler`: batch_sampler
+- `multi_dataset_batch_sampler`: round_robin
+</details>
+### Training Logs
+| Epoch  | Step | Training Loss |
+|:------:|:----:|:-------------:|
+| 0.2717 | 500  | 0.8973        |
+| 0.5435 | 1000 | 0.5649        |
+| 0.8152 | 1500 | 0.4969        |
+### Framework Versions
+- Python: 3.10.14
+- Sentence Transformers: 3.0.1
+- Transformers: 4.44.0
+- PyTorch: 2.4.0
+- Accelerate: 0.33.0
+- Datasets: 2.21.0
+- Tokenizers: 0.19.1
+## Citation
+### BibTeX
+#### Sentence Transformers
+```bibtex
+@inproceedings{reimers-2019-sentence-bert,
+    title = "Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks",
+    author = "Reimers, Nils and Gurevych, Iryna",
+    booktitle = "Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing",
+    month = "11",
+    year = "2019",
+    publisher = "Association for Computational Linguistics",
+    url = "https://arxiv.org/abs/1908.10084",
+}
+```
+#### MultipleNegativesRankingLoss
+```bibtex
+@misc{henderson2017efficient,
+    title={Efficient Natural Language Response Suggestion for Smart Reply},
+    author={Matthew Henderson and Rami Al-Rfou and Brian Strope and Yun-hsuan Sung and Laszlo Lukacs and Ruiqi Guo and Sanjiv Kumar and Balint Miklos and Ray Kurzweil},
+    year={2017},
+    eprint={1705.00652},
+    archivePrefix={arXiv},
+    primaryClass={cs.CL}
+}
+```
+<!--
+## Glossary
+*Clearly define terms in order to be accessible across audiences.*
+-->
+<!--
+## Model Card Authors
+*Lists the people who create the model card, providing recognition and accountability for the detailed work that goes into its construction.*
+-->
+<!--
+## Model Card Contact
+*Provides a way for people who have updates to the Model Card, suggestions, or questions, to contact the Model Card authors.*
+-->

config.json ADDED Viewed

	@@ -0,0 +1,25 @@

+{
+  "_name_or_path": "thenlper/gte-small",
+  "architectures": [
+    "BertModel"
+  ],
+  "attention_probs_dropout_prob": 0.1,
+  "classifier_dropout": null,
+  "hidden_act": "gelu",
+  "hidden_dropout_prob": 0.1,
+  "hidden_size": 384,
+  "initializer_range": 0.02,
+  "intermediate_size": 1536,
+  "layer_norm_eps": 1e-12,
+  "max_position_embeddings": 512,
+  "model_type": "bert",
+  "num_attention_heads": 12,
+  "num_hidden_layers": 12,
+  "pad_token_id": 0,
+  "position_embedding_type": "absolute",
+  "torch_dtype": "float32",
+  "transformers_version": "4.44.0",
+  "type_vocab_size": 2,
+  "use_cache": true,
+  "vocab_size": 30522
+}

config_sentence_transformers.json ADDED Viewed

	@@ -0,0 +1,10 @@

+{
+  "__version__": {
+    "sentence_transformers": "3.0.1",
+    "transformers": "4.44.0",
+    "pytorch": "2.4.0"
+  },
+  "prompts": {},
+  "default_prompt_name": null,
+  "similarity_fn_name": null
+}

model.safetensors ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:66abbd9a56f9a3a963a759eaad136f6e8e3ffec839c01eadf1663cba5aa98592
+size 133462128

modules.json ADDED Viewed

	@@ -0,0 +1,20 @@

+[
+  {
+    "idx": 0,
+    "name": "0",
+    "path": "",
+    "type": "sentence_transformers.models.Transformer"
+  },
+  {
+    "idx": 1,
+    "name": "1",
+    "path": "1_Pooling",
+    "type": "sentence_transformers.models.Pooling"
+  },
+  {
+    "idx": 2,
+    "name": "2",
+    "path": "2_Normalize",
+    "type": "sentence_transformers.models.Normalize"
+  }
+]

sentence_bert_config.json ADDED Viewed

	@@ -0,0 +1,4 @@

+{
+  "max_seq_length": 512,
+  "do_lower_case": false
+}

special_tokens_map.json ADDED Viewed

	@@ -0,0 +1,37 @@

+{
+  "cls_token": {
+    "content": "[CLS]",
+    "lstrip": false,
+    "normalized": false,
+    "rstrip": false,
+    "single_word": false
+  },
+  "mask_token": {
+    "content": "[MASK]",
+    "lstrip": false,
+    "normalized": false,
+    "rstrip": false,
+    "single_word": false
+  },
+  "pad_token": {
+    "content": "[PAD]",
+    "lstrip": false,
+    "normalized": false,
+    "rstrip": false,
+    "single_word": false
+  },
+  "sep_token": {
+    "content": "[SEP]",
+    "lstrip": false,
+    "normalized": false,
+    "rstrip": false,
+    "single_word": false
+  },
+  "unk_token": {
+    "content": "[UNK]",
+    "lstrip": false,
+    "normalized": false,
+    "rstrip": false,
+    "single_word": false
+  }
+}

tokenizer.json ADDED Viewed

The diff for this file is too large to render. See raw diff

tokenizer_config.json ADDED Viewed

	@@ -0,0 +1,64 @@

+{
+  "added_tokens_decoder": {
+    "0": {
+      "content": "[PAD]",
+      "lstrip": false,
+      "normalized": false,
+      "rstrip": false,
+      "single_word": false,
+      "special": true
+    },
+    "100": {
+      "content": "[UNK]",
+      "lstrip": false,
+      "normalized": false,
+      "rstrip": false,
+      "single_word": false,
+      "special": true
+    },
+    "101": {
+      "content": "[CLS]",
+      "lstrip": false,
+      "normalized": false,
+      "rstrip": false,
+      "single_word": false,
+      "special": true
+    },
+    "102": {
+      "content": "[SEP]",
+      "lstrip": false,
+      "normalized": false,
+      "rstrip": false,
+      "single_word": false,
+      "special": true
+    },
+    "103": {
+      "content": "[MASK]",
+      "lstrip": false,
+      "normalized": false,
+      "rstrip": false,
+      "single_word": false,
+      "special": true
+    }
+  },
+  "clean_up_tokenization_spaces": true,
+  "cls_token": "[CLS]",
+  "do_basic_tokenize": true,
+  "do_lower_case": true,
+  "mask_token": "[MASK]",
+  "max_length": 128,
+  "model_max_length": 512,
+  "never_split": null,
+  "pad_to_multiple_of": null,
+  "pad_token": "[PAD]",
+  "pad_token_type_id": 0,
+  "padding_side": "right",
+  "sep_token": "[SEP]",
+  "stride": 0,
+  "strip_accents": null,
+  "tokenize_chinese_chars": true,
+  "tokenizer_class": "BertTokenizer",
+  "truncation_side": "right",
+  "truncation_strategy": "longest_first",
+  "unk_token": "[UNK]"
+}

vocab.txt ADDED Viewed

The diff for this file is too large to render. See raw diff