ramitha2002 commited on
Commit
908e92d
·
verified ·
1 Parent(s): b5d5dbd

Update readme

Browse files
Files changed (1) hide show
  1. README.md +167 -92
README.md CHANGED
@@ -6,154 +6,226 @@ tags:
6
  - base_model:adapter:fdtn-ai/Foundation-Sec-8B-Instruct
7
  - lora
8
  - transformers
 
 
 
9
  ---
10
 
11
  # Model Card for Model ID
12
 
13
- <!-- Provide a quick summary of what the model is/does. -->
14
-
15
 
16
 
17
  ## Model Details
18
 
19
  ### Model Description
20
 
21
- <!-- Provide a longer summary of what this model is. -->
22
 
 
 
 
 
 
 
 
23
 
 
24
 
25
- - **Developed by:** [More Information Needed]
26
- - **Funded by [optional]:** [More Information Needed]
27
- - **Shared by [optional]:** [More Information Needed]
28
- - **Model type:** [More Information Needed]
29
- - **Language(s) (NLP):** [More Information Needed]
30
- - **License:** [More Information Needed]
31
- - **Finetuned from model [optional]:** [More Information Needed]
32
 
33
- ### Model Sources [optional]
34
 
35
- <!-- Provide the basic links for the model. -->
36
 
37
- - **Repository:** [More Information Needed]
38
- - **Paper [optional]:** [More Information Needed]
39
- - **Demo [optional]:** [More Information Needed]
40
 
41
  ## Uses
42
 
43
- <!-- Address questions around how the model is intended to be used, including the foreseeable users of the model and those affected by the model. -->
44
-
45
  ### Direct Use
46
 
47
- <!-- This section is for the model use without fine-tuning or plugging into a larger ecosystem/app. -->
48
 
49
- [More Information Needed]
 
 
 
50
 
51
- ### Downstream Use [optional]
52
 
53
- <!-- This section is for the model use when fine-tuned for a task, or when plugged into a larger ecosystem/app -->
54
 
55
- [More Information Needed]
 
 
 
56
 
57
  ### Out-of-Scope Use
58
 
59
- <!-- This section addresses misuse, malicious use, and uses that the model will not work well for. -->
60
 
61
- [More Information Needed]
 
 
 
62
 
63
  ## Bias, Risks, and Limitations
64
 
65
- <!-- This section is meant to convey both technical and sociotechnical limitations. -->
66
-
67
- [More Information Needed]
68
 
69
  ### Recommendations
70
 
71
- <!-- This section is meant to convey recommendations with respect to the bias, risk, and technical limitations. -->
72
-
73
- Users (both direct and downstream) should be made aware of the risks, biases and limitations of the model. More information needed for further recommendations.
74
 
75
  ## How to Get Started with the Model
76
 
77
  Use the code below to get started with the model.
78
 
79
- [More Information Needed]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
80
 
81
  ## Training Details
82
 
83
  ### Training Data
84
 
85
- <!-- This should link to a Dataset Card, perhaps with a short stub of information on what the training data is all about as well as documentation related to data pre-processing or additional filtering. -->
86
 
87
- [More Information Needed]
88
 
89
- ### Training Procedure
 
90
 
91
- <!-- This relates heavily to the Technical Specifications. Content here should link to that section when it is relevant to the training procedure. -->
92
 
93
- #### Preprocessing [optional]
94
-
95
- [More Information Needed]
96
 
 
97
 
98
  #### Training Hyperparameters
99
 
100
- - **Training regime:** [More Information Needed] <!--fp32, fp16 mixed precision, bf16 mixed precision, bf16 non-mixed precision, fp16 non-mixed precision, fp8 mixed precision -->
 
 
 
 
 
 
 
 
 
 
 
101
 
102
- #### Speeds, Sizes, Times [optional]
103
 
104
- <!-- This section provides information about throughput, start/end time, checkpoint size if relevant, etc. -->
105
-
106
- [More Information Needed]
107
 
108
  ## Evaluation
109
 
110
- <!-- This section describes the evaluation protocols and provides the results. -->
111
-
112
  ### Testing Data, Factors & Metrics
113
 
114
  #### Testing Data
115
 
116
- <!-- This should link to a Dataset Card if possible. -->
117
 
118
- [More Information Needed]
 
 
 
 
 
 
 
119
 
120
  #### Factors
121
 
122
- <!-- These are the things the evaluation is disaggregating by, e.g., subpopulations or domains. -->
123
 
124
- [More Information Needed]
 
 
 
