Upload Glaurung Small 001 - RoBERTa model for binary analysis

README.md

@@ -0,0 +1,297 @@
+# Glaurung Small 001
+
+A RoBERTa-based masked language model trained on binary executable files for security research and binary analysis.
+
+## Overview
+
+**Glaurung Small 001** is a transformer model specifically designed for understanding binary executable files. It uses a custom BPE (Byte Pair Encoding) tokenizer trained on multi-byte patterns from various binary formats across multiple architectures (x86-64, ARM64, etc.) and operating systems (Linux, Alpine, Ubuntu, Debian, Rocky).
+
+### Key Features
+- **Custom Binary Tokenizer**: BPE tokenizer that creates efficient multi-byte tokens from binary data
+- **Binary-Aware**: Trained on actual executable files, not hex strings
+- **Multi-Architecture**: Understands patterns from various CPU architectures and file formats
+- **Latin-1 Encoding**: Preserves all byte values (0-255) without loss
+
+## Model Details
+
+- **Architecture**: RoBERTa for Masked Language Modeling
+- **Hidden Size**: 768
+- **Layers**: 12
+- **Attention Heads**: 12
+- **Vocabulary Size**: 65,536 tokens
+- **Max Position Embeddings**: 520
+- **Special Tokens**:
+  - `<|start|>` (0): Beginning of sequence
+  - `<|end|>` (1): End token  
+  - `<|sep|>` (2): Separator/EOS
+  - `<|cls|>` (3): Classification token
+  - `<|pad|>` (4): Padding
+  - `<|mask|>` (5): Mask token for MLM
+  - `<|unk|>` (6): Unknown token
+
+## Installation & Loading
+
+```python
+from transformers import AutoTokenizer, AutoModelForMaskedLM, AutoModel, pipeline
+
+# Method 1: Load with pipeline for fill-mask tasks
+fill_mask = pipeline('fill-mask', model='models/glaurung-small-001/', device=-1)
+
+# Method 2: Load model and tokenizer directly for fill-mask
+model = AutoModelForMaskedLM.from_pretrained('models/glaurung-small-001/')
+tokenizer = AutoTokenizer.from_pretrained('models/glaurung-small-001/')
+
+# Method 3: Load base model for feature extraction/embeddings
+model_base = AutoModel.from_pretrained('models/glaurung-small-001/')
+```
+
+## Usage Guide
+
+### 1. Loading Binary Data (Critical!)
+
+Binary files MUST be read as bytes and converted to latin-1 encoding:
+
+```python
+# CORRECT: Read as bytes, decode with latin-1
+with open('/usr/bin/ls', 'rb') as f:
+    binary_data = f.read()  # Read first 512 bytes or as needed
+    text = binary_data.decode('latin-1', errors='ignore')
+
+# WRONG: Never use hex strings or other encodings
+# hex_string = "7f454c46..."  # ❌ Will not work
+# utf8_text = binary_data.decode('utf-8')  # ❌ Will lose bytes
+```
+
+### 2. Understanding the BPE Tokenizer
+
+The tokenizer creates multi-byte tokens from common binary patterns:
+
+```python
+from transformers import AutoTokenizer
+
+tokenizer = AutoTokenizer.from_pretrained('models/glaurung-small-001/')
+
+# Example: ELF header tokenization
+elf_header = b'\x7fELF\x02\x01\x01\x00'
+text = elf_header.decode('latin-1')
+
+tokens = tokenizer(text, return_tensors='pt')
+token_ids = tokens['input_ids'][0].tolist()
+
+# Decode tokens individually to see multi-byte patterns
+for token_id in token_ids[1:5]:  # Skip special tokens
+    decoded = tokenizer.decode([token_id], skip_special_tokens=True)
+    print(f"Token {token_id}: {repr(decoded)}")
+
+# Output:
+# Token 45689: '\x7fEL'    # ELF magic compressed to one token!
+# Token 3665:  'F\x02'     # Format byte + 64-bit flag
+# Token 458:   '\x01\x01'  # Little-endian + version
+# Token 600:   '\x00\x00\x00\x00\x00\x00\x00\x00\x00'  # Padding
+```
+
+### 3. Fill-Mask Task (Token-Level Prediction)
+
+**Important**: Masking works at the TOKEN level, not byte level!
+
+```python
+from transformers import AutoTokenizer, AutoModelForMaskedLM
+import torch
+
+model = AutoModelForMaskedLM.from_pretrained('models/glaurung-small-001/')
+tokenizer = AutoTokenizer.from_pretrained('models/glaurung-small-001/')
+
+# Read binary file
+with open('/usr/bin/ls', 'rb') as f:
+    binary_data = f.read(512)
+    text = binary_data.decode('latin-1', errors='ignore')
+
+# Tokenize
+tokens = tokenizer(text, return_tensors='pt')
+token_ids = tokens['input_ids'][0].tolist()
+
+# Mask the second token (first content token after <|start|>)
+masked_ids = token_ids.copy()
+original_token = masked_ids[1]  # Save original
+masked_ids[1] = tokenizer.mask_token_id
+
+# Prepare input
+tokens_masked = {
+    'input_ids': torch.tensor([masked_ids]), 
+    'attention_mask': torch.tensor([[1]*len(masked_ids)])
+}
+
+# Predict
+with torch.no_grad():
+    outputs = model(**tokens_masked)
+    predictions = outputs.logits[0, 1].softmax(dim=-1)
+    top5 = predictions.topk(5)
+
+# Show results
+print(f"Original: {repr(tokenizer.decode([original_token]))}")
+for score, token_id in zip(top5.values, top5.indices):
+    token_text = tokenizer.decode([token_id.item()], skip_special_tokens=True)
+    print(f"Predicted: {repr(token_text)} (confidence: {score:.2%})")
+
+# Example output:
+# Original: '\x7fEL'
+# Predicted: '\x7fEL' (confidence: 79.07%)  ✓ Correct!
+# Predicted: '\x00\x00\x00\x00\x00\x00\x00\x00' (confidence: 13.62%)
+```
+
+### 4. Using Pipeline for Fill-Mask
+
