I am an applied ML security researcher focused on command-line threat detection, endpoint telemetry, and adversary behavior modeling. My work began with real-time Windows security event monitoring and evolved into ML-based command classification, deobfuscation, and ATT&CK technique mapping.
I am particularly interested in how shell structure — pipes, redirects, flags, arguments, encodings, and execution chains — can be represented more effectively in security ML models.
IEEE World AI IoT Congress (AIIoT), Seattle, USA — May 2026
Existing security solutions are expensive and often utilize kernel-level agents which, by design, introduce a high attack surface and are resource-intensive, rendering them impractical for low-overhead or constrained environments. This paper proposes and validates a novel open-source, kernel-driverless (Ring 3) intrusion detection and mitigation agent designed as a low-overhead alternative. We successfully integrated a RoBERTa-base classifier fine-tuned using LoRA (Low-Rank Adaptation), achieving 99.75% accuracy against real world tests. The system's operation is anchored by the analysis of select data gathered from Windows Event Logs (WEL), where the classifier performs 4-class syntactic analysis to distinguish malicious from benign commands. We demonstrated its capability to detect and mitigate three high-priority MITRE ATT&CK techniques—T1003.002 (OS Credential Dumping), T1562 (Impair Defenses), and T1134 (Access Token Manipulation) and benign commands—with near perfect fidelity. This work validates a significant contribution by establishing a highly effective and resource-efficient security monitoring approach that matches the detection rigor of kernel-level solutions while adhering to the critical constraint of low system overhead and minimal deployment complexity.
The proliferation of Living-off-the-Land (LotL) techniques presents a significant classification challenge for traditional security controls due to their reliance on dual-use system utilities and syntactically complex command-line telemetry. Models designed for natural language processing (NLP), which are fine-tuned for linguistic patterns, often do not capture the execution semantics and structural dependencies inherent in command-line inputs. In this paper, we propose a two-stage cascaded classification framework based on a pre-trained transformer model (CodeBERT) to map command-line sequences to 141 MITRE ATT&CK techniques. The first stage performs binary classification to distinguish potentially malicious commands from benign administrative activity, while the second stage applies fine-grained multi-class classification for behavioral attribution. This cascaded design reduces unnecessary multi-class inference on benign-dominated traffic while improving focus on security-relevant inputs. Experimental results show that the proposed system achieves 95.53% Top 1 accuracy and 97.94% Top 3 accuracy, with a Tier 1 Area Under the Curve (AUC) of 0.9999 and a macro F1-score of 95.46%. End-to-end evaluation further shows that pipeline latency decreases as traffic becomes increasingly benign, reaching 6.57 ms per sequence under a production-like 99% benign distribution. These results demonstrate that transformer-based representations of command-line syntax can support high-fidelity, real-time adversarial behavior classification in endpoint environments.
↳ System artifact from the IEEE AIIoT 2026 work
Open-Source Command Intelligence Research Artifact
NYIT Vancouver
Vancouver, BC | 2023-2025
University of Birmingham
Dubai, U.A.E. | 2020-2021
Heriot Watt University
Dubai, U.A.E. | 2018-2020
OffSec Certified Professional
Scheduled June 9, 2026
OffSec AI Offensive Security Track
Planned 2026
Open to discussing research directions, collaboration on endpoint security and ML-based threat detection, or PhD program inquiries.