stratosphere/ qwen2.5-1.5b-slips-immune-unified:q8_0

9 5 days ago

A finetuned qwen2.5 for supporting SLIPS alert summarization and decision making 

ollama run stratosphere/qwen2.5-1.5b-slips-immune-unified:q8_0

Details

5 days ago

aa19b831b1e9 · 1.6GB ·

model
qwen2
·
1.54B
·
Q8_0

Readme

Qwen2.5-1.5B — Slips IDS Unified (Summary + Cause + Risk)

A fine-tuned version of Qwen2.5-1.5B-Instruct specialized for three complementary tasks on network security incidents from Slips IDS, handled by a single adapter:

  1. Alert Summarization — translate raw DAG-structured alert logs into a concise, human-readable incident summary with grouped events and severity labels
  2. Cause Analysis — identify the most likely cause of the incident (malicious activity, misconfiguration, or legitimate behavior) with structured reasoning and alternative hypotheses
  3. Risk Assessment — produce a calibrated risk level (Critical/High/Medium/Low), business impact statement, likelihood of malicious activity, and investigation priority

Quick Start

# Recommended — smallest and fastest, no quality loss vs larger quants on risk
ollama run stratosphere/qwen2.5-1.5b-slips-immune-unified:q4_k_m

# Balanced quality/size
ollama run stratosphere/qwen2.5-1.5b-slips-immune-unified:q5_k_m

# Best summary quality
ollama run stratosphere/qwen2.5-1.5b-slips-immune-unified:q8_0

Available Tags

Tag Size Notes
q4_k_m, latest 986 MB Recommended — best risk quality, smallest
q5_k_m 1.1 GB Balanced
q8_0 1.6 GB Best summary win rate (32.6%)

Usage

The model uses three distinct prompt formats applied to the same incident DAG. Run them sequentially on the same incident for a complete analysis.

Task S — Alert Summarization

You are a cybersecurity analyst. Analyze the following network security incident and provide a concise summary suitable for a security operations report.

INCIDENT METADATA:
- Incident ID: {incident_id}
- Source IP: {source_ip}
- Timewindow: {timewindow}
- Accumulated Threat Level: {threat_level}
- Time Range: {timeline}
- Total Events: {event_count}

SECURITY EVIDENCE:
{dag_analysis}

Output Requirements:
- Respond with ONLY the summary content
- Do NOT include any prefixes (like "AI:"), statistics, or metadata
- Use this exact structure:

**Summary:** [2-3 sentence high-level description of the incident]

**Key Events:**
• [Most significant event type and count]
• [Second most significant event or pattern]
• [Additional notable events if present]

**Threat Assessment:** [1 sentence overall threat characterization]

Task A — Cause Analysis

You are a cybersecurity analyst. Analyze the following network security incident and provide a structured analysis of possible causes.

INCIDENT METADATA:
- Incident ID: {incident_id}
- Source IP: {source_ip}
- Timewindow: {timewindow}
- Accumulated Threat Level: {threat_level}
- Time Range: {timeline}
- Total Events: {event_count}

SECURITY EVIDENCE:
{dag_analysis}

Output Requirements:
- Respond with ONLY the analysis content
- Do NOT include any prefixes (like "AI:"), statistics, or metadata
- Use this exact structure:

**Possible Causes:**

**1. Malicious Activity:**
• [Specific attack technique or malicious cause]
• [Additional malicious possibilities if relevant]

**2. Legitimate Activity:**
• [Benign operational cause]
• [Additional legitimate possibilities if relevant]

**3. Misconfigurations:**
• [Technical misconfigurations that could cause this behavior]

**Conclusion:** [1-2 sentence assessment of most likely cause category with recommendation for further investigation]

Task B — Risk Assessment

You are a cybersecurity analyst. Analyze the following network security incident and provide a structured risk assessment.

INCIDENT METADATA:
- Incident ID: {incident_id}
- Source IP: {source_ip}
- Timewindow: {timewindow}
- Accumulated Threat Level: {threat_level}
- Time Range: {timeline}
- Total Events: {event_count}

SECURITY EVIDENCE:
{dag_analysis}

Output Requirements:
- Respond with ONLY the assessment content
- Do NOT include any prefixes (like "AI:"), statistics, or metadata
- Use this exact structure:

**Risk Level:** [Critical/High/Medium/Low]

**Justification:** [1-2 sentence technical justification for the risk level]

**Business Impact:** [Single clear sentence describing the most relevant business effect]

**Likelihood of Malicious Activity:** [High/Medium/Low] - [Brief rationale]

**Investigation Priority:** [Immediate/High/Medium/Low] - [Brief justification]

Evaluation

Evaluated on held-out Slips IDS incidents using LLM-as-judge against GPT-4o, GPT-4o-mini, Qwen2.5 1.5B baseline, and Qwen2.5 3B baseline. Results on the standalone eval sets (47 summary, 67 risk incidents):

Summary (47 incidents, judge: gpt-oss-120b)

Variant Win Rate Avg Score /10
q8_0 32.6% 5.09
q5_k_m 14.9% 5.00
q4_k_m 12.8% 4.91

Risk (67 incidents, judge: qwen3.5)

Variant Win Rate Avg Cause /30 Avg Risk /30
q4_k_m 26.9% 17.75 13.70
q5_k_m 26.9% 17.30 13.66
q8_0 26.9% 17.43 12.75

All three quantized variants perform competitively — no quality cliff at any quantization level. For full evaluation details see the HuggingFace model card.

Related Models

License

Apache-2.0

Acknowledgments

Supported by the NLnet Foundation as part of the IMMUNE project.