---
language:
- en
license: llama3.1
library_name: transformers
base_model: meta-llama/Llama-3.1-8B-Instruct
tags:
- aws
- cloud-security
- security-analysis
- wazuh
- threat-detection
- llama
- peft
- lora
- aws-security
- cloudtrail
- guardduty
- compliance
pipeline_tag: text-generation
widget:
- text: 'Analyze this AWS GuardDuty finding: UnauthorizedAccess:EC2/SSHBruteForce from IP 45.142.120.10'
  example_title: "AWS GuardDuty Alert"
- text: 'Analyze CloudTrail event: AttachUserPolicy with AdministratorAccess by root user'
  example_title: "AWS IAM Policy Change"
model-index:
- name: aws-security-analyst
  results:
  - task:
      type: text-generation
      name: AWS Security Analysis
    metrics:
    - type: loss
      value: 0.03
      name: Training Loss
    - type: eval_loss
      value: 0.08
      name: Validation Loss
---

# aws-security-analyst

## Model Details

- **Model Name:** aws-security-analyst
- **Base Model:** OpenNix base model (LLaMA 3.1 8B based)
- **License:** llama3.1
- **Model Type:** Causal Language Model (fine-tuned with LoRA for AWS security)
- **Architecture:** 8B parameters
- **Specialization:** AWS cloud security event analysis

## Model Description

LLaMA 3.1 8B Instruct model fine-tuned for AWS cloud security event analysis. It analyzes events from 20+ AWS security sources including CloudTrail, GuardDuty, Security Hub, Macie, Inspector, Config, VPC Flow Logs, WAF, and more.

### Key Features

- **20+ AWS Security Sources:** CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.
- **MITRE ATT&CK Mapping:** 135 cloud techniques, 14 tactics
- **Compliance Framework Support:** 195 items (CIS, PCI-DSS, HIPAA, GDPR, FedRAMP, NIST)
- **Attack Scenario Detection:** 20 multi-step attack scenarios
- **Severity Mapping:** AWS native scales → Wazuh levels (0-15)
- **Advanced Analysis:** Threat assessment, incident response recommendations

## Training Data

- **Total Samples:** 2000
- **AWS Sources:** 20 (CloudTrail, GuardDuty, SecurityHub, VPCFlow, WAF, Macie, Inspector, Config, etc.)
- **Attack Scenarios:** 20 multi-step scenarios
- **MITRE Techniques:** 135 cloud techniques
- **Compliance Items:** 195 (CIS 62, PCI-DSS 49, HIPAA 35, GDPR 15, FedRAMP 3, NIST 31)

**Distribution:**

- GuardDuty Findings: 86 types
- CloudTrail Events: 74 types
- Security Hub Findings: CIS, PCI-DSS, HIPAA compliance
- VPC Flow Logs: 5 attack patterns

## Capabilities

### AWS Security Event Analysis

```python
# Example usage
from transformers import AutoModelForCausalLM, AutoTokenizer

model = AutoModelForCausalLM.from_pretrained("pyToshka/aws-security-analyst")
tokenizer = AutoTokenizer.from_pretrained("pyToshka/aws-security-analyst")

# Analyze an AWS GuardDuty finding
prompt = """Analyze this AWS security event:

Event Source: GuardDuty
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce
Severity: 8.0
Resource: EC2 instance i-1234567890abcdef0
Source IP: 45.142.120.10

Provide:
1. Threat assessment
2. MITRE ATT&CK techniques
3. Compliance impact
4. Recommended actions
"""

inputs = tokenizer(prompt, return_tensors="pt")
outputs = model.generate(**inputs, max_new_tokens=512)
# Decode only the newly generated tokens, not the echoed prompt
response = tokenizer.decode(outputs[0][inputs["input_ids"].shape[1]:], skip_special_tokens=True)
```

### Supported AWS Sources

- CloudTrail API calls
- GuardDuty threat findings
- Security Hub compliance findings
- VPC Flow Logs network traffic
- WAF web application attacks
- Macie data sensitivity findings
- Inspector vulnerability findings
- Config compliance events
- IAM Access Analyzer findings
- Route 53 DNS queries
- RDS database logs
- EKS Kubernetes audit logs
- CloudWatch alarms
- EventBridge events
- AWS Budgets alerts
- Threat Intelligence IOCs

## Use Cases

- AWS security event triage and analysis
- GuardDuty finding interpretation
- CloudTrail event investigation
- Compliance violation detection (CIS, PCI-DSS, HIPAA, GDPR)
- MITRE ATT&CK technique mapping
- Multi-source event correlation
- Attack scenario detection
- Incident response planning

## Limitations

- Trained on synthetic AWS security events
- May require validation on real-world data
- Performance depends on input quality
- Best used as an assistant tool, not a replacement for human analysis

## Citation

If you use this model in your research or application, please cite:

```bibtex
@misc{wazuh_aws_security_llama_aws_security_analyst,
  title={Wazuh AWS Security Analyst based on LLaMA 3.1 8B},
  author={pyToshka},
  year={2025},
  publisher={HuggingFace},
  url={https://huggingface.co/pyToshka/aws-security-analyst}
}
```

## Acknowledgments

Built with:

- **Data:** AWS security documentation, MITRE ATT&CK Cloud Matrix, Wazuh Rules, and more
- **Training:** Wazuh, AWS

## License

This model inherits the LLaMA 3.1 Community License from the base model.

## Contact

Issues: Please open an issue on the repository.

## Disclaimer

This model is provided for research and educational purposes. Always validate outputs with human security expertise before taking action on security incidents.
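The usage snippet above hand-writes the prompt; in a pipeline the prompt is built from the GuardDuty finding JSON, and the card's "Severity Mapping" feature turns the AWS severity into a Wazuh level. The following is an added example (not part of the model card or the project) that does both: it uses the GuardDuty severity bands AWS documents (Low, Medium, High, Critical) and an assumed, illustrative choice of Wazuh levels, since the card does not publish its mapping table, and it reads the `type`, `severity`, `resource.instanceDetails.instanceId` and `service.action.networkConnectionAction.remoteIpDetails.ipAddressV4` fields of the GuardDuty finding schema.

```python
import json

# GuardDuty severity bands as documented by AWS (Low/Medium/High/Critical).
# The Wazuh levels (0-15) paired with them are an assumed scheme for
# illustration; the card only says AWS scales are mapped onto that range.
SEVERITY_BANDS = [
    (1.0, 4.0, "Low", 5),
    (4.0, 7.0, "Medium", 9),
    (7.0, 9.0, "High", 12),
    (9.0, 10.1, "Critical", 15),
]

def guardduty_to_wazuh(severity: float) -> tuple:
    """Map a GuardDuty numeric severity (1.0-10.0) to (label, Wazuh level)."""
    if not 1.0 <= severity <= 10.0:
        raise ValueError(f"GuardDuty severity out of range: {severity}")
    for low, high, label, level in SEVERITY_BANDS:
        if low <= severity < high:
            return label, level
    raise AssertionError("bands should cover 1.0-10.0")

PROMPT_TEMPLATE = """Analyze this AWS security event:
Event Source: GuardDuty
Finding Type: {ftype}
Severity: {severity} ({label}, Wazuh level {level})
Resource: EC2 instance {instance_id}
Source IP: {source_ip}
Provide:
1. Threat assessment
2. MITRE ATT&CK techniques
3. Compliance impact
4. Recommended actions
"""

def build_prompt(finding: dict) -> str:
    """Render a GuardDuty finding (subset of its JSON schema) as the card's prompt."""
    label, level = guardduty_to_wazuh(float(finding["severity"]))
    remote = finding["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]
    return PROMPT_TEMPLATE.format(
        ftype=finding["type"], severity=finding["severity"], label=label, level=level,
        instance_id=finding["resource"]["instanceDetails"]["instanceId"],
        source_ip=remote["ipAddressV4"])

# Constructed sample finding reusing the values from the card's own example.
SAMPLE_FINDING = json.loads("""{"type": "UnauthorizedAccess:EC2/SSHBruteForce",
  "severity": 8.0,
  "resource": {"instanceDetails": {"instanceId": "i-1234567890abcdef0"}},
  "service": {"action": {"networkConnectionAction":
    {"remoteIpDetails": {"ipAddressV4": "45.142.120.10"}}}}}""")
```

`build_prompt(SAMPLE_FINDING)` yields the prompt to pass to `tokenizer` in the usage snippet; findings whose action type is not a network connection carry a different `service.action` sub-object and need their own extractor.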