metadata
license: apache-2.0
base_model:
- Qwen/Qwen2.5-Coder-7B-Instruct
ThreatFlux-Qwen2.5-7B-Instruct
Model Information
- Author: Wyatt Roersma
- Organization: ThreatFlux
- Model Type: Fine-tuned Language Model
- Base Model: Qwen2.5-Coder-7B-Instruct
- License: Apache 2.0
This model is a specialized fine-tuned version of Qwen2.5-Coder-7B-Instruct optimized for YARA rule generation and analysis. It inherits the powerful code generation and reasoning capabilities of the base model while adding specialized knowledge for security applications.
Deployment Methods
Ollama
ollama run hf.co/vtriple/Qwen-2.5-7B-Threatflux
llama-cpp-python
from llama_cpp import Llama
llm = Llama.from_pretrained(
repo_id="vtriple/Qwen-2.5-7B-Threatflux",
filename="threatflux.gguf",
)
llm.create_chat_completion(
messages=[{"role": "user", "content": "Write a YARA rule for..."}]
)
llama.cpp
Install via Homebrew
brew install llama.cpp
Run the Model
llama-cli \
--hf-repo "vtriple/Qwen-2.5-7B-Threatflux" \
--hf-file threatflux.gguf \
-p "You are a helpful assistant" \
--conversation
For more details on llama.cpp implementation, refer to the llama.cpp documentation.
Model Details
Base Model Architecture
- Model Type: Causal Language Model
- Parameters: 7.61B (Base) / 6.53B (Non-Embedding)
- Architecture: Transformers with RoPE, SwiGLU, RMSNorm, and Attention QKV bias
- Layers: 28
- Attention Heads: 28 for Q and 4 for KV (GQA)
- Context Length: 131,072 tokens
- Training Data: Built on Qwen2.5's 5.5 trillion token dataset
Fine-tuning Specifications
- Training Dataset: ~1,600 specialized samples curated by ThreatFlux
- Training Type: Instruction tuning
- Domain Focus: YARA rules, malware analysis, threat detection
Example Output
Here's an example of the model's YARA rule generation capabilities:
private rule Track_EXE_Files {
meta:
description = "Detects all EXE (Executable) files"
author = "ThreatFlux"
version = "1.0"
condition:
uint16(0) == 0x5A4D
}
The model provides detailed explanations of generated rules:
- Rule is marked private to prevent inclusion in final compiled rules
- Utilizes PE signature (MZ header) verification
- Includes condition logic explanation
- Provides technical details about hex values and their significance
Example Instructions
This model was fine tuned with a extermental YAML instruction set like this:
# Core YARA Rule Generation System
model_behavior:
role: yara_expert_pro
task: rule_generation
format_style: yara_optimized
testing: rule_validation
output_type: technical_documentation
# Content Structure and Formatting
content_structure:
sections:
- meta
- strings
- condition
- tests
format: |
rule Name {
meta:
description = "purpose"
author = "source"
version = "1.0"
reference_files = "test_files"
date = "YYYY-MM-DD"
tlp = "WHITE/GREEN/AMBER/RED"
strings:
// String definitions
$string1 = "example"
condition:
// Detection logic
structure_check and detection_logic
}
# Technical Components
components:
technical_analysis:
enabled: true
elements:
- rule_architecture
- detection_logic
- pattern_analysis
- optimization
code_blocks:
enabled: true
formatting:
indentation: 4
comments: required
syntax_highlight: true
languages:
- yara
- plaintext
documentation:
enabled: true
sections:
- implementation_details
- pattern_rationale
- optimization_notes
- usage_guidance
# Validation Requirements
validation:
required:
- format_check
- content_check
- size_limits
- error_handling
- proper_string_definitions
- optimized_conditions
- metadata_completeness
performance:
- memory_efficiency
- execution_speed
- detection_accuracy
# Magic Headers
magic_headers:
archives:
zip: uint32(0) == 0x04034B50
rar: |
uint32be(0) == 0x52617221 and
(uint16be(4) == 0x1A07 or uint32be(4) == 0x1A070100)
executables:
pe: |
uint16(0) == 0x5A4D and
uint32(uint32(0x3C)) == 0x00004550
elf: uint32be(0) == 0x7F454C46
documents:
docx:
strings:
- "[Content_Types].xml"
- "word/document.xml"
requires: zip_structure
# Pattern Types
pattern_types:
magic:
format: uint comparisons
examples: magic_headers section
strings:
format: |
hex: {pattern}
regex: /pattern/
ascii: "text"
conditions:
format: |
structure_check and
content_validation
# Optimization Guidelines
optimization:
use:
- fixed_offset_checks
- minimal_strings
- early_exits
- clear_structure
avoid:
- full_scans
- complex_regex
- deep_nesting
- redundant_checks
# Examples
examples:
archive_check:
rule: |
private rule ZIP_Check {
condition:
uint32(0) == 0x04034B50
}
doc_check:
rule: |
rule DOCX_Check {
strings:
$content = "[Content_Types].xml"
$doc = "word/document.xml"
condition:
ZIP_Check and all of them
}