125
 
126
  #### Metrics
127
 
128
- <!-- These are the evaluation metrics being used, ideally with a description of why. -->
129
 
130
- [More Information Needed]
 
 
 
 
 
 
 
 
 
 
 
 
131
 
132
  ### Results
133
 
134
- [More Information Needed]
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
135
 
136
  #### Summary
137
 
138
-
139
-
140
- ## Model Examination [optional]
141
-
142
- <!-- Relevant interpretability work for the model goes here -->
143
-
144
- [More Information Needed]
145
-
146
- ## Environmental Impact
147
-
148
- <!-- Total emissions (in grams of CO2eq) and additional considerations, such as electricity usage, go here. Edit the suggested text below accordingly -->
149
-
150
- Carbon emissions can be estimated using the [Machine Learning Impact calculator](https://mlco2.github.io/impact#compute) presented in [Lacoste et al. (2019)](https://arxiv.org/abs/1910.09700).
151
-
152
- - **Hardware Type:** [More Information Needed]
153
- - **Hours used:** [More Information Needed]
154
- - **Cloud Provider:** [More Information Needed]
155
- - **Compute Region:** [More Information Needed]
156
- - **Carbon Emitted:** [More Information Needed]
157
 
158
  ## Technical Specifications [optional]
159
 
@@ -163,45 +235,48 @@ Carbon emissions can be estimated using the [Machine Learning Impact calculator]
163
 
164
  ### Compute Infrastructure
165
 
166
- [More Information Needed]
167
 
168
  #### Hardware
169
 
170
- [More Information Needed]
 
171
 
172
  #### Software
173
 
174
- [More Information Needed]
 
 
 
 
 
175
 
176
  ## Citation [optional]
177
 
178
- <!-- If there is a paper or blog post introducing the model, the APA and Bibtex information for that should go in this section. -->
179
-
180
  **BibTeX:**
181
 
182
- [More Information Needed]
 
 
 
 
 
 
 
183
 
184
  **APA:**
185
 
186
- [More Information Needed]
187
-
188
- ## Glossary [optional]
189
-
190
- <!-- If relevant, include terms and calculations in this section that can help readers understand the model or model card. -->
191
-
192
- [More Information Needed]
193
-
194
- ## More Information [optional]
195
-
196
- [More Information Needed]
197
 
198
- ## Model Card Authors [optional]
199
 
200
- [More Information Needed]
201
 
202
- ## Model Card Contact
 
 
 
 
203
 
204
- [More Information Needed]
205
  ### Framework versions
206
 
207
  - PEFT 0.19.1
 
6
  - base_model:adapter:fdtn-ai/Foundation-Sec-8B-Instruct
7
  - lora
8
  - transformers
9
+ - cybersecurity
10
+ - vulnerability-remediation
11
+ - cve
12
  ---
13
 
14
  # Model Card for Model ID
15
 
16
+ LoRA adapter for `fdtn-ai/Foundation-Sec-8B-Instruct` tuned for structured CVE remediation output. The model is designed to take CVE evidence and return a fixed seven-field JSON object containing severity, affected component, root cause, and remediation guidance.
 
17
 
18
 
19
  ## Model Details
20
 
21
  ### Model Description
22
 
23
+ This model is a parameter-efficient fine-tuning adapter built on top of `fdtn-ai/Foundation-Sec-8B-Instruct`. It is intended for structured vulnerability remediation assistance rather than open-ended chat. Given CVE evidence such as CVE ID, description, CVSS score, CWE, and affected component context, it generates a JSON response with a fixed schema:
24
 
25
+ - `cve_id`
26
+ - `severity`
27
+ - `affected_component`
28
+ - `technical_root_cause`
29
+ - `recommended_fix`
30
+ - `developer_remediation_steps`
31
+ - `verification_steps`
32
 
33
+ The adapter was evaluated in a Colab-based external benchmark on 100 CVE examples and showed strong schema adherence and high exact-match performance on most structured fields.
34
 
35
+ - **Developed by:** Ramitha Iddamalgoda
36
+ - **Funded by [optional]:** Self-directed
37
+ - **Shared by [optional]:** Ramitha Iddamalgoda
38
+ - **Model type:** LoRA adapter for causal language modeling
39
+ - **Language(s) (NLP):** English
40
+ - **License:** Apache 2.0
41
+ - **Finetuned from model [optional]:** `fdtn-ai/Foundation-Sec-8B-Instruct`
42
 
 
43
 
44
+ ### Model Sources [optional]
45
 
46
+ - **Paper [optional]:** Not applicable
47
+ - **Demo [optional]:** Not available
 
