Hugging Face's logo

pyToshka
/
aws-security-analyst

Text Generation
Transformers
Safetensors
PEFT
English
llama
aws
cloud-security
security-analysis
wazuh
threat-detection
lora
aws-security
cloudtrail
guardduty
compliance
conversational
Eval Results
text-generation-inference
Model card Files
xet
Community
aws-security-analyst / README.md
pyToshka's picture
pyToshka
Upload model
407b0e5 verified
preview code
|
raw
history blame contribute delete
5 kB
metadata
language:
  - en
license: llama3.1
library_name: transformers
base_model: meta-llama/Llama-3.1-8B-Instruct
tags:
  - aws
  - cloud-security
  - security-analysis
  - wazuh
  - threat-detection
  - llama
  - peft
  - lora
  - aws-security
  - cloudtrail
  - guardduty
  - compliance
pipeline_tag: text-generation
widget:
  - text: >-
      Analyze this AWS GuardDuty finding: UnauthorizedAccess:EC2/SSHBruteForce
      from IP 45.142.120.10
    example_title: AWS GuardDuty Alert
  - text: >-
      Analyze CloudTrail event: AttachUserPolicy with AdministratorAccess by
      root user
    example_title: AWS IAM Policy Change
model-index:
  - name: aws-security-analyst
    results:
      - task:
          type: text-generation
          name: AWS Security Analysis
        metrics:
          - type: loss
            value: 0.03
            name: Training Loss
          - type: eval_loss
            value: 0.08
            name: Validation Loss

aws-security-analyst

Model Details

  • Model Name: aws-security-analyst
  • Base Model: OpenNix base model(LLaMA 3.1 8B based)
  • License: llama3.1
  • Model Type: Causal Language Model (Fine-tuned with LoRA for AWS Security)
  • Architecture: 8B parameters
  • Specialization: AWS Cloud Security Events Analysis

Model Description

LLaMA 3.1 8B Instruct model fine-tuned for AWS cloud security event analysis.

Analyzes events from 20+ AWS security sources including CloudTrail, GuardDuty, Security Hub, Macie, Inspector, Config, VPC Flow Logs, WAF, and more.

Key Features

  • 20+ AWS Security Sources: CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.
  • MITRE ATT&CK Mapping: 135 cloud techniques, 14 tactics
  • Compliance Framework Support: 195 items (CIS, PCI-DSS, HIPAA, GDPR, FedRAMP, NIST)
  • Attack Scenario Detection: 20 multi-step attack scenarios
  • Severity Mapping: AWS native scales → Wazuh levels (0-15)
  • Advanced Analysis: Threat assessment, incident response recommendations

Training Data

  • Total Samples: 2000
  • AWS Sources: 20 (CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.)
  • Attack Scenarios: 20 multi-step scenarios
  • MITRE Techniques: 135 cloud techniques
  • Compliance Items: 195 (CIS 62, PCI-DSS 49, HIPAA 35, GDPR 15, FedRAMP 3, NIST 31)

Distribution:

  • GuardDuty Findings: 86 types
  • CloudTrail Events: 74 types
  • Security Hub Findings: CIS, PCI-DSS, HIPAA compliance
  • VPC Flow Logs: 5 attack patterns

Capabilities

AWS Security Event Analysis 

# Example usage
from transformers import AutoModelForCausalLM, AutoTokenizer

model = AutoModelForCausalLM.from_pretrained("pyToshka/aws-security-analyst")
tokenizer = AutoTokenizer.from_pretrained("pyToshka/aws-security-analyst")

# Analyze AWS GuardDuty finding
prompt = """Analyze this AWS security event:
Event Source: GuardDuty
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce
Severity: 8.0
Resource: EC2 instance i-1234567890abcdef0
Source IP: 45.142.120.10

Provide:
1. Threat assessment
2. MITRE ATT&CK techniques
3. Compliance impact
4. Recommended actions
"""

inputs = tokenizer(prompt, return_tensors="pt")
outputs = model.generate(**inputs, max_new_tokens=512)
response = tokenizer.decode(outputs[0])

Supported AWS Sources

  • CloudTrail API calls
  • GuardDuty threat findings
  • Security Hub compliance findings
  • VPC Flow Logs network traffic
  • WAF web application attacks
  • Macie data sensitivity findings
  • Inspector vulnerability findings
  • Config compliance events
  • IAM Access Analyzer findings
  • Route 53 DNS queries
  • RDS database logs
  • EKS Kubernetes audit logs
  • CloudWatch alarms
  • EventBridge events
  • AWS Budgets alerts
  • Threat Intelligence IOCs

Use Cases

  • AWS security event triage and analysis
  • GuardDuty finding interpretation
  • CloudTrail event investigation
  • Compliance violation detection (CIS, PCI-DSS, HIPAA, GDPR)
  • MITRE ATT&CK technique mapping
  • Multi-source event correlation
  • Attack scenario detection
  • Incident response planning

Limitations

  • Trained on synthetic AWS security events
  • May require validation on real-world data
  • Performance depends on input quality
  • Best used as assistant tool, not replacement for human analysis

Citation

If you use this model in your research or application, please cite:

@misc{{wazuh_aws_security_llama_aws_security_analyst,
  title={{Wazuh AWS Security Analyst based on LLaMA 3.1 8B}},
  author={{pyToshka}},
  year={{2025}},
  publisher={{HuggingFace}},
  url={{https://huggingface.co/pyToshka/aws-security-analyst}}
}}

Acknowledgments

Built with:

  • Data: AWS security documentation, MITRE ATT&CK Cloud Matrix, Wazuh Rules, and more
  • Training: Wazuh, AWS

License

This model inherits the LLaMA 3.1 Community License from the base model.

Contact

Issues: Please open an issue on the repository

Disclaimer

This model is provided for research and educational purposes. Always validate outputs with human security expertise before taking action on security incidents.