Hugging Face's logo

PHZane
/
TriCoAlign-0.5B

Text Generation
Safetensors
qwen2
intrusion-detection
cybersecurity
llm
qwen
tricoalign
reasoning-alignment
network-security
conversational
Model card Files
xet
 Community
TriCoAlign-0.5B / README.md
PHZane's picture
PHZane
Update README.md
4a7fd33 verified
preview code
|
raw
history blame contribute delete
5.78 kB
---
license: mit
datasets:
- Mireu-Lab/NSL-KDD
- svizor/UNSW-NB15
- mcdoniel/cicids2017
metrics:
- accuracy
- f1
- precision
- recall
base_model: Qwen/Qwen2.5-0.5B
pipeline_tag: text-generation
tags:
- intrusion-detection
- cybersecurity
- llm
- qwen
- tricoalign
- reasoning-alignment
- network-security
---
# TriCoAlign-0.5B: Stabilizing LLMs for Network Intrusion Detection
[![Hugging Face Model](https://img.shields.io/badge/Hugging%20Face-Model-blue)](https://huggingface.co/PHZane/TriCoAlign-0.5B)
[![GitHub Repo](https://img.shields.io/badge/GitHub-Code-black?logo=github)](https://github.com/Zaneph1/TriCoAlign)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)
## 📌 Model Overview
**TriCoAlign-0.5B** is a specialized Large Language Model fine-tuned from **Qwen2.5-0.5B** for **Network Intrusion Detection (NIDS)**. It implements the **TriCoAlign** framework proposed.
Standard LLMs often suffer from **unstable reasoning behaviors** and **inconsistent decision outcomes** when analyzing network traffic (e.g., producing different labels for the same packet upon repeated inference). TriCoAlign addresses this by jointly aligning three complementary aspects in a cyclic manner:
1. **Format Alignment**: Enforces a structured `Question–Reasoning–Answer` output to decouple semantic roles.
2. **Thinking Alignment**: Uses reasoning summarization to suppress noisy trajectories and focus on security-critical features.
3. **Answer Alignment**: Constrains the decision space to ensure discriminative and consistent predictions.
This model transforms powerful but unstable LLM reasoning into reliable, deployable intrusion detection decisions.
## 🚀 Key Features
- **🛡️ Enhanced Stability**: Mitigates "over-thinking" and prediction inconsistency common in raw LLMs.
- **🔄 Cyclic Optimization**: Trained with a unified loss function to align format, reasoning, and answers simultaneously.
- **📊 SOTA Performance**: Significantly outperforms vanilla LLMs (Qwen2.5, GLM-4, ChatGPT-OSS) and traditional ML models on benchmarks like **NSL-KDD**, **CIC-IDS**, and **UNSW-NB15**.
- **🧠 Interpretable Reasoning**: Generates concise, security-focused reasoning traces rather than redundant chains of thought.
- **⚡ Lightweight**: Based on the efficient 1.5B parameter architecture, suitable for resource-constrained environments.
## 📈 Performance Highlights
Evaluated on standard NIDS benchmarks, TriCoAlign demonstrates superior accuracy and stability compared to baselines.
*> Note: Baseline numbers reflect the instability of raw LLMs as reported in the TriCoAlign paper. Our 0.5B variant maintains comparable robustness with lower computational cost.*
## 💻 How to Use
### Expected Input
```text
question: 你是一名网络安全师,这是一段关于网络接口的参数,请分析一下以下参数是什么情况?duration的值是0,protocol_type的值是tcp,service的值是http,flag的值是SF,src_bytes的值是54540,dst_bytes的值是8314,land的值是0,wrong_fragment的值是0,urgent的值是0,hot的值是2,num_failed_logins的值是0,logged_in的值是1,num_compromised的值是1,root_shell的值是0,su_attempted的值是0,num_root的值是0,num_file_creations的值是0,num_shells的值是0,num_access_files的值是0,num_outbound_cmds的值是0,is_host_login的值是0,is_guest_login的值是0,count的值是4,srv_count的值是24,serror_rate的值是0,srv_serror_rate的值是0,rerror_rate的值是0,srv_rerror_rate的值是0,same_srv_rate的值是1,diff_srv_rate的值是0,srv_diff_host_rate的值是0.08,dst_host_count的值是255,dst_host_srv_count的值是250,dst_host_same_srv_rate的值是0.98,dst_host_diff_srv_rate的值是0.01,dst_host_same_src_port_rate的值是0,dst_host_srv_diff_host_rate的值是0,dst_host_serror_rate的值是0,dst_host_srv_serror_rate的值是0,dst_host_rerror_rate的值是0.06,dst_host_srv_rerror_rate的值是0.06,
```
### Expected Output
```text
Reasoning: logged_in=1表明已成功登录,num_compromised=1显示账户被入侵,hot=2及低错误率参数支持back攻击特征。
Answer: back
```
## 🔬 Methodology: TriCoAlign Framework
The model is trained using a **Cyclic Alignment Strategy** that minimizes the joint loss:
$$ \mathcal{L} = \alpha\mathcal{L}_{format} + \beta\mathcal{L}_{thinking} + \delta\mathcal{L}_{answer} $$
1. **Format Alignment**: Penalizes deviations from the `Question->Reasoning->Answer` template.
2. **Thinking Alignment**: Aligns internal reasoning states with high-quality, summarized supervisory signals (generated by stronger teacher models like GLM-4/Qwen-7B during training) to remove noise.
3. **Answer Alignment**: Ensures the final prediction distribution is sharp and matches ground truth labels.
This approach effectively reduces the covariance between reasoning noise and decision errors, leading to stable inference.
## 📚 Datasets & Training
- **Base Model**: [Qwen/Qwen2.5-0.5B](https://huggingface.co/Qwen/Qwen2.5-0.5B)
- **Training Data**: Processed versions of [NSL-KDD](https://huggingface.co/datasets/Mireu-Lab/NSL-KDD), [CIC-IDS2017](https://huggingface.co/datasets/mcdoniel/cicids2017), and [UNSW-NB15](https://huggingface.co/datasets/svizor/UNSW-NB15).
- **Preprocessing**: Raw tabular network flows are converted into semantic natural language prompts via the PCF (Prompt Cast Framework) pipeline before alignment training.
## 🔗 Resources
- **💻 Code & Reproduction**: Full training scripts, data preprocessing tools, and evaluation benchmarks are available at:
 👉 [https://github.com/Zaneph1/TriCoAlign](https://github.com/Zaneph1/TriCoAlign)
## 📄 License
This model is released under the **MIT License**.