File size: 9,379 Bytes
0d66688 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 |
---
base_model: mistralai/Ministral-8B-Instruct-2410
tags:
- unsloth
- lora
- qlora
- vulnerability-detection
- security
- code-analysis
- cybersecurity
- ultival
- peft
- adapter
language:
- en
license: apache-2.0
library_name: peft
pipeline_tag: text-generation
---
# UltiVal: Ministral-8B QLoRA Adapter for Vulnerability Detection
This is a **QLoRA adapter** fine-tuned from **Ministral-8B-Instruct-2410** for detecting security vulnerabilities in source code as part of the **UltiVal** project.
## π¨ Important Note
This is a **LoRA adapter**, not a standalone model. You must load it together with the base model `mistralai/Ministral-8B-Instruct-2410`.
## π Model Details
- **Base Model**: `mistralai/Ministral-8B-Instruct-2410`
- **Adapter Type**: QLoRA (4-bit Low-Rank Adaptation)
- **Training Framework**: Unsloth
- **Task**: Security vulnerability detection in source code
- **Model Size**: ~334MB (adapter only)
- **Context Length**: 2048 tokens
- **Languages**: Multi-language code analysis (Python, JavaScript, Java, C/C++, etc.)
## π― Training Configuration
| Parameter | Value |
|-----------|--------|
| **Training Steps** | 6,000 (best checkpoint) |
| **Total Steps** | 6,184 |
| **Validation Loss** | 0.5840 (lowest achieved at step 6000) |
| **Final Training Loss** | 0.4081 |
| **Epochs** | 2 |
| **Learning Rate** | 2e-4 β 1.76e-7 (cosine schedule) |
| **Batch Size** | 8 (2 Γ 4 gradient accumulation) |
| **Sequence Length** | 2048 tokens |
| **LoRA Rank** | 32 |
| **LoRA Alpha** | 32 |
| **LoRA Dropout** | 0.0 |
| **Weight Decay** | 0.01 |
| **Warmup Steps** | ~5% of total steps |
### Target Modules
```
q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj
```
## π§ Usage
### Option 1: Using Unsloth (Recommended)
```python
from unsloth import FastLanguageModel
import torch
# Load base model
model, tokenizer = FastLanguageModel.from_pretrained(
model_name="mistralai/Ministral-8B-Instruct-2410",
max_seq_length=2048,
dtype=None,
load_in_4bit=True,
)
# Add LoRA configuration
model = FastLanguageModel.get_peft_model(
model,
r=32,
target_modules=["q_proj", "k_proj", "v_proj", "o_proj",
"gate_proj", "up_proj", "down_proj"],
lora_alpha=32,
lora_dropout=0,
bias="none",
use_gradient_checkpointing="unsloth",
random_state=3407,
)
# Load the trained adapter
model.load_adapter("starsofchance/Mistral-Unsloth-QLoRA-adapter")
# Enable inference mode
FastLanguageModel.for_inference(model)
```
### Option 2: Using Transformers + PEFT
```python
from transformers import AutoTokenizer, AutoModelForCausalLM
from peft import PeftModel
import torch
# Load base model
base_model = AutoModelForCausalLM.from_pretrained(
"mistralai/Ministral-8B-Instruct-2410",
torch_dtype=torch.float16,
device_map="auto",
load_in_4bit=True
)
tokenizer = AutoTokenizer.from_pretrained("mistralai/Ministral-8B-Instruct-2410")
# Load LoRA adapter
model = PeftModel.from_pretrained(base_model, "starsofchance/Mistral-Unsloth-QLoRA-adapter")
```
## π» Inference Example
```python
# Example: SQL Injection Detection
code_snippet = '''
def authenticate_user(username, password):
query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
cursor.execute(query)
return cursor.fetchone()
'''
messages = [
{"role": "user", "content": f"Analyze this code for security vulnerabilities:\n\n{code_snippet}"}
]
# Tokenize and generate
input_ids = tokenizer.apply_chat_template(
messages,
add_generation_prompt=True,
return_tensors="pt"
).to(model.device)
outputs = model.generate(
input_ids,
max_new_tokens=512,
do_sample=False,
pad_token_id=tokenizer.eos_token_id,
temperature=0.1
)
response = tokenizer.decode(outputs[0][len(input_ids[0]):], skip_special_tokens=True)
print(response)
```
### Expected Output
```
This code contains a critical SQL injection vulnerability. The user input (username and password)
is directly concatenated into the SQL query without any sanitization or parameterization.
