File size: 3,718 Bytes
cb625af 293b7e6 cb625af | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 | ---
license: apache-2.0
base_model: Qwen/Qwen3.5-0.8B
tags:
- cybersecurity
- web-attack-detection
- fine-tuned
- chain-of-thought
- http-payload
language:
- en
pipeline_tag: text-generation
---
# 🔐 DeepQ — Web Attack Classifier
A fine-tuned **Qwen3.5-0.8B** model that analyzes raw HTTP request payloads to detect web attacks. Given an HTTP request, the model reasons through the payload step by step and returns a structured JSON result identifying the attack type and the specific malicious syntax.
---
## How It Works
The model uses **chain-of-thought (CoT) reasoning** — before producing a final answer, it thinks through the request structure, anomaly signals, and attack patterns inside a `<think>` block. This reasoning is accessible via the OpenAI-compatible SDK using the `reasoning` field on the response message.
```
<think>
1. [Structure Analysis] GET request with query parameter 'id' containing user input
2. [Anomaly Detection] Single quote (') detected — attempting to break SQL string context
3. [Pattern Mapping] OR 1=1 is a tautology used to bypass authentication
4. [Evasion Technique] Double dash (--) comments out the rest of the original query
5. [Attack Classification] SQL Injection via GET parameter manipulation
</think>
{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
```
---
## Supported Attack Types
| Label | Description |
|---|---|
| `Normal` | Benign HTTP traffic |
| `SQL Injection` | SQL syntax injected into parameters |
| `Cross Site Scripting (XSS)` | Script injection via input fields or URLs |
| `Command Injection` | OS command injection via HTTP parameters |
| `Path Traversal` | Directory traversal using `../` patterns |
| `Forced Browsing` | Direct access to hidden or restricted paths |
| `Brute Force` | Repeated authentication attempts |
| `Cookie Manipulation` | Tampering with cookie values |
| `File Upload` | Malicious file upload attempts |
| `File Download` | Unauthorized file download attempts |
| `Host Discovery` | Network/host reconnaissance via HTTP |
---
## Usage
The model is served via a vLLM-compatible endpoint and accessed through the **OpenAI SDK**. Enable thinking mode via `chat_template_kwargs` to get the full CoT reasoning.
```python
import asyncio
from openai import AsyncOpenAI
client = AsyncOpenAI(
base_url="http://your-server:8000/v1",
api_key="EMPTY"
)
http_request = """GET /index.php?id=1' OR 1=1-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0"""
async def analyze(payload: str):
response = await client.chat.completions.create(
model="Qwen3.5-0.8B",
messages=[
{
"role": "system",
"content": "You are a cybersecurity analysis AI. Analyze the given HTTP payload and determine whether it contains an attack."
},
{
"role": "user",
"content": payload
}
],
max_tokens=2048,
temperature=0.0,
top_p=0.95,
presence_penalty=1.5,
extra_body={
"chat_template_kwargs": {"enable_thinking": True},
"top_k": 20,
"min_p": 0.0,
"repetition_penalty": 1.0,
},
)
content = response.choices[0].message.content # JSON result
reasoning = response.choices[0].message.reasoning # CoT process inside <think>
return content, reasoning
content, reasoning = asyncio.run(analyze(http_request))
print("Reasoning:\n", reasoning)
print("Result:\n", content)
```
### Output
```python
# reasoning → the full <think>...</think> process
# content → final JSON
{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
```
|