Upload README.md with huggingface_hub

README.md

@@ -1,3 +1,114 @@
----
-license: apache-2.0
----
+---
+license: apache-2.0
+base_model: Qwen/Qwen3.5-0.8B
+tags:
+- cybersecurity
+- web-attack-detection
+- fine-tuned
+- chain-of-thought
+- http-payload
+language:
+- en
+pipeline_tag: text-generation
+---
+
+# 🔐 Qwen3.5-0.8B — Web Attack Classifier
+
+A fine-tuned **Qwen3.5-0.8B** model that analyzes raw HTTP request payloads to detect web attacks. Given an HTTP request, the model reasons through the payload step by step and returns a structured JSON result identifying the attack type and the specific malicious syntax.
+
+---
+
+## How It Works
+
+The model uses **chain-of-thought (CoT) reasoning** — before producing a final answer, it thinks through the request structure, anomaly signals, and attack patterns inside a `<think>` block. This reasoning is accessible via the OpenAI-compatible SDK using the `reasoning` field on the response message.
+
+```
+<think>
+1. [Structure Analysis]   GET request with query parameter 'id' containing user input
+2. [Anomaly Detection]    Single quote (') detected — attempting to break SQL string context
+3. [Pattern Mapping]      OR 1=1 is a tautology used to bypass authentication
+4. [Evasion Technique]    Double dash (--) comments out the rest of the original query
+5. [Attack Classification] SQL Injection via GET parameter manipulation
+</think>
+{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
+```
+
+---
+
+## Supported Attack Types
+
+| Label | Description |
+|---|---|
+| `Normal` | Benign HTTP traffic |
+| `SQL Injection` | SQL syntax injected into parameters |
+| `Cross Site Scripting (XSS)` | Script injection via input fields or URLs |
+| `Command Injection` | OS command injection via HTTP parameters |
+| `Path Traversal` | Directory traversal using `../` patterns |
+| `Forced Browsing` | Direct access to hidden or restricted paths |
+| `Brute Force` | Repeated authentication attempts |
+| `Cookie Manipulation` | Tampering with cookie values |
+| `File Upload` | Malicious file upload attempts |
+| `File Download` | Unauthorized file download attempts |
+| `Host Discovery` | Network/host reconnaissance via HTTP |
+
+---
+
+## Usage
+
+The model is served via a vLLM-compatible endpoint and accessed through the **OpenAI SDK**. Enable thinking mode via `chat_template_kwargs` to get the full CoT reasoning.
+
+```python
+import asyncio
+from openai import AsyncOpenAI
+
+client = AsyncOpenAI(
+    base_url="http://your-server:8000/v1",
+    api_key="EMPTY"
+)
+
+http_request = """GET /index.php?id=1' OR 1=1-- HTTP/1.1
+Host: example.com
+User-Agent: Mozilla/5.0"""
+
+async def analyze(payload: str):
+    response = await client.chat.completions.create(
+        model="Qwen3.5-0.8B",
+        messages=[
+            {
+                "role": "system",
+                "content": "You are a cybersecurity analysis AI. Analyze the given HTTP payload and determine whether it contains an attack."
+            },
+            {
+                "role": "user",
+                "content": payload
+            }
+        ],
+        max_tokens=2048,
+        temperature=0.0,
+        top_p=0.95,
+        presence_penalty=1.5,
+        extra_body={
+            "chat_template_kwargs": {"enable_thinking": True},
+            "top_k": 20,
+            "min_p": 0.0,
+            "repetition_penalty": 1.0,
+        },
+    )
+
+    content  = response.choices[0].message.content       # JSON result
+    reasoning = response.choices[0].message.reasoning    # CoT process inside <think>
+
+    return content, reasoning
+
+content, reasoning = asyncio.run(analyze(http_request))
+print("Reasoning:\n", reasoning)
+print("Result:\n", content)
+```
+
+### Output
+
+```python
+# reasoning  →  the full <think>...</think> process
+# content    →  final JSON
+{"attack_type": "SQL Injection", "attack_syntax": "' OR 1=1--"}
+```