README.md

---
license: apache-2.0
base_model: Qwen/Qwen3.5-0.8B
tags:
- cybersecurity
- web-attack-detection
- fine-tuned
- chain-of-thought
- http-payload
language:
- en
pipeline_tag: text-generation
---

# 🔐 DeepQ — Web Attack Classifier

A fine-tuned **Qwen3.5-0.8B** model that analyzes raw HTTP request payloads to detect web attacks. Given an HTTP request, the model reasons through the payload step by step and returns a structured JSON result identifying the attack type and the specific malicious syntax.

---

## How It Works

The model uses **chain-of-thought (CoT) reasoning** — before producing a final answer, it thinks through the request structure, anomaly signals, and attack patterns inside a `<think>` block. This reasoning is accessible via the OpenAI-compatible SDK using the `reasoning` field on the response message.

```
<think>
1. [Structure Analysis]   GET request with query parameter 'id' containing user input
2. [Anomaly Detection]    Single quote (') detected — attempting to break SQL string context
3. [Pattern Mapping]      OR 1=1 is a tautology used to bypass authentication
4. [Evasion Technique]    Double dash (--) comments out the rest of the original query
5. [Attack Classification] SQL Injection via GET parameter manipulation
</think>
{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
```

---

## Supported Attack Types

| Label | Description |
|---|---|
| `Normal` | Benign HTTP traffic |
| `SQL Injection` | SQL syntax injected into parameters |
| `Cross Site Scripting (XSS)` | Script injection via input fields or URLs |
| `Command Injection` | OS command injection via HTTP parameters |
| `Path Traversal` | Directory traversal using `../` patterns |
| `Forced Browsing` | Direct access to hidden or restricted paths |
| `Brute Force` | Repeated authentication attempts |
| `Cookie Manipulation` | Tampering with cookie values |
| `File Upload` | Malicious file upload attempts |
| `File Download` | Unauthorized file download attempts |
| `Host Discovery` | Network/host reconnaissance via HTTP |

---

## Usage

The model is served via a vLLM-compatible endpoint and accessed through the **OpenAI SDK**. Enable thinking mode via `chat_template_kwargs` to get the full CoT reasoning.

```python
import asyncio
from openai import AsyncOpenAI

client = AsyncOpenAI(
    base_url="http://your-server:8000/v1",
    api_key="EMPTY"
)

http_request = """GET /index.php?id=1' OR 1=1-- HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0"""

async def analyze(payload: str):
    response = await client.chat.completions.create(
        model="Qwen3.5-0.8B",
        messages=[
            {
                "role": "system",
                "content": "You are a cybersecurity analysis AI. Analyze the given HTTP payload and determine whether it contains an attack."
            },
            {
                "role": "user",
                "content": payload
            }
        ],
        max_tokens=2048,
        temperature=0.0,
        top_p=0.95,
        presence_penalty=1.5,
        extra_body={
            "chat_template_kwargs": {"enable_thinking": True},
            "top_k": 20,
            "min_p": 0.0,
            "repetition_penalty": 1.0,
        },
    )

    content  = response.choices[0].message.content       # JSON result
    reasoning = response.choices[0].message.reasoning    # CoT process inside <think>

    return content, reasoning

content, reasoning = asyncio.run(analyze(http_request))
print("Reasoning:\n", reasoning)
print("Result:\n", content)
```

### Output

```python
# reasoning  →  the full <think>...</think> process
# content    →  final JSON
{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
```