stratosphere/qwen2.5-1.5b-slips-immune-risk

Text Generation | Concurrency Cost: 1 | Model Size: 1.5B | Quant: BF16 | Ctx Length: 32k | Published: Apr 22, 2026 | License: apache-2.0 | Architecture: Transformer | Open Weights

stratosphere/qwen2.5-1.5b-slips-immune-risk is a 1.5-billion-parameter, Qwen2.5-based causal language model fine-tuned by Stratosphere Laboratory, CTU Prague. It specializes in analyzing network security incidents from Slips IDS and performs two tasks: cause analysis and risk assessment. The model identifies incident causes (malicious, legitimate, misconfiguration) and provides calibrated risk levels, business impact, and investigation priorities. It is optimized to help cybersecurity analysts triage network incidents efficiently.

Qwen2.5-1.5B — Slips IDS Cause Analysis & Risk Assessment

This model is a specialized fine-tuned version of Qwen2.5-1.5B-Instruct, developed by Stratosphere Laboratory, CTU Prague. It is designed for cybersecurity analysts to process network security incidents generated by the Slips IDS.

Key Capabilities

  • Cause Analysis: Identifies the most probable cause of a network incident (malicious activity, misconfiguration, or legitimate behavior) with structured reasoning and alternative hypotheses.
  • Risk Assessment: Provides a calibrated risk level (Critical/High/Medium/Low), a concise business impact statement, likelihood of malicious activity, and an investigation priority.
  • Performance: Achieves an average position of 1.73 in LLM-as-judge evaluations, nearly matching GPT-4o, and outperforms GPT-4o in cause analysis score (15.58 vs 15.33).
  • Efficiency: The 1.5B parameter model demonstrates strong performance, significantly outperforming the untuned Qwen2.5 baselines (1.5B and the larger 3B).

Training Details

The model was fine-tuned using Supervised Fine-Tuning (SFT) on a combined cause+risk dataset derived from 826 real Slips IDS network captures. Training utilized a best-of-N response selection strategy, where the highest-scoring response (judged by an LLM-as-judge) from GPT-4o, GPT-4o-mini, Qwen2.5 3B, and Qwen2.5 1.5B was used as ground truth. It employs a single LoRA adapter for both task types.

Good For

  • Automated cause analysis of Slips IDS alerts.
  • Risk prioritization and triage of network incidents.
  • Integration into downstream security reporting or ticketing workflows.

Limitations

  • Stronger at cause analysis than risk assessment.
  • Performance may drop on highly complex incidents (>= 2000 events) due to input token limits.
  • Not intended for general-purpose chat or security domains outside network IDS.