AlexXBueno
/

Mistral-7B-Cyber-Thread-Intelligence-Extractor

@@ -6,202 +6,161 @@ tags:
 - base_model:adapter:mistralai/Mistral-7B-v0.3
 - lora
 - transformers
 ---
 # Model Card for Model ID
-<!-- Provide a quick summary of what the model is/does. -->
 ## Model Details
 ### Model Description
-<!-- Provide a longer summary of what this model is. -->
-- **Developed by:** [More Information Needed]
-- **Funded by [optional]:** [More Information Needed]
-- **Shared by [optional]:** [More Information Needed]
-- **Model type:** [More Information Needed]
-- **Language(s) (NLP):** [More Information Needed]
-- **License:** [More Information Needed]
-- **Finetuned from model [optional]:** [More Information Needed]
 ### Model Sources [optional]
-<!-- Provide the basic links for the model. -->
-- **Repository:** [More Information Needed]
-- **Paper [optional]:** [More Information Needed]
-- **Demo [optional]:** [More Information Needed]
 ## Uses
-<!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
 ### Direct Use
-<!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
-[More Information Needed]
-### Downstream Use [optional]
-<!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
-[More Information Needed]
-### Out-of-Scope Use
-<!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
-[More Information Needed]
 ## Bias, Risks, and Limitations
-<!-- This section is meant to convey both technical and sociotechnical limitations. -->
-[More Information Needed]
 ### Recommendations
-<!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
-Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
 ## How to Get Started with the Model
-Use the code below to get started with the model.
-[More Information Needed]
 ## Training Details
 ### Training Data
-<!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
-[More Information Needed]
 ### Training Procedure
 <!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
-#### Preprocessing [optional]
-[More Information Needed]
 #### Training Hyperparameters
-- **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
-#### Speeds, Sizes, Times [optional]
-<!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
-[More Information Needed]
-## Evaluation
-<!-- This section describes the evaluation protocols and provides the results. -->
-### Testing Data, Factors & Metrics
-#### Testing Data
-<!-- This should link to a Dataset Card if possible. -->
-[More Information Needed]
-#### Factors
-<!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
-[More Information Needed]
-#### Metrics
-<!-- These are the evaluation metrics being used, ideally with a description of why. -->
-[More Information Needed]
-### Results
-[More Information Needed]
-#### Summary
-## Model Examination [optional]
-<!-- Relevant interpretability work for the model goes here -->
-[More Information Needed]
-## Environmental Impact
-<!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
-Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
-- **Hardware Type:** [More Information Needed]
-- **Hours used:** [More Information Needed]
-- **Cloud Provider:** [More Information Needed]
-- **Compute Region:** [More Information Needed]
-- **Carbon Emitted:** [More Information Needed]
-## Technical Specifications [optional]
 ### Model Architecture and Objective
-[More Information Needed]
 ### Compute Infrastructure
-[More Information Needed]
-#### Hardware
-[More Information Needed]
 #### Software
-[More Information Needed]
-## Citation [optional]
-<!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
-**BibTeX:**
-[More Information Needed]
-**APA:**
-[More Information Needed]
-## Glossary [optional]
-<!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
-[More Information Needed]
-## More Information [optional]
-[More Information Needed]
-## Model Card Authors [optional]
-[More Information Needed]
-## Model Card Contact
-[More Information Needed]
-### Framework versions
-- PEFT 0.18.1

