Restore complete model card from commit 69fc49b

3c42913 verified 22 days ago

7.2 kB

	---
	{}
	---

	# Gemma-2-2B-IT-CyberAgent

	## Model Description

	This is a fine-tuned version of google/gemma-2-2b-it, optimized for on-device cybersecurity applications for mobile devices. Unlike standard chatbots, this model is trained to output structured JSON actions (e.g., `scan_url`, `isolate_network`) that can be executed by an Android app or Edge AI Service.

	The model has been adapted using Supervised Fine-Tuning (SFT) and DPO (Direct Preference Optimization) with LoRA (Low-Rank Adaptation) techniques to maintain high performance while remaining efficient for mobile and edge devices.

	## Key Technologies

	- Unsloth: Used for ultra-fast, memory-efficient fine-tuning (2x faster, 70% less memory)
	- LiteRT (formerly TFLite): Model format compatible with Google AI Edge Gallery for on-device inference
	- LoRA (Low-Rank Adaptation): Parameter-efficient fine-tuning to keep the model lightweight

	## Model Details

	- Base Model: google/gemma-2-2b-it
	- Model Size: 2 billion parameters (~2GB)
	- Model Type: Causal Language Model (Gemma2ForCausalLM)
	- Fine-tuning Method: LoRA + SFT + DPO
	- Optimization: Mobile-first deployment
	- Precision: bfloat16 / 4-bit quantization
	- Context Length: 2048 tokens (training) / 8192 tokens (max)
	- Hardware Requirements: GPU (L4/T4 recommended for training)

	## Training

	This model was fine-tuned with the following techniques:

	### Supervised Fine-Tuning (SFT)

	- Training Steps: 600 steps
	- Dataset: Custom cybersecurity dataset with 2000+ threat examples
	- Focus: Task-specific instruction tuning for security actions
	- Learning Rate: 5e-5 (stable convergence)
	- Batch Size: 2 with gradient accumulation (4 steps)

	### DPO Training (Refining the Agent)

	- Training Steps: 150 steps
	- Purpose: Refine model responses for better alignment
	- Technique: Direct Preference Optimization

	### Data Preparation

	- Clean synthetic dataset with EOS tokens
	- Hard negatives for improved discrimination
	- Structured JSON output format training

	## Available Security Actions

	The model can output these security actions:

	- `scan_url(url)`: Check a link for phishing
	- `kill_process(pid)`: Stop a suspicious app
	- `isolate_network()`: Cut off internet access
	- `ignore()`: No threat detected

	## Input/Output Format

	Input: Natural language threat description

	Output: JSON action block

	```json
	{
	"thought": "Suspicious URL detected",
	"action": "scan_url",
	"params": {"url": "bit.ly/malware-site"}
	}
	```

	## Implementation Workflow

	This model outputs JSON action blocks that your application must parse and execute. Here's the complete workflow:

	### 1. Model Generates JSON Instructions

	When you send user input to the model (e.g., "Check this suspicious link: bit.ly/malware-site"), it analyzes the threat and outputs structured JSON:

	```json
	{
	"thought": "Suspicious URL detected",
	"action": "scan_url",
	"params": {"url": "bit.ly/malware-site"}
	}
	```

	### 2. Application Parses JSON

	Your Android app or Edge AI Service must:
	- Parse the JSON response from the model
	- Extract the `action` field to determine what security action to take
	- Extract the `params` object to get necessary parameters (URL, process ID, etc.)
	- Extract the `thought` field for logging/debugging

	### 3. Execute Security Actions

	Based on the action specified, your application implements the actual security function:

	- `scan_url(url)`: Integrate with a URL scanning service (e.g., Google Safe Browsing API, VirusTotal) to check if the link is malicious
	- `kill_process(pid)`: Use Android's `ActivityManager` or system APIs to terminate the suspicious application process
	- `isolate_network()`: Disable network connectivity using `ConnectivityManager` or firewall APIs to prevent data exfiltration
	- `ignore()`: No action needed - log the event and continue normal operation

	Important: The model does NOT perform these actions itself. It only generates the instructions. Your application must implement the actual security mechanisms.

	## Usage

	### Python

	```python
	from transformers import AutoTokenizer, AutoModelForCausalLM
	import torch

	model_id = "jprtr/gemma-2-2b-it-CyberAgent"

	tokenizer = AutoTokenizer.from_pretrained(model_id)
	model = AutoModelForCausalLM.from_pretrained(
	model_id,
	device_map="auto",
	torch_dtype=torch.bfloat16,
	)

	# Security agent prompt
	agent_prompt = """You are an autonomous security agent on a Pixel device.
	Analyze the user's input. If a threat is detected, output a JSON action block.
	Available Actions:
	- scan_url(url): Check a link for phishing.
	- kill_process(pid): Stop a suspicious app.
	- isolate_network(): Cut off internet access.
	- ignore(): No threat found.

	### Instruction:
	{}
	### Input:
	{}
	### Response:
	{}"""

	input_text = "Check this suspicious link: bit.ly/malware-site"
	prompt = agent_prompt.format(input_text, "", "")

	inputs = tokenizer([prompt], return_tensors="pt").to("cuda")
	outputs = model.generate(**inputs, max_new_tokens=128, use_cache=True)
	response = tokenizer.batch_decode(outputs)[0].split("### Response:")[1].strip()
	print(response)
	```

	## Training Notebook

	The complete training pipeline is available on GitHub:

	- Repository: [cyber-agent-gemma-2-2b-mobile](https://github.com/jprtr/cyber-agent-gemma-2-2b-mobile)
	- Notebook: Production-ready Google Colab notebook with full training workflow
	- Open in Colab: [![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://github.com/jprtr/cyber-agent-gemma-2-2b-mobile/blob/main/Gemma_2_2B_Cybersecurity_Agent_Mobile.ipynb)

	## Intended Use

	- Mobile and edge device cybersecurity
	- On-device AI security applications
	- Autonomous threat detection and response
	- Resource-constrained environments
	- Android security agents
	- Privacy-focused local inference

	## Performance

	- Training Time: ~1-2 hours on L4 GPU
	- Model Size: ~2GB (suitable for modern Android devices with 6GB+ RAM)
	- Inference Speed: Optimized for on-device execution
	- Memory Efficiency: 70% less memory usage with Unsloth optimization

	## Limitations

	- This model inherits the limitations of the base Gemma 2-2B model
	- Optimized for mobile deployment, performance may vary on different hardware
	- As with all language models, outputs should be verified for accuracy
	- AI Edge Torch conversion had compatibility issues - use PyTorch Mobile or ONNX Runtime instead
	- Trained specifically for cybersecurity actions - not a general-purpose chatbot

	## Deployment Options

	1. PyTorch Mobile (recommended for Android)
	2. ONNX Runtime Mobile
	3. TensorFlow Lite (via ONNX conversion)

	## Citation

	If you use this model, please cite both the original Gemma model and this fine-tuned version:

	```bibtex
	@misc{gemma-2-2b-it-cyberagent,
	author = {CyberAgent},
	title = {Gemma-2-2B-IT-CyberAgent: Mobile Cybersecurity Agent},
	year = {2025},
	publisher = {HuggingFace},
	url = {https://huggingface.co/jprtr/gemma-2-2b-it-CyberAgent}
	}
	```

	## License

	This model is released under the Gemma license. See the [Gemma Terms of Use](https://ai.google.dev/gemma/terms) for more details.