---
language:
- en
license: apache-2.0
tags:
- security
- cybersecurity
- http
- qwen2.5
- lora
- fine-tuned
base_model: Qwen/Qwen2.5-3B-Instruct
datasets:
- custom
model-index:
- name: qwen2.5-3b-security
  results:
  - task:
      type: text-classification
      name: HTTP Request Classification
    metrics:
    - type: accuracy
      value: 93.33
      name: Overall Accuracy
    - type: accuracy
      value: 86.7
      name: Malicious Detection
    - type: accuracy
      value: 100.0
      name: Benign Detection
---

# Qwen2.5-3B HTTP Security Classifier

## Model Description

This is a fine-tuned version of [Qwen/Qwen2.5-3B-Instruct](https://huggingface.co/Qwen/Qwen2.5-3B-Instruct) specialized for HTTP request security classification. The model detects 11 types of web attacks and reaches 93.33% overall accuracy on the internal test suite below.

## Model Details

- **Base Model:** Qwen/Qwen2.5-3B-Instruct
- **Fine-tuning Method:** LoRA (Low-Rank Adaptation)
- **Training Data:** 2,000+ labeled HTTP requests from 6 months of production traffic
- **Parameters:** 3B total (59.8M trainable)
- **Precision:** bfloat16
- **Context Length:** 1024 tokens

## Performance Metrics

### Test Suite Results

- **Overall Accuracy:** 93.33% (28/30 test cases)
- **Malicious Detection:** 86.7% (13/15)
- **Benign Detection:** 100% (15/15)
- **False Positives:** 0
- **False Negatives:** 2
- **Avg Inference Time:** 3.1 s (CPU) / 150 ms (GPU)

### Attack Types Detected

1. SQL Injection
2. XSS (Cross-Site Scripting)
3. Path Traversal
4. Command Injection
5. Information Disclosure
6. Reconnaissance
7. Authentication Attacks
8. Web Application Attacks
9. Protocol Attacks
10. Injection Attacks
11. Malware

## Intended Use

### Primary Use Cases

- Real-time HTTP request filtering
- WAF (Web Application Firewall) enhancement
- Security log analysis
- Attack pattern detection
- Threat intelligence

### Out of Scope

- Network-level attacks (DDoS, port scanning without HTTP context)
- Binary protocol analysis
- Encrypted traffic analysis (pre-decryption)

## Usage

### Quick Start

```python
from transformers import AutoTokenizer, AutoModelForCausalLM
import torch

model_path = "gachara/my-security-classifier"
tokenizer = AutoTokenizer.from_pretrained(model_path)
model = AutoModelForCausalLM.from_pretrained(
    model_path,
    torch_dtype=torch.bfloat16,
    device_map="auto"
)

def classify_request(method, url, status, query, user_agent):
    input_text = f"""HTTP Request Analysis Required:
Method: {method}
URL: {url}
Status: {status}
Query: {query}
User-Agent: {user_agent}

Task: Determine if this request is malicious and identify the attack type."""

    messages = [
        {"role": "system", "content": "You are a senior cybersecurity analyst..."},
        {"role": "user", "content": input_text}
    ]

    text = tokenizer.apply_chat_template(messages, tokenize=False, add_generation_prompt=True)
    inputs = tokenizer([text], return_tensors="pt").to(model.device)
    # do_sample=True is required for temperature to take effect
    outputs = model.generate(**inputs, max_new_tokens=512, do_sample=True, temperature=0.1)
    # Decode only the newly generated tokens, not the prompt
    response = tokenizer.decode(outputs[0][len(inputs.input_ids[0]):], skip_special_tokens=True)
    return response

# Example
result = classify_request(
    "GET",
    "/admin/config.php",
    200,
    "id=1' OR '1'='1",
    "sqlmap/1.0"
)
print(result)
```

### Example Output

```
Classification: malicious
Confidence Score: 0.80
Attack Type: SQL_Injection

Analysis: The request contains a classic SQL injection payload in the query
parameter. The pattern "' OR '1'='1" is a boolean-based blind SQL injection
attempt designed to bypass authentication or extract data. The user agent
"sqlmap/1.0" is a known automated SQL injection tool, further confirming
malicious intent.
```
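For downstream filtering or logging, the free-text verdict above can be post-processed into structured fields. The sketch below is illustrative and not part of the model's API: `parse_verdict` is a hypothetical helper, and the field labels are assumed to match the example output format shown above.

```python
import re

def parse_verdict(text: str) -> dict:
    """Extract classification, confidence, and attack type from the
    model's free-text output. Hypothetical helper; field labels follow
    the example output above and may need adjusting for your prompts."""
    patterns = {
        "classification": r"Classification:\s*(\w+)",
        "confidence": r"Confidence Score:\s*([0-9.]+)",
        "attack_type": r"Attack Type:\s*([\w-]+)",
    }
    result = {}
    for key, pattern in patterns.items():
        match = re.search(pattern, text, re.IGNORECASE)
        result[key] = match.group(1) if match else None
    if result["confidence"] is not None:
        result["confidence"] = float(result["confidence"])
    return result

sample = """Classification: malicious
Confidence Score: 0.80
Attack Type: SQL_Injection
Analysis: The request contains a classic SQL injection payload..."""

print(parse_verdict(sample))
# {'classification': 'malicious', 'confidence': 0.8, 'attack_type': 'SQL_Injection'}
```

Because the model generates free text, any such parser should treat missing fields (all-`None` results) as a signal to fall back to manual review rather than silently defaulting to "benign".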
## Training Details

### Training Data

- **Total Samples:** 2,000 (1,000 benign + 1,000 malicious)
- **Data Sources:** Production HTTP logs from web applications
- **Attack Distribution:**
  - Information_Disclosure: 37.9%
  - Command_Injection: 18.0%
  - Reconnaissance: 14.0%
  - Path_Traversal: 9.0%
  - Authentication_Attack: 7.6%
  - Web_Application_Attack: 5.5%
  - SQL_Injection: 5.4%
  - Malware: 1.7%

### Training Procedure

- **Framework:** LLaMA Factory
- **Method:** LoRA fine-tuning
- **LoRA Rank:** 32
- **LoRA Alpha:** 64
- **Epochs:** 3
- **Batch Size:** 32 effective (4 per device × 8 gradient-accumulation steps)
- **Learning Rate:** 2e-4
- **Warmup Ratio:** 0.1
- **Optimizer:** AdamW
- **Training Time:** ~35 minutes on a single GPU

### Hardware

- **GPU:** NVIDIA A100 (40 GB) or RTX 4090 (24 GB)
- **Memory Usage:** ~18 GB VRAM during training

## Limitations

### Known Issues

1. **Server-Side Template Injection (SSTI):** The model sometimes fails to distinguish SSTI payloads from legitimate template syntax
2. **GraphQL Introspection:** May not detect GraphQL schema-dumping attacks
3. **Obfuscated Payloads:** Performance degrades on heavily encoded attacks
4. **Context Length:** Limited to 1024 tokens (very long URLs may be truncated)

### Bias Considerations

- Training data is primarily from English-language web applications
- May underperform on non-HTTP protocols
- Biased toward common attack patterns (rare attacks may be missed)

## Ethical Considerations

### Responsible Use

- ✅ Use for defensive security purposes
- ✅ Integrate as part of a defense-in-depth strategy
- ✅ Monitor for false positives in production
- ❌ Do not use for offensive security without authorization
- ❌ Do not rely solely on this model for critical security decisions

### Privacy

- The model does not store or transmit data
- All inference happens locally
- No sensitive data was used in training (IPs and credentials were removed)

## Citation

If you use this model in your research or production systems, please cite:

```bibtex
@misc{qwen25-3b-security,
  author = {John Gachara},
  title = {Qwen2.5-3B HTTP Security Classifier},
  year = {2024},
  publisher = {HuggingFace},
  url = {https://huggingface.co/gachara/my-security-classifier}
}
```

## License

This model is released under the Apache 2.0 license. The base model Qwen2.5-3B-Instruct is also Apache 2.0.

## Acknowledgments

- Base model: [Qwen Team](https://github.com/QwenLM/Qwen2.5)
- Fine-tuning framework: [LLaMA Factory](https://github.com/hiyouga/LLaMA-Factory)
- Training data: collected from production web applications over 6 months

## Contact

---

**Model Version:** 1.0.0
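## Appendix: Example Training Configuration

The LoRA hyperparameters listed under Training Details map onto a LLaMA Factory run configuration roughly like the one below. This is an illustrative sketch, not the actual file used for training: key names follow LLaMA Factory's published example SFT configs and may differ between versions, and the `dataset`, `template`, and `output_dir` values are assumptions.

```yaml
# Illustrative LLaMA Factory SFT config (assumed key names; verify against
# your LLaMA Factory version before use)
model_name_or_path: Qwen/Qwen2.5-3B-Instruct
stage: sft
do_train: true
finetuning_type: lora
lora_rank: 32
lora_alpha: 64
dataset: http_security          # assumed dataset name
template: qwen
cutoff_len: 1024
per_device_train_batch_size: 4  # effective batch size 32 with accumulation
gradient_accumulation_steps: 8
learning_rate: 2.0e-4
num_train_epochs: 3
warmup_ratio: 0.1
bf16: true
output_dir: saves/qwen2.5-3b-security  # assumed
```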