---
license: mit
base_model: unsloth/Meta-Llama-3.1-8B-Instruct-unsloth-bnb-4bit
tags:
- cybersecurity
- mitre-attack
- honeypot
- log-analysis
- llama
- lora
- security
- threat-detection
language:
- en
datasets:
- custom
library_name: transformers
pipeline_tag: text-generation
---

# LLM-Enhanced Honeypot Log Analysis Model

## Model Description

This model is a fine-tuned version of Llama 3.1 8B Instruct, specialized for analyzing honeypot logs and generating MITRE ATT&CK framework annotations. It was developed as part of a research project at Queen's University Belfast investigating automated security log analysis using Large Language Models.

## Key Features

- **MITRE ATT&CK Annotation**: Automatically generates structured annotations for security events
- **Honeypot Log Analysis**: Specialized in analyzing Unix terminal logs from honeypot systems
- **LoRA Fine-tuning**: Uses Low-Rank Adaptation for efficient parameter updates
- **Research-Grade**: Developed for academic research in cybersecurity and AI

## Model Details

### Base Model
- **Base Model**: unsloth/Meta-Llama-3.1-8B-Instruct-unsloth-bnb-4bit
- **Model Size**: 8B parameters
- **Architecture**: Llama 3.1 with Instruct tuning
- **Quantization**: 4-bit quantization for efficiency

### Fine-tuning Details
- **Method**: LoRA (Low-Rank Adaptation)
- **LoRA Rank**: 32
- **LoRA Alpha**: 32
- **LoRA Dropout**: 0
- **Learning Rate**: 0.00012
- **Batch Size**: 2
- **Gradient Accumulation**: 4
- **Max Steps**: 100
- **Optimizer**: adamw_8bit

## Training Data

The model was trained on a curated dataset of honeypot logs with human-annotated MITRE ATT&CK framework labels. The training data includes:

- Unix terminal command logs from honeypot systems
- Structured annotations for 6 key MITRE ATT&CK fields
- Balanced representation of different attack tactics and techniques

## Usage

### Installation

```bash
pip install transformers torch unsloth
```

### Loading the Model

```python
from unsloth import FastLanguageModel

model, tokenizer = FastLanguageModel.from_pretrained(
    model_name="your-username/model-name",
    max_seq_length=2048,
    dtype=None,
    load_in_4bit=True,
)
```

### Inference

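```python
# Enable inference mode
FastLanguageModel.for_inference(model)

# Format your input
prompt_template = '''Below is a Unix terminal command log from a honeypot system. Please analyze it and provide MITRE ATT&CK framework annotations.

Command: {command}
Timestamp: {timestamp}
Source IP: {source_ip}

Please provide:
1. Tactic
2. Technique
3. Sub-technique
4. Description'''

# Fill the placeholders from one honeypot log record (sample values shown here)
prompt = prompt_template.format(
    command="uname -a",
    timestamp="2025-01-01T00:00:00Z",
    source_ip="203.0.113.10",
)

# Tokenize on the same device as the model, then generate and decode
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
outputs = model.generate(**inputs, max_new_tokens=1024, temperature=0.7)
response = tokenizer.decode(outputs[0], skip_special_tokens=True)
```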
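
The annotations are free text from a generative model, so check them before they reach a detection pipeline or a report. The following is an added example, not code from this project. It assumes the response contains `Field: value` lines for the four fields the prompt requests (the model card does not specify the output format), and the sample responses are constructed.

```python
import re

# The 14 MITRE ATT&CK Enterprise tactic names, lowercased for comparison.
TACTICS = {
    "reconnaissance", "resource development", "initial access", "execution",
    "persistence", "privilege escalation", "defense evasion",
    "credential access", "discovery", "lateral movement", "collection",
    "command and control", "exfiltration", "impact",
}
REQUIRED = ("tactic", "technique", "sub-technique", "description")
# Assumed output shape: optional "N. " prefix, then "Field: value".
FIELD = re.compile(
    r"^\s*(?:\d+\.\s*)?(Tactic|Technique|Sub-technique|Description)\s*:\s*(.+)$",
    re.I | re.M,
)
TECHNIQUE_ID = re.compile(r"\bT\d{4}\b")        # e.g. T1059
SUB_ID = re.compile(r"\bT\d{4}\.\d{3}\b")       # e.g. T1059.004

def parse_annotation(response: str) -> dict:
    """Return the first value seen for each requested field."""
    fields = {}
    for name, value in FIELD.findall(response):
        fields.setdefault(name.lower(), value.strip())
    return fields

def validate_annotation(fields: dict) -> list:
    """Return a list of problems; an empty list means the annotation is well-formed."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in fields]
    tactic = fields.get("tactic")
    if tactic and tactic.lower() not in TACTICS:
        problems.append(f"unknown tactic: {tactic}")
    tech = TECHNIQUE_ID.search(fields.get("technique", ""))
    if "technique" in fields and not tech:
        problems.append("technique has no Txxxx ID")
    sub = SUB_ID.search(fields.get("sub-technique", ""))
    if sub and tech and not sub.group().startswith(tech.group() + "."):
        problems.append(f"{sub.group()} is not a sub-technique of {tech.group()}")
    return problems

# Constructed sample responses (not real model output).
GOOD = """1. Tactic: Execution
2. Technique: T1059 Command and Scripting Interpreter
3. Sub-technique: T1059.004 Unix Shell
4. Description: The session ran a downloaded shell script."""
MISMATCH = GOOD.replace("T1059.004 Unix Shell", "T1053.003 Cron")
BAD = "1. Tactic: Hacking\n2. Technique: Command and Scripting Interpreter\n"
```

These checks cover format and internal consistency only. Whether the technique actually matches the logged command still needs analyst review or comparison against labelled data.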

## Evaluation

The model has been evaluated on multiple metrics:

- **Overall MITRE Accuracy**: Novel composite metric combining all 6 MITRE ATT&CK field accuracies
- **Confusion Matrix Analysis**: Visual analysis of tactics classification performance
- **Field-level Accuracy**: Individual accuracy for each MITRE ATT&CK field
- **Human Evaluation**: Expert validation of generated annotations

## Limitations

- Specialized for honeypot log analysis - may not generalize to other security contexts
- Requires structured input format for optimal performance
- Training data limited to specific honeypot configurations
- May exhibit biases present in training data

## Ethical Considerations

This model is designed for defensive cybersecurity research and should be used responsibly:

- Intended for legitimate security research and defense applications
- Should not be used for malicious purposes or unauthorized access
- Users should validate outputs before making security decisions
- Consider privacy implications when analyzing logs

## Citation

If you use this model in your research, please cite:

```bibtex
@misc{llm_honeypot_analysis_2025,
  title={LLM-Enhanced Honeypot Log Analysis System},
  author={[Student Name]},
  year={2025},
  institution={Queen's University Belfast},
  course={CSC4003 - Research Project},
  url={https://gitlab.eeecs.qub.ac.uk/[student-id]/CSC4003}
}
```

## License

This model is released under the MIT License. See the LICENSE file for details.

## Contact

For questions or issues:
- Repository: https://gitlab.eeecs.qub.ac.uk/40285272/CSC4006
- Institution: Queen's University Belfast
- Course: CSC4006 - Research Project

## Acknowledgments

- Built using the Unsloth library for efficient training
- Based on Meta's Llama 3.1 model
- Developed as part of cybersecurity research at Queen's University Belfast