**Vulnerability Type**: SQL Injection (CWE-89)
**Severity**: High
**Location**: Line 2, query construction
**How to exploit**: An attacker could input malicious SQL code like:
- Username: `admin' --`
- Password: `anything`
**Secure fix**: Use parameterized queries:
```python
def authenticate_user(username, password):
query = "SELECT * FROM users WHERE username=? AND password=?"
cursor.execute(query, (username, password))
return cursor.fetchone()
```
```
## π‘οΈ Supported Vulnerability Types
The model is trained to detect various security vulnerabilities including:
| Category | Examples |
|----------|----------|
| **Injection** | SQL Injection, Command Injection, LDAP Injection |
| **XSS** | Reflected XSS, Stored XSS, DOM-based XSS |
| **Authentication** | Weak passwords, Authentication bypass, Session management |
| **Authorization** | Privilege escalation, Access control issues |
| **Cryptography** | Weak encryption, Hardcoded keys, Improper random generation |
| **File Operations** | Path traversal, File inclusion, Unsafe deserialization |
| **Memory Safety** | Buffer overflow, Use after free, Memory leaks |
| **Web Security** | CSRF, SSRF, Insecure redirects |
## π Performance Metrics
### Training Progress
- **Initial Loss**: 1.5544
- **Final Loss**: 0.4081
- **Best Validation Loss**: 0.5840 (step 6000)
- **Training Duration**: ~15 hours
- **Convergence**: Stable convergence with cosine learning rate schedule
### Hardware Requirements
- **Training**: NVIDIA GPU with 4-bit quantization
- **Inference**: Can run on CPU or GPU (GPU recommended for speed)
- **Memory**: ~6GB GPU memory for inference with 4-bit quantization
## π Repository Structure
```
starsofchance/Mistral-Unsloth-QLoRA-adapter/
βββ adapter_config.json # LoRA configuration
βββ adapter_model.safetensors # Trained adapter weights (~334MB)
βββ tokenizer.json # Tokenizer configuration
βββ tokenizer_config.json # Tokenizer settings
βββ special_tokens_map.json # Special tokens mapping
βββ README.md # This file
```
## β οΈ Limitations
1. **Adapter Dependency**: Requires the base model to function
2. **Context Window**: Limited to 2048 tokens
3. **Language Coverage**: Primarily trained on common programming languages
4. **False Positives**: May flag secure code patterns as potentially vulnerable
5. **Novel Vulnerabilities**: May not detect cutting-edge or highly obfuscated attacks
6. **Code Context**: Performance depends on having sufficient code context
## π Integration Tips
### Batch Processing
```python
def analyze_multiple_files(code_files):
results = []
for file_path, code_content in code_files:
# Analyze each file
messages = [{"role": "user", "content": f"Analyze for vulnerabilities:\n\n{code_content}"}]
# ... generate response
results.append({"file": file_path, "analysis": response})
return results
```
### Custom Prompting
```python
# For specific vulnerability types
prompt = f"""
Focus on SQL injection vulnerabilities in this code:
{code_snippet}
Provide:
1. Vulnerability assessment (Yes/No)
2. Risk level (Low/Medium/High/Critical)
3. Specific location
4. Remediation steps
"""
```
## π Training Data
The model was fine-tuned on a curated dataset featuring:
- **Real-world vulnerabilities** from CVE databases
- **Secure code patterns** for contrast learning
- **Multi-language examples** across different frameworks
- **Detailed explanations** with remediation guidance
- **Context-rich examples** showing vulnerability in realistic scenarios
## π Model Lineage
```
Ministral-8B-Instruct-2410 (Mistral AI)
β
QLoRA Fine-tuning (Unsloth)
β
UltiVal Vulnerability Detection Adapter
```
## π Citation
If you use this model in your research or applications, please cite:
```bibtex
@misc{ultival_mistral_lora_2025,
title={UltiVal: Ministral-8B QLoRA Adapter for Vulnerability Detection},
author={StarsOfChance},
year={2025},
publisher={Hugging Face},
url={https://huggingface.co/starsofchance/Mistral-Unsloth-QLoRA-adapter}
}
```
## βοΈ License
This adapter inherits the license from the base model `mistralai/Ministral-8B-Instruct-2410`. Please refer to the [base model's license](https://huggingface.co/mistralai/Ministral-8B-Instruct-2410) for specific terms and conditions.
## π Acknowledgments
- **Unsloth Team**: For the efficient LoRA fine-tuning framework
- **Mistral AI**: For the powerful Ministral-8B-Instruct-2410 base model
- **Hugging Face**: For the model hosting and PEFT library
- **UltiVal Project**: Part of ongoing research in automated vulnerability detection
## π Contact & Support
- **Issues**: Report bugs or issues in the [model repository](https://huggingface.co/starsofchance/Mistral-Unsloth-QLoRA-adapter/discussions)
- **Updates**: Follow for model updates and improvements
- **Community**: Join discussions about vulnerability detection and code security
---
**π Security Note**: This model is designed to assist in security analysis but should not be the sole method for vulnerability assessment. Always conduct comprehensive security reviews with multiple tools and expert analysis. |