+The pipeline handles tokenization automatically but requires understanding multi-byte tokens:
+
+```python
+from transformers import pipeline
+
+# Load pipeline
+fill_mask = pipeline('fill-mask', model='models/glaurung-small-001/', device=-1)
+
+# Read binary
+with open('/usr/bin/ls', 'rb') as f:
+    binary_data = f.read(100)
+    text = binary_data.decode('latin-1', errors='ignore')
+
+# Create masked input at token boundaries
+# First, tokenize to understand token boundaries
+tokenizer = fill_mask.tokenizer
+tokens = tokenizer(text)
+decoded_tokens = [tokenizer.decode([tid], skip_special_tokens=True) for tid in tokens['input_ids']]
+
+# Reconstruct with mask at token boundary
+masked_text = ''.join([
+    decoded_tokens[0],  # <|start|> 
+    fill_mask.tokenizer.mask_token,  # Mask the ELF magic
+    ''.join(decoded_tokens[2:])  # Rest of tokens
+])
+
+# Predict
+predictions = fill_mask(masked_text, top_k=3)
+for pred in predictions:
+    print(f"{repr(pred['token_str'])}: {pred['score']:.2%}")
+```
+
+### 5. Feature Extraction & Embedding Similarity
+
+Compare binary files by their learned embeddings:
+
+```python
+from transformers import AutoTokenizer, AutoModel
+import torch
+import torch.nn.functional as F
+from pathlib import Path
+
+# Load for embeddings (not MaskedLM)
+tokenizer = AutoTokenizer.from_pretrained('models/glaurung-small-001/')
+model = AutoModel.from_pretrained('models/glaurung-small-001/')
+model.eval()
+
+def get_binary_embedding(file_path, max_bytes=512):
+    """Extract embedding for a binary file using mean pooling"""
+    with open(file_path, 'rb') as f:
+        binary_data = f.read(max_bytes)
+        text = binary_data.decode('latin-1', errors='ignore')
+    
+    # Tokenize
+    tokens = tokenizer(text, return_tensors='pt', 
+                      padding=True, truncation=True, max_length=512)
+    
+    # Get embeddings with mean pooling
+    with torch.no_grad():
+        outputs = model(**tokens)
+        # Mean pooling (better than CLS token for this model)
+        attention_mask = tokens['attention_mask']
+        hidden_states = outputs.last_hidden_state
+        
+        # Mask padding tokens
+        mask_expanded = attention_mask.unsqueeze(-1).expand(hidden_states.size()).float()
+        sum_embeddings = torch.sum(hidden_states * mask_expanded, dim=1)
+        sum_mask = torch.clamp(mask_expanded.sum(dim=1), min=1e-9)
+        embedding = sum_embeddings / sum_mask
+    
+    return embedding
+
+# Compare multiple binaries
+files = ['/usr/bin/ls', '/usr/bin/cat', '/usr/bin/echo', '/etc/passwd']
+embeddings = {}
+
+for file_path in files:
+    if Path(file_path).exists():
+        name = Path(file_path).name
+        embeddings[name] = get_binary_embedding(file_path)
+        
+# Calculate similarities
+print("Cosine Similarity Matrix:")
+names = list(embeddings.keys())
+for name1 in names:
+    similarities = []
+    for name2 in names:
+        sim = F.cosine_similarity(embeddings[name1], embeddings[name2], dim=-1).item()
+        similarities.append(f"{sim:.3f}")
+    print(f"{name1:10s}: {' '.join(similarities)}")
+
+# Expected output:
+# ELF executables (ls, cat, echo) will have high similarity (0.85-0.95)
+# Text file (passwd) will have low similarity (0.25-0.30) to ELF files
+```
+
+## Real-World Example: ELF Header Analysis
+
+```python
+# Analyze ELF executable structure
+with open('/usr/bin/ls', 'rb') as f:
+    binary_data = f.read(64)
+
+print(f"Raw bytes (hex): {binary_data[:16].hex()}")
+# Output: 7f454c46020101000000000000000000
+
+# Convert to latin-1 for model
+text = binary_data.decode('latin-1', errors='ignore')
+
+# Tokenize to see learned patterns
+tokens = tokenizer(text, return_tensors='pt')
+token_ids = tokens['input_ids'][0].tolist()
+
+# Model recognizes these multi-byte patterns:
+# Token 45689: '\x7fEL'  - ELF magic number
+# Token 3665:  'F\x02'   - 'F' + 64-bit flag  
+# Token 458:   '\x01\x01' - Little-endian + ELF version
+# Token 600:   '\x00\x00\x00\x00\x00\x00\x00\x00\x00' - Padding bytes
+
+# Test model's understanding by masking
+for position in [1, 2, 3]:  # Test first 3 content tokens
+    masked_ids = token_ids.copy()
+    masked_ids[position] = tokenizer.mask_token_id
+    
+    # Model correctly predicts with high confidence:
+    # Position 1: '\x7fEL' with 79% confidence
+    # Position 2: 'F\x02' with 98% confidence  
+    # Position 3: '\x01\x01' with 89% confidence
+```
+
+## Training Details
+
+- **MLM Objective**: 20% masking probability
+- **Training Data**: Binary executables from various architectures
+- **Optimization**: AdamW with warmup, dropout 0.01
+- **Special Design**: Increased position embeddings (520) to handle RoBERTa's position offset
+
+## Limitations
+
+- Maximum sequence length: 512 tokens
+- Optimized for executable files (ELF, PE, Mach-O)
+- Mean pooling recommended for embeddings (pooler layer not specifically trained)
+
+## Citation
+
+If using this model in research:
+```
+@software{glaurung-small-001,
+  title = {Glaurung Small 001: Binary Analysis Transformer},
+  author = {Glaurung Project},
+  year = {2024},
+  url = {https://github.com/mjbommar/glaurung-models}
+}
+```