48
 
49
  ## Uses
50
 
 
 
51
  ### Direct Use
52
 
53
+ This adapter is intended for structured CVE remediation tasks where the input contains vulnerability evidence and the desired output is a constrained JSON object. Likely uses include:
54
 
55
+ - vulnerability triage experiments
56
+ - structured remediation drafting
57
+ - evaluation workflows for CVE understanding
58
+ - prototype security assistant pipelines
59
 
60
+ ### Downstream Use
61
 
62
+ This adapter can be used inside larger systems that:
63
 
64
+ - collect CVE descriptions from vulnerability feeds
65
+ - normalize vulnerability information into a fixed schema
66
+ - generate remediation suggestions for analyst review
67
+ - compare structured output quality across model variants
68
 
69
  ### Out-of-Scope Use
70
 
71
+ This model should not be used as:
72
 
73
+ - a fully autonomous security remediation engine
74
+ - a guaranteed-safe patch recommendation system
75
+ - a replacement for expert review in production security operations
76
+ - a general-purpose cybersecurity assistant outside its structured CVE task
77
 
78
  ## Bias, Risks, and Limitations
79
 
80
+ This model inherits limitations from the base model and from its fine-tuning data. It may produce incomplete, incorrect, outdated, or oversimplified remediation guidance. Although it performs well on the reported benchmark, the benchmark is small and not a definitive production evaluation.
 
 
81
 
82
  ### Recommendations
83
 
84
+ Use this model as an assistive tool, not an authoritative source. All outputs should be reviewed by a human with security context before operational use. When reporting results, describe them as an initial external benchmark rather than a final research-grade evaluation.
 
 
85
 
86
  ## How to Get Started with the Model
87
 
88
  Use the code below to get started with the model.
89
 
90
+ ```python
91
+ from transformers import AutoModelForCausalLM, AutoTokenizer
92
+ from peft import PeftModel
93
+
94
+ base_model = "fdtn-ai/Foundation-Sec-8B-Instruct"
95
+ adapter_repo = "your-username/secfix-cve-remediation-lora"
96
+
97
+ tokenizer = AutoTokenizer.from_pretrained(adapter_repo)
98
+ model = AutoModelForCausalLM.from_pretrained(base_model, device_map="auto")
99
+ model = PeftModel.from_pretrained(model, adapter_repo)
100
+ model.eval()
101
+ ```
102
+
103
+ Example input format:
104
+
105
+ ```
106
+ CVE ID: CVE-2024-11773
107
+ Description: SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
108
+ CVSS Score: 9.8
109
+ CWE: CWE-89
110
+ Affected Component: Ivanti - Cloud Services Application
111
+ ```
112
+
113
+ Expected output schema:
114
+
115
+ ```
116
+ {
117
+ "cve_id": "",
118
+ "severity": "",
119
+ "affected_component": "",
120
+ "technical_root_cause": "",
121
+ "recommended_fix": "",
122
+ "developer_remediation_steps": "",
123
+ "verification_steps": ""
124
+ }
125
+ ```
126
 
127
  ## Training Details
128
 
129
  ### Training Data
130
 
131
+ The adapter was trained for structured CVE remediation tasks using public CVE-oriented datasets prepared into JSONL chat-style training rows. The broader project used public CVE records with descriptions, CVSS-derived severity information, CWE information where available, and remediation-oriented text derived from source evidence.
132
 
133
+ Datasets considered in the project included:
134
 
135
+ - AlicanKiraz0/All-CVE-Records-Training-Dataset
136
+ - iamthierno/cvedataset.jsonl
137
 
138
+ The final task format used a system prompt plus a user message containing CVE evidence, with the assistant target being a structured JSON object.
139
 
140
+ ### Training Procedure
 
 
141
 
142
+ The model was fine-tuned as a LoRA adapter over fdtn-ai/Foundation-Sec-8B-Instruct for causal language modeling.
143
 
144
  #### Training Hyperparameters
145
 
146
+ - **Training regime:** bf16 when supported, otherwise fp32
147
+ - **LoRA rank:** 16
148
+ - **LoRA alpha:** 32
149
+ - **LoRA dropout:** 0.1
150
+ - **Target modules:** `q_proj`, `k_proj`, `v_proj`, `o_proj`
151
+ - **Epochs:** 2
152
+ - **Max sequence length:** 2048
153
+ - **Learning rate:** 2e-5
154
+ - **Weight decay:** 0.05
155
+ - **Gradient accumulation steps:** 4
156
+ - **Effective batch size:** 16
157
+ - **Gradient checkpointing:** enabled
158
 
159
+ #### Speeds, Sizes, Times
160
 
161
+ The adapter artifact is much smaller than the full base model because only LoRA parameters are stored. Evaluation and inference in Colab were performed using 4-bit loading for practical memory usage.
 
