---
language:
- en
license: llama3.1
library_name: transformers
base_model: meta-llama/Llama-3.1-8B-Instruct
tags:
- aws
- cloud-security
- security-analysis
- wazuh
- threat-detection
- llama
- peft
- lora
- aws-security
- cloudtrail
- guardduty
- compliance
pipeline_tag: text-generation
widget:
- text: 'Analyze this AWS GuardDuty finding: UnauthorizedAccess:EC2/SSHBruteForce from IP 45.142.120.10'
  example_title: "AWS GuardDuty Alert"
- text: 'Analyze CloudTrail event: AttachUserPolicy with AdministratorAccess by root user'
  example_title: "AWS IAM Policy Change"
model-index:
- name: aws-security-analyst
  results:
  - task:
      type: text-generation
      name: AWS Security Analysis
    metrics:
    - type: loss
      value: 0.03
      name: Training Loss
    - type: eval_loss
      value: 0.08
      name: Validation Loss
---
# aws-security-analyst
## Model Details
- **Model Name:** aws-security-analyst
- **Base Model:** OpenNix base model (LLaMA 3.1 8B based)
- **License:** llama3.1
- **Model Type:** Causal Language Model (Fine-tuned with LoRA for AWS Security)
- **Architecture:** 8B parameters
- **Specialization:** AWS Cloud Security Events Analysis
## Model Description
LLaMA 3.1 8B Instruct model fine-tuned for AWS cloud security event analysis.
Analyzes events from 20+ AWS security sources including CloudTrail, GuardDuty, Security Hub, Macie, Inspector, Config, VPC Flow Logs, WAF, and more.
### Key Features
- **20+ AWS Security Sources:** CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.
- **MITRE ATT&CK Mapping:** 135 cloud techniques, 14 tactics
- **Compliance Framework Support:** 195 items (CIS, PCI-DSS, HIPAA, GDPR, FedRAMP, NIST)
- **Attack Scenario Detection:** 20 multi-step attack scenarios
- **Severity Mapping:** AWS native scales → Wazuh levels (0-15)
- **Advanced Analysis:** Threat assessment, incident response recommendations
## Training Data
- **Total Samples:** 2000
- **AWS Sources:** 20 (CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.)
- **Attack Scenarios:** 20 multi-step scenarios
- **MITRE Techniques:** 135 cloud techniques
- **Compliance Items:** 195 (CIS 62, PCI-DSS 49, HIPAA 35, GDPR 15, FedRAMP 3, NIST 31)
**Distribution:**
- GuardDuty Findings: 86 types
- CloudTrail Events: 74 types
- Security Hub Findings: CIS, PCI-DSS, HIPAA compliance
- VPC Flow Logs: 5 attack patterns
## Capabilities
### AWS Security Event Analysis
```python
# Example usage
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer

model_id = "pyToshka/aws-security-analyst"
tokenizer = AutoTokenizer.from_pretrained(model_id)
# bf16 weights and device_map="auto" keep an 8B model within a single GPU's memory
model = AutoModelForCausalLM.from_pretrained(
    model_id, torch_dtype=torch.bfloat16, device_map="auto"
)

# Analyze AWS GuardDuty finding
prompt = """Analyze this AWS security event:
Event Source: GuardDuty
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce
Severity: 8.0
Resource: EC2 instance i-1234567890abcdef0
Source IP: 45.142.120.10
Provide:
1. Threat assessment
2. MITRE ATT&CK techniques
3. Compliance impact
4. Recommended actions
"""
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)
outputs = model.generate(**inputs, max_new_tokens=512)
# Decode only the newly generated tokens so the prompt is not echoed back
response = tokenizer.decode(
    outputs[0][inputs["input_ids"].shape[1]:], skip_special_tokens=True
)
print(response)
```
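The prompt above is hand-written. As an added example (not code from the model card), the block below builds the same prompt layout directly from a GuardDuty finding in the GetFindings JSON shape and maps the finding's severity onto the Wazuh 0-15 rule-level scale mentioned under Key Features. The band-to-level table, the sample finding and the function names `guardduty_to_wazuh_level` and `build_prompt` are assumptions of this example, not the model's own mapping.

```python
# Added example: turn a GuardDuty finding (GetFindings JSON shape) into the
# model card's prompt layout and map its severity to a Wazuh rule level.
# GuardDuty severity bands follow the AWS documentation; the Wazuh levels
# they map to are an illustrative assumption, not the model's own table.
SEVERITY_BANDS = (
    # (low_inclusive, high_inclusive, label, wazuh_level)
    (0.1, 3.9, "Low", 5),
    (4.0, 6.9, "Medium", 8),
    (7.0, 8.9, "High", 12),
    (9.0, 10.0, "Critical", 15),
)


def guardduty_to_wazuh_level(severity):
    """Return (band label, Wazuh level 0-15) for a GuardDuty severity score."""
    for low, high, label, level in SEVERITY_BANDS:
        if low <= float(severity) <= high:
            return label, level
    # Anything outside 0.1-10.0 is malformed input, not a finding to triage.
    raise ValueError(f"GuardDuty severity out of range: {severity!r}")


def build_prompt(finding):
    """Render a GuardDuty finding into the model card's prompt layout."""
    action = finding.get("Service", {}).get("Action", {})
    source_ip = (action.get("NetworkConnectionAction", {})
                 .get("RemoteIpDetails", {}).get("IpAddressV4", "unknown"))
    instance = (finding.get("Resource", {}).get("InstanceDetails", {})
                .get("InstanceId", "unknown"))
    return (
        "Analyze this AWS security event:\nEvent Source: GuardDuty\n"
        f"Finding Type: {finding['Type']}\n"
        f"Severity: {float(finding['Severity']):.1f}\n"
        f"Resource: EC2 instance {instance}\nSource IP: {source_ip}\n"
        "Provide:\n1. Threat assessment\n2. MITRE ATT&CK techniques\n"
        "3. Compliance impact\n4. Recommended actions\n"
    )


# Constructed sample finding, trimmed to the fields the functions above read.
SAMPLE_FINDING = {
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 8.0,
    "Resource": {"InstanceDetails": {"InstanceId": "i-1234567890abcdef0"}},
    "Service": {"Action": {"NetworkConnectionAction": {
        "RemoteIpDetails": {"IpAddressV4": "45.142.120.10"}}}},
}
```

`build_prompt(SAMPLE_FINDING)` yields the same prompt text as the usage example, so findings pulled from the GuardDuty API can be fed to the model without hand-editing, while `guardduty_to_wazuh_level` supplies the level a Wazuh rule would carry.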
### Supported AWS Sources
- CloudTrail API calls
- GuardDuty threat findings
- Security Hub compliance findings
- VPC Flow Logs network traffic
- WAF web application attacks
- Macie data sensitivity findings
- Inspector vulnerability findings
- Config compliance events
- IAM Access Analyzer findings
- Route 53 DNS queries
- RDS database logs
- EKS Kubernetes audit logs
- CloudWatch alarms
- EventBridge events
- AWS Budgets alerts
- Threat Intelligence IOCs
## Use Cases
- AWS security event triage and analysis
- GuardDuty finding interpretation
- CloudTrail event investigation
- Compliance violation detection (CIS, PCI-DSS, HIPAA, GDPR)
- MITRE ATT&CK technique mapping
- Multi-source event correlation
- Attack scenario detection
- Incident response planning
## Limitations
- Trained on synthetic AWS security events
- May require validation on real-world data
- Performance depends on input quality
- Best used as an assistant tool, not a replacement for human analysis
## Citation
If you use this model in your research or application, please cite:
```bibtex
@misc{wazuh_aws_security_llama_aws_security_analyst,
  title={Wazuh AWS Security Analyst based on LLaMA 3.1 8B},
  author={pyToshka},
  year={2025},
  publisher={HuggingFace},
  url={https://huggingface.co/pyToshka/aws-security-analyst}
}
```
## Acknowledgments
Built with:
- **Data:** AWS security documentation, MITRE ATT&CK Cloud Matrix, Wazuh Rules, and more
- **Training:** Wazuh, AWS
## License
This model inherits the LLaMA 3.1 Community License from the base model.
## Contact
Issues: Please open an issue on the repository
## Disclaimer
This model is provided for research and educational purposes. Always validate outputs with human security expertise before taking action on security incidents.