 - base_model:adapter:mistralai/Mistral-7B-v0.3
 - lora
 - transformers
+- cyber-threat-intelligence
+- cti
+- ner
+- information-extraction
 ---
 # Model Card for Model ID
+This model is a fine-tuned version of Mistral-7B-v0.3 designed to automate the extraction of Cyber Threat Intelligence (CTI) from unstructured security reports.
+It transforms raw, technical text into structured JSON format containing cybersecurity entities (e.g., Malware, Threat Actors, Attack Patterns, and Indicators of Compromise).
 ## Model Details
 ### Model Description
+This model uses QLoRA (Quantized Low-Rank Adaptation) to efficiently adapt the Mistral-7B base model for the highly specific task of Named Entity Recognition (NER) in the cybersecurity domain.
+The model outputs a strict JSON structure, making it ideal for integration into automated RAG pipelines, SIEMs, or autonomous agent workflows (like LangGraph).
+- **Developed by:** Alex Bueno
+- **Model type:** Causal Language Model with LoRA adapters (PEFT)
+- **Language(s) (NLP):** English
+- **License:** Apache 2.0
+- **Finetuned from model:** `mistralai/Mistral-7B-v0.3`
 ### Model Sources [optional]
+- **Repository:** https://huggingface.co/AlexXBueno/Mistral-7B-Cyber-Thread-Intelligence-Extractor
 ## Uses
 ### Direct Use
+The model is designed to be directly queried with unstructured cybersecurity text (like threat reports, blogs, or logs) using a specific prompt template.
+It will extract relevant entities and return them as a structured JSON array.
+### Downstream Use
+- **Multi-Agent Systems:** As a specific Tool Node for an orchestrator agent (e.g., Llama-3-70B) to extract structured data before querying a Vector Database or SQL.
+- **CTI Pipelines:** Automated ingestion and structuring of daily threat reports into a local database.
 ## Bias, Risks, and Limitations
+The model may suffer from previous knowledge bias, which may leads to insert threat actors or malware names that are semantically related but not explicitly mentioned in the input text.
 ### Recommendations
+- **Temperature:** It is strictly recommended to use a low temperature (`temperature=0.1` or `0.0`) during inference to ensure deterministic extraction.
+- **Validation:** Use Pydantic or structured decoding libraries (like `Outlines` or `Guidance`) in production to enforce JSON grammar, as the model may occasionally produce malformed JSON syntax.
 ## How to Get Started with the Model
+Use the code below to load the quantized base model and apply the LoRA adapters for inference:
+```python
+import torch
+from transformers import AutoModelForCausalLM, AutoTokenizer, BitsAndBytesConfig
+from peft import PeftModel
+MODEL_NAME = "mistralai/Mistral-7B-v0.3"
+ADAPTER_REPO = "AlexXBueno/Mistral-7B-Cyber-Thread-Intelligence-Extractor"
+# Load Tokenizer
+tokenizer = AutoTokenizer.from_pretrained(MODEL_NAME)
+tokenizer.pad_token = tokenizer.eos_token
+# Configure 4-bit Quantization
+bnb_config = BitsAndBytesConfig(
+    load_in_4bit=True,
+    bnb_4bit_quant_type="nf4",
+    bnb_4bit_compute_dtype=torch.float16,
+    bnb_4bit_use_double_quant=True
+)
+# Load Base Model
+base_model = AutoModelForCausalLM.from_pretrained(
+    MODEL_NAME,
+    quantization_config=bnb_config,
+    device_map="auto",
+    dtype=torch.float16,
+    low_cpu_mem_usage=True,
+    attn_implementation="sdpa"
+)
+base_model.config.use_cache = True
+# Merge Adapters
+model = PeftModel.from_pretrained(base_model, ADAPTER_REPO)
+model.eval()
+# Inference
+text = "The attacker used IP 192.168.1.50 to deliver the Emotet payload via phishing."
+prompt = (
+    f"### Instruction: Extract cyber threat entities in JSON format.\n"
+    f"### Input: {text}\n"
+    f"### Response: "
+)
+inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
+with torch.no_grad():
+    outputs = model.generate(
+        **inputs,
+        max_new_tokens=256,
+        temperature=0.1,
+        do_sample=True,
+        pad_token_id=tokenizer.eos_token_id
+    )
+print(tokenizer.decode(outputs[0], skip_special_tokens=True).split("### Response:")[1].strip())
+```
 ## Training Details
 ### Training Data
+The model was fine-tuned on the ```mrmoor/cyber-threat-intelligence``` dataset, which contains annotated cybersecurity entities.
 ### Training Procedure
 <!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
+#### Preprocessing
+A custom Data Collator (```CTICompletionCollator```) was implemented during training.
+It calculates the loss only on the JSON response generated by the model.
+The instruction and input tokens were masked using -100 labels to prevent the model from learning to generate the prompt itself, focusing entirely on the JSON structure generation.
 #### Training Hyperparameters
+- Training regime: QLoRA (4-bit base model, 16-bit adapters)
+- Epochs: 3
+- Learning Rate: 2e-4
+- Batch Size: 2
+- Gradient Accumulation Steps: 8
+- Optimizer: AdamW
+- LR Scheduler: Linear
+- LoRA Rank (r): 8
+- LoRA Alpha: 32
+- LoRA Dropout: 0.05
+- Target Modules: q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj
+## Technical Specifications
 ### Model Architecture and Objective
+The objective is strictly Information Extraction (IE) formatted as an Instruction-Following generation task.
 ### Compute Infrastructure
+The entire stack was developed and validated on local/on-premise infrastructure, bypassing cloud dependencies to assure data privacy for sensitive CTI documents.
 #### Software
+- PEFT 0.18.1
+- Transformers
+- BitsAndBytes
+- PyTorch 2.5.1