 
162
 
163
  ## Evaluation
164
 
 
 
165
  ### Testing Data, Factors & Metrics
166
 
167
  #### Testing Data
168
 
169
+ The published benchmark was run on 200 examples sampled from:
170
 
171
+ - `AlicanKiraz0/All-CVE-Records-Training-Dataset`
172
+
173
+ The reported sample used a balanced severity mix:
174
+
175
+ - 25 Critical
176
+ - 25 High
177
+ - 25 Medium
178
+ - 25 Low
179
 
180
  #### Factors
181
 
182
+ The evaluation focuses on:
183
 
184
+ - structured JSON validity
185
+ - exact-match correctness on normalized fields
186
+ - token overlap on short text spans
187
+ - overlap-based quality on longer remediation text
188
 
189
  #### Metrics
190
 
191
+ The evaluation used:
192
 
193
+ - JSON validity rate
194
+ - required key set match rate
195
+ - field completeness
196
+ - exact match for `cve_id`
197
+ - exact match and Macro-F1 for `severity`
198
+ - exact match and Token-F1 for `affected_component`
199
+ - exact match, Token-F1, and CWE Macro-F1 for `technical_root_cause`
200
+ - ROUGE-L for:
201
+ - `recommended_fix`
202
+ - `developer_remediation_steps`
203
+ - `verification_steps`
204
+
205
+ BERTScore was not computed in the published run.
206
 
207
  ### Results
208
 
209
+ Published benchmark results:
210
+
211
+ - JSON validity: `0.9400`
212
+ - Required key match: `0.9400`
213
+ - Field completeness: `0.9400`
214
+ - CVE ID exact match: `0.9400`
215
+ - Severity exact match: `0.9400`
216
+ - Severity Macro-F1: `0.7748`
217
+ - Affected component exact match: `0.9400`
218
+ - Affected component Token-F1: `0.9400`
219
+ - Technical root cause exact match: `0.9400`
220
+ - Technical root cause Token-F1: `0.9400`
221
+ - Technical root cause CWE Macro-F1: `0.9062`
222
+ - Recommended fix ROUGE-L: `0.9367`
223
+ - Developer remediation ROUGE-L: `0.9228`
224
+ - Verification steps ROUGE-L: `0.9400`
225
 
226
  #### Summary
227
 
228
+ On the published 100-example Colab benchmark, the adapter showed strong schema adherence and high exact-match performance across most structured fields. The weakest reported metric is severity Macro-F1, which suggests that the remaining errors are concentrated in a subset of severity classes rather than evenly distributed.
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
229
 
230
  ## Technical Specifications [optional]
231
 
 
235
 
236
  ### Compute Infrastructure
237
 
238
+ Training used NVIDIA MI300X VRAM and Google Colab for testing.
239
 
240
  #### Hardware
241
 
242
+ - NVIDIA MI300X VRAM for training
243
+ - Google Colab T4 GPU for evaluation
244
 
245
  #### Software
246
 
247
+ - Transformers
248
+ - PEFT
249
+ - PyTorch
250
+ - Hugging Face Hub
251
+ - rouge-score
252
+ - scikit-learn
253
 
254
  ## Citation [optional]
255
 
 
 
256
  **BibTeX:**
257
 
258
+ ```bibtex
259
+ @misc{secfix_lora_adapter,
260
+ title={SecFix CVE Remediation LoRA Adapter},
261
+ author={Ramitha},
262
+ year={2026},
263
+ howpublished={Hugging Face model repository}
264
+ }
265
+ ```
266
 
267
  **APA:**
268
 
269
+ Iddamalgoda, I. H. R. P. (2026). *SecFix CVE Remediation LoRA Adapter* [LoRA adapter]. Hugging Face.
 
 
 
 
 
 
 
 
 
 
270
 
 
271
 
272
+ ## Glossary
273
 
274
+ - **CVE:** Common Vulnerabilities and Exposures identifier
275
+ - **CWE:** Common Weakness Enumeration label
276
+ - **LoRA:** Low-Rank Adaptation, a parameter-efficient fine-tuning method
277
+ - **ROUGE-L:** Longest-common-subsequence overlap metric for generated text
278
+ - **Macro-F1:** Class-balanced F1 score across labels
279
 
 
280
  ### Framework versions
281
 
282
  - PEFT 0.19.1