config.json

@@ -0,0 +1,26 @@
+{
+  "architectures": [
+    "RobertaForMaskedLM"
+  ],
+  "attention_probs_dropout_prob": 0.01,
+  "bos_token_id": 0,
+  "classifier_dropout": null,
+  "dtype": "float32",
+  "eos_token_id": 2,
+  "hidden_act": "gelu",
+  "hidden_dropout_prob": 0.01,
+  "hidden_size": 768,
+  "initializer_range": 0.02,
+  "intermediate_size": 3072,
+  "layer_norm_eps": 1e-12,
+  "max_position_embeddings": 520,
+  "model_type": "roberta",
+  "num_attention_heads": 12,
+  "num_hidden_layers": 12,
+  "pad_token_id": 4,
+  "position_embedding_type": "absolute",
+  "transformers_version": "4.56.1",
+  "type_vocab_size": 1,
+  "use_cache": true,
+  "vocab_size": 65536
+}

model.safetensors

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b0cbba5fe50e87b04ba1b6616589ce5ee815a80d3842ad02d6d5a915b953c1ce
+size 545805976

special_tokens_map.json

@@ -0,0 +1,9 @@
+{
+  "bos_token": "<|start|>",
+  "eos_token": "<|sep|>",
+  "sep_token": "<|sep|>",
+  "cls_token": "<|cls|>",
+  "unk_token": "<|unk|>",
+  "pad_token": "<|pad|>",
+  "mask_token": "<|mask|>"
+}

tokenizer_config.json

@@ -0,0 +1,15 @@
+{
+  "tokenizer_class": "PreTrainedTokenizerFast",
+  "model_max_length": 512,
+  "padding_side": "right",
+  "truncation_side": "right",
+  "clean_up_tokenization_spaces": false,
+  "bos_token": "<|start|>",
+  "eos_token": "<|sep|>",
+  "sep_token": "<|sep|>",
+  "cls_token": "<|cls|>",
+  "unk_token": "<|unk|>",
+  "pad_token": "<|pad|>",
+  "mask_token": "<|mask|>",
+  "add_prefix_space": false
+}