Hands-on Study: Small Open-weight Qwen3 Models for Insider Threat SOC Narratives Using Zero-shot, Few-shot, SFT LoRA, and GRPO on CERT R4.2
English summary
This article presents a hands-on study on generating security operations center (SOC) narratives for insider threat detection using small open-weight language models. The experiments are conducted on the CERT R4.2 dataset using Qwen3 models, comparing four approaches: zero-shot prompting, few-shot prompting, supervised fine-tuning with LoRA (SFT LoRA), and Group Relative Policy Optimization (GRPO). The study demonstrates a practical workflow for adapting small LLMs to explain insider threats, highlighting the accessibility of fine-tuning with open-weight models.
Chinese summary
本文展示了一项利用小型开源语言模型为内部威胁检测生成安全运营中心(SOC)叙事文本的实操研究。实验基于 CERT R4.2 数据集和 Qwen3 模型,对比了四种方法:零样本提示、少样本提示、基于 LoRA 的有监督微调(SFT LoRA)以及组相对策略优化(GRPO)。该研究给出了使用小型大语言模型解读内部威胁的实用流程,突显了开源模型微调的易用性。
Key points
Uses the CERT R4.2 insider threat dataset for training and evaluation.
使用 CERT R4.2 内部威胁数据集进行训练和评估。
Employs small, open-weight Qwen3 language models to generate SOC narratives.
采用开源小型 Qwen3 语言模型生成安全运营中心叙事。
Compares four methods: zero-shot, few-shot, SFT LoRA, and GRPO.
系统性对比零样本、少样本、SFT LoRA 微调和 GRPO 优化四种方法。
Provides a reproducible hands-on workflow for fine-tuning small LLMs on insider threat detection.
提供了可复现的实操流程,展示如何将小型大语言模型微调用于内部威胁检测。