---
language:
- en
license: apache-2.0
tags:
- security
- cybersecurity
- http
- qwen2.5
- lora
- fine-tuned
base_model: Qwen/Qwen2.5-3B-Instruct
datasets:
- custom
model-index:
- name: qwen2.5-3b-security
  results:
  - task:
      type: text-classification
      name: HTTP Request Classification
    metrics:
    - type: accuracy
      value: 93.33
      name: Overall Accuracy
    - type: accuracy
      value: 86.7
      name: Malicious Detection
    - type: accuracy
      value: 100.0
      name: Benign Detection
---
# Qwen2.5-3B HTTP Security Classifier
## Model Description
This is a fine-tuned version of [Qwen/Qwen2.5-3B-Instruct](https://huggingface.co/Qwen/Qwen2.5-3B-Instruct) specialized for HTTP request security classification. The model detects 11 types of web attack and reaches 93.33% overall accuracy on a 30-case test suite.
## Model Details
- **Base Model:** Qwen/Qwen2.5-3B-Instruct
- **Fine-tuning Method:** LoRA (Low-Rank Adaptation)
- **Training Data:** 2,000+ labeled HTTP requests from 6 months of production traffic
- **Parameters:** 3B (59.8M trainable)
- **Quantization:** bfloat16
- **Context Length:** 1024 tokens
## Performance Metrics
### Test Suite Results
- **Overall Accuracy:** 93.33% (28/30 test cases)
- **Malicious Detection:** 86.7% (13/15)
- **Benign Detection:** 100% (15/15)
- **False Positives:** 0
- **False Negatives:** 2
- **Avg Inference Time:** 3.1s (CPU) / 150ms (GPU)
### Attack Types Detected
1. SQL Injection
2. XSS (Cross-Site Scripting)
3. Path Traversal
4. Command Injection
5. Information Disclosure
6. Reconnaissance
7. Authentication Attacks
8. Web Application Attacks
9. Protocol Attacks
10. Injection Attacks
11. Malware
## Intended Use
### Primary Use Cases
- Real-time HTTP request filtering
- WAF (Web Application Firewall) enhancement
- Security log analysis
- Attack pattern detection
- Threat intelligence
### Out of Scope
- Network-level attacks (DDoS, port scanning without HTTP context)
- Binary protocol analysis
- Encrypted traffic analysis (pre-decryption)
## Usage
### Quick Start
```python
from transformers import AutoTokenizer, AutoModelForCausalLM
import torch

model_path = "gachara/my-security-classifier"

# Load the fine-tuned model in bfloat16; device_map="auto" uses a GPU when one is available.
tokenizer = AutoTokenizer.from_pretrained(model_path)
model = AutoModelForCausalLM.from_pretrained(
    model_path,
    torch_dtype=torch.bfloat16,
    device_map="auto"
)

def classify_request(method, url, status, query, user_agent):
    # The prompt lines stay flush left so no indentation ends up inside the prompt text.
    input_text = f"""HTTP Request Analysis Required:
Method: {method}
URL: {url}
Status: {status}
Query: {query}
User-Agent: {user_agent}
Task: Determine if this request is malicious and identify the attack type."""

    messages = [
        {"role": "system", "content": "You are a senior cybersecurity analyst..."},
        {"role": "user", "content": input_text}
    ]
    text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)
    inputs = tokenizer([text], return_tensors="pt").to(model.device)
    outputs = model.generate(**inputs, max_new_tokens=512, temperature=0.1)
    # Decode only the newly generated tokens, not the echoed prompt.
    response = tokenizer.decode(outputs[0][len(inputs.input_ids[0]):], skip_special_tokens=True)
    return response

# Example
result = classify_request(
    "GET",
    "/admin/config.php",
    200,
    "id=1' OR '1'='1",
    "sqlmap/1.0"
)
print(result)
```
### Example Output
```
Classification: malicious
Confidence Score: 0.80
Attack Type: SQL_Injection
Analysis:
The request contains a classic SQL injection payload in the query parameter.
The pattern "' OR '1'='1" is a boolean-based blind SQL injection attempt
designed to bypass authentication or extract data. The user agent "sqlmap/1.0"
is a known automated SQL injection tool, further confirming malicious intent.
```
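The output above is free text, so a filter or log pipeline has to parse it before acting on it. The following is an added example, not part of the model author's code: `parse_verdict`, `KNOWN_ATTACK_TYPES` and the `"unparsed"` / `"unknown"` values are hypothetical names, and the label set contains only the label strings that appear on this card.

```python
import re

# Label strings that appear on this card (example output and attack
# distribution). Assumption: extend with the remaining labels your
# checkpoint emits; the card does not show them.
KNOWN_ATTACK_TYPES = {
    "SQL_Injection", "Command_Injection", "Path_Traversal",
    "Information_Disclosure", "Reconnaissance", "Authentication_Attack",
    "Web_Application_Attack", "Malware",
}
FIELD_RE = re.compile(
    r"^\s*(Classification|Confidence Score|Attack Type)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
UNPARSED = {"verdict": "unparsed", "confidence": None, "attack_type": None}

def parse_verdict(response):
    """Turn the model's free-text answer into a dict a filter can act on.

    Output that does not parse is returned as "unparsed" so the caller can
    send it to review instead of silently treating it as benign.
    """
    fields = {}
    for key, value in FIELD_RE.findall(response):
        # First occurrence wins: the Analysis text can echo request content,
        # so a later "Classification:" line must not override the header.
        fields.setdefault(key.lower(), value)
    verdict = fields.get("classification", "").lower()
    if verdict not in ("malicious", "benign"):
        return dict(UNPARSED)
    try:
        confidence = float(fields.get("confidence score", ""))
    except ValueError:
        confidence = None
    if confidence is not None and not 0.0 <= confidence <= 1.0:
        confidence = None  # out of range (or NaN): do not trust it
    attack = None
    if verdict == "malicious":
        attack = fields.get("attack type")
        if attack not in KNOWN_ATTACK_TYPES:
            attack = "unknown"
    return {"verdict": verdict, "confidence": confidence, "attack_type": attack}

# Constructed sample, copied from the example output on this card.
SAMPLE = """Classification: malicious
Confidence Score: 0.80
Attack Type: SQL_Injection
Analysis:
The request contains a classic SQL injection payload in the query parameter."""
```
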
## Training Details
### Training Data
- **Total Samples:** 2,000 (1,000 benign + 1,000 malicious)
- **Data Sources:** Production HTTP logs from web applications
- **Attack Distribution:**
  - Information_Disclosure: 37.9%
  - Command_Injection: 18.0%
  - Reconnaissance: 14.0%
  - Path_Traversal: 9.0%
  - Authentication_Attack: 7.6%
  - Web_Application_Attack: 5.5%
  - SQL_Injection: 5.4%
  - Malware: 1.7%
### Training Procedure
- **Framework:** LLaMA Factory
- **Method:** LoRA fine-tuning
- **LoRA Rank:** 32
- **LoRA Alpha:** 64
- **Epochs:** 3
- **Batch Size:** 32 (4 per device × 8 accumulation)
- **Learning Rate:** 2e-4
- **Warmup Ratio:** 0.1
- **Optimizer:** AdamW
- **Training Time:** ~35 minutes on single GPU
### Hardware
- **GPU:** NVIDIA A100 (40GB) / RTX 4090 (24GB)
- **Memory Usage:** ~18GB VRAM during training
## Limitations
### Known Issues
1. **Server-Side Template Injection (SSTI):** Model sometimes misclassifies legitimate template syntax as benign
2. **GraphQL Introspection:** May not detect GraphQL schema dumping attacks
3. **Obfuscated Payloads:** Performance degrades with heavily encoded attacks
4. **Context Length:** Limited to 1024 tokens (very long URLs may be truncated)
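Limitations 3 and 4 can be partly handled before the request reaches the model. The following is an added example, not part of the model author's code: it percent-decodes the query a bounded number of times and flags values that were nested-encoded or exceed a token budget. `normalize_query`, `prepare_for_model`, the flag names, the 5-round bound and the 512-token budget are all assumptions.

```python
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 5     # assumed bound on nested encoding
QUERY_TOKEN_BUDGET = 512  # assumed share of the 1024-token context

def normalize_query(query, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds, exhausted); exhausted is True when the value
    was still changing after max_rounds.
    """
    current = query
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds, False
        current = decoded
    return current, max_rounds, unquote(current) != current

def prepare_for_model(query, count_tokens, token_budget=QUERY_TOKEN_BUDGET):
    """Decode the query and collect flags the classifier cannot see itself.

    count_tokens is any callable returning a token count, for example
    lambda s: len(tokenizer(s).input_ids) with the Quick Start tokenizer.
    """
    decoded, rounds, exhausted = normalize_query(query)
    flags = []
    if rounds > 1:
        flags.append("multi_encoded")
    if exhausted:
        flags.append("decode_limit_reached")
    if count_tokens(decoded) > token_budget:
        flags.append("exceeds_token_budget")
    return {"query": decoded, "flags": flags}
```

Pass the decoded `query` to `classify_request` and keep the flags alongside the model's verdict, so a truncated or nested-encoded request is never recorded as a clean benign result.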
### Bias Considerations
- Training data primarily from English-language web applications
- May underperform on non-HTTP protocols
- Biased toward common attack patterns (rare attacks may be missed)
## Ethical Considerations
### Responsible Use
- ✅ Use for defensive security purposes
- ✅ Integrate as part of defense-in-depth strategy
- ✅ Monitor for false positives in production
- ❌ Do not use for offensive security without authorization
- ❌ Do not rely solely on this model for critical security decisions
### Privacy
- Model does not store or transmit data
- All inference happens locally
- No sensitive data was used in training (IPs/credentials removed)
## Citation
If you use this model in your research or production systems, please cite:
```bibtex
@misc{qwen25-3b-security,
author = {John gachara},
title = {Qwen2.5-3B HTTP Security Classifier},
year = {2024},
publisher = {HuggingFace},
url = {https://huggingface.co/gachara/my-security-classifier}
}
```
## License
This model is released under the Apache 2.0 license. The base model Qwen2.5-3B-Instruct is also Apache 2.0.
## Acknowledgments
- Base model: [Qwen Team](https://github.com/QwenLM/Qwen2.5)
- Fine-tuning framework: [LLaMA Factory](https://github.com/hiyouga/LLaMA-Factory)
- Training data: Collected from production web applications over 6 months
## Contact
---
**Model Version:** 1.0.0