# Implementation Notes
notes:
- Use private rules for reusable checks
- Start with format validation
- Add content validation
- Consider false positives
- Test edge cases
- Optimize condition logic
- Document detection rationale
# Output Control
output_control:
style: technical
format: markdown
depth: comprehensive
token_limits:
min: 2000
max: 4000
break_at: 3000
# Formatting
formatting:
headings:
style: markdown
levels_enabled: [1,2,3]
code_blocks:
style: fenced
language_tags: true
indent_size: 4
lists:
types: ["bullet", "number"]
nesting: enabled
# Metadata
metadata:
keywords:
- yara
- rule
- detection
- signature
fields:
- md5_hash
- ascii_strings
- file_type
Intended Use
This model is designed to assist security professionals in:
- Generating and optimizing YARA rules
- Analyzing malware patterns
- Supporting threat hunting workflows
- Enhancing detection capabilities
Performance Metrics and Testing
Testing Environment
- GPU: NVIDIA H100 NVL (48.3 TFLOPS)
- GPU Memory: 93.6 GB
- Memory Bandwidth: 2271.1 GB/s
- PCIe: 5.0 x16 (54.4 GB/s)
- CPU: AMD EPYC 9124 16-Core Processor
- System Memory: 193 GB
- Storage: SAMSUNG MZQLB7T6HALA-00AAZ
- CUDA Version: 12.4
- Network Speed: 8334.9/7516.3 Mbps (Up/Down)
Testing Results
- Total Training Time: ~45 hours
- Average Cost per Hour: $2.6667 (GPU)
- Testing Duration: Multiple sessions totaling approximately 23.953 hours
- Testing Environment: Ubuntu Latest with SSH access
Performance and Limitations
Strengths
- Specialized knowledge in YARA rule syntax and best practices
- Inherits Qwen2.5-Coder's strong code reasoning abilities
- Long context understanding for complex analysis
- Maintains mathematical and general coding competencies
Limitations
- Should be used as an assistant, not a replacement for security expertise
- Generated rules require human validation
- Performance varies based on deployment environment
- Inherits base model's limitations
Technical Specifications
Deployment Requirements
- Compatible with Hugging Face Transformers (requires version ≥4.37.0)
- Supports both CPU and GPU deployment
- Can utilize YaRN for long context processing
Configuration
For extended context length support (>32,768 tokens), add to config.json:
{
"rope_scaling": {
"factor": 4.0,
"original_max_position_embeddings": 32768,
"type": "yarn"
}
}
Training Details
This model was fine-tuned on the Qwen2.5-Coder-7B-Instruct base, which includes:
- Comprehensive code generation capabilities
- Strong mathematical reasoning
- Extended context understanding
- Security-focused enhancements
The fine-tuning process focused on:
- YARA rule syntax and structure
- Pattern matching optimization
- Security use cases
- Real-world application scenarios
License
This model inherits the Apache 2.0 license from its base model. See LICENSE for details.
Community Support
We're working to make this model freely accessible to everyone through a dedicated public inference server. If you'd like to support this initiative, you can contribute to our server fund: Support the ThreatFlux Public Server Your support helps maintain:
- Free public API access
- Consistent model availability
- Community training improvements
- Dedicated infrastructure
Citation
If you use this model in your work, please cite both this model and the original Qwen2.5-Coder work:
@article{hui2024qwen2,
title={Qwen2.5-Coder Technical Report},
author={Hui, Binyuan and Yang, Jian and Cui, Zeyu and Yang, Jiaxi and Liu, Dayiheng and Zhang, Lei and Liu, Tianyu and Zhang, Jiajun and Yu, Bowen and Dang, Kai and others},
journal={arXiv preprint arXiv:2409.12186},
year={2024}
}
@article{qwen2,
title={Qwen2 Technical Report},
author={An Yang and Baosong Yang and Binyuan Hui and Bo Zheng and Bowen Yu and Chang Zhou and Chengpeng Li and Chengyuan Li and Dayiheng Liu and Fei Huang and Guanting Dong and Haoran Wei and Huan Lin and Jialong Tang and Jialin Wang and Jian Yang and Jianhong Tu and Jianwei Zhang and Jianxin Ma and Jin Xu and Jingren Zhou and Jinze Bai and Jinzheng He and Junyang Lin and Kai Dang and Keming Lu and Keqin Chen and Kexin Yang and Mei Li and Mingfeng Xue and Na Ni and Pei Zhang and Peng Wang and Ru Peng and Rui Men and Ruize Gao and Runji Lin and Shijie Wang and Shuai Bai and Sinan Tan and Tianhang Zhu and Tianhao Li and Tianyu Liu and Wenbin Ge and Xiaodong Deng and Xiaohuan Zhou and Xingzhang Ren and Xinyu Zhang and Xipin Wei and Xuancheng Ren and Yang Fan and Yang Yao and Yichang Zhang and Yu Wan and Yunfei Chu and Yuqiong Liu and Zeyu Cui and Zhenru Zhang and Zhihao Fan},
journal={arXiv preprint arXiv:2407.10671},
year={2024}
}