Ahmed Khan

Applied ML Security Researcher

About Me

I am an applied ML security researcher focused on command-line threat detection, endpoint telemetry, and adversary behavior modeling. My work began with real-time Windows security event monitoring and evolved into ML-based command classification, deobfuscation, and ATT&CK technique mapping.

I am particularly interested in how shell structure — pipes, redirects, flags, arguments, encodings, and execution chains — can be represented more effectively in security ML models.

📍 Toronto, ON

Publications

IEEE World AI IoT Congress (AIIoT), Seattle, USA — May 2026

[1]

Open-Source Next Gen Endpoint Detection & Response

Ahmed Khan · First Author · IEEE AIIoT 2026 · Seattle

Existing security solutions are expensive and often utilize kernel-level agents which, by design, introduce a high attack surface and are resource-intensive, rendering them impractical for low-overhead or constrained environments. This paper proposes and validates a novel open-source, kernel-driverless (Ring 3) intrusion detection and mitigation agent designed as a low-overhead alternative. We successfully integrated a RoBERTa-base classifier fine-tuned using LoRA (Low-Rank Adaptation), achieving 99.75% accuracy against real world tests. The system's operation is anchored by the analysis of select data gathered from Windows Event Logs (WEL), where the classifier performs 4-class syntactic analysis to distinguish malicious from benign commands. We demonstrated its capability to detect and mitigate three high-priority MITRE ATT&CK techniques—T1003.002 (OS Credential Dumping), T1562 (Impair Defenses), and T1134 (Access Token Manipulation) and benign commands—with near perfect fidelity. This work validates a significant contribution by establishing a highly effective and resource-efficient security monitoring approach that matches the detection rigor of kernel-level solutions while adhering to the critical constraint of low system overhead and minimal deployment complexity.

[2]

A Two-Stage Transformer-Based Framework for Command-Line Classification and MITRE ATT&CK Technique Mapping

Ahmed Khan · First Author · IEEE AIIoT 2026 · Seattle

The proliferation of Living-off-the-Land (LotL) techniques presents a significant classification challenge for traditional security controls due to their reliance on dual-use system utilities and syntactically complex command-line telemetry. Models designed for natural language processing (NLP), which are fine-tuned for linguistic patterns, often do not capture the execution semantics and structural dependencies inherent in command-line inputs. In this paper, we propose a two-stage cascaded classification framework based on a pre-trained transformer model (CodeBERT) to map command-line sequences to 141 MITRE ATT&CK techniques. The first stage performs binary classification to distinguish potentially malicious commands from benign administrative activity, while the second stage applies fine-grained multi-class classification for behavioral attribution. This cascaded design reduces unnecessary multi-class inference on benign-dominated traffic while improving focus on security-relevant inputs. Experimental results show that the proposed system achieves 95.53% Top 1 accuracy and 97.94% Top 3 accuracy, with a Tier 1 Area Under the Curve (AUC) of 0.9999 and a macro F1-score of 95.46%. End-to-end evaluation further shows that pipeline latency decreases as traffic becomes increasingly benign, reaching 6.57 ms per sequence under a production-like 99% benign distribution. These results demonstrate that transformer-based representations of command-line syntax can support high-fidelity, real-time adversarial behavior classification in endpoint environments.

Research

↳ System artifact from the IEEE AIIoT 2026 work

Genos

Open-Source Command Intelligence Research Artifact

2024 – Present
  • Built an applied ML security pipeline that classifies raw command-line activity into verdicts, confidence scores, MITRE ATT&CK technique candidates, and analyst-oriented explanations.
  • Implemented a two-tier inference design: a fast gatekeeper model routes suspicious/context-dependent inputs into a specialist classifier for technique attribution.
  • Engineered recursive de-obfuscation and parsing features for encoded payloads, PowerShell constructs, shell chains, registry operations, file paths, URLs, IPs, and execution markers.
  • Designed benchmark and evaluation workflows covering top-k accuracy, latency, class-level behavior, adversarial perturbations, and reproducibility of security ML claims.
  • Designed as an open-source research artifact: public code, evaluation scripts, model cards, and reproducibility notes supporting independent verification of results.

Experience

Security Analyst

Verto Solutions
08/2025 – Present Toronto, ON
  • Led OSINT and vulnerability research workflows for projects including ReconNet, integrating Python tooling with penetration testing to identify and remediate 15+ systemic vulnerabilities before production.
  • Developed threat models and response strategies aligned to attacker behavior, improving detection coverage and analyst triage for emerging security issues.
  • Reviewed C++ and Python codebases with R&D teams, identifying security gaps and strengthening secure development practices across the SDLC.

Systems Administrator

The Home Team
01/2018 – 09/2024 Dubai, U.A.E.
  • Secured enterprise infrastructure across Active Directory, Windows Server, IIS, VPN, and network perimeter environments over a 6-year tenure.
  • Hardened Windows infrastructure by configuring 50+ Group Policy Objects to mitigate privilege escalation, access control, and administrative exposure risks.
  • Architected Cisco firewall policies and IIS request-filtering controls, improving perimeter defense and maintaining secure web-service availability.

Education

🎓

M.Sc. Cybersecurity

NYIT Vancouver

Vancouver, BC | 2023-2025

  • Domestic Scholarship
🎓

M.Sc. Computer Science

University of Birmingham

Dubai, U.A.E. | 2020-2021

  • Merits Chancellors Scholarship
🎓

Bachelor of Business Administration

Heriot Watt University

Dubai, U.A.E. | 2018-2020

Technical Skills

Applied ML for Security

Transformer Fine-Tuning LoRA / PEFT CodeBERT RoBERTa Adversarial Evaluation Reproducible Benchmarking

ML Engineering

PyTorch Hugging Face Transformers Evaluation Harnesses Reproducibility Documentation

Threat Research

MITRE ATT&CK MITRE ATLAS Command-Line Analysis Windows Telemetry Endpoint Detection

Offensive Security

Burp Suite Nmap OWASP Top 10 Privilege Escalation

Engineering

Python C++ PowerShell Bash Docker

Certifications & Training

🎯

OSCP

OffSec Certified Professional

Scheduled June 9, 2026

🤖

OSAI

OffSec AI Offensive Security Track

Planned 2026

Get in Touch

Open to discussing research directions, collaboration on endpoint security and ML-based threat detection, or PhD